📱 Lock It Down: How to Secure BYOD Mobile Access with Intune App Protection Policies (MAM)

🔐 A Practical Guide to Protecting iOS & Android Devices Without Enrollment

In a world where users check work email on their personal phones and join Teams meetings from the beach, managing mobile security isn’t optional — it’s mandatory. But forcing full device control (MDM) on personal phones? That’s a fast track to user revolt.

Enter Intune App Protection Policies (MAM) — the right tool for BYOD environments.

This guide will walk you through:

  • Setting up App Protection Policies for iOS and Android
  • Using Conditional Access to enforce them
  • Blocking default email apps like Apple Mail or Samsung Email
  • Best practices that don’t choke productivity

Let’s get your data protected — without managing the whole device.


✅ Step 1: What You Need

Before you begin:

  • Microsoft Intune is set up and integrated with Entra ID
  • Users are licensed for Intune (included in Microsoft 365 Business Premium, E3/E5, or EMS)
  • You’re targeting Microsoft 365 apps only (Outlook, Teams, OneDrive, Word, etc.)
  • You have at least an Entra P1 license to configure Conditional Access

🔐 Step 2: Create App Protection Policies for iOS and Android

You’ll create two separate policies: one for iOS/iPadOS and one for Android.

👉 Instructions (repeat per platform):

  1. Go to the Intune Admin Center
  2. Navigate to: Apps > App protection policies > + Create policy
  3. Select Platform (start with iOS/iPadOS)
  4. Name the policy (e.g., MAM-iOS-BYOD-Standard)
  5. Click Next

🔧 Targeted Apps

Under Targeted apps:

  • Click Select public apps
  • Add:
    • Microsoft Outlook
    • Teams
    • OneDrive
    • Word, Excel, PowerPoint
    • Microsoft Edge (for secure links)
  • Click Next

🔒 Data Protection Settings

  Setting                              Recommended
  Backup org data to iTunes/iCloud     Block
  Send org data to other apps          Policy managed apps
  Receive data from other apps         All apps
  Save copies of org data              Block
  Restrict cut, copy, paste            Policy managed apps
  Encrypt org data                     Require

🧠 Access Requirements

  Setting                              Recommended
  PIN for access                       Require
  Simple PIN                           Block
  Biometrics (Face ID/Fingerprint)     Allow
  Recheck access after idle            5 minutes
  Offline grace period                 72 hours

🚨 Conditional Launch Settings

  Condition                            Action
  Jailbroken/rooted                    Block
  Min OS version                       iOS 16 / Android 12
  Wipe after device noncompliance      Yes

Assign the policy to your BYOD user group and repeat the exact process for Android.
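If you would rather not click through the portal twice, the same two policies can be built from the tables above with Microsoft Graph. The script below is an added example, not the article's own code: it assumes the Microsoft.Graph.Authentication module is installed, uses the beta endpoint because that is where the full MAM schema lives, looks up a BYOD user group by a placeholder display name (BYOD-Users), and targets the Microsoft 365 apps by their published iOS bundle IDs and Android package IDs (check them against the app list in the Intune admin center before you run it).

```powershell
# Added example: create, target and assign the iOS and Android App Protection
# Policies from the tables above via Microsoft Graph (beta). Not the article's code.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All","Group.Read.All" -NoWelcome

$graph = "https://graph.microsoft.com/beta"   # beta carries the full MAM property set

# Placeholder group name: replace with your BYOD user group
$group   = Invoke-MgGraphRequest -Method GET -Uri "$graph/groups?`$filter=displayName eq 'BYOD-Users'"
$groupId = $group.value[0].id
if (-not $groupId) { throw "BYOD group not found" }

# Settings common to both platforms, taken from the three tables above
$common = @{
    pinRequired                             = $true
    simplePinBlocked                        = $true
    fingerprintBlocked                      = $false          # biometrics allowed
    dataBackupBlocked                       = $true           # no iTunes/iCloud/Google backup of org data
    allowedOutboundDataTransferDestinations = "managedApps"   # send org data: policy managed apps only
    allowedInboundDataTransferSources       = "allApps"       # receive data: all apps
    saveAsBlocked                           = $true           # save copies of org data: block
    allowedOutboundClipboardSharingLevel    = "managedApps"   # cut/copy/paste: policy managed apps
    periodOnlineBeforeAccessCheck           = "PT5M"          # recheck access after 5 minutes idle
    periodOfflineBeforeAccessCheck          = "PT72H"         # offline grace period
    deviceComplianceRequired                = $true           # conditional launch: jailbroken/rooted
    appActionIfDeviceComplianceRequired     = "block"         # or "wipe" to wipe org data instead
    managedBrowserToOpenLinksRequired       = $true           # open links in Edge
    managedBrowser                          = "microsoftEdge"
}

$platforms = @(
    @{
        Name     = "MAM-iOS-BYOD-Standard"
        Resource = "iosManagedAppProtections"
        Extra    = @{ "@odata.type"          = "#microsoft.graph.iosManagedAppProtection"
                      minimumRequiredOsVersion = "16.0"
                      appDataEncryptionType    = "whenDeviceLocked"   # encrypt org data
                      faceIdBlocked            = $false }
        IdType   = "#microsoft.graph.iosMobileAppIdentifier"
        IdKey    = "bundleId"
        Apps     = @("com.microsoft.Office.Outlook", "com.microsoft.skype.teams", "com.microsoft.skydrive",
                     "com.microsoft.Office.Word", "com.microsoft.Office.Excel", "com.microsoft.Office.Powerpoint",
                     "com.microsoft.msedge")
    },
    @{
        Name     = "MAM-Android-BYOD-Standard"
        Resource = "androidManagedAppProtections"
        Extra    = @{ "@odata.type"          = "#microsoft.graph.androidManagedAppProtection"
                      minimumRequiredOsVersion = "12.0"
                      encryptAppData           = $true }          # encrypt org data
        IdType   = "#microsoft.graph.androidMobileAppIdentifier"
        IdKey    = "packageId"
        Apps     = @("com.microsoft.office.outlook", "com.microsoft.teams", "com.microsoft.skydrive",
                     "com.microsoft.office.word", "com.microsoft.office.excel", "com.microsoft.office.powerpoint",
                     "com.microsoft.emmx")
    }
)

foreach ($p in $platforms) {
    $body = $common.Clone()
    $body.displayName = $p.Name
    $p.Extra.GetEnumerator() | ForEach-Object { $body[$_.Key] = $_.Value }

    # 1. Create the policy
    $policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/$($p.Resource)" `
        -ContentType "application/json" -Body ($body | ConvertTo-Json -Depth 5)

    # 2. Target the Microsoft 365 apps (IDs as published by Microsoft; verify in your tenant)
    $apps = foreach ($appId in $p.Apps) {
        $ident = @{ "@odata.type" = $p.IdType }
        $ident[$p.IdKey] = $appId
        @{ mobileAppIdentifier = $ident }
    }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/$($p.Resource)/$($policy.id)/targetApps" `
        -ContentType "application/json" -Body (@{ apps = @($apps) } | ConvertTo-Json -Depth 5)

    # 3. Assign to the BYOD user group
    $assign = @{ assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }) }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/$($p.Resource)/$($policy.id)/assign" `
        -ContentType "application/json" -Body ($assign | ConvertTo-Json -Depth 5)

    Write-Host "Created and assigned $($p.Name) ($($policy.id))"
}
```

Keeping the shared settings in one hashtable means the two platforms cannot drift apart, which is the usual failure when the tables are typed into the portal twice; the only platform-specific lines are the encryption property, the minimum OS version and the app identifiers.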


🛡️ Step 3: Enforce MAM with Conditional Access

App Protection Policies don’t mean anything if users can still access Exchange or SharePoint with unprotected apps. Lock it down with Conditional Access.

✅ Create CA Policy: Require App Protection

  1. Go to Microsoft Entra Admin Center
  2. Navigate to Protection > Conditional Access > + New Policy
  3. Name it: Require App Protection on Mobile Devices

📋 Assignments

  • Users: All users or specific BYOD group
  • Cloud Apps: Microsoft 365 or individual apps (Exchange Online, SharePoint)
  • Conditions:
    • Device platforms: iOS, Android
    • Client apps: Mobile apps and desktop clients (uncheck browser for now)

🛑 Access Controls

  • Grant access only if App Protection Policy is applied

Click Create.
Now, if a user tries to access data from a mobile app without the MAM policy applied — they get blocked.


🚫 Step 4: Block Native Mail Apps (Apple Mail, Samsung Email)

Here’s the piece everyone forgets: native email apps don’t support MAM, so even with policies in place, your data’s exposed if users connect mail manually.

✅ Create CA Policy: Block Unmanaged Mobile Email Clients

  1. Back in Entra Admin Center, create another policy
  2. Name it: Block Mobile Mail Clients (Non-Outlook)

📋 Assignments

  • Users: Same as above
  • Cloud App: Exchange Online only
  • Conditions:
    • Device platforms: iOS and Android
    • Client apps: Mobile apps and desktop clients

🛑 Access Controls

  • Grant access: Block

Optional:
Use filters to exclude Outlook for iOS/Android, if available in your org’s Entra conditions, or use an allow-only policy that explicitly requires Outlook mobile.
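Both Conditional Access policies from Steps 3 and 4 can be created the same way. The script below is an added example and not the article's code; it assumes the Microsoft.Graph.Authentication module and the same placeholder BYOD-Users group. It creates both policies in report-only mode first, as the Best Practices section recommends. One deliberate choice to note: instead of the portal's broad "Mobile apps and desktop clients" selection, the Step 4 block is narrowed to the Exchange ActiveSync client type, which is the protocol Apple Mail and Samsung Email use against Exchange Online, so Outlook mobile (modern authentication, already governed by the Step 3 policy) is not caught by the block. That is a narrower implementation of the "allow-only" idea in the optional note above.

```powershell
# Added example: create the two Conditional Access policies from Steps 3 and 4
# in report-only mode via Microsoft Graph. Not the article's code.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Group.Read.All" -NoWelcome

$graph = "https://graph.microsoft.com/v1.0"

# Placeholder group name: replace with your BYOD user group
$group   = Invoke-MgGraphRequest -Method GET -Uri "$graph/groups?`$filter=displayName eq 'BYOD-Users'"
$groupId = $group.value[0].id
if (-not $groupId) { throw "BYOD group not found" }

$exchangeOnline = "00000002-0000-0ff1-ce00-000000000000"   # well-known Exchange Online app ID

function New-CaPolicy {
    param([hashtable]$Policy)
    Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" `
        -ContentType "application/json" -Body ($Policy | ConvertTo-Json -Depth 6)
}

# Step 3: mobile apps reaching Microsoft 365 must run under an App Protection Policy
$require = New-CaPolicy -Policy @{
    displayName = "Require App Protection on Mobile Devices"
    state       = "enabledForReportingButNotEnforced"       # report-only until the sign-in logs look right
    conditions  = @{
        users          = @{ includeGroups = @($groupId) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("mobileAppsAndDesktopClients")   # browser left out, as in Step 3
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantApplication") }
}

# Step 4: block native mail clients against Exchange Online
$block = New-CaPolicy -Policy @{
    displayName = "Block Mobile Mail Clients (Non-Outlook)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($groupId) }
        applications   = @{ includeApplications = @($exchangeOnline) }   # Exchange Online only
        # Native mail apps reach Exchange Online over Exchange ActiveSync; Outlook mobile uses
        # modern authentication and is covered by the Step 3 policy, so it is not caught here.
        # No platform condition: the client type already singles out the protocol.
        clientAppTypes = @("exchangeActiveSync")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

Write-Host "Created (report-only): $($require.displayName) ($($require.id))"
Write-Host "Created (report-only): $($block.displayName) ($($block.id))"

# Once report-only results look right, enforce with a PATCH of the state, e.g.:
# Invoke-MgGraphRequest -Method PATCH -Uri "$graph/identity/conditionalAccess/policies/$($block.id)" `
#     -ContentType "application/json" -Body '{"state":"enabled"}'
```

Leave both policies in report-only for a week or two of normal use; the Entra sign-in logs will show which users and which client apps would have been blocked before anyone actually is.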


✅ Result

  • Apple Mail and Samsung Email: Blocked
  • Outlook mobile with MAM applied: Allowed and secured
  • Users can’t sidestep your policies with their phone’s built-in apps

💡 Best Practices for Admins

  • Start in report-only mode for CA policies if you’re unsure about impact
  • Use dynamic groups (e.g., devices where enrollmentState = “notEnrolled”) to apply MAM policies only to BYOD
  • Train users: explain how this protects their personal device from full IT control
  • Monitor enforcement with Sign-In Logs in Entra ID to catch gaps
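Checking the Sign-In Logs is the step that tells you whether the report-only policies are ready to enforce. The script below is an added example, not from the article: it assumes the Microsoft.Graph.Authentication module, pulls the last 24 hours of sign-ins, and summarises how the two policies named in Steps 3 and 4 evaluated, separating would-be blocks (reportOnlyFailure) from real ones (failure) and showing the client app used so native mail apps stand out.

```powershell
# Added example: summarise how the two Conditional Access policies evaluated over
# the last 24 hours of Entra ID sign-ins. Not the article's code.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All" -NoWelcome

$since = (Get-Date).ToUniversalTime().AddHours(-24).ToString("yyyy-MM-ddTHH:mm:ssZ")
$uri   = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=createdDateTime ge $since&`$top=999"
$names = @("Require App Protection on Mobile Devices", "Block Mobile Mail Clients (Non-Outlook)")
$rows  = @()

# Follow @odata.nextLink until every page has been read
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($s in $page.value) {
        foreach ($p in $s.appliedConditionalAccessPolicies) {
            if ($names -contains $p.displayName) {
                $rows += [pscustomobject]@{
                    Time   = $s.createdDateTime
                    User   = $s.userPrincipalName
                    App    = $s.appDisplayName
                    Client = $s.clientAppUsed                  # e.g. "Exchange ActiveSync", "Mobile Apps and Desktop clients"
                    OS     = $s.deviceDetail.operatingSystem
                    Policy = $p.displayName
                    Result = $p.result                        # success, failure, notApplied, reportOnlySuccess, reportOnlyFailure, ...
                }
            }
        }
    }
    $uri = $page.'@odata.nextLink'
}

# Overview: how often each policy produced each result
$rows | Group-Object Policy, Result | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Detail: who is (or would be) blocked, and from which client
$rows | Where-Object { $_.Result -in "failure", "reportOnlyFailure" } |
    Sort-Object Time -Descending |
    Format-Table Time, User, App, Client, OS, Policy -AutoSize
```

A long list of reportOnlyFailure rows with "Exchange ActiveSync" in the Client column is exactly the population of Apple Mail and Samsung Email users Step 4 is meant to cut off; reach out to them before flipping the policy to enabled so they move to Outlook first.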

🔐 Final Thoughts

You don’t need full device management to lock down mobile access.
With App Protection Policies, Conditional Access, and blocking native apps, you get:

  • Protection of corporate data
  • Separation from personal apps
  • A smoother BYOD experience that users won’t fight against

This is modern mobile security, the way it should be.