Nickolaj AndersenFor your Managed and Wrapped Apps in a ConfigMgr 2012 R2 SP1 hybrid scenario with Microsoft Intune, there’s a new functionality that now lets you associate a Mobile Application Management (MAM) policy to restrict cut, copy and paste for instance. With this new capability you’re now in control of managing how data can be restricted in your organization and can easier bring your apps into compliance with your organization’s security policies.
A Mobile Application Management policy can be associated with a Managed App in ConfigMgr 2012 R2 SP1 (and ConfigMgr 2012 SP2). Unlike from Configuration Baselines, you do not deploy the MAM policies to collections, instead you associate the MAM policy with your Managed App once you deploy it. It’s worth noticing that you can only associate one MAM policy with each deployment of the Managed App, so if your security policies state that you need to have different policy settings per e.g. department, you’d have to create multiple deployments. In this post I’ll walk you through the steps of creating a Mobile Application Management policy, and give you some further information on how to use them.
Overview
- Policy types
- Policy restrictions and support
- Create and deploy a MAM policy
Policy Types
There are currently two Mobile Application Management policy types that you can choose from when creating a Mobile Application Management policy. A policy type is used for specifying what configuration and restrictions the policy holds. As more and more functionality is added to the Intune App SDK and the Intune service, I’d suspect more types will be added and provide additional configuration settings. The two current policy types are:
- General – This policy type gives you the functionality to modify the behavior of Managed or Wrapped Apps to ensure compliance and security requirements within your organization.
- Managed Browser – This policy type lets you modify the functionality of the Intune Managed Browser app, that manage the browsing experience for users. You can control what web sites users can access and how the content within the browser are opened.
Policy restrictions and support
In order to associate a Mobile Application Management policy to your app, the app needs to be of a specific type:
- Managed App – A Managed App has the Intune App SDK capabilities built into it, and therefor it supports MAM policies
- Wrapped App – A Wrapped App is a custom Line-of-Business (LOB) app that has been wrapped using either Intune App Wrapping Tool for iOS or Android giving it support for MAM policies
If you want to know how a custom Android LOB app can be wrapped, check out this blog post I’ve recently created:
How to wrap Android Line of Business apps with Intune App Wrapping Tool
Another thing to consider when creating Mobile Application Management policies is the supported platforms:
- A device running Android 4.0 or newer
- A device running iOS 7.0 or newer
When you create a Mobile Application policy, you’re given the option to select what platform the policy is intended for in addition to the policy type. The options you have is iOS and Android. Below is a table showing the restrictions available by platform for a General policy type:
iOS
| Type | Restriction | Values |
| App Web Content | Restrict web content to display in the Managed Browser | Yes No |
| Data Relocation | Prevent iTunes and iCLoud backups | Yes No |
| Allow app to transfer data to other apps | None Policy Managed Apps Any App | |
| Allow app to receive data from other apps | None Policy Managed Apps Any App | |
| Prevent “Save As” | Yes No | |
| Restrict cut, copy and paste with other apps | Blocked Policy Managed Apps Policy Managed Apps with Paste In Any App | |
| Access | Require simple PIN for access | Yes No |
| Number of attempts before PIN reset | (integer) | |
| Require corporate credentials for access | Yes No | |
| Require device compliance with corporate policy for access | Yes No | |
| Recheck the access requirement after (minutes) – Timeout | (integer) | |
| Recheck the access requirement after (minutes) – Offline grace period | (integer) | |
| Additional Policies | Encrypt app data | When device is locked When device is locked (except open files) After device restart Use device settings |
Android
| Type | Restriction | Values |
| App Web Content | Restrict web content to display in the Managed Browser | Yes No |
| Data Relocation | Prevent Android backups | Yes No |
| Allow app to transfer data to other apps | None Policy Managed Apps Any App | |
| Allow app to receive data from other apps | None Policy Managed Apps Any App | |
| Prevent “Save As” | Yes No | |
| Restrict cut, copy and paste with other apps | Blocked Policy Managed Apps Policy Managed Apps with Paste In Any App | |
| Access | Require simple PIN for access | Yes No |
| Number of attempts before PIN reset | (integer) | |
| Require corporate credentials for access | Yes No | |
| Require device compliance with corporate policy for access | Yes No | |
| Recheck the access requirement after (minutes) – Timeout | (integer) | |
| Recheck the access requirement after (minutes) – Offline grace period | (integer) | |
| Additional Policies | Encrypt app data | When device is locked When device is locked (except open files) After device restart Use device settings |
| Block screen capture | Yes No |
If you need to know more about the different restrictions and policy settings in detail, check out Step 3 in the documentation below:
https://technet.microsoft.com/en-us/library/dn878026.aspx
Create and deploy a MAM policy
Now that you know a bit more about what a Mobile Application Management policy is and what it can provide in terms of restriction and ensuring security compliance, let’s create one and associate it with a deployment of an app. In this demonstration I’ve created a Wrapped App called Notepad 1.4.0.7 that I will be associating the Mobile Application Management policy with.
Create Mobile Application Management policy
1. Open the ConfigMgr console and to go Software Library – Application Management.
2. Right click on Application Management Policies and click Create Application Management Policy.
3. On the General page, name the policy appropriately. For instance I like to give all objects a prefix, in this case MAM, followed by the name of the app it’s gonna be associated with. If necessary you could also add the specific department that the policy is intended for. Click Next.
4. On the Policy Type page, select the platform your app supports and the policy type that you want to create. Click Next.
5. On the platform specific page, configure in accordance with your organizations security requirements in order to ensure compliance. When ready, click Next.
6. On the Summary page, click Next.
7. Click Close on the Completion page.
Associate Mobile Application Management policy with a Deployment
1. Locate your app that you want to deploy to a specific collection of users and right-click on the app and select Deploy.
2. On the General page, browse and select a user collection that you want target this deployment with. Click Next.
3. On the Content page, make sure that the \\manage.microsoft.com Distribution Point is added if your app has any source content (custom Wrapped Apps has, not apps that are links pointing to either Google Play or the App Store). Click Next.
4. On the Deployment Settings, Scheduling, User Experience and Alerts pages, configure accordingly for the purpose of your deployment. Click Next.
5. On the Application Management page, select the Mobile Application Management policy that you previously created och click Next.
6. On the Summary page, click Next.
7. And finally on the Completion page, click Close.
That’s all, you have now created a Mobile Application Management policy and associated it with a deployment of an app. I hope this helps!
Maurice Daly
Sandy Zeng
Michael Mardahl
Hi I have created a wagr app( sample app provided by Microsoft to test app wrapping)
It is working fine in intune. But when I’m trying to deploy it via SCCM its not giving option to associate MAM policy.
Great article! I have been searching for that for quite some time, cudos! In this case you define in the policy “allow app to transfer data to other appa – policy defined apps”. Where can I define those apps? Are these apps from other MAM policies? Thank you!
Hi Mike,
You don’t have to define any apps. The correct naming of the options available in this case is “Policy Managed Apps”, meaning that all Managed apps are able to exchange data between them.
Regards,
Nickolaj