For your Managed and Wrapped Apps in a ConfigMgr 2012 R2 SP1 hybrid scenario with Microsoft Intune, there’s a new functionality that now lets you associate a Mobile Application Management (MAM) policy to restrict cut, copy and paste for instance. With this new capability you’re now in control of managing how data can be restricted in your organization and can easier bring your apps into compliance with your organization’s security policies.

A Mobile Application Management policy can be associated with a Managed App in ConfigMgr 2012 R2 SP1 (and ConfigMgr 2012 SP2). Unlike from Configuration Baselines, you do not deploy the MAM policies to collections, instead you associate the MAM policy with your Managed App once you deploy it. It’s worth noticing that you can only associate one MAM policy with each deployment of the Managed App, so if your security policies state that you need to have different policy settings per e.g. department, you’d have to create multiple deployments. In this post I’ll walk you through the steps of creating a Mobile Application Management policy, and give you some further information on how to use them.

Overview

  • Policy types
  • Policy restrictions and support
  • Create and deploy a MAM policy

Policy Types

There are currently two Mobile Application Management policy types that you can choose from when creating a Mobile Application Management policy. A policy type is used for specifying what configuration and restrictions the policy holds. As more and more functionality is added to the Intune App SDK and the Intune service, I’d suspect more types will be added and provide additional configuration settings. The two current policy types are:

  • General – This policy type gives you the functionality to modify the behavior of Managed or Wrapped Apps to ensure compliance and security requirements within your organization.
  • Managed Browser – This policy type lets you modify the functionality of the Intune Managed Browser app, that manage the browsing experience for users. You can control what web sites users can access and how the content within the browser are opened.

Policy restrictions and support

In order to associate a Mobile Application Management policy to your app, the app needs to be of a specific type:

  • Managed App – A Managed App has the Intune App SDK capabilities built into it, and therefor it supports MAM policies
  • Wrapped App – A Wrapped App is a custom Line-of-Business (LOB) app that has been wrapped using either Intune App Wrapping Tool for iOS or Android giving it support for MAM policies

If you want to know how a custom Android LOB app can be wrapped, check out this blog post I’ve recently created:

How to wrap Android Line of Business apps with Intune App Wrapping Tool

Another thing to consider when creating Mobile Application Management policies is the supported platforms:

  • A device running Android 4.0 or newer
  • A device running iOS 7.0 or newer

When you create a Mobile Application policy, you’re given the option to select what platform the policy is intended for in addition to the policy type. The options you have is iOS and Android. Below is a table showing the restrictions available by platform for a General policy type:

iOS
Type Restriction Values
App Web Content Restrict web content to display in the Managed Browser Yes
No
Data Relocation Prevent iTunes and iCLoud backups Yes
No
Allow app to transfer data to other apps None
Policy Managed Apps
Any App
Allow app to receive data from other apps None
Policy Managed Apps
Any App
Prevent “Save As” Yes
No
Restrict cut, copy and paste with other apps Blocked
Policy Managed Apps
Policy Managed Apps with Paste In
Any App
Access Require simple PIN for access Yes
No
Number of attempts before PIN reset (integer)
Require corporate credentials for access Yes
No
Require device compliance with corporate policy for access Yes
No
Recheck the access requirement after (minutes) – Timeout (integer)
Recheck the access requirement after (minutes) – Offline grace period (integer)
Additional Policies Encrypt app data When device is locked
When device is locked (except open files)
After device restart
Use device settings

Android
Type Restriction Values
App Web Content Restrict web content to display in the Managed Browser Yes
No
Data Relocation Prevent Android backups Yes
No
Allow app to transfer data to other apps None
Policy Managed Apps
Any App
Allow app to receive data from other apps None
Policy Managed Apps
Any App
Prevent “Save As” Yes
No
Restrict cut, copy and paste with other apps Blocked
Policy Managed Apps
Policy Managed Apps with Paste In
Any App
Access Require simple PIN for access Yes
No
Number of attempts before PIN reset (integer)
Require corporate credentials for access Yes
No
Require device compliance with corporate policy for access Yes
No
Recheck the access requirement after (minutes) – Timeout (integer)
Recheck the access requirement after (minutes) – Offline grace period (integer)
Additional Policies Encrypt app data When device is locked
When device is locked (except open files)
After device restart
Use device settings
Block screen capture Yes
No

If you need to know more about the different restrictions and policy settings in detail, check out Step 3 in the documentation below:

https://technet.microsoft.com/en-us/library/dn878026.aspx

Create and deploy a MAM policy

Now that you know a bit more about what a Mobile Application Management policy is and what it can provide in terms of restriction and ensuring security compliance, let’s create one and associate it with a deployment of an app. In this demonstration I’ve created a Wrapped App called Notepad 1.4.0.7 that I will be associating the Mobile Application Management policy with.

Create Mobile Application Management policy

1. Open the ConfigMgr console and to go Software Library – Application Management.
2. Right click on Application Management Policies and click Create Application Management Policy.

148_1

3. On the General page, name the policy appropriately. For instance I like to give all objects a prefix, in this case MAM, followed by the name of the app it’s gonna be associated with. If necessary you could also add the specific department that the policy is intended for. Click Next.

148_2

4. On the Policy Type page, select the platform your app supports and the policy type that you want to create. Click Next.

148_3

5. On the platform specific page, configure in accordance with your organizations security requirements in order to ensure compliance. When ready, click Next.

148_4

6. On the Summary page, click Next.

148_5

7. Click Close on the Completion page.

Associate Mobile Application Management policy with a Deployment

1. Locate your app that you want to deploy to a specific collection of users and right-click on the app and select Deploy.

148_7

2. On the General page, browse and select a user collection that you want target this deployment with. Click Next.

148_8

3. On the Content page, make sure that the \\manage.microsoft.com Distribution Point is added if your app has any source content (custom Wrapped Apps has, not apps that are links pointing to either Google Play or the App Store). Click Next.

148_9

4. On the Deployment Settings, Scheduling, User Experience and Alerts pages, configure accordingly for the purpose of your deployment. Click Next.
5. On the Application Management page, select the Mobile Application Management policy that you previously created och click Next.

148_10

6. On the Summary page, click Next.

148_11

7. And finally on the Completion page, click Close.

That’s all, you have now created a Mobile Application Management policy and associated it with a deployment of an app. I hope this helps!

Nickolaj Andersen
Principal Consultant and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Currently working for TrueSec as a Principal Consultant. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences and user groups.

(236)

comments
  • Mike
    Posted at 19:58 November 19, 2015
    Mike
    Reply
    Author

    Great article! I have been searching for that for quite some time, cudos! In this case you define in the policy “allow app to transfer data to other appa – policy defined apps”. Where can I define those apps? Are these apps from other MAM policies? Thank you!

    • Nickolaj
      Posted at 10:22 November 25, 2015
      Nickolaj
      Reply
      Author

      Hi Mike,

      You don’t have to define any apps. The correct naming of the options available in this case is “Policy Managed Apps”, meaning that all Managed apps are able to exchange data between them.

      Regards,
      Nickolaj

  • Shariq
    Posted at 06:40 July 10, 2016
    Shariq
    Reply
    Author

    Hi I have created a wagr app( sample app provided by Microsoft to test app wrapping)

    It is working fine in intune. But when I’m trying to deploy it via SCCM its not giving option to associate MAM policy.

  • Leave a Reply