App Protection
Configure Mobile Application Management (MAM) policies to protect corporate data within apps without requiring device enrollment. Control data sharing, require PINs, and selectively wipe corporate data from personal devices.
Note: App Protection Policies (APP/MAM) protect data at the app level without device enrollment. Ideal for BYOD scenarios where users want privacy for personal data.
Policy Types
iOS/iPadOS Policies
Protect data in apps on iOS devices using Intune App SDK or app wrapping.
- Works without enrollment
- Protects managed apps only
- Integrates with Face ID/Touch ID
- Selective wipe supported
Android Policies
Protect data in apps on Android devices. Works with managed Google Play apps.
- Works without enrollment
- Android Enterprise integration
- Conditional launch controls
- Screen capture blocking
Windows Policies
Windows Information Protection (WIP) policies for Windows 10/11 devices.
- Requires MDM enrollment
- Enlightened app protection
- Corporate boundary definition
- Encryption of work data
Edge Policies
Specific policies for Microsoft Edge browser protecting corporate web content.
- Work/personal profile separation
- Controlled data transfer
- Bookmark sync controls
- InPrivate mode management
Data Protection Settings
Data Transfer
- Send org data to other apps — Policy managed apps / All apps / None
- Receive data from other apps — Policy managed apps / All apps / None
Clipboard and Copy/Paste
- Restrict cut, copy, paste between apps — Policy managed apps with paste in / Blocked / Any app
- Cut/copy character limit — 0 (configurable)
Save and Backup
- Save copies of org data — Block
- Allow backup to local storage — Block
Screen Capture
- Block screen capture and AI assistant — Yes
Access Requirements
PIN Settings
- Require PIN for access: Required
- PIN type: Numeric / Passcode
- Minimum PIN length: 6 characters
- Simple PIN: Block
- PIN reset after (days): 90
Biometric Settings
- Allow biometric instead of PIN: Allow
- Allow Face ID (iOS): Allow
- Override biometric with PIN: After 5 failed attempts
- PIN after biometric update: Required
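The following is an added example, not the page's or the product's own code. It encodes the values from the Data Protection Settings and Access Requirements sections as a baseline and reports every setting in a candidate policy that is looser than that baseline, which is the check to run before a relaxed BYOD policy is pushed out. The key names, the strictness ordering of the choice values, and the sample relaxed policy are assumptions; the page shows display labels only, not a schema.

```python
# Added example, not the page's or the product's own code: report every setting
# in a candidate app protection policy that is looser than the values listed in
# the Data Protection Settings and Access Requirements sections. Key names and
# the strictness ordering of the choice values are assumptions; the page shows
# display labels only.

# Choice settings ordered from most to least restrictive (index 0 = strictest).
ORDERED_CHOICES = {
    "send_org_data": ["None", "Policy managed apps", "All apps"],
    "receive_data": ["None", "Policy managed apps", "All apps"],
    "cut_copy_paste": ["Blocked", "Policy managed apps with paste in", "Any app"],
}
# Numeric settings: the candidate must be at least / at most the baseline.
AT_LEAST = {"min_pin_length"}
AT_MOST = {"pin_reset_days", "biometric_override_after_failures",
           "cut_copy_char_limit"}

# Baseline taken from the values on this page.
BASELINE = {
    "send_org_data": "Policy managed apps",
    "receive_data": "Policy managed apps",
    "cut_copy_paste": "Policy managed apps with paste in",
    "cut_copy_char_limit": 0,
    "save_copies_of_org_data": "Block",
    "backup_to_local_storage": "Block",
    "block_screen_capture": "Yes",
    "require_pin": "Required",
    "simple_pin": "Block",
    "min_pin_length": 6,
    "pin_reset_days": 90,
    "pin_after_biometric_update": "Required",
    "biometric_override_after_failures": 5,
}


def check_policy(candidate: dict) -> list:
    """Return (key, candidate_value, baseline_value) for every weaker or
    missing setting; an empty list means the candidate meets the baseline."""
    findings = []
    for key, baseline in BASELINE.items():
        if key not in candidate:
            findings.append((key, None, baseline))
            continue
        value = candidate[key]
        if key in ORDERED_CHOICES:
            order = ORDERED_CHOICES[key]
            # Unknown labels are reported rather than silently accepted.
            weaker = value not in order or order.index(value) > order.index(baseline)
        elif key in AT_LEAST:
            weaker = value < baseline
        elif key in AT_MOST:
            weaker = value > baseline
        else:
            weaker = value != baseline
        if weaker:
            findings.append((key, value, baseline))
    return findings


# Constructed candidate: a BYOD policy that was relaxed "to reduce help-desk calls".
RELAXED_POLICY = dict(BASELINE, send_org_data="All apps",
                      save_copies_of_org_data="Allow", min_pin_length=4,
                      pin_reset_days=365, cut_copy_char_limit=200)

if __name__ == "__main__":
    for key, value, baseline in check_policy(RELAXED_POLICY):
        print(f"{key}: {value!r} is looser than baseline {baseline!r}")
```

A candidate that is stricter than the baseline (for example `send_org_data` set to `None`) produces no findings; only loosened, missing, or unrecognised values are reported.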
Conditional Launch
Define conditions that must be met before app launch:
| Condition | Value | Action |
|---|---|---|
| Maximum PIN attempts | 5 | Wipe data |
| Offline grace period | 720 minutes | Block access |
| Jailbroken/rooted device | Detected | Wipe data |
| Minimum OS version | iOS 15.0 / Android 11 | Block access |
| Minimum app version | Current - 2 | Warn |
| Disabled account | Detected | Block access |
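As an added example (not code from the page or its product), the evaluator below applies the conditional-launch table above to a device/app state report and returns the action to take, with the most severe triggered action winning when several conditions fire at once. The `DeviceState` fields, the platform names used for the OS-version lookup, and the reading of "Current - 2" as two major versions behind the current release are assumptions.

```python
# Added example, not code from the page or its product: applies the
# conditional-launch table to a device/app state report. The field names,
# the DeviceState shape and the reading of "Current - 2" (two major versions
# behind the current release) are assumptions.
from dataclasses import dataclass, field

# The most severe triggered action wins.
SEVERITY = {"Allow": 0, "Warn": 1, "Block access": 2, "Wipe data": 3}


def parse_version(version: str, parts: int = 3) -> tuple:
    """'15.0' -> (15, 0, 0) so that '11' and '11.0' compare equal."""
    nums = [int(p) for p in version.split(".")]
    return tuple(nums + [0] * (parts - len(nums)))


@dataclass
class ConditionalLaunchPolicy:
    max_pin_attempts: int = 5
    offline_grace_minutes: int = 720
    min_os_version: dict = field(
        default_factory=lambda: {"iOS": "15.0", "Android": "11"})
    max_app_version_lag: int = 2  # "Current - 2"


@dataclass
class DeviceState:
    platform: str              # "iOS" or "Android"
    os_version: str
    app_version: str
    current_app_version: str   # latest published release of the app
    failed_pin_attempts: int
    minutes_offline: int
    jailbroken_or_rooted: bool
    account_disabled: bool


def evaluate(policy: ConditionalLaunchPolicy, state: DeviceState):
    """Return (action, triggered_conditions) per the conditional-launch table."""
    triggered = []
    if state.failed_pin_attempts >= policy.max_pin_attempts:
        triggered.append(("Maximum PIN attempts", "Wipe data"))
    if state.jailbroken_or_rooted:
        triggered.append(("Jailbroken/rooted device", "Wipe data"))
    if state.minutes_offline > policy.offline_grace_minutes:
        triggered.append(("Offline grace period", "Block access"))
    min_os = policy.min_os_version.get(state.platform)
    if min_os and parse_version(state.os_version) < parse_version(min_os):
        triggered.append(("Minimum OS version", "Block access"))
    if state.account_disabled:
        triggered.append(("Disabled account", "Block access"))
    lag = (parse_version(state.current_app_version)[0]
           - parse_version(state.app_version)[0])
    if lag > policy.max_app_version_lag:
        triggered.append(("Minimum app version", "Warn"))
    if not triggered:
        return "Allow", []
    action = max((a for _, a in triggered), key=SEVERITY.__getitem__)
    return action, [c for c, _ in triggered]


# Constructed sample states for a stand-alone run.
SAMPLE_STATES = {
    "healthy": DeviceState("iOS", "17.2", "4.2", "4.3", 0, 30, False, False),
    "rooted": DeviceState("Android", "14", "5.0", "5.0", 2, 10, True, False),
    "stale_offline": DeviceState("Android", "13", "2.0", "5.0", 0, 721, False, False),
}

if __name__ == "__main__":
    policy = ConditionalLaunchPolicy()
    for name, state in SAMPLE_STATES.items():
        print(name, evaluate(policy, state))
```

Returning the full list of triggered conditions alongside the action matters for incident review: a wipe caused by a rooted device and a wipe caused by five bad PINs need different follow-up even though the enforcement is the same.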
Protected Apps
Apps that support Intune App Protection policies:
Microsoft Apps
- Microsoft Outlook
- Microsoft Teams
- Microsoft Word/Excel/PowerPoint
- Microsoft OneDrive
- Microsoft Edge
- Microsoft SharePoint
Third-Party Apps
- Adobe Acrobat Reader
- Box
- Cisco Webex
- Salesforce
- SAP apps
- ServiceNow
Line of Business
- Apps with Intune SDK
- Wrapped iOS apps
- Wrapped Android apps
- Custom MAM apps
Selective Wipe
Remove only corporate data from devices without affecting personal data:
What Gets Removed:
- Corporate app data
- Work account credentials
- Corporate email and calendars
- Managed app configurations
- VPN/Wi-Fi profiles (work)
What Stays:
- Personal photos and videos
- Personal apps and data
- Personal accounts
- Text messages
- Personal contacts
Policy Assignment
User Groups
Assign to Entra ID user groups. Policies follow users across devices.
Exclusions
Exclude specific groups from policy assignment (e.g., IT admins, executives).
Filters
Further refine assignment with device filters (managed, unmanaged, OS version).
API Reference
- GET /api/devices/app-protection-policies — List app protection policies
- POST /api/devices/app-protection-policies — Create app protection policy
- GET /api/devices/app-protection-status — Get protection status by user/device
- POST /api/devices/:id/selective-wipe — Perform selective wipe
- GET /api/devices/protected-apps — List MAM-enabled apps
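The client below is an added example, not the product's own SDK. It wraps the endpoints listed above using only the standard library, and shows the one input-handling detail a selective-wipe call needs: the `:id` path parameter is percent-encoded so an id containing `/` or `?` cannot redirect the POST to a different resource. The paths come from the page; the bearer-token scheme, JSON request/response bodies, the `user`/`device` query parameters on the status endpoint, and the `dry_run_opener` used to exercise the client offline are assumptions.

```python
# Added example, not the product's own client: a small wrapper around the
# endpoints listed on the page. The paths come from the page; the bearer-token
# auth scheme, JSON bodies, the "user"/"device" query parameters on the status
# endpoint and the response format are assumptions.
import json
import urllib.parse
import urllib.request

DRY_RUN_LOG = []  # requests captured by dry_run_opener (no network access)


class _DryRunResponse:
    """Stands in for the HTTP response when the client runs offline."""
    def __init__(self, payload):
        self._body = json.dumps(payload).encode()

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def dry_run_opener(req):
    """Records the request and answers with a constructed JSON body."""
    DRY_RUN_LOG.append(req)
    return _DryRunResponse({"ok": True,
                            "path": urllib.parse.urlparse(req.full_url).path})


class AppProtectionClient:
    def __init__(self, base_url, token, opener=urllib.request.urlopen):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self._open = opener   # injectable: pass dry_run_opener to stay offline

    def _request(self, method, path, body=None, params=None):
        url = self.base_url + path
        query = {k: v for k, v in (params or {}).items() if v is not None}
        if query:
            url += "?" + urllib.parse.urlencode(query)
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", "Bearer " + self.token)
        req.add_header("Accept", "application/json")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with self._open(req) as resp:
            raw = resp.read().decode()
            return json.loads(raw) if raw else None

    def list_policies(self):
        return self._request("GET", "/api/devices/app-protection-policies")

    def create_policy(self, policy: dict):
        return self._request("POST", "/api/devices/app-protection-policies",
                             body=policy)

    def protection_status(self, user=None, device=None):
        return self._request("GET", "/api/devices/app-protection-status",
                             params={"user": user, "device": device})

    def list_protected_apps(self):
        return self._request("GET", "/api/devices/protected-apps")

    def selective_wipe(self, device_id: str):
        # Refuse empty ids and percent-encode the rest so an id containing
        # "/" or "?" cannot change which resource the POST reaches.
        if not isinstance(device_id, str) or not device_id.strip():
            raise ValueError("device_id is required")
        safe_id = urllib.parse.quote(device_id, safe="")
        return self._request("POST", f"/api/devices/{safe_id}/selective-wipe")


if __name__ == "__main__":
    client = AppProtectionClient("https://mam.example.test", "PLACEHOLDER_TOKEN",
                                 opener=dry_run_opener)
    print(client.selective_wipe("device-123"))
    print(DRY_RUN_LOG[-1].get_method(), DRY_RUN_LOG[-1].full_url)
```

Drop the `opener` argument to send real requests with `urllib.request.urlopen`; the dry-run opener exists so the request construction can be checked without touching a tenant.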