Manage Apps With Intune

This document provides an overview of app management capabilities in Microsoft Intune. It describes how Intune can be used to add, assign, configure, protect and monitor apps across various platforms. Platform-specific capabilities are summarized in a table for easy reference.

Uploaded by

ion
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
100% found this document useful (1 vote)
5K views581 pages

Manage Apps With Intune

This document provides an overview of app management capabilities in Microsoft Intune. It describes how Intune can be used to add, assign, configure, protect and monitor apps across various platforms. Platform-specific capabilities are summarized in a table for easy reference.

Uploaded by

ion
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 581

Contents

Manage apps
Overview
App management overview
Quickstarts
Add and assign an app
Create and assign an app protection policy
Tutorials
Protect email on managed devices
Protect email on unmanaged devices
Configure Slack to use Intune
Concepts
App lifecycle
App protection policies and work profiles (Android)
Use Intune without Google Mobile Services
MAM FAQ
How-to guides
Add apps
Add apps overview
Intune protected apps
Store apps
Android store apps
iOS store apps
Windows Phone 8.1 store apps
Windows store apps
Microsoft Store for Business apps
Managed Google Play apps
Microsoft 365 Suite
Microsoft 365 apps for Windows 10
Microsoft 365 apps for macOS
Android Enterprise system apps
Web apps
Built-in apps
Build your app (LOB)
Android LOB apps
iOS LOB apps
Windows Phone LOB apps
Windows LOB apps
Sideload Windows LOB apps
macOS LOB apps
Win32 app management
Win32 app S mode devices
Add specific apps
Company Portal app - Autopilot
Company Portal app - Download
Company Portal app - macOS
Microsoft Edge for Windows 10
Microsoft Edge for macOS
Microsoft Defender ATP for macOS
PowerShell scripts
macOS shell scripts
Assign apps
Assign apps to groups
Include and exclude apps
Deploy Windows 10 apps
Deploy apps to Government environments
Monitor apps
Discovered apps
Configure apps
App configuration policies
iOS managed devices
Android managed devices
Managed apps
Use iOS app provisioning profiles
Configure specific apps
Configure the Managed Home Screen
Configure the Company Portal
Configure Microsoft Launcher
Configure Microsoft Edge
Configure Office
Configure Outlook
Configure Microsoft Teams
Configure Google Chrome for Android
VPN and per-app VPN on Android Enterprise
Volume-purchased apps and books
Volume-purchased overview
Volume-purchased iOS apps
Microsoft Store for Business apps
iOS eBooks
Protect apps
Selectively wipe apps
Use app protection policies
App protection policies overview
Data protection framework using app protection policies
Create app protection policies
General settings
Android settings
iOS settings
Conditional launch
Data transfer exceptions
Validate app protection policies
App protection policy delivery
Protecting app extensions
Monitor app protection user status
Get ready for WIP app protection policies
Create & assign WIP app protection policies
Manage data transfer between iOS apps
Review app protection logs
Troubleshoot
Help users troubleshoot problems
Troubleshoot app installation problems
App installation error reference
Troubleshoot mobile application management
Review app protection logs
Troubleshooting app protection policy deployment
Reference
Protect apps with Intune App SDK
Get started with Intune App SDK
Prepare LOB apps for app protection
App Wrapping Tool for iOS
Intune App SDK for iOS
App Wrapping Tool for Android
Intune App SDK for Android
Intune App SDK for Android testing guide
Intune App SDK Xamarin Bindings
What is Microsoft Intune app management?
9/4/2020 • 7 minutes to read

As an IT admin, you can use Microsoft Intune to manage the client apps that your company's workforce uses. This functionality is in addition to managing
devices and protecting data. One of an admin's priorities is to ensure that end users have access to the apps they need to do their work. This goal can be a
challenge because:
There are a wide range of device platforms and app types.
You might need to manage apps on both company devices and users' personal devices.
You must ensure that your network and your data remain secure.
Additionally, you might want to assign and manage apps on devices that are not enrolled with Intune.

Mobile Application Management (MAM) basics


Intune mobile application management refers to the suite of Intune management features that lets you publish, push, configure, secure, monitor, and
update mobile apps for your users.
MAM allows you to manage and protect your organization's data within an application. With MAM without enrollment (MAM-WE), a work or school-
related app that contains sensitive data can be managed on almost any device, including personal devices in bring-your-own-device (BYOD) scenarios.
Many productivity apps, such as the Microsoft Office apps, can be managed by Intune MAM. See the official list of Microsoft Intune protected apps available
for public use.
Intune MAM supports two configurations:
Intune MDM + MAM : IT administrators can only manage apps using MAM and app protection policies on devices that are enrolled with Intune mobile
device management (MDM). To manage apps using MDM + MAM, customers should use Intune in the Microsoft Endpoint Manager admin center.
MAM without device enrollment : MAM without device enrollment, or MAM-WE, allows IT administrators to manage apps using MAM and app
protection policies on devices not enrolled with Intune MDM. This means apps can be managed by Intune on devices enrolled with third-party
Enterprise Mobility Management (EMM) providers or not enrolled with an MDM at all. To manage apps using MAM-WE, customers should use Intune in
the Microsoft Endpoint Manager admin center. For more information about BYOD and Microsoft's EMS, see Technology decisions for enabling BYOD
with Microsoft Enterprise Mobility + Security (EMS).

App management capabilities by platform


Intune offers a range of capabilities to help you get the apps you need on the devices you want to run them on. The following table provides a summary of
app management capabilities.

App management capability                                                           Android/Android Enterprise   iOS/iPadOS   macOS   Windows 10
Add and assign apps to devices and users                                            Yes                          Yes          Yes     Yes
Assign apps to devices not enrolled with Intune                                     Yes                          Yes          No      No
Use app configuration policies to control the startup behavior of apps              Yes                          Yes          No      No
Use mobile app provisioning policies to renew expired apps                          No                           Yes          No      No
Protect company data in apps with app protection policies                           Yes                          Yes          No      No (1)
Remove only corporate data from an installed app (app selective wipe)               Yes                          Yes          No      Yes
Monitor app assignments                                                             Yes                          Yes          Yes     Yes
Assign and track volume-purchased apps from an app store                            No                           No           No      Yes
Mandatory install of apps on devices (required) (2)                                 Yes                          Yes          Yes     Yes
Optional installation on devices from the Company Portal (available installation)   Yes (3)                      Yes          Yes     Yes
Install shortcut to an app on the web (web link)                                    Yes (4)                      Yes          Yes     Yes
In-house (line-of-business) apps                                                    Yes                          Yes          Yes     Yes
Apps from a store                                                                   Yes                          Yes          No      Yes
Update apps                                                                         Yes                          Yes          No      Yes

(1) Consider using Windows Information Protection to protect apps on devices that run Windows 10.
(2) Applies to devices managed by Intune only.
(3) Intune supports available apps from the Managed Google Play store on Android Enterprise devices.
(4) Intune does not provide installing a shortcut to an app as a web link on standard Android Enterprise devices. However, web link support is provided for
multi-app dedicated Android Enterprise devices.

Get started
You can find most app-related information in the Apps workload, which you can access by doing the following:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps .

The apps workload provides links to access common app information and functionality.
The top of the Apps workload navigation menu provides commonly used app details:
Overview : Select this option to view the tenant name, the MDM authority, the tenant location, the account status, app installation status, and app
protection policy status.
All apps : Select this option to display a list of all available apps. You can add additional apps from this page. Additionally, you can see the status of each
app, as well as whether each app is assigned. For more information, see Add apps and Assign apps.
Monitor apps
App licenses : View, assign, and monitor volume-purchased apps from the app stores. For more information, see iOS volume-purchased
program (VPP) apps and Microsoft Store for Business volume-purchased apps.
Discovered apps : View apps that were assigned by Intune or installed on a device. For more information, see Intune discovered apps.
App install status : View the status of an app assignment that you created. For more information, see Monitor app information and assignments
with Microsoft Intune.
App protection status : View the status of an app protection policy for a user that you select.
By Platform : Select these platforms to view the available apps by platform.
Windows
iOS
macOS
Android
Policy :
App protection policies : Select this option to associate settings with an app and help protect the company data it uses. For example, you might
restrict the capabilities of an app to communicate with other apps, or you might require the user to enter a PIN to access a company app. For
more information, see App protection policies.
App configuration policies : Select this option to supply settings that might be required when a user runs an app. For more information, see
App configuration policies, iOS app configuration policies, and Android app configuration policies.
iOS app provisioning profiles : iOS apps include a provisioning profile and code that is signed by a certificate. When the certificate expires, the
app can no longer be run. Intune gives you the tools to proactively assign a new provisioning profile policy to devices that have apps that are
nearing expiration. For more information, see iOS app provisioning profiles.
S mode supplemental policies : Select this option to authorize additional applications to run on your managed S mode devices. For more
information, see S mode supplemental policies.
Policy sets : Select this option to create an assignable collection of apps, policies, and other management objects you've created. For more
information, see Policy sets.
Other :
App selective wipe : Select this option to remove only corporate data from a selected user's device. For more information, see App selective
wipe.
App categories : Add, pin, and delete app category names.
E-books : Some app stores give you the ability to purchase multiple licenses for an app or books that you want to use in your company. For more
information, see Manage volume-purchased apps and books with Microsoft Intune.
Help and support : Troubleshoot, request support, or view Intune status. For more information, see Troubleshoot problems.
Try the interactive guide
The Manage and protect mobile and desktop applications with Microsoft Endpoint Manager interactive guide steps you through the Microsoft Endpoint
Manager admin center to show you how to manage devices enrolled in Intune, enforce compliance with policies, and protect your organization's data.
https://mslearn.cloudguides.com/guides/Manage%20and%20protect%20mobile%20and%20desktop%20applications%20with%20Microsoft%20Endpoint%20Manager

Additional information
The following items within the console provide app related functionality:
Microsoft Store for Business : Set up integration to the Microsoft Store for Business. Afterward, you can synchronize purchased applications to
Intune, assign them, and track your license usage. For more information, see Microsoft Store for Business volume-purchased apps.
Windows enterprise certificate : Apply or view the status of a code-signing certificate that's used to distribute line-of-business apps to your
managed Windows devices.
Windows Symantec certificate : Apply or view the status of a Symantec code-signing certificate.
Windows side loading keys : Add a Windows side-loading key that can be used to install an app directly to devices rather than publishing and
downloading the app from the Windows store. For more information, see Side-load a Windows app.
Apple VPP tokens : Apply and view your iOS/iPadOS Volume Purchase Program (VPP) licenses. For more information, see iOS/iPadOS volume-
purchased apps.
Managed Google Play : Managed Google Play is Google's enterprise app store and sole source of applications for Android Enterprise. For more
information, see Add Managed Google Play apps to Android Enterprise devices with Intune.
Customization : Customize the Company Portal to give it your company branding. For more information, see Company Portal configuration.
For more information about apps, see Add apps to Microsoft Intune.

Next steps
Add an app to Microsoft Intune
Quickstart: Add and assign a client app
4/22/2020 • 3 minutes to read

In this quickstart, you will use Intune to add and assign a client app to your company's workforce. One of an
admin's priorities is to ensure that end users have access to the apps they need to do their work.
If you don't have an Intune subscription, sign up for a free trial account.

Prerequisites
To complete this quickstart, you must create a user, create a group, and enroll a device.

Sign in to Intune
Sign in to Intune as a Global administrator or an Intune Service administrator. If you have created an Intune Trial
subscription, the account you created the subscription with is the Global administrator.

Add the client app to Intune


An app can be included so that Intune can manage aspects of the app.
Use the following steps to add an app to Intune:
1. In Intune, select Apps > All apps > Add .
2. Select Windows 10 in the Microsoft 365 Apps section of the Select app type pane.
3. Click Select . The Add app steps are displayed.
4. Confirm the default details in the App suite information page.
5. Click Next to display the Configure app suite page.
6. Next to Update Channel select Monthly from the dropdown box.
7. Confirm the remaining default details in the Configure app suite page.
8. Click Next to display the Scope tags page.
9. Click Select scope tags to optionally add scope tags for the app. For more information, see Use role-based
access control (RBAC) and scope tags for distributed IT.
10. Click Next to display the Assignments page.
11. Select the group assignments for the app. For more information, see Add groups to organize users and devices.
12. Click Next to display the Review + create page. Review the values and settings you entered for the app.
13. When you are done, click Create to add the app to Intune.

Assign the app to a group


After you've added an app to Microsoft Intune, you can assign the app to groups of users or devices.

NOTE
This quickstart builds on previous quickstarts in this series. Please see prerequisites in this quickstart for details.

Use the following steps to assign an app to a group:


1. In Intune, select Apps > All apps .
2. Select the app that you want to assign to a group.
3. Click Assignments > Add group to display the Add group pane.
4. Select Available for enrolled devices in the Assignment type dropdown box.
5. Click Included Groups > Select groups to include > Contoso Testers .
6. Click Select > OK > OK > Save to assign the group.
You now have assigned the app to the Contoso Testers group.

Install the app on the enrolled device


You must install and use the Company Portal app to install the Contoso's To-Do app made available by Intune.
Use the following steps to verify that the app is available to the user of the enrolled device.
1. Log in to your enrolled Windows 10 Desktop device.

IMPORTANT
The device must be enrolled with Intune. Also, you must sign in to the device using an account contained in the
group you assigned to the app.

2. From the Start menu, open the Microsoft Store . Then, find the Company Portal app and install it.
3. Launch the Company Portal app.
4. Click the app that you added using Intune. In this quickstart you added the Microsoft 365 Apps suite.

NOTE
If you did not successfully assign any apps to the Intune user, you will see the following message: Your IT
administrator did not make any apps available to you.

5. Click Install .
If your business needs require that you assign the Company Portal app to your workforce, you can manually assign
the Windows 10 Company Portal app directly from Intune. For more information see, Manually add the Windows
10 Company Portal app by using Microsoft Intune.

Next steps
In this quickstart, you added apps to Intune, assigned the apps to a group, and installed the apps on the enrolled
Windows 10 Desktop device. For more information about managing apps in Intune, see What is Microsoft Intune
app management?
To follow this series of Intune quickstarts, continue to the next quickstart.
Quickstart: Create and assign an app protection policy
Quickstart: Create and assign an app protection
policy
3/9/2020 • 2 minutes to read

In this quickstart, you will use Intune to create and assign an app protection policy to a client app on an end user's
device. Intune uses app protection policies to confirm that your apps are meeting your organization's data
protection requirements.
If you don't have an Intune subscription, sign up for a free trial account.

Prerequisites
To complete this quickstart, you must create a user, create a group, enroll a device, and add and assign an app.

Sign in to Intune
Sign in to Intune as a Global administrator or an Intune Service administrator. If you have created an Intune
Trial subscription, the account you created the subscription with is the Global administrator.

Create an app protection policy


Use the following steps to create an app protection policy:
1. In Intune, select Apps > App protection policies > Create Policy .
2. Enter the following details:
Name : Windows 10 content protection
Description : Users associated with this policy will not be able to cut, copy, or paste any content between
the assigned app and other non-managed apps on the device.
Platform : Windows 10
Enrollment state : With enrollment
3. Select Protected apps to choose the apps that must adhere to this policy.
4. Click Add apps .
5. Under Recommended apps , select Word Mobile .
6. Click OK > OK .
7. Select Required settings to configure the app.
8. Click Allow Overrides to set the Windows Information Protection mode. Selecting this option will block
enterprise data from leaving the protected app.
9. Click OK > Create .
You'll now see the app protection policy in Intune.
Assign the app protection policy
After you've created an app protection policy in Intune, you can assign it to groups.
Use the following steps to assign the app protection policy:
1. In Intune, select Intune > Apps > App protection policies .
2. Select the app protection policy you created earlier. In this quickstart, the policy is Windows 10 content
protection .
3. Select Assignments .
4. Click Select groups to include in the Include tab.
5. Select Contoso Testers as the group to include.
6. Click Select > Save .
You now have assigned the app protection policy.

NOTE
App protection policies can only be applied to groups that contain users, not groups that contain devices.

Next steps
In this quickstart, you created and assigned an app protection policy. Users of the app that have this policy assigned
will not be able to cut, copy, or paste any content between the assigned app and other non-managed apps on the
device. This type of protection will help protect your organization's data. For more information about app
protection policies in Intune, see What are app protection policies?
To follow this series of Intune quickstarts, continue to the next quickstart.
Quickstart: Create and assign a custom role
Tutorial: Protect Exchange Online email on managed
devices
9/4/2020 • 4 minutes to read

Learn about using device compliance policies with Conditional Access to make sure that iOS devices can access
Exchange Online email only if they're managed by Intune and using an approved email app.
In this tutorial, you'll learn how to:
Create an Intune iOS device compliance policy to set the conditions that a device must meet to be considered
compliant.
Create an Azure Active Directory (Azure AD) Conditional Access policy that requires iOS devices to enroll in
Intune, comply with Intune policies, and use the approved Outlook mobile app to access Exchange Online email.
If you don't have an Intune subscription, sign up for a free trial account.

Prerequisites
You'll need a test tenant with the following subscriptions for this tutorial:
Azure Active Directory Premium (free trial)
Microsoft 365 Apps for business subscription that includes Exchange (free trial)
Before you begin, create a test device profile for iOS devices by following the steps in Quickstart: Create an email
device profile for iOS/iPadOS.

Sign in to Intune
Sign in to the Microsoft Endpoint Manager admin center as a Global administrator or an Intune Service
administrator. If you have created an Intune Trial subscription, the account you created the subscription with is the
Global administrator.

Create the iOS device compliance policy


Set up an Intune device compliance policy to set the conditions that a device must meet to be considered compliant.
For this tutorial, we'll create a device compliance policy for iOS devices. Compliance policies are platform-specific,
so you need a separate compliance policy for each device platform you want to evaluate.
1. In Intune, select Devices > Compliance policies > Create policy .
2. For Name , enter iOS compliance policy test .
3. For Description , enter iOS compliance policy test .
4. For Platform , select iOS/iPadOS .
5. Select Settings > Email .
a. Next to Require mobile devices to have a managed email profile , select Require .
b. Select OK .
6. Select Device Health . Next to Jailbroken devices , select Block , and then select OK .
7. Select System Security and enter Password settings. For this tutorial, select the following recommended
settings:
For Require a password to unlock mobile devices , select Require .
For Simple passwords , select Block .
For Minimum password length , enter 4 .

TIP
Default values that are grayed out and italicized are only recommendations. You must replace values that are
recommendations to configure a setting.

For Required password type , choose Alphanumeric .


For Maximum minutes after screen lock before password is required , choose Immediately .
For Password expiration (days) , enter 41 .
For Number of previous passwords to prevent reuse , enter 5 .

8. Select OK , and then select OK again.


9. Select Create .
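The compliance policy built in the steps above, expressed as an audit check rather than portal clicks. This is an added example, not code from the Microsoft docs; it assumes the policy is read back through Microsoft Graph and uses the v1.0 iosCompliancePolicy property names, and both policy objects are constructed samples. The second sample shows the failure mode the TIP warns about: a greyed-out recommendation that was never replaced comes back as null and is not enforced.

```python
"""Audit an Intune iOS compliance policy (Microsoft Graph iosCompliancePolicy
shape) against the settings selected in this tutorial."""
from typing import Any, Callable, Dict, List, Tuple

# Constructed sample: the tutorial's "iOS compliance policy test" as Graph
# would return it (v1.0 iosCompliancePolicy property names, tutorial values).
COMPLIANCE_POLICY: Dict[str, Any] = {
    "@odata.type": "#microsoft.graph.iosCompliancePolicy",
    "displayName": "iOS compliance policy test",
    "managedEmailProfileRequired": True,          # Settings > Email: Require
    "securityBlockJailbrokenDevices": True,       # Device Health > Jailbroken devices: Block
    "passcodeRequired": True,                     # Require a password to unlock: Require
    "passcodeBlockSimple": True,                  # Simple passwords: Block
    "passcodeMinimumLength": 4,                   # Minimum password length: 4
    "passcodeRequiredType": "alphanumeric",       # Required password type: Alphanumeric
    "passcodeMinutesOfInactivityBeforeLock": 0,   # Immediately
    "passcodeExpirationDays": 41,                 # Password expiration (days): 41
    "passcodePreviousPasscodeBlockCount": 5,      # Previous passwords to prevent reuse: 5
}

# Constructed sample: the greyed-out recommendations were never replaced, so
# Graph returns null for them and nothing is enforced for those settings.
LAX_COMPLIANCE_POLICY: Dict[str, Any] = {
    "@odata.type": "#microsoft.graph.iosCompliancePolicy",
    "displayName": "iOS compliance policy (recommendations not applied)",
    "managedEmailProfileRequired": True,
    "securityBlockJailbrokenDevices": False,
    "passcodeRequired": True,
    "passcodeBlockSimple": None,
    "passcodeMinimumLength": None,
    "passcodeRequiredType": "deviceDefault",
    "passcodeMinutesOfInactivityBeforeLock": 15,
    "passcodeExpirationDays": None,
    "passcodePreviousPasscodeBlockCount": None,
}

# (property, predicate on the stored value, requirement in plain words)
REQUIREMENTS: List[Tuple[str, Callable[[Any], bool], str]] = [
    ("managedEmailProfileRequired", lambda v: v is True, "managed email profile required"),
    ("securityBlockJailbrokenDevices", lambda v: v is True, "jailbroken devices blocked"),
    ("passcodeRequired", lambda v: v is True, "passcode required"),
    ("passcodeBlockSimple", lambda v: v is True, "simple passcodes blocked"),
    ("passcodeMinimumLength", lambda v: isinstance(v, int) and v >= 4, "minimum length of at least 4"),
    ("passcodeRequiredType", lambda v: v == "alphanumeric", "alphanumeric passcode"),
    ("passcodeMinutesOfInactivityBeforeLock", lambda v: v == 0, "passcode required immediately after lock"),
    ("passcodeExpirationDays", lambda v: isinstance(v, int) and v <= 41, "expiration of at most 41 days"),
    ("passcodePreviousPasscodeBlockCount", lambda v: isinstance(v, int) and v >= 5, "at least 5 previous passcodes blocked"),
]


def audit_ios_compliance(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per requirement the policy does not meet.

    A null or missing value is reported as unmet: in the portal that is a
    recommendation that was shown but never set, so it is not evaluated.
    """
    if policy.get("@odata.type") != "#microsoft.graph.iosCompliancePolicy":
        return ["not an iosCompliancePolicy object"]
    findings: List[str] = []
    for prop, is_ok, requirement in REQUIREMENTS:
        value = policy.get(prop)
        if not is_ok(value):
            findings.append(f"{prop}={value!r}: expected {requirement}")
    return findings


if __name__ == "__main__":
    for candidate in (COMPLIANCE_POLICY, LAX_COMPLIANCE_POLICY):
        result = audit_ios_compliance(candidate)
        print(candidate["displayName"], "->", "OK" if not result else result)
```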

Create the Conditional Access policy


Now we'll create a Conditional Access policy that requires all device platforms to enroll in Intune and comply with
our Intune compliance policy before they can access Exchange Online. We'll also require the Outlook app for email
access. Conditional Access policies are configurable in either the Azure AD portal or the Intune portal. Since we're
already in the Intune portal, we'll create the policy here.
1. In Intune, select Endpoint security > Conditional Access > New policy .
2. For Name , enter Test policy for Microsoft 365 email .
3. Under Assignments , select Users and groups . On the Include tab, select All users , and then select
Done .
4. Under Assignments , select Cloud apps or actions . Because we want to protect Microsoft 365 Exchange
Online email, we'll select it by following these steps:
a. On the Include tab, choose Select apps .
b. Choose Select .
c. In the applications list, select Office 365 Exchange Online , and then choose Select .
d. Select Done .

5. Under Assignments , select Conditions > Device platforms .


a. Under Configure , select Yes .
b. On the Include tab, select Any device , and then select Done .
c. Select Done again.

6. Under Assignments , select Conditions > Client apps .


a. Under Configure , select Yes .
b. For this tutorial, select Mobile apps and desktop clients and Modern authentication clients
(which refers to apps like Outlook for iOS and Outlook for Android). Clear all other check boxes.
c. Select Done , and then select Done again.
7. Under Access controls , select Grant .
a. On the Grant pane, select Grant access .
b. Select Require device to be marked as compliant .
c. Select Require approved client app .
d. Under For multiple controls , select Require all the selected controls . This setting ensures that
both requirements you selected are enforced when a device tries to access email.
e. Choose Select .
8. Under Enable policy , select On .

9. Select Create .
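The Conditional Access policy from the steps above, checked as a Graph object instead of in the portal. This is an added example, not code from the Microsoft docs; it assumes the policy is read through Microsoft Graph (conditionalAccessPolicy shape), uses the well-known Office 365 Exchange Online application ID, and both policy objects are constructed samples. The second sample shows the two slips that silently undo step 7d and step 8: choosing "Require one of the selected controls", and leaving the policy in report-only mode.

```python
"""Audit a Conditional Access policy (Microsoft Graph conditionalAccessPolicy
shape) for the controls this tutorial sets on Exchange Online access."""
from typing import Any, Dict, List

# Well-known application ID of the Office 365 Exchange Online service principal.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"

# Constructed sample: the tutorial's "Test policy for Microsoft 365 email" as
# Graph would return it (all users, Exchange Online, any platform, mobile apps
# and desktop clients, compliant device AND approved client app).
CA_POLICY: Dict[str, Any] = {
    "displayName": "Test policy for Microsoft 365 email",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
        "platforms": {"includePlatforms": ["all"], "excludePlatforms": []},
        "clientAppTypes": ["mobileAppsAndDesktopClients"],
    },
    "grantControls": {
        "operator": "AND",
        "builtInControls": ["compliantDevice", "approvedApplication"],
    },
}

# Constructed sample: same targeting, but "Require one of the selected
# controls" was chosen and the policy was left in report-only mode.
WEAK_CA_POLICY: Dict[str, Any] = {
    "displayName": "Test policy for Microsoft 365 email (weak)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
        "platforms": {"includePlatforms": ["all"], "excludePlatforms": []},
        "clientAppTypes": ["mobileAppsAndDesktopClients"],
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": ["compliantDevice", "approvedApplication"],
    },
}

REQUIRED_CONTROLS = {"compliantDevice", "approvedApplication"}


def audit_email_ca_policy(policy: Dict[str, Any]) -> List[str]:
    """Return findings; an empty list means the policy enforces what the
    tutorial configures for iOS access to Exchange Online."""
    findings: List[str] = []
    conditions = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}

    if policy.get("state") != "enabled":
        findings.append(f"state={policy.get('state')!r}: policy is not enforced")

    users = conditions.get("users") or {}
    if "All" not in (users.get("includeUsers") or []):
        findings.append("users: policy does not include all users")
    if users.get("excludeUsers"):
        findings.append(f"users: {len(users['excludeUsers'])} user(s) excluded from the policy")

    apps = (conditions.get("applications") or {}).get("includeApplications") or []
    if EXCHANGE_ONLINE_APP_ID not in apps and "All" not in apps:
        findings.append("applications: Office 365 Exchange Online is not targeted")

    platforms = (conditions.get("platforms") or {}).get("includePlatforms") or []
    if "all" not in platforms and "iOS" not in platforms:
        findings.append("platforms: iOS devices are not covered")

    if "mobileAppsAndDesktopClients" not in (conditions.get("clientAppTypes") or []):
        findings.append("clientAppTypes: modern authentication clients (Outlook mobile) are not covered")

    controls = set(grant.get("builtInControls") or [])
    missing = REQUIRED_CONTROLS - controls
    if missing:
        findings.append(f"grantControls: missing {sorted(missing)}")
    elif len(controls) > 1 and grant.get("operator") != "AND":
        # With OR, a compliant device may use any client, and an approved
        # client may run on an unenrolled device; both controls must apply.
        findings.append(
            f"grantControls.operator={grant.get('operator')!r}: "
            "select 'Require all the selected controls'"
        )
    return findings


if __name__ == "__main__":
    for candidate in (CA_POLICY, WEAK_CA_POLICY):
        result = audit_email_ca_policy(candidate)
        print(candidate["displayName"], "->", "OK" if not result else result)
```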

Try it out
With the policies you've created, any iOS device that attempts to sign in to Microsoft 365 email will need to enroll
in Intune and use the Outlook mobile app for iOS/iPadOS. To test this scenario on an iOS device, try signing in to
Exchange Online using credentials for a user in your test tenant. You'll be prompted to enroll the device and install
the Outlook mobile app.
1. To test on an iPhone, go to Settings > Passwords & Accounts > Add Account > Exchange .
2. Enter the email address for a user in your test tenant, and then press Next .
3. Press Sign In .
4. Enter the test user's password, and press Sign in .
5. A message appears that says your device must be managed to access the resource, along with an option to
enroll.

Clean up resources
When the test policies are no longer needed, you can remove them.
1. Sign in to the Microsoft Endpoint Manager admin center as a Global Administrator or an Intune Service
Administrator.
2. Select Devices > Compliance policies .
3. In the Policy Name list, select the context menu (...) for your test policy, and then select Delete . Select OK
to confirm.
4. Select Endpoint security > Conditional access .
5. In the Policy Name list, select the context menu (...) for your test policy, and then select Delete . Select Yes
to confirm.

Next steps
In this tutorial, you created policies that require iOS devices to enroll in Intune and use the Outlook app to access
Exchange Online email. To learn about using Intune with Conditional Access to protect other apps and services,
including Exchange ActiveSync clients for Microsoft 365 Exchange Online, see Set up Conditional Access.
Tutorial: Protect Exchange Online email on
unmanaged devices
9/4/2020 • 7 minutes to read

Learn about using app protection policies with Conditional Access to protect Exchange Online, even when devices
aren't enrolled in a device management solution like Intune. In this tutorial, you'll learn how to:
Create an Intune app protection policy for the Outlook app. You'll limit what the user can do with app data by
preventing "Save As" and restrict cut, copy, and paste actions.
Create Azure Active Directory (Azure AD) Conditional Access policies that allow only the Outlook app to access
company email in Exchange Online. You'll also require multi-factor authentication (MFA) for Modern
authentication clients, like Outlook for iOS and Android.

Prerequisites
You'll need a test tenant with the following subscriptions for this tutorial:
Azure Active Directory Premium (free trial)
Intune subscription (free trial)
Microsoft 365 Apps for business subscription that includes Exchange (free trial)

Sign in to Intune
For this tutorial, when you sign in to the Microsoft Endpoint Manager admin center, sign in as a Global
administrator or an Intune Service administrator. If you've created an Intune Trial subscription, the account you
created the subscription with is the Global administrator.

Create the app protection policy


In this tutorial, we'll set up an Intune app protection policy for iOS for the Outlook app to put protections in place at
the app level. We'll require a PIN to open the app in a work context. We'll also limit data sharing between apps and
prevent company data from being saved to a personal location.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > App protection policies > Create policy , and select iOS/iPadOS for the platform.
3. On the Basics page, configure the following settings:
Name : Enter Outlook app policy test .
Description : Enter Outlook app policy test .
The Platform value is set to your previous choice.
Click Next to continue.
4. The Apps page allows you to choose how you want to apply this policy to apps on different devices.
Configure the following options:
For Target to all app types : Select No , and then for App types , select the checkbox for Apps on
unmanaged devices .
Click Select public apps . In the Apps list, select Outlook , and then choose Select . Outlook now
appears under Public apps.
Click Next to continue.
5. The Data protection page provides settings that determine how users interact with data in the apps that
this app protection policy applies. Configure the following options:
Below Data Transfer, configure the following settings, leaving all other settings at their default values:
For Send org data to other apps , select None .
For Receive data from other apps , select None .
For Save copies of org data , select Block .
For Restrict cut, copy and paste between other apps , select Blocked .

Select Next to continue.


6. The Access requirements page provides settings to allow you to configure the PIN and credential
requirements that users must meet to access apps in a work context. Configure the following settings,
leaving all other settings at their default values:
For PIN for access , select Require .
For Work or school account credentials for access , select Require .
Select Next to continue.
7. The Conditional launch page provides settings to set the sign-in security requirements for your app
protection policy. For this tutorial, you don't need to configure these settings.
Click Next to continue.
8. Use the Assignments page to assign the app protection policy to groups of users. For this tutorial, you
won't assign this policy to a group.
Click Next to continue.
9. On the Next: Review + create page, review the values and settings you entered for this app protection
policy. Click Create to create the app protection policy in Intune.
The app protection policy for Outlook is created. Next, you'll set up Conditional Access to require devices to use the
Outlook app.
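The data-protection and access settings chosen in steps 5 and 6, checked as an audit over the policy object. This is an added example, not code from the Microsoft docs; it assumes the policy is read through Microsoft Graph (iosManagedAppProtection shape) and that the enum orderings below reflect permissiveness, and both policy objects are constructed samples. Unlike a plain equality check, it treats each data-transfer level as ordered, so a policy is flagged whenever it is looser than the tutorial's choice, not only when it differs.

```python
"""Audit an Intune iOS app protection policy (Microsoft Graph
iosManagedAppProtection shape) against the data-protection and access
settings this tutorial selects for Outlook."""
from typing import Any, Dict, List, Optional

# Graph enum values ordered from least to most permissive, so a setting can
# be tested for being "no more permissive than" the tutorial's choice.
TRANSFER_LEVELS = ["none", "managedApps", "allApps"]
CLIPBOARD_LEVELS = ["blocked", "managedApps", "managedAppsWithPasteIn", "allApps"]

# Constructed sample: the tutorial's "Outlook app policy test" as Graph would
# return it (only the properties the tutorial changes are shown).
OUTLOOK_APP_POLICY: Dict[str, Any] = {
    "@odata.type": "#microsoft.graph.iosManagedAppProtection",
    "displayName": "Outlook app policy test",
    "allowedOutboundDataTransferDestinations": "none",   # Send org data to other apps: None
    "allowedInboundDataTransferSources": "none",         # Receive data from other apps: None
    "saveAsBlocked": True,                               # Save copies of org data: Block
    "allowedOutboundClipboardSharingLevel": "blocked",   # Restrict cut, copy and paste: Blocked
    "pinRequired": True,                                 # PIN for access: Require
    "organizationalCredentialsRequired": True,           # Work or school account credentials: Require
}

# Constructed sample: a policy whose data-transfer settings were left looser
# than the tutorial's, so org data can still leave Outlook.
LOOSE_APP_POLICY: Dict[str, Any] = {
    "@odata.type": "#microsoft.graph.iosManagedAppProtection",
    "displayName": "Outlook app policy (loose)",
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedInboundDataTransferSources": "allApps",
    "saveAsBlocked": False,
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "pinRequired": True,
    "organizationalCredentialsRequired": False,
}


def _at_most(levels: List[str], value: Optional[str], ceiling: str) -> bool:
    """True when value is a known level no more permissive than ceiling."""
    return value in levels and levels.index(value) <= levels.index(ceiling)


def audit_outlook_app_protection(policy: Dict[str, Any]) -> List[str]:
    """Return a finding for every setting looser than the tutorial's."""
    if policy.get("@odata.type") != "#microsoft.graph.iosManagedAppProtection":
        return ["not an iosManagedAppProtection object"]
    findings: List[str] = []

    outbound = policy.get("allowedOutboundDataTransferDestinations")
    if not _at_most(TRANSFER_LEVELS, outbound, "none"):
        findings.append(f"allowedOutboundDataTransferDestinations={outbound!r}: org data can be sent to other apps")

    inbound = policy.get("allowedInboundDataTransferSources")
    if not _at_most(TRANSFER_LEVELS, inbound, "none"):
        findings.append(f"allowedInboundDataTransferSources={inbound!r}: data can be received from other apps")

    if policy.get("saveAsBlocked") is not True:
        findings.append("saveAsBlocked is not True: 'Save As' to a personal location is allowed")

    clipboard = policy.get("allowedOutboundClipboardSharingLevel")
    if not _at_most(CLIPBOARD_LEVELS, clipboard, "blocked"):
        findings.append(f"allowedOutboundClipboardSharingLevel={clipboard!r}: cut/copy/paste to other apps is allowed")

    if policy.get("pinRequired") is not True:
        findings.append("pinRequired is not True: no PIN is needed to open the app in a work context")

    if policy.get("organizationalCredentialsRequired") is not True:
        findings.append("organizationalCredentialsRequired is not True: work account credentials are not required")
    return findings


if __name__ == "__main__":
    for candidate in (OUTLOOK_APP_POLICY, LOOSE_APP_POLICY):
        result = audit_outlook_app_protection(candidate)
        print(candidate["displayName"], "->", "OK" if not result else result)
```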

Create Conditional Access policies


Now we'll create two Conditional Access policies to cover all device platforms.
The first policy will require that Modern Authentication clients use the approved Outlook app and multi-
factor authentication (MFA). Modern Authentication clients include Outlook for iOS and Outlook for Android.
The second policy will require that Exchange ActiveSync clients use the approved Outlook app. (Currently,
Exchange Active Sync doesn't support conditions other than device platform). You can configure Conditional
Access policies in either the Azure AD portal or the Intune portal. Since we're already in the Intune portal,
we'll create the policy here.
Create an MFA policy for Modern Authentication clients
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Endpoint security > Conditional access > New policy.
3. For Name, enter Test policy for modern auth clients.
4. Under Assignments, select Users and groups. On the Include tab, select All users, and then select
Done.
5. Under Assignments, select Cloud apps or actions. Because we want to protect Microsoft 365 Exchange
Online email, we'll select it by following these steps:
a. On the Include tab, choose Select apps.
b. Choose Select.
c. In the Applications list, select Office 365 Exchange Online, and then choose Select.
d. Select Done to return to the New policy pane.

6. Under Assignments, select Conditions > Device platforms.
a. Under Configure, select Yes.
b. On the Include tab, select Any device.
c. Select Done.
7. On the Conditions pane, select Client apps.
a. Under Configure, select Yes.
b. Select Mobile apps and desktop clients and Modern authentication clients.
c. Clear the other check boxes.
d. Select Done > Done to return to the New policy pane.

8. Under Access controls, select Grant.
a. On the Grant pane, select Grant access.
b. Select Require multi-factor authentication.
c. Select Require approved client app.
d. Under For multiple controls, select Require all the selected controls. This setting ensures that both
requirements you selected are enforced when a device tries to access email.
e. Choose Select.
9. Under Enable policy, select On, and then select Create.
The Conditional Access policy for Modern Authentication clients is created. Now you can create a policy for
Exchange ActiveSync clients.
Create a policy for Exchange ActiveSync clients
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Endpoint security > Conditional Access > New policy.
3. For Name, enter Test policy for EAS clients.
4. Under Assignments, select Users and groups. On the Include tab, select All users, and then select Done.
5. Under Assignments, select Cloud apps or actions. Select Microsoft 365 Exchange Online email with
these steps:
a. On the Include tab, choose Select apps.
b. Choose Select.
c. From the list of Applications, select Office 365 Exchange Online, choose Select, and then select
Done.
6. Under Assignments, select Conditions > Device platforms.
a. Under Configure, select Yes.
b. On the Include tab, select Any device, and then select Done.
7. On the Conditions pane, select Client apps.
a. Under Configure, select Yes.
b. Select Mobile apps and desktop clients.
c. Select Exchange ActiveSync clients and Apply policy only to supported platforms.
d. Clear all other check boxes.
e. Select Done, and then select Done again.
8. Under Access controls, select Grant.
a. On the Grant pane, select Grant access.
b. Select Require approved client app. Clear all other check boxes.
c. Choose Select.
9. Under Enable policy, select On, and then select Create.
Your app protection policies and Conditional Access are now in place and ready to test.
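To check the grant logic of the two policies before testing on a device, here is a small model of them. It is an added example, not Microsoft's or Intune's code; the SignIn and Policy structures are an assumed simplification for illustration, not the Azure AD policy schema.

```python
"""Model of the two Conditional Access policies built in this tutorial.

Added example, not Microsoft's or Intune's code: it reproduces the tutorial's
grant logic (approved client app AND MFA for Modern Authentication clients;
approved client app for Exchange ActiveSync clients) so the outcome of each
sign-in in the "Try it out" section can be predicted. The SignIn/Policy
structures are an assumed simplification, not the Azure AD policy schema.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Client app types, named after the tutorial's "Client apps" condition.
MODERN_AUTH = "modernAuthClients"
EAS = "exchangeActiveSyncClients"
EXCHANGE_ONLINE = "Office 365 Exchange Online"


@dataclass(frozen=True)
class SignIn:
    user: str
    cloud_app: str
    platform: str               # "iOS", "Android", ...
    client_app_type: str        # MODERN_AUTH or EAS
    approved_client_app: bool   # Outlook for iOS/Android: True; native mail app: False
    mfa_satisfied: bool


@dataclass(frozen=True)
class Policy:
    name: str
    cloud_apps: frozenset
    client_app_types: frozenset
    required_controls: frozenset   # subset of {"mfa", "approvedApp"}; all required (AND)
    platforms: frozenset = frozenset({"any"})   # "Any device" in the tutorial
    enabled: bool = True

    def applies(self, s: SignIn) -> bool:
        """All assignment conditions must match for the policy to be evaluated."""
        return (self.enabled
                and s.cloud_app in self.cloud_apps
                and s.client_app_type in self.client_app_types
                and ("any" in self.platforms or s.platform in self.platforms))

    def unmet_controls(self, s: SignIn) -> List[str]:
        """Controls the sign-in fails to satisfy; empty means this policy grants access."""
        unmet = []
        if "approvedApp" in self.required_controls and not s.approved_client_app:
            unmet.append("approvedApp")
        if "mfa" in self.required_controls and not s.mfa_satisfied:
            unmet.append("mfa")
        return unmet


# The two policies as configured above ("Require all the selected controls").
MODERN_AUTH_POLICY = Policy(
    name="Test policy for modern auth clients",
    cloud_apps=frozenset({EXCHANGE_ONLINE}),
    client_app_types=frozenset({MODERN_AUTH}),
    required_controls=frozenset({"mfa", "approvedApp"}),
)
EAS_POLICY = Policy(
    name="Test policy for EAS clients",
    cloud_apps=frozenset({EXCHANGE_ONLINE}),
    client_app_types=frozenset({EAS}),
    required_controls=frozenset({"approvedApp"}),
)
TUTORIAL_POLICIES = (MODERN_AUTH_POLICY, EAS_POLICY)


def evaluate(sign_in: SignIn, policies=TUTORIAL_POLICIES) -> Tuple[str, List[Tuple[str, List[str]]]]:
    """Return ("grant", []) or ("block", [(policy name, unmet controls), ...]).

    Every policy whose conditions match must be fully satisfied. In practice an
    unmet "mfa" control is remediated interactively (the "More information is
    required" prompt in the walkthrough), whereas an unmet "approvedApp" control
    cannot be satisfied from the native mail app, which is why that sign-in ends
    up blocked by the approved-client-app requirement.
    """
    failures = []
    for policy in policies:
        if policy.applies(sign_in):
            unmet = policy.unmet_controls(sign_in)
            if unmet:
                failures.append((policy.name, unmet))
    return ("grant" if not failures else "block", failures)


if __name__ == "__main__":
    # Constructed sample sign-ins mirroring the "Try it out" section (not real accounts).
    samples = {
        "native iOS Mail, modern auth, no MFA":
            SignIn("user@contoso.example", EXCHANGE_ONLINE, "iOS", MODERN_AUTH, False, False),
        "Outlook for iOS, MFA satisfied":
            SignIn("user@contoso.example", EXCHANGE_ONLINE, "iOS", MODERN_AUTH, True, True),
        "native mail over Exchange ActiveSync":
            SignIn("user@contoso.example", EXCHANGE_ONLINE, "Android", EAS, False, False),
    }
    for label, s in samples.items():
        print(f"{label}: {evaluate(s)}")
```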

Try it out
With the policies you've created, devices will need to enroll in Intune and use the Outlook mobile app to access
Microsoft 365 email. To test this scenario on an iOS device, try signing in to Exchange Online using credentials for a
user in your test tenant.
1. To test on an iPhone, go to Settings > Passwords & Accounts > Add Account > Exchange .
2. Enter the email address for a user in your test tenant, and then press Next.
3. Press Sign In .
4. Enter the test user's password, and press Sign in .
5. The message More information is required appears, which means you're being prompted to set up MFA.
Go ahead and set up an additional verification method.
6. Next you'll see a message that says you're trying to open this resource with an app that isn't approved by
your IT department. The message means you're being blocked from using the native mail app. Cancel the
sign-in.
7. Open the Outlook app and select Settings > Add Account > Add Email Account .
8. Enter the email address for a user in your test tenant, and then press Next.
9. Press Sign in with Office 365 . You'll be prompted for additional authentication and registration. Once
you've signed in, you can test actions such as cut, copy, paste, and "Save As".

Clean up resources
When the test policies are no longer needed, you can remove them.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Compliance policies.
3. In the Policy Name list, select the context menu (...) for your test policy, and then select Delete. Select OK
to confirm.
4. Select Endpoint security > Conditional access.
5. In the Policy Name list, select the context menu (...) for each of your test policies, and then select Delete.
Select Yes to confirm.

Next steps
In this tutorial, you created app protection policies to limit what the user can do with the Outlook app, and you
created Conditional Access policies to require the Outlook app and require MFA for Modern Authentication clients.
To learn about using Intune with Conditional Access to protect other apps and services, see Set up Conditional
Access.
Tutorial: Configure Slack to use Intune for EMM and
app configuration
9/4/2020 • 7 minutes to read

Slack is a collaboration app that you can use with Microsoft Intune.
In this tutorial, you will:
Set Intune as the Enterprise Mobility Management (EMM) provider on your Slack Enterprise Grid. You'll be able
to limit access to your Grid plan's workspaces to Intune managed devices.
Create app configuration policies to manage the Slack for EMM app on iOS/iPadOS and the Slack app for
Android work profile devices.
Create Intune device compliance policies to set the conditions Android and iOS/iPadOS devices must meet to be
considered compliant.
If you don't have an Intune subscription, sign up for a free trial account.

Prerequisites
You'll need a test tenant with the following subscriptions for this tutorial:
Azure Active Directory Premium (free trial)
Intune subscription (free trial)
You will also need a Slack Enterprise Grid plan.

Configure your Slack Enterprise Grid plan
Turn on EMM for your Slack Enterprise Grid plan by following Slack's instructions and connect Azure Active
Directory as your Grid plan's identity provider (IDP).

Sign in to Intune
Sign in to the Microsoft Endpoint Manager admin center as a Global Administrator or an Intune Service
Administrator. If you have created an Intune Trial subscription, the account you created the subscription with is the
Global administrator.

Set up Slack for EMM on iOS devices
Add the iOS/iPadOS app Slack for EMM to your Intune tenant and create an app configuration policy to enable your
organization's iOS/iPadOS users to access Slack with Intune as an EMM provider.
Add Slack for EMM to Intune
Add Slack for EMM as a managed iOS/iPadOS app in Intune and assign your Slack users. Apps are platform-specific,
so you need to add a separate Intune app for your Slack users on Android devices.
1. In the admin center, select Apps > All apps > Add.
2. Under App type, select iOS store app.
3. Select Search the App Store. Enter the search term "Slack for EMM" and select the app. Click Select in the
Search the App Store pane.
4. Select App information and configure any changes as you see fit. Select OK to set your app information.
5. Click Add.
6. Select Assignments.
7. Click Add group. Depending on who you chose to be affected when you turned on EMM for Slack, under
Assignment type you may wish to select:
Available for enrolled devices if you chose "All members (including guests)" OR
Available with or without enrollment if you chose "All members (excluding guests)" or "Optional".
8. Select Included Groups and under Make this app available to all users select Yes.
9. Click OK, and then click OK again to add the group.
10. Click Save.
Add an app configuration policy for Slack for EMM
Add an app configuration policy for the Slack for EMM iOS/iPadOS app. App configuration policies for managed
devices are platform-specific, so you need to add a separate policy for your Slack users on Android devices.
1. In the admin center, select Apps > App configuration policies > Add > Managed devices.
2. In Name, enter "Slack app configuration policy test".
3. Under Device enrollment type, confirm Managed devices is set.
4. Under Platform, select iOS.
5. Select Associated app.
6. In the search bar, enter "Slack for EMM" and select the app.
7. Click OK, and then select Configuration settings.
8. Select OK, and then select Add.
9. In the search bar, enter "Slack app configuration policy test" and select the policy you just added.
10. From Manage, select Assignments.
11. Under Assign to, select All Users + All Devices.
12. Click Save.
(Optional) Create an iOS device compliance policy
Set up an Intune device compliance policy to set the conditions that a device must meet to be considered compliant.
For this tutorial, we'll create a device compliance policy for iOS/iPadOS devices. Compliance policies are
platform-specific, so you need to create a separate policy for your Slack users on Android devices.
1. In the admin center, select Device compliance > Policies > Create Policy.
2. In Name, enter "iOS compliance policy test".
3. In Description, enter "iOS compliance policy test".
4. Under Platform, select iOS.
5. Select Device Health. Next to Jailbroken devices, select Block, and then select OK.
6. Select System Security and enter Password settings. For this tutorial, select the following recommended
settings:
For Require a password to unlock mobile devices, select Require.
For Simple passwords, select Block.
For Minimum password length, enter 4.
For Required password type, choose Alphanumeric.
For Maximum minutes after screen lock before password is required, choose Immediately.
For Password expiration (days), enter 41.
For Number of previous passwords to prevent reuse, enter 5.
7. Click OK, and then select OK again.
8. Click Create.
Set up Slack on Android work profile devices
Add the Slack Managed Google Play app to your Intune tenant and create an app configuration policy to enable
your organization's Android users to access Slack with Intune as an EMM provider.
Add Slack to Intune
Add Slack as a Managed Google Play app in Intune and assign your Slack users. Apps are platform-specific, so you
need to add a separate Intune app for your Slack users on iOS/iPadOS devices.
1. In Intune, select Apps > All apps > Add.
2. Under App type, select Store app – Managed Google Play.
3. Select Managed Google Play - Approve. Enter the search term "Slack for EMM" and select the app.
4. Select Approve.
5. In the search bar, enter "Slack" and select the app you just added.
6. From Manage, select Assignments.
7. Select Add group. Depending on who you chose to be affected when you turned on EMM for Slack, under
Assignment type you may wish to select:
Available for enrolled devices if you chose "All members (including guests)" OR
Available with or without enrollment if you chose "All members (excluding guests)" or "Optional".
8. Select Included Groups and under Make this app available to all users select Yes.
9. Click OK, and then click OK again.
10. Click Save.
Add an app configuration policy for Slack
Add an app configuration policy for Slack. App configuration policies for managed devices are platform-specific, so
you need to add a separate policy for your Slack users on iOS/iPadOS devices.
1. In Intune, select Apps > App configuration policies > Add.
2. In Name, enter "Slack app configuration policy test".
3. Under Device enrollment type, select Managed devices.
4. Under Platform, select Android.
5. Select Associated app.
6. In the search bar, enter "Slack" and select the app.
7. Select OK, and then select Configuration settings.
For information on configuration keys and their values, consult the documentation on the "Technical" tab
of Slack's AppConfig web page.
8. Click OK, and then select Add.
9. In the search bar, enter "Slack app configuration policy test" and select the policy you just added.
10. From Manage, select Assignments.
11. Under Assign to, select All Users + All Devices.
12. Click Save.
(Optional) Create an Android device compliance policy
Set up an Intune device compliance policy to set the conditions that a device must meet to be considered compliant.
For this tutorial, we'll create a device compliance policy for Android devices. Compliance policies are
platform-specific, so you need to create a separate policy for your Slack users on iOS/iPadOS devices.
1. In Intune, select Device compliance > Policies > Create Policy.
2. In Name, enter "Android compliance policy test".
3. In Description, enter "Android compliance policy test".
4. Under Platform, select Android Enterprise.
5. Under Profile type, select Work profile.
6. Select Device Health. Next to Rooted devices, select Block, and then select OK.
7. Select System Security and enter Password settings. For this tutorial, select the following recommended
settings:
For Require a password to unlock mobile devices, select Require.
For Required password type, select At least alphanumeric.
For Minimum password length, enter 4.
For Maximum minutes after screen lock before password is required, choose 15 Minutes.
For Password expiration (days), enter 41.
For Number of previous passwords to prevent reuse, enter 5.
8. Click OK, and then click OK again.
9. Click Create.

Launch Slack
With the policies you've just created, any iOS/iPadOS or Android work profile devices that attempt to sign in to one
of your workspaces will need to be Intune enrolled. To test this scenario, try launching Slack for EMM on an Intune
enrolled iOS/iPadOS device or launching Slack on an Intune enrolled Android work profile device.

Next steps
In this tutorial:
You set Intune as the Enterprise Mobility Management (EMM) provider on your Slack Enterprise Grid.
You created app configuration policies to manage the Slack for EMM app on iOS/iPadOS and the Slack app for
Android work profile devices.
You created Intune device compliance policies to set the conditions Android and iOS/iPadOS devices must meet
to be considered compliant.
To learn more about app configuration policies, see App configuration policies for Microsoft Intune. To learn more
about device compliance policies, see Set rules on devices to allow access to resources in your organization using
Intune.
Overview of the app lifecycle in Microsoft Intune
9/4/2020 • 2 minutes to read

The Microsoft Intune app lifecycle begins when an app is added and progresses through additional phases until
you remove the app. By understanding these phases, you'll have the details you need to get started with app
management in Intune.

Add
The first step in app deployment is to add the apps that you want to manage and assign to Intune. While you
can work with many different app types, the basic procedures are the same. With Intune you can add different app
types, including apps written in-house (line-of-business), apps from the store, apps that are built in, and apps on
the web. For more information about each of these app types, see How to add an app to Microsoft Intune.

Deploy
After you've added the app to Intune, you can then assign it to users and devices that you manage. Intune makes
this process easy, and after the app is deployed, you can monitor the success of the deployment from Intune
within the Azure portal. Additionally, in some app stores, such as the Apple and Windows app stores, you can
purchase app licenses in bulk for your company. Intune can synchronize data with these stores so that you can
deploy and track license usage for these types of apps right from the Intune administration console.

Configure
As part of the app lifecycle, new versions of apps are regularly released. Intune provides tools to easily update apps
that you have deployed to a newer version. Additionally, you can configure extra functionality for some apps, for
example:
iOS/iPadOS app configuration policies supply settings for compatible iOS/iPadOS apps that are used when the
app is run. For example, an app might require specific branding settings or the name of a server to which it
must connect.
Managed browser policies help you to configure settings for Microsoft Edge, which replaces the default
device browser and lets you restrict the websites that your users can visit.

Protect
Intune gives you many ways to help protect the data in your apps. The main methods are:
Conditional Access, which controls access to email and other services based on conditions that you specify.
Conditions include device types or compliance with a device compliance policy that you deployed.
App protection policies, which work with individual apps to help protect the company data that they use. For example,
you can restrict copying data between unmanaged apps and apps that you manage, or you can prevent apps
from running on devices that have been jailbroken or rooted.

Retire
Eventually, it's likely that apps that you deployed become outdated and need to be removed. Intune makes it easy
to uninstall apps. For more information, see Uninstall an app.

Next steps
Learn about app management in Microsoft Intune
Application protection policies and work profiles on
Android Enterprise devices in Intune
9/4/2020 • 7 minutes to read

In many organizations, administrators are challenged to protect resources and data on different devices. One
challenge is protecting resources for users with personal Android Enterprise devices, also known as
bring-your-own-device (BYOD). Microsoft Intune supports two Android deployment scenarios for BYOD:
App protection policies without enrollment (APP-WE)
Android Enterprise work profiles
The APP-WE and the Android work profile deployment scenarios include the following key features important for
BYOD environments:
1. Protection and segregation of organization-managed data: Both solutions protect organization data
by enforcing data loss prevention (DLP) controls on organization-managed data. These protections prevent
accidental leaks of protected data, such as an end user accidentally sharing it to a personal app or account.
They also serve to ensure that a device accessing the data is healthy and not compromised.
2. End-user privacy: APP-WE and Android Enterprise work profiles separate end users' content on the device
from data managed by the mobile device management (MDM) administrator. In both scenarios, IT admins
enforce policies, such as PIN-only authentication, on organization-managed apps or identities. IT admins are
unable to read, access, or erase data that's owned or controlled by end users.
Whether you choose APP-WE or Android Enterprise work profiles for your BYOD deployment depends on your
requirements and business needs. The goal of this article is to provide guidance to help you decide.

About Intune app protection policies
Intune app protection policies (APP) are data protection policies targeted to users. The policies apply data loss
protection at the application level. Intune APP requires that app developers enable APP features in the apps they
create. Individual Android apps are enabled for APP in a few ways:
1. Natively integrated into Microsoft first-party apps: Microsoft Office apps for Android, and a selection
of other Microsoft apps, come with Intune APP built in. These Office apps, such as Word, OneDrive, Outlook,
and so on, don't need any more customization to apply policies. These apps can be installed by end users
directly from the Google Play Store.
2. Integrated into app builds by developers using the Intune SDK: App developers can integrate the
Intune SDK into their source code and recompile their apps to support Intune APP policy features.
3. Wrapped using the Intune app wrapping tool: Some customers compile Android apps (.APK file)
without access to source code. Without the source code, the developer can't integrate with the Intune SDK.
Without the SDK, they can't enable their app for APP policies. The developer must modify or recode the app
to support APP policies.
To help, Intune includes the App Wrapping Tool for existing Android apps (APKs), which creates an app
that recognizes APP policies.
For more information on this tool, see Prepare line-of-business apps for app protection policies.
To see a list of apps enabled with APP, see Managed apps with a rich set of mobile application protection policies.

Deployment scenarios
This section describes the important characteristics of the APP-WE and Android Enterprise work profile deployment
scenarios.
APP-WE
An APP-WE (app protection policies without enrollment) deployment defines policies on apps, not devices. In this
scenario, devices typically aren't enrolled or managed by an MDM authority, such as Intune. To protect apps and
access to organizational data, administrators use APP-manageable apps, and apply data protection policies to these
apps.
This feature applies to:
Android 4.4 and later

TIP
For more information, see What are app protection policies?.

APP-WE scenarios are for end users who want a small organizational footprint on their devices, and don't want to
enroll in MDM. As an administrator, you still need to protect your data. These devices aren't managed. So common
MDM tasks and features, such as WiFi, device VPN, and certificate management, aren't part of this deployment
scenario.
Android Enterprise work profiles
Work profiles are the core Android Enterprise deployment scenario and the only scenario targeted at BYOD use
cases. The work profile is a separate partition created at the Android OS level that can be managed by Intune.
This feature applies to:
Android 5.0 and later devices with Google Mobile Services
A work profile includes the following features:
Traditional MDM functionality: Key MDM capabilities, such as app lifecycle management using managed
Google Play, are available in any Android Enterprise scenario. Managed Google Play provides a robust
experience to install and update apps without any user intervention. IT can also push app configuration
settings to organizational apps. It also doesn't require end users to allow installations from unknown
sources. Other common MDM activities, such as deploying certificates, configuring WiFi/VPNs, and setting
device passcodes, are available with work profiles.
DLP on the work profile boundary: Like APP-WE, IT can enforce data protection policies. With a work
profile, DLP policies are enforced at the work profile level, not the app level. For example, copy/paste
protection is enforced either by the APP settings applied to an app or by the work profile. When the app
is deployed into a work profile, administrators can leave copy/paste protection to the work profile by
turning off this policy at the APP level.

Tips to optimize the work profile experience
When to use APP within work profiles
Intune APP and work profiles are complementary technologies that can be used together or separately.
Architecturally, the two solutions enforce policies at different layers: APP at the individual app layer, and work
profiles at the profile layer. Deploying an APP-managed app into a work profile is a valid and supported
scenario. Whether to use APP, work profiles, or a combination depends on your DLP requirements.
Work profiles and APP complement each other's settings by providing additional coverage if one alone doesn't
meet your organization's data protection requirements. For example, work profiles don't natively provide controls
to restrict an app from saving to an untrusted cloud storage location. APP includes this feature. You may decide that
DLP provided solely by the work profile is sufficient, and choose not to use APP. Or you may require the protections
from a combination of the two.
Suppress APP policy for work profiles
You may need to support individual users who have multiple devices: unmanaged devices in an APP-WE scenario,
and managed devices with work profiles.
For example, you require end users to enter a PIN when opening a work app. Depending on the device, the PIN
features are handled by APP or by the work profile. For the APP-WE devices, the PIN-to-launch behavior is enforced
by APP. For work profile devices, you can use a device or work profile PIN enforced by the OS. To accomplish this
scenario, configure APP settings so that they don't apply when an app is deployed into a work profile. If you don't
configure it this way, the end user is prompted for a PIN by the device, and again at the APP layer.
Control multi-identity behavior in work profiles
Office applications, such as Outlook and OneDrive, have "multi-identity" behavior. Within one instance of the
application, the end user can add connections to multiple distinct accounts or cloud storage locations. Within the
application, the data retrieved from these locations can be separate or merged. And the user can switch context
between personal identities (user@outlook.com) and organization identities (user@contoso.com).
When using work profiles, you may want to disable this multi-identity behavior. When you disable it, badged
instances of the app in the work profile can only be configured with an organization identity. Use the Allowed
Accounts app configuration setting for Office Android apps that support it.
For more information, see Deploy Outlook for iOS/iPadOS and Android app configuration settings.

When to use Intune APP
There are several enterprise mobility scenarios where using Intune APP is the best recommendation.
Older devices running Android 4.4-5.1 are being used
Officially, any Android device 5.0 or above with Google Mobile Services supports work profiles, and is eligible to be
managed in that way. However, some Android 5.0 and 5.1 devices from some OEMs don't support work profiles.
If you are using versions that don't support work profiles, and need to ensure DLP for organization data on those
devices, you must use Intune APP features.
No MDM, no enrollment, Google services are unavailable
Some customers don't want any form of device management, including work profile management, for different
reasons:
Legal and liability reasons
For consistency of user experience
The Android device environment is highly heterogeneous
There isn't any connectivity to Google services, which work profile management requires.
For example, customers in China, or with users in China, can't use Android device management because Google
services are blocked. In this case, use Intune APP for DLP.

Summary
Using Intune, both APP-WE and Android Enterprise work profiles are available for your Android BYOD program.
Whether to choose APP-WE or work profiles depends upon your business and usage requirements. In summary, use
work profiles if you need MDM activities on managed devices, such as certificate deployment, app push, and so on.
Use APP-WE if you don't want to or can't manage devices, and are using only Intune APP-enabled apps.

Next steps
Start using app protection policies, or enroll your devices.
How to use Intune in environments without Google
Mobile Services
9/4/2020 • 2 minutes to read

Microsoft Intune uses Google Mobile Services (GMS) to communicate with the Microsoft Intune company portal
when managing Android devices. In some cases, devices may temporarily or permanently not have access to GMS.
For example, a device might ship without GMS, or the device may be connecting to a closed network where GMS is
not available. This document summarizes the differences and limitations you may observe when installing and
using Intune to manage Android devices without GMS.

Install the Intune Company Portal app without access to the Google Play Store
For users outside of People's Republic of China
If Google Play isn't available, Android devices can download the Microsoft Intune Company Portal for Android and
sideload the app. When installed this way, the app doesn't receive updates or fixes automatically. You must be sure
to regularly update and patch the app manually.
For users in People's Republic of China
Because the Google Play Store is currently not available in People's Republic of China, Android devices must obtain
apps from Chinese app marketplaces. For more information, see Install the Company Portal app in People's
Republic of China.

Limitations of Intune device administrator management when GMS is unavailable
Unavailable Intune features
Some Intune features rely on components of GMS such as the Google Play store or Google Play services. Because
these components are not available in environments without GMS, the following features in the Intune
administrator console may be unavailable.

Scenario: Device compliance policies
Features: When creating or editing compliance policies for Android device administrator, all options listed under
Google Play Protect are unavailable.

Scenario: App protection policies (conditional launch)
Features: SafetyNet device attestation and Require threat scan on apps device conditions cannot be used for
conditional launch.

Scenario: Client apps
Features: Apps of type Android are not available. Use Line-of-business app instead to deploy and manage apps.

Scenario: Mobile Threat Defense
Features: Work with your MTD vendor to understand if their solution is integrated with Intune, if it is available in
the region of interest, and if it relies on GMS.

Some tasks may be delayed
In environments where GMS is available, Intune relies on push notifications to complete tasks quickly. For example,
if you try to remotely wipe the device, notifications generally get to the device in seconds. In conditions where GMS
isn't available, push notifications may also not be available. Therefore, Intune must wait for the next device check-in
time to complete the tasks.
Enrolled Android devices report to Intune every 8 hours. For example, if a device reports to Intune at 1 PM and the
remote tasks are issued at 1:05 PM, Intune will contact the device at 9 PM to complete the tasks.
The following tasks can require up to 8 hours to finish:
Intune console:
Full wipe
Selective wipe
New or updated app deployments
Remote lock
Passcode reset
Intune Company Portal app for Android:
Remote device removal
Device reset
Installation of available line-of-business apps
Intune Company Portal website:
Device removal (local and remote)
Device reset
Device passcode reset
If the device recently enrolled, the compliance, non-compliance, and configuration check-in runs more frequently.
For more information on device check-ins, see Common questions, issues, and resolutions with device policies and
profiles in Microsoft Intune.

Next steps
Assign apps to groups with Microsoft Intune
Frequently asked questions about MAM and app
protection
9/4/2020 • 22 minutes to read

This article provides answers to some frequently asked questions on Intune mobile application management
(MAM) and Intune app protection.

MAM Basics
What is MAM?
Intune mobile application management refers to the suite of Intune management features that lets you publish,
push, configure, secure, monitor, and update mobile apps for your users.
What are the benefits of MAM app protection?
MAM protects an organization's data within an application. With MAM without enrollment (MAM-WE), a work or
school-related app that contains sensitive data can be managed on almost any device, including personal devices in
bring-your-own-device (BYOD) scenarios. Many productivity apps, such as the Microsoft Office apps, can be
managed by Intune MAM. See the official list of Intune-managed apps available for public use.
What device configurations does MAM support?
Intune MAM supports two configurations:
Intune MDM + MAM: IT administrators can only manage apps using MAM and app protection policies on
devices that are enrolled with Intune mobile device management (MDM). To manage apps using MDM +
MAM, customers should use the Microsoft Endpoint Manager admin center.
MAM without device enrollment: MAM without device enrollment, or MAM-WE, allows IT administrators
to manage apps using MAM and app protection policies on devices not enrolled with Intune MDM. This
means apps can be managed by Intune on devices enrolled with third-party Enterprise Mobility Management
(EMM) providers, or on devices not enrolled with any MDM at all. To manage apps using MAM-WE, customers
should use the Microsoft Endpoint Manager admin center.

App protection policies


What are app protection policies?
App protection policies are rules that ensure an organization's data remains safe or contained in a managed app. A
policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions
that are prohibited or monitored when the user is inside the app.
What are examples of app protection policies?
See the Android app protection policy settings and iOS/iPadOS app protection policy settings for detailed
information on each app protection policy setting.
Is it possible to have both MDM and MAM policies applied to the same user at the same time, for
different devices? For example, a user accesses work resources from their own MAM-enabled device, but
also comes to work and uses an Intune MDM-managed device. Are there any caveats to this idea?
If you apply a MAM policy to the user without setting the device state, the user will get the MAM policy on both the
BYOD device and the Intune-managed device. You can also apply a MAM policy based on the managed state. So
when you create an app protection policy, next to Target to all app types, you'd select No. Then do any of the
following:
Apply a less strict MAM policy to Intune managed devices, and apply a more restrictive MAM policy to non
MDM-enrolled devices.
Apply an equally strict MAM policy to Intune managed devices as to 3rd party managed devices.
Apply a MAM policy to unenrolled devices only.
For more information, see How to monitor app protection policies.

Apps you can manage with app protection policies


Which apps can be managed by app protection policies?
Any app that has been integrated with the Intune App SDK or wrapped by the Intune App Wrapping Tool can be
managed using Intune app protection policies. See the official list of Intune-managed apps available for public use.
What are the baseline requirements to use app protection policies on an Intune-managed app?
The end user must have an Azure Active Directory (Azure AD) account. See Add users and give
administrative permission to Intune to learn how to create Intune users in Azure Active Directory.
The end user must have a license for Microsoft Intune assigned to their Azure Active Directory account. See
Manage Intune licenses to learn how to assign Intune licenses to end users.
The end user must belong to a security group that is targeted by an app protection policy. The same app
protection policy must target the specific app being used. App protection policies can be created and
deployed in the Microsoft Endpoint Manager admin center. Security groups can currently be created in the
Microsoft 365 admin center.
The end user must sign into the app using their Azure AD account.
What if I want to enable an app with Intune App Protection but it is not using a supported app
development platform?
The Intune SDK development team actively tests and maintains support for apps built with the native Android,
iOS/iPadOS (Obj-C, Swift), Xamarin, and Xamarin.Forms platforms. While some customers have had success with
Intune SDK integration with other platforms such as React Native and NativeScript, we do not provide explicit
guidance or plugins for app developers using anything other than our supported platforms.
Does the Intune APP SDK support the Microsoft Authentication Library (MSAL)?
The Intune App SDK can use the Microsoft Authentication Library for its authentication and conditional launch
scenarios. It also relies on MSAL to register the user identity with the MAM service for management without device
enrollment scenarios.
What are the additional requirements to use the Outlook mobile app?
The end user must have the Outlook mobile app installed to their device.
The end user must have a Microsoft 365 Exchange Online mailbox and license linked to their Azure Active
Directory account.

NOTE
The Outlook mobile app currently only supports Intune App Protection for Microsoft Exchange Online and Exchange
Server with hybrid modern authentication and does not support Exchange in Office 365 Dedicated.

What are the additional requirements to use the Word, Excel, and PowerPoint apps?
The end user must have a license for Microsoft 365 Apps for business or enterprise linked to their Azure
Active Directory account. The subscription must include the Office apps on mobile devices and can include a
cloud storage account with OneDrive for Business. Microsoft 365 licenses can be assigned in the Microsoft
365 admin center following these instructions.
The end user must have a managed location configured using the granular save as functionality under the
"Save copies of org data" application protection policy setting. For example, if the managed location is
OneDrive, the OneDrive app should be configured in the end user's Word, Excel, or PowerPoint app.
If the managed location is OneDrive, the app must be targeted by the app protection policy deployed to the
end user.

NOTE
The Office mobile apps currently only support SharePoint Online and not SharePoint on-premises.

Why is a managed location (i.e. OneDrive) needed for Office?


Intune marks all data in the app as either "corporate" or "personal." Data is considered "corporate" when it
originates from a business location. For the Office apps, Intune considers the following as business locations: email
(Exchange) or cloud storage (OneDrive app with a OneDrive for Business account).
What are the additional requirements to use Skype for Business?
See Skype for Business license requirements. For Skype for Business (SfB) hybrid and on-prem configurations, see
Hybrid Modern Auth for SfB and Exchange goes GA and Modern Auth for SfB OnPrem with Azure AD, respectively.

App protection features


What is multi-identity support?
Multi-identity support is the ability for the Intune App SDK to only apply app protection policies to the work or
school account signed into the app. If a personal account is signed into the app, the data is untouched.
What is the purpose of multi-identity support?
Multi-identity support allows apps with both "corporate" and consumer audiences (i.e. the Office apps) to be
released publicly with Intune app protection capabilities for the "corporate" accounts.
What about Outlook and multi-identity?
Because Outlook has a combined email view of both personal and "corporate" emails, the Outlook app prompts for
the Intune PIN on launch.
What is the Intune app PIN?
The Personal Identification Number (PIN) is a passcode used to verify that the correct user is accessing the
organization's data in an application.
When is the user prompted to enter their PIN?
Intune prompts for the user's app PIN when the user is about to access "corporate" data. In multi-identity
apps such as Word/Excel/PowerPoint, the user is prompted for their PIN when they try to open a "corporate"
document or file. In single-identity apps, such as line-of-business apps managed using the Intune App
Wrapping Tool, the PIN is prompted at launch, because the Intune App SDK knows the user's experience in
the app is always "corporate."
How often will the user be prompted for the Intune PIN?
The IT admin can define the Intune app protection policy setting 'Recheck the access requirements after
(minutes)' in the Intune admin console. This setting specifies the amount of time before the access
requirements are checked on the device, and the application PIN screen is shown again. However, important
details about PIN that affect how often the user will be prompted are:
The PIN is shared among apps of the same publisher to improve usability: On iOS/iPadOS, one
app PIN is shared amongst all apps of the same app publisher. On Android, one app PIN is shared
amongst all apps.
The 'Recheck the access requirements after (minutes)' behavior after a device reboot: A "PIN
timer" tracks the number of minutes of inactivity that determine when to show the Intune app PIN next.
On iOS/iPadOS, the PIN timer is unaffected by device reboot. Thus, device restart has no effect on the
number of minutes the user has been inactive from an iOS/iPadOS app with Intune PIN policy. On
Android, the PIN timer is reset on device reboot. As such, Android apps with Intune PIN policy will likely
prompt for an app PIN regardless of the 'Recheck the access requirements after (minutes)' setting value
after a device reboot.
The rolling nature of the timer associated with the PIN: Once a PIN is entered to access an app
(app A), and the app leaves the foreground (main input focus) on the device, the PIN timer gets reset for
that PIN. Any app (app B) that shares this PIN will not prompt the user for PIN entry because the timer
has reset. The prompt will show up again once the 'Recheck the access requirements after (minutes)'
value is met again.
For iOS/iPadOS devices, even if the PIN is shared between apps from different publishers, the prompt will show up
again when the Recheck the access requirements after (minutes) value is met again for the app that is not
the main input focus. So, for example, a user has app A from publisher X and app B from publisher Y, and those two
apps share the same PIN. The user is focused on app A (foreground), and app B is minimized. After the Recheck
the access requirements after (minutes) value is met and the user switches to app B, the PIN would be
required.

NOTE
In order to verify the user's access requirements more often (i.e. PIN prompt), especially for a frequently used app, it is
recommended to reduce the value of the 'Recheck the access requirements after (minutes)' setting.

How does the Intune PIN work with built-in app PINs for Outlook and OneDrive?
The Intune PIN works based on an inactivity-based timer (the value of 'Recheck the access requirements
after (minutes)'). As such, Intune PIN prompts show up independently from the built-in app PIN prompts for
Outlook and OneDrive which often are tied to app launch by default. If the user receives both PIN prompts
at the same time, the expected behavior should be that the Intune PIN takes precedence.
Is the PIN secure?
The PIN serves to allow only the correct user to access their organization's data in the app. Therefore, an end
user must sign in with their work or school account before they can set or reset their Intune app PIN. This
authentication is handled by Azure Active Directory via secure token exchange and is not transparent to the
Intune App SDK. From a security perspective, the best way to protect work or school data is to encrypt it.
Encryption is not related to the app PIN but is its own app protection policy.
How does Intune protect the PIN against brute force attacks?
As part of the app PIN policy, the IT administrator can set the maximum number of times a user can try to
authenticate their PIN before locking the app. After the number of attempts has been met, the Intune App
SDK can wipe the "corporate" data in the app.
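The PIN rules above (the inactivity timer, the per-publisher sharing on iOS/iPadOS versus all-app sharing on Android, the Android-only reset on reboot, the rolling reset when an app leaves the foreground) and the maximum-attempts wipe described in the previous answer interact in ways that are easier to reason about in code. The following model is an added example, not Intune or Intune App SDK code; the class and method names, the `max_attempts` default and the minute-based clock are assumptions made for illustration.

```python
"""Model of the Intune app PIN behaviour described in this FAQ.

Added example, not Intune App SDK code. It encodes the documented rules:
the 'Recheck the access requirements after (minutes)' inactivity timer,
PIN sharing per publisher on iOS/iPadOS and across all apps on Android,
the Android-only reset on reboot, the rolling reset when an app leaves
the foreground, and a maximum-attempts counter whose configured action
here is to wipe "corporate" data. Names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class PinPolicy:
    recheck_minutes: int        # 'Recheck the access requirements after (minutes)'
    max_attempts: int = 5       # assumed value for the maximum PIN attempts setting


class PinTimerModel:
    def __init__(self, platform: str, policy: PinPolicy) -> None:
        if platform not in ("ios", "android"):
            raise ValueError("platform must be 'ios' or 'android'")
        self.platform = platform
        self.policy = policy
        # PIN scope -> minute of the last timer reset (None = prompt required)
        self._last_reset: Dict[str, Optional[int]] = {}
        self._failed: Dict[str, int] = {}
        self.wiped: Set[str] = set()    # scopes whose corporate data was wiped

    def _scope(self, publisher: str) -> str:
        # iOS/iPadOS: one PIN per publisher. Android: one PIN for all MAM apps.
        return publisher if self.platform == "ios" else "*"

    def needs_pin(self, publisher: str, now: int) -> bool:
        """True if opening corporate data in an app of `publisher` at
        minute `now` would show the Intune PIN screen."""
        last = self._last_reset.get(self._scope(publisher))
        return last is None or now - last >= self.policy.recheck_minutes

    def enter_pin(self, publisher: str, now: int, correct: bool) -> str:
        """Outcome of one PIN attempt: 'access', 'retry' or 'wiped'."""
        scope = self._scope(publisher)
        if correct:
            self._failed[scope] = 0
            self._last_reset[scope] = now
            return "access"
        self._failed[scope] = self._failed.get(scope, 0) + 1
        if self._failed[scope] >= self.policy.max_attempts:
            # Wipe is one of the actions an admin can configure for this limit.
            self.wiped.add(scope)
            self._last_reset[scope] = None
            return "wiped"
        return "retry"

    def leave_foreground(self, publisher: str, now: int) -> None:
        """Rolling timer: backgrounding an app restarts the shared timer, so
        another app sharing this PIN is not prompted until the recheck
        interval elapses again."""
        scope = self._scope(publisher)
        if self._last_reset.get(scope) is not None:
            self._last_reset[scope] = now

    def reboot(self) -> None:
        """Android resets the PIN timer on reboot; iOS/iPadOS does not."""
        if self.platform == "android":
            self._last_reset = {}
```

Walking a scenario through the model (enter the PIN in app A, background it, switch to app B before the recheck interval elapses) shows why app B is not prompted, and why the same sequence on Android ends in a prompt as soon as the device has been rebooted.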
Why do I have to set a PIN twice on apps from same publisher?
MAM (on iOS/iPadOS) currently allows application-level PIN with alphanumeric and special characters
(called 'passcode') which requires the participation of applications (i.e. WXP, Outlook, Managed Browser,
Yammer) to integrate the Intune APP SDK for iOS/iPadOS. Without this, the passcode settings are not
properly enforced for the targeted applications. This was a feature released in the Intune SDK for
iOS/iPadOS v. 7.1.12.

In order to support this feature and ensure backward compatibility with previous versions of the Intune SDK
for iOS/iPadOS, all PINs (either numeric or passcode) in 7.1.12+ are handled separately from the numeric
PIN in previous versions of the SDK. Therefore, if a device has applications with Intune SDK for iOS/iPadOS
versions before 7.1.12 AND after 7.1.12 from the same publisher, they will have to set up two PINs.

That being said, the two PINs are independent of each other, and each must adhere to the app protection
policy applied to its own app. As a result, only if apps A and B have the same PIN-related policy settings
applied may the user choose the same PIN for both.

This behavior is specific to the PIN on iOS/iPadOS applications that are enabled with Intune Mobile App
Management. Over time, as applications adopt later versions of the Intune SDK for iOS/iPadOS, having to set
a PIN twice on apps from the same publisher becomes less of an issue. Please see the note below for an
example.

NOTE
For example, if app A is built with a version prior to 7.1.12 and app B is built with a version greater than or equal to
7.1.12 from the same publisher, the end user will need to set up PINs separately for A and B if both are installed on
an iOS/iPadOS device.

If an app C that has SDK version 7.1.9 is installed on the device, it will share the same PIN as app A.

An app D built with 7.1.14 will share the same PIN as app B.

If only apps A and C are installed on a device, then one PIN will need to be set. The same applies to if only apps B and
D are installed on a device.

What about encryption?


IT administrators can deploy an app protection policy that requires app data to be encrypted. As part of the policy,
the IT administrator can also specify when the content is encrypted.
How does Intune encrypt data?
See the Android app protection policy settings and iOS/iPadOS app protection policy settings for detailed
information on the encryption app protection policy setting.
What gets encrypted?
Only data marked as "corporate" is encrypted according to the IT administrator's app protection policy. Data
is considered "corporate" when it originates from a business location. For the Office apps, Intune considers
the following as business locations: email (Exchange) or cloud storage (OneDrive app with a OneDrive for
Business account). For line-of-business apps managed by the Intune App Wrapping Tool, all app data is
considered "corporate."
How does Intune remotely wipe data?
Intune can wipe app data in three different ways: full device wipe, selective wipe for MDM, and MAM selective wipe.
For more information about remote wipe for MDM, see Remove devices by using wipe or retire. For more
information about selective wipe using MAM, see the Retire action and How to wipe only corporate data from apps.
What is wipe?
Wipe removes all user data and settings from the device by restoring the device to its factory default
settings. The device is removed from Intune.

NOTE
Wipe can only be achieved on devices enrolled with Intune mobile device management (MDM).
What is selective wipe for MDM?
See Remove devices - retire to read about removing company data.
What is selective wipe for MAM?
Selective wipe for MAM simply removes company app data from an app. The request is initiated using the
Microsoft Endpoint Manager admin center. To learn how to initiate a wipe request, see How to wipe only
corporate data from apps.
How quickly does selective wipe for MAM happen?
If the user is using the app when selective wipe is initiated, the Intune App SDK checks every 30 minutes for
a selective wipe request from the Intune MAM service. It also checks for selective wipe when the user
launches the app for the first time and signs in with their work or school account.
Why don't on-premises (on-prem) services work with Intune protected apps?
Intune app protection depends on the identity of the user to be consistent between the application and the Intune
App SDK. The only way to guarantee that is through modern authentication. There are scenarios in which apps may
work with an on-prem configuration, but they are neither consistent nor guaranteed.
Is there a secure way to open web links from managed apps?
Yes! The IT administrator can deploy and set app protection policy for the Microsoft Edge app. The IT administrator
can require all web links in Intune-managed apps to be opened using the Microsoft Edge app.

App experience on Android


Why is the Company Por tal app needed for Intune app protection to work on Android devices?
Much of app protection functionality is built into the Company Portal app. Device enrollment is not required even
though the Company Portal app is always required. For MAM-WE, the end user just needs to have the Company
Portal app installed on the device.
How do multiple Intune app protection access settings that are configured to the same set of apps
and users work on Android?
Intune app protection policies for access will be applied in a specific order on end user devices as they try to access
a targeted app from their corporate account. In general, a block would take precedence, then a dismissible warning.
For example, if applicable to the specific user/app, a minimum Android patch version setting that warns a user to
take a patch upgrade will be applied after the minimum Android patch version setting that blocks the user from
access. So, in the scenario where the IT admin configures the min Android patch version to 2018-03-01 and the
min Android patch version (Warning only) to 2018-02-01, while the device trying to access the app was on a patch
version 2018-01-01, the end user would be blocked based on the more restrictive setting for min Android patch
version that results in blocked access.
When dealing with different types of settings, an app version requirement would take precedence, followed by
Android operating system version requirement and Android patch version requirement. Then, any warnings for all
types of settings in the same order are checked.
Intune App Protection Policies provide the capability for admins to require end user devices to pass
Google's SafetyNet Attestation for Android devices. How often is a new SafetyNet Attestation result
sent to the service?

A new Google Play service determination will be reported to the IT admin at an interval determined by the Intune
service. How often the service call is made is throttled due to load, thus this value is maintained internally and is
not configurable. Any IT admin configured action for the Google SafetyNet Attestation setting will be taken based
on the last reported result to the Intune service at the time of conditional launch. If there is no data, access will be
allowed depending on no other conditional launch checks failing, and Google Play Service "roundtrip" for
determining attestation results will begin in the backend and prompt the user asynchronously if the device has
failed. If there is stale data, access will be blocked or allowed depending on the last reported result, and similarly, a
Google Play Service "roundtrip" for determining attestation results will begin and prompt the user asynchronously
if the device has failed.
Intune App Protection Policies provide the capability for admins to require end user devices to send
signals via Google's Verify Apps API for Android devices. How can an end user turn on the app scan
so that they are not blocked from access due to this?

The instructions on how to do this vary slightly by device. The general process involves going to the Google Play
Store, then clicking on My apps & games , clicking on the result of the last app scan which will take you into the
Play Protect menu. Ensure the toggle for Scan device for security threats is switched to on.
What does Google's SafetyNet Attestation API actually check on Android devices? What is the
difference between the configurable values of 'Check basic integrity' and 'Check basic integrity &
certified devices'?

Intune leverages Google Play Protect SafetyNet APIs to add to our existing root detection checks for unenrolled
devices. Google has developed and maintained this API set for Android apps to adopt if they do not want their apps
to run on rooted devices. The Android Pay app has incorporated this, for example. While Google does not share
publicly the entirety of the root detection checks that occur, we expect these APIs to detect users who have rooted
their devices. These users can then be blocked from accessing, or their corporate accounts wiped from their policy
enabled apps. 'Check basic integrity' tells you about the general integrity of the device. Rooted devices, emulators,
virtual devices, and devices with signs of tampering fail basic integrity. 'Check basic integrity & certified devices'
tells you about the compatibility of the device with Google's services. Only unmodified devices that have been
certified by Google can pass this check. Devices that will fail include the following:
Devices that fail basic integrity
Devices with an unlocked bootloader
Devices with a custom system image/ROM
Devices for which the manufacturer didn't apply for, or pass, Google certification
Devices with a system image built directly from the Android Open Source Program source files
Devices with a beta/developer preview system image
See Google's documentation on the SafetyNet Attestation for technical details.
There are two similar checks in the Conditional Launch section when creating an Intune App
Protection Policy for Android devices. Should I be requiring the 'SafetyNet device attestation' setting
or the 'jailbroken/rooted devices' setting?

Google Play Protect's SafetyNet API checks require the end user to be online, at least for the duration of the
"roundtrip" that determines the attestation result. If the end user is offline, the IT admin can still expect a
result to be enforced from the 'jailbroken/rooted devices' setting. That being said, if the end user has been offline
too long, the 'Offline grace period' value comes into play, and all access to work or school data is blocked once that
timer value is reached, until network access is available. Turning on both settings gives a layered approach to
keeping end user devices healthy, which is important when end users access work or school data on mobile.
The app protection policy settings that leverage Google Play Protect APIs require Google Play
Services to function. What if Google Play Services are not allowed in the location where the end user
may be?

Both the 'SafetyNet device attestation' and 'Threat scan on apps' settings require a Google-determined minimum
version of Google Play Services to function correctly. Because these settings fall in the area of security, the end
user will be blocked if they have been targeted with these settings and either do not meet the required version of
Google Play Services or have no access to Google Play Services at all.
App experience on iOS
What happens if I add or remove a fingerprint or face to my device?
Intune app protection policies allow control over app access to only the Intune licensed user. One of the ways to
control access to the app is to require either Apple's Touch ID or Face ID on supported devices. Intune implements a
behavior where if there is any change to the device's biometric database, Intune prompts the user for a PIN when
the next inactivity timeout value is met. Changes to biometric data include the addition or removal of a fingerprint,
or face. If the Intune user does not have a PIN set, they are led to set up an Intune PIN.
The intent of this is to continue keeping your organization's data within the app secure and protected at the app
level. This feature is only available for iOS/iPadOS, and requires the participation of applications that integrate the
Intune APP SDK for iOS/iPadOS, version 9.0.1 or later. Integration of the SDK is necessary so that the behavior can
be enforced on the targeted applications. This integration happens on a rolling basis and is dependent on the
specific application teams. Some apps that participate include WXP, Outlook, Managed Browser, and Yammer.
I am able to use the iOS share extension to open work or school data in unmanaged apps, even with
the data transfer policy set to "managed apps only" or "no apps." Doesn't this leak data?
Intune app protection policy cannot control the iOS share extension without managing the device. Therefore, Intune
encrypts "corporate" data before it is shared outside the app. You can validate this by attempting to open
the "corporate" file outside of the managed app. The file should be encrypted and unable to be opened outside the
managed app.
How do multiple Intune app protection access settings that are configured to the same set of apps
and users work on iOS?
Intune app protection policies for access will be applied in a specific order on end user devices as they try to access
a targeted app from their corporate account. In general, a wipe would take precedence, followed by a block, then a
dismissible warning. For example, if applicable to the specific user/app, a minimum iOS/iPadOS operating system
setting that warns a user to update their iOS/iPadOS version will be applied after the minimum iOS/iPadOS
operating system setting that blocks the user from access. So, in the scenario where the IT admin configures the
min iOS/iPadOS operating system to 11.0.0.0 and the min iOS/iPadOS operating system (Warning only) to 11.1.0.0,
while the device trying to access the app was on iOS/iPadOS 10, the end user would be blocked based on the more
restrictive setting for min iOS/iPadOS operating system version that results in blocked access.
When dealing with different types of settings, an Intune App SDK version requirement would take precedence, then
an app version requirement, followed by the iOS/iPadOS operating system version requirement. Then, any
warnings for all types of settings in the same order are checked. We recommend the Intune App SDK version
requirement be configured only upon guidance from the Intune product team for essential blocking scenarios.
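The Android and iOS/iPadOS answers above describe the same evaluation scheme with different orderings: all wipes, then all blocks, then dismissible warnings, and within each severity the setting kinds in a fixed order (app version, OS version, patch version on Android; SDK version, app version, OS version on iOS/iPadOS). The evaluator below is an added example, not Intune App SDK code; the setting and device-state field names, the version-string formats and the sample values are assumptions, and the Android sample reproduces the patch-version scenario from the text.

```python
"""Evaluation order of conditional-launch settings for Android and iOS/iPadOS.

Added example, not Intune App SDK code. The precedence rules are the documented
ones: a wipe before a block before a dismissible warning, and within a severity
the kinds in platform order. The setting names, the device-state dictionary
and the sample values are assumptions made for illustration.
"""
from typing import Dict, List, Optional, Tuple

ANDROID_ORDER = ["app_version", "os_version", "patch_version"]
IOS_ORDER = ["sdk_version", "app_version", "os_version"]
ACTIONS = ["wipe", "block", "warn"]     # most to least severe


def _parse(value: str) -> Tuple[int, ...]:
    """Turn '11.0.0.0' or a patch date '2018-03-01' into a comparable tuple."""
    return tuple(int(part) for part in value.replace("-", ".").split("."))


def evaluate(platform: str, device: Dict[str, str],
             settings: List[Dict[str, str]]) -> Optional[Tuple[str, str]]:
    """Return (action, setting_kind) of the first failing setting, or None.

    settings: e.g. {"kind": "os_version", "action": "block", "min": "11.0.0.0"}
    device:   current values keyed by setting kind, e.g. {"os_version": "10.3.1"}
    A kind the device reports nothing for is skipped rather than failed.
    """
    order = ANDROID_ORDER if platform == "android" else IOS_ORDER
    for action in ACTIONS:                  # every block is checked before any warning
        for kind in order:                  # then in the documented kind order
            for s in settings:
                if s["action"] != action or s["kind"] != kind:
                    continue
                if kind in device and _parse(device[kind]) < _parse(s["min"]):
                    return action, kind
    return None


if __name__ == "__main__":
    # Android scenario from the text: patch block 2018-03-01, warn-only 2018-02-01,
    # device on 2018-01-01 -> the block wins even though both thresholds fail.
    android_settings = [
        {"kind": "patch_version", "action": "warn", "min": "2018-02-01"},
        {"kind": "patch_version", "action": "block", "min": "2018-03-01"},
    ]
    print(evaluate("android", {"patch_version": "2018-01-01"}, android_settings))
```

Note that in the text's own example the warning threshold is lower than the block threshold, so the warning can never be the first result; a warning-only setting is useful when its minimum is higher than the blocking minimum, which the iOS/iPadOS example in the text (block at 11.0.0.0, warn at 11.1.0.0) illustrates.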

See also
Implement your Intune plan
Intune testing and validation
Android mobile app management policy settings in Microsoft Intune
iOS/iPadOS mobile app management policy settings
App protection policies policy refresh
Validate your app protection policies
Add app configuration policies for managed apps without device enrollment
How to get support for Microsoft Intune
Add apps to Microsoft Intune
9/4/2020 • 15 minutes to read

Before you can configure, assign, protect, or monitor apps, you must add them to Microsoft Intune.
The users of apps and devices at your company (your company's workforce) might have several app
requirements. Before adding apps to Intune and making them available to your workforce, you may find it
helpful to assess and understand a few app fundamentals. There are various types of apps that are available for
Intune. You must determine app requirements that are needed by the users at your company, such as the
platforms and capabilities that your workforce needs. You must determine whether to use Intune to manage the
devices (including apps) or have Intune manage the apps without managing the devices. Also, you must
determine the apps and capabilities that your workforce needs, and who needs them. The information in this
article helps you get started.

App types in Microsoft Intune


Intune supports a wide range of app types. The available options differ for each app type. Intune lets you add and
assign the following app types:

App type: installation behavior; update behavior.
Apps from the store (store apps): Intune installs the app on the device. App updates are automatic.
Apps written in-house (line-of-business): Intune installs the app on the device (you supply the installation file). You must update the app.
Apps that are built-in (built-in apps): Intune installs the app on the device. App updates are automatic.
Apps on the web (web link): Intune creates a shortcut to the web app on the device home screen. App updates are automatic.
Apps from other Microsoft services: Intune creates a shortcut to the app in the Company Portal (for more information, see App source setting options). App updates are automatic.

Specific app type details


The following table lists the specific app types and how you can add them in the Intune Add app pane:

App-specific type (general type): app-specific procedure.
Android store apps (Store app): Select Android as the app type, and enter the Google Play store URL for the app.
Android Enterprise apps (Store app): Select Android as the app type, and enter the Managed Google Play store URL for the app. (1)
iOS/iPadOS store apps (Store app): Select iOS as the app type, search for the app, and select the app in Intune.
Microsoft store apps (Store app): Select Windows as the app type, and enter the Microsoft store URL for the app.
Managed Google Play apps (Store app): Select Managed Google Play as the app type, search for the app, and select the app in Intune.
Microsoft 365 apps for Windows 10 (Store app, Microsoft 365): Select Windows 10 under Microsoft 365 Apps as the app type, and then select the Microsoft 365 app that you want to install.
Microsoft 365 apps for macOS (Store app, Microsoft 365): Select macOS under Microsoft 365 Apps as the app type, and then select the Microsoft 365 app suite.
Microsoft Edge, version 77 and later for Windows 10 (Store app): Select Windows 10 under Microsoft Edge, version 77 and later as the app type.
Microsoft Edge, version 77 and later for macOS (Store app): Select macOS under Microsoft Edge, version 77 and later as the app type.
Android line-of-business (LOB) apps (LOB app): Select Line-of-business app as the app type, select the App package file, and then enter an Android installation file with the extension .apk.
iOS/iPadOS LOB apps (LOB app): Select Line-of-business app as the app type, select the App package file, and then enter an iOS/iPadOS installation file with the extension .ipa.
Windows LOB apps (LOB app): Select Line-of-business app as the app type, select the App package file, and then enter a Windows installation file with the extension .msi, .appx, .appxbundle, .msix, or .msixbundle.
Built-in iOS/iPadOS app (Built-in app): Select Built-In app as the app type, and then select the built-in app in the list of provided apps.
Built-in Android app (Built-in app): Select Built-In app as the app type, and then select the built-in app in the list of provided apps.
Web apps (Web app): Select Web link as the app type, and then enter a valid URL pointing to the web app.
Android Enterprise system apps (Store app): Select Android Enterprise system app as the app type, and then enter the app name, publisher, and package file.
Windows app (Win32) (LOB app): Select Windows app (Win32) as the app type, select the App package file, and then select an installation file with the extension .intunewin.
macOS LOB apps (LOB app): Select Line-of-business as the app type, select the App package file, and then select an installation file with the extension .intunemac.

(1) For more information about Android Enterprise and Android work profiles, see Understanding licensed apps
below.
You can add an app in Microsoft Intune by selecting Apps > All apps > Add . The Select app type pane is
displayed and allows you to select the App type .

TIP
An LOB app is one that you add from an app installation file. For example, to install an iOS/iPadOS LOB app, you add the
application by selecting Line-of-business app as the App type in the Select app type pane. You then select the app
package file (extension .ipa). These types of apps are typically written in-house.

Assess app requirements


As an IT Admin, you determine not only which apps your group must use, but you also determine the capabilities
needed for each group and subgroup. For each app, you determine the platforms needed, the groups of users
that need the app, the configuration policies to apply for those groups, and the protection policies to apply.
Additionally, you must determine whether to focus on Mobile Device Management (MDM) or only on Mobile
Application Management (MAM).
Using Intune to manage the device with MDM is useful when:
Users need a Wi-Fi or a VPN corporate connectivity profile to be productive.
Users need a set of apps to be pushed to their device.
Your organization needs to comply with regulatory or other policies that call out specific MDM controls, such
as security or encryption.
Using Intune to manage apps with MAM without managing the device is useful when:
You want to allow users to use their own device (BYOD).
You want to provide a one-time pop-up message to let users know that MAM protections are in place, rather
than continual device-level notification.
You want to comply with policies that require less management capability on personal devices. For instance,
you want to manage the corporate data for the apps, rather than manage the corporate data for the entire
device.
For more information, see Compare MDM and MAM.
Determine who will use the app
As you're determining which apps your workforce needs, consider the various groups of users and the various
apps they use. Knowing these groups is also helpful after you've added an app. After you add an app, you assign
a group of users that can use the app.
First, you must determine which group should have access to the app, based on the sensitivity of the data the
app contains. You might need to include or exclude certain types of roles within your organization. For example,
only certain LOB apps might be required for your sales group, whereas people focused on engineering, finance,
HR, or legal might not need to use the LOB apps. In addition, your sales group might need additional data
protection and access to internal corporate services on their mobile devices. You must determine how this group
will connect to resources using the app. Will the data that the app accesses live in the cloud or on-premises? Also,
how will the users connect to resources by using the app?
Intune also supports enabling access to client apps that require secure access to on-premises data, such as line-
of-business app servers. You ordinarily provide this type of access by using Intune-managed certificates for
access control, combined with a standard VPN gateway or proxy in the perimeter, such as Azure Active Directory
Application Proxy. The Intune App Wrapping Tool and App SDK can help contain the accessed data within your
line-of-business app, so that it can't pass corporate data to consumer apps or services.
Use the Intune deployment planning, design and implementation guide to help determine how you identify the
organizational groups that are associated with each use-case and sub-use-case app scenario. For information
about assigning apps to groups, see Assign apps to groups with Microsoft Intune.
Determine the type of app for your solution
You can choose from the following app types:
Apps from the store : Apps that have been uploaded to either the Microsoft store, the iOS/iPadOS store, or
the Android store are store apps. The provider of a store app maintains and provides updates to the app. You
select the app in the store list and add it by using Intune as an available app for your users.
Apps written in-house (line-of-business) : Apps that are created in-house are line-of-business (LOB) apps.
The functionality of this type of app has been created for one of the Intune supported platforms, such as
Windows, iOS/iPadOS, macOS, or Android. Your organization creates and provides you with updates as a
separate file. You provide updates of the app to users by adding and deploying the updates using Intune.
Apps on the web : Web apps are client-server applications. The server provides the web app, which includes
the UI, content, and functionality. Additionally, modern web hosting platforms commonly offer security, load
balancing, and other benefits. This type of app is separately maintained on the web. You use Intune to point to
this app type. You also assign which groups of users can access the app. Note that Android does not support
web apps.
Apps from other Microsoft services: Apps that have been sourced from either Azure AD or Office Online. Azure AD Enterprise applications are registered and assigned via the Azure portal. Office Online applications are assigned using the licensing controls available in the M365 Admin Center. You can hide or show Azure AD Enterprise and Office Online applications to end-users in the Company Portal. From the Microsoft Endpoint Manager admin center, select Tenant administration > Customization to find this configuration setting. Select to Hide or Show either Azure AD Enterprise applications or Office Online applications in the Company Portal for each end-user. Each end-user will see their entire application catalog from the chosen Microsoft service. By default, each additional app source will be set to Hide. For more information, see App source setting options.
As you're determining which apps your organization needs, consider how the apps integrate with cloud services,
what data the apps access, whether the apps are available to BYOD users, and whether the apps require internet
access.
For more information about the types of apps that your organization needs, see "Apps" section within the
"Feature requirements" section of Create a design.
Understanding app management and protection policies
Intune lets you modify the functionality of apps that you deploy to help align them with your company's
compliance and security policies. This control allows you to determine how your company data is protected.
Intune-managed apps are enabled with a rich set of mobile application protection policies, such as:
Restricting copy-and-paste and save-as functions.
Configuring web links to open inside the Microsoft Edge app.
Enabling multi-identity use and app-level Conditional Access.
Intune-managed apps can also enable app protection without requiring enrollment, which gives you the choice
of applying data loss-prevention policies without managing the user's device. Additionally, you can incorporate
mobile-app management in your mobile and line-of-business apps by using the Intune App SDK and App
Wrapping Tool. For more information about these tools, see Intune App SDK overview.
Understanding licensed apps
In addition to understanding web apps, store apps, and LOB apps, you should also be aware of the destination of
volume-purchase-program apps and licensed apps, such as:
Apple Volume Purchasing Program for Business (iOS): The iOS/iPadOS App Store lets you purchase multiple licenses for an app that you want to run in your company. Purchasing multiple copies helps you to efficiently manage apps in your company. For more information, see Manage iOS/iPadOS volume-purchased apps.
Android work profile : How you assign apps to Android work profile devices differs from how you
assign them to standard Android devices. All apps you install for Android work profiles come from the
Managed Google Play store. You use Intune to browse for the apps you want and approve them. The app
then appears in the Licensed apps node of the Azure portal, and you can manage assignment of the app
as you would any other app.
Microsoft Store for Business (Windows 10) : Microsoft Store for Business gives you a place to find
and purchase apps for your organization, individually or in volume. By connecting the store to Microsoft
Intune, you can manage volume-purchased apps in the Azure portal. For more information, see Manage
apps from Microsoft Store for Business.

NOTE
The file extensions for Windows apps include .msi, .appx, .appxbundle, .msix and .msixbundle.

Before you add apps


Before you begin to add and assign apps, consider the following points:
When you add and assign an app from a store, your users must have an account with that store to be able to
install the app.
Some apps or items that you assign might depend on built-in iOS/iPadOS apps. For example, if you assign a
book in the iOS/iPadOS store, the iBooks app must be present on the device. If you have removed the iBooks
built-in app, you cannot use Intune to reinstate it.

IMPORTANT
If you change the name of the app through the Intune Azure portal after you have deployed and installed the app, the app can no longer be targeted by commands.
Cloud storage space
All apps that you create by using the software installer installation type (for example, a line-of-business app) are
packaged and uploaded to Intune cloud storage. A trial subscription of Intune includes 2 gigabytes (GB) of cloud-
based storage that is used to store managed apps and updates. A full subscription does not limit the total
amount of storage space.
Requirements for cloud storage space are as follows:
All app installation files must be in the same folder.
The maximum file size for any file that you upload is 8 GB.

NOTE
Windows Line-of-business (LOB) apps, including Win32, Windows Universal AppX, Windows Universal AppX bundle, Windows Universal MSIX, and Windows Universal MSIX bundle, have a maximum size limit of 8 GB per app. All other LOB apps, including iOS/iPadOS LOB apps, have a maximum size limit of 2 GB per app.

Create and edit categories for apps


App categories can be used to help you sort apps to make them easier for users to find in the company portal.
You can assign one or more categories to an app, for example, Developer apps or Communication apps.
When you add an app to Intune, you are given the option to select the category you want. Use the platform-
specific topics to add an app and assign categories. To create and edit your own categories, use the following
procedure:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > App categories.
The App categories pane displays a list of current categories.
3. Do either of the following:
To add a category, in the Create category pane, select Add, and then enter a name for the category. Names can be entered in one language only, and they are not translated by Intune.
To edit a category, select the ellipsis (...) next to the category, and then select Pin to dashboard or Delete.
4. Select Create.

Apps that are added automatically by Intune


Previously, Intune contained a number of built-in apps that you could quickly assign. Based on Intune customer
feedback, we removed this list, and the built-in apps are no longer displayed. However, if you have already
assigned any built-in apps, the apps remain visible in the list of apps. You can continue to assign the apps as
required.

NOTE
For the installation of a required non-Line-of-Business app, Intune attempts to install the app by sending an install command whenever the device checks in, provided that the app is not detected and the app's install state is not Install Pending.

Installing, updating, or removing required apps


Intune will automatically reinstall, update, or remove a required app within 24 hours, rather than waiting for the 7-day re-evaluation cycle.
Intune will automatically reinstall, update, or remove a required app based on the following conditions:
If an end user uninstalls an app that you have required to be installed on the end user's device, Intune will
automatically reinstall the app when this schedule elapses.
If a required app install fails or somehow the app is not present on the device, Intune evaluates compliance
and reinstalls the app when this schedule elapses.
An admin targets an app as available to a user group and an end user installs the app from the company
portal on the device. Later, the admin updates the app from v1 to v2. Intune will update the app when this
schedule elapses, provided that any previous version of the app is still present on the device.
If the admin deploys uninstall intent and the app is present on the device and failed to uninstall, Intune
evaluates compliance and uninstalls the app when this schedule elapses.

Uninstall an app
When you need to uninstall an app from users' devices, use the following steps.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > the app > Assignments > Add group.
3. In the Add group pane, select Uninstall.
4. Select Included Groups to select the groups of users that are affected by this app assignment.
5. Select the groups to which you want to apply the uninstall assignment.
6. Click Select on the Select groups pane.
7. Click OK on the Assign pane to set the assignment.
8. If you want to exclude any groups of users from being affected by this app assignment, select Exclude Groups.
9. If you have chosen to exclude any groups, in Select groups, select Select.
10. Select OK in the Add group pane.
11. Select Save in the app Assignments pane.

IMPORTANT
To uninstall the app successfully, make sure to remove the members or group assignment for install before assigning them
to be uninstalled. If a group is assigned to both install an app and uninstall an app, the app will remain and not be
removed.
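The conflict described in this note can be checked before the uninstall assignment is saved. The following is an added example, not code from the Intune documentation: it walks a list of mobileAppAssignment objects in the shape Microsoft Graph returns from GET /deviceAppManagement/mobileApps/{id}/assignments and reports every group that is targeted both to install and to uninstall the app; the sample assignments and group IDs are constructed placeholders.

```python
"""Check an Intune app's assignments for install/uninstall conflicts.

Added example, not from the Intune documentation. A group assigned both to
install an app and to uninstall it keeps the app, so this reports the groups
that would leave the uninstall ineffective. The assignment shape follows the
Graph mobileAppAssignment resource; the data below is constructed sample
data and the group IDs are placeholders, not real directory objects.
"""

# Assignment intents that put the app on a device.
INSTALL_INTENTS = {"required", "available", "availableWithoutEnrollment"}
UNINSTALL_INTENT = "uninstall"

# Graph target types. Exclusion targets remove a group from an assignment, so
# they never install or uninstall anything on their own.
GROUP_TARGET = "#microsoft.graph.groupAssignmentTarget"
EXCLUSION_TARGET = "#microsoft.graph.exclusionGroupAssignmentTarget"
ALL_TARGETS = {
    "#microsoft.graph.allLicensedUsersAssignmentTarget",
    "#microsoft.graph.allDevicesAssignmentTarget",
}


def find_install_uninstall_conflicts(assignments):
    """Return the sorted group IDs targeted both to install and to uninstall.

    An install intent aimed at all users or all devices overlaps every
    uninstall group, so in that case every uninstall group is a conflict.
    """
    install_groups, uninstall_groups = set(), set()
    install_everyone = False
    for assignment in assignments:
        intent = assignment.get("intent")
        target = assignment.get("target", {})
        target_type = target.get("@odata.type")
        if intent in INSTALL_INTENTS:
            if target_type in ALL_TARGETS:
                install_everyone = True
            elif target_type == GROUP_TARGET:
                install_groups.add(target["groupId"])
        elif intent == UNINSTALL_INTENT and target_type == GROUP_TARGET:
            uninstall_groups.add(target["groupId"])
    if install_everyone:
        return sorted(uninstall_groups)
    return sorted(install_groups & uninstall_groups)


def uninstall_is_effective(assignments):
    """True when no group is caught in an install/uninstall conflict."""
    return not find_install_uninstall_conflicts(assignments)


def group_target(group_id, exclude=False):
    """Build a Graph assignment target for a group (constructed helper)."""
    return {
        "@odata.type": EXCLUSION_TARGET if exclude else GROUP_TARGET,
        "groupId": group_id,
    }


# Constructed sample: sales is still required *and* targeted for uninstall,
# contractors are cleanly uninstalled, execs are merely excluded from uninstall.
SAMPLE_ASSIGNMENTS = [
    {"intent": "required", "target": group_target("GROUP-ID-SALES-PLACEHOLDER")},
    {"intent": "available", "target": group_target("GROUP-ID-ENGINEERING-PLACEHOLDER")},
    {"intent": "uninstall", "target": group_target("GROUP-ID-SALES-PLACEHOLDER")},
    {"intent": "uninstall", "target": group_target("GROUP-ID-CONTRACTORS-PLACEHOLDER")},
    {"intent": "uninstall", "target": group_target("GROUP-ID-EXECS-PLACEHOLDER", exclude=True)},
]

# Constructed sample: a required assignment to all licensed users shadows
# every uninstall group.
SAMPLE_ALL_USERS_ASSIGNMENTS = [
    {"intent": "required",
     "target": {"@odata.type": "#microsoft.graph.allLicensedUsersAssignmentTarget"}},
    {"intent": "uninstall", "target": group_target("GROUP-ID-CONTRACTORS-PLACEHOLDER")},
]


if __name__ == "__main__":
    for group_id in find_install_uninstall_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"remove the install assignment for {group_id} before uninstalling")
```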

App installation errors


For details about Intune app installation errors, see App installation errors.

Next steps
To learn how to add apps for each platform to Intune, see:
Android store apps
Android LOB apps
iOS store apps
iOS LOB apps
macOS LOB apps
Web apps (for all platforms)
Microsoft store apps
Windows LOB app
Microsoft 365 apps for Windows 10
Microsoft 365 apps for macOS
Managed Google Play apps
Microsoft Edge for Windows 10
Microsoft Edge for macOS
Built-in apps
Android Enterprise system app
Win32 apps
Microsoft Intune protected apps
9/4/2020 • 23 minutes to read

The apps listed in this topic are supported partner and Microsoft apps that are commonly used with Microsoft
Intune. Intune protected apps are enabled with a rich set of mobile application protection policies. These apps
allow you to:
Restrict copy-and-paste and save-as functions
Configure web links to open inside the secure Microsoft browser
Enable multi-identity use and app-level Conditional Access
Apply data loss prevention policies without managing the user's device
Enable app protection without requiring enrollment
Enable app protection on devices managed with third-party EMM tools

NOTE
For your client line-of-business apps, you can incorporate mobile app management using the Intune App Software
Development Kit (SDK), or the App Wrapping Tool for iOS and the App Wrapping Tool for Android.
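The protection capabilities listed above, and in the "Understanding app management and protection policies" section of the add-apps overview, correspond to settings on an app protection policy. As an added example that is not part of the Intune documentation, the following builds the JSON body Microsoft Graph takes for an iOS/iPadOS app protection policy (POST /deviceAppManagement/iosManagedAppProtections) with those controls set, and lints a policy body for settings that leave them open; property names follow the Graph managedAppProtection resource, the display name and the permissive sample are constructed, and nothing is sent to Graph.

```python
"""Build and lint a Microsoft Intune app protection policy (APP) body.

Added example, not from the Intune documentation. Assembles a hardened
iosManagedAppProtection body covering copy-and-paste and save-as
restrictions, web links forced into Microsoft Edge, and app-level
Conditional Access (work account plus compliant device), then lints a policy
body for settings that leave those controls open. Property names and values
follow the Graph managedAppProtection resource; the Android type
(androidManagedAppProtection) shares the same base properties. Runs offline.
"""
import json

GRAPH_PATH = "/deviceAppManagement/iosManagedAppProtections"


def build_ios_app_protection_policy(display_name):
    """Return a hardened iOS/iPadOS policy body, one group per page bullet."""
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": display_name,
        # Restrict copy-and-paste and save-as: org data may leave only to
        # other policy-managed apps; pasting *into* managed apps stays open so
        # users can still bring personal content in.
        "allowedOutboundDataTransferDestinations": "managedApps",
        "allowedInboundDataTransferSources": "allApps",
        "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
        "saveAsBlocked": True,
        "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
        "printBlocked": True,
        "dataBackupBlocked": True,
        # Web links open inside Microsoft Edge rather than the system browser.
        "managedBrowserToOpenLinksRequired": True,
        "managedBrowser": "microsoftEdge",
        # App-level Conditional Access: a work account and a compliant device
        # are required before org data is shown.
        "organizationalCredentialsRequired": True,
        "deviceComplianceRequired": True,
        # App PIN independent of the device PIN, plus periodic access checks.
        "pinRequired": True,
        "minimumPinLength": 6,
        "simplePinBlocked": True,
        "maximumPinRetries": 5,
        "periodOnlineBeforeAccessCheck": "PT30M",
        "periodOfflineBeforeAccessCheck": "PT12H",
        "periodOfflineBeforeWipeIsEnforced": "P90D",
    }


# Values that leave the control the page describes effectively disabled.
WEAK_SETTINGS = {
    "allowedOutboundDataTransferDestinations": {"allApps"},
    "allowedOutboundClipboardSharingLevel": {"allApps"},
    "saveAsBlocked": {False},
    "managedBrowserToOpenLinksRequired": {False},
    "organizationalCredentialsRequired": {False},
    "pinRequired": {False},
}


def lint_app_protection_policy(policy):
    """Return findings for weak or missing settings (empty list means clean).

    Graph fills unset properties with service defaults, so a missing key is
    reported rather than assumed to be protective.
    """
    findings = []
    for key, weak_values in WEAK_SETTINGS.items():
        if key not in policy:
            findings.append(f"{key}: not set, service default applies")
        elif policy[key] in weak_values:
            findings.append(f"{key}: {policy[key]!r} leaves this control open")
    if policy.get("managedBrowserToOpenLinksRequired") and \
            policy.get("managedBrowser", "notConfigured") == "notConfigured":
        findings.append("managedBrowser: links are forced into a managed "
                        "browser but none is selected")
    return findings


def weak_sample_policy():
    """Constructed sample of a permissive policy for the lint to flag."""
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": "Sample permissive policy (constructed)",
        "allowedOutboundDataTransferDestinations": "allApps",
        "allowedOutboundClipboardSharingLevel": "allApps",
        "saveAsBlocked": False,
        "managedBrowserToOpenLinksRequired": False,
        "pinRequired": True,
    }


def request_body(policy):
    """Serialize the policy as the JSON body for a Graph POST to GRAPH_PATH."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    hardened = build_ios_app_protection_policy("Corp iOS APP (constructed)")
    print("hardened policy findings:", lint_app_protection_policy(hardened))
    print("permissive policy findings:", lint_app_protection_policy(weak_sample_policy()))
    print(request_body(hardened))
```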

The following tables provide details of supported partner and Microsoft apps that are commonly used with
Microsoft Intune.

Microsoft apps
App title | App store links for supported platform(s), followed by the app description and information

Field Service Mobile | Google Play link (Android), App Store link (iOS)
Dynamics 365 for Field Service provides the cross-platform, multi-device Field Service Mobile application that is specifically crafted to the field service worker's needs. Robust offline capabilities allow field service workers to continue accessing and interacting with the data that they need when visiting remote destinations without internet connectivity. Field service workers can keep the back-office informed of work being performed in the field by periodically synchronizing data up to the server so that the proper actions can be taken or kick-started as appropriate. The mobile application is entirely customizable and extensible, allowing any organization to brand the application as its own, define what types of data field service workers can access, and much more.

Microsoft Azure Information Protection Viewer | Google Play link (Android), App Store link (iOS)
Securely collaborate with others using the AIP Viewer App. View protected files (rights protected email messages, PDF files, pictures, text files) that someone has shared with you.

Microsoft Bookings | Google Play link (Android), App Store link (iOS)
Microsoft Bookings is an appointment scheduling app that helps you keep track of your bookings, your staff, and your customers. You'll never miss an appointment, and you'll have fewer no-shows.
With the Bookings app you can:
View and manage your calendar
Create bookings or make changes to existing ones on-the-go
See real-time availability of your staff members
Respond to customers quickly and easily
Quickly get directions to where your next booking is
Manage your customer list

Microsoft Cortana | Google Play link (Android), App Store link (iOS)
Fast, easy and fun to stay on top of work & life with your personal assistant Cortana. Bring your smart digital assistant to your phone to help keep track of the important stuff wherever you are, across your devices.

Microsoft Dynamics CRM | Google Play link (Android), App Store link (iOS)
Engage your customers while staying productive at work and on the go with Microsoft Dynamics CRM. Arrive prepared for every appointment and update notes, tasks, contacts, accounts, cases, and leads while the details are still fresh. Allows salespeople to manage their sales data, guided by contextual business process, while on the go. Gives agents and supervisors freedom of mobility with the full scope of case management. Get a seamless user experience in a 'configure once, deploy everywhere' model. Available for iOS/iPadOS and Android.

Microsoft Edge | Google Play link (Android), App Store link (iOS)
Microsoft Edge creates one continuous browsing experience for Windows 10 users across their devices. Content and data sync seamlessly in the background, so users can browse across devices, without skipping a beat. Familiar Microsoft Edge features like the Hub allow users to organize the web in a way that cuts through the clutter, making it easier to find, view and manage their content on-the-go. Microsoft Edge is designed for Windows 10 users to browse the web how they need to, wherever they are, without disrupting their flow.

Microsoft Excel | Google Play link (Android), App Store link (iOS)
Make Excel spreadsheets look better than ever on your tablet and phone. Be confident that when you edit or create spreadsheets, they'll look exactly how you want across computers, Macs, tablets, and phones. Be up and running in no time with a familiar Office look and feel, along with an intuitive touch experience.
This app can be used as a multi-identity app for Android and iOS/iPadOS.

Power Automate | Google Play link (Android), App Store link (iOS)
Carry the full power of Power Automate in your pocket. With Power Automate, you can create automated workflows between your favorite apps and services to streamline your business, save time, and work more efficiently.

Microsoft Kaizala | Google Play link (Android), App Store link (iOS)
Microsoft Kaizala is a mobile app and service designed for large group communications and work management. Kaizala makes it easy to connect and coordinate work with your entire value chain, including field employees, vendors, partners, and customers wherever they are.

Microsoft Launcher | Google Play link (Android)
Microsoft Launcher (formerly known as Arrow Launcher) can personalize your Android device to match your style with wallpapers, theme colors, icon packs, and more. With a Microsoft account or work/school account, you can access your calendar, documents, and recent activities in your personalized feed. You can even open photos, docs and webpages on your Windows PC, to be productive across all your devices.

Microsoft Office | Google Play link (Android), App Store link (iOS)
The Microsoft Office app combines the Word, Excel, and PowerPoint apps you know and rely on with new capabilities that create a simpler, yet more powerful Office experience on the go.

Microsoft OneDrive | Google Play link (Android), App Store link (iOS)
Get online storage for your work files to share and collaborate on them with other people at your work or school. Plus, easily access your personal and work files when you're on the go.
This app can be used as a multi-identity app for Android and iOS/iPadOS.

Microsoft OneNote | Google Play link (Android), App Store link (iOS)
Capture your thoughts, discoveries, and ideas with OneNote, your very own digital notebook. Seize that moment of inspiration, take your class notes, or track that list of errands that are too important to forget. Whether you're at home, in the office, or on the go, your notes are available to you on all your devices.
This app can be used as a multi-identity app for Android and iOS/iPadOS.

Microsoft Outlook | Google Play link (Android), App Store link (iOS)
Get more done from anywhere with one unified view of your email, calendar, contacts, and attachments using this free email app. Automatically extract your most important messages across all your email accounts. Easily view your calendar, share available times, schedule meetings, and attach files from email, OneDrive, or Dropbox with just a few taps.
This app can be used as a multi-identity app for Android and iOS/iPadOS.

Microsoft Planner | Google Play link (Android), App Store link (iOS/iPadOS)
Take the chaos out of teamwork and get more done. Microsoft Planner makes it easy for your team to create new plans, organize and assign tasks, share files, chat about what you're working on, and get updates on progress.

Microsoft PowerApps | Google Play link (Android), App Store link (iOS/iPadOS)
PowerApps is a service that lets you build business apps that run in a browser or on a phone or tablet, and no coding experience is required.

Microsoft Power BI | Google Play link (Android), App Store link (iOS)
Get live mobile access to your important business information with the Microsoft Power BI app. Easily view and interact with your dashboards and reports for all your business data.

Microsoft PowerPoint | Google Play link (Android), App Store link (iOS)
Make PowerPoint presentations look great on your tablet and phone. Be confident that when you edit or create presentations, they'll look exactly how you want across computers, Macs, tablets, and phones. Be up and running in no time with a familiar Office look and feel, along with an intuitive touch experience.
This app can be used as a multi-identity app for Android and iOS/iPadOS.

Microsoft SharePoint | Google Play link (Android), App Store link (iOS)
Bring your company intranet in your pocket with on-the-go access from the SharePoint mobile app. Get quick access to your team sites, organization portals and resources, and the people you work with, both on-premises or online in Microsoft 365.

Microsoft To-Do | Google Play link (Android), App Store link (iOS)
Microsoft To-Do is a simple and intelligent to-do list that makes it easy to plan your day. Whether it's for work, school or home, To-Do will help you to increase your productivity and decrease your stress levels. It combines intelligent technology and beautiful design to empower you to create a simple daily workflow.

Microsoft Skype for Business | Google Play link (Android), App Store link (iOS)
Get a single easy-to-use interface for any mobile device to access your favorite Skype features: voice and video over wireless, rich presence, instant messaging, conferencing, and calling. Available for iOS/iPadOS and Android.

Microsoft StaffHub | Google Play link (Android), App Store link (iOS)
Microsoft StaffHub is a cloud-based platform that slips work (and the tools to manage it) into everyone's back pocket. With Microsoft StaffHub, Firstline Workers can view schedules, swap shifts, and request time off. Managers can create schedules, approve requests, and share information. On mobile or web, it's the one-stop app for scheduling, sharing, and communicating. Microsoft StaffHub gives everyone the freedom to manage work.

Microsoft Stream | Google Play link (Android), App Store link (iOS)
Microsoft Stream is your central destination for enterprise video content with built-in intelligence features, deep integration across Microsoft 365, and IT management and security capabilities that businesses of all sizes require.
With the Microsoft Stream mobile app you can:
Find and engage with videos you need fast with smart search tools
Watch videos at your own convenience by saving content for offline viewing
Enjoy the best experience for consuming Stream videos by deep-linking into the app
Get the enterprise-level security and compliance features you expect from Office 365
This app requires an appropriate commercial Microsoft 365 subscription. If you are not sure about your organization's subscription or the services you have access to, please contact your IT department. To learn more about managing Microsoft Stream with Intune, visit aka.ms/streamintune.
By downloading this app, you agree to the license terms (see aka.ms/eulastreamios) and privacy terms (see aka.ms/privacy).
To learn more, please visit aka.ms/microsoftstreamdocs.
For support or feedback, email us at streamiosstore@microsoft.com.

Microsoft Teams | Google Play link (Android), App Store link (iOS)
Microsoft Teams is your chat-centered workspace in Microsoft 365. Instantly access all your team's content from a single place where messages, files, people and tools live together. Take it with you on your favorite mobile device.

Microsoft Visio Viewer | App Store link (iOS)
You can view and interact with Visio diagrams on iPhone on the go for free. Sign in with your Microsoft Account or open a Visio attachment from email, and enjoy the amazing view of Visio diagrams on any iPhone running iOS 9.0 or later. You can also share the diagrams with anyone, who can then view Visio diagrams on their iPhone or in a web browser even if they don't have Visio installed on their Windows desktop.

Microsoft Whiteboard | App Store link (iOS)
Microsoft Whiteboard app provides a freeform intelligent canvas where teams can ideate, create, and collaborate visually via the cloud. It enhances teamwork by allowing all team members to edit and comment directly on the canvas in real time, no matter where they are. And all your work stays safe in the cloud, ready to be picked back up from any device.

Microsoft Word | Google Play link (Android), App Store link (iOS)
Make Word documents look better than ever on your tablet and phone. Be confident that when you edit or create documents, they'll look exactly how you want across computers, Macs, tablets, and phones. Be up and running in no time with a familiar Office look and feel, along with an intuitive touch experience.
This app can be used as a multi-identity app for Android and iOS/iPadOS.

Microsoft Work Folders | App Store link (iOS)
Allow individual employees to securely access their files from both inside and outside the corporate environment using Work Folders, a Windows Server feature.

Yammer | Google Play link (Android), App Store link (iOS)
Break down organizational silos and facilitate team collaboration with Yammer. Connect to the right people in your organization, share and search for information across teams, and organize around projects and ideas so you can do more.

Partner apps
App title | App store links for supported platform(s), followed by the app description

Acronis Access | App Store link (iOS)
Safely access your business files from anywhere and any device with Acronis Access. Easily share documents with colleagues, customers, and vendors while keeping files and data secure and private, where only you and your organization can touch them. The app is designed for extreme ease of use with unparalleled security, privacy, and management capabilities.

Adobe Acrobat Reader | Google Play link (Android), App Store link (iOS)
Open, view, and work with PDFs in a Microsoft Intune managed environment with Adobe Acrobat Reader. Available for iOS/iPadOS and Android.

BlackBerry Enterprise BRIDGE | Google Play link (Android), App Store link (iOS)
BlackBerry Enterprise BRIDGE allows you to securely view, edit, and save documents using Intune-managed Microsoft apps, such as Microsoft Word, Microsoft PowerPoint, and Microsoft Excel from BlackBerry Dynamics. You can share your documents as email attachments and maintain data encryption during the document-sharing process between BlackBerry Dynamics and Intune-managed mobile apps.

Bluejeans Video Conferencing | Google Play link (Android), App Store link (iOS)
BlueJeans delivers a premium video conferencing experience that is optimized for the mobile workforce. With amazing features, like Dolby Voice® audio, BlueJeans helps make every meeting more productive regardless of where the participants are located.
Features:
Participate in BlueJeans video meetings with up to 150 attendees.
Experience HD video and Dolby Voice® audio for the highest fidelity meetings.
Share and receive content for maximum productivity on-the-go.
Facilitate professional meetings with intuitive controls that make meeting moderation a breeze.
Integrate your calendar to enable one touch to join and easily jump from meeting-to-meeting.
Eliminate low-bandwidth spots with intelligent bandwidth management that optimizes network settings.
Select safe driving mode while on the road for distraction-free meetings.

Board Papers | App Store link (iOS)
Board Papers is a board portal solution that combines an iPad application with Microsoft SharePoint® integration.

Breezy for Intune | App Store link (iOS)
Breezy For Intune provides secure print capabilities for your iOS device. Our integration with Intune ensures that your data stays secure while on-device, and our own end-to-end encryption and enterprise grade security ensure that it stays that way on its way to the printer.

Box for EMM | App Store link (iOS)
Keep your employees connected and collaborative while you centrally manage security, policy, and provisioning across any mobile device using Box for EMM.

CellTrust SL2™ for Microsoft Intune | Google Play link (Android), App Store link (iOS)
CellTrust SL2™ for Microsoft Intune is an enterprise-level application that works by assigning a secure Mobile Business Number (MBN) on bring-your-own devices to keep personal and business communications separate on a single device. The seamless solution secures SMS messages and business calls on the device without using the personal number. This capability is vital for enterprises that require greater security for business communications, as well as archiving for eDiscovery and compliance needs.
Microsoft Intune is a cloud-based service in the enterprise mobility management (EMM) space that helps enable your workforce to be productive while keeping your corporate data protected.
CellTrust SL2™ for Microsoft Intune delivers a powerful enterprise mobility platform, allowing employees to work on the go, with easy access to secure business applications, and voice and text messaging. The app was developed with Microsoft Intune SDKs and customized features to allow organizations to tailor it based on their industry and IT needs.

Cisco Jabber for Intune | Google Play link (Android), App Store link (iOS)
Cisco Jabber for Intune is for admins to organize and protect BYOD environments with mobile application management (MAM). This app allows admins to protect corporate data while keeping employees connected.

Citrix Secure Mail | Google Play link (Android), App Store link (iOS)
Citrix Secure Mail is a containerized email, calendar, and contacts app with a rich user experience.
A P P STO RE L IN K S F O R SUP P O RT ED
A P P T IT L E A P P DESC RIP T IO N P L AT F O RM ( S)

Citrix ShareFile for Intune Protect corporate data while accessing Google Play link (Android),
and sharing files from ShareFile. It App Store link (iOS)
directly integrates with Microsoft Word,
Excel, and PowerPoint, to allow access
to files from ShareFile without ever
leaving your office application.

Egress Secure Mail for Intune Send and receive encrypted emails and Google Play link (Android)
files from your mobile device. Egress
Secure Email provides user-friendly
tools to secure sensitive data, with end-
to-end encryption, access revocation
and message restrictions to empower
users to stay in control of the
information they share.
The Egress Secure Email app
requires you to be a licensed user
of the Egress platform, with a valid
subscription and appropriate
infrastructure.

Hearsay Relate for Intune Hearsay Relate for Intune enables Google Play link (Android),
advisors to manage and nurture their App Store link (iOS)
book of business in a protected BYOD
environment with mobile application
management (MAM). This version of
Hearsay Relate allows IT administrators
to protect corporate data while keeping
advisors in touch with their book of
business.

Hearsay Relate, a mobile application


that enables financial services
professionals to move business
forward. Leverage compliant texting
and seamless voice calling to connect
with your entire book of business. Stay
productive with calendar integration to
set appointments, and schedule
reminder messages for upcoming
meetings, birthday greetings, and
more.
Hearsay Relate for Intune gives
enterprise users all the features they
expect from Hearsay Relate, while
providing IT administrators the MAM
functionality they need to keep
corporate data safe. In the event of a
lost or stolen device, IT can remove
Hearsay Relate for Intune from the
device along with any sensitive data
associated with it.
A P P STO RE L IN K S F O R SUP P O RT ED
A P P T IT L E A P P DESC RIP T IO N P L AT F O RM ( S)

iBabs for Intune ISEC7 Mobile Exchange Delegate allows App Store link (iOS)
authorized representatives via iPhone
and iPad to agree to appointments for
their colleagues, to manage their
contacts, and to answer emails on
behalf of other users.

ISEC7 MED for Intune Make your meetings simpler, more App Store link (iOS)
substantive, and more environmentally
friendly.

Lexmark Mobile Print Intune Mobile computing has become App Store link (iOS)
pervasive—it's simply a state of always
on, barrier-free connectedness that
entertains, enlightens and helps you
get more work done.

While business users expect desktop


and mobile printing to be equally
convenient, IT managers know how
complicated it can be to provide
seamless output due to mobile's unique
characteristics. With connectivity,
security and network challenges to
solve across multiple operating
systems, providing your users with the
flexible printing they expect can be
complex.

Lexmark offers the experience and


innovation to help you meet the
printing needs of your users in a way
that's easy and hassle-free for IT. By
addressing your challenges with a
comprehensive set of tools and
options, we can help you achieve a
mobile printing experience that is more
transparent, simple and secure.

Meetio Enterprise Meetio's mobile app for organizations Google Play link (Android),
using Meetio room management App Store link (iOS)
solutions. Meetio Enterprise simplifies
your workday by allowing you to
schedule meetings and meeting rooms
- all at once, while you're on the go.
A P P STO RE L IN K S F O R SUP P O RT ED
A P P T IT L E A P P DESC RIP T IO N P L AT F O RM ( S)

Nine Work for Intune Nine is a full-fledged email application Google Play link (Android),
for Android based on Direct Push App Store link (iOS)
technology to synchronize with
Microsoft Exchange Server using
Microsoft Exchange ActiveSync, and
also designed for entrepreneurs or
ordinary people who want to have
efficient communication with their
colleagues, friends, and family members
at any time, anywhere.

Now ® Mobile - Intune Now employees can find answers and Google Play link (Android),
get work done across IT, HR, Facilities, App Store link (iOS)
Finance, Legal and other departments,
all from a modern mobile app powered
by the Now Platform® .
The Now Platform® delivers
employee experiences and
productivity through digital
workflows across departments,
systems and people.
Examples of things you can do in
the app:
IT: Request a laptop or a reset
password
Facilities: Find and book a
conference room
Finance: Request a corporate
credit card
Legal: Have a new vendor sign a
non-disclosure agreement
(NDA)
HR: Find the next company
holiday and check the vacation
policy
Now® Mobile powered by the
Now Platform® - finally work life
can be as great as real life

PrinterOn for Microsoft PrinterOn's wireless mobile printing Google Play link (Android),
solutions enable users to remotely print App Store link (iOS)
from anywhere at any time over a
secure network.

Qlik Sense Mobile Qlik Sense is a market leading, next Google Play link (Android),
generation application for self-service App Store link (iOS)
oriented analytics. Qlik's patented
associative technology allows people to
easily combine data from many
different sources and explore it freely,
without the limitations of query-based
tools.
A P P STO RE L IN K S F O R SUP P O RT ED
A P P T IT L E A P P DESC RIP T IO N P L AT F O RM ( S)

SAP Fiori Increase your daily productivity by App Store link (iOS)
tackling your most common business
tasks anywhere and anytime with the
SAP Fiori Client mobile app for iPhone
and iPad. Deliver a next-level mobile
experience with enhanced attachment
handling and full-screen operations
using this enhanced mobile runtime for
the Web version of over 750 SAP Fiori
app. Plus, access custom SAP Fiori
mobile apps—built by customers using
SAP Fiori mobile service—that are
ready to support Intune mobile app
management.

Ser viceNow ® Agent - Intune ServiceNow Mobile Agent app delivers Google Play link (Android),
out-of-the-box, mobile-first experiences App Store link (iOS)
for the most common service desk
agent workflows, making it easy for
agents to triage, act on and resolve
requests on the go. The app enables
service desk agents to promptly
manage and resolve end user issues
from their mobile devices. Agents use
the app’s intuitive interface to accept
and update work even without Internet
connectivity. The app greatly simplifies
work by leveraging native device
capabilities for tasks like navigation,
barcode scanning, or collecting a
signature.

The app comes with out-of-the-box


workflows for service desk agents in IT,
Customer Service, HR, Field Services,
Security Ops and IT Asset
Management. Organizations can easily
configure and extend the workflows to
meet their own unique needs.
With Mobile Agent you can:
Manage the work assigned to
your teams.
Triage incidents and cases.
Act on approvals with swipe
gestures and quick actions.
Complete work while offline.
Access the full issue details,
activity stream, and related lists
of records.
Optimize workflows with
location, camera, and
touchscreen hardware
A P P STO RE L IN K S F O R SUP P O RT ED
A P P T IT L E A P P DESC RIP T IO N P L AT F O RM ( S)

Ser viceNow ® Onboarding - ServiceNow® Mobile Onboarding Google Play link (Android),
Intune empowers new hires to complete tasks, App Store link (iOS)
view content, and get help across
departments—including IT, HR,
Facilities, Finance, and Legal—all from a
single native mobile app.

Streamline the onboarding experience


by allowing new hires to:
Order a laptop and phone from
IT.
Setup a workspace with
Facilities.
Sign a non-disclosure
agreement (NDA) from Legal.
Submit a photo and update
their profile with HR.
Review an expense policy from
Finance and get help if they
have questions.
Powered by the Now Platform® ,
Mobile Onboarding manages
workflows across multiple departments
and systems, hiding the complexity of
backend processes. New hires don't
even have to know which departments
are involved in any given process. They
receive a simple and easy onboarding
experience and can complete tasks
before they even start, ensuring they
are day-one ready.
A P P STO RE L IN K S F O R SUP P O RT ED
A P P T IT L E A P P DESC RIP T IO N P L AT F O RM ( S)

Smar tcr ypt for Intune Smartcrypt for Intune is specifically App Store link (iOS)
designed for existing PKWARE
customers operating in an Intune
environment. Smartcrypt lets you get
your work done on the go. It's fast,
secure and simple to use so you can be
productive from anywhere. If you are
unsure if you have Smartcrypt please
contact your company's IT
administrator. With Smartcrypt, you
can: Encrypt and decrypt files using
Smartkeys, Decrypt archives with X.509
Digital Certificates, Create and manage
Smartkeys, Perform digital signing and
authentication of data with X.509
Digital Certificates, Encrypt and decrypt
files with Strong Passphrase encryption,
including AE2, Login with existing
Active Directory credentials, Create and
view unencrypted zip archives.
Smartcrypt armors data at its core,
eliminating vulnerabilities everywhere
data is used, shared or stored. For
nearly three decades, PKWARE has
provided encryption and compression
software to more than 30,000
enterprise customers and over 200
government agencies. Available for
iOS/iPadOS and Android.

Speaking Email Get more time in your day by having App Store link (iOS)
your email read to you on the move.
Voice commands and simple gestures
designed to be safe to use while driving
give you the ability to archive, flag or
even reply on the move.
Smart content detection skips over
disclaimers, reply headers, and
email signatures to speak only the
content without the clutter.
Employees can sign in via Intune to
access Microsoft 365 Exchange
email.
A P P STO RE L IN K S F O R SUP P O RT ED
A P P T IT L E A P P DESC RIP T IO N P L AT F O RM ( S)

Synergi Life Synergi Life Mobile App, an extension Google Play link (Android), App Store
of Synergi Life, lets users easily create link (iOS)
observations and incident reports
anytime and from anywhere, using
their phones to take a snapshot and
make a voice recording.
Synergi Life (previously named
Synergi) is a complete business
solution for risk and QHSE
management, managing all non-
conformances, incidents, risk, risk
analyses, audits, assessments and
improvement suggestions.
The Synergi Life Mobile App
requires you to be a licensed user
of the Synergi Life risk and QHSE
management system, and have the
necessary back-end licensed
software and services.

Tableau Mobile for Intune Tableau Mobile gives you the freedom App Store link (iOS)
to stay on top of your data, no matter
where you are or when you need it.
With a fast, intuitive, and interactive
experience, explore your dashboards
and find just what you’re looking for, all
from the convenience of your mobile
device.
The Tableau Mobile app requires a
Tableau Server or Tableau Online
account. Please note, it does not
work with Tableau Public.
Features:
Interactive previews let you
access your data even when
you’re offline.
Mark your favorite dashboards
or views to always have them at
your fingertips.
Scroll, search, and browse your
organization’s dashboards with
a navigation experience that’s
both intuitive and familiar.
Interact with your data to ask
and answer questions on the
go.
A P P STO RE L IN K S F O R SUP P O RT ED
A P P T IT L E A P P DESC RIP T IO N P L AT F O RM ( S)

Tact for Intune Tact for Intune is the first CRM and Google Play link (Android), App Store
Sales Assistant that unifies data from link (iOS)
Salesforce.com, email, calendar, maps
and other everyday tools into a
conversational, human-friendly
experience. Powered by AI, Tact
automates the administrative work for
the salesperson, unifies CRM with other
data sources to deliver a single pane of
glass, and pushes intelligence to each
seller in order to nudge them into
high-performance behavior. Enterprises
can now gain increased seller
productivity, richer customer data and
better CRM adoption while ensuring
enterprise-grade security at the
application layer with Tact for Intune.

Vera for Intune Encrypt, track, and revoke access to App Store link (iOS)
files and email attachments directly
from your mobile device with Vera for
Intune. Protect your most valuable
information, no matter what apps you
use: Microsoft, Box, Google, Dropbox,
and more.

Workspace ONE Send Workspace ONE Send provides Google Play link (Android),
seamless editing and sending App Store link (iOS)
capabilities for customers using
Microsoft Intune to manage Microsoft
365 apps using VMware productivity
apps.

Zero for Intune The ZERØ for Intune application is App Store link (iOS)
specifically designed for MDM
deployment via Microsoft Intune. This
app allows both ZERØ and Microsoft
Intune customers to take advantage of
a secure Intune MDM deployment, as
well as organize and protect BYOD
environments with mobile application
management (MAM).

Zoom for Intune Zoom is your communications hub for Google Play link (Android),
meetings, webinars, chat and cloud App Store link (iOS)
phone. Start or join meetings with
flawless video, crystal clear audio and
instant screen sharing from desktop,
mobile or conference rooms.

Next steps
To learn how to add apps for each platform to Intune, see:
Android store apps
Android LOB apps
iOS store apps
iOS LOB apps
Web apps (for all platforms)
Microsoft store apps
Windows LOB app
Microsoft 365 apps for Windows 10
Microsoft 365 apps for macOS
Built-in apps
Win32 apps
Add Android store apps to Microsoft Intune
9/4/2020 • 2 minutes to read

Before you assign an app to a device or a group of users, you must first add the app to Microsoft Intune.

Add an app
You can add an Android store app to Intune from the Azure portal by doing the following:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add.
3. In the Select app type pane, under the available Store app types, select Android store app.
4. Click Select.
The Add app steps are displayed.
5. To configure the App information for the Android app, navigate to the Google Play store and search for the app you want to deploy. Display the app page and make a note of the app details.
6. In the App information page, add the app details:
Name: Enter the name of the app as it is to be displayed in the company portal. Make sure that any app name that you use is unique. If an app name is duplicated, only one name is displayed to users in the company portal.
Description: Enter a description for the app. This description is displayed to users in the company portal.
Publisher: Enter the name of the publisher of the app.
Appstore URL: Enter the app store URL of the app that you want to create. Use the URL of the app page when the details of the app are displayed in the store.
Minimum operating system: In the list, select the earliest operating system version on which the app can be installed. If you assign the app to a device with an earlier operating system, it will not be installed.
Category: Optionally, select one or more of the built-in app categories, or a category that you created. Doing so makes it easier for users to find the app when they browse the company portal.
Show this as a featured app in the Company Portal: Select this option to display the app suite prominently on the main page of the company portal when users browse for apps. Applies to apps deployed with Available intent.
Information URL: Optionally, enter the URL of a website that contains information about this app. The URL is displayed to users in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy information for this app. The URL is displayed to users in the company portal.
Developer: Optionally, enter the name of the app developer.
Owner: Optionally, enter a name for the owner of this app, for example, HR department.
Notes: Optionally, enter any notes that you want to associate with this app.
Logo: Optionally, upload an icon that will be associated with the app. This icon is displayed with the app when users browse the company portal.
7. Click Next to display the Scope tags page.
8. Click Select scope tags to optionally add scope tags for the app. For more information, see Use role-based access control (RBAC) and scope tags for distributed IT.
9. Click Next to display the Assignments page.
10. Select the group assignments for the app. For more information, see Add groups to organize users and devices.
11. Click Next to display the Review + create page. Review the values and settings you entered for the app.
12. When you are done, click Create to add the app to Intune.
The Overview blade of the app you've created is displayed.

Next steps
Assign apps to groups
Add iOS store apps to Microsoft Intune
9/4/2020 • 3 minutes to read

Use the information in this article to help you add iOS store apps to Microsoft Intune. iOS store apps are apps that
Intune installs on your users' devices. A user is part of your company's workforce. iOS store apps are automatically
updated.

NOTE
Although users of iOS/iPadOS devices can remove some built-in iOS/iPadOS apps, such as Stocks and Maps, you cannot use
Intune to redeploy those apps. If your users delete these apps, they must go to the App Store and manually reinstall them.

Before you start
You can assign apps by using this method only if they are free of charge in the App Store. If you want to assign paid apps by using Intune, consider using the iOS/iPadOS volume-purchase program.

NOTE
When you work with Microsoft Intune, we recommend that you use either the Microsoft Edge or Google Chrome browser.

1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add.
3. In the Select app type pane, under the available Store app types, select iOS store app.
4. Click Select.
The Add app steps are displayed.
5. Select Search the App Store.
6. In the Search the App Store pane, select the App Store country/region locale.
7. In the Search box, type the name (or part of the name) of the app.
Intune searches the store and returns a list of relevant results.
8. In the results list, select the app you want, and then select Select.
The App information page will be displayed in the Add app pane. When possible, app information will be added based on the app you selected from the store.
9. In the App information page, add the app details. Depending on the app you have chosen, some of the values in this pane might have been automatically filled in:
Name: Enter the name of the app as it is to be displayed in the company portal. Make sure that any app name that you use is unique. If an app name is duplicated, only one name is displayed to users in the company portal.
Description: Enter a description for the app. This description is displayed to users in the company portal.
Publisher: Enter the name of the publisher of the app.
Appstore URL: Type the App Store URL of the app that you want to create.
Minimum operating system: In the list, select the earliest operating system version on which the app can be installed. If you assign the app to a device with an earlier operating system, it will not be installed.
Applicable device type: In the list, select the devices that are used by the app.
Category: Optionally, select one or more of the built-in app categories, or a category that you created. Doing so makes it easier for users to find the app when they browse the company portal.
Show this as a featured app in the Company Portal: Select this option to display the app suite prominently on the main page of the company portal when users browse for apps.
Information URL: Optionally, enter the URL of a website that contains information about this app. The URL is displayed to users in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy information for this app. The URL is displayed to users in the company portal.
Developer: Optionally, enter the name of the app developer. This field is visible only to administrators and is not visible to your users.
Owner: Optionally, enter a name for the owner of this app, for example, HR department. This field is visible only to administrators and is not visible to your users.
Notes: Optionally, enter any notes that you want to associate with this app. This field is visible only to an administrator and will not be visible to end users.
Logo: Optionally, upload an icon that will be associated with the app. This icon is displayed with the app when users browse the company portal.
10. Click Next to display the Scope tags page.
11. Click Select scope tags to optionally add scope tags for the app. For more information, see Use role-based access control (RBAC) and scope tags for distributed IT.
12. Click Next to display the Assignments page.
13. Select the group assignments for the app. For more information, see Add groups to organize users and devices.
14. Click Next to display the Review + create page. Review the values and settings you entered for the app.
15. When you are done, click Create to add the app to Intune.
The Overview blade of the app you've created is displayed.

Next steps
Assign apps to groups
Add Windows Phone 8.1 store apps to Microsoft Intune
9/4/2020 • 3 minutes to read

IMPORTANT
Windows 10 Mobile and Windows Phone 8.1 support has ended. Windows 10 Mobile and Windows Phone 8.1 enrollments
will fail and related apps can no longer be added to Intune. These profile types are being removed from the Intune UI.
Devices currently enrolled will stop syncing with the Intune service.
Existing policies and profiles on these platforms are becoming read-only, and can't be changed. You can remove assignments,
and then delete the policies and profiles.
If Windows Phone 8.1 or Windows 10 Mobile are being used, we recommend moving to Windows 10 devices. Windows 10
has built-in security and device features that have a first class integration with Microsoft Intune.

Before you assign an app to a device or a group of users, you must first add the app to Microsoft Intune.

Add an app to Intune
You can add a Windows Phone 8.1 store app to Intune from the Azure portal by doing the following:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add.
3. In the Select app type pane, under the available Store app types, select Windows Phone 8.1 store app.
4. Click Select.
The Add app steps are displayed.
5. To configure the App information for Windows Phone 8.1 store apps, navigate to the Microsoft store and search for the app you want to deploy. Display the app page and make a note of the app details.
6. In the App information page, add the app details:
Name: Enter the name of the app as it is to be displayed in the company portal. Make sure that any app name that you use is unique. If an app name is duplicated, only one name is displayed to users in the company portal.
Description: Enter a description for the app. This description is displayed to users in the company portal.
Publisher: Enter the name of the publisher of the app.
App Store URL: Type the App Store URL of the app that you want to create.
Category: Optionally, select one or more of the built-in app categories, or a category that you created. Doing so makes it easier for users to find the app when they browse the company portal.
Show this as a featured app in the Company Portal: Select this option to display the app suite prominently on the main page of the company portal when users browse for apps.
Information URL: Optionally, enter the URL of a website that contains information about this app. The URL is displayed to users in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy information for this app. The URL is displayed to users in the company portal.
Developer: Optionally, enter the name of the app developer.
Owner: Optionally, enter a name for the owner of this app, for example, HR department.
Notes: Optionally, enter any notes that you want to associate with this app.
Logo: Optionally, upload an icon that will be associated with the app. This icon is displayed with the app when users browse the company portal.
7. Click Next to display the Scope tags page.
8. Click Select scope tags to optionally add scope tags for the app. For more information, see Use role-based access control (RBAC) and scope tags for distributed IT.
9. Click Next to display the Assignments page.
10. Select the group assignments for the app. For more information, see Add groups to organize users and devices.
11. Click Next to display the Review + create page. Review the values and settings you entered for the app.
12. When you are done, click Create to add the app to Intune.
The Overview blade of the app you've created is displayed.
The app that you've created is displayed in the apps list, where you can assign it to the groups that you select.

Next steps
Assign apps to groups
Add Microsoft Store apps to Microsoft Intune
9/4/2020 • 2 minutes to read

Before you can assign, monitor, configure, or protect apps, you must add them to Intune.

Add an app to Intune
You can add a Microsoft Store app to Intune by doing the following:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add.
3. In the Select app type pane, under the available Store app types, select Windows store app.
4. Click Select. The Add app steps are displayed.
5. To configure the App information for Windows store apps, navigate to the Microsoft store and search for the app you want to deploy. Display the app page and make a note of the app details.
6. In the App information page, add the app details:
Name: Enter the name of the app as it is to be displayed in the company portal. Make sure that any app name that you use is unique. If an app name is duplicated, only one name is displayed to users in the company portal.
Description: Enter a description for the app. This description is displayed to users in the company portal.
Publisher: Enter the name of the publisher of the app.
Appstore URL: Type the App Store URL of the app that you want to create. The URL can be found by searching the Microsoft Store for the desired app. Use the URL from the browser address bar.
Category: Optionally, select one or more of the built-in app categories, or a category that you created. Doing so makes it easier for users to find the app when they browse the company portal.
Show this as a featured app in the Company Portal: Select this option to display the app suite prominently on the main page of the company portal when users browse for apps.
Information URL: Optionally, enter the URL of a website that contains information about this app. The URL is displayed to users in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy information for this app. The URL is displayed to users in the company portal.
Developer: Optionally, enter the name of the app developer.
Owner: Optionally, enter a name for the owner of this app, for example, HR department.
Notes: Optionally, enter any notes that you want to associate with this app.
Logo: Optionally, upload an icon that will be associated with the app. This icon is displayed with the app when users browse the company portal.
7. Click Next to display the Scope tags page.
8. Click Select scope tags to optionally add scope tags for the app. For more information, see Use role-based access control (RBAC) and scope tags for distributed IT.
9. Click Next to display the Assignments page.
10. Select the group assignments for the app. For more information, see Add groups to organize users and devices.
11. Click Next to display the Review + create page. Review the values and settings you entered for the app.
12. When you are done, click Create to add the app to Intune.
The Overview blade of the app you've created is displayed.
The app that you've created is displayed in the apps list, where you can assign it to the groups that you select.

IMPORTANT
Microsoft Store apps can only be assigned to groups with the assignment type Available for enrolled devices (users
install the app from the Company Portal app or website).
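The Android store, iOS store and Microsoft Store procedures above all ask the admin to type the same App information fields by hand. The following Python, added here as an example and not code from Intune or Microsoft, pre-checks a batch of such records before they are entered: it flags a Name already used in the tenant (the Company Portal shows only one of two identically named apps), verifies that the Appstore URL is an https listing on the official store for the chosen platform, and extracts the store's own identifier from it. The store host lists, the URL-shape rules and the sample records are assumptions constructed for this example.

```python
"""Pre-flight checks for Intune store-app 'App information' records (added example)."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Assumption: the hosts an admin sees in the browser address bar for each store type.
STORE_HOSTS = {
    "android": {"play.google.com"},
    "ios": {"apps.apple.com", "itunes.apple.com"},
    "windows": {"www.microsoft.com", "microsoft.com", "apps.microsoft.com"},
}


@dataclass
class StoreApp:
    """The subset of App information fields that are mandatory for a store app."""
    platform: str            # "android", "ios" or "windows"
    name: str
    publisher: str
    app_store_url: str
    description: str = ""
    store_id: str = field(default="", init=False)   # filled in by validate_app


def extract_store_id(platform: str, url: str):
    """Return the store's identifier for a listing URL, or None when the URL is not an
    https listing on the official store for that platform."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in STORE_HOSTS.get(platform, set()):
        return None
    if platform == "android":
        # Play listings carry the package name in ?id=
        pkg = parse_qs(parsed.query).get("id", [""])[0]
        return pkg if re.fullmatch(r"[A-Za-z][\w.]*", pkg) else None
    if platform == "ios":
        # App Store listings end in /id<numeric Apple ID>
        m = re.search(r"/id(\d+)$", parsed.path)
        return m.group(1) if m else None
    if platform == "windows":
        # Microsoft Store listings end in a 12-character product ID beginning with 9
        m = re.search(r"/(9[0-9A-Z]{11})/?$", parsed.path, re.IGNORECASE)
        return m.group(1).upper() if m else None
    return None


def validate_app(app: StoreApp, existing_names) -> list:
    """Return the problems found for one record; an empty list means it is ready to enter.
    On success the extracted store identifier is stored in app.store_id."""
    problems = []
    for label, value in (("Name", app.name), ("Publisher", app.publisher),
                         ("Appstore URL", app.app_store_url)):
        if not value.strip():
            problems.append(f"{label} is required")
    # Compare case-insensitively: the Company Portal would show only one of the two.
    if app.name.strip().casefold() in {n.casefold() for n in existing_names}:
        problems.append(f"Name '{app.name}' is already used by another app in the tenant")
    store_id = extract_store_id(app.platform, app.app_store_url)
    if store_id is None:
        problems.append(f"Appstore URL is not an official {app.platform} store listing")
    else:
        app.store_id = store_id
    return problems


def check_all(apps, existing_names) -> dict:
    """Map each record's name to its list of problems."""
    return {app.name: validate_app(app, existing_names) for app in apps}


# Constructed sample data: names already in the tenant and three records to be added.
EXISTING_NAMES = ["Company Portal", "Outlook"]
SAMPLE_APPS = [
    StoreApp("android", "Example Mail", "Example Ltd",
             "https://play.google.com/store/apps/details?id=com.example.mail"),
    StoreApp("ios", "outlook", "Example Ltd",          # duplicate name, plain http URL
             "http://apps.apple.com/us/app/outlook/id1"),
    StoreApp("windows", "Example Notes", "Example Ltd",
             "https://www.microsoft.com/store/apps/9NBLGGH0EXMP"),
]

if __name__ == "__main__":
    for name, problems in check_all(SAMPLE_APPS, EXISTING_NAMES).items():
        print(name, "->", "OK" if not problems else "; ".join(problems))
```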

Next steps
Assign apps to groups
How to manage volume purchased apps from the Microsoft Store for Business with Microsoft Intune
9/4/2020 • 4 minutes to read

The Microsoft Store for Business gives you a place to find and purchase apps for your organization, individually, or
in volume. By connecting the store to Microsoft Intune, you can manage volume-purchased apps from the Azure
portal. For example:
You can synchronize the list of apps you have purchased (or that are free) from the store with Intune.
Apps that are synchronized appear in the Intune administration console; you can assign these apps like any
other apps.
Both Online and Offline licensed versions of Apps are synchronized to Intune. App names will be appended with
"Online" or "Offline" in the portal.
You can track how many licenses are available, and how many are being used in the Intune administration
console.
Intune blocks assignment and installation of apps if there are an insufficient number of licenses available.
Apps managed by Microsoft Store for Business will automatically revoke licenses when a user leaves the
enterprise, or when the administrator removes the user and the user devices.

Before you start
Review the following information before you start syncing and assigning apps from the Microsoft Store for Business:
Configure Intune as the mobile device management authority for your organization.
You must have signed up for an account on the Microsoft Store for Business.
Once you have associated a Microsoft Business Store account with Intune, you cannot change to a different
account in the future.
Apps purchased from the store cannot be manually added to or deleted from Intune. They can only be
synchronized with the Microsoft Store for Business.
Both online and offline licensed apps that you have purchased from the Microsoft Store for Business are synced
into the Intune portal. You can then deploy these apps to device groups or user groups.
Online app installations are managed by the store.
Offline apps that are free of charge can also be synced to Intune. These apps are installed by Intune, not by the
store.
To use this capability, devices must be joined to Active Directory Domain Services, Azure AD joined, or
workplace-joined.
Enrolled devices must be using the 1511 release of Windows 10 or later.

NOTE
If you disable access to the Store on managed devices (either manually, via policy or Group Policy), Online licensed apps will
fail to install.

Associate your Microsoft Store for Business account with Intune
Before you enable synchronization in the Intune console, you must configure your store account to use Intune as a management tool:
1. Ensure that you sign into the Microsoft Store for Business using the same tenant account you use to sign into Intune.
2. In the Business Store, choose the Manage tab, select Settings, and choose the Distribute tab.
3. If you don't specifically have Microsoft Intune available as a mobile device management tool, choose Add management tool to add Microsoft Intune. If you don't have Microsoft Intune activated as your mobile device management tool, click Activate next to Microsoft Intune. Note that you should activate Microsoft Intune rather than Microsoft Intune Enrollment.

NOTE
You could previously only associate one management tool to assign apps with the Microsoft Store for Business. You can now
associate multiple management tools with the store, for example, Intune and Configuration Manager.

You can now continue, and set up synchronization in the Intune console.

Configure synchronization
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Tenant administration > Connectors and tokens > Microsoft Store for Business .
3. Click Enable .
4. If you haven't already done so, click the link to sign up for the Microsoft Store for Business and associate your
account as detailed previously.
5. From the Language drop-down list, choose the language in which apps from the Microsoft Store for Business
are displayed in the Azure portal. Regardless of the language in which they are displayed, they are installed in
the end user's language when available.
6. Click Sync to get the apps you've purchased from the Microsoft Store into Intune.

Synchronize apps
If you've already associated your Microsoft Store for Business account with your Intune admin credentials, you can
manually sync your Microsoft Store for Business apps with Intune using the following steps.
1. Select Tenant administration > Connectors and tokens > Microsoft Store for Business .
2. Click Sync to get the apps you've purchased from the Microsoft Store into Intune.

NOTE
Apps with encrypted app packages are currently not supported and will not be synchronized to Intune.

Assign apps
You assign apps from the store in the same way you assign any other Intune app. For more information, see How to
assign apps to groups with Microsoft Intune.
Offline apps can be targeted to user groups, device groups, or groups with users and devices. Offline apps can be
installed for a specific user on a device or for all users on a device.
When you assign a Microsoft Store for Business app, a license is used by each user who installs the app. If you use
all of the available licenses for an assigned app, you cannot assign any more copies. Take one of the following
actions:
Uninstall the app from some devices.
Reduce the scope of the current assignment, targeting only the users you have sufficient licenses for.
Buy more copies of the app from the Microsoft Store for Business.

Remove apps
To remove an app that is synced from the Microsoft Store for Business, you need to log into the Microsoft Store for
Business and refund the app. The process is the same whether the app is free or not. For a free app, the store will
refund $0. The example below shows a refund for a free app.

NOTE
Removing an app's visibility in the private store won't keep Intune from syncing the app. You must refund the app to fully
remove the app.

Next steps
Manage volume-purchased apps and books with Microsoft Intune
Add Managed Google Play apps to Android Enterprise devices with Intune
9/4/2020 • 15 minutes to read

Managed Google Play is Google's enterprise app store and sole source of applications for Android Enterprise. You
can use Intune to orchestrate app deployment through Managed Google Play for any Android Enterprise scenario
(including work profile, dedicated, fully managed, and corporate-owned work profile enrollments). How you add
Managed Google Play apps to Intune differs from how Android apps are added for non-Android Enterprise. Store
apps, line-of-business (LOB) apps, and web apps are approved in or added to Managed Google Play, and then
synchronized into Intune so that they appear in the Client Apps list. Once they appear in the Client Apps list,
you can manage assignment of any Managed Google Play app as you would any other app.
To make it easier for you to configure and use Android Enterprise management, upon connecting your Intune
tenant to Managed Google Play, Intune will automatically add four common Android Enterprise related apps to the
Intune admin console. The four apps are the following:
Microsoft Intune - Used for Android Enterprise fully managed scenarios. This app is automatically installed to
fully managed devices during the device enrollment process.
Microsoft Authenticator - Helps you sign-in to your accounts if you use two-factor verification. This app is
automatically installed to fully managed devices during the device enrollment process.
Intune Company Portal - Used for App Protection Policies (APP) and Android Enterprise work profile
scenarios. This app is automatically installed to fully managed devices during the device enrollment process.
Managed Home Screen - Used for Android Enterprise dedicated multi-app kiosk scenarios. IT admins should
create an assignment to install this app on dedicated devices that are going to be used in multi-app kiosk
scenarios.

NOTE
When an end user enrolls their Android Enterprise fully managed device, the Intune Company Portal app is automatically
installed and the application icon may be visible to the end user. If the end user attempts to launch the Intune Company
Portal app, the end user will be redirected to the Microsoft Intune app and the Company Portal app icon will be
subsequently hidden.

Before you start


Make sure you have connected your Intune tenant to Managed Google Play. For more information, see Connect
your Intune account to your Managed Google Play account.
If you intend to enroll work profile devices, make sure you have configured Intune and Android work profiles to
work together in the Device enrollment workload of the Azure portal. For more information, see Enroll
Android devices.

NOTE
When you work with Microsoft Intune, we recommend that you use either the Microsoft Edge or Google Chrome browser.

Managed Google Play app types


There are three types of apps that are available with Managed Google Play:
Managed Google Play store app - Public apps that are generally available in the Play Store. Manage these
apps in Intune by browsing for the apps you want to manage, approving them, and then synchronizing them
into Intune.
Managed Google Play private app - These are LOB apps published to Managed Google Play by Intune
admins. These apps are private and are available only to your Intune tenant. This is how LOB apps are managed
and deployed with Managed Google Play and Android Enterprise.
Managed Google Play web link - Web links with IT admin-defined icons that are deployable to Android
Enterprise devices. These appear on devices in the device's app list just like regular apps.

Managed Google Play store apps


There are two ways to browse and approve Managed Google Play store apps with Intune:
1. Directly in the Intune console - browse and approve store apps in a view hosted within Intune. This opens
directly in the Intune console and does not require you to reauthenticate with a different account.
2. In Managed Google Play console - you can optionally open the Managed Google Play console directly and
approve apps there. See Sync a Managed Google Play app with Intune for more information. This requires a
separate login using the account you used to connect your Intune tenant to Managed Google Play.
Add a Managed Google Play store app directly in the Intune console
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add .
3. In the Select app type pane, under the available Store app types, select Managed Google Play app .
4. Click Select . The Managed Google Play app store is displayed.

NOTE
Your Intune tenant account must be connected to your Android Enterprise account to browse managed Google Play
store apps. For more information, see Connect your Intune account to your Managed Google Play account.

5. Select an app to view the app details.


6. On the page that displays the app, click Approve . A window for the app opens asking you to give
permissions for the app to perform various operations.
7. Select Approve to accept the app permissions and continue.
8. Select Keep approved when app requests new permissions in the Approval Settings tab and then
click Done .

IMPORTANT
If you do not choose this option, you will need to manually approve any new permissions if the app developer
publishes an update. This will cause installations and updates of the app to stop until permissions are approved. For
this reason, it is recommended to select the option to automatically approve new permissions.

9. Click Select to select the app.


10. Click Sync at the top of the blade to sync the app with the Managed Google Play service.
11. Click Refresh to update the app list and display the newly added app.
Add a Managed Google Play store app in the Managed Google Play console (Alternative)
If you prefer to synchronize a Managed Google Play app with Intune rather than adding it directly using Intune,
use the following steps.

IMPORTANT
The information provided below is an alternative method to adding a Managed Google Play app using Intune as described
above.

1. Go to the Managed Google Play store. Sign in with the same account you used to configure the connection
between Intune and Android Enterprise.
2. Search the store and select the app you want to assign by using Intune.
3. On the page that displays the app, click Approve .
In the following example, the Microsoft Excel app has been chosen.

A window for the app opens asking you to give permissions for the app to perform various operations.
4. Select Approve to accept the app permissions and continue.

5. Select an option for handling new app permission requests, and then select Save .
The app is approved, and it is displayed in your IT admin console. Next, you can Sync the Android work
profile app with Intune.

Managed Google Play private (LOB) apps


There are two ways to add LOB apps to Managed Google Play:
1. Directly in the Intune console - This allows you to add LOB apps by submitting just the app APK and a title,
directly within Intune. This method does not require you to have a Google developer account and does not
require you to pay the fee to register with Google as a developer. This method is simpler and has a significantly
reduced number of steps, and makes LOB apps available for management in as little as ten minutes.
2. In the Google Play Developer Console - If you have a Google developer account or want to configure advanced
distribution features that are only available in the Google Play Developer Console (like adding additional app
screenshots), you can use the Google Play Developer Console.
Managed Google Play private (LOB) app publishing directly in the Intune console
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add .
3. In the Select app type pane, under the available Store app types, select Managed Google Play app .
4. Click Select . The Managed Google Play app store is displayed within Intune.
5. Select Private apps (next to the lock icon) in the Google Play window.
6. Click the "+" button at the lower right to add a new app.
7. Add an app Title and click Upload APK to add the APK app package.

NOTE
Your app's package name must be globally unique in Google Play (not just unique within your enterprise or Google
Play Developer account). Otherwise, you will receive the Upload a new APK file with a different package
name error.

8. Click Create .
9. Close the Managed Google Play pane if you are done adding apps.
10. Click Sync on the App app pane to sync with the Managed Google Play service.

NOTE
Private apps may take several minutes to become available to sync. If the app does not appear the first time you
perform a sync, wait a couple minutes and initiate a new sync.

For more information about Managed Google Play private apps including a FAQ, see Google's support article:
https://support.google.com/googleplay/work/answer/9146439

IMPORTANT
Private apps added using this method can never be made public. Only use this publishing option if you are sure that this
app will always be private to your organization.

Managed Google Play private (LOB) app publishing using the Google Developer Console
1. Sign in to the Google Play Developer Console with the same account you used to configure the connection
between Intune and Android Enterprise.
If you are signing in for the first time, you must register and pay a fee to become a member of the Google
Developer program.
2. In the console, select Add new application .
3. You upload and provide information about your app in the same way as you publish any app to the Google
Play store. However, you must select Only make this application available to my organization
(<organization name>).
This operation makes the app available only to your organization. It won't be available on the public Google
Play store.
For more information about uploading and publishing Android apps, see Google Developer Console Help.
4. After you've published your app, sign in to the Managed Google Play store with the same account that you
used to configure the connection between Intune and Android Enterprise.
5. In the Apps node of the store, verify that the app you've published is displayed.
The app is automatically approved to be synchronized with Intune.

Managed Google Play web links


Managed Google Play web links are installable and manageable just like other Android apps. When installed on a
device, they will appear in the user's app list alongside the other apps they have installed. When tapped, they will
launch in the device's browser.
Web links will open with Microsoft Edge or any other browser app you choose to deploy. Be sure to deploy at least
one browser app to devices in order for web links to be able to open properly. However, all of the Display options
available for web links (full screen, standalone, and minimal UI) will only work with the Chrome browser.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add .
3. In the Select app type pane, under the available Store app types, select Managed Google Play app .
4. Click Select . The Managed Google Play app store is displayed within Intune.
5. Select Web apps (next to the Globe icon) in the Google Play window.
6. Click the "+" button at the lower right to add a new app.
7. Add an app Title , the web app URL , select how the app should be displayed, and select an app icon.
8. Click Create .
9. Close the Managed Google Play pane if you are done adding apps.
10. Click Sync on the App app pane to sync with the Managed Google Play service.

NOTE
Web apps may take several minutes to become available to sync. If the app does not appear the first time you
perform a sync, wait a couple minutes and initiate a new sync.

Sync a Managed Google Play app with Intune


If you have approved an app from the store and don't see it in the Apps workload, force an immediate sync as
follows:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Tenant administration > Connectors and tokens > Managed Google Play .
3. In the Managed Google Play pane, choose Sync .
The page updates the time and status of the last sync.
4. In the Microsoft Endpoint Manager admin center select Apps > All apps .
The newly available Managed Google Play app is displayed.

Assigning a Managed Google Play app to Android Enterprise work profile and corporate-owned work profile devices
When the app is displayed in the App licenses node of the Apps workload pane, you can assign it just as you
would assign any other app by assigning the app to groups of users.
After you assign the app, it is installed (or available for install) on the devices of the users that you've targeted. The
user of the device is not asked to approve the installation. For more information about Android Enterprise work
profile devices, see Set up enrollment of Android Enterprise work profile devices.

NOTE
Only apps that have been assigned will show up in the Managed Google Play store for an end user. As such, this is a key
step for the admin to take when setting up apps with Managed Google Play.

Assigning a Managed Google Play app to Android Enterprise fully managed devices
Android Enterprise fully managed devices are corporate-owned devices associated with a single user and used
exclusively for work and not personal use. Users on fully managed devices can get their available company apps
from the managed Google Play app on their device.
By default, an Android Enterprise fully managed device will not allow employees to install any apps that are not
approved by the organization. Also, employees will not be able to remove any installed apps against policy. If you
wish to allow users to access the full Google Play store to install apps rather than only having access to the
approved apps in Managed Google Play store, you can set the Allow access to all apps in Google Play store
to Allow. With this setting, the user can access all the apps in the Google Play store using their corporate account;
however, purchases may be limited. You can remove the limited purchases restriction by allowing users to add new
accounts to the device. Doing so will enable end users to have the ability to purchase apps from the Google Play
store using personal accounts, as well as conduct in-app purchases. For more information, see Android Enterprise
device settings to allow or restrict features using Intune.

NOTE
The Microsoft Intune app, the Microsoft Authenticator app, and the Company Portal app will be installed as required apps
onto all fully managed devices during onboarding. Having these apps automatically installed provides Conditional Access
support, and Microsoft Intune app users can see and resolve compliance issues.

Manage Android Enterprise app permissions


Android Enterprise requires you to approve apps in the managed Google Play web console before you sync them
with Intune and assign them to your users. Because Android Enterprise allows you to silently and automatically
push the apps to users' devices, you must accept the app permissions on behalf of all your users. Users don't see
any app permissions when they install the apps, so it's important that you understand the permissions.
When an app developer updates permissions with a new version of the app, the permissions are not automatically
accepted even if you approved the previous permissions. Devices that run the previous version of the app can still
use it. However, the app is not upgraded until the new permissions are approved. Devices without the app installed
do not install the app until you approve the app's new permissions.
Update app permissions
Periodically visit the managed Google Play console to check for new permissions. You can configure Google Play
to send you or others an email when new permissions are required for an approved app. If you assign an app and
observe that it isn't installed on devices, check for new permissions following these steps:
1. Go to Google Play.
2. Sign in with the Google account that you used to publish and approve the apps.
3. Select the Updates tab, and check to see whether any apps require an update.
Any listed apps require new permissions and are not assigned until they are applied.
Alternatively, you can configure Google Play to automatically reapprove app permissions on a per-app basis.

Additional Managed Google Play app reporting for Android Enterprise work profile devices
For Managed Google Play apps deployed to Android Enterprise work profile devices, you can view the status and
version number of the app installed on a device using Intune.

Working with Managed Google Play closed testing tracks


You can distribute a non-production version of a Managed Google Play app to devices enrolled in an Android
Enterprise scenario (Android Enterprise Work Profile , Fully Managed , Dedicated , and Corporate-owned
Work Profile ) in order to perform testing. In Intune, you can see whether an app has a pre-production build test
track published to it, as well as be able to assign that track to AAD user groups or device groups. The workflow for
assigning a production version to a group that currently exists is the same as assigning a non-production channel.
After deployment, the install status of each track will correspond with the track's version number in Managed
Google Play. For more information, see Google Play's closed test tracks for app pre-release testing.

Delete Managed Google Play apps


When necessary, you can delete managed Google Play apps from Microsoft Intune. To delete a managed Google
Play app, open Microsoft Intune in the Azure portal and select Apps > All apps . From the app list, select the
ellipses (...) to the right of the managed Google Play app, then select Delete from the displayed list. When you
delete a managed Google Play app from the app list, the managed Google Play app is automatically unapproved.

NOTE
If an app is unapproved or deleted from the managed Google Play store, it will not be removed from the Intune client apps
list. This allows you to still target an uninstall policy to users even if the app is unapproved.
To turn off Android Enterprise enrollment and management, see Disconnect your Android Enterprise administrative account.

Android Enterprise system apps


You can enable an Android Enterprise system app for Android Enterprise dedicated devices or fully managed
devices. For more information about adding an Android Enterprise system app, see Add Android Enterprise
system apps to Microsoft Intune.

Next steps
Assign apps to groups
Add Microsoft 365 apps to Windows 10 devices with Microsoft Intune
9/4/2020 • 13 minutes to read

Before you can assign, monitor, configure, or protect apps, you must add them to Intune. One of the available app
types is Microsoft 365 apps for Windows 10 devices. By selecting this app type in Intune, you can assign and install
Microsoft 365 apps to devices you manage that run Windows 10. You can also assign and install apps for the
Microsoft Project Online desktop client and Microsoft Visio Online Plan 2, if you own licenses for them. The
available Microsoft 365 apps are displayed as a single entry in the list of apps in the Intune console within Azure.

NOTE
Microsoft Office 365 ProPlus has been renamed to Microsoft 365 Apps for enterprise . In our documentation, we'll
commonly refer to it as Microsoft 365 Apps .
You must use Microsoft 365 Apps licenses to activate Microsoft 365 Apps apps deployed through Microsoft Intune.
Microsoft 365 Apps for business edition is supported by Intune, however you must configure the app suite of the Microsoft
365 Apps for business edition using XML data. For more information, see Configure app suite using XML data.

Before you start


IMPORTANT
If there are .msi Office apps on the end-user device, you must use the Remove MSI feature to safely uninstall these apps.
Otherwise, the Intune delivered Microsoft 365 apps will fail to install.

Devices to which you deploy these apps must be running the Windows 10 Creators Update or later.
Intune supports adding Office apps from the Microsoft 365 Apps suite only.
If any Office apps are open when Intune installs the app suite, the installation might fail, and users might lose
data from unsaved files.
This installation method is not supported on Windows Home, Windows Team, Windows Holographic, or
Windows Holographic for Business devices.
Intune does not support installing Microsoft 365 desktop apps from the Microsoft Store (known as Office
Centennial apps) on a device to which you have already deployed Microsoft 365 apps with Intune. If you install
this configuration, it might cause data loss or corruption.
Multiple required or available app assignments are not additive. A later app assignment will overwrite pre-
existing installed app assignments. For example, if the first set of Office apps contains Word, and the later one
does not, Word will be uninstalled. This condition does not apply to any Visio or Project applications.
Multiple Microsoft 365 deployments are not currently supported. Only one deployment will be delivered to the
device.
Office version - Choose whether you want to assign the 32-bit or 64-bit version of Office. You can install the
32-bit version on both 32-bit and 64-bit devices, but you can install the 64-bit version on 64-bit devices only.
Remove MSI from end-user devices - Choose whether you want to remove pre-existing Office .MSI apps
from end-user devices. The installation won't succeed if there are pre-existing .MSI apps on end-user devices.
The apps to be uninstalled are not limited to the apps selected for installation in Configure App Suite , as it
will remove all Office (MSI) apps from the end user device. For more information, see Remove existing MSI
versions of Office when upgrading to Microsoft 365 Apps. When Intune reinstalls Office on your end user's
machines, end users will automatically get the same language packs that they had with previous .MSI Office
installations.

Select Microsoft 365 Apps


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add .
3. Select Windows 10 in the Microsoft 365 Apps section of the Select app type pane.
4. Click Select . The Add Microsoft 365 Apps steps are displayed.

Step 1 - App suite information


In this step, you provide information about the app suite. This information helps you to identify the app suite in
Intune, and it helps users to find the app suite in the company portal.
1. In the App suite information page, you can confirm or modify the default values:
Suite Name : Enter the name of the app suite as it is displayed in the company portal. Make sure that all
suite names that you use are unique. If the same app suite name exists twice, only one of the apps is
displayed to users in the company portal.
Suite Description : Enter a description for the app suite. For example, you could list the apps you've
selected to include.
Publisher : Microsoft appears as the publisher.
Category: Optionally, select one or more of the built-in app categories or a category that you created.
This setting makes it easier for users to find the app suite when they browse the company portal.
Show this as a featured app in the Company Portal: Select this option to display the app suite
prominently on the main page of the company portal when users browse for apps.
Information URL : Optionally, enter the URL of a website that contains information about this app. The
URL is displayed to users in the company portal.
Privacy URL : Optionally, enter the URL of a website that contains privacy information for this app. The
URL is displayed to users in the company portal.
Developer : Microsoft appears as the developer.
Owner : Microsoft appears as the owner.
Notes : Enter any notes that you want to associate with this app.
Logo : The Microsoft 365 Apps logo is displayed with the app when users browse the company portal.
2. Click Next to display the Configure app suite page.

Step 2 - (Option 1) Configure app suite using the configuration designer
You can choose a method for configuring app settings by selecting a Configuration settings format. The
format options are:
Configuration designer
Enter XML data
When you choose Configuration designer, the Add app pane changes to offer three additional settings
areas:
Configure app suite
App suite information
Properties
1. On the Configure app suite page, choose Configuration designer.
Select Office apps : Select the standard Office apps that you want to assign to devices by choosing
the apps in the dropdown list.
Select other Office apps (license required) : Select additional Office apps that you want to
assign to devices and that you have licenses for by choosing the apps in the dropdown list. These
apps include licensed apps, such as Microsoft Project Online desktop client and Microsoft Visio
Online Plan 2.
Architecture : Choose whether you want to assign the 32-bit or 64-bit version of Microsoft 365
Apps. You can install the 32-bit version on both 32-bit and 64-bit devices, but you can install the 64-
bit version on 64-bit devices only.
Update Channel : Choose how Office is updated on devices. For information about the various
update channels, see Overview of update channels for Microsoft 365 Apps for enterprise. Choose
from:
Monthly
Monthly (Targeted)
Semi-Annual
Semi-Annual (Targeted)
After you choose a channel, you can choose the following:
Remove other versions : Choose Yes to remove other versions of Office (MSI) from user
devices. Choose this option when you want to remove pre-existing Office .MSI apps from end-
user devices. The installation won't succeed if there are pre-existing .MSI apps on end-user
devices. The apps to be uninstalled are not limited to the apps selected for installation in
Configure App Suite , as it will remove all Office (MSI) apps from the end user device. For
more information, see Remove existing MSI versions of Office when upgrading to Microsoft
365 Apps. When Intune reinstalls Office on your end user's machines, end users will
automatically get the same language packs that they had with previous .MSI Office
installations.
Version to install : Choose the version of Office that should be installed.
Specific version : If you have chosen Specific as the Version to install in the above setting,
you can select to install a specific version of Office for the selected channel on end user
devices.
The available versions will change over time. Therefore, when creating a new deployment, the
versions available may be newer and not have certain older versions available. Current
deployments will continue to deploy the older version, but the version list will be continually
updated per channel.
For devices that update their pinned version (or update any other properties) and are
deployed as available, the reporting status will show as Installed if they installed the previous
version until the device check-in occurs. When the device check-in happens, the status will
temporarily change to Unknown, however it will not be shown to the user. When the user
initiates the install for the newer available version, the user will see the status changed to
Installed.
For more information, see Overview of update channels for Microsoft 365 Apps.
Use shared computer activation : Select this option when multiple users share a computer. For
more information, see Overview of shared computer activation for Microsoft 365 Apps.
Automatically accept the app end user license agreement : Select this option if you don't
require end users to accept the license agreement. Intune then automatically accepts the agreement.
Languages : Office is automatically installed in any of the supported languages that are installed
with Windows on the end-user's device. Select this option if you want to install additional languages
with the app suite.
You can deploy additional languages for Microsoft 365 Apps managed through Intune. The list of
available languages includes the Type of language pack (core, partial, and proofing). In the Azure
portal, select Microsoft Intune > Apps > All apps > Add . In the App type list of the Add app
pane, select Windows 10 under Microsoft 365 Apps . Select Languages in the App Suite
Settings pane. For additional information, see Overview of deploying languages in Microsoft 365
Apps.
2. Click Next to display the Scope tags page.

Step 2 - (Option 2) Configure app suite using XML data


If you selected the Enter XML data option under the Configuration settings format dropdown box on the Configure app
suite page, you can configure the Office app suite using a custom configuration file.
1. Add your configuration XML.

NOTE
The Product ID can either be Business ( O365BusinessRetail ) or Proplus ( O365ProPlusRetail ). However, you can
only configure the app suite of the Microsoft 365 Apps for business edition using XML data. Note that Microsoft
Office 365 ProPlus has been renamed to Microsoft 365 Apps for enterprise .

2. Click Next to display the Scope tags page.


For more information about entering XML data, see Configuration options for the Office Deployment Tool.
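As an added example that is not part of the Intune documentation or the Office Deployment Tool itself, the following PowerShell builds a configuration file for the Enter XML data option. It accepts only the two Product IDs named above; the channel name, sample languages and excluded app are assumptions chosen for illustration, and the function name is mine.

```powershell
# Added example: generate an Office Deployment Tool configuration for Intune's
# "Enter XML data" option. Element and attribute names follow the ODT schema;
# the default channel, languages and excluded apps are illustrative assumptions.

function New-M365AppsOdtConfiguration {
    param(
        # Only the two IDs the article allows for this app suite.
        [Parameter(Mandatory)]
        [ValidateSet('O365BusinessRetail', 'O365ProPlusRetail')]
        [string]$ProductId,

        [ValidateSet('32', '64')]
        [string]$OfficeClientEdition = '64',

        # Assumed channel name (e.g. Current); confirm against the ODT reference.
        [string]$Channel = 'Current',

        # MatchOS installs the languages already present on the device.
        [string[]]$Languages = @('MatchOS'),
        [string[]]$ExcludeApps = @(),

        # Maps to "Use shared computer activation" in the UI.
        [switch]$SharedComputerLicensing,

        # Maps to "Automatically accept the app end user license agreement".
        [switch]$AcceptEula
    )

    $xml  = New-Object System.Xml.XmlDocument
    $root = $xml.AppendChild($xml.CreateElement('Configuration'))

    $add = $root.AppendChild($xml.CreateElement('Add'))
    $add.SetAttribute('OfficeClientEdition', $OfficeClientEdition)
    $add.SetAttribute('Channel', $Channel)

    $product = $add.AppendChild($xml.CreateElement('Product'))
    $product.SetAttribute('ID', $ProductId)

    foreach ($lang in $Languages) {
        $l = $product.AppendChild($xml.CreateElement('Language'))
        $l.SetAttribute('ID', $lang)
    }
    foreach ($app in $ExcludeApps) {
        $e = $product.AppendChild($xml.CreateElement('ExcludeApp'))
        $e.SetAttribute('ID', $app)
    }

    if ($SharedComputerLicensing) {
        $p = $root.AppendChild($xml.CreateElement('Property'))
        $p.SetAttribute('Name', 'SharedComputerLicensing')
        $p.SetAttribute('Value', '1')
    }

    # Level="None" keeps the install silent, matching a Required assignment.
    $display = $root.AppendChild($xml.CreateElement('Display'))
    $display.SetAttribute('Level', 'None')
    $display.SetAttribute('AcceptEULA', $(if ($AcceptEula) { 'TRUE' } else { 'FALSE' }))

    return $xml
}

# Example: 64-bit Microsoft 365 Apps for enterprise, English and German,
# Teams excluded, licensed for shared computers, EULA accepted.
$config = New-M365AppsOdtConfiguration -ProductId 'O365ProPlusRetail' `
    -Languages 'en-us', 'de-de' -ExcludeApps 'Teams' `
    -SharedComputerLicensing -AcceptEula

# Paste this output into the Enter XML data box.
$config.OuterXml
```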

Step 3 - Select scope tags (optional)


You can use scope tags to determine who can see client app information in Intune. For full details about scope tags,
see Use role-based access control and scope tags for distributed IT.
1. Click Select scope tags to optionally add scope tags for the app suite.
2. Click Next to display the Assignments page.

Step 4 - Assignments
1. Select the Required , Available for enrolled devices , or Uninstall group assignments for the app suite. For
more information, see Add groups to organize users and devices and Assign apps to groups with Microsoft
Intune.
2. Click Next to display the Review + create page.

Step 5 - Review + create


1. Review the values and settings you entered for the app suite.
2. When you are done, click Create to add the app to Intune.
The Overview blade is displayed.

Deployment details
Once the deployment policy from Intune is assigned to the target machines through Office configuration service
provider (CSP), the end device will automatically download the installation package from the
officecdn.microsoft.com location. You will see two directories appearing in the Program Files directory:

Under the Microsoft Office directory, a new folder is created where the installation files are stored:

Under the Microsoft Office 15 directory, the Office Click-to-Run installation launcher files are stored. The
installation will start automatically if the assignment type is required:
The installation will be in silent mode if the assignment of Microsoft 365 is configured as required. The
downloaded installation files will be deleted once the installation succeeded. If the assignment is configured as
Available , the Office applications will appear in the Company Portal application so that end-users can trigger the
installation manually.

Troubleshooting
Intune uses the Office Deployment Tool to download and deploy Office 365 ProPlus to your client computers using
the Office 365 CDN. Reference the best practices outlined in Managing Office 365 endpoints to ensure that your
network configuration permits clients to access the CDN directly rather than routing CDN traffic through central
proxies to avoid introducing unnecessary latency.
Run the Microsoft Support and Recovery Assistant for Microsoft 365 on a targeted device if you encounter
installation or run-time issues.
Additional troubleshooting details
When you are unable to install the Microsoft 365 apps to a device, you must identify whether the issue is Intune-
related or OS/Office-related. If you can see the two folders Microsoft Office and Microsoft Office 15 appearing in
the Program Files directory of the device, you can confirm that Intune has initiated the deployment successfully. If
you cannot see the two folders appearing under Program Files, you should confirm the below cases:
The device is properly enrolled into Microsoft Intune.
There is an active network connection on the device. If the device is in airplane mode, is turned off, or is in a
location with no service, the policy will not apply until network connectivity is established.
Both Intune and Microsoft 365 network requirements are met and the related IP ranges are accessible
based on the following articles:
Intune network configuration requirements and bandwidth
Office 365 URLs and IP address ranges
The correct groups have been assigned the Microsoft 365 app suite.
In addition, monitor the size of the directory C:\Program Files\Microsoft Office\Updates\Download. The installation
package downloaded from the Intune cloud will be stored in this location. If the size does not increase or only
increases very slowly, it is recommended to double-check the network connectivity and bandwidth.
Once you can conclude that both Intune and the network infrastructure work as expected, you should further
analyze the issue from an OS perspective. Consider the following conditions:
The target device must run on Windows 10 Creators Update or later.
No existing Office apps are opened while Intune deploys the applications.
Existing MSI versions of Office have been properly removed from the device. Intune utilizes Office Click-to-Run
which is not compatible with Office MSI. This behavior is further mentioned in this document:
Office installed with Click-to-Run and Windows Installer on same computer isn't supported
The sign-in user should have permission to install applications on the device.
Confirm there are no issues based on the Windows Event Viewer log Windows Logs -> Applications .
Capture Office installation verbose logs during the installation. To do this, follow these steps:
1. Activate verbose logging for Office installation on the target machines. To do this, run the following
command to modify the registry:
reg add HKLM\SOFTWARE\Microsoft\ClickToRun\OverRide /v LogLevel /t REG_DWORD /d 3
2. Deploy the Microsoft 365 Apps to the target devices again.
3. Wait approximately 15 to 20 minutes, then go to the %temp% folder and the %windir%\temp folder,
sort by Date Modified , and pick the {Machine Name}-{TimeStamp}.log files whose modification time
matches your repro time.
4. Run the following command to disable verbose log:
reg delete HKLM\SOFTWARE\Microsoft\ClickToRun\OverRide /v LogLevel /f
The verbose logs can provide further detailed information on the installation process.
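The checks described in the two sections above, collected into one PowerShell script as an added example (not part of the Intune documentation). The folder paths, the LogLevel registry value and the log-file name pattern come from the article; the function names are mine, and the registry functions must run from an elevated session.

```powershell
# Added example: first-line checks for a Microsoft 365 Apps deployment that
# Intune handed to the Office CSP but that did not complete. Paths and registry
# values are those named in the article; function names are my own.

function Test-M365AppsDeploymentStarted {
    # Both folders appear under Program Files once Intune has started the deployment.
    foreach ($name in @('Microsoft Office', 'Microsoft Office 15')) {
        $path = Join-Path $env:ProgramFiles $name
        [pscustomobject]@{ Folder = $path; Present = (Test-Path -LiteralPath $path) }
    }
}

function Get-M365DownloadSizeMB {
    # Size of the download cache; if it stays flat, check network connectivity and bandwidth.
    $dl = Join-Path $env:ProgramFiles 'Microsoft Office\Updates\Download'
    if (-not (Test-Path -LiteralPath $dl)) { return 0 }
    $bytes = (Get-ChildItem -LiteralPath $dl -Recurse -File -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    [math]::Round(($bytes / 1MB), 2)
}

function Watch-M365Download {
    # Sample the cache size a few times so slow or stalled downloads stand out.
    param([int]$Samples = 5, [int]$IntervalSeconds = 60)
    $prev = Get-M365DownloadSizeMB
    for ($i = 1; $i -le $Samples; $i++) {
        Start-Sleep -Seconds $IntervalSeconds
        $now = Get-M365DownloadSizeMB
        '{0:u}  {1,10} MB  (+{2} MB)' -f (Get-Date), $now, ($now - $prev)
        $prev = $now
    }
}

$OverrideKey = 'HKLM:\SOFTWARE\Microsoft\ClickToRun\OverRide'

function Enable-ClickToRunVerboseLog {
    # Same effect as: reg add HKLM\SOFTWARE\Microsoft\ClickToRun\OverRide /v LogLevel /t REG_DWORD /d 3
    if (-not (Test-Path $OverrideKey)) { New-Item -Path $OverrideKey -Force | Out-Null }
    Set-ItemProperty -Path $OverrideKey -Name LogLevel -Value 3 -Type DWord
}

function Disable-ClickToRunVerboseLog {
    # Same effect as: reg delete HKLM\SOFTWARE\Microsoft\ClickToRun\OverRide /v LogLevel /f
    Remove-ItemProperty -Path $OverrideKey -Name LogLevel -ErrorAction SilentlyContinue
}

function Get-ClickToRunLogs {
    # {Machine Name}-{TimeStamp}.log files in %temp% and %windir%\temp modified since the repro.
    param([datetime]$Since = (Get-Date).AddMinutes(-30))
    $dirs = @($env:TEMP, (Join-Path $env:windir 'Temp'))
    Get-ChildItem -Path $dirs -Filter "$env:COMPUTERNAME-*.log" -File -ErrorAction SilentlyContinue |
        Where-Object LastWriteTime -ge $Since |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, LastWriteTime, Length
}

function Get-RecentApplicationErrors {
    # Error-level events from Windows Logs -> Application for the same window.
    param([datetime]$Since = (Get-Date).AddMinutes(-30))
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2; StartTime = $Since } `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id, Message
}

# Typical sequence (elevated PowerShell):
#   Test-M365AppsDeploymentStarted
#   Enable-ClickToRunVerboseLog
#   # ...re-deploy the suite from Intune, then wait 15 to 20 minutes...
#   Watch-M365Download -Samples 3 -IntervalSeconds 120
#   Get-ClickToRunLogs; Get-RecentApplicationErrors
#   Disable-ClickToRunVerboseLog
```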

Errors during installation of the app suite


See How to enable Microsoft 365 Apps ULS logging for information on how to view verbose installation logs.
The following tables list common error codes you might encounter and their meaning.
Status for Office CSP

| Status | Phase | Description |
|---|---|---|
| 1460 (ERROR_TIMEOUT) | Download | Failed to download the Office Deployment Tool |
| 13 (ERROR_INVALID_DATA) | - | Cannot verify the signature of the downloaded Office Deployment Tool |
| Error code from CertVerifyCertificateChainPolicy | - | Failed certification check for the downloaded Office Deployment Tool |
| 997 | WIP | Installing |
| 0 | After installation | Installation succeeded |
| 1603 (ERROR_INSTALL_FAILURE) | - | Failed any prerequisite check, such as: SxS (tried to install when 2016 MSI is installed); version mismatch; others |
| 0x8000ffff (E_UNEXPECTED) | - | Tried to uninstall when there is no Click-to-Run Office on the machine |
| 17002 | - | Failed to complete the scenario (install). Possible reasons: installation canceled by user; installation canceled by another installation; out of disk space during installation; unknown language ID |
| 17004 | - | Unknown SKUs |

Office Deployment Tool error codes

| Scenario | Return code | UI | Note |
|---|---|---|---|
| Uninstall effort when there is no active Click-to-Run installation | -2147418113, 0x8000ffff or 2147549183 | Error Code: 30088-1008; Error Code: 30125-1011 (404) | Office Deployment Tool |
| Install when there is MSI version installed | 1603 | - | Office Deployment Tool |
| Installation canceled by user, or by another installation | 17002 | - | Click-to-Run |
| Try to install 64-bit on a device that has 32-bit installed | 1603 | - | Office Deployment Tool return code |
| Try to install an unknown SKU (not a legitimate use case for Office CSP since we should only pass in valid SKUs) | 17004 | - | Click-to-Run |
| Lack of space | 17002 | - | Click-to-Run |
| The Click-to-Run client failed to start (unexpected) | 17000 | - | Click-to-Run |
| The Click-to-Run client failed to queue scenario (unexpected) | 17001 | - | Click-to-Run |

Next steps
To assign the app suite to additional groups, see Assign apps to groups.
Assign Microsoft 365 to macOS devices with Microsoft Intune
9/4/2020 • 3 minutes to read

This app type makes it easy for you to assign Microsoft 365 apps to macOS devices. By using this app type, you
can install Word, Excel, PowerPoint, Outlook, OneNote, and Teams. To help keep the apps more secure and up to
date, the apps come with Microsoft AutoUpdate (MAU). The apps that you want are displayed as one app in the list
of apps in the Intune console.

NOTE
Microsoft Office 365 ProPlus has been renamed to Microsoft 365 Apps for enterprise . In our documentation, we'll
commonly refer to it as Microsoft 365 Apps .

Before you start


Before you begin adding Microsoft 365 apps to macOS devices, understand the following details:
Devices to which you deploy these apps must be running macOS 10.10 or later.
Intune supports adding the Office apps that are included with Office 2016 for Mac suite only.
If any Office apps are open when Intune installs the app suite, users might lose data from unsaved files.

Select Microsoft 365 Apps


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add .
3. Select macOS in the Microsoft 365 Apps section of the Select app type pane.
4. Click Select . The Add Microsoft 365 Apps steps are displayed.

Step 1 - App suite information


In this step, you provide information about the app suite. This information helps you to identify the app suite in
Intune, and it helps users to find the app suite in the company portal.
1. In the App suite information page, you can confirm or modify the default values:
Suite Name : Enter the name of the app suite as it is displayed in the company portal. Make sure that all
suite names that you use are unique. If the same app suite name exists twice, only one of the apps is
displayed to users in the company portal.
Suite Description : Enter a description for the app suite. For example, you could list the apps you've
selected to include.
Publisher : Microsoft appears as the publisher.
Category : Optionally, select one or more of the built-in app categories or a category that you created.
This setting makes it easier for users to find the app suite when they browse the company portal.
Show this as a featured app in the Company Portal : Select this option to display the app suite
prominently on the main page of the company portal when users browse for apps.
Information URL : Optionally, enter the URL of a website that contains information about this app. The
URL is displayed to users in the company portal.
Privacy URL : Optionally, enter the URL of a website that contains privacy information for this app. The
URL is displayed to users in the company portal.
Developer : Microsoft appears as the developer.
Owner : Microsoft appears as the owner.
Notes : Enter any notes that you want to associate with this app.
Logo : The Microsoft 365 Apps logo is displayed with the app when users browse the company portal.
2. Click Next to display the Scope tags page.

Step 2 - Select scope tags (optional)


You can use scope tags to determine who can see client app information in Intune. For full details about scope tags,
see Use role-based access control and scope tags for distributed IT.
1. Click Select scope tags to optionally add scope tags for the app suite.
2. Click Next to display the Assignments page.

Step 3 - Assignments
1. Select the Required or Available for enrolled devices group assignments for the app suite. For more
information, see Add groups to organize users and devices and Assign apps to groups with Microsoft
Intune.

NOTE
You cannot uninstall the 'Microsoft 365 apps for macOS' app suite through Intune.

2. Click Next to display the Review + create page.

Step 4 - Review + create


1. Review the values and settings you entered for the app suite.
2. When you are done, click Create to add the app to Intune.
The Overview blade is displayed. The suite appears in the list of apps as a single entry.

Next steps
To learn about adding Microsoft 365 apps to Windows 10 devices, see Assign Microsoft 365 Apps to Windows
10 devices with Microsoft Intune.
To learn about including and excluding app assignments from groups of users, see Include and exclude app
assignments.
Add Android Enterprise system apps to Microsoft Intune
9/4/2020 • 2 minutes to read

Before you assign an app to a device or a group of users, you must first add the app to Microsoft Intune. System
apps are supported on Android Enterprise devices. You can enable a system app for Android Enterprise dedicated
devices, fully managed devices, or Android Enterprise corporate-owned with work profile.

Add the app


You can add an Android Enterprise system app to Intune from the Azure portal by doing the following:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add .
3. In the Select app type pane, under the available Other types, select Android Enterprise system app .
4. Click Select . The Add app steps are displayed. In the App information page, add the app details:
App Name : Enter the name of the app.
Publisher : Enter the name of the publisher of the app.
Package Name : Enter a package name. Intune will validate that the package name is valid.
5. Click Next to display the Scope tags page.
6. Click Select scope tags to optionally add scope tags for the app. For more information, see Use role-based
access control (RBAC) and scope tags for distributed IT.
7. Click Next to display the Assignments page.
8. Select the group assignments for the app. For more information, see Add groups to organize users and devices.
9. Click Next to display the Review + create page. Review the values and settings you entered for the app.
10. When you are done, click Create to add the app to Intune.
The Overview blade of the app you've created is displayed.

NOTE
You will need to work with the OEM of your device to find the package name of the app you would like to enable/disable.

The app you've created is displayed in the apps list, where you can assign it to the groups that you select.
Android Enterprise system apps will enable or disable apps that are already part of the platform. To enable an app,
assign the system app as Required . To disable an app, assign the system app as Uninstall . System apps cannot be
assigned as available for a user.

Next steps
Assign apps to groups
Add web apps to Microsoft Intune
9/4/2020 • 4 minutes to read

Intune supports a variety of app types, including web apps. A web app is a client-server application. The server
provides the web app, which includes the UI, content, and functionality. Additionally, modern web-hosting
platforms commonly offer security, load balancing, and other benefits. A web app is separately maintained on the
web. You use Microsoft Intune to point to this app type. You also assign the groups of users that can access this
app.
Before you can manage and assign an app for your users, add the app to Intune.
Intune creates a shortcut to the web app on the user's device. For iOS/iPadOS devices, a shortcut to the web app is
added to the home screen. For Android Device Admin devices, a shortcut to the web app is added to the Intune
company portal widget and the widget needs to be pinned manually by the user. For Windows devices, a shortcut
to the web app is placed on the Start Menu.

NOTE
A browser must be installed on the user's device to launch web apps.
For Android Enterprise devices, see Managed Google Play web links.
For iOS devices, new web clips (pinned web apps) will open in Microsoft Edge instead of the Intune Managed Browser when
required to open in a protected browser. For older iOS web clips, you must retarget these web clips to ensure they open in
Microsoft Edge rather than the Managed Browser.
For legacy device admin Android devices, web links pinned through the Company Portal widget can only open with the
Intune Managed Browser if users' Company Portal version is older than 5.0.4737.0.

Add a web app to Intune


To add an app to Intune as a shortcut to an app on the web, do the following:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add .
3. In the Select app type pane, under the available Other types, select Web link .
4. Click Select . The Add app steps are displayed.
5. On the App information page, add the following information:
Name : Enter the name of the app as it is to be displayed in the company portal.

NOTE
If you change the name of the app through the Intune Azure portal after you have deployed and installed the
app, the app can no longer be targeted using commands.

Description : Enter a description for the app. This description is displayed to users in the company
portal.
Publisher : Enter the name of the publisher of this app.
App URL : Enter the URL of the website that hosts the app that you want to assign.
Category : Optionally, select one or more of the built-in app categories, or a category that you
created. Doing so makes it easier for users to find the app when they browse the company portal.
Show this as a featured app in the Company Portal : Select this option to display the app
prominently on the main page of the company portal when users browse for apps.
Require a managed browser to open this link : Select this option to assign to your users a link to
a website or web app that they can open in the Intune managed browser. This browser must be
installed on their device.
Logo : Upload an icon that will be associated with the app. This icon is displayed with the app when
users browse the company portal.
6. Click Next to display the Scope tags page.
7. Click Select scope tags to optionally add scope tags for the app. For more information, see Use role-based
access control (RBAC) and scope tags for distributed IT.
8. Click Next to display the Assignments page.
9. Select the group assignments for the app. For more information, see Add groups to organize users and
devices.
10. Click Next to display the Review + create page. Review the values and settings you entered for the app.
11. When you are done, click Create to add the app to Intune.
The Overview blade of the app you've created is displayed.

NOTE
Currently, deployment of Intune web apps to iOS/iPadOS devices is associated with the management profile and cannot be
removed manually. You can change the deployment type to Uninstall in the Intune portal, at which point the web app can
be removed automatically. However, if you remove the deployment before changing the app assignment intent to Uninstall,
the web app will be permanently in place on the device until the device is un-enrolled from Intune.

End-users can launch web apps directly from the Windows Company Portal app by selecting the web app and then
choosing the option Open in browser . The published web URL is opened directly in the web browser.

Next steps
The app that you've created is displayed in the apps list, where you can assign it to the groups that you select. For
help, see Assign apps to groups.
Add built-in apps to Microsoft Intune
9/4/2020 • 3 minutes to read

The built-in app type makes it easy for you to assign curated managed apps, such as Microsoft 365 apps, to
iOS/iPadOS and Android devices. You can assign specific apps for this app type, such as Excel, OneDrive, Outlook,
Skype, and others. After you add an app, the app type is displayed as either Built-in iOS app or Built-in Android app.
By using the built-in app type, you can choose which of these apps to publish to device users.
In earlier versions of the Intune console, Intune provided several default managed Microsoft 365 apps, such as
Outlook and OneDrive. The app types for these managed apps were tagged as Managed iOS Store App or
Managed Android App. Instead of using these app types, we recommend that you use the built-in app type. By
using the built-in app type, you have the additional flexibility to edit and delete Microsoft 365 apps.

NOTE
Default Microsoft 365 apps that are tagged as Managed iOS Store and Managed Android App are removed from the app list
when all assignments are deleted.

Add a built-in app


To add a built-in app to your available apps in Microsoft Intune, do the following:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add .
3. In the Select app type pane, under the available Store app types, select Built-In app .
4. Click Select . The Add app steps are displayed.
5. In the Select Built-in apps page, click Select app to select the apps that you want to include.
6. Select the built-in apps that you want to include.
7. Once you have selected the apps, click Select on the Select Built-in apps pane.
8. Click Next to display the Scope tags page.
9. Click Select scope tags to optionally add scope tags for the app. For more information, see Use role-based
access control (RBAC) and scope tags for distributed IT.
10. Click Next to display the Assignments page.
11. Select the group assignments for the app. For more information, see Add groups to organize users and
devices.
12. Click Next to display the Review + create page. Review the values and settings you entered for the app.
13. When you are done, click Create to add the app to Intune.
The Overview blade of the app you've created is displayed.

Configure app information


You can modify information about the built-in app. This information helps you to identify the app in Intune and
helps users find the app in the company portal.
1. Select Apps > All apps and select the built-in app that you want to modify.
A pane for the built-in app is displayed.
2. Select Properties .
3. Select Edit next to App information .
4. In the App information pane, you can modify the following information:
Name : Enter the name of the built-in app as it is displayed in the company portal. Make sure all names
that you use are unique. If the same app name exists twice, only one of the apps is displayed to users in
the company portal.
Description : Enter a description for the app.
Publisher : Enter the name of the publisher of the app.
Category : Optionally, select one or more of the built-in app categories. Setting this option makes it
easier for users to find the app when they browse the company portal.
Show this as a featured app in the company portal : Display the app prominently on the main
page of the company portal when users browse for apps.
Information URL : Optionally, enter the URL of a website that contains information about this app. The
URL is displayed to users in the company portal.
Privacy URL : Optionally, enter the URL of a website that contains privacy information for this app. The
URL is displayed to users in the company portal.
Developer : Optionally, enter the name of the app developer.
Owner : Optionally, enter a name for the owner of this app (for example, HR department).
Notes : Enter any notes that you want to associate with this app.
Upload Icon : Upload an icon that is displayed with the app when users browse the company portal.
5. Click Review + save to display the Review + create page. Review the values and settings you entered for
the app.
6. When you are done, click Save to update the app in Intune.
The Overview blade of the app you've updated is displayed.

Next steps
You can now assign the apps to the groups that you choose. For more information, see Assign apps to groups.
Add an Android line-of-business app to Microsoft Intune
9/4/2020 • 4 minutes to read

A line-of-business (LOB) app is an app that you add to Intune from an app installation file. This kind of app is
typically written in-house. Intune installs the LOB app on the user's device.

NOTE
For more information about LOB apps and the Google Play Developer Console, see Managed Google Play private (LOB) app
publishing using the Google Developer Console.

NOTE
For Android for Work devices, see Add Managed Google Play apps to Android Enterprise devices with Intune.

Select the app type


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add .
3. In the Select app type pane, under the Other app types, select Line-of-business app .
4. Click Select . The Add app steps are displayed.

Step 1 - App information


Select the app package file
1. In the Add app pane, click Select app package file .
2. In the App package file pane, select the browse button. Then, select an Android installation file with the
extension .apk . The app details will be displayed.
3. When you're finished, select OK on the App package file pane to add the app.
Set app information
1. In the App information page, add the details for your app. Depending on the app that you chose, some of the
values in this pane might be automatically filled in.
Name : Enter the name of the app as it appears in the company portal. Make sure all app names that you
use are unique. If the same app name exists twice, only one of the apps appears in the company portal.
Description : Enter the description of the app. The description appears in the company portal.
Publisher : Enter the name of the publisher of the app.
Minimum Operating System : From the list, choose the minimum operating system version on which
the app can be installed. If you assign the app to a device with an earlier operating system, it will not be
installed.
Category : Select one or more of the built-in app categories, or select a category that you created.
Categories make it easier for users to find the app when they browse through the company portal.
Show this as a featured app in the Company Portal : Display the app prominently on the main
page of the company portal when users browse for apps.
Information URL : Optionally, enter the URL of a website that contains information about this app. The
URL appears in the company portal.
Privacy URL : Optionally, enter the URL of a website that contains privacy information for this app. The
URL appears in the company portal.
Developer : Optionally, enter the name of the app developer.
Owner : Optionally, enter a name for the owner of this app. An example is HR department .
Notes : Enter any notes that you want to associate with this app.
Logo : Upload an icon that is associated with the app. This icon is displayed with the app when users
browse through the company portal.
2. Click Next to display the Scope tags page.

Step 2 - Select scope tags (optional)


You can use scope tags to determine who can see client app information in Intune. For full details about scope tags,
see Use role-based access control and scope tags for distributed IT.
1. Click Select scope tags to optionally add scope tags for the app.
2. Click Next to display the Assignments page.

Step 3 - Assignments
1. Select the Required , Available for enrolled devices , or Uninstall group assignments for the app. For more
information, see Add groups to organize users and devices and Assign apps to groups with Microsoft Intune.
2. Click Next to display the Review + create page.

Step 4 - Review + create


1. Review the values and settings you entered for the app.
2. When you are done, click Create to add the app to Intune.
The Overview blade for the line-of-business app is displayed.

Step 5: Update a line-of-business app


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps .
3. Find and select your app from the list of apps.
4. Select Properties under Manage from the app pane.
5. Select Edit next to App information .
6. Click on the listed file next to Select file to update . The App package file pane is displayed.
7. Select the folder icon and browse to the location of your updated app file. Select Open . The app information is
updated with the package information.
8. Verify that App version reflects the updated app package.
If Check apps from external sources is enabled on the Android device, the user will be prompted before
installing the update. Otherwise the update will be installed automatically.

NOTE
For the Intune service to successfully deploy a new APK file to the device, you must increment the android:versionCode
string in the AndroidManifest.xml file in your APK package.
Next steps
The app that you created appears in the list of apps. You can now assign it to groups that you choose. For
help, see How to assign apps to groups.
Learn more about the ways in which you can monitor the properties and assignment of your app. See How
to monitor app information and assignments.
Learn more about the context of your app in Intune. See Overview of device and app lifecycles.
Add an iOS line-of-business app to Microsoft Intune
9/4/2020 • 5 minutes to read

Use the information in this article to help you add an iOS line-of-business (LOB) app to Microsoft Intune. A line-of-
business (LOB) app is an app that you add to Intune from an IPA app installation file. This kind of app is typically
written in-house. You will first need to join the iOS Developer Enterprise Program. For more information about
how to do this see Apple's website.

NOTE
Users of iOS devices can remove some of the built-in iOS apps, like Stocks and Maps. You cannot use Intune to redeploy
these apps. If users delete these apps, they must go to the app store and manually reinstall them.
iOS LOB apps have a maximum size limit of 2 GB per app.

NOTE
Bundle identifiers (for example, com.contoso.app) are meant to be unique identifiers of an app. For example, to install a beta
version of an LOB app next to the production version for testing purposes, the beta version must have a different unique
identifier (for example, com.contoso.app-beta). Otherwise, the beta version will overlap with the production and be treated
as an upgrade. Renaming the .ipa file has no effect on this behavior.

Select the app type


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add .
3. In the Select app type pane, under the Other app types, select Line-of-business app .
4. Click Select . The Add app steps are displayed.

Step 1 - App information


Select the app package file
1. In the Add app pane, click Select app package file .
2. In the App package file pane, select the browse button. Then, select an iOS installation file with the extension
.ipa . The app details will be displayed.
3. When you're finished, select OK on the App package file pane to add the app.
Set app information
1. In the App information page, add the details for your app. Depending on the app that you chose, some of the
values in this pane might be automatically filled in.
Name : Enter the name of the app as it appears in the company portal. Make sure all app names that you
use are unique. If the same app name exists twice, only one of the apps appears in the company portal.
Description : Enter the description of the app. The description appears in the company portal.
Publisher : Enter the name of the publisher of the app.
Minimum Operating System : From the list, choose the minimum operating system version on which
the app can be installed. If you assign the app to a device with an earlier operating system, it will not be
installed.
Category : Select one or more of the built-in app categories, or select a category that you created.
Categories make it easier for users to find the app when they browse through the company portal.
Show this as a featured app in the Company Portal : Display the app prominently on the main
page of the company portal when users browse for apps.
Information URL : Optionally, enter the URL of a website that contains information about this app. The
URL appears in the company portal.
Privacy URL : Optionally, enter the URL of a website that contains privacy information for this app. The
URL appears in the company portal.
Developer : Optionally, enter the name of the app developer.
Owner : Optionally, enter a name for the owner of this app. An example is HR department .
Notes : Enter any notes that you want to associate with this app.
Logo : Upload an icon that is associated with the app. This icon is displayed with the app when users
browse through the company portal.
2. Click Next to display the Scope tags page.

Step 2 - Select scope tags (optional)


You can use scope tags to determine who can see client app information in Intune. For full details about scope tags,
see Use role-based access control and scope tags for distributed IT.
1. Click Select scope tags to optionally add scope tags for the app.
2. Click Next to display the Assignments page.

Step 3 - Assignments
1. Select the Required , Available for enrolled devices , Available with or without enrollment , or
Uninstall group assignments for the app. For more information, see Add groups to organize users and devices
and Assign apps to groups with Microsoft Intune.
2. Click Next to display the Review + create page.

Step 4 - Review + create


1. Review the values and settings you entered for the app.
2. When you are done, click Create to add the app to Intune.
The Overview blade for the line-of-business app is displayed.
The app that you created now appears in the list of apps. From the list, you can assign the apps to groups that you
choose. For help, see How to assign apps to groups.

NOTE
Provisioning profiles for iOS LOB apps have a 30 day notice before they will expire.

Step 5: Update a line-of-business app


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps .
3. Find and select your app from the list of apps.
4. Select Properties under Manage from the app pane.
5. Select Edit next to App information .
6. Click on the listed file next to Select file to update . The App package file pane is displayed.
7. Select the folder icon and browse to the location of your updated app file. Select Open . The app information is
updated with the package information.
8. Verify that App version reflects the updated app package.
The update to the line-of-business app will be installed automatically.

NOTE
For the Intune service to successfully deploy a new IPA file to the device, you must increment the CFBundleVersion string
in the Info.plist file in your IPA package.

Next steps
The app that you created appears in the list of apps. You can now assign it to groups that you choose. For
help, see How to assign apps to groups.
Learn more about the ways in which you can monitor the properties and assignment of your app. See How
to monitor app information and assignments.
Learn more about the context of your app in Intune. See Overview of device and app lifecycles.
Add a Windows Phone line-of-business app to
Microsoft Intune
9/4/2020 • 4 minutes to read

IMPORTANT
Windows 10 Mobile and Windows Phone 8.1 support has ended. Windows 10 Mobile and Windows Phone 8.1 enrollments
will fail and related apps can no longer be added to Intune. These profile types are being removed from the Intune UI.
Devices currently enrolled will stop syncing with the Intune service.
Existing policies and profiles on these platforms are becoming read-only, and can't be changed. You can remove assignments,
and then delete the policies and profiles.
If Windows Phone 8.1 or Windows 10 Mobile are being used, we recommend moving to Windows 10 devices. Windows 10
has built-in security and device features that have a first class integration with Microsoft Intune.

Use the information in this article to add a Windows Phone line-of-business (LOB) app to Microsoft Intune. An LOB
app is an app that you add to Intune from an app installation file. This kind of app is typically written in-house.
Intune installs the LOB app on the user's device.

Select the app type


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add .
3. In the Select app type pane, under the Other app types, select Line-of-business app .
4. Click Select . The Add app steps are displayed.

Step 1 - App information


Select the app package file
1. In the Add app pane, click Select app package file .
2. In the App package file pane, select the browse button. Then, select a Windows Phone installation file with the
extension .xap . The app details will be displayed.
3. When you're finished, select OK on the App package file pane to add the app.
Set app information
1. In the App information page, add the details for your app. Depending on the app that you chose, some of the
values in this pane might be automatically filled in.
Name : Enter the name of the app as it appears in the company portal. Make sure all app names that you
use are unique. If the same app name exists twice, only one of the apps appears in the company portal.
Description : Enter the description of the app. The description appears in the company portal.
Publisher : Enter the name of the publisher of the app.
Minimum Operating System : From the list, choose the minimum operating system version on which
the app can be installed. If you assign the app to a device with an earlier operating system, it will not be
installed.
Category : Select one or more of the built-in app categories, or select a category that you created.
Categories make it easier for users to find the app when they browse through the company portal.
Show this as a featured app in the Company Portal : Display the app prominently on the main page
of the company portal when users browse for apps.
Information URL : Optionally, enter the URL of a website that contains information about this app. The
URL appears in the company portal.
Privacy URL : Optionally, enter the URL of a website that contains privacy information for this app. The
URL appears in the company portal.
Developer : Optionally, enter the name of the app developer.
Owner : Optionally, enter a name for the owner of this app. An example is HR department .
Notes : Enter any notes that you want to associate with this app.
Logo : Upload an icon that is associated with the app. This icon is displayed with the app when users
browse through the company portal.
2. Click Next to display the Scope tags page.

Step 2 - Select scope tags (optional)


You can use scope tags to determine who can see client app information in Intune. For full details about scope tags,
see Use role-based access control and scope tags for distributed IT.
1. Click Select scope tags to optionally add scope tags for the app.
2. Click Next to display the Assignments page.

Step 3 - Assignments
1. Select the Required , Available for enrolled devices , or Uninstall group assignments for the app. For more
information, see Add groups to organize users and devices and Assign apps to groups with Microsoft Intune.
2. Click Next to display the Review + create page.

Step 4 - Review + create


1. Review the values and settings you entered for the app.
2. When you are done, click Create to add the app to Intune.
The Overview blade for the line-of-business app is displayed.
The app that you created now appears in the list of apps. From the list, you can assign the apps to groups that you
choose. For help, see How to assign apps to groups.

Next steps
The app that you created appears in the list of apps. You can now assign it to groups that you choose. For
help, see How to assign apps to groups.
Learn more about the ways in which you can monitor the properties and assignment of your app. See How
to monitor app information and assignments.
Learn more about the context of your app in Intune. See Overview of device and app lifecycles.
Add a Windows line-of-business app to Microsoft
Intune
9/4/2020 • 5 minutes to read

A line-of-business (LOB) app is one that you add from an app installation file. This kind of app is typically written
in-house. The following steps provide guidance to help you add a Windows LOB app to Microsoft Intune.

IMPORTANT
When deploying Win32 apps using an installation file with the .msi extension (packaged in an .intunewin file using the
Content Prep Tool), consider using Intune Management Extension. If you mix the installation of Win32 apps and line-of-
business apps during AutoPilot enrollment, the app installation may fail.

Select the app type


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add .
3. In the Select app type pane, under the Other app types, select Line-of-business app .
4. Click Select . The Add app steps are displayed.

Step 1 - App information


Select the app package file
1. In the Add app pane, click Select app package file .
2. In the App package file pane, select the browse button. Then, select a Windows installation file with the
extension .msi , .appx , or .appxbundle . The app details will be displayed.

NOTE
The file extensions for Windows apps include .msi, .appx, .appxbundle , .msix, and .msixbundle . For more
information about .msix, see MSIX documentation and MSIX App Distribution.

3. When you're finished, select OK on the App package file pane to add the app.
Set app information
1. In the App information page, add the details for your app. Depending on the app that you chose, some of the
values in this pane might be automatically filled in.
Name : Enter the name of the app as it appears in the company portal. Make sure all app names that you
use are unique. If the same app name exists twice, only one of the apps appears in the company portal.
Description : Enter the description of the app. The description appears in the company portal.
Publisher : Enter the name of the publisher of the app.
App Install Context : Select the install context to be associated with this app. For dual mode apps, select
the desired context for this app. For all other apps, this is pre-selected based on the package and cannot
be modified.
Ignore app version : Set to Yes if the app developer automatically updates the app. This option applies
to mobile .msi apps only.
Command-line arguments : Optionally, enter any command-line arguments that you want to apply to
the .msi file when it runs. An example is /q . Do not include the msiexec command or arguments, such as
/i or /x , as they are automatically used. For more information, see Command-Line Options. If the .MSI
file needs additional command-line options consider using Win32 app management.
Category : Select one or more of the built-in app categories, or select a category that you created.
Categories make it easier for users to find the app when they browse through the company portal.
Show this as a featured app in the Company Portal : Display the app prominently on the main
page of the company portal when users browse for apps.
Information URL : Optionally, enter the URL of a website that contains information about this app. The
URL appears in the company portal.
Privacy URL : Optionally, enter the URL of a website that contains privacy information for this app. The
URL appears in the company portal.
Developer : Optionally, enter the name of the app developer.
Owner : Optionally, enter a name for the owner of this app. An example is HR department .
Notes : Enter any notes that you want to associate with this app.
Logo : Upload an icon that is associated with the app. This icon is displayed with the app when users
browse through the company portal.
2. Click Next to display the Scope tags page.

Step 2 - Select scope tags (optional)


You can use scope tags to determine who can see client app information in Intune. For full details about scope tags,
see Use role-based access control and scope tags for distributed IT.
1. Click Select scope tags to optionally add scope tags for the app.
2. Click Next to display the Assignments page.

Step 3 - Assignments
1. Select the Required , Available for enrolled devices , or Uninstall group assignments for the app. For more
information, see Add groups to organize users and devices and Assign apps to groups with Microsoft Intune.
2. Click Next to display the Review + create page.

Step 4 - Review + create


1. Review the values and settings you entered for the app.
2. When you are done, click Create to add the app to Intune.
The Overview blade for the line-of-business app is displayed.
The app that you created now appears in the list of apps. From the list, you can assign the apps to groups that you
choose. For help, see How to assign apps to groups.

Update a line-of-business app


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps .
3. Find and select your app from the list of apps.
4. Select Properties under Manage from the app pane.
5. Select Edit next to App information .
6. Click on the listed file next to Select file to update . The App package file pane is displayed.
7. Select the folder icon and browse to the location of your updated app file. Select Open . The app information is
updated with the package information.
8. Verify that App version reflects the updated app package.

NOTE
For the Intune service to successfully deploy a new APPX file to the device, you must increment the Version string in the
AppxManifest.xml file in your APPX package.
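The version requirement in the note above for .appx packages, and the matching one for iOS .ipa files in the iOS article earlier on this page (increment CFBundleVersion in Info.plist), can be checked before you upload. The following Python script is an added example, not Microsoft code and not part of Intune: it reads the version out of each package type and refuses a candidate that is not strictly newer than the version Intune already holds. The two sample packages it builds are constructed fixtures; the bundle ID, app name and publisher in them are placeholders.

```python
"""Pre-upload check for an updated LOB package (added example, not Microsoft code).

Intune only pushes an updated .ipa or .appx when its version is higher than the
one already in the service: CFBundleVersion in the app's Info.plist for iOS,
Identity/@Version in AppxManifest.xml for Windows. This script pulls that value
out of each package type and refuses a candidate that is not strictly newer.
The sample packages it builds are constructed fixtures, not real apps."""
import io
import plistlib
import re
import xml.etree.ElementTree as ET
import zipfile


def parse_version(text):
    """Turn a dotted version string into a tuple of ints so comparison is numeric
    ('1.10.0' > '1.9.0'); non-numeric components are rejected rather than guessed."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"non-numeric version string: {text!r}")
    return tuple(int(p) for p in parts)


def ipa_bundle_version(ipa):
    """Return (CFBundleIdentifier, CFBundleVersion) from Payload/<name>.app/Info.plist.
    plistlib.loads handles both XML and binary plists, which is what Xcode emits."""
    with zipfile.ZipFile(ipa) as z:
        plists = [n for n in z.namelist()
                  if re.fullmatch(r"Payload/[^/]+\.app/Info\.plist", n)]
        if len(plists) != 1:
            raise ValueError(f"expected exactly one app Info.plist, found {plists}")
        info = plistlib.loads(z.read(plists[0]))
    return info["CFBundleIdentifier"], info["CFBundleVersion"]


def appx_identity(appx):
    """Return (Name, Publisher, Version) from the <Identity> element of AppxManifest.xml.
    The element is located by local name so the check works for both the Windows 8.1
    and the Windows 10 manifest namespaces."""
    with zipfile.ZipFile(appx) as z:
        root = ET.fromstring(z.read("AppxManifest.xml"))
    identity = next((el for el in root.iter()
                     if el.tag.rsplit("}", 1)[-1] == "Identity"), None)
    if identity is None:
        raise ValueError("AppxManifest.xml has no Identity element")
    return identity.get("Name"), identity.get("Publisher"), identity.get("Version")


def update_is_deployable(deployed_version, candidate_version):
    """True only when the candidate is strictly newer than what Intune already holds."""
    return parse_version(candidate_version) > parse_version(deployed_version)


# ---- constructed fixtures so the script runs offline ------------------------

def make_sample_ipa(bundle_version):
    """Minimal .ipa: a zip holding only Payload/HRApp.app/Info.plist (constructed)."""
    info = {"CFBundleIdentifier": "com.example.hrapp",
            "CFBundleShortVersionString": "1.0",
            "CFBundleVersion": bundle_version}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/HRApp.app/Info.plist", plistlib.dumps(info))
    buf.seek(0)
    return buf


def make_sample_appx(version):
    """Minimal .appx: a zip holding only AppxManifest.xml (constructed).
    Appx versions are four-part Major.Minor.Build.Revision strings."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">\n'
        f'  <Identity Name="Contoso.HRApp" Publisher="CN=Contoso Ltd, O=Contoso Ltd, C=US" '
        f'Version="{version}" ProcessorArchitecture="x64" />\n'
        '</Package>\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", manifest)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    deployed = ipa_bundle_version(make_sample_ipa("42"))[1]
    candidate = ipa_bundle_version(make_sample_ipa("43"))[1]
    print("ipa update deployable:", update_is_deployable(deployed, candidate))
    old = appx_identity(make_sample_appx("1.0.0.5"))[2]
    same = appx_identity(make_sample_appx("1.0.0.5"))[2]
    print("appx update deployable:", update_is_deployable(old, same))
```

Run it against the real package and the version shown under App version in the admin center; a False result means the upload would succeed but devices would never receive the new build. The numeric comparison matters because a string comparison would rank "1.9.0.0" above "1.10.0.0".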

Configure a self-updating mobile MSI app to ignore the version check process

You can configure a known self-updating mobile MSI app to ignore the version check process.
Some MSI installer-based apps are automatically updated by the app developer or another update method. For
these automatically updated MSI apps, you can configure the Ignore app version setting in the App
information pane. When you switch this setting to Yes , Microsoft Intune will not enforce the app version that's
installed on the Windows client.
This capability is useful to avoid getting into a race condition. For instance, a race condition can occur when the
app is automatically updated by the app developer and is updated by Intune. Both might try to enforce a version of
the app on a Windows client, which creates a conflict.

Next steps
The app that you created appears in the list of apps. You can now assign it to groups that you choose. For
help, see How to assign apps to groups.
Learn more about the ways in which you can monitor the properties and assignment of your app. See How
to monitor app information and assignments.
Learn more about the context of your app in Intune. See Overview of the app lifecycle in Microsoft Intune.
Learn more about Win32 apps. See Win32 app management.
Sign line-of-business apps so they can be deployed
to Windows devices with Intune
9/4/2020 • 7 minutes to read

As an Intune administrator, you can deploy line-of-business (LOB) Universal apps to Windows 8.1 Desktop or
Windows 10 Desktop & Mobile devices, including the Company Portal app. To deploy .appx apps to Windows 8.1
Desktop or Windows 10 Desktop & Mobile devices, you can use a code-signing certificate from a public certification
authority already trusted by your Windows devices, or you can use your own certificate authority.

NOTE
Windows 8.1 Desktop requires either an enterprise policy to enable sideloading or the use of Sideloading Keys (automatically
enabled for domain-joined devices). For more information, see Windows 8 sideloading.

Windows 10 sideloading
In Windows 10, sideloading is different than in earlier versions of Windows:
You can unlock a device for sideloading using an enterprise policy. Intune provides a device config policy
called "Trusted app installation". Setting this to is all that is needed for devices that already trust the
certificate used to sign the appx app.
Symantec Phone certificates and Sideloading License keys are not required. However, if an on-premises
certificate authority is not available then you may need to obtain a code signing certificate from a public
certification authority. For more information, see Introduction to Code Signing.
Code sign your app
The first step is to code sign your appx package. For details, see Sign app package using SignTool.
Upload your app
Next, you must upload the signed appx file. For details, see Add a Windows line-of-business app to Microsoft
Intune.
If you deploy the app as required to users or devices, then you do not need the Intune Company Portal app.
However if you deploy the app as available to users, then they can either use the Company Portal app from the
Public Microsoft Store, use the Company Portal app from the Private Microsoft Store for Business, or you will need
to sign and manually deploy the Intune Company Portal app.
Upload the code-signing certificate
If your Windows 10 device does not already trust the certificate authority, then after you have signed your appx
package and uploaded it to the Intune service, you need to upload the code signing certificate to the Intune portal:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Click Tenant administration > Connectors and tokens > Windows enterprise certificates .
3. Select a file under Code-signing certificate file .
4. Select your .cer file and click Open .
5. Click Upload to add your certificate file to Intune.
Now any Windows 10 Desktop & Mobile device with an appx deployment by the Intune service will automatically
download the corresponding enterprise certificate and the application will be allowed to launch after installation.
Intune only deploys the latest .cer file that was uploaded. If you have multiple appx files created by different
developers that are not associated with your organization, then you will need to either have them provide unsigned
appx files for signing with your certificate, or provide them the code signing certificate used by your organization.

How to renew the Symantec enterprise code-signing certificate


The certificate used to deploy Windows Phone 8.1 mobile apps was discontinued on February 28 2019 and is no
longer available for renewal from Symantec. Also, Intune has ended support for Windows 10 mobile as of August
10, 2020.

How to install the updated certificate for line-of-business (LOB) apps


Windows Phone 8.1
The Intune service can no longer deploy LOB apps for this platform once the existing Symantec Mobile Enterprise
code-signing certificate expires.
Windows 8.1 Desktop/Windows 10 Desktop & Mobile
If the certificate has expired, the appx files may stop launching. You should obtain a new .cer file and follow
the instructions to code-sign each deployed appx file and re-upload all appx files and the updated .cer file to the
Windows Enterprise Certificates section of the Intune portal.

Manually deploy Windows 10 Company Portal app


If you do not want to provide access to the Microsoft Store, you can manually deploy the Windows 10 Company
Portal app directly from Intune even if you haven't integrated Intune with the Microsoft Store for Business (MSFB).
Alternatively, if you have integrated, then you could deploy the Company Portal app using deploy apps using
MSFB.

NOTE
This option will require deploying manual updates each time an app update is released.

1. Sign in to your account in the Microsoft Store for Business and acquire the offline license version of the
Company Portal app.
2. Once the app has been acquired, select the app in the Inventory page.
3. Select Windows 10 all devices as the Platform , then the appropriate Architecture and download. An
app license file is not needed for this app.
4. Download all the packages under "Required Frameworks". This must be done for x86, x64, ARM, and ARM64
architectures – resulting in a total of 9 packages.
5. Before uploading the Company Portal app to Intune, create a folder (e.g., C:\Company Portal) with the
packages structured in the following way:
a. Place the Company Portal package into C:\Company Portal. Create a Dependencies subfolder in this
location as well.
b. Place the nine dependency packages in the Dependencies folder.
If the dependencies are not placed in this format, Intune will not be able to recognize and upload them
during the package upload, and the upload will fail.
6. Return to Intune, then upload the Company Portal app as a new app. Deploy it as a required app to the
desired set of target users.
See Deploying an appxbundle with dependencies via Microsoft Intune MDM for more information about how
Intune handles dependencies for Universal apps.
How do I update the Company Portal on my users' devices if they have already installed the older apps from the
store?
If your users have already installed the Windows 8.1 Company Portal apps from the Store, then they should be
automatically updated to the new version with no action required from you or your user. If the update does not
happen, ask your users to check that they have enabled autoupdates for Store apps on their devices.
How do I upgrade my sideloaded Windows 8.1 Company Portal app to the Windows 10 Company Portal app?
Our recommended migration path is to delete the deployment for the Windows 8.1 Company Portal app by setting
the deployment action to "Uninstall". Once this is done, the Windows 10 Company Portal app can be deployed
using any of the above options.
If you need to sideload the app and deployed the Windows 8.1 Company Portal without signing it with the
Symantec Certificate, follow the steps in the Deploy directly via Intune section above to complete the upgrade.
If you need to sideload the app and you signed and deployed the Windows 8.1 Company Portal with the Symantec
code-signing certificate, follow the steps in the section below.
How do I upgrade my signed and sideloaded Windows 8.1 Company Portal app to the Windows 10 Company
Portal app?
Our recommended migration path is to delete the existing deployment for the Windows 8.1 Company Portal app
by setting the deployment action to "Uninstall". Once this is done, the Windows 10 Company Portal app can be
deployed normally.
Otherwise, the Windows 10 Company Portal app needs to be appropriately updated and signed to ensure that the
upgrade path is respected.
If the Windows 10 Company Portal app is signed and deployed in this way, you will need to repeat this process for
each new app update when it is available in the store. The app will not automatically update when the store is
updated.
Here's how you sign and deploy the app in this way:
1. Download the Microsoft Intune Windows 10 Company Portal App Signing Script from
https://aka.ms/win10cpscript. This script requires the Windows SDK for Windows 10 to be installed on the host
computer. To download the Windows SDK for Windows 10, visit https://go.microsoft.com/fwlink/?
LinkId=619296.
2. Download the Windows 10 Company Portal app from the Microsoft Store for Business, as detailed above.
3. Run the script with the input parameters detailed in the script header to sign the Windows 10 Company Portal
app (extracted below). Dependencies do not need to be passed into the script. These are only required when the
app is being uploaded to the Intune Admin Console.

Parameter                Description
InputWin10AppxBundle     The path to where the source appxbundle file is located.
OutputWin10AppxBundle    The output path for the signed appxbundle file.
Win81Appx                The path to where the Windows 8.1 Company Portal (.APPX) file is located.
PfxFilePath              The path to the Symantec Enterprise Mobile Code Signing Certificate (.PFX) file.
PfxPassword              The password of the Symantec Enterprise Mobile Code Signing Certificate.
PublisherId              The Publisher ID of the enterprise. If absent, the 'Subject' field of the Symantec
                         Enterprise Mobile Code Signing Certificate is used.
SdkPath                  The path to the root folder of the Windows SDK for Windows 10. This argument is
                         optional and defaults to ${env:ProgramFiles(x86)}\Windows Kits\10

The script will output the signed version of the Windows 10 Company Portal app when it has finished running. You
can then deploy the signed version of the app as an LOB app via Intune, which will upgrade the currently deployed
versions to this new app.
How to add macOS line-of-business (LOB) apps to
Microsoft Intune
9/4/2020 • 6 minutes to read

Use the information in this article to help you add macOS line-of-business apps to Microsoft Intune. You must
download an external tool to pre-process your .pkg files before you can upload your line-of-business file to
Microsoft Intune. The pre-processing of your .pkg files must take place on a macOS device.

NOTE
Starting with the release of macOS Catalina 10.15, prior to adding your apps to Intune, check to make sure your macOS LOB
apps are notarized. If the developers of your LOB apps did not notarize their apps, the apps will fail to run on your users'
macOS devices. For more information about how to check if an app is notarized, visit Notarize your macOS apps to prepare
for macOS Catalina.

NOTE
While users of macOS devices can remove some of the built-in macOS apps like Stocks and Maps, you cannot use Intune to
redeploy those apps. If end users delete these apps, they must go to the App Store and manually reinstall them.

Before you start


You must download an external tool, mark the downloaded tool as an executable, and pre-process your .pkg files
with the tool before you can upload your line-of-business file to Microsoft Intune. The pre-processing of your .pkg
files must take place on a macOS device. Use the Intune App Wrapping Tool for Mac to enable Mac apps to be
managed by Microsoft Intune.

IMPORTANT
The .pkg file must be signed using "Developer ID Installer" certificate, obtained from an Apple Developer account. Only .pkg
files may be used to upload macOS LOB apps to Microsoft Intune. However, conversion of other formats, such as .dmg to
.pkg is supported. For more information about converting non-pkg application types, see How to deploy DMG or APP-
format apps to Intune-managed Macs.

1. Download the Intune App Wrapping Tool for Mac.

NOTE
The Intune App Wrapping Tool for Mac must be run on a macOS machine.

2. Mark the downloaded tool as an executable:


Start the terminal app.
Change the directory to the location where IntuneAppUtil is located.
Run the following command to make the tool executable:
chmod +x IntuneAppUtil
3. Use the IntuneAppUtil command within the Intune App Wrapping Tool for Mac to wrap the .pkg LOB app
file into a .intunemac file.
Sample commands to use for the Microsoft Intune App Wrapping Tool for macOS:

IMPORTANT
Ensure that the argument <source_file> does not contain spaces before running the IntuneAppUtil
commands.

IntuneAppUtil -h
This command will show usage information for the tool.
IntuneAppUtil -c <source_file> -o <output_directory_path> [-v]
This command will wrap the .pkg LOB app file provided in <source_file> to a .intunemac file of the
same name and place it in the folder pointed to by <output_directory_path> .
IntuneAppUtil -r <filename.intunemac> [-v]
This command will extract the detected parameters and version for the created .intunemac file.
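The checks this article asks for before wrapping, that the .pkg is signed with a Developer ID Installer certificate and that it is notarized for macOS 10.15 and later, can be scripted together with the IntuneAppUtil call. The following Python script is an added example and is neither Microsoft's nor Apple's code. It interprets the text printed by pkgutil --check-signature and spctl --assess --type install -vv (the sample outputs embedded in it are constructed), enforces the .pkg-only and no-spaces-in-path rules from this section, and builds the IntuneAppUtil -c / -o command line. The run function is injectable so the decision logic can be exercised on a machine without the Apple tools.

```python
"""Pre-flight for a macOS .pkg before wrapping it for Intune (added example; not
Microsoft's or Apple's code). Parses the text printed by `pkgutil --check-signature`
and `spctl --assess --type install -vv`, applies the rules from the Intune article
(Developer ID Installer signature, notarized, .pkg only, no spaces in the source
path) and builds the IntuneAppUtil command line. The sample tool outputs below are
constructed for the demonstration."""
import os
import re
import subprocess

# Constructed sample outputs in the shape pkgutil/spctl print them.
SAMPLE_PKGUTIL_SIGNED = """Package "HRApp.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2020-08-31 10:12:45 +0000
   Certificate Chain:
    1. Developer ID Installer: Contoso Ltd (ABCDE12345)
       Expires: 2025-02-01 00:00:00 +0000
    2. Developer ID Certification Authority
    3. Apple Root CA
"""
SAMPLE_PKGUTIL_UNSIGNED = """Package "HRApp.pkg":
   Status: no signature
"""
SAMPLE_SPCTL_NOTARIZED = "HRApp.pkg: accepted\nsource=Notarized Developer ID\n"
SAMPLE_SPCTL_REJECTED = "HRApp.pkg: rejected\nsource=Unnotarized Developer ID\n"


def signed_with_developer_id_installer(pkgutil_output):
    """True when pkgutil reports a signed package whose certificate chain contains a
    'Developer ID Installer' certificate, the certificate type Intune requires."""
    status = re.search(r"^\s*Status:\s*(.+)$", pkgutil_output, re.MULTILINE)
    if status is None or not status.group(1).startswith("signed"):
        return False
    return re.search(r"^\s*\d+\.\s*Developer ID Installer:", pkgutil_output,
                     re.MULTILINE) is not None


def notarized(spctl_output):
    """True when spctl accepted the installer and attributes it to a notarized Developer ID."""
    accepted = re.search(r":\s*accepted\s*$", spctl_output, re.MULTILINE) is not None
    return accepted and "source=Notarized Developer ID" in spctl_output


def wrap_command(source_pkg, output_dir, tool="./IntuneAppUtil"):
    """argv for `IntuneAppUtil -c <source_file> -o <output_directory_path> -v`,
    refusing input the tool or Intune will not accept."""
    if not source_pkg.lower().endswith(".pkg"):
        raise ValueError("only .pkg files can be uploaded as macOS LOB apps; convert .dmg/.app first")
    if " " in source_pkg:
        raise ValueError("<source_file> must not contain spaces")
    return [tool, "-c", source_pkg, "-o", output_dir, "-v"]


def mark_executable(tool):
    """Same effect as `chmod +x IntuneAppUtil` on the downloaded tool."""
    os.chmod(tool, os.stat(tool).st_mode | 0o111)


def preflight_and_wrap(source_pkg, output_dir, tool="./IntuneAppUtil", run=subprocess.run):
    """Run the real tools on a Mac. `run` is injectable so the decision logic above can
    be exercised without pkgutil/spctl present. Returns the .intunemac files produced."""
    sig = run(["pkgutil", "--check-signature", source_pkg], capture_output=True, text=True)
    if not signed_with_developer_id_installer(sig.stdout):
        raise RuntimeError("package is not signed with a Developer ID Installer certificate")
    verdict = run(["spctl", "--assess", "--type", "install", "-vv", source_pkg],
                  capture_output=True, text=True)
    if not notarized(verdict.stdout + verdict.stderr):  # spctl writes its verdict to stderr
        raise RuntimeError("package is not notarized; it will not launch on macOS 10.15 or later")
    mark_executable(tool)
    run(wrap_command(source_pkg, output_dir, tool), check=True)
    return [f for f in os.listdir(output_dir) if f.endswith(".intunemac")]
```

On a Mac, preflight_and_wrap("HRApp.pkg", "out") runs the whole sequence; elsewhere the three pure functions can be driven with captured tool output. Failing closed on an unsigned or unnotarized package saves a round trip through the admin center, since Intune accepts the upload but the installer is rejected on the device.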

Select the app type


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add .
3. In the Select app type pane, under the Other app types, select Line-of-business app .
4. Click Select . The Add app steps are displayed.

Step 1 - App information


Select the app package file
1. In the Add app pane, click Select app package file .
2. In the App package file pane, select the browse button. Then, select a macOS installation file with the
extension .intunemac. The app details will be displayed.
3. When you're finished, select OK on the App package file pane to add the app.
Set app information
1. In the App information page, add the details for your app. Depending on the app that you chose, some of the
values in this pane might be automatically filled in.
Name : Enter the name of the app as it appears in the company portal. Make sure all app names that you
use are unique. If the same app name exists twice, only one of the apps appears in the company portal.
Description : Enter the description of the app. The description appears in the company portal.
Publisher : Enter the name of the publisher of the app.
Minimum Operating System : From the list, choose the minimum operating system version on which
the app can be installed. If you assign the app to a device with an earlier operating system, it will not be
installed.
Category : Select one or more of the built-in app categories, or select a category that you created.
Categories make it easier for users to find the app when they browse through the company portal.
Show this as a featured app in the Company Portal : Display the app prominently on the main
page of the company portal when users browse for apps.
Information URL : Optionally, enter the URL of a website that contains information about this app. The
URL appears in the company portal.
Privacy URL : Optionally, enter the URL of a website that contains privacy information for this app. The
URL appears in the company portal.
Developer : Optionally, enter the name of the app developer.
Owner : Optionally, enter a name for the owner of this app. An example is HR department .
Notes : Enter any notes that you want to associate with this app.
Logo : Upload an icon that is associated with the app. This icon is displayed with the app when users
browse through the company portal.
2. Click Next to display the Scope tags page.

Step 2 - Select scope tags (optional)


You can use scope tags to determine who can see client app information in Intune. For full details about scope tags,
see Use role-based access control and scope tags for distributed IT.
1. Click Select scope tags to optionally add scope tags for the app.
2. Click Next to display the Assignments page.

Step 3 - Assignments
1. Select the Required , Available for enrolled devices , or Uninstall group assignments for the app. For more
information, see Add groups to organize users and devices and Assign apps to groups with Microsoft Intune.
2. Click Next to display the Review + create page.

Step 4 - Review + create


1. Review the values and settings you entered for the app.
2. When you are done, click Create to add the app to Intune.
The Overview blade for the line-of-business app is displayed.
The app you have created appears in the apps list where you can assign it to the groups you choose. For help, see
How to assign apps to groups.

NOTE
If the .pkg file contains multiple apps or app installers, then Microsoft Intune will only report that the app is successfully
installed when all installed apps are detected on the device.

Update a line-of-business app


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps .
3. Find and select your app from the list of apps.
4. Select Properties under Manage from the app pane.
5. Select Edit next to App information .
6. Click on the listed file next to Select file to update . The App package file pane is displayed.
7. Select the folder icon and browse to the location of your updated app file. Select Open . The app information is
updated with the package information.
8. Verify that App version reflects the updated app package.
NOTE
For the Intune service to successfully deploy a new .pkg file to the device you must increment the package version and
CFBundleVersion string in the packageinfo file in your .pkg package.

Next steps
The app you have created is displayed in the apps list. You can now assign it to the groups you choose. For
help, see How to assign apps to groups.
Learn more about the ways in which you can monitor the properties and assignment of your app. For more
information, see How to monitor app information and assignments.
Learn more about the context of your app in Intune. For more information, see Overview of device and app
lifecycles.
Intune Standalone - Win32 app management
9/4/2020 • 25 minutes to read

Intune standalone now allows greater Win32 app management capabilities. While it is possible for cloud
connected customers to use Configuration Manager for Win32 app management, Intune-only customers will have
greater management capabilities for their Win32 line-of-business (LOB) apps. This topic provides an overview of
the Intune Win32 app management feature and troubleshooting information.

NOTE
This app management capability supports both 32-bit and 64-bit operating system architecture for Windows applications.

IMPORTANT
When deploying Win32 apps, consider using the Intune Management Extension approach exclusively, particularly when you
have a multi-file Win32 app installer. If you mix the installation of Win32 apps and line-of-business apps during AutoPilot
enrollment, the app installation may fail. The Intune management extension is installed automatically when a PowerShell
script or Win32 app is assigned to the user or device.

Prerequisites
To use Win32 app management, be sure you meet the following criteria:
Windows 10 version 1607 or later (Enterprise, Pro, and Education versions)
The Windows 10 client must be joined to Azure AD and enrolled in Intune (auto-enrollment). The Intune management
extension supports Azure AD joined, hybrid Azure AD joined, and group policy enrolled devices.

NOTE
For the group policy enrolled scenario - The end user uses a local user account to Azure AD join the Windows 10
device. The user must then sign in to the device with their Azure AD account and enroll into Intune. Intune installs the
Intune Management extension on the device when a PowerShell script or a Win32 app is targeted to the user or device.

Windows application size is capped at 8 GB per app.

Prepare the Win32 app content for upload


Use the Microsoft Win32 Content Prep Tool to pre-process Windows Classic (Win32) apps. The tool converts
application installation files into the .intunewin format. The tool also detects some of the attributes required by
Intune to determine the application installation state. After you use this tool on the app installer folder, you will be
able to create a Win32 app in the Intune console.

IMPORTANT
The Microsoft Win32 Content Prep Tool zips all files and subfolders when it creates the .intunewin file. Be sure to keep the
Microsoft Win32 Content Prep Tool separate from the installer files and folders, so that you don't include the tool or other
unnecessary files and folders in your .intunewin file.
You can download the Microsoft Win32 Content Prep Tool from GitHub as a zip file. The zipped file contains a
folder named Microsoft-Win32-Content-Prep-Tool-master . The folder contains the prep tool, the license, a
readme, and the release notes.
Process flow to create .intunewin file

Run the Microsoft Win32 Content Prep Tool


If you run IntuneWinAppUtil.exe from the command window without parameters, the tool will guide you to input
the required parameters step by step. Or, you can add the parameters to the command based on the following
available command-line parameters.
Available command-line parameters

Command-line parameter    Description
-h                        Help
-c <setup_folder>         Folder for all setup files. All files in this folder will be compressed into the .intunewin file.
-s <setup_file>           Setup file (such as setup.exe or setup.msi).
-o <output_folder>        Output folder for the generated .intunewin file.
-q                        Quiet mode

Example commands

Example command    Description
IntuneWinAppUtil -h
    Shows usage information for the tool.
IntuneWinAppUtil -c c:\testapp\v1.0 -s c:\testapp\v1.0\setup.exe -o c:\testappoutput\v1.0 -q
    Generates the .intunewin file from the specified source folder and setup file. For an MSI setup file, the tool
    also retrieves the information Intune needs (such as the MSI product code and version). If -q is specified, the
    command runs in quiet mode, and an existing output file is overwritten. If the output folder does not exist, it
    is created automatically.

When generating an .intunewin file, put any files you need to reference into a subfolder of the setup folder. Then,
use a relative path to reference the specific file you need. For example:
Setup source folder : c:\testapp\v1.0
License file: c:\testapp\v1.0\licenses\license.txt
Refer to the license.txt file by using the relative path licenses\license.txt.
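The following PowerShell wrapper is an added example and is not part of the Microsoft documentation or the Content Prep Tool itself. It runs IntuneWinAppUtil.exe with the -c/-s/-o/-q parameters described above and adds the checks a packager usually forgets: it refuses to run if the tool (or an earlier .intunewin, or a certificate file) sits inside the setup folder, verifies the setup file is inside the setup folder so it can be referenced by a relative path, enforces the 8 GB cap, and records a SHA-256 hash of the package so the upload can be tied back to a specific build. All paths are assumptions for illustration; the output file name (setup file name with an .intunewin extension) is the tool's normal behavior.

```powershell
# Added example, not from the Intune docs. Paths are placeholders.
function New-IntuneWinPackage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PrepTool,      # path to IntuneWinAppUtil.exe
        [Parameter(Mandatory)] [string] $SetupFolder,   # passed as -c
        [Parameter(Mandatory)] [string] $SetupFile,     # passed as -s, must live under $SetupFolder
        [Parameter(Mandatory)] [string] $OutputFolder   # passed as -o
    )

    $setupFolderFull = (Resolve-Path -LiteralPath $SetupFolder).Path
    $setupFileFull   = (Resolve-Path -LiteralPath $SetupFile).Path

    # The tool zips everything under -c. Refuse to package the tool itself, a
    # stale package, or a private key file that was left next to the installer.
    $toolName = Split-Path -Leaf $PrepTool
    $stray = Get-ChildItem -LiteralPath $setupFolderFull -Recurse -File |
        Where-Object { $_.Name -ieq $toolName -or $_.Extension -in @('.intunewin', '.pfx') }
    if ($stray) {
        throw "Remove these files from the setup folder before packaging: $($stray.FullName -join ', ')"
    }

    # The setup file has to be inside the setup folder so it (and anything it
    # references, e.g. licenses\license.txt) resolves by relative path on the client.
    if (-not $setupFileFull.StartsWith($setupFolderFull + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Setup file '$setupFileFull' is not under '$setupFolderFull'"
    }

    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

    # -q: no prompts, and an existing .intunewin in the output folder is overwritten.
    & $PrepTool -c $setupFolderFull -s $setupFileFull -o $OutputFolder -q
    if ($LASTEXITCODE -ne 0) {
        throw "IntuneWinAppUtil.exe exited with code $LASTEXITCODE"
    }

    # The tool names the output after the setup file, with an .intunewin extension.
    $package = Join-Path $OutputFolder ([IO.Path]::GetFileNameWithoutExtension($setupFileFull) + '.intunewin')
    if (-not (Test-Path -LiteralPath $package)) {
        throw "Expected package '$package' was not created"
    }

    $sizeMB = [math]::Round((Get-Item -LiteralPath $package).Length / 1MB, 1)
    if ($sizeMB -gt 8192) {
        throw "Package is $sizeMB MB; Intune caps Windows apps at 8 GB"
    }

    # Hash the package so the uploaded file can be matched to this build later.
    [pscustomobject]@{
        Package = $package
        SizeMB  = $sizeMB
        Sha256  = (Get-FileHash -LiteralPath $package -Algorithm SHA256).Hash
    }
}

# Example call using the same layout as the documentation's example (placeholder paths).
New-IntuneWinPackage -PrepTool 'C:\Tools\IntuneWinAppUtil.exe' `
    -SetupFolder 'C:\testapp\v1.0' -SetupFile 'C:\testapp\v1.0\setup.exe' `
    -OutputFolder 'C:\testappoutput\v1.0'
```

Keep the returned hash with the change record for the app; when the package is later replaced in the console (Select file to update), comparing the hash of the file you upload with the one recorded here is the quickest way to confirm you are shipping the build you tested.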

Create, assign, and monitor a Win32 app


Much like a line-of-business (LOB) app, you can add a Win32 app to Microsoft Intune. This type of app is typically
written in-house or by a 3rd party.
Process flow to add a Win32 app to Intune

Add a Win32 app to Intune


The following steps provide guidance to help you add a Windows app to Intune.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add .
3. In the Select app type pane, under the Other app types, select Windows app (Win32) .

IMPORTANT
Be sure to use the latest version of the Microsoft Win32 Content Prep Tool. If you don't use the latest version, you
will see a warning indicating that the app was packaged using an older version of the Microsoft Win32 Content Prep
Tool.

4. Click Select . The Add app steps are displayed.

Step 1 - App information


Select the app package file
1. In the Add app pane, click Select app package file .
2. In the App package file pane, select the browse button. Then, select a Windows installation file with the
extension .intunewin. The app details will be displayed.
3. When you're finished, select OK on the App package file pane.
Set app information
1. In the App information page, add the details for your app. Depending on the app that you chose, some of the
values in this pane might be automatically filled in.
Name : Enter the name of the app as it appears in the company portal. Make sure all app names that you
use are unique. If the same app name exists twice, only one of the apps appears in the company portal.
Description : Enter the description of the app. The description appears in the company portal.
Publisher : Enter the name of the publisher of the app.
Category : Select one or more of the built-in app categories, or select a category that you created.
Categories make it easier for users to find the app when they browse through the company portal.
Show this as a featured app in the Company Portal : Display the app prominently on the main
page of the company portal when users browse for apps.
Information URL : Optionally, enter the URL of a website that contains information about this app. The
URL appears in the company portal.
Privacy URL : Optionally, enter the URL of a website that contains privacy information for this app. The
URL appears in the company portal.
Developer : Optionally, enter the name of the app developer.
Owner : Optionally, enter a name for the owner of this app. An example is HR department .
Notes : Enter any notes that you want to associate with this app.
Logo : Upload an icon that is associated with the app. This icon is displayed with the app when users
browse through the company portal.
2. Click Next to display the Program page.

Step 2: Program
1. In the Program page, configure the app installation and removal commands for the app:
Install command : Add the complete command line that installs the app.
For example, if your app package is the Windows Installer patch MyApp123.msp , add the following
(msiexec /p applies a patch; for a full .msi package use msiexec /i "MyApp123.msi" /qn instead):
msiexec /p "MyApp123.msp"

And, if the application is ApplicationName.exe , the command is the application name followed
by the command arguments (switches) supported by the package.
For example:
ApplicationName.exe /quiet
In the above command, the ApplicationName.exe package supports the /quiet command argument.
For the specific arguments supported by the application package, contact your application vendor.

IMPORTANT
Admins must be careful when they use the install and uninstall command fields. Whatever is entered there runs
on every targeted device, in the system context when Install behavior is set to System, and unexpected or
harmful commands can be passed through these fields. Restrict who can create and edit Win32 apps, and review
the commands before the app is assigned.

Uninstall command : Add the complete uninstall command line to uninstall the app based on the
app's GUID.
For example:
msiexec /x "{12345A67-89B0-1234-5678-000001000000}"

Install behavior : Set the install behavior to either System or User .


NOTE
You can configure a Win32 app to be installed in User or System context. User context refers to only a
given user. System context refers to all users of a Windows 10 device.
End users are not required to be logged in on the device to install Win32 apps.
The Win32 app install and uninstall will be executed under admin privilege (by default) when the app is set to
install in user context and the end user on the device has admin privileges.

Device restart behavior : Select one of the following options:

Determine behavior based on return codes : Choose this option to restart the device based
on the return codes.
No specific action : Choose this option to suppress device restarts during the app installation of
MSI-based apps.
App install may force a device restart : Choose this option to allow the app installation to
complete without suppressing restarts.
Intune will force a mandatory device restart : Choose this option to always restart the device
after a successful app installation.
Specify return codes to indicate post-installation behavior : Add the return codes used to
specify either app installation retry behavior or post-installation behavior. Intune adds a default set of
return codes during app creation (0 and 1707 as Success, 3010 as Soft reboot, 1641 as Hard reboot, and
1618 as Retry). You can add additional return codes or change the existing ones.
a. In the Code type column, set the Code type to one of the following:
Failed – The return value that indicates an app installation failure.
Hard reboot – A hard reboot return code blocks further Win32 app installations on the
client until the device has rebooted.
Soft reboot – A soft reboot return code allows the next Win32 app to be installed
without requiring a client reboot. A reboot is still necessary to complete installation of the
current application.
Retry – When a retry return code is seen, the agent attempts to install the app three times,
waiting 5 minutes between each attempt.
Success – The return value that indicates the app was successfully installed.
b. If needed, click Add to add additional return codes, or modify existing return codes.
2. Click Next to display the Requirements page.
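The script below is an added example, not code from the Intune documentation, showing how the install command, uninstall command and return-code table described in this step fit together. It is an Install.ps1 packaged in the same setup folder as the MSI, so the install command in Intune becomes powershell.exe -NoProfile -ExecutionPolicy Bypass -File Install.ps1 and the uninstall command adds -Uninstall. The MSI file name, product code and log folder are placeholders. msiexec's exit code is passed straight through so that Intune's default return-code mapping (0 and 1707 success, 3010 soft reboot, 1641 hard reboot, 1618 retry) applies without any custom entries; the arguments are built as an array rather than assembled from strings so that nothing on the device can inject extra switches.

```powershell
# Added example, not from the Intune docs. Install.ps1, packaged next to MyApp123.msi.
# Intune install command:   powershell.exe -NoProfile -ExecutionPolicy Bypass -File Install.ps1
# Intune uninstall command: powershell.exe -NoProfile -ExecutionPolicy Bypass -File Install.ps1 -Uninstall
# The management extension is a 32-bit process; if the script must run in 64-bit
# PowerShell (for example to touch 64-bit registry paths), launch it through
# %windir%\sysnative\WindowsPowerShell\v1.0\powershell.exe instead.
param(
    [switch] $Uninstall
)

$ErrorActionPreference = 'Stop'
$ProductCode = '{12345A67-89B0-1234-5678-000001000000}'   # placeholder (same as the docs' example)
$MsiPath     = Join-Path $PSScriptRoot 'MyApp123.msi'      # placeholder; shipped inside the .intunewin
$LogDir      = Join-Path $env:ProgramData 'MyOrg\Logs'     # assumed log location
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Arguments are a fixed array, never concatenated from external input, so a crafted
# file name or registry value cannot add msiexec switches of its own.
if ($Uninstall) {
    $logFile = Join-Path $LogDir 'MyApp123-uninstall.log'
    $msiArgs = @('/x', $ProductCode, '/qn', '/norestart', '/l*v', "`"$logFile`"")
} else {
    if (-not (Test-Path -LiteralPath $MsiPath)) {
        Write-Host "Installer not found at $MsiPath"
        exit 1                                  # maps to the default Failed code
    }
    $logFile = Join-Path $LogDir 'MyApp123-install.log'
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$logFile`"")
}

# msiexec is a GUI-subsystem executable, so use Start-Process -Wait to get its exit code.
$proc = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" `
    -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow

# Propagate the code unchanged; Intune's default table already understands these values.
switch ($proc.ExitCode) {
    0    { Write-Host 'Completed';                                   exit 0 }
    1707 { Write-Host 'Completed';                                   exit 1707 }
    3010 { Write-Host 'Completed, reboot required';                  exit 3010 }
    1641 { Write-Host 'Completed, installer initiated a reboot';     exit 1641 }
    1618 { Write-Host 'Another installation is running, Intune retries'; exit 1618 }
    default {
        Write-Host "msiexec returned $($proc.ExitCode); see $logFile"
        exit $proc.ExitCode                     # any unmapped code is reported as Failed
    }
}
```

Because /norestart is passed, the installer reports 3010 instead of rebooting on its own, which leaves the restart decision to the Device restart behavior setting and the restart grace period configured on the assignment.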

Step 3: Requirements
1. In the Requirements page, specify the requirements that devices must meet before the app is installed:
Operating system architecture : Choose the architectures need to install the app.
Minimum operating system : Select the minimum operating system needed to install the app.
Disk space required (MB) : Optionally, add the free disk space needed on the system drive to install
the app.
Physical memor y required (MB) : Optionally, add the physical memory (RAM) required to install the
app.
Minimum number of logical processors required : Optionally, add the minimum number of logical
processors required to install the app.
Minimum CPU speed required (MHz) : Optionally, add the minimum CPU speed required to install
the app.
Configure additional requirement rules :
a. Click Add to display the Add a Requirement rule pane and configure additional requirement
rules. Select the Requirement type to choose the type of rule that you will use to determine how
a requirement is validated. Requirement rules can be based on file system information, registry
values, or PowerShell scripts.
File : When you choose File as the Requirement type , the requirement rule must detect a
file or folder, date, version, or size.
Path – The full path of the folder containing the file or folder to detect.
File or folder - The file or folder to detect.
Property – Select the type of rule used to validate the presence of the app.
Associated with a 32-bit app on 64-bit clients - Select Yes to expand any path
environment variables in the 32-bit context on 64-bit clients. Select No (default) to
expand any path variables in the 64-bit context on 64-bit clients. 32-bit clients will
always use the 32-bit context.
Registry : When you choose Registry as the Requirement type , the requirement rule
must detect a registry setting based on value, string, integer, or version.
Key path – The full path of the registry entry containing the value to detect.
Value name - The name of the registry value to detect. If this value is empty, the
detection will happen on the key. The (default) value of a key will be used as
detection value if the detection method is other than file or folder existence.
Registry key requirement – Select the type of registry key comparison used to
determine how the requirement rule is validated.
Associated with a 32-bit app on 64-bit clients - Select Yes to search the 32-bit
registry on 64-bit clients. Select No (default) search the 64-bit registry on 64-bit
clients. 32-bit clients will always search the 32-bit registry.
Script : Choose Script as the Requirement type , when you cannot create a requirement
rule based on file, registry, or any other method available to you in the Intune console.
Script file – For a PowerShell script based requirement rule, if the exit code is 0, Intune
parses the script's STDOUT according to the selected output data type and compares it with the
rule. For example, the rule can require that STDOUT is an integer with the value 1.
Run script as 32-bit process on 64-bit clients - Select Yes to run the script in a
32-bit process on 64-bit clients. Select No (default) to run the script in a 64-bit
process on 64-bit clients. 32-bit clients run the script in a 32-bit process.
Run this script using the logged on credentials : Select Yes to run the script
using the credentials of the signed-in user.
Enforce script signature check - Select Yes to verify that the script is signed by a
trusted publisher, which will allow the script to run with no warnings or prompts
displayed. The script will run unblocked. Select No (default) to run the script with
end-user confirmation without signature verification.
Select output data type : Select the data type used when determining a
requirement rule match.
b. When you're finished setting the requirement rules, select OK .
2. Click Next to display the Detection rules page.
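As an added example of a Script requirement rule (not taken from the Intune documentation), the following script reports whether the device has a reboot pending, so that a Win32 app is only offered once the outstanding reboot has been taken. In the rule, set Select output data type to Integer, the operator to Equals and the value to 0. The registry locations it inspects are the standard reboot-pending indicators written by component-based servicing, Windows Update and the session manager; the mapping of the result to an integer is this example's own convention.

```powershell
# Added example, not from the Intune docs: requirement script, output data type Integer,
# rule "Equals 0" means "no reboot pending".
function Test-PendingReboot {
    # Keys whose mere presence signals a pending reboot.
    $indicatorKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($key in $indicatorKeys) {
        if (Test-Path -LiteralPath $key) { return $true }
    }

    # PendingFileRenameOperations is populated when files are swapped at next boot.
    $sessionManager = Get-ItemProperty `
        -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -ErrorAction SilentlyContinue
    if ($sessionManager -and $sessionManager.PendingFileRenameOperations) { return $true }

    return $false
}

# Intune parses the whole STDOUT as the selected data type, so emit exactly one token
# and nothing else (no progress messages, no Write-Host).
if (Test-PendingReboot) { Write-Output 1 } else { Write-Output 0 }
exit 0
```

The script always exits 0: a non-zero exit code means "the rule could not be evaluated", not "requirement not met", and the comparison against STDOUT is what decides whether the app is applicable.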

Step 4: Detection rules


1. In the Detection rules page, configure the rules to detect the presence of the app:
Rules format : Select how the presence of the app will be detected. You can choose to either manually
configure the detection rules or use a custom script to detect the presence of the app. You must choose at
least one detection rule.
NOTE
In the Detection rules pane, you can choose to add multiple rules. The conditions for all rules must be met to
detect the app.
If Intune detects that the app is not present on the device, Intune will offer the app again after 24 hours. This will
only occur for apps targeted with required intent.

Manually configure detection rules - You can select one of the following rule types:
a. MSI – Verify based on MSI version check. This option can only be added once. When you
choose this rule type, you have two settings:
MSI product code – Add a valid MSI product code for the app.
MSI product version check – Select Yes to verify the MSI product version in addition to
the MSI product code.
b. File – Verify based on file or folder detection, date, version, or size.
Path – The full path of the folder containing the file or folder to detect.
File or folder - The file or folder to detect.
Detection method – Select the type of detection method used to validate the presence of
the app.
Associated with a 32-bit app on 64-bit clients - Select Yes to expand any path
environment variables in the 32-bit context on 64-bit clients. Select No (default) to expand
any path variables in the 64-bit context on 64-bit clients. 32-bit clients will always use the
32-bit context.
Examples of file-based detection
a. Check for file existence.
b. Check for folder existence.

c. Registry – Verify based on value, string, integer, or version.


Key path – The full path of the registry entry containing the value to detect. A valid syntax
is HKEY_LOCAL_MACHINE\Software\WinRAR or HKLM\Software\WinRAR.
Value name - The name of the registry value to detect. If this value is empty, the detection
will happen on the key. The (default) value of a key will be used as detection value if the
detection method is other than file or folder existence.
Detection method – Select the type of detection method used to validate the presence of
the app.
Associated with a 32-bit app on 64-bit clients - Select Yes to search the 32-bit
registry on 64-bit clients. Select No (default) search the 64-bit registry on 64-bit clients.
32-bit clients will always search the 32-bit registry.
Examples for registry-based detection
a. Check for registry key exists.

b. Check if registry value exists.


c. Check for registry value string equals.

Use a custom detection script – Specify the PowerShell script that will be used to detect this app.
a. Script file – Select a PowerShell script that will detect the presence of the app on the client.
The app will be detected when the script both returns a 0 value exit code and writes a string
value to STDOUT.
b. Run script as 32-bit process on 64-bit clients - Select Yes to run the script in a 32-bit
process on 64-bit clients. Select No (default) to run the script in a 64-bit process on 64-bit
clients. 32-bit clients run the script in a 32-bit process.
c. Enforce script signature check - Select Yes to verify that the script is signed by a trusted
publisher, which will allow the script to run with no warnings or prompts displayed. The script
will run unblocked. Select No (default) to run the script with end-user confirmation without
signature verification.
Intune agent checks the results from the script. It reads the values written by the script to the
standard output (STDOUT) stream, the standard error (STDERR) stream, and the exit code. If
the script exits with a nonzero value, the script fails and the application detection status is not
installed. If the exit code is zero and STDOUT has data, the application detection status is
Installed.

NOTE
Microsoft recommends encoding your script as UTF-8. An exit code of 0 means the script ran successfully; the
STDOUT stream then decides the result: any data on STDOUT means the app was found on the client. Intune does not
look for a particular string on STDOUT, so make sure the script writes nothing to STDOUT on the not-installed path.

2. Once you have added your rule(s), select Next to display the Dependencies page.
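The custom detection script below is an added example and is not from the Intune documentation. It demonstrates the exit-code and STDOUT contract described above while avoiding two common detection mistakes: it checks both the native and the WOW6432Node Uninstall keys (so it works no matter how "Run script as 32-bit process on 64-bit clients" is set), and it compares versions with PowerShell's [version] type instead of string equality, so 2.10.0 is correctly treated as newer than 2.9.0. The product name pattern and minimum version are placeholders.

```powershell
# Added example, not from the Intune docs: custom detection script for a Win32 app.
$DisplayNamePattern = 'Contoso Widget*'   # placeholder; matched against DisplayName
$MinimumVersion     = [version]'2.5.0'    # placeholder

# Both registry views are read explicitly, so the result does not depend on whether
# the script runs in a 32-bit or 64-bit PowerShell process.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledVersion {
    param([string] $NamePattern, [string[]] $Keys)
    $best = $null
    foreach ($entry in (Get-ItemProperty -Path $Keys -ErrorAction SilentlyContinue)) {
        if ($entry.DisplayName -notlike $NamePattern) { continue }
        # DisplayVersion is free text written by the installer; accept only values that
        # parse as a real version, so "2.5.0-beta" or an empty string never satisfies the rule.
        $parsed = $null
        if ([version]::TryParse([string]$entry.DisplayVersion, [ref]$parsed)) {
            if ($null -eq $best -or $parsed -gt $best) { $best = $parsed }
        }
    }
    return $best
}

$installed = Get-InstalledVersion -NamePattern $DisplayNamePattern -Keys $UninstallKeys

# Intune reports "installed" when the exit code is 0 AND STDOUT contains anything.
# Do not print diagnostics on the not-installed path: the app would be marked as
# present and a Required assignment would never be retried.
if ($null -ne $installed -and $installed -ge $MinimumVersion) {
    Write-Output "Detected $DisplayNamePattern version $installed"
    exit 0
}
exit 1
```

Run the script locally under an account that matches the app's install context before uploading it; an Uninstall entry that exists only in HKCU (a per-user install) will not be found by this HKLM-only check when the app is deployed in the System context.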

Step 5: Dependencies
App dependencies are applications that must be installed before your Win32 app can be installed. You can require
that other apps are installed as dependencies. Specifically, the device must install the dependent app(s) before it
installs the Win32 app. There is a maximum of 100 dependencies, which includes the dependencies of any
included dependencies, as well as the app itself. You can add Win32 app dependencies only after your Win32 app
has been added and uploaded to Intune. Once your Win32 app has been added, you'll see the Dependencies
option on the pane for your Win32 app.
Any Win32 app dependency must itself be a Win32 app. Dependencies on other app types, such as single-MSI
LOB apps or Store apps, are not supported.
When adding an app dependency, you can search based on the app name and publisher. Additionally, you can sort
your added dependencies based on app name and publisher. Previously added app dependencies cannot be
selected in the added app dependency list.
You can choose whether or not to install each dependent app automatically. By default, the Automatically install
option is set to Yes for each dependency. By automatically installing a dependent app, even if the dependent app is
not targeted to the user or device, Intune will install the app on the device to satisfy the dependency before
installing your Win32 app. It's important to note that a dependency can have recursive sub-dependencies, and
each sub-dependency will be installed before installing the main dependency. Additionally, installation of
dependencies does not follow an install order at a given dependency level.
Select the dependencies
In the Dependencies page, select applications that must be installed before your Win32 app can be installed:
1. Click Add to display the Add dependency pane.
2. Once you have added the dependent app(s), click Select .
3. Choose whether to automatically install the dependent app by selecting Yes or No under the Automatically
Install column.
4. Click Next to display the Scope tags page.
Understand additional dependency details
The end user will see Windows Toast Notifications indicating that dependent apps are being downloaded and
installed as part of the Win32 app installation process. Additionally, when a dependent app is not installed, the end
user will commonly see one of the following notifications:
1 or more dependent apps failed to install
1 or more dependent app requirements not met
1 or more dependent apps are pending a device reboot
If you choose not to Automatically install a dependency, the Win32 app installation will not be attempted.
Additionally, app reporting will show that the dependency was flagged as failed and also provide a failure
reason. You can view the dependency installation failure by clicking on a failure (or warning) provided in the
Win32 app installation details.
Each dependency will adhere to Intune Win32 app retry logic (try to install 3 times after waiting for 5 minutes) and
the global re-evaluation schedule. Also, dependencies are only applicable at the time of installing the Win32 app
on the device. Dependencies are not applicable for uninstalling a Win32 app. To delete a dependency, you must
click on the ellipses (three dots) to the left of the dependent app located at the end of the row of the dependency
list.

Step 6 - Select scope tags (optional)


You can use scope tags to determine who can see client app information in Intune. For full details about scope tags,
see Use role-based access control and scope tags for distributed IT.
1. Click Select scope tags to optionally add scope tags for the app.
2. Click Next to display the Assignments page.

Step 7 - Assignments
You can select the Required , Available for enrolled devices , or Uninstall group assignments for the app. For
more information, see Add groups to organize users and devices and Assign apps to groups with Microsoft Intune.
1. For the specific app, select an assignment type:
Required : The app is installed on devices in the selected groups.
Available for enrolled devices : Users install the app from the Company Portal app or Company
Portal website.
Uninstall : The app is uninstalled from devices in the selected groups.
2. Click Add group and assign the groups that will use this app.
3. In the Select groups pane, select to assign based on users or devices.
4. After you have selected your groups, you can also set End user notifications , Availability , and Installation
deadline . For more information, see Set Win32 app availability and notifications.
5. If you want to exclude any groups of users from being affected by this app assignment, select Included under
the MODE column. The Edit assignment pane will be displayed. You can set the mode from being Included
to being Excluded . Click OK to close the Edit assignment pane.
6. In the App settings section, select the Delivery optimization priority for the app. This setting will
determine how the app content will be downloaded. You can choose to download the app content in
background mode or foreground mode based on assignment.
7. Once you have completed setting the assignments for the apps, click Next to display the Review + create
page.

Step 8 - Review + create


1. Review the values and settings you entered for the app. Verify that you configured the app information
correctly.
2. When you are done, click Create to add the app to Intune.
The Over view blade for the line-of-business app is displayed.
At this point, you have completed steps to add a Win32 app to Intune. For information about app assignment and
monitoring, see Assign apps to groups with Microsoft Intune and Monitor app information and assignments with
Microsoft Intune.

Delivery Optimization
Windows 10 1709 and later clients download Intune Win32 app content using the Delivery Optimization
component on the Windows 10 client. Delivery Optimization provides peer-to-peer functionality that is turned on
by default. You can configure the Delivery Optimization agent to download Win32 app content in either
background or foreground mode based on assignment. Delivery Optimization can be configured by group policy
and via Intune device configuration. For more information, see Delivery Optimization for Windows 10.

NOTE
You can also install a Microsoft Connected Cache server on your Configuration Manager distribution points to cache Intune
Win32 app content. For more information, see Microsoft Connected Cache in Configuration Manager - Support for Intune
Win32 apps.

Install required and available apps on devices


The end user will see Windows Toast Notifications for the required and available app installations. The following
image shows an example toast notification where the app installation is not complete until the device is restarted.

The following image notifies the end user that app changes are being made to the device.
Additionally, the Company Portal app shows additional app installation status messages to end users. The
following conditions apply to Win32 dependency features:
App failed to install. Dependencies defined by the admin were not met.
App installed successfully but requires a restart.
App is in the process of installing, but requires a restart to continue.

Set Win32 app availability and notifications


You can configure the start time and deadline time for a Win32 app. At the start time, Intune management
extension will start the app content download and cache it for required intent. The app will be installed at the
deadline time. For available apps, start time will dictate when the app is visible in the Company Portal and content
will be downloaded when the end user requests the app from the Company Portal. Additionally, you can enable a
restart grace period.

IMPORTANT
The Restart grace period setting in the Assignment section is only available when the Device restart behavior of the
Program section is set to either of the following options:
Determine behavior based on return codes
Intune will force a mandatory device restart

Set the app availability based on a date and time for a required app using the following steps:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps .
3. Select an existing Windows app (Win32) from the list.
4. From the app pane, select Proper ties > Edit next to the Assignments section > Add group below the
Required assignment type. Note that app availability can be set based on the assignment type. The
Assignment type can be Required , Available for enrolled devices , or Uninstall .
5. Select a group in the Select group pane to specify which group of users will be assigned the app.
NOTE
Assignment type options include the following:
Required : You can choose to make this app required for all users and/or make this app required on all
devices .
Available for enrolled devices : You can choose to make this app available to all users with
enrolled devices .
Uninstall : You can choose to uninstall this app for all users and/or uninstall this app for all devices .

6. To modify the End user notification options, select Show all toast notifications .
7. In the Edit assignment pane, set End user notifications to Show all toast notifications . Note
that you can set End user notifications to Show all toast notifications , Show toast notifications for
computer restarts , or Hide all toast notifications .
8. Set the App availability to A specific date and time and select your date and time. This date and time
specifies when the app is downloaded to the end user's device.
9. Set the App installation deadline to A specific date and time and select your date and time. This date
and time specifies when the app is installed on the end user's device. When more than one assignment is
made for the same user or device, the earliest app installation deadline is used.
10. Click Enabled next to the Restart grace period . The restart grace period starts as soon as the app install
has been completed on the device. When disabled, the device can restart without warning.
You can customize the following options:
Device restart grace period (minutes) : The default value is 1440 minutes (24 hours). This value can
be a maximum of 2 weeks.
Select when to display the restart countdown dialog box before the restart occurs
(minutes) : The default value is 15 minutes.
Allow user to snooze the restart notification : You can choose Yes or No .
Select the snooze duration (minutes) : The default value is 240 minutes (4 hours). The snooze
value cannot be more than the reboot grace period.
11. Click Review + save .

Toast notifications for Win32 apps


If needed, you can suppress showing end user toast notifications per app assignment. From Intune, select Apps >
All apps > select the app > Assignments > Include Groups .

NOTE
Intune management extension installed Win32 apps will not be uninstalled on unenrolled devices. Admins can leverage
assignment exclusion to not offer Win32 apps to BYOD Devices.

Troubleshoot Win32 app issues


Agent logs on the client machine are commonly in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs . You
can leverage CMTrace.exe to view these log files. For more information, see CMTrace.
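When CMTrace is not at hand, the agent logs can be read directly: they use the CMTrace entry format, where each record is a <![LOG[message]LOG]!> token followed by a tag with time, date, component and a numeric type (1 = info, 2 = warning, 3 = error). The parser below is an added example, not Microsoft's tooling, that turns such entries into objects and filters out the warnings and errors. The sample entries it runs against are constructed to match the CMTrace layout and are not copied from a real log; the app ID and messages in them are made up.

```powershell
# Added example, not from the Intune docs: parse CMTrace-format log entries.
$LogPath = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'

# One CMTrace record: the message token followed by its metadata tag. (?s) lets a
# message span several lines, which CMTrace writers do for stack traces.
$CmTracePattern = '(?s)<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]*)"\s+date="(?<Date>[^"]*)"' +
                  '\s+component="(?<Component>[^"]*)"\s+context="[^"]*"\s+type="(?<Type>\d)"' +
                  '\s+thread="(?<Thread>\d+)"\s+file="[^"]*">'

function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory)] [string] $Text)
    $levels = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    foreach ($m in [regex]::Matches($Text, $CmTracePattern)) {
        [pscustomobject]@{
            Date      = $m.Groups['Date'].Value
            Time      = $m.Groups['Time'].Value
            Level     = $levels[$m.Groups['Type'].Value]
            Component = $m.Groups['Component'].Value
            Thread    = [int]$m.Groups['Thread'].Value
            Message   = $m.Groups['Message'].Value
        }
    }
}

# Constructed sample shaped like agent entries; IDs and messages are invented.
$sample = @'
<![LOG[[Win32App] Starting installation of app 11111111-2222-3333-4444-555555555555]LOG]!><time="10:15:01.001+000" date="09-04-2020" component="IntuneManagementExtension" context="" type="1" thread="12" file="">
<![LOG[[Win32App] Detection rule not met, app is not installed]LOG]!><time="10:15:04.250+000" date="09-04-2020" component="IntuneManagementExtension" context="" type="2" thread="12" file="">
<![LOG[[Win32App] Installer exited with code 1603]LOG]!><time="10:15:40.880+000" date="09-04-2020" component="IntuneManagementExtension" context="" type="3" thread="12" file="">
'@

# Warnings and errors from the sample: the two non-Info entries.
ConvertFrom-CMTraceLog -Text $sample |
    Where-Object { $_.Level -ne 'Info' } |
    Format-Table Time, Level, Message -AutoSize

# The same filter against the real agent log on a client, most recent entries last.
if (Test-Path -LiteralPath $LogPath) {
    ConvertFrom-CMTraceLog -Text (Get-Content -LiteralPath $LogPath -Raw) |
        Where-Object { $_.Level -eq 'Error' -or $_.Message -like '*Win32App*' } |
        Select-Object -Last 20 |
        Format-Table Date, Time, Level, Message -AutoSize
}
```

The agent rolls the log over when it grows, so check the numbered or dated copies in the same Logs folder as well when the failure you are looking for is more than a few hours old.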
IMPORTANT
To allow proper installation and execution of LOB Win32 apps, anti-malware settings should exclude the following directories
from being scanned:
On X64 client machines :
C:\Program Files (x86)\Microsoft Intune Management Extension\Content
C:\windows\IMECache
On X86 client machines :
C:\Program Files\Microsoft Intune Management Extension\Content
C:\windows\IMECache
For more information, see Virus scanning recommendations for Enterprise computers that are running currently supported
versions of Windows.

Detecting the Win32 app file version using PowerShell


If you have difficulty detecting the Win32 app file version, consider using or modifying the following PowerShell
command:

$FileVersion = [System.Diagnostics.FileVersionInfo]::GetVersionInfo("<path to binary file>").FileVersion


#The below line trims the spaces before and after the version name
$FileVersion = $FileVersion.Trim();
if ("<file version of successfully detected file>" -eq $FileVersion)
{
#Write the version to STDOUT by default
$FileVersion
exit 0
}
else
{
#Exit with non-zero failure code
exit 1
}

In the above PowerShell command, replace the <path to binary file> string with the path to your Win32 app file.
An example path would be similar to the following:
C:\Program Files (x86)\Microsoft SQL Server Management Studio 18\Common7\IDE\ssms.exe

Also, replace the <file version of successfully detected file> string with the file version that you need to detect.
An example file version string would be similar to the following:
2019.0150.18118.00 ((SSMS_Rel).190420-0019)

If you need to get the version information of your Win32 app, you can use the following PowerShell command:
[System.Diagnostics.FileVersionInfo]::GetVersionInfo("<path to binary file>").FileVersion

In the above PowerShell command, replace <path to binary file> with your file path.
Additional troubleshooting areas to consider
Check targeting to make sure agent is installed on the device - Win32 app targeted to a group or PowerShell
Script targeted to a group will create agent install policy for security group.
Check OS Version – Windows 10 1607 and above.
Check Windows 10 SKU - Windows 10 S, or Windows versions running with S-mode enabled, do not support
MSI installation.
For more information about troubleshooting Win32 apps, see Win32 app installation troubleshooting. For
information about app types on ARM64 devices, see App types supported on ARM64 devices.

Next steps
For more information about adding apps to Intune, see Add apps to Microsoft Intune.
Enable Win32 apps on S mode devices
9/4/2020

Windows 10 S mode is a locked-down operating system that only runs Store apps. By default, Windows S mode
devices do not allow installation and execution of Win32 apps. These devices include a single Win 10S base
policy, which prevents the S mode device from running any Win32 apps. However, by creating and using an S
mode supplemental policy in Intune, you can install and run Win32 apps on Windows 10 S mode managed
devices. By using the Windows Defender Application Control (WDAC) PowerShell tools, you can create one or more
supplemental policies for Windows S mode. You must sign the supplemental policies with the Device Guard
Signing Service (DGSS) or with SignTool.exe and then upload and distribute the policies via Intune. As an
alternative, you can sign the supplemental policies with a code-signing certificate from your organization; however,
the preferred method is to use DGSS. If you use your organization's code-signing certificate, the root
certificate that the code-signing certificate chains up to must be present on the device.

IMPORTANT
Device Guard Signing Service v2 will be available for consumption starting mid-September 2020, and you will have until the
end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the
current version of the DGSS service will be retired and will no longer be available for use. You must make plans to migrate to
the new version of the service between September and December 2020. For more information, please contact
DGSSMigration@Microsoft.com.

By assigning the S mode supplemental policy in Intune, you enable the device to make an exception to the device's
existing S mode policy, which allows the uploaded corresponding signed app catalog. The policy sets an allow list
of apps (the app catalog) that can be used on the S mode device.

NOTE
Win32 apps on S mode devices are only supported on Windows 10 November 2019 Update (build 18363) or later versions.

The steps to allow Win32 apps to run on a Windows 10 device in S mode are the following:
1. Enable S mode devices through Intune as part of the Windows 10 S enrollment process.
2. Create a supplemental policy to allow Win32 apps:
   You can use the Microsoft Defender Application Control (WDAC) tools to create a supplemental policy. The
   base policy ID within the policy must match the S mode base policy ID (which is hard coded on the client).
   Also, make sure that the policy version is higher than the previous version.
   You use DGSS to sign your supplemental policy. For more information, see Sign code integrity policy with
   Device Guard signing.
   You upload the signed supplemental policy to Intune by creating a Windows 10 S mode supplemental
   policy (see below).
3. Allow Win32 app catalogs through Intune:
   You create catalog files (one for every app) and sign them using DGSS or other certificate infrastructure.
   You package the signed catalog into the .intunewin file using the Microsoft Win32 Content Prep Tool.
   There are no naming restrictions when creating a catalog file using the Microsoft Win32 Content Prep
   Tool. When generating the .intunewin file from the specified source folder and setup file, you can provide
   a separate folder containing only catalog files by using the -a command-line option. For more information, see
   Win32 app management - Prepare the Win32 app content for upload.
   Intune applies the signed app catalog to install the Win32 app on the S mode device using the Intune
   Management Extension.

NOTE
Line-of-business (LOB) .appx and .appx bundles on Windows 10 S mode will be supported via Microsoft Store for
Business (MSFB) signing.
S mode supplemental policy for apps must be delivered via Intune Management Extension.
S mode policies are enforced at the device level. Multiple targeted policies will be merged on the device. The merged policy
will be enforced on the device.
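The supplemental-policy and catalog steps above, as an added PowerShell example that is not from the Intune documentation: it drives the ConfigCI cmdlets to build a supplemental policy that references the S mode base policy, bumps its version, converts it to binary, and then packages the app with its signed catalog folder via the Content Prep Tool's -a option. All paths are constructed, the base policy GUID is a placeholder, and signing the .bin with DGSS or SignTool happens outside this script between the conversion and the upload.

```powershell
# Added example, not from the Intune documentation. Requires the ConfigCI module
# that ships with Windows 10 and the Microsoft Win32 Content Prep Tool.
Import-Module ConfigCI

$ScanPath        = 'C:\Staging\MyApp'                  # constructed: folder with the app binaries
$PolicyXml       = 'C:\Policies\SModeSupplemental.xml'  # constructed
$PolicyBin       = 'C:\Policies\SModeSupplemental.bin'  # sign this, then upload it to Intune
$SModeBasePolicy = '<S mode base policy GUID>'          # placeholder: the ID hard coded on the client
$PolicyVersion   = '1.0.0.1'                            # must be higher than the previously deployed version

# 1. Scan the app folder and allow its binaries by publisher, falling back to a
#    file hash for anything unsigned. -MultiplePolicyFormat is required because a
#    supplemental policy can only be expressed in the multiple-policy format.
New-CIPolicy -FilePath $PolicyXml -ScanPath $ScanPath -Level Publisher -Fallback Hash `
    -UserPEs -MultiplePolicyFormat

# 2. Declare the policy as a supplement of the S mode base policy and set the version.
#    A supplemental policy whose base ID does not match the client's base policy is ignored.
Set-CIPolicyIdInfo   -FilePath $PolicyXml -SupplementsBasePolicyID $SModeBasePolicy
Set-CIPolicyVersion  -FilePath $PolicyXml -Version $PolicyVersion

# 3. Convert the XML to the binary form that DGSS/SignTool signs and Intune accepts.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 4. Package the app for Intune. The signed catalog (.cat) files live in their own
#    folder and are pulled in with -a; the folder must contain only catalog files.
$CatalogFolder = 'C:\Staging\Catalogs'   # constructed
$OutputFolder  = 'C:\Output'             # constructed
& 'C:\Tools\IntuneWinAppUtil.exe' -c $ScanPath -s 'setup.exe' -o $OutputFolder -a $CatalogFolder -q
```

Assign the resulting .intunewin app to the same security group as the supplemental policy, as the text below requires.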

To create a Windows 10 S mode supplemental policy, use the following steps:


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > S mode supplemental policies > Create policy.
3. Before adding the Policy file, you must create and sign it. For more information, see:
Create a WDAC policy using PowerShell tools and convert it to a binary format
Sign using Device Guard Signing Service (recommended)
4. On the Basics page, add the following values:

Value            Description
Policy file      The file that contains the WDAC policy.
Name             The name of this policy.
Description      [Optional] The description of this policy.

5. Click Next: Scope tags.


On the Scope tags page you can optionally configure scope tags to determine who can see the app policy
in Intune. For more information about scope tags, see Use role-based access control and scope tags for
distributed IT.
6. Click Next: Assignments.
The Assignments page allows you to assign the policy to users and devices. It is important to note that
you can assign a policy to a device whether or not the device is managed by Intune.
7. Click Next: Review + create to review the values you entered for the profile.
8. When you are done, click Create to create the S mode supplemental policy in Intune.
Once the policy is created, you will see it added to the list of S mode supplemental policies in Intune. Once the
policy is assigned, the policy gets deployed to the devices. Note that you must deploy the app to the same security
group as the supplemental policy. You can start targeting and assigning apps to those devices. This will allow your
end users to install and execute the apps on the S mode devices.

Removal of S mode policy


Currently, to remove the S mode supplemental policy from the device, you must assign and deploy an empty policy
to overwrite the existing S mode supplemental policy.
Policy Reporting
The S mode supplemental policy, which is enforced at device level, only has device-level reporting. Device-level
reporting is available for success and error conditions.
Reporting values that are shown in the Intune console for S mode reporting policies:
Success: The S mode supplemental policy is in effect.
Unknown: The status of the S mode supplemental policy is not known.
TokenError: The S mode supplemental policy is structurally okay, but there is an error with authorizing the
token.
NotAuthorizedByToken: The token does not authorize this S mode supplemental policy.
PolicyNotFound: The S mode supplemental policy is not found.

Next steps
For more information, see Win32 apps on S mode.
For more information about adding apps to Intune, see Add apps to Microsoft Intune.
For more information about Win32 apps, see Intune Win32 app management.
Add and assign the Windows 10 Company Portal app
for Autopilot provisioned devices
9/4/2020 • 2 minutes to read

To manage devices and install apps, your users can use the Company Portal app. You can assign the Windows 10
Company Portal app directly from Intune.

Prerequisites
For Windows 10 Autopilot provisioned devices, it is recommended that you associate your Microsoft Store for
Business account with Intune. For more information, see How to manage volume purchased apps from the
Microsoft Store for Business with Microsoft Intune.
You can choose to install the Company Portal (Offline) app using the steps below. The Company Portal app will
be installed in device context when assigned to the Autopilot group and will be installed on the device before the
user logs in.

Configure the store settings to show the offline app


1. Sign in to the Microsoft Store for Business with your admin account.
2. Select the Manage tab near the top of the window.
3. In the left pane, select Settings.
4. Under Shopping experience, set Show offline apps to On.
The offline licensed apps are displayed.

Get the offline Company Portal app from the store


1. Search for and then select the Company Portal app.
2. Set the License type to Offline.
3. Select Get the app to acquire and add the offline Company Portal app to your inventory. In order for the app to
be listed in Intune, you must either wait for the sync schedule to complete or do a manual sync from Microsoft
Endpoint Manager admin center.

Manually sync Company Portal app with Intune


1. Sign in to the Microsoft Endpoint Manager admin center with your admin account.
2. Select Tenant administration > Connectors and tokens > Microsoft Store for Business.
3. Click Enable.
4. If you haven't already done so, click the link to sign up for the Microsoft Store for Business and associate your
account as detailed previously.
5. From the Language drop-down list, choose the language in which apps from the Microsoft Store for Business
are displayed in the Azure portal. Regardless of the language in which they are displayed, they are installed in
the end user's language when available.
6. Click Sync to get the apps you've purchased from the Microsoft Store into Intune.

Assign the Company Portal app


1. Sign in to the Microsoft Endpoint Manager admin center with your admin account.
2. Select Apps > Windows.
3. From the list of Windows apps, select Company Portal (Offline).
4. Assign the Company Portal app as a required app to your selected autopilot device groups.

Next steps
To learn more about assigning apps, see Assign apps to groups.
Add the Windows 10 Company Portal app by using
Microsoft Intune
9/4/2020 • 5 minutes to read

To manage devices and install apps, your users can install the Company Portal app themselves from the Microsoft
Store. If your business needs require that you assign the Company Portal app to them, however, you can assign the
Windows 10 Company Portal app directly from Intune. You can do so even if you haven't integrated Intune with the
Microsoft Store for Business.

IMPORTANT
If you download the Company Portal app by using the option described in this article, you must manually assign updates each
time an app update is released. To deploy the Company Portal app for Windows 10 Autopilot provisioned devices, see Add
Windows 10 Company Portal app Autopilot devices.

NOTE
The Company Portal supports Configuration Manager applications. This feature allows end users to see both Configuration
Manager and Intune deployed applications in the Company Portal for co-managed customers. This new version of the
Company Portal will display Configuration Manager deployed apps for all co-managed customers. This support will help
administrators consolidate their different end user portal experiences. For more information, see Use the Company Portal app
on co-managed devices.

Configure settings to show offline apps


1. Sign in to the Microsoft Store for Business with your admin account.
2. Select the Manage tab near the top of the window.
3. In the left pane, select Settings.
4. Under Shopping experience, set Show offline apps to On.
The offline licensed apps are displayed.

Download the offline Company Portal app


1. Search for and then select the Company Portal app.
2. Set the License type to Offline.
3. Select Get the app to acquire and add the offline Company Portal app to your inventory.
4. On the Company Portal app page, select Manage.
5. For Platform, select Windows 10 all devices, and then select the appropriate Minimum version,
Architecture, and Download app metadata values.
6. Select Download under Package details to save the file to your local machine.
7. Download all the packages under "Required Frameworks" by selecting Download.
This action must be completed for x86, x64, and ARM architectures:
There are 9 Required Framework Packages when selecting 1507 as the minimum OS Version, 12 packages
when selecting 1511, and 15 packages when selecting 1607.
8. In Microsoft Intune in the Azure portal, upload the Company Portal app as a new app. You add the
application by selecting Line-of-business app as the App type in the Select app type pane. You then select
the app package file (extension .AppxBundle).
9. Under Select dependency app files, select all the dependencies you downloaded in step 7 by using
shift-click, and verify that the Added column displays Yes for the architectures you need.

NOTE
If the dependencies are not added, the app might not install on the specified device types.

10. Click OK, enter any desired App Information, and click Add.
11. Assign the Company Portal app as a required app to your selected set of user or device groups.
For more information about how Intune handles dependencies for Universal apps, see Deploying an appxbundle
with dependencies via Microsoft Intune MDM.

Frequently asked questions


How do I update the Company Portal app on my users' devices if they have already installed the older apps from
the store?
If your users have already installed the Windows 8.1 Company Portal apps from the Microsoft Store, their apps
should be automatically updated to the latest version with no action required from you or your users. If the update
does not happen, ask your users to confirm that they have enabled auto-updates for Store apps on their devices.
How do I upgrade my sideloaded Windows 8.1 Company Portal app to the Windows 10 Company Portal app?
Our recommended migration path is to delete the assignment for the Windows 8.1 Company Portal app by setting
the assignment action to Uninstall. After you select this setting, you can assign the Windows 10 Company Portal
app by using any of the previously discussed options.
If you need to sideload the app and you assigned the Windows 8.1 Company Portal without signing it with the
Symantec Certificate, complete the upgrade by completing the steps in the preceding sections of this article.
If you need to sideload the app and you signed and assigned the Windows 8.1 Company Portal app with the
Symantec code-signing certificate, follow the steps in the next section.
How do I upgrade my signed and sideloaded Windows 8.1 Company Portal app to the Windows 10 Company
Portal app?
Our recommended migration path is to delete the existing assignment for the Windows 8.1 Company Portal app by
setting the assignment action to Uninstall. After you select this setting, you can assign the Windows 10 Company
Portal app normally.
Otherwise, the Windows 10 Company Portal app must be appropriately updated and signed to ensure that the
upgrade path is respected.
If you sign and assign the Windows 10 Company Portal app in this way, you will need to repeat this process for
each new app update when it is available in the store. The app is not automatically updated when the store is
updated.
Here's how you sign and assign the app in this way:
1. Download the Microsoft Intune Windows 10 Company Portal App Signing Script.
This script requires the Windows SDK for Windows 10 to be installed on the host computer. Download the
Windows SDK for Windows 10.
2. Download the Windows 10 Company Portal app from the Microsoft Store for Business, as discussed previously.
3. To sign the Windows 10 Company Portal app, run the script with the input parameters detailed in the script
header, as shown in the following table.
Dependencies do not need to be passed into the script. They are required only when the app is being uploaded
to the Intune Admin Console.

Parameter                Description
InputWin10AppxBundle     The path to the source appxbundle file.
OutputWin10AppxBundle    The output path for the signed appxbundle file.
Win81Appx                The path to the Windows 8.1 Company Portal (.APPX) file.
PfxFilePath              The path to the Symantec Enterprise Mobile Code Signing Certificate (.PFX) file.
PfxPassword              The password of the Symantec Enterprise Mobile Code Signing Certificate.
PublisherId              The Publisher ID of the enterprise. If it is absent, the Subject field of the Symantec
                         Enterprise Mobile Code Signing Certificate is used.
SdkPath                  The path to the root folder of the Windows SDK for Windows 10. This argument is
                         optional and defaults to ${env:ProgramFiles(x86)}\Windows Kits\10.

When the script has finished running, it outputs the signed version of the Windows 10 Company Portal app. You
can then assign the signed version of the app as a line-of-business (LOB) app via Intune, which upgrades the
currently assigned versions to this new app.

Next steps
Assign apps to groups
Add the macOS Company Portal app
9/4/2020 • 2 minutes to read

To manage devices, install optional apps, and gain access to resources protected by Conditional Access on macOS
devices with user affinity, users must install and sign in to the Company Portal app. You can provide instructions to
your users to install Company Portal for macOS or install it on devices already enrolled directly from Intune.
You can use any of the following options to install the Company Portal for macOS app:
Instruct users to download and install Company Portal
Install Company Portal for macOS as a macOS LOB app
Install Company Portal for macOS by using a macOS Shell Script
To help keep the apps more secure and up to date once installed, the Company Portal app comes with Microsoft
AutoUpdate (MAU).

NOTE
The Company Portal app can only be installed automatically on devices using Intune that are already enrolled using direct
enrollment or Automated Device Enrollment. For personal device or manual enrollment, the Company Portal app must be
downloaded and installed to initiate enrollment. See Instruct users to download and install Company Portal.

Instruct users to download and install Company Portal


You can instruct users to download, install, and sign in to Company Portal for macOS. For instructions on
downloading, installing, and signing into the Company Portal, see Enroll your macOS device using the Company
Portal app.

Install Company Portal for macOS as a macOS LOB app


Company Portal for macOS can be downloaded and installed using the macOS LOB apps feature. The version
downloaded is the version that will always be installed and may need to be updated periodically to ensure users get
the best experience during initial enrollment.
1. Download Company Portal for macOS from https://go.microsoft.com/fwlink/?linkid=853070.
2. Follow the instructions to create a macOS LOB app in macOS LOB apps.

NOTE
Once installed, the Company Portal for macOS app will automatically update using Microsoft AutoUpdate (MAU).

Install Company Portal for macOS by using a macOS Shell Script


Company Portal for macOS can be downloaded and installed using the macOS Shell Scripts feature. This option will
always install the current version of Company Portal for macOS, but will not provide you with application install
reporting you might be used to when deploying applications using macOS LOB apps.
1. Download a sample script to install Company Portal for macOS from Intune Shell Script Samples - Company
Portal.
2. Follow instructions to deploy the macOS Shell Script using macOS Shell Scripts.
Set Run script as signed-in user to No (to run in the system context).
Set Maximum number of retries if script fails to 3.

NOTE
The script will require Internet access when it runs to download the current version of the Company Portal for macOS.

Next steps
To learn more about assigning apps, see Assign apps to groups.
To learn more about configuring Automated Device Enrollment, see Device Enrollment Program - Enroll macOS.
To learn more about configuring Microsoft AutoUpdate settings on macOS, see Mac Updates.
Add Microsoft Edge for Windows 10 to Microsoft
Intune
9/4/2020 • 6 minutes to read

Before you can deploy, configure, monitor, or protect apps, you must add them to Intune. One of the available app
types is Microsoft Edge version 77 and later. By selecting this app type in Intune, you can assign and install
Microsoft Edge version 77 and later to devices you manage that run Windows 10.

IMPORTANT
This app type offers stable, beta, and dev channels for Windows 10. The deployment is in English (EN) only, however end
users can change the display language in the browser under Settings > Languages. Microsoft Edge is a Win32 app
installed in system context and on like architectures (x86 app on x86 OS, and x64 app on x64 OS). Intune will detect any
preexisting Microsoft Edge installations. If it is installed in user context, a system installation will overwrite it. If it is installed in
system context, installation success is reported. In addition, automatic updates of Microsoft Edge are On by default.

NOTE
Microsoft Edge version 77 and later is available for macOS as well.
You cannot use the built-in application deployment of Microsoft Edge for workplace-joined computers. Built-in application
deployment requires the Intune management extension, which only exists for AAD-joined devices. You can still deploy
Microsoft Edge version 77 and later using an .msi uploaded to Apps; see Add a Windows line-of-business app to Microsoft
Intune.

Prerequisites
Windows 10 version 1709 or later.
Any pre-installed versions of Microsoft Edge version 77 and later for all channels in user context will be
overwritten with Edge installed in system context.

Configure the app in Intune


You can add Microsoft Edge version 77 and later to Intune using the following steps:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add.
3. In the App type list under Microsoft Edge, version 77 and later, select Windows 10.

Configure app information


In this step, you provide information about this app deployment. This information helps you identify the app in
Intune, and it helps users find the app in the company portal.
1. Click App information to display the App information pane.
2. In the App information pane, you provide information about this app deployment. This information helps you
identify the app in Intune, and it helps users find the app in the company portal.
Name: Enter the name of the app as it will be displayed in the company portal. Make sure that all names
are unique. If the same app name exists twice, only one of the apps is displayed to users in the company
portal.
Description: Enter a description for the app. For example, you could list the targeted users in the
description.
Publisher: Microsoft appears as the publisher.
Category: Optionally, select one or more of the built-in app categories or a category that you created.
This setting makes it easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal: Select this option to display the app
prominently on the main page of the company portal when users browse for apps.
Information URL: Optionally, enter the URL of a website that contains information about this app. The
URL is displayed to users in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy information for this app. The
URL is displayed to users in the company portal.
Developer: Microsoft appears as the developer.
Owner: Microsoft appears as the owner.
Notes: Optionally, enter any notes that you want to associate with this app.
3. Select OK.

Configure app settings


In this step, configure installation options for the app.
1. In the Add App pane, select App settings .
2. In the App settings pane, select either Stable, Beta, or Dev from the Channel list to determine which Edge
channel you will deploy the app from.
Stable channel is the recommended channel for deploying broadly in Enterprise environments. It
updates every six weeks, each release incorporating improvements from the Beta channel.
Beta channel is the most stable Microsoft Edge preview experience and the best choice for a full pilot
within your organization. With major updates every six weeks, each release incorporates the learnings
and improvements from the Dev channel.
Dev channel is ready for enterprise feedback on Windows, Windows Server and macOS. It updates every
week and contains the latest improvements and fixes.

NOTE
The Microsoft Edge browser logo is displayed with the app when users browse the company portal.

3. Select OK .

Select scope tags (optional)


You can use scope tags to determine who can see client app information in Intune. For full details about scope tags,
see Use role-based access control and scope tags for distributed IT.
1. Select Scope (Tags) > Add.
2. Use the Select box to search for scope tags.
3. Select the check box next to the scope tags you want to assign to this app.
4. Click Select > OK.

Add the app


When you've completed configuring the app, select Add from the Add app pane.
The app you've created is displayed in the apps list, where you can assign it to the groups that you select.

NOTE
Currently, if you unassign the deployment of Microsoft Edge, it will remain on the device.

Uninstall the app


When you need to uninstall Microsoft Edge from users' devices, use the following steps.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Microsoft Edge app > Assignments > Add group.
3. In the Add group pane, select Uninstall.

NOTE
The app is uninstalled from devices in the selected groups if Intune has previously installed the application onto the
device via an Available for enrolled devices or Required assignment using the same deployment.

4. Select Included Groups to select the groups of users that are affected by this app assignment.
5. Select the groups to which you want to apply the uninstall assignment.
6. Click Select on the Select groups pane.
7. Click OK on the Assign pane to set the assignment.
8. If you want to exclude any groups of users from being affected by this app assignment, select Exclude
Groups.
9. If you have chosen to exclude any groups, in Select groups, select Select.
10. Select OK in the Add group pane.
11. Select Save in the app Assignments pane.

IMPORTANT
To uninstall the app successfully, make sure to remove the members or group assignment for install before assigning them to
be uninstalled. If a group is assigned to both install an app and uninstall an app, the app will remain and not be removed.

Troubleshooting
Microsoft Edge version 77 and later for Windows 10:
Intune uses the Intune management extension to download and deploy the Microsoft Edge installer to assigned
Windows 10 devices, then communicates the deployment settings to the Microsoft Edge installer, which downloads
and installs the Microsoft Edge browser directly from the CDN. Reference the prerequisites for the Intune
management extension, and the best practices outlined in accessing Azure Update Service and the CDN to ensure
that your network configuration permits Windows 10 devices to access these locations. In addition, to allow access
to installation files from a CDN to install the browser, you need to allow access to Windows Update endpoints. For
more information, see Manage connection endpoints for Windows 10, version 1809 – Windows Update and
Network endpoints for Microsoft Intune.
Next steps
Assign apps to groups
Add Microsoft Edge to macOS devices using
Microsoft Intune
9/4/2020 • 4 minutes to read

Before you can deploy, configure, monitor, or protect apps, you must add them to Intune. One of the available app
types is Microsoft Edge version 77 and later. By selecting this app type in Intune, you can assign and install
Microsoft Edge version 77 and later to devices you manage that run macOS. This app type makes it easy for you to
assign Microsoft Edge to macOS devices without requiring you to use the macOS app wrapping tool. To help keep
the apps more secure and up to date, the app comes with Microsoft AutoUpdate (MAU).

IMPORTANT
This app type offers developer and beta channels for macOS. The deployment is in English (EN) only, however end users can
change the display language in the browser under Settings > Languages.

NOTE
Microsoft Edge version 77 and later is available for Windows 10 as well.

Prerequisites
The macOS device must be running macOS 10.12 or later before installing Microsoft Edge.

Add Microsoft Edge to Intune


You can add Microsoft Edge version 77 and later to Intune using the following steps:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add.
3. In the App type list under Microsoft Edge, version 77 and later, select macOS.

Configure app information


In this step, you provide information about this app deployment. This information helps you identify the app in
Intune, and it helps users find the app in the company portal.
1. Click App information to display the App information pane.
2. In the App information pane, you provide information about this app deployment. This information helps you
identify the app in Intune, and it helps users find the app in the company portal.
Name: Enter the name of the app as it will be displayed in the company portal. Make sure that all names
are unique. If the same app name exists twice, only one of the apps is displayed to users in the company
portal.
Description: Enter a description for the app. For example, you could list the targeted users in the
description.
Publisher: Microsoft appears as the publisher.
Category: Optionally, select one or more of the built-in app categories or a category that you created.
This setting makes it easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal: Select this option to display the app
prominently on the main page of the company portal when users browse for apps.
Information URL: Optionally, enter the URL of a website that contains information about this app. The
URL is displayed to users in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy information for this app. The
URL is displayed to users in the company portal.
Developer: Microsoft appears as the developer.
Owner: Microsoft appears as the owner.
Notes: Optionally, enter any notes that you want to associate with this app.
3. Select OK.

Configure Microsoft Edge settings


In this step, configure installation options for the app.
1. In the Add App pane, select App settings .
2. In the App settings pane, select either Stable, Beta, or Dev from the Channel list to determine which Edge
channel you will deploy the app from.
Stable channel is the recommended channel for deploying broadly in Enterprise environments. It
updates every six weeks, each release incorporating improvements from the Beta channel.
Beta channel is the most stable Microsoft Edge preview experience and the best choice for a full pilot
within your organization. With major updates every six weeks, each release incorporates the learnings
and improvements from the Dev channel.
Dev channel is ready for enterprise feedback on Windows, Windows Server and macOS. It updates every
week and contains the latest improvements and fixes.

NOTE
The Microsoft Edge browser logo is displayed with the app when users browse the company portal.

3. Select OK .

Select scope tags (optional)


You can use scope tags to determine who can see client app information in Intune. For full details about scope tags,
see Use role-based access control and scope tags for distributed IT.
1. Select Scope (Tags) > Add.
2. Use the Select box to search for scope tags.
3. Select the check box next to the scope tags you want to assign to this app.
4. Click Select > OK.

Add the app


When you've completed configuring the app, select Add from the Add app pane.
The app you've created is displayed in the apps list, where you can assign it to the groups that you select.

NOTE
Currently, Apple does not provide a way for Intune to uninstall Microsoft Edge on macOS devices.

Next steps
To learn how to configure Microsoft Edge on macOS devices, see Configure Microsoft Edge on macOS devices.
To learn about including and excluding app assignments from groups of users, see Include and exclude app
assignments.
Assign apps to groups
Add Microsoft Defender ATP to macOS devices using
Microsoft Intune
9/4/2020 • 3 minutes to read

Before you can deploy, configure, monitor, or protect apps, you must add them to Intune. One of the available app
types is Microsoft Defender Advanced Threat Protection (ATP). By selecting this app type in Intune, you can assign
and install Microsoft Defender ATP to devices you manage that run macOS. This app type makes it easy for you to
assign Microsoft Defender ATP to macOS devices without requiring you to use the macOS app wrapping tool. To
help keep the apps more secure and up to date, the app comes with Microsoft AutoUpdate (MAU).

Prerequisites
The macOS device must be running macOS 10.13 or later.
The macOS device must have at least 650 MB of disk space.
Deploy the kernel extension in Intune. For more information, see Add macOS kernel extensions in Intune.

IMPORTANT
The kernel extension can be automatically approved only if it is present on the device before the Microsoft Defender ATP app
is installed. Otherwise, users see a "System extension blocked" message on the Mac and must approve the extension by going to
Security Preferences or System Preferences > Security & Privacy and then selecting Allow . For more information,
see Troubleshoot kernel extension issues in Microsoft Defender ATP for Mac.

Add Microsoft Defender ATP to Intune


You can add Microsoft Defender ATP to Intune using the following steps:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add .
3. In the App type list under the Microsoft Defender ATP , select macOS .

Configure app information


In this step, you provide information about this app deployment. This information helps you identify the app in
Intune, and it helps users find the app in the company portal.
1. Click App information to display the App information pane.
2. In the App information pane, you provide information about this app deployment. This information helps you
identify the app in Intune, and it helps users find the app in the company portal.
Name : Enter the name of the app as it will be displayed in the company portal. Make sure that all names
are unique. If the same app name exists twice, only one of the apps is displayed to users in the company
portal.
Description : Enter a description for the app. For example, you could list the targeted users in the
description.
Publisher : Microsoft appears as the publisher.
Category : Optionally, select one or more of the built-in app categories or a category that you created.
This setting makes it easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal : Select this option to display the app
prominently on the main page of the company portal when users browse for apps.
Information URL : Optionally, enter the URL of a website that contains information about this app. The
URL is displayed to users in the company portal.
Privacy URL : Optionally, enter the URL of a website that contains privacy information for this app. The
URL is displayed to users in the company portal.
Developer : Microsoft appears as the developer.
Owner : Microsoft appears as the owner.
Notes : Optionally, enter any notes that you want to associate with this app.
3. Select OK .

Select scope tags (optional)


You can use scope tags to determine who can see client app information in Intune. For full details about scope tags,
see Use role-based access control and scope tags for distributed IT.
1. Select Scope (Tags) > Add .
2. Use the Select box to search for scope tags.
3. Select the check box next to the scope tags you want to assign to this app.
4. Click Select > OK .

Add the app


When you've finished configuring, select Add from the Add app pane.
The app you've created is displayed in the apps list, where you can assign it to the groups that you select.

NOTE
Currently, Apple does not provide a way for Intune to uninstall Microsoft Defender ATP on macOS devices.

Next steps
To learn about applying an antivirus policy for endpoint security in Intune, see Antivirus policy for endpoint
security in Intune
To learn about including and excluding app assignments from groups of users, see Include and exclude app
assignments.
To learn how to assign apps to groups in Intune, see Assign apps to groups.
Use PowerShell scripts on Windows 10 devices in
Intune
9/4/2020 • 10 minutes to read • Edit Online

Use the Microsoft Intune management extension to upload PowerShell scripts in Intune to run on Windows 10
devices. The management extension enhances Windows device management (MDM), and makes it easier to move
to modern management.
This feature applies to:
Windows 10 and later (excluding Windows 10 Home)

NOTE
Once the Intune management extension prerequisites are met, the Intune management extension is installed automatically
when a PowerShell script or Win32 app is assigned to the user or device. For more information, see Intune Management
Extensions prerequisites.

Move to modern management


End-user computing is going through a digital transformation. Classic, traditional IT focuses on a single device
platform, business-owned devices, users that work from the office, and different manual, reactive IT processes. The
modern workplace uses many platforms that are user and business owned, allows users to work from anywhere,
and provides automated and proactive IT processes.
MDM services, such as Microsoft Intune, can manage mobile and desktop devices running Windows 10. The built-
in Windows 10 management client communicates with Intune to run enterprise management tasks. There are
some tasks that you might need, such as advanced device configuration and troubleshooting. For Win32 app
management, you can use the Win32 app management feature on your Windows 10 devices.
The Intune management extension supplements the in-box Windows 10 MDM features. You can create PowerShell
scripts to run on Windows 10 devices. For example, create a PowerShell script that does advanced device
configurations. Then, upload the script to Intune, assign the script to an Azure Active Directory (AD) group, and run
the script. You can then monitor the run status of the script from start to finish.

Prerequisites
The Intune management extension has the following prerequisites. Once the prerequisites are met, the Intune
management extension installs automatically when a PowerShell script or Win32 app is assigned to the user or
device.
Devices running Windows 10 version 1607 or later. If the device is enrolled using bulk auto-enrollment,
devices must run Windows 10 version 1709 or later. The Intune management extension isn't supported on
Windows 10 in S mode, as S mode doesn't allow running non-store apps.
Devices joined to Azure Active Directory (AD), including:
Hybrid Azure AD-joined: Devices joined to Azure Active Directory (AD), and also joined to on-premises
Active Directory (AD). See Plan your hybrid Azure Active Directory join implementation for guidance.
TIP
Be sure devices are joined to Azure AD. Devices that are only registered in Azure AD won't receive your scripts.

Devices enrolled in Intune, including:


Devices enrolled using Group Policy (GPO). See Enroll a Windows 10 device automatically using Group
Policy for guidance.
Devices manually enrolled in Intune, which is when:
Auto-enrollment to Intune is enabled in Azure AD. The end user signs in to the device using a local
user account, manually joins the device to Azure AD, and then signs in to the device using their
Azure AD account.
OR
User signs in to the device using their Azure AD account, and then enrolls in Intune.
Co-managed devices that use Configuration Manager and Intune. When installing Win32 apps, make
sure the Apps workload is set to Pilot Intune or Intune . PowerShell scripts will be run even if the
Apps workload is set to Configuration Manager . The Intune management extension will be
deployed to a device when you target a PowerShell script to the device. However, as noted above, the
device must be an Azure AD or Hybrid Azure AD joined device and must be running Windows 10
version 1607 or later. See the following articles for guidance:
What is co-management
Client apps workload
How to switch Configuration Manager workloads to Intune

NOTE
For information about using Windows 10 VMs, see Using Windows 10 virtual machines with Intune.

Create a script policy and assign it


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > PowerShell scripts > Add .

3. In Basics , enter the following properties, and select Next :


Name : Enter a name for the PowerShell script.
Description : Enter a description for the PowerShell script. This setting is optional, but recommended.
4. In Script settings , enter the following properties, and select Next :
Script location : Browse to the PowerShell script. The script must be less than 200 KB (ASCII).
Run this script using the logged on credentials : Select Yes to run the script with the user's
credentials on the device. Choose No (default) to run the script in the system context. Many
administrators choose Yes . If the script is required to run in the system context, choose No .
Enforce script signature check : Select Yes if the script must be signed by a trusted publisher.
Select No (default) if there isn't a requirement for the script to be signed.
Run script in 64-bit PowerShell host : Select Yes to run the script in a 64-bit PowerShell (PS) host
on a 64-bit client architecture. Select No (default) to run the script in a 32-bit PowerShell host.
When setting Yes or No , use the following table for new and existing policy behavior:

| Run script in 64-bit PS host | Client architecture | New PS script | Existing policy PS script |
| No | 32-bit | 32-bit PS host supported | Runs only in 32-bit PS host, which works on 32-bit and 64-bit architectures. |
| Yes | 64-bit | Runs script in 64-bit PS host for 64-bit architectures. When run on 32-bit, the script runs in a 32-bit PS host. | Runs script in 32-bit PS host. If this setting changes to 64-bit, the script opens (it doesn't run) in a 64-bit PS host, and reports the results. When run on 32-bit, the script runs in a 32-bit PS host. |

5. Select Scope tags . Scope tags are optional. Use role-based access control (RBAC) and scope tags for
distributed IT has more information.
To add a scope tag:
a. Choose Select scope tags > select an existing scope tag from the list > Select .
b. When finished, select Next .
6. Select Assignments > Select groups to include . An existing list of Azure AD groups is shown.
a. Select one or more groups that include the users whose devices receive the script. Choose Select .
The groups you chose are shown in the list, and will receive your policy.

NOTE
PowerShell scripts in Intune can be targeted to Azure AD device security groups or Azure AD user security
groups.

b. Select Next .
7. In Review + add , a summary is shown of the settings you configured. Select Add to save the script. When
you select Add , the policy is deployed to the groups you chose.

Important considerations
When scripts are set to user context and the end user has administrator rights, by default, the PowerShell
script runs under the administrator privilege.
End users aren't required to sign in to the device to execute PowerShell scripts.
The Intune management extension agent checks with Intune once every hour and after every reboot for any
new scripts or changes. After you assign the policy to the Azure AD groups, the PowerShell script runs, and
the run results are reported. Once the script executes, it doesn't execute again unless there's a change in the
script or policy. If the script fails, the Intune management extension agent will attempt to retry the script
three times for the next 3 consecutive Intune management extension agent check-ins.
For shared devices, the PowerShell script will run for every new user that signs in.
Failure to run script example
8 AM: Check in. Run script ConfigScript01. Script fails.
9 AM: Check in. Run script ConfigScript01. Script fails (retry count = 1).
10 AM: Check in. Run script ConfigScript01. Script fails (retry count = 2).
11 AM: Check in. Run script ConfigScript01. Script fails (retry count = 3).
12 PM: Check in. No additional attempts are made to run the ConfigScript01 script.
Going forward, if no additional changes are made to the script, no additional attempts will be made to run the
script.
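As an added example (not Microsoft's code and not taken from this article), the following PowerShell script is shaped for deployment through the Intune management extension: it logs the context that the 64-bit host and logged-on credentials settings produce, makes one idempotent change (setting the Microsoft Intune Management Extension service to start automatically, a condition the troubleshooting TIP later in this article calls out), and uses its exit code so that the retry behavior described above applies. The log folder, the function names and the re-launch into the 64-bit host are this example's own assumptions.

```powershell
# Added example (not Microsoft's code): a script shaped for deployment through the
# Intune management extension. It logs the execution context, applies one
# idempotent configuration change and signals the result through its exit code.
# The log folder, function names and the 64-bit re-launch are assumptions of this
# example, not settings from the article.

$LogDir  = Join-Path $env:ProgramData 'ExampleConfigScript'   # constructed location
$LogPath = Join-Path $LogDir 'ExampleConfigScript.log'
New-Item -Path $LogDir -ItemType Directory -Force | Out-Null

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
}

# The facts that the "Run script in 64-bit PowerShell host" and "Run this script
# using the logged on credentials" settings decide: host bitness and identity.
function Get-ScriptContext {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        User           = $identity.Name
        IsSystem       = $identity.IsSystem
        Is64BitProcess = [Environment]::Is64BitProcess
        Is64BitOS      = [Environment]::Is64BitOperatingSystem
        PSVersion      = $PSVersionTable.PSVersion.ToString()
    }
}

# With "Run script in 64-bit PowerShell host" left at No, a 64-bit client runs the
# script in the 32-bit host (SysWOW64). A common pattern, not described in the
# article, is to re-launch the script in the native host through the sysnative
# alias so that 64-bit registry and file-system views are used.
function Invoke-In64BitHostIfNeeded {
    if (-not [Environment]::Is64BitProcess -and [Environment]::Is64BitOperatingSystem) {
        $native = Join-Path $env:WINDIR 'sysnative\WindowsPowerShell\v1.0\powershell.exe'
        Write-Log "32-bit host on a 64-bit OS; re-launching under $native"
        & $native -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath
        exit $LASTEXITCODE
    }
}

# Desired state: the Microsoft Intune Management Extension service starts
# automatically (the troubleshooting TIP in this article notes that a Manual
# start type can keep it from restarting after a reboot).
function Test-DesiredState {
    $svc = Get-Service -DisplayName 'Microsoft Intune Management Extension' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $false }
    return ($svc.StartType -eq 'Automatic')
}

function Set-DesiredState {
    $svc = Get-Service -DisplayName 'Microsoft Intune Management Extension' -ErrorAction Stop
    Set-Service -Name $svc.Name -StartupType Automatic -ErrorAction Stop
}

try {
    Invoke-In64BitHostIfNeeded
    $ctx = Get-ScriptContext
    Write-Log ('Context: user={0} system={1} 64-bit process={2} PS={3}' -f `
        $ctx.User, $ctx.IsSystem, $ctx.Is64BitProcess, $ctx.PSVersion)

    if (Test-DesiredState) {
        Write-Log 'Already in the desired state; nothing to do.'
        exit 0
    }
    Set-DesiredState   # needs administrator rights; fails for a standard user in user context
    if (-not (Test-DesiredState)) { throw 'Service start type did not change.' }
    Write-Log 'Desired state applied.'
    exit 0
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    # A non-zero exit code is what makes Intune report the run as failed and
    # retry it at the next three check-ins.
    exit 1
}
```

Deployed with Run this script using the logged on credentials set to No, the script runs in the system context and the service change succeeds; deployed with Yes to a non-administrator user, Set-Service is denied, the catch block records the reason in the log and exit code 1 produces the failed status and the retry sequence shown in the example above.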

Monitor run status


You can monitor the run status of PowerShell scripts for users and devices in the Azure portal.
In PowerShell scripts , select the script to monitor, choose Monitor , and then choose one of the following
reports:
Device status
User status

Intune management extension logs


Agent logs on the client machine are typically in \ProgramData\Microsoft\IntuneManagementExtension\Logs . You can
use CMTrace.exe to view these log files.

Delete a script
In PowerShell scripts , right-click the script, and select Delete .

Common issues and resolutions


Issue: Intune management extension doesn't download
Possible resolutions :
The device isn't joined to Azure AD. Be sure the devices meet the prerequisites (in this article).
There are no PowerShell scripts or Win32 apps assigned to the groups that the user or device belongs to.
The device can't check in with the Intune service because, for example, it has no internet access or no access to
Windows Push Notification Services (WNS).
The device is in S mode. The Intune management extension isn't supported on devices running in S mode.
To see if the device is auto-enrolled, you can:
1. Go to Settings > Accounts > Access work or school .
2. Select the joined account > Info .
3. Under Advanced Diagnostic Report , select Create Report .
4. Open the MDMDiagReport in a web browser.
5. Search for the MDMDeviceWithAAD property. If the property exists, the device is auto-enrolled. If this
property doesn't exist, then the device isn't auto-enrolled.
Enable Windows 10 automatic enrollment includes the steps to configure automatic enrollment in Intune.
Issue: PowerShell scripts do not run
Possible resolutions :
The PowerShell scripts don't run at every sign-in. They run:
When the script is assigned to a device
If you change the script, upload it, and assign the script to a user or device

TIP
The Microsoft Intune Management Extension is a service that runs on the device, just like any other
service listed in the Services app (services.msc). After a device reboots, this service may also restart, and
check for any assigned PowerShell scripts with the Intune service. If the Microsoft Intune Management
Extension service is set to Manual, then the service may not restart after the device reboots.

Be sure devices are joined to Azure AD. Devices that are only joined to your workplace or organization
(registered in Azure AD) won't receive the scripts.
The Intune management extension client checks once per hour for any changes in the script or policy in
Intune.
Confirm the Intune management extension is downloaded to
%ProgramFiles(x86)%\Microsoft Intune Management Extension .

Scripts don't run on Surface Hubs or Windows 10 in S mode.


Review the logs for any errors. See Intune management extension logs (in this article).
For possible permission issues, be sure the properties of the PowerShell script are set to
Run this script using the logged on credentials . Also check that the signed in user has the appropriate
permissions to run the script.
To isolate scripting problems, you can:
Review the PowerShell execution configuration on your devices. See the PowerShell execution policy
for guidance.
Run a sample script using the Intune management extension. For example, create the C:\Scripts
directory, and give everyone full control. Run the following script:

write-output "Script worked" | out-file c:\Scripts\output.txt

If it succeeds, output.txt should be created, and should include the "Script worked" text.
To test script execution without Intune, run the scripts in the System account using the psexec tool
locally:
psexec -i -s

If the script reports that it succeeded, but it didn't actually succeed, then it's possible your antivirus
service may be sandboxing AgentExecutor. The following script always reports a failure in Intune. As
a test, you can use this script:

Write-Error -Message "Forced Fail" -Category OperationStopped
mkdir "c:\temp"
echo "Forced Fail" | out-file c:\temp\Fail.txt

If the script reports a success, look at the AgentExecutor.log to confirm the error output. If the script
executes, the length should be >2.
To capture the .error and .output files, the following snippet executes the script through
AgentExecutor to PSx86 ( C:\Windows\SysWOW64\WindowsPowerShell\v1.0 ). It keeps the logs for your
review. Remember, the Intune Management Extension cleans up the logs after the script executes:

# Prompt for the script to run and for the folder that receives the .output/.error/.timeout files
$scriptPath = read-host "Enter the path to the script file to execute"
$logFolder = read-host "Enter the path to a folder to output the logs to"
$outputPath = $logFolder+"\output.output"
$errorPath = $logFolder+"\error.error"
$timeoutPath = $logFolder+"\timeout.timeout"
$timeoutVal = 60000
# 32-bit (SysWOW64) PowerShell host, as used when "Run script in 64-bit PowerShell host" is No
$PSFolder = "C:\Windows\SysWOW64\WindowsPowerShell\v1.0"
$AgentExec = "C:\Program Files (x86)\Microsoft Intune Management Extension\agentexecutor.exe"
# Run the script through AgentExecutor exactly as the Intune management extension would
&$AgentExec -powershell $scriptPath $outputPath $errorPath $timeoutPath $timeoutVal $PSFolder 0 0

Next steps
Monitor and troubleshoot your profiles.
Use shell scripts on macOS devices in Intune
9/4/2020 • 10 minutes to read • Edit Online

Use shell scripts to extend device management capabilities on Intune beyond what is supported by the macOS
operating system.

Prerequisites
Ensure that the following prerequisites are met when composing shell scripts and assigning them to macOS
devices.
Devices are running macOS 10.12 or later.
Devices are managed by Intune.
Shell scripts begin with #! and must be in a valid location such as #!/bin/sh or #!/usr/bin/env zsh .
Command-line interpreters for the applicable shells are installed.

Important considerations before using shell scripts


Shell scripts require that the Microsoft Intune management agent is successfully installed on the macOS device.
For more information, see Microsoft Intune management agent for macOS.
Shell scripts run in parallel on devices as separate processes.
Shell scripts that are run as the signed-in user will run for all currently signed-in user accounts on the device at
the time of the run.
An end user is required to sign in to the device to execute scripts running as a signed-in user.
Root user privileges are required if the script requires making changes that a standard user account cannot.
Shell scripts will attempt to run more frequently than the chosen script frequency for certain conditions, such as
if the disk is full, if the storage location is tampered with, if the local cache is deleted, or if the Mac device
restarts.

Create and assign a shell script policy


1. Sign in to the Microsoft Endpoint Manager Admin Center.
2. Select Devices > macOS > Scripts > Add .
3. In Basics , enter the following properties, and select Next :
Name : Enter a name for the shell script.
Description : Enter a description for the shell script. This setting is optional, but recommended.
4. In Script settings , enter the following properties, and select Next :
Upload script : Browse to the shell script. The script file must be less than 200 KB in size.
Run script as signed-in user : Select Yes to run the script with the user's credentials on the device.
Choose No (default) to run the script as the root user.
Hide script notifications on devices : By default, script notifications are shown for each script that is
run. End users see an IT is configuring your computer notification from Intune on macOS devices.
Script frequency: Select how often the script is to be run. Choose Not configured (default) to run a
script only once.
Max number of times to retry if script fails : Select how many times the script should be run if it
returns a non-zero exit code (zero meaning success). Choose Not configured (default) to not retry
when a script fails.
5. In Scope tags , optionally add scope tags for the script, and select Next . You can use scope tags to
determine who can see scripts in Intune. For full details about scope tags, see Use role-based access control
and scope tags for distributed IT.
6. Select Assignments > Select groups to include . An existing list of Azure AD groups is shown. Select one
or more user or device groups that are to receive the script. Choose Select . The groups you choose are
shown in the list, and will receive your script policy.

NOTE
Shell scripts assigned to user groups apply to any user logging in to the Mac.
Updating assignments for shell scripts also updates assignments for Microsoft Intune MDM Agent for macOS.

7. In Review + add , a summary is shown of the settings you configured. Select Add to save the script. When
you select Add , the script policy is deployed to the groups you chose.
The script you created now appears in the list of scripts.

Monitor a shell script policy


You can monitor the run status of all assigned scripts for users and devices by choosing one of the following
reports:
Scripts > select the script to monitor > Device status
Scripts > select the script to monitor > User status

IMPORTANT
Irrespective of the selected Script frequency , the script run status is reported only the first time a script is run. Script run
status is not updated on subsequent runs. However, updated scripts are treated as new scripts and will report the run status
again.

Once a script runs, it returns one of the following statuses:


A script run status of Failed indicates that the script returned a non-zero exit code or the script is malformed.
A script run status of Success indicates that the script returned zero as the exit code.

Troubleshoot macOS shell script policies using log collection


You can collect device logs to help troubleshoot script issues on macOS devices.
Requirements for log collection
The following items are required to collect logs on a macOS device:
You must specify the full absolute log file path.
File paths must be separated using only a semicolon (;).
The maximum log collection size to upload is 60 MB (compressed) or 25 files, whichever occurs first.
File types that are allowed for log collection include the following extensions: .log, .zip, .gz, .tar, .txt, .xml, .crash,
.rtf
Collect device logs
1. Sign in to the Microsoft Endpoint Manager admin center.
2. In Device status or User status report, select a device.
3. Select Collect logs , provide folder paths of log files separated only by a semicolon (;) without spaces or
newlines in between paths.
For example, multiple paths should be written as /Path/to/logfile1.zip;/Path/to/logfile2.log .

IMPORTANT
Multiple log file paths separated using comma, period, newline or quotation marks with or without spaces will result
in log collection error. Spaces are also not allowed as separators between paths.

4. Select OK . Logs are collected the next time the Intune management agent on the device checks in with
Intune. This check-in usually occurs every 8 hours.

NOTE
Collected logs are encrypted on the device, transmitted and stored in Microsoft Azure storage for 30 days. Stored
logs are decrypted on demand and downloaded using Microsoft Endpoint Manager admin center.
In addition to the admin-specified logs, the Intune management agent logs are also collected from these folders:
/Library/Logs/Microsoft/Intune and ~/Library/Logs/Microsoft/Intune . The agent log file-names are
IntuneMDMDaemon date--time.log and IntuneMDMAgent date--time.log .
If any admin-specified file is missing or has the wrong file-extension, you will find these file-names listed in
LogCollectionInfo.txt .

Log collection errors


Log collection may not be successful due to any of the following reasons provided in the table below. To resolve
these errors, follow the remediation steps.

| Error code (hex) | Error code (dec) | Error message | Remediation steps |
| 0X87D300D1 | 2016214834 | Log file size cannot exceed 60 MB. | Ensure that compressed logs are less than 60 MB in size. |
| 0X87D300D1 | 2016214831 | The provided log file path must exist. The system user folder is an invalid location for log files. | Ensure that the provided file path is valid and accessible. |
| 0X87D300D2 | 2016214830 | Log collection file upload failed due to expiration of upload URL. | Retry the Collect logs action. |
| 0X87D300D3, 0X87D300D5, 0X87D300D7 | 2016214829, 2016214827, 2016214825 | Log collection file upload failed due to encryption failure. Retry log upload. | Retry the Collect logs action. |
|  | 2016214828 | The number of log files exceeded the allowed limit of 25 files. | Only up to 25 log files can be collected at a time. |
| 0X87D300D6 | 2016214826 | Log collection file upload failed due to zip error. Retry log upload. | Retry the Collect logs action. |
|  | 2016214740 | The logs couldn't be encrypted as compressed logs were not found. | Retry the Collect logs action. |
|  | 2016214739 | The logs were collected but couldn't be stored. | Retry the Collect logs action. |
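As an added example that is not part of this article (the function and variable names are this example's own), the following PowerShell function checks a Collect logs path list against the rules stated above before it is entered in the admin center. It catches the separator, absolute-path, extension and 25-file mistakes that produce the errors in the table; the 60 MB size limit and the "system user folder" restriction are enforced on the device and are not checked here.

```powershell
# Added example (not Microsoft's code): validate a Collect logs path list for
# macOS log collection against the rules in the article. Names are this
# example's own.

$AllowedLogExtensions = @('.log', '.zip', '.gz', '.tar', '.txt', '.xml', '.crash', '.rtf')
$MaxLogFiles = 25

function Test-IntuneMacLogPathList {
    param([Parameter(Mandatory)][string]$PathList)

    $problems = New-Object System.Collections.Generic.List[string]

    # Separator rules: only ';' between paths; no spaces, newlines, commas or quotation marks.
    if ($PathList -match '\s')   { $problems.Add('Whitespace (space, tab or newline) is not allowed anywhere in the list.') }
    if ($PathList -match '["'']') { $problems.Add('Quotation marks are not allowed.') }
    if ($PathList -match ',')    { $problems.Add('Paths must be separated by a semicolon, not a comma.') }

    $entries = $PathList.Split(';')
    if ($entries.Count -gt $MaxLogFiles) {
        $problems.Add("$($entries.Count) paths given; at most $MaxLogFiles files are collected at a time.")
    }

    foreach ($p in $entries) {
        if ([string]::IsNullOrEmpty($p)) {
            $problems.Add('Empty entry found (a leading, trailing or doubled semicolon).')
            continue
        }
        # Every path must be full and absolute.
        if (-not $p.StartsWith('/')) { $problems.Add("'$p' is not an absolute path.") }
        # Only the listed file extensions are collected.
        $ext = [System.IO.Path]::GetExtension($p).ToLowerInvariant()
        if ($AllowedLogExtensions -notcontains $ext) {
            $problems.Add("'$p' does not use an allowed extension ($($AllowedLogExtensions -join ', ')).")
        }
    }

    [pscustomobject]@{
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
        Paths    = $entries
    }
}

# Constructed sample inputs: the first follows the rules, the second uses a comma
# and a space as separators, which the device rejects.
Test-IntuneMacLogPathList '/Path/to/logfile1.zip;/Path/to/logfile2.log'
Test-IntuneMacLogPathList '/Path/to/logfile1.zip, /Path/to/logfile2.log'
```

Run it on the admin workstation with the exact string you intend to paste; when IsValid is false, Problems lists every rule the string breaks, so one round of edits fixes them all rather than one agent check-in (up to 8 hours) per error.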

Frequently asked questions


Why are assigned shell scripts not running on the device?
There could be several reasons:
The agent might need to check-in to receive new or updated scripts. This check-in process occurs every 8 hours
and is different from the MDM check-in. Make sure that the device is awake and connected to a network for a
successful agent check-in and wait for the agent to check-in. You can also request the end-user to open
Company Portal on the Mac, select the device and click Check settings .
The agent may not be installed. Check that the agent is installed at /Library/Intune/Microsoft Intune Agent.app
on the macOS device.
The agent may not be in a healthy state. The agent will attempt to recover for 24 hours, remove itself and
reinstall if shell scripts are still assigned.
How frequently is script run status reported?
Script run status is reported to Microsoft Endpoint Manager Admin Console as soon as script run is complete. If a
script is scheduled to run periodically at a set frequency, it only reports status the first time it runs.
When are shell scripts run again?
A script is run again only when the Max number of times to retry if script fails setting is configured and the
script fails on run. If the Max number of times to retry if script fails is not configured and a script fails on run,
it will not be run again and run status will be reported as failed .
What Intune role permissions are required for shell scripts?
Your assigned Intune role requires Device configurations permissions to delete, assign, create, update, or read
shell scripts.

Microsoft Intune management agent for macOS


Why is the agent required?
The Microsoft Intune management agent must be installed on managed macOS devices to enable advanced device
management capabilities that the native macOS operating system doesn't support.
How is the agent installed?
The agent is automatically and silently installed on Intune-managed macOS devices that you assign at least one
shell script to in Microsoft Endpoint Manager Admin Center. The agent is installed at
/Library/Intune/Microsoft Intune Agent.app when applicable and doesn't appear in Finder > Applications on
macOS devices. The agent appears as IntuneMdmAgent in Activity Monitor when running on macOS devices.
What does the agent do?
The agent silently authenticates with Intune services before checking in to receive assigned shell scripts for the
macOS device.
The agent receives assigned shell scripts and runs the scripts based on the configured schedule, retry attempts,
notification settings, and other settings set by the admin.
The agent checks for new or updated scripts with Intune services usually every 8 hours. This check-in process is
independent of the MDM check-in.
How can I manually initiate an agent check-in from a Mac?
On a managed Mac that has the agent installed, open Company Portal , select the local device, click on Check
settings . This initiates an MDM check-in as well as an agent check-in.
Alternatively, open Terminal , run the sudo killall IntuneMdmAgent command to terminate the IntuneMdmAgent
process. The IntuneMdmAgent process will restart immediately, which will initiate a check-in with Intune.

NOTE
The Sync action for devices in Microsoft Endpoint Manager Admin Console initiates an MDM check-in and does not force an
agent check-in.

When is the agent removed?


There are several conditions that can cause the agent to be removed from the device such as:
Shell scripts are no longer assigned to the device.
The macOS device is no longer managed.
The agent is in an irrecoverable state for more than 24 hours (device-awake time).
Why are scripts running even though the Mac is no longer managed?
When a Mac with assigned scripts is no longer managed, the agent is not removed immediately. The agent detects
that the Mac is not managed at the next agent check-in (usually every 8 hours) and cancels scheduled script-runs.
So, any locally stored scripts scheduled to run more frequently than the next scheduled agent check-in will run.
When the agent is unable to check-in, it retries checking in for up to 24 hours (device-awake time) and then
removes itself from the Mac.
How to turn off usage data sent to Microsoft for shell scripts?
To turn off usage data sent to Microsoft from the Intune management agent, open Company Portal and select
Menu > Preferences > uncheck 'allow Microsoft to collect usage data'. This will turn off usage data sent for both
the agent and Company Portal.

Known issues
No script run status: In the unlikely event that a script is received on the device and the device goes offline
before the run status is reported, the device will not report run status for the script in the admin console.

Next steps
Create a compliance policy in Microsoft Intune
Assign apps to groups with Microsoft Intune
9/4/2020 • 8 minutes to read • Edit Online

After you've added an app to Microsoft Intune, you can assign the app to users and devices. It is
important to note that you can assign an app to a device whether or not the device is managed by
Intune.

NOTE
The Available deployment intent is only supported for device groups when targeting Android Enterprise fully
managed devices (COBO) and Android Enterprise corporate-owned personally-enabled (COPE) devices.

The following table lists the various options for assigning apps to users and devices:

| Option | Devices enrolled with Intune | Devices not enrolled with Intune |
| Assign to users | Yes | Yes |
| Assign to devices | Yes | No |
| Assign wrapped apps or apps that incorporate the Intune SDK (for app protection policies) | Yes | Yes |
| Assign apps as Available | Yes | Yes |
| Assign apps as Required | Yes | No |
| Uninstall apps | Yes | No |
| Receive app updates from Intune | Yes | No |
| End users install available apps from the Company Portal app | Yes | No |
| End users install available apps from the web-based Company Portal | Yes | Yes |

NOTE
Currently, you can assign iOS/iPadOS and Android apps (line-of-business and store-purchased apps) to devices
that aren't enrolled with Intune.
To receive app updates on devices that aren't enrolled with Intune, device users must go to their organization's
Company Portal and manually install app updates.

Assign an app
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps .
3. In the Apps pane, select the app you want to assign.
4. In the Manage section of the menu, select Assignments .
5. Select Add Group to open the Add group pane that is related to the app.
6. For the specific app, select an assignment type :
Available for enrolled devices : Assign the app to groups of users who can install the
app from the Company Portal app or website.
Available with or without enrollment : Assign this app to groups of users whose
devices are not enrolled with Intune. Users must be assigned an Intune license, see Intune
Licenses.
Required : The app is installed on devices in the selected groups. Some platforms may
have additional prompts for the end user to acknowledge before app installation begins.
Uninstall : The app is uninstalled from devices in the selected groups if Intune has
previously installed the application onto the device via an "Available for enrolled devices"
or "Required" assignment using the same deployment. Web links cannot be removed after
deployment.

NOTE
For iOS/iPadOS apps only:
To configure what happens to managed apps when devices are no longer managed, you can
select the intended setting under Uninstall on device removal. For more information, see
App uninstall setting for iOS/iPadOS managed apps.
If you have created an iOS/iPadOS VPN profile that contains per-app VPN settings, you can
select the VPN profile under VPN. When the app is run, the VPN connection is opened. For
more information, see VPN settings for iOS/iPadOS devices.
For Android apps only: If you deploy an Android app as Available with or without
enrollment, reporting status will only be available on enrolled devices.
For Available for enrolled devices: The app is only displayed as available if the user logged
into the Company Portal is the primary user who enrolled the device and the app is applicable to
the device.

7. To select the groups of users that are affected by this app assignment, select Included Groups.
8. After you have selected one or more groups to include, select Select.
9. In the Assign pane, select OK to complete the included groups selection.
10. If you want to exclude any groups of users from being affected by this app assignment, select
Exclude Groups.
11. If you have chosen to exclude any groups, in Select groups, select Select.
12. In the Add group pane, select OK.
13. In the app Assignments pane, select Save.
The app is now assigned to the groups that you selected. For more information about including and
excluding app assignments, see Include and exclude app assignments.

How conflicts between app intents are resolved

A single group can't be targeted with multiple app assignment intents. However, if a user or a device
is a member of multiple groups that are each assigned with different intents, the result is a conflict.
Creating assignment conflicts for applications is not recommended. The following table shows the
resulting intent when a conflict occurs:

Group 1 intent | Group 2 intent | Resulting intent
User Required | User Available | Required and Available
User Required | User Uninstall | Required
User Available | User Uninstall | Uninstall
User Required | Device Required | Both exist, Intune treats Required
User Required | Device Uninstall | Both exist, Intune resolves Required
User Available | Device Required | Both exist, Intune resolves Required (Required and Available)
User Available | Device Uninstall | Both exist, Intune resolves Available. App shows up in the Company Portal. If the app is already installed (as a required app with previous intent), the app is uninstalled. If the user selects Install from the Company Portal, the app is installed, and the uninstall intent is not honored.
User Uninstall | Device Required | Both exist, Intune resolves Required
User Uninstall | Device Uninstall | Both exist, Intune resolves Uninstall
Device Required | Device Uninstall | Required
User Required and Available | User Available | Required and Available
User Required and Available | User Uninstall | Required and Available
User Required and Available | Device Required | Both exist, Required and Available
User Required and Available | Device Uninstall | Both exist, Intune resolves Required (Required and Available)
User Available without enrollment | User Required and Available | Required and Available
User Available without enrollment | User Required | Required
User Available without enrollment | User Available | Available
User Available without enrollment | Device Required | Required and Available without enrollment
User Available without enrollment | Device Uninstall | Uninstall and Available without enrollment. If the user didn't install the app from the Company Portal, the uninstall is honored. If the user installs the app from the Company Portal, the install is prioritized over the uninstall.

NOTE
For managed iOS store apps only, when you add these apps to Microsoft Intune and assign them as Required,
the apps are automatically created with both Required and Available intents.

iOS Store apps (not iOS/iPadOS VPP apps) that are targeted with required intent will be enforced on the device
at the time of the device check-in and will also show in the Company Portal app.

When conflicts occur in Uninstall on device removal setting, the app is not removed from the device when
the device is no longer managed.

Managed Google Play app deployment to unmanaged devices


For Android devices in a non-enrolled App Protection Policy Without Enrollment (APP-WE) deployment
scenario, you can use Managed Google Play to deploy store apps and line-of-business (LOB) apps to
users. Managed Google Play apps targeted as Available with or without enrollment appear in the
Play Store app on the end user's device, not in the Company Portal app. End users browse and install
apps deployed in this manner from the Play Store app. Because the apps are installed from managed
Google Play, the end user does not need to alter their device settings to allow app installation from
unknown sources, which keeps the device more secure. If the app developer publishes a new version of
an app to Play that was installed on a user's device, Play updates the app automatically.
Steps to assign a Managed Google Play app to unmanaged devices:
1. Connect your Intune tenant to managed Google Play. If you have already done this in order to
manage Android Enterprise work profile, dedicated, fully managed, or corporate-owned work profile
devices, you do not need to do it again.
2. Add apps from managed Google Play to your Intune console.
3. Target managed Google Play apps as Available with or without enrollment to the desired user
group. Required and Uninstall app targeting are not supported for non-enrolled devices.
4. Assign an App Protection Policy to the user group.
5. The next time the end user opens the Company Portal app, they will see a message indicating that
there are apps available for them in the Play Store app. The user can tap this notification to be
brought directly to the Play app to see corporate apps, or they can navigate to the Play Store app
separately.
6. The end user can expand the context menu within the Play Store app and switch between their
personal Google account (where they see their personal apps), and their work account (where they
will see store and LOB apps targeted to them). End users install the apps by tapping Install in the Play
Store app.
When an APP selective wipe is issued in the Intune console, the work account will be automatically
removed from the Play Store app and the end user will from that point no longer see work apps in the
Play Store app catalog. When the work account is removed from a device, apps installed from the Play
Store will remain installed on the device and will not uninstall.

App uninstall setting for iOS managed apps

For iOS/iPadOS devices, you can choose what happens to managed apps when the device is unenrolled
from Intune or the management profile is removed by using the Uninstall on device removal setting.
This setting only applies to apps after the device is enrolled and apps are installed as managed. The
setting cannot be configured for web apps or web links. Only data protected by Mobile Application
Management (MAM) is removed after retirement by an App Selective Wipe.
Default values for the setting are prepopulated for new assignments as follows:

iOS app type | Default setting for "Uninstall on device removal"
Line-of-business app | Yes
Store app | No
VPP app | No
Built-in app | No

NOTE
"Available" assignment types: If you're updating this setting for "available for enrolled devices" or "available
with or without enrollment" groups, users who already have the managed app won't get the updated setting
until they sync the device with Intune and re-install the app.
Pre-existing assignments: Assignments that existed prior to the introduction of this setting are unmodified
and all managed apps will be removed on device removal from management.

Next steps
To learn more about monitoring app assignments, see How to monitor apps.

Include and exclude app assignments in Microsoft Intune
9/4/2020 • 3 minutes to read

In Intune, you can determine who has access to an app by assigning groups of users to include and exclude.
Before you assign groups to the app, you must set the assignment type for an app. The assignment type makes
the app available, required, or uninstalls the app.
To set the availability of an app, you include and exclude app assignments to a group of users or devices by using
a combination of include and exclude group assignments. This capability can be useful when you make the app
available by including a large group, and then narrow the selected users by also excluding a smaller group. The
smaller group might be a test group or an executive group.
As a best practice, create and assign apps specifically for your user groups, and separately for your device groups.
For more information on groups, see Add groups to organize users and devices.
Important scenarios exist when including or excluding app assignments:
Exclusion takes precedence over inclusion in the following same-group-type scenarios:
Including user groups and excluding user groups when assigning apps
Including device groups and excluding device groups when assigning apps
For example, if you assign an app to the All corporate users user group, but exclude
members of the Senior Management Staff user group, all corporate users except the Senior
Management Staff get the assignment, because both groups are user groups.
Intune doesn't evaluate user-to-device group relationships. If you assign apps to mixed groups, the results
may not be what you want or expect.
For example, suppose you assign an app to the All Users user group, but exclude the All personal
devices device group. In this mixed-group app assignment, all users get the app. The exclusion does not
apply.
As a result, it's not recommended to assign apps to mixed groups.
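The two rules above (an exclusion cancels an include only when both are the same group kind, and a cross-kind exclusion is silently ignored) are easy to get wrong when reviewing a large tenant. The following Python is an added example and is not Intune's own evaluation code: it models one app assignment as include/exclude sets of user or device groups, evaluates whether the app reaches a given user/device pair, and flags exclusions that can never take effect. The Group and Assignment classes and the sample group names are constructed for this example to mirror the scenarios in the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    """An Azure AD group in this constructed model; kind is 'user' or 'device'."""
    name: str
    kind: str


@dataclass
class Assignment:
    """Include and exclude group sets for one app assignment (constructed model)."""
    included: set
    excluded: set


def app_applies(user_groups: set, device_groups: set, a: Assignment) -> bool:
    """Return True if the assignment reaches a user who is in user_groups
    and whose device is in device_groups.

    An include matches when the user (user group) or the device (device group)
    is a member. An exclusion cancels a matching include only if the exclusion
    is of the same kind; a device-group exclusion never cancels a user-group
    include, which is the mixed-group pitfall described in the text.
    """
    membership = {"user": user_groups, "device": device_groups}
    for inc in a.included:
        if inc not in membership[inc.kind]:
            continue  # this include does not reach the user/device at all
        blocked = any(
            exc.kind == inc.kind and exc in membership[exc.kind]
            for exc in a.excluded
        )
        if not blocked:
            return True
    return False


def ineffective_exclusions(a: Assignment) -> list:
    """Names of excluded groups whose kind matches no included group.

    Such exclusions are never evaluated against an include, so they have
    no effect; reviewing assignments for them catches mixed-group mistakes.
    """
    include_kinds = {inc.kind for inc in a.included}
    return sorted(exc.name for exc in a.excluded if exc.kind not in include_kinds)


# Constructed sample groups mirroring the examples in the text.
ALL_CORP_USERS = Group("All corporate users", "user")
SENIOR_MGMT = Group("Senior Management Staff", "user")
ALL_USERS = Group("All Users", "user")
ALL_PERSONAL_DEVICES = Group("All personal devices", "device")

# Same-kind exclusion: user group included, user group excluded.
SAME_KIND = Assignment(included={ALL_CORP_USERS}, excluded={SENIOR_MGMT})
# Mixed-kind exclusion: user group included, device group excluded.
MIXED_KIND = Assignment(included={ALL_USERS}, excluded={ALL_PERSONAL_DEVICES})


def demo() -> tuple:
    """Evaluate the three scenarios from the text; returns (exec, staff, personal)."""
    # An executive: included via All corporate users, excluded via Senior Management Staff.
    exec_gets_app = app_applies({ALL_CORP_USERS, SENIOR_MGMT}, set(), SAME_KIND)
    # Ordinary staff: included and not excluded.
    staff_gets_app = app_applies({ALL_CORP_USERS}, set(), SAME_KIND)
    # Any user on a personal device: the device-group exclusion is ignored.
    personal_gets_app = app_applies({ALL_USERS}, {ALL_PERSONAL_DEVICES}, MIXED_KIND)
    return exec_gets_app, staff_gets_app, personal_gets_app


if __name__ == "__main__":
    print("(executive, staff, personal device) ->", demo())
    print("Exclusions with no effect:", ineffective_exclusions(MIXED_KIND))
```

Running the block shows the executive is correctly excluded, the staff member gets the app, and the user on a personal device still gets the app even though a device group was excluded; `ineffective_exclusions` is the check to run over an assignment before saving it.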

NOTE
When you set a group assignment for an app, the Not Applicable type is deprecated and replaced with exclude group
functionality.
Intune provides pre-created All Users and All Devices groups in the console. The groups have built-in optimizations for
your convenience. It's highly recommended that you use these groups to target all users and all devices instead of any "all
users" or "all devices" groups that you might create yourself.
Android enterprise supports including and excluding groups. You can leverage the built-in All Users and All Devices
groups for Android enterprise app assignment.

Include and exclude groups when assigning apps


To assign an app to groups by using the include and exclude assignment:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps. The list of added apps is shown.
3. Select the app that you want to assign. A dashboard displays information about the app.
4. In the Manage section of the menu, select Assignments.
5. Select Add group to add the groups of users who are assigned the app.
6. In the Add group pane, select an Assignment type from the available assignment types.
7. For the assignment type, select Available with or without enrollment.
8. Select Included Groups to select the group of users that you want to make this app available to.

NOTE
When you add a group, if any other group has already been included for a specific assignment type, the app is
preselected and can't be modified for other include assignment types. The group that has been used can't be used
as an included group.

9. Select Yes to make this app available to all users.
10. Select OK to set the group to include.
11. Select Excluded Groups to select the groups of users that you want to make this app unavailable to.
12. Select the groups to exclude. This makes this app unavailable to those groups.
13. Select Select to complete your group selection.
14. In the Add group pane, select OK. The app Assignments list appears.
15. Click Save to make your group assignments active for the app.
When you make group assignments, groups that have already been assigned aren't available to be modified. If
you want to select a group that currently isn't available, first remove the app from the app's assigned list.
To edit assignments, in the app Assignments list, select the row that contains the specific assignment that you
want to change. You can also remove an assignment by selecting the ellipsis (…) at the end of a row, and then
selecting Remove.

NOTE
Removing a group assignment does not remove the related app. The installed app will remain on the device.

To change the view of the Assignments list, group by Assignment type or by Included/Excluded .

Next steps
For more information about including and excluding group assignments for apps, see the Microsoft Intune
blog.
Learn how to monitor app information and assignments.

Windows 10 app deployment by using Microsoft Intune
9/4/2020 • 5 minutes to read

Microsoft Intune supports a variety of app types and deployment scenarios on Windows 10 devices. After you've
added an app to Intune, you can assign the app to users and devices. This article provides more details on the
supported Windows 10 scenarios, and also covers key details to note when you're deploying apps to Windows.
Line-of-business (LOB) apps and Microsoft Store for Business apps are the app types supported on Windows 10
devices. The file extensions for Windows apps include .msi, .appx, and .appxbundle.

NOTE
To deploy modern apps, you need at least:
For Windows 10 1803, May 23, 2018—KB4100403 (OS Build 17134.81).
For Windows 10 1709, June 21, 2018—KB4284822 (OS Build 16299.522).
Only Windows 10 1803 and later support installing apps when there is no primary user associated.
LOB app deployment isn't supported on devices running Windows 10 Home editions.

Supported Windows 10 app types


Specific app types are supported based on the version of Windows 10 that your users are running. The following
table provides the app type and Windows 10 supportability.

App type | Home | Pro | Business | Enterprise | Education | S-Mode | HoloLens (1) | Surface Hub | WCOS | Mobile
.MSI | No | Yes | Yes | Yes | Yes | No | No | No | No | No
.IntuneWin | No | Yes | Yes | Yes | Yes | 19H2+ | No | No | No | No
Office C2R | No | Yes | Yes | Yes | Yes | RS4+ | No | No | No | No
LOB: APPX/MSIX | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
MSFB Offline | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
MSFB Online | Yes | Yes | Yes | Yes | Yes | Yes | RS4+ | No | Yes | Yes
Web Apps | Yes | Yes | Yes | Yes | Yes | Yes | Yes (2) | Yes (2) | Yes | Yes (2)
Store Link | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Microsoft Edge (3) | No | Yes | Yes | Yes | Yes | 19H2+ | No | No | No | No

(1) To unlock app management, upgrade your HoloLens device to Holographic for Business.
(2) Launch from the Company Portal only.
(3) For the Edge app to install successfully, devices must also be assigned an S-Mode policy.

NOTE
All Windows app types require enrollment.

Windows 10 LOB apps


You can sign and upload Windows 10 LOB apps to the Intune admin console. These can include modern apps, such
as Universal Windows Platform (UWP) apps and Windows App Packages (AppX), as well as Win32 apps, such as
simple Microsoft Installer package files (MSI). The admin must manually upload and deploy updates of LOB apps.
These updates are automatically installed on user devices that have installed the app. No user intervention is
required, and the user has no control over the updates.

Microsoft Store for Business apps


Microsoft Store for Business apps are modern apps, purchased from the Microsoft Store for Business admin portal.
They are then synced over to Microsoft Intune for management. The apps can either be online licensed or offline
licensed. The Microsoft Store directly manages updates, with no additional action required by the admin. You can
also prevent updates to specific apps by using a custom Uniform Resource Identifier (URI). For more information,
see Enterprise app management - Prevent app from automatic updates. The user can also disable updates for all
Microsoft Store for Business apps on the device.
Categorize Microsoft Store for Business apps
To categorize Microsoft Store for Business apps:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps.
3. Select a Microsoft Store for Business app. Then select Properties > App Information > Category.
4. Select a category.

Install apps on Windows 10 devices


Depending on the app type, you can install the app on a Windows 10 device in one of two ways:
User Context: When an app is deployed in user context, the managed app is installed for that user on the
device when the user signs in to the device. Note that the app installation doesn't succeed until the user signs in
to the device.
Modern LOB apps and Microsoft Store for Business apps (both online and offline) can be deployed in user
context. The apps support both the Required and Available intents.
Win32 apps built as User Mode or Dual Mode can be deployed in user context, and support both the
Required and Available intents.
Device Context: When an app is deployed in device context, the managed app is installed directly to the device
by Intune.
Only modern LOB apps and offline licensed Microsoft Store for Business apps can be deployed in device
context. These apps only support the Required intent.
Win32 apps built as Machine Mode or Dual Mode can be deployed in device context, and support only
the Required intent.

NOTE
For Win32 apps built as Dual Mode apps, the admin must choose if the app will function as a User Mode or Machine Mode
app for all assignments associated with that instance. The deployment context can't be changed per assignment.

Apps can only be installed in the device context when supported by the device and the Intune app type. Device
context installs are supported on Windows 10 desktops and Teams devices, such as the Surface Hub. They aren't
supported on devices running Windows Holographic for Business, such as the Microsoft HoloLens.
You can install the following app types in the device context and assign these apps to a device group:
Win32 apps
Offline licensed Microsoft Store for Business apps
LOB apps (MSI, APPX and MSIX)
Microsoft 365 Apps for enterprise
Windows LOB apps (specifically APPX and MSIX) and Microsoft Store for Business apps (Offline apps) that you've
selected to install in device context must be assigned to a device group. The installation fails if one of these apps is
deployed in the user context. The following status and error appears in the admin console:
Status: Failed.
Error: A user can't be targeted with a device context install.

IMPORTANT
When used in combination with an Autopilot white glove provisioning scenario, there is no requirement for LOB apps and
Microsoft Store for Business apps deployed in device context to target a device group. For more information, see Windows
Autopilot white glove deployment.

NOTE
After you save an app assignment with a specific deployment, you can't change the context for that assignment, except for
modern apps. For modern apps, you can change the context from user context to device context.

If there's a conflict in policies on a single user or device, the following priorities apply:
A device context policy is a higher priority than a user context policy.
An install policy is a higher priority than an uninstall policy.
For more information, see Include and exclude app assignments in Microsoft Intune. For more information about
app types in Intune, see Add apps to Microsoft Intune.

Next steps
Assign apps to groups with Microsoft Intune
How to monitor apps

Deploying apps using Intune on the GCC High and DoD Environments
9/4/2020 • 2 minutes to read

Microsoft Intune can be used by tenant administrators to distribute apps to their workforce. The workforce is the
company employee, the users of the apps. There are many types of apps that can be deployed from Intune on GCC
High or DoD environments. If an administrator needs to upload and distribute a Windows app intended for a GCC
High or DoD audience that is custom-made, created by third-party vendors, or as an offline app downloaded from
the Microsoft Store for Business, the admin can choose to distribute it as a line-of-business app.

NOTE
For commercial environments, a tenant admin can sync their Store for Business with Intune, however for GCC High and DoD
environments, this service is not available. Admins in this situation must deploy an app by uploading directly to Intune.

Add line-of-business apps using Intune


To add a line-of-business app intended for a GCC High or DoD environment using Intune, you can follow the
Windows LOB app instructions. You may choose to deploy the Company Portal first from the Microsoft Store for
Business. If you choose to use the Company Portal, you can manually install and deploy the Company Portal. For
more information, see How to configure the Microsoft Intune Company Portal app.

Distribute Offline Apps from the Store for Business using Intune
If you need to download an offline-licensed app from the Microsoft Store for Business, follow these steps to
download the application:
1. Sign in to the Store for Business.
2. Select Manage > Settings.
3. Under Shopping Experience, set Show offline apps to On.
When shopping for apps, if an offline version is available, you can choose to change the license type to offline. After
getting the app, you can then manage it by selecting Manage > Products & Services in the Store for Business.
Additionally, you can download the app and its dependencies. Then, you can deploy this downloaded app (and its
dependencies) to users using Intune.

Syncing Intune to the Store for Business


In a commercial (non-government) environment, an admin can sync Intune to the Microsoft Store for Business. This
is not an available feature on the government environments. For details about differences between Intune in
commercial environments and Intune for government environments, see Enterprise Mobility + Security for US
Government Service Description.
To sync Intune to your Store for Business account, see How to manage apps you purchased from the Microsoft
Store for Business with Microsoft Intune.

Compliance
Review the privacy and compliance statements of apps and compare them to the compliance, security and privacy
requirements of your organization when assessing the appropriate use of these services.

Next steps
To learn more about deploying and assigning apps, see Assign apps to groups with Microsoft Intune.

Monitor app information and assignments with Microsoft Intune
9/4/2020 • 2 minutes to read

Intune provides several ways to monitor the properties of apps that you manage and to manage app
assignment status.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps .
3. In the list of apps, select an app to monitor. You'll then see the app pane, which includes an overview of the
device status and the user status.

NOTE
Android Store apps that are deployed as Available do not report their installation status.
For Managed Google Play apps deployed to Android Enterprise work profile devices, you can view the status and version
number of the app installed on a device using Intune.

App overview pane


In the app pane, you can review details about the status of an app in your environment.
Essentials
The Essentials section contains the following information about the app:

App details | Description
Publisher | The publisher of the app.
Operating system | The app operating system (Windows, iOS/iPadOS, Android, and so on).
Created | The date and time when this revision was created. Note: This date value is updated when an IT admin changes app metadata, such as changing the app category or app description.
Assigned | Whether the app has been assigned (Yes or No).

Device and user status graphs


The graphs show the number of apps for the following status:

Device status | Description
Installed | The number of apps installed.
Not Installed | The number of apps not installed.
Failed | The number of failed installations.
Install Pending | The number of apps that are in the process of being installed.
Not Applicable | The number of apps for which status is not applicable.

NOTE
Be aware that Android LOB apps (.APK) deployed as Available with or without enrollment only report app
installation status for enrolled devices. App installation status is not available for devices that are not enrolled in Intune.

Device install status


A device status list is shown when you select Device install status in the Monitor section of the menu. The
details table includes the following columns:

Device column | Description
Device name | The name of the device on platforms that allow naming a device. On other platforms, Intune creates a name from other properties. This attribute isn't available to any other device.
User name | The name of the user.
Platform | The operating system of the device (Windows, iOS/iPadOS, Android, and so on).
Version | The version number of the app. For line-of-business (LOB) apps and Microsoft Store for Business apps, the full version number of the app is shown. The full version number identifies a specific release of the app. The number appears as Version(Build). For example, 2.2(2.2.17560800). For standard Store apps, no versions are shown.
Status | The status of the app.
Status details | The details of the status.
Last check-in | The date of the device's last sync with Intune.

User install status


A user status list is shown when you select User install status in the Monitor section of the menu. The details
table includes the following columns:

User column | Description
Name | The name of the user in Azure Active Directory.
User name | The unique name of the user.
Installations | The number of apps installed by the user.
Failures | The number of failed app installations for the user.
Not installed | The number of apps not installed by the user.

Next steps
To learn more about working with your Intune data, see Use the Intune Data Warehouse.
To learn about app configuration policies, see App configuration policies for Intune.

Intune discovered apps
9/4/2020 • 3 minutes to read

Intune discovered apps is a list of detected apps on the Intune enrolled devices in your tenant. It acts as a
software inventory for your tenant. Discovered apps is a separate report from the app installation reports. For
personal devices, Intune never collects information on applications that are unmanaged. On corporate devices, any
app whether it is a managed app or not is collected for this report. Below is the table mapping the expected
behavior. In general, the report refreshes every 7 days from the time of enrollment (not a weekly refresh for the
entire tenant). The only exception to this refresh period is application information collected through the Intune
Management Extension for Win32 Apps, which is collected every 24 hours.

Monitor discovered apps with Intune


Intune provides an aggregated list of detected apps on the Intune enrolled devices in your tenant.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > Monitor > Discovered apps .

NOTE
You can export the list of discovered apps to a .csv file by selecting Export from the Discovered apps pane.
For discovered Win32 apps, there currently is no aggregate count. This type of data can only be viewed on a per-device basis.

Intune also provides the list of discovered apps for the individual device in your tenant.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > All Devices .
3. Select a device.
4. To view detected apps for this device, select Discovered Apps in the Monitor section.
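Because the Discovered apps list is effectively a software inventory, a common defender task is to reconcile the exported .csv against an approved-software baseline. The following Python is an added example and is not part of Intune: it parses a constructed export (the column names Application name, Application version and Devices are an assumption for this example; check the header row of your own export and adjust) and reports apps that are missing from a hypothetical approved list or that are reported below the approved minimum version.

```python
import csv
import io

# Constructed sample export. The column names are an assumption for this
# example, not a documented Intune export schema; adjust them to match
# the header of the .csv you download from the Discovered apps pane.
SAMPLE_EXPORT = """\
Application name,Application version,Devices
Microsoft Edge,85.0.564.51,120
7-Zip,19.00,34
Unapproved Remote Tool,2.1,3
Microsoft Edge,84.0.522.63,5
"""

# Hypothetical approved-software baseline: app name -> minimum allowed version.
APPROVED = {
    "Microsoft Edge": "85.0.564.51",
    "7-Zip": "19.00",
}


def version_tuple(version: str) -> tuple:
    """Split a dotted version into a comparable tuple of integers.

    Non-numeric components compare as 0 so that oddly formatted versions
    do not crash the review; tune this if your baseline uses other schemes.
    """
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def review_inventory(csv_text: str, approved: dict) -> list:
    """Return (name, version, device_count, reason) for every row that is
    either not on the approved list or below the approved minimum version.

    Rows are reported in export order so the output can be diffed run to run.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Application name"].strip()
        version = row["Application version"].strip()
        devices = int(row["Devices"])
        if name not in approved:
            findings.append((name, version, devices, "not on approved list"))
        elif version_tuple(version) < version_tuple(approved[name]):
            findings.append((name, version, devices, "below minimum version"))
    return findings


if __name__ == "__main__":
    for name, version, devices, reason in review_inventory(SAMPLE_EXPORT, APPROVED):
        print(f"{name} {version} on {devices} device(s): {reason}")
```

The device count per row is carried through so that findings can be prioritised by footprint; note that, as the text states, Win32 rows have no aggregate count in the tenant-wide list, so a per-device export would be needed for those.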

Details of discovered apps


The following list provides the app platform type, the apps that are monitored for personal devices, the apps that
are monitored for company-owned devices, and the refresh cycle. For more information about app types
supported by Intune, see App types in Microsoft Intune.

Platform | For personally-owned devices | For company-owned devices | Refresh cycle
Windows 10 (Win32 Apps) NOTE: Requires Intune Management Extension on device | Not Applicable | MSI installed apps on the device | Every 24 hours from device enrollment
Windows 10 (Modern Apps) | Only managed modern apps | All modern apps installed on the device | Every 7 days from device enrollment
Windows 8.1 | Only managed apps | Only managed apps | Every 7 days from device enrollment
Windows RT | Only managed apps | Only managed apps | Every 7 days from device enrollment
iOS/iPadOS | Only managed apps | All apps installed on the device | Every 7 days from device enrollment
macOS | Only managed apps | All apps installed on the device | Every 7 days from device enrollment
Android | Only managed apps | All apps installed on the device | Every 7 days from device enrollment
Android Enterprise | Only managed apps | Only apps installed in the Work Profile | Every 7 days from device enrollment

NOTE
Windows 10 co-managed devices, as shown in the client apps workload in Configuration Manager, do not currently
collect app inventory through the Intune Management Extension (IME) on the above schedule. To mitigate this issue,
switch the client apps workload in Configuration Manager to Intune so that the IME is installed on the device
(IME is required for Win32 inventory and PowerShell deployment). Any changes or updates to this behavior are
announced in In development and/or What's new.
Personally-owned macOS devices enrolled before November 2019 may continue to show all apps installed on the device
until the devices are enrolled again.
Android Enterprise Fully Managed and Dedicated do not display discovered apps.

The number of discovered apps may not match the app install status count. Possibilities for inconsistencies include:
A targeting change of an installed managed app can cause the install count in the status pane to decrement, but
remain reported in the detected apps.
Targeting multiple instances of the same app in a tenant will result in different counts due to potential overlap of
users or devices. Each instance of the app will count overlapping users, but discovered apps will have duplicated
counts.
Discovered apps and app status are collected at different time intervals, which could cause a discrepancy in the
app counts.

Next steps
App types in Microsoft Intune
Monitor app information and assignments with Microsoft Intune

App configuration policies for Microsoft Intune
9/4/2020 • 8 minutes to read

App configuration policies can help you eliminate app setup problems by letting you assign configuration
settings to a policy that is assigned to end users before they run the app. The settings are then supplied
automatically when the app is configured on the end user's device, and end users don't need to take action. The
configuration settings are unique for each app.
You can create and use app configuration policies to provide configuration settings for both iOS/iPadOS or
Android apps. These configuration settings allow an app to be customized by using app configuration and
management. The configuration policy settings are used when the app checks for these settings, typically the first
time the app is run.
An app configuration setting, for example, might require you to specify any of the following details:
A custom port number
Language settings
Security settings
Branding settings such as a company logo
If end-users were to enter these settings instead, they could do this incorrectly. App configuration policies can
help provide consistency across an enterprise and reduce helpdesk calls from end-users trying to configure
settings on their own. By using app configuration policies, the adoption of new apps can be easier and quicker.
The available configuration parameters are ultimately decided by the developers of the app. Documentation from
the application vendor should be reviewed to see if an app supports configuration and what configurations are
available. For some applications, Intune will populate the available configuration settings.

NOTE
In the Managed Google Play Store, apps that support configuration will be marked as such:

You will only see apps from the Managed Google Play store, not the Google Play store, when using Managed Devices as the Enrollment Type for Android devices. The Managed Google Play store, which you may also know as Android for Work (AfW) or Android Enterprise, supplies the apps in the work profile, and those are the app versions that support app configuration.

You can assign an app configuration policy to a group of end-users and devices by using a combination of include
and exclude assignments. Once you add an app configuration policy, you can set the assignments for the app
configuration policy. When you set the assignments for the policy, you can choose to include and exclude the
groups of end-users for which the policy applies. When you choose to include one or more groups, you can
choose to select specific groups to include or select built-in groups. Built-in groups include All Users, All Devices, and All Users + All Devices.
You have two options to use app configuration policies with Intune:
Managed devices - The device is managed by Intune as the mobile device management (MDM) provider.
The app must be designed to support the app configuration.
Managed apps - An app that has been developed to integrate the Intune App SDK. This is known as
Mobile Application Management without enrollment (MAM-WE). You can also wrap an app to implement
and support the Intune App SDK. For more information about wrapping an app, see Prepare line-of-
business apps for app protection policies.

NOTE
Intune managed apps check in at an interval of 30 minutes for Intune App Configuration Policy status when deployed in conjunction with an Intune App Protection Policy. If an Intune App Protection Policy isn't assigned to the user, the Intune App Configuration Policy check-in interval is 720 minutes.

Apps that support app configuration


Managed devices
You can use app configuration policies for apps that support it. To support app configuration in Intune, apps must be written to support the use of app configurations as defined by the OS. Consult your app vendor for details on which app config keys they support.
Managed apps
You can prepare your line-of-business apps by either incorporating the Intune App SDK into the app, or wrapping
the app after it is developed using the Intune App Wrapping Tool. The Intune App SDK strives to minimize the
amount of code changes required from the app developer. For more information, see the Intune App SDK
overview. For a comparison between the Intune App SDK and the Intune App Wrapping Tool, see Prepare line-of-
business apps for app protection policies.
Selecting Managed apps as the Device Enrollment Type specifically refers to apps configured by Intune
configuration policies on a device that is not enrolled in device management, whereas Managed devices applies
to apps deployed through the MDM channel and thus are managed by Intune. Select the appropriate choice based
on these descriptions.

NOTE
For multi-identity apps, such as Microsoft Outlook, user preferences may be considered. Focused Inbox, for example, will
respect the user setting and not change the configuration. Other parameters do let you control whether a user can or
cannot change the setting. For more information, see Deploying Outlook for iOS/iPadOS and Android app configuration
settings.
Android app configuration policies
For Android app configuration policies, you can select the device enrollment type before creating an app
configuration profile. You can account for certificate profiles that are based on enrollment type (work profile, fully
managed, dedicated, and corporate-owned work profile). This update provides the following:
1. If a new profile is created and All Profile Types is selected for device enrollment type, you will not be able to
associate a certificate profile with the app config policy.
2. If a new profile is created and Work Profile only is selected, Work Profile certificate policies created under
Device Configuration can be utilized.
3. If a new profile is created and Fully Managed, Dedicated, and Corporate-Owned Work Profile Only is
selected, Fully Managed, Dedicated, and Corporate-Owned Work Profile certificate policies created
under Device Configuration can be utilized.
4. If you deploy a Gmail or Nine configuration profile to an Android Enterprise dedicated device which doesn’t
involve a user, it will fail because Intune can’t resolve the user.

IMPORTANT
Existing policies created prior to the release of this feature (April 2020 release - 2004) that do not have any certificate
profiles associated with the policy will default to All Profile Types for device enrollment type. Also, existing policies created
prior to the release of this feature that have certificate profiles associated with them will default to Work Profile only.
Existing policies will not remediate or issue new certificates.

Validate the applied app configuration policy


You can validate the app configuration policy using the following three methods:
1. Visibly on the device. Is the targeted app exhibiting the behavior applied in the App Configuration policy?
2. Via Diagnostic Logs (see the Diagnostic Logs section below).
3. In the Intune Portal. The Monitor section of a policy can provide the relevant status:
Additionally, under Intune -> Devices -> All Devices on the left side of the screen, the App
Configuration option will display all the assigned policies and their state:

Diagnostic Logs
iOS/iPadOS configuration on unmanaged devices
You can validate iOS/iPadOS configuration with the Intune Diagnostic Log on unmanaged devices for managed
app configuration. In addition to the below steps, you can access managed app logs using Microsoft Edge. For
more information, see Use Edge for iOS and Android to access managed app logs.
1. If not already installed on the device, download and install Microsoft Edge from the App Store. For more information, see Microsoft Intune protected apps.
2. Launch Microsoft Edge and select about > intunehelp from the navigation bar.
3. Click Get Started.
4. Click Share Logs.
5. Use the mail app of your choice to send the log to yourself so it can be viewed on your PC.
6. Review IntuneMAMDiagnostics.txt in your text file viewer.
7. Search for ApplicationConfiguration. The results will look like the following:
{
(
{
Name = "com.microsoft.intune.mam.managedbrowser.BlockListURLs";
Value = "https://www.aol.com";
},
{
Name = "com.microsoft.intune.mam.managedbrowser.bookmarks";
Value = "Outlook Web|https://outlook.office.com||Bing|https://www.bing.com";
}
);
},
{
ApplicationConfiguration =
(
{
Name = IntuneMAMUPN;
Value =
"CMARScrubbedM:13c45c42712a47a1739577e5c92b5bc86c3b44fd9a27aeec3f32857f69ddef79cbb988a92f8241af6df8b3c
ed7d5ce06e2d23c33639ddc2ca8ad8d9947385f8a";
},
{
Name = "com.microsoft.outlook.Mail.NotificationsEnabled";
Value = false;
}
);
}

Your application configuration details should match the application configuration policies configured for your
tenant.

iOS/iPadOS configuration on managed devices


You can validate iOS/iPadOS configuration with the Intune Diagnostic Log on managed devices for managed
app configuration.
1. If not already installed on the device, download and install Microsoft Edge from the App Store. For more information, see Microsoft Intune protected apps.
2. Launch Microsoft Edge and select about > intunehelp from the navigation bar.
3. Click Get Started.
4. Click Share Logs.
5. Use the mail app of your choice to send the log to yourself so it can be viewed on your PC.
6. Review IntuneMAMDiagnostics.txt in your text file viewer.
7. Search for AppConfig. Your results should match the application configuration policies configured for your tenant.
Android configuration on managed devices
You can validate Android configuration with the Intune Diagnostic Log on managed devices for managed app
configuration.
To collect logs from an Android device, you or the end user must download the logs from the device via a USB
connection (or the File Explorer equivalent on the device). Here are the steps:
1. Connect the Android device to your computer with the USB cable.
2. On the computer, look for a directory that has the name of your device. In that directory, find Android Device\Phone\Android\data\com.microsoft.windowsintune.companyportal.

3. In the com.microsoft.windowsintune.companyportal folder, open the Files folder and open OMADMLog_0.
4. Search for AppConfigHelper to find app configuration related messages. The results will look similar to the following block of data:
2019-06-17T20:09:29.1970000 INFO AppConfigHelper 10888 02256 Returning app config JSON
[{"ApplicationConfiguration":
[{"Name":"com.microsoft.intune.mam.managedbrowser.BlockListURLs","Value":"https:\/\/www.aol.com"},
{"Name":"com.microsoft.intune.mam.managedbrowser.bookmarks","Value":"Outlook
Web|https:\/\/outlook.office.com||Bing|https:\/\/www.bing.com"},
{"Name":"com.microsoft.intune.mam.managedbrowser.homepage","Value":"https:\/\/www.arstechnica.com"}]},
{"ApplicationConfiguration":[{"Name":"IntuneMAMUPN","Value":"AdeleV@M365x935807.OnMicrosoft.com"},
{"Name":"com.microsoft.outlook.Mail.NotificationsEnabled","Value":"false"},
{"Name":"com.microsoft.outlook.Mail.NotificationsEnabled.UserChangeAllowed","Value":"false"}]}] for
user User-875363642
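A script that extracts the AppConfigHelper lines described above and compares what the device received with the policy you expect. This is an added example, not code from Microsoft or the Company Portal app; the log line is constructed in the layout of the excerpt above, and the UPN, user id and homepage in it are placeholders.

```python
"""Check the app configuration an Android device actually received against the
policy you expect, using the AppConfigHelper lines in the Company Portal's
OMADMLog_0 file.

Added example, not code from Microsoft or the Company Portal. The log line is
constructed in the layout of the excerpt in the text; the UPN, user id and
homepage are placeholders.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample: one AppConfigHelper line plus one unrelated line. The
# "https:\/\/" escapes mirror how the log serialises the JSON.
SAMPLE_LOG = (
    "2019-06-17T20:09:29.1970000 INFO AppConfigHelper 10888 02256 Returning app config JSON "
    '[{"ApplicationConfiguration":'
    '[{"Name":"com.microsoft.intune.mam.managedbrowser.BlockListURLs","Value":"https:\\/\\/www.aol.com"},'
    '{"Name":"com.microsoft.intune.mam.managedbrowser.homepage","Value":"https:\\/\\/intranet.contoso.example"}]},'
    '{"ApplicationConfiguration":[{"Name":"IntuneMAMUPN","Value":"user@contoso.example"},'
    '{"Name":"com.microsoft.outlook.Mail.NotificationsEnabled","Value":"false"}]}] '
    "for user User-000000000\n"
    "2019-06-17T20:09:30.0000000 INFO OtherComponent 10888 02256 unrelated message\n"
)

# The JSON array runs from the first "[" after the marker to the last "]" before
# "for user"; the greedy .* is intentional so nested brackets stay inside the match.
_APPCONFIG_RE = re.compile(r"AppConfigHelper .*?Returning app config JSON (\[.*\]) for user (\S+)")


def parse_app_config_lines(log_text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (user, {name: value}) for each AppConfigHelper line in the log.

    Every policy object in the array carries its own ApplicationConfiguration
    list; they are flattened into one mapping per log line.
    """
    results: List[Tuple[str, Dict[str, str]]] = []
    for line in log_text.splitlines():
        match = _APPCONFIG_RE.search(line)
        if not match:
            continue
        payload = json.loads(match.group(1))  # json.loads also unescapes "\/"
        settings: Dict[str, str] = {}
        for policy in payload:
            for entry in policy.get("ApplicationConfiguration", []):
                settings[entry["Name"]] = entry["Value"]
        results.append((match.group(2), settings))
    return results


def check_against_policy(applied: Dict[str, str], expected: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare delivered settings with what the tenant policy should have sent.

    Values in the log are strings (booleans arrive as "false"), so the expected
    mapping uses the same string form. Returns the keys that never arrived and
    the keys whose value differs.
    """
    missing = sorted(k for k in expected if k not in applied)
    mismatched = sorted(k for k, v in expected.items() if k in applied and applied[k] != v)
    return {"missing": missing, "mismatched": mismatched}


if __name__ == "__main__":
    # Constructed expectation: one value differs and one key was never delivered.
    expected_policy = {
        "com.microsoft.intune.mam.managedbrowser.BlockListURLs": "https://www.aol.com",
        "com.microsoft.outlook.Mail.NotificationsEnabled": "true",
        "com.microsoft.intune.mam.managedbrowser.bookmarks": "Outlook Web|https://outlook.office.com",
    }
    for user, settings in parse_app_config_lines(SAMPLE_LOG):
        print(f"{user}: {len(settings)} settings delivered")
        print(check_against_policy(settings, expected_policy))
```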

Graph API support for app configuration


You can use Graph API to accomplish app configuration tasks. For details, see Graph API Reference MAM Targeted
Config. For more information about Intune and Graph, see Working with Intune in Microsoft Graph.

Troubleshooting
Using logs to show a configuration parameter
When the logs show a configuration parameter that is confirmed to be applying but doesn't seem to work, there
may be an issue with the configuration implementation by the app developer. Reaching out to that app developer
first, or checking their knowledge base, may save you a support call with Microsoft. If it is an issue with how the
configuration is being handled within an app, it would have to be addressed in a future updated version of that
app.

Next steps
Managed devices
Learn how to use app configuration with your iOS/iPadOS devices. See Add app configuration policies for
managed iOS/iPadOS devices.
Learn how to use app configuration with your Android devices. See Add app configuration policies for
managed Android devices.
Managed apps
Learn how to use app configuration with managed apps. See Add app configuration policies for managed apps
without device enrollment.
Add app configuration policies for managed
iOS/iPadOS devices
9/4/2020 • 7 minutes to read

Use app configuration policies in Microsoft Intune to provide custom configuration settings for an iOS/iPadOS
app. These configuration settings allow an app to be customized based on the app supplier's direction. You must
get these configuration settings (keys and values) from the supplier of the app. To configure the app, you specify
the settings as keys and values, or as XML containing the keys and values.
As the Microsoft Intune admin, you can control which user accounts are added to Microsoft Office applications on
managed devices. You can limit access to only allowed organization user accounts and block personal accounts on
enrolled devices. The supporting applications process the app configuration and remove and block unapproved
accounts. The configuration policy settings are used when the app checks for them, typically the first time it is run.
Once you add an app configuration policy, you can set the assignments for the app configuration policy. When
you set the assignments for the policy, you can choose to include and exclude the groups of users for which the
policy applies. When you choose to include one or more groups, you can choose to select specific groups to
include or select built-in groups. Built-in groups include All Users, All Devices, and All Users + All Devices.

NOTE
Intune provides pre-created All Users and All Devices groups in the console with built-in optimizations for your
convenience. It is highly recommended that you use these groups to target all users and all devices instead of any 'All
users' or 'All devices' groups you may have created yourself.

Once you have selected the included groups for your application configuration policy, you can also choose the
specific groups to exclude. For more information, see Include and exclude app assignments in Microsoft Intune.

TIP
This policy type is currently available only for devices running iOS/iPadOS 8.0 and later. It supports the following app
installation types:
Managed iOS/iPadOS app from the app store
App package for iOS
For more information about app installation types, see How to add an app to Microsoft Intune. For more information about
incorporating app config into your .ipa app package for managed devices, see Managed App Configuration in the iOS
developer documentation.

Create an app configuration policy


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Choose Apps > App configuration policies > Add > Managed devices. Note that you can choose between Managed devices and Managed apps. For more information, see Apps that support app configuration.
3. On the Basics page, set the following details:
Name - The name of the profile that appears in the Azure portal.
Description - The description of the profile that appears in the Azure portal.
Device enrollment type - This setting is set to Managed devices.
4. Select iOS/iPadOS as the Platform.
5. Click Select app next to Targeted app. The Associated app pane is displayed.
6. On the Targeted app pane, choose the managed app to associate with the configuration policy and click OK.
7. Click Next to display the Settings page.
8. In the dropdown box, select the Configuration settings format. Select one of the following methods to add configuration information:
Use configuration designer
Enter XML data

For details about using the configuration designer, see Use configuration designer. For details about entering XML data, see Enter XML data.
9. Click Next to display the Assignments page.
10. In the dropdown box next to Assign to, select either Selected groups, All users, All devices, or All users and all devices to assign the app configuration policy to.
11. Select All users in the dropdown box.
12. Click Select groups to exclude to display the related pane.
13. Choose the groups you want to exclude and then click Select.

NOTE
When adding a group, if any other group has already been included for a given assignment type, it is pre-selected and unchangeable for other include assignment types. Therefore, a group that has already been included cannot be used as an excluded group.

14. Click Next to display the Review + create page.

15. Click Create to add the app configuration policy to Intune.

Use configuration designer


Microsoft Intune provides configuration settings that are unique to an app. You can use the configuration
designer for apps on devices that are enrolled or not enrolled in Microsoft Intune. The designer lets you configure
specific configuration keys and values that help you create the underlying XML. You must also specify the data
type for each value. These settings are supplied to apps automatically when the apps are installed.
Add a setting
1. For each key and value in the configuration, set:
Configuration key - The key that uniquely identifies the specific setting configuration.
Value type - The data type of the configuration value. Types include Integer, Real, String, or Boolean.
Configuration value - The value for the configuration.
2. Choose OK to set your configuration settings.
Delete a setting
1. Choose the ellipsis (...) next to the setting.
2. Select Delete.
The {{ and }} characters are used by token types only and must not be used for other purposes.
Allow only configured organization accounts in multi-identity apps
As the Microsoft Intune administrator, you can control which work or school accounts are added to Microsoft
apps on managed devices. You can limit access to only allowed organization user accounts and block personal
accounts on enrolled devices. For iOS/iPadOS devices, use the following key/value pairs in a Managed Devices
app configuration policy:

Key: IntuneMAMAllowedAccountsOnly
Values:
Enabled: The only account allowed is the managed user account defined by the IntuneMAMUPN key.
Disabled (or any value that is not a case-insensitive match to Enabled): Any account is allowed.

Key: IntuneMAMUPN
Values: UPN of the account allowed to sign into the app. For Intune enrolled devices, the {{userprincipalname}} token may be used to represent the enrolled user account.

NOTE
The following apps process the above app configuration and only allow organization accounts:
Edge for iOS (44.8.7 and later)
OneDrive for iOS (10.34 and later)
Outlook for iOS (2.99.0 and later)
Teams for iOS (2.0.15 and later)

Enter XML data


You can type or paste an XML property list that contains the app configuration settings for devices enrolled in
Intune. The format of the XML property list varies depending on the app that you are configuring. For details
about the exact format to use, contact the supplier of the app.
Intune validates the XML format. However, Intune does not check that the XML property list (PList) works with the
target app.
To learn more about XML property lists:
Refer to Understand XML Property Lists in the iOS Developer Library.
Example format for an app configuration XML file
When you create an app configuration file, you can specify one or more of the following values by using this
format:

<dict>
<key>userprincipalname</key>
<string>{{userprincipalname}}</string>
<key>mail</key>
<string>{{mail}}</string>
<key>partialupn</key>
<string>{{partialupn}}</string>
<key>accountid</key>
<string>{{accountid}}</string>
<key>deviceid</key>
<string>{{deviceid}}</string>
<key>userid</key>
<string>{{userid}}</string>
<key>username</key>
<string>{{username}}</string>
<key>serialnumber</key>
<string>{{serialnumber}}</string>
<key>serialnumberlast4digits</key>
<string>{{serialnumberlast4digits}}</string>
<key>udidlast4digits</key>
<string>{{udidlast4digits}}</string>
<key>aaddeviceid</key>
<string>{{aaddeviceid}}</string>
</dict>

Supported XML PList data types


Intune supports the following data types in a property list:
<integer>
<real>
<string>
<array>
<dict>
<true /> or <false />
Tokens used in the property list
Additionally, Intune supports the following token types in the property list:
{{userprincipalname}}—for example, John@contoso.com
{{mail}}—for example, John@contoso.com
{{partialupn}}—for example, John
{{accountid}}—for example, fc0dc142-71d8-4b12-bbea-bae2a8514c81
{{deviceid}}—for example, b9841cd9-9843-405f-be28-b2265c59ef97
{{userid}}—for example, 3ec2c00f-b125-4519-acf0-302ac3761822
{{username}}—for example, John Doe
{{serialnumber}}—for example, F4KN99ZUG5V2 (for iOS/iPadOS devices)
{{serialnumberlast4digits}}—for example, G5V2 (for iOS/iPadOS devices)
{{aaddeviceid}}—for example, ab0dc123-45d6-7e89-aabb-cde0a1234b56
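A pre-flight validator for the XML property list format, the supported PList data types and the token list described in the three sections above. This is an added example and not Intune's own validation: Intune only checks that the XML is well-formed, so the script adds checks for unsupported element types and unknown {{token}} names (matched exactly as listed above, which is an assumption).

```python
"""Pre-flight checks for an Intune iOS/iPadOS app configuration property list.

Added example, not Intune's own validation. Intune checks that the XML is
well-formed but not that it suits the target app; this script adds the two
rules the text states: only the supported PList element types may be used, and
{{...}} may only carry one of the supported token names. Token names are matched
exactly as listed (an assumption; Intune's own matching may differ).
"""
import re
import xml.etree.ElementTree as ET
from typing import List

SUPPORTED_TYPES = {"integer", "real", "string", "array", "dict", "true", "false"}
SUPPORTED_TOKENS = {
    "userprincipalname", "mail", "partialupn", "accountid", "deviceid", "userid",
    "username", "serialnumber", "serialnumberlast4digits", "udidlast4digits",
    "aaddeviceid",
}
TOKEN_RE = re.compile(r"\{\{([^{}]*)\}\}")


def validate_app_config_plist(xml_text: str) -> List[str]:
    """Return a list of problems found; an empty list means all checks passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    # Accept either a bare <dict> (as in the example format) or a <plist> wrapper.
    if root.tag == "plist" and len(root) == 1:
        root = root[0]
    if root.tag != "dict":
        return [f"top-level element must be <dict>, found <{root.tag}>"]
    problems: List[str] = []
    _check_dict(root, problems, "")
    return problems


def _check_dict(node: ET.Element, problems: List[str], path: str) -> None:
    """A <dict> is a flat sequence of <key> elements, each followed by a value."""
    children = list(node)
    if len(children) % 2:
        problems.append(f"{path or '/'}: <dict> has a <key> without a value")
    for i in range(0, len(children) - 1, 2):
        key, value = children[i], children[i + 1]
        if key.tag != "key":
            problems.append(f"{path or '/'}: expected <key>, found <{key.tag}>")
            continue
        _check_value(value, problems, f"{path}/{key.text or '?'}")


def _check_value(node: ET.Element, problems: List[str], path: str) -> None:
    tag = node.tag
    if tag not in SUPPORTED_TYPES:
        problems.append(f"{path}: unsupported PList type <{tag}>")
        return
    if tag == "dict":
        _check_dict(node, problems, path)
    elif tag == "array":
        for i, child in enumerate(node):
            _check_value(child, problems, f"{path}[{i}]")
    elif tag == "string":
        text = node.text or ""
        tokens = TOKEN_RE.findall(text)
        for token in tokens:
            if token not in SUPPORTED_TOKENS:
                problems.append(f"{path}: unknown token {{{{{token}}}}}")
        # "{{" and "}}" are reserved for tokens; any other use is an error.
        if text.count("{{") != len(tokens) or text.count("}}") != len(tokens):
            problems.append(f"{path}: '{{{{' or '}}}}' used outside a token")


# Constructed samples: the first mirrors the example format above, the second
# has an unsupported <date> value and a misspelt token.
GOOD_PLIST = """<dict>
<key>userprincipalname</key><string>{{userprincipalname}}</string>
<key>deviceid</key><string>{{deviceid}}</string>
<key>allowedHosts</key><array><string>intranet.contoso.example</string></array>
<key>offline</key><true />
</dict>"""

BAD_PLIST = """<dict>
<key>expires</key><date>2020-09-04</date>
<key>upn</key><string>{{userprincipalnam}}</string>
<key>note</key><string>use {{ braces }} carefully</string>
</dict>"""

if __name__ == "__main__":
    print("good:", validate_app_config_plist(GOOD_PLIST) or "ok")
    print("bad:", validate_app_config_plist(BAD_PLIST))
```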

Configure the Company Portal app to support iOS and iPadOS DEP
devices
DEP (Apple's Device Enrollment Program) enrollments are not compatible with the app store version of the
Company Portal app. However, you can configure the Company Portal app to support iOS/iPadOS DEP devices
using the following steps.
1. In Intune, add the Intune Company Portal app if necessary, by going to Intune > Apps > All apps > Add.
2. Go to Apps > App configuration policies to create an app configuration policy for the Company Portal app.
3. Create an app configuration policy with the XML below. More information on how to create an app configuration policy and enter XML data can be found at Add app configuration policies for managed iOS/iPadOS devices.
Use the Company Portal on a DEP device enrolled with user affinity:

<dict>
<key>IntuneCompanyPortalEnrollmentAfterUDA</key>
<dict>
<key>IntuneDeviceId</key>
<string>{{deviceid}}</string>
<key>UserId</key>
<string>{{userid}}</string>
</dict>
</dict>

Use the Company Portal on a DEP device enrolled without user affinity:

NOTE
The user signing in to Company Portal is set as the primary user of the device.

<dict>
<key>IntuneUDAUserlessDevice</key>
<string>{{SIGNEDDEVICEID}}</string>
</dict>

4. Deploy the Company Portal to devices with the app configuration policy targeted to desired groups. Be
sure to only deploy the policy to groups of devices that are already DEP enrolled.
5. Tell end users to sign into the Company Portal app when it is automatically installed.

Monitor iOS/iPadOS app configuration status per device


Once a configuration policy has been assigned, you can monitor iOS/iPadOS app configuration status for each
managed device. From Microsoft Intune in the Azure portal, select Devices > All devices . From the list of
managed devices, select a specific device to display a pane for the device. On the device pane, select App
configuration .
Additional information
Deploying Outlook for iOS/iPadOS and Android app configuration settings

Next steps
Continue to assign and monitor the app.
Add app configuration policies for managed Android
Enterprise devices
9/4/2020 • 6 minutes to read

App configuration policies in Microsoft Intune supply settings to Managed Google Play apps on managed Android
Enterprise devices. The app developer exposes Android-managed app configuration settings. Intune uses these
exposed settings to let the admin configure features for the app. The app configuration policy is assigned to your
user groups. The policy settings are used when the app checks for them, typically the first time the app runs.

NOTE
Not every app supports app configuration. Check with the app developer to see if their app supports app configuration
policies.

1. Sign in to the Microsoft Endpoint Manager admin center.


2. Choose Apps > App configuration policies > Add > Managed devices. Note that you can choose between Managed devices and Managed apps. For more information, see Apps that support app configuration.
3. On the Basics page, set the following details:
Name - The name of the profile that appears in the Azure portal.
Description - The description of the profile that appears in the Azure portal.
Device enrollment type - This setting is set to Managed devices.
4. Select Android Enterprise as the Platform.
5. Click Select app next to Targeted app. The Associated app pane is displayed.
6. On the Associated app pane, choose the managed app to associate with the configuration policy and click OK.
7. Click Next to display the Settings page.
8. Click Add to display the Add permissions pane.
9. Click the permissions that you want to override. Permissions granted will override the "Default app permissions" policy for the selected apps.
10. Set the Permission state for each permission. You can choose from Prompt, Auto grant, or Auto deny. For more information about permissions, see Android Enterprise settings to mark devices as compliant or not compliant using Intune.
11. If the managed app supports configuration settings, the Configuration settings format dropdown box is visible. Select one of the following methods to add configuration information:
Use configuration designer
Enter JSON data

For details about using the configuration designer, see Use configuration designer. For details about entering JSON data, see Enter JSON data.
12. Click Next to display the Assignments page.
13. In the dropdown box next to Assign to, select either Selected groups, All users, All devices, or All users and all devices to assign the app configuration policy to.
14. Select All users in the dropdown box.
15. Click Select groups to exclude to display the related pane.
16. Choose the groups you want to exclude and then click Select.

NOTE
When adding a group, if any other group has already been included for a given assignment type, it is pre-selected and unchangeable for other include assignment types. Therefore, a group that has already been included cannot be used as an excluded group.

17. Click Next to display the Review + create page.

18. Click Create to add the app configuration policy to Intune.

Use the configuration designer


You can use the configuration designer for Managed Google Play apps when the app is designed to support
configuration settings. Configuration applies to devices enrolled in Intune. The designer lets you configure specific
configuration values for the settings exposed by the app.
1. Select Add. Choose the list of configuration settings that you want to enter for the app.
If you're using Gmail or Nine Work for your email app, see Android Enterprise device settings to configure email for more information on these settings.
2. For each key and value in the configuration, set:
Value type: The data type of the configuration value. For String value types, you can optionally choose a variable or certificate profile as the value type.
Configuration value: The value for the configuration. If you select variable or certificate for the Value type, choose from a list of variables or certificate profiles. If you choose a certificate, then the certificate alias of the certificate deployed to the device is populated at runtime.
Supported variables for configuration values
You can choose the following options if you choose variable as the value type:

Option: Example
AAD Device ID: dc0dc142-11d8-4b12-bfea-cae2a8514c82
Account ID: fc0dc142-71d8-4b12-bbea-bae2a8514c81
Intune Device ID: b9841cd9-9843-405f-be28-b2265c59ef97
Domain: contoso.com
Mail: john@contoso.com
Partial UPN: john
User ID: 3ec2c00f-b125-4519-acf0-302ac3761822
User name: John Doe
User Principal Name: john@contoso.com

Allow only configured organization accounts in multi-identity apps


As the Microsoft Intune administrator, you can control which work or school accounts are added to Microsoft apps
on managed devices. You can limit access to only allowed organization user accounts and block personal accounts
on enrolled devices. For Android devices, use the following key/value pairs in a Managed Devices app
configuration policy:

Key: com.microsoft.intune.mam.AllowedAccountUPNs
Values: One or more ; delimited UPNs. The only accounts allowed are the managed user accounts defined by this key. For Intune enrolled devices, the {{userprincipalname}} token may be used to represent the enrolled user account.

NOTE
The following apps process the above app configuration and only allow organization accounts:
Edge for Android (42.0.4.4048 and later)
Office, Word, Excel, PowerPoint for Android (16.0.9327.1000 and later)
OneDrive for Android (5.28 and later)
Outlook for Android (2.2.222 and later)
Teams for Android (1416/1.0.0.2020073101 and later)

Enter JSON data


Some configuration settings on apps (such as apps with Bundle types) can't be configured with the configuration
designer. Use the JSON editor for those values. Settings are supplied to apps automatically when the app is
installed.
1. For Configuration settings format, select Enter JSON editor.
2. In the editor, you can define JSON values for configuration settings. You can choose Download JSON template to download a sample file that you can then configure.
3. Choose OK, and then choose Add.
The policy is created and shown in the list.
When the assigned app is run on a device, it runs with the settings that you configured in the app configuration
policy.

Preconfigure the permissions grant state for apps


You can also preconfigure app permissions to access Android device features. By default, Android apps that
require device permissions, such as access to location or the device camera, prompt users to accept or deny
permissions.
For example, an app uses the device's microphone. The user is prompted to grant the app permission to use the
microphone.
1. In the Microsoft Endpoint Manager admin center, select Apps > App configuration policies > Add > Managed devices.
2. Add the following properties:
Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is Android Enterprise prompt permissions app policy for entire company.
Description: Enter a description for the profile. This setting is optional, but recommended.
Device enrollment type: This setting is set to Managed devices.
Platform: Select Android.
3. Select Associated App. Choose the app for which you want to define a configuration policy. Select from the list of Android work profile apps that you've approved and synchronized with Intune.
4. Select Permissions > Add. From the list, select the available app permissions > OK.
5. Select an option for each permission to grant with this policy:
Prompt: Prompt the user to accept or deny.
Auto grant: Automatically approve without notifying the user.
Auto deny: Automatically deny without notifying the user.
6. To assign the app configuration policy, select the app configuration policy > Assignment > Select groups. Choose the user groups to assign > Select.
7. Choose Save to assign the policy.

Additional information
Assigning a Managed Google Play app to Android Enterprise devices
Deploying Outlook for iOS/iPadOS and Android app configuration settings

Next steps
Continue to assign and monitor the app.
Add app configuration policies for managed apps
without device enrollment
9/4/2020 • 2 minutes to read

You can use app configuration policies with managed apps that support the Intune App SDK, even on devices that
are not enrolled.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Choose the Apps > App configuration policies > Add > Managed apps .
3. On the Basics page, set the following details:
Name : The name of the profile that will appear in the Azure portal.
Description : The description of the profile that will appear in the Azure portal.
Device enrollment type : Managed apps is selected.
4. Choose either Select public apps or Select custom apps to choose the app that you are going to
configure. Select the app from the list of apps that you have approved and synchronized with Intune.
5. Click Next to display the Settings page.
6. The Settings page provides options that are displayed based on the app that you're configuring:
General configuration settings - For each general configuration setting that the app supports,
type the Name and Value .
Intune App SDK-enabled apps support configurations in key/value pairs. To learn more about which
key-value configurations are supported, consult the documentation for each app. Note that you can
use tokens that will be dynamically populated with data generated by the application. To delete a
general configuration setting, choose the ellipsis (… ) and select Delete . For more information, see
Configuration values for using tokens.
Outlook configuration settings - Outlook for iOS and Android offers administrators the ability to
customize the default configuration for several in-app settings. For more information, see Outlook
for iOS and Android - General app configuration scenarios.
S/MIME - Secure Multipurpose Internet Mail Extensions (S/MIME) is a specification that allows users
to send and receive digitally signed and encrypted emails.
Enable S/MIME - Specify whether or not S/MIME controls are enabled when composing an
email. Default value: Not configured .
Allow user to change setting - Specify if the user is allowed to change the setting. S/MIME
must be enabled. Default value: Yes .
For information about Outlook app configuration policy settings, see Deploying Outlook for iOS and
Android app configuration settings.
7. Click Next to display the Assignments page.
8. Click Select groups to include .
9. Select a group in the Select groups to include pane and click Select .
10. Click Select groups to exclude to display the related pane.
11. Choose the groups you want to exclude and then click Select .

NOTE
When adding a group, a group that has already been included for a given assignment type is pre-selected and
cannot be changed for the other include assignment types. A group that has been used as an included group
therefore cannot also be used as an excluded group.

12. Click Next to display the Review + create page.


13. Click Create to add the app configuration policy to Intune.

Configuration values for using tokens


Intune can generate certain tokens and send them to the managed application. For example, if your app
configuration can use an email setting, you can add a dynamic email by using a token. Type the name expected by
the app in the Name field, and then type {{mail}} in the Value field.
Intune supports the following tokens in configuration values. No other tokens are supported; any other text
between {{ and }} is not expanded.
{{userprincipalname}}—for example, John@contoso.com
{{mail}}—for example, John@contoso.com
{{partialupn}}—for example, John
{{accountid}}—for example, fc0dc142-71d8-4b12-bbea-bae2a8514c81
{{userid}}—for example, 3ec2c00f-b125-4519-acf0-302ac3761822
{{username}}—for example, John Doe
{{PrimarySMTPAddress}}—for example, testuser@ad.domain.com

NOTE
The {{ and }} characters are used by token types only and must not be used for other purposes.
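As an added example (not part of the Intune documentation or of Microsoft's tooling), the following Python checks a set of managed-app configuration key/value pairs against the token rules above, shows what the app receives once Intune has expanded the tokens for a given user, and assembles the request body for creating the same policy through Microsoft Graph (POST /deviceAppManagement/targetedManagedAppConfigurations). The setting names and the sample user are constructed for the example; the Graph property names (customSettings, apps, mobileAppIdentifier) are those of the targetedManagedAppConfiguration resource, and the Outlook identifiers are the public bundle and package IDs.

```python
import re
from typing import Dict, List

# Tokens Intune expands when it delivers the configuration to the managed app.
SUPPORTED_TOKENS = {
    "userprincipalname", "mail", "partialupn", "accountid",
    "userid", "username", "PrimarySMTPAddress",
}
TOKEN_RE = re.compile(r"\{\{([^{}]*)\}\}")

# Constructed sample user: the values Intune would substitute for each token.
SAMPLE_USER = {
    "userprincipalname": "john@contoso.com",
    "mail": "john@contoso.com",
    "partialupn": "john",
    "accountid": "fc0dc142-71d8-4b12-bbea-bae2a8514c81",
    "userid": "3ec2c00f-b125-4519-acf0-302ac3761822",
    "username": "John Doe",
    "PrimarySMTPAddress": "john@contoso.com",
}


def validate_settings(settings: Dict[str, str]) -> List[str]:
    """Return the problems found in the key/value pairs; an empty list means they are acceptable.

    Rules: every {{...}} must name a supported token, and {{ / }} may not appear
    for any other purpose.
    """
    problems: List[str] = []
    for name, value in settings.items():
        if not name.strip():
            problems.append("empty setting name")
        for match in TOKEN_RE.finditer(value):
            if match.group(1) not in SUPPORTED_TOKENS:
                problems.append(name + ": unsupported token {{" + match.group(1) + "}}")
        leftover = TOKEN_RE.sub("", value)          # whatever is not a well-formed token
        if "{{" in leftover or "}}" in leftover:
            problems.append(name + ": {{ or }} used outside a token")
    return problems


def resolve_for_user(settings: Dict[str, str], user: Dict[str, str]) -> Dict[str, str]:
    """Expand the tokens the way the app will see them once Intune has populated them."""
    return {name: TOKEN_RE.sub(lambda m: user.get(m.group(1), m.group(0)), value)
            for name, value in settings.items()}


def build_graph_body(display_name: str, settings: Dict[str, str],
                     ios_bundle_ids: List[str], android_package_ids: List[str]) -> dict:
    """Request body for POST /deviceAppManagement/targetedManagedAppConfigurations."""
    problems = validate_settings(settings)
    if problems:
        raise ValueError("; ".join(problems))
    apps = [{"mobileAppIdentifier": {"@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                                     "bundleId": b}} for b in ios_bundle_ids]
    apps += [{"mobileAppIdentifier": {"@odata.type": "#microsoft.graph.androidMobileAppIdentifier",
                                      "packageId": p}} for p in android_package_ids]
    return {
        "displayName": display_name,
        "customSettings": [{"name": n, "value": v} for n, v in settings.items()],
        "apps": apps,
    }


if __name__ == "__main__":
    # Constructed settings: one pure token value, one token embedded in text.
    settings = {"IntuneMAMUPN": "{{userprincipalname}}", "Greeting": "Hi {{partialupn}}"}
    print(validate_settings(settings))
    print(resolve_for_user(settings, SAMPLE_USER))
    print(build_graph_body("Outlook app config", settings,
                           ["com.microsoft.Office.Outlook"], ["com.microsoft.office.outlook"]))
```

Run the validation before submitting the body: Intune stores whatever string you give it, so a misspelled token such as {{upn}} reaches the app literally instead of being expanded.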

Next steps
Continue to assign and monitor the app as usual.
Use iOS app provisioning profiles to prevent your
apps from expiring
9/4/2020

Introduction
Apple iOS/iPadOS line-of-business apps that are assigned to iPhones and iPads are built with an embedded
provisioning profile and code that is signed with a certificate. When the app runs, iOS/iPadOS confirms the
integrity of the app and enforces the policies defined by the provisioning profile. The following validations
happen:
Installation file integrity - iOS/iPadOS verifies the app's code signature against the enterprise signing
certificate's public key. If the signature does not match, the app's content might have been changed, and the app
is not allowed to run.
Capabilities enforcement - iOS/iPadOS enforces the app's capabilities (entitlements) from the enterprise
provisioning profile (not individual developer provisioning profiles) embedded in the app installation (.ipa) file.
The enterprise signing certificate that you use to sign apps typically lasts for three years, but the provisioning
profile expires after one year. While the certificate is still valid, Intune gives you the tools to proactively assign a
new provisioning profile to devices that have apps nearing expiry. After the certificate itself expires, you must
re-sign the app with a new certificate and embed a new provisioning profile tied to the key of the new certificate.
As the admin, you can include and exclude security groups when assigning an iOS/iPadOS app provisioning
configuration. For example, you can assign the configuration to All Users but exclude an executive group.
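The expiry check behind this feature is easy to reproduce before you upload a profile. The following Python, added here as an example and not part of the Intune documentation or of any Apple tooling, pulls the property list out of a .mobileprovision file (the file is DER-encoded CMS SignedData whose signed content is an XML plist, and ExpirationDate is the same value Intune reads to populate the profile's expiration date), reports the team, application identifier and whether it is an enterprise distribution profile, and classifies how close the profile is to expiring. The profiles it runs over are constructed stand-ins that carry the plist between filler bytes rather than a real CMS wrapper; the team ID, app ID and dates are invented.

```python
import plistlib
from datetime import datetime, timedelta
from typing import Any, Dict

PLIST_START, PLIST_END = b"<?xml", b"</plist>"


def extract_plist(mobileprovision: bytes) -> Dict[str, Any]:
    """Return the property list embedded in a .mobileprovision file.

    Slicing out the <?xml ... </plist> span is the usual quick read; it does not
    verify Apple's signature over the profile (on macOS `security cms -D -i` does
    both), so treat the result as untrusted input from a possibly tampered file.
    """
    start = mobileprovision.find(PLIST_START)
    end = mobileprovision.find(PLIST_END)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist; not a provisioning profile?")
    return plistlib.loads(mobileprovision[start:end + len(PLIST_END)])


def profile_status(profile: Dict[str, Any], now: datetime, warn_days: int = 30) -> Dict[str, Any]:
    """Summarise the fields Intune and iOS care about and classify the time left.

    plistlib returns naive datetimes in UTC, so `now` must be naive UTC as well.
    """
    days_left = (profile["ExpirationDate"] - now).days
    state = "expired" if days_left < 0 else "expiring" if days_left <= warn_days else "ok"
    return {
        "name": profile.get("Name"),
        "team": (profile.get("TeamIdentifier") or [None])[0],
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        # ProvisionsAllDevices is set only on enterprise (in-house) distribution profiles
        "enterprise": bool(profile.get("ProvisionsAllDevices", False)),
        "days_left": days_left,
        "state": state,
    }


def make_sample_profile(expiration: datetime) -> bytes:
    """Constructed stand-in for a .mobileprovision: the plist between filler bytes.

    A real file wraps the plist in a CMS/PKCS#7 structure; only the plist is modelled.
    """
    plist = plistlib.dumps({
        "Name": "Contoso Enterprise Distribution",
        "TeamIdentifier": ["ABCDE12345"],
        "ExpirationDate": expiration,
        "ProvisionsAllDevices": True,
        "Entitlements": {"application-identifier": "ABCDE12345.com.contoso.fieldapp"},
    })
    return b"\x30\x82\x0b\x00" + b"\x00" * 16 + plist + b"\x00" * 16


SAMPLE_NOW = datetime(2020, 9, 4)   # the page's date, used as "today" for the sample
SAMPLE_PROFILES = {
    "fieldapp": make_sample_profile(SAMPLE_NOW + timedelta(days=20)),
    "inventory": make_sample_profile(SAMPLE_NOW + timedelta(days=400)),
    "legacy": make_sample_profile(SAMPLE_NOW - timedelta(days=1)),
}


def check_sample_profiles(now: datetime = SAMPLE_NOW) -> Dict[str, Dict[str, Any]]:
    """Run the expiry check over the constructed profiles; returns label -> status."""
    return {label: profile_status(extract_plist(blob), now)
            for label, blob in SAMPLE_PROFILES.items()}


if __name__ == "__main__":
    for label, status in check_sample_profiles().items():
        print(f"{label}: {status['state']} ({status['days_left']} days left, "
              f"team {status['team']}, enterprise={status['enterprise']})")
```

A profile that reports "expiring" is the one to replace through Intune while the signing certificate is still valid; one that reports "expired" cannot be rescued this way if the certificate has also lapsed, and the app must be re-signed.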

How to create an iOS mobile app provisioning profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > iOS app provisioning profiles > Create profile .
3. On the Basics page, add the following values:
Name - Provide a name for this mobile provisioning profile.
Description - Optionally, provide a description for the policy.
Upload profile file - Choose the Open icon, and then choose an Apple provisioning profile file (with the
extension .mobileprovision ) that you downloaded from the Apple Developer website.
The Expiration date is populated from the expiration value inside the provisioning profile file that you
added above.
4. Click Next: Scope tags .
On the Scope tags page you can optionally configure scope tags to determine who can see iOS/iPadOS
app provisioning profile in Intune. For more information about scope tags, see Use role-based access control
and scope tags for distributed IT.
5. Click Next: Assignments .
The Assignments page allows you to assign the profile to users and devices. Note that you can assign a
profile to a device whether or not the device is managed by Intune.
6. Click Next: Review + create to review the values you entered for the profile.
7. When you are done, click Create to create the iOS/iPadOS app provisioning profile in Intune.

Next steps
Assign the profile to the required iOS/iPadOS devices. For more information, use the steps in How to assign device
profiles.
Configure the Microsoft Managed Home Screen app
for Android Enterprise
9/4/2020

The Managed Home Screen is the application used for corporate-owned Android Enterprise dedicated devices
enrolled via Intune and running in multi-app kiosk mode. For these devices, the Managed Home Screen acts as the
launcher for other approved apps to run on top of it. The Managed Home Screen provides IT admins the ability to
customize their devices and to restrict the capabilities that the end user can access.

When to configure the Microsoft Managed Home Screen app


Typically, if settings are available to you through Device configuration, configure the settings there. Doing so will
save you time, minimize errors, and will give you a better Intune-support experience. However, some of the
Managed Home Screen settings are currently only available via the App configuration policies pane in the
Intune console. Use this document to learn how to configure the different settings either using the configuration
designer or a JSON script.

NOTE
It is currently possible, and advisable, to set allow-listed applications and pinned web links through Apps and Device
configuration . For the full list of settings available in Device configuration that impact Managed Home Screen, see
Dedicated device settings.

First, navigate to the Microsoft Endpoint Manager admin center and select Apps > App configuration policies .
Add a configuration policy for Managed devices running Android and choose Managed Home Screen as the
associated app. Click on Configuration settings to configure the different available Managed Home Screen
settings.

Choosing a Configuration Settings Format


There are two methods that you can use to define configuration settings for Managed Home Screen:
Configuration designer allows you to configure settings with an easy-to-use UI that lets you toggle features
on or off and set values. In this method, there are a few disabled configuration keys with value type BundleArray
. These configuration keys can only be configured by entering JSON data.
JSON data allows you to define all possible configuration keys using a JSON script.
If you add properties with Configuration Designer, you can automatically convert these properties to JSON by
selecting Enter JSON data from the Configuration settings format dropdown.

Using Configuration Designer


Configuration designer allows you to select pre-populated settings and their associated values.
The following table lists the Managed Home Screen available configuration keys, value types, default values, and
descriptions. The description provides the expected device behavior based on the selected values. Configuration
keys that are disabled in Configuration Designer are not listed in the table.

Set Grid Size (string; default: Auto) - Sets the grid on which apps are positioned on the Managed Home Screen,
in the format columns;rows (for example 4;5). The number of columns is the maximum number of apps shown in
each row, and the number of rows is the maximum number of apps shown in each column.

Enable notifications badge (bool; default: FALSE) - Enables the notification badge on app icons, which shows the
number of unread notifications for that app. If this key is left disabled, end users see no badges on apps that
have unread notifications.

Lock Home Screen (bool; default: TRUE) - Prevents the end user from moving app icons on the home screen. When
TRUE, icons are locked and cannot be dragged to other grid positions. When FALSE, end users can move
application and web link icons around the Managed Home Screen.

Set device wall paper (string; default: Default) - Sets a wallpaper of your choice by entering the URL of the
image to use.

Set app icon size (integer; default: 2) - Sets the icon size for apps displayed on the home screen: 0 (Smallest),
1 (Small), 2 (Regular), 3 (Large) or 4 (Largest).

Set app folder icon (integer; default: 0) - Sets the appearance of app folders on the home screen: 0 (Dark
Square), 1 (Dark Circle), 2 (Light Square) or 3 (Light Circle).

Set screen orientation (integer; default: 1) - Sets the orientation of the home screen: 1 (portrait), 2
(landscape) or 3 (auto-rotate).

Set allow-listed applications (bundleArray) - Defines which of the apps installed on the device are visible on the
home screen. Enter the package name of each app to show; for example, com.android.settings makes Settings
accessible from the home screen. Apps must already be installed on the device to appear.

Set pinned web links (bundleArray) - Pins websites as quick-launch icons on the home screen. Define the URL and it
is added to the home screen for the end user to open in the browser with a single tap. Note: we recommend that
you instead create, assign and approve Managed Google Play web links for your devices; these are treated like
allow-listed applications.

Enable screen saver (bool; default: FALSE) - Whether screen saver mode is enabled. If TRUE, you can also
configure screen_saver_image , screen_saver_show_time , inactive_time_to_show_screen_saver , and
media_detect_screen_saver .

Screen saver image (string; no default) - The URL of the screen saver image. If no URL is set, devices show the
default image (the Managed Home Screen app icon) when the screen saver is activated.

Screen saver show time (integer; default: 0) - The number of seconds the device displays the screen saver in
screen saver mode. If 0, the screen saver stays on screen until the device becomes active.

Inactive time to enable screen saver (integer; default: 30) - The number of seconds the device must be inactive
before the screen saver is triggered. If 0, the device never enters screen saver mode.

Media detect before showing screen saver (bool; default: TRUE) - Whether the device checks for playing
audio/video before showing the screen saver. If TRUE, the screen saver is not shown while audio/video is playing,
regardless of the value of inactive_time_to_show_screen_saver . If FALSE, the screen saver is shown according to
inactive_time_to_show_screen_saver even while media is playing.

Enable virtual home button (bool; default: FALSE) - Set to TRUE to give the end user a Managed Home Screen home
button that returns them to the Managed Home Screen from their current task.

Type of virtual home button (string; default: swipe_up) - Use swipe_up to reach the home button with a swipe-up
gesture. Use float for a sticky, persistent home button that the end user can move around the screen.

Battery and Signal Strength indicator bar (bool; default: TRUE) - Set to TRUE to show the battery and signal
strength indicator bar.

Exit lock task mode password (string; no default) - A 4-6 digit code used to temporarily drop out of lock-task
mode for troubleshooting. Anyone who knows this code can leave kiosk mode, so treat it as a shared secret.

Show Managed Setting (bool; default: TRUE) - "Managed Setting" is a Managed Home Screen app that appears only
if you have configured any of the quick-access settings ( Show Wi-Fi setting , Show Bluetooth setting , Show
volume setting , Show flashlight setting ). These settings can also be reached by swiping down on the screen.
Set to FALSE to hide the "Managed Setting" app so that end users reach those settings only by swiping down.

Enable easy access debug menu (bool; default: FALSE) - Set to TRUE to expose the debug menu from the Managed
Settings app or from the swipe-down menu while in Managed Home Screen. The debug menu is currently where the
capability to exit kiosk mode lives; by default it is reached by pressing the back button about 15 times. Leave
this set to FALSE to keep the back-button sequence as the only entry point to the debug menu.

Show Wi-Fi setting (bool; default: FALSE) - Set to TRUE to let the end user turn Wi-Fi on or off and connect to
different Wi-Fi networks.

Enable Wi-Fi allow-list (bool; default: FALSE) - Set to TRUE and fill out the Wi-Fi allow-list key to restrict
which Wi-Fi networks are shown within Managed Home Screen. Set to FALSE to show every Wi-Fi network the device has
discovered. This setting is only relevant if Show Wi-Fi setting is TRUE and the Wi-Fi allow-list has been filled
out.

Wi-Fi allow-list (bundleArray) - The SSIDs of the Wi-Fi networks the device should show within Managed Home
Screen. This list is only relevant if Show Wi-Fi setting and Enable Wi-Fi allow-list are both TRUE; if either is
FALSE you do not need to modify it.

Show Bluetooth setting (bool; default: FALSE) - Set to TRUE to let the end user turn Bluetooth on or off and
connect to Bluetooth-capable devices.

Show volume setting (bool; default: FALSE) - Set to TRUE to give the end user a volume slider for adjusting media
volume.

Show flashlight setting (bool; default: FALSE) - Set to TRUE to let the end user turn the device's flashlight on
or off. If the device has no flashlight, the setting does not appear even when set to TRUE.

Show device info setting (bool; default: FALSE) - Set to TRUE to let the end user view quick information about
the device (make, model and serial number) from the Managed Setting app or the swipe-down menu.

Applications in folder are ordered by name (bool; default: TRUE) - Set to FALSE to show items in a folder in the
order in which they are specified. Otherwise they appear in the folder alphabetically.

Application order enabled (bool; default: FALSE) - Set to TRUE to enable ordering of applications, web links, and
folders on the Managed Home Screen. Once enabled, set the order with the Application order key ( app_orders in
JSON).

Application order (bundleArray) - Specifies the order of applications, web links and folders on the Managed Home
Screen. To use this setting, Lock Home Screen must be enabled, Set grid size must be defined, and Application
order enabled must be set to TRUE.

Enter JSON Data


Enter JSON data to configure all available settings for Managed Home Screen, as well as the settings disabled in
Configuration Designer .

In addition to the list of configurable settings listed in the Configuration Designer table (above), the following
table provides the configuration keys you can only configure via JSON data.

Set allow-listed applications (bundleArray) - Defines which of the apps installed on the device are visible on the
home screen. Enter the package name of each app to show; for example, com.android.settings makes Settings
accessible from the home screen. Apps must already be installed on the device to appear.

Set pinned web links (bundleArray) - Pins websites as quick-launch icons on the home screen. Define the URL and it
is added to the home screen for the end user to open in the browser with a single tap. Note: we recommend that
you instead create, assign and approve Managed Google Play web links for your devices; these are treated like
allow-listed applications.

Create Managed Folder for grouping apps (bundleArray) - Creates named folders and groups apps within them. End
users cannot move folders, rename folders, or move the apps within folders. Folders appear in the order created,
and apps within a folder appear alphabetically. Note: every app that you group into a folder must be assigned as
required to the device and must already have been added to the Managed Home Screen (allow-listed).

The following is an example JSON script with all the available configuration keys included:

{
"kind": "androidenterprise#managedConfiguration",
"productId": "com.microsoft.launcher.enterprise",
"managedProperty": [
{
"key": "lock_home_screen",
"valueBool": true
},
{
"key": "wallpaper",
"valueString": "default"
},
{
"key": "icon_size",
"valueInteger": 2
},
{
"key": "app_folder_icon",
"valueInteger": 0
},
{
"key": "screen_orientation",
"valueInteger": 1
},
{
"key": "applications",
"valueBundleArray": [
{
"managedProperty": [
{
"key": "package",
"valueString": "app package name here"
}
]
}
]
},
{
"key": "weblinks",
"valueBundleArray": [
{
"managedProperty": [
{
"key": "link",
"valueString": "link here"
},
{
"key": "label",
"valueString": "weblink label here"
}
]
}
]
},
{
"key": "show_virtual_home",
"valueBool": false
},
{
"key": "virtual_home_type",
"valueString": "swipe_up"
},
{
"key": "show_virtual_status_bar",
"valueBool": true
},
{
"key": "exit_lock_task_mode_code",
"valueString": ""
},
{
"key": "show_wifi_setting",
"valueBool": false
},
{
"key": "show_bluetooth_setting",
"valueBool": false
},
{
"key": "show_flashlight_setting",
"valueBool": false
},
{
"key": "show_volume_setting",
"valueBool": false
},
{
"key": "show_device_info_setting",
"valueBool": false
},
{
"key": "show_managed_setting",
"valueBool": false
},
{
"key": "enable_easy_access_debugmenu",
"valueBool": false
},
{
"key": "enable_wifi_allowlist",
"valueBool": false
},
{
"key": "wifi_allowlist",
"valueBundleArray": [
{
"managedProperty": [
{
"key": "SSID",
"valueString": "name of Wi-Fi network 1 here"
}
]
},
{
"managedProperty": [
{
"key": "SSID",
"valueString": "name of Wi-Fi network 2 here"
}
]
}
]
},
{
"key": "grid_size",
"valueString": "4;5"
},
{
"key": "app_order_enabled",
"valueBool": true
},
{
"key": "apps_in_folder_ordered_by_name",
"valueBool": true
},
{
"key": "app_orders",
"valueBundleArray": [
{
"managedProperty": [
{
"key": "package",
"valueString": "com.microsoft.emmx"
},
{
"key": "type",
"valueString": "application"
},
{
"key": "container",
"valueInteger": 1
},
{
"key": "position",
"valueInteger": 1
}
]
},
{
"managedProperty": [
{
"key": "folder_name",
"valueString": "Work"
},
{
"key": "type",
"valueString": "managed_folder"
},
{
"key": "container",
"valueInteger": 1
},
{
"key": "position",
"valueInteger": 2
}
]
},
{
"managedProperty": [
{
"key": "package",
"valueString": "com.microsoft.launcher.enterprise"
},
{
"key": "type",
"valueString": "application"
},
{
"key": "class",
"valueString": "com.microsoft.launcher.launcher"
},
{
"key": "container",
"valueInteger": 1
},
{
"key": "position",
"valueInteger": 3
}
]
}
]
},
{
"key": "managed_folders",
"valueBundleArray": [
{
"managedProperty": [
{
"key": "folder_name",
"valueString": "Folder name here"
},
{
"key": "applications",
"valueBundleArray": [
{
"managedProperty": [
{
"key": "package",
"valueString": "com.microsoft.emmx"
}
]
},
{
"managedProperty": [
{
"key": "package",
"valueString": "com.microsoft.bing"
}
]
},
{
"managedProperty": [
{
"key": "link",
"valueString": "https://microsoft.com/"
}
]
}
]
}
]
},
{
"managedProperty": [
{
"key": "folder_name",
"valueString": "Example folder name 2"
},
{
"key": "applications",
"valueBundleArray": [
{
"managedProperty": [
{
"key": "package",
"valueString": "com.microsoft.office.word"
}
]
}
]
}
]
}
]
}
]
}
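A managed configuration like the one above is accepted by the console as long as it is valid JSON, so mismatches between keys (an app_orders entry with ordering disabled, a Wi-Fi allow-list that is never consulted, a package name whose case does not match the installed app, a folder naming an app that is not allow-listed) only show up on the device. The following Python, added here as an example and not part of the Intune documentation or of the Managed Home Screen app, flattens the managedProperty structure and checks the dependency rules stated in the configuration key descriptions above, plus two kiosk-hardening checks of the author's own (the exit code format and the easy-access debug menu). The two sample configurations, including their package names beyond com.microsoft.launcher.enterprise, are constructed for the example.

```python
import json
import re
from typing import Any, Dict, List

MHS_PACKAGE = "com.microsoft.launcher.enterprise"


def prop(key: str, value: Any) -> Dict[str, Any]:
    """Build one managedProperty entry; a list of dicts becomes a valueBundleArray."""
    if isinstance(value, bool):
        return {"key": key, "valueBool": value}
    if isinstance(value, int):
        return {"key": key, "valueInteger": value}
    if isinstance(value, str):
        return {"key": key, "valueString": value}
    bundles = [{"managedProperty": [prop(k, v) for k, v in item.items()]} for item in value]
    return {"key": key, "valueBundleArray": bundles}


def mhs_config(props: List[Dict[str, Any]]) -> Dict[str, Any]:
    return {"kind": "androidenterprise#managedConfiguration",
            "productId": MHS_PACKAGE, "managedProperty": props}


def bundle_to_dict(bundle: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten a managedProperty list into {key: value}; bundle arrays become lists of dicts."""
    out: Dict[str, Any] = {}
    for p in bundle["managedProperty"]:
        if "valueBundleArray" in p:
            out[p["key"]] = [bundle_to_dict(b) for b in p["valueBundleArray"]]
        else:
            values = [k for k in p if k.startswith("value")]
            if len(values) != 1:
                raise ValueError(f"{p['key']}: expected exactly one value, got {values}")
            out[p["key"]] = p[values[0]]
    return out


def lint_mhs_config(doc: Dict[str, Any]) -> List[str]:
    """Return 'key: problem' strings; an empty list means no findings."""
    findings: List[str] = []
    if doc.get("productId") != MHS_PACKAGE:
        findings.append(f"productId: expected {MHS_PACKAGE}")
    cfg = bundle_to_dict(doc)
    grid = cfg.get("grid_size")
    if grid not in (None, "Auto") and not re.fullmatch(r"\d+;\d+", grid):
        findings.append("grid_size: must be columns;rows, for example 4;5")
    for key, lo, hi in (("icon_size", 0, 4), ("app_folder_icon", 0, 3), ("screen_orientation", 1, 3)):
        if key in cfg and not lo <= cfg[key] <= hi:
            findings.append(f"{key}: value {cfg[key]} outside {lo}..{hi}")
    code = cfg.get("exit_lock_task_mode_code", "")
    if code and not re.fullmatch(r"\d{4,6}", code):
        findings.append("exit_lock_task_mode_code: must be 4-6 digits")
    if cfg.get("enable_easy_access_debugmenu"):      # author's hardening check, not an Intune rule
        findings.append("enable_easy_access_debugmenu: exit-kiosk entry point exposed in settings/swipe-down")
    if cfg.get("app_orders"):                        # prerequisites stated for Application order
        if not cfg.get("app_order_enabled"):
            findings.append("app_orders: ignored because app_order_enabled is false")
        if not cfg.get("lock_home_screen"):
            findings.append("app_orders: requires lock_home_screen true")
        if grid in (None, "Auto"):
            findings.append("app_orders: requires grid_size to be defined")
    if cfg.get("wifi_allowlist") and not (cfg.get("show_wifi_setting") and cfg.get("enable_wifi_allowlist")):
        findings.append("wifi_allowlist: ignored unless show_wifi_setting and enable_wifi_allowlist are true")
    allowed = {a["package"] for a in cfg.get("applications", []) if "package" in a}
    for entry in cfg.get("app_orders", []):          # Android package names are case-sensitive
        pkg = entry.get("package", "")
        if pkg != pkg.lower():
            findings.append(f"app_orders: package names are case-sensitive, {pkg} is not lower-case")
    for folder in cfg.get("managed_folders", []):    # folder apps must already be allow-listed
        for item in folder.get("applications", []):
            pkg = item.get("package")
            if pkg and pkg not in allowed:
                findings.append(f"managed_folders: {pkg} in {folder.get('folder_name')} is not allow-listed")
    return findings


# Constructed sample carrying several mistakes the check should catch.
SAMPLE = mhs_config([
    prop("lock_home_screen", True), prop("grid_size", "4;5"), prop("icon_size", 2),
    prop("exit_lock_task_mode_code", "123"), prop("enable_easy_access_debugmenu", True),
    prop("show_wifi_setting", False), prop("enable_wifi_allowlist", True),
    prop("wifi_allowlist", [{"SSID": "CorpNet"}]),
    prop("applications", [{"package": "com.microsoft.emmx"}]),
    prop("app_order_enabled", False),
    prop("app_orders", [{"package": "com.Microsoft.emmx", "type": "application", "container": 1, "position": 1}]),
    prop("managed_folders", [{"folder_name": "Work", "applications": [{"package": "com.microsoft.office.word"}]}]),
])
# The same intent with the mistakes corrected.
CLEAN = mhs_config([
    prop("lock_home_screen", True), prop("grid_size", "4;5"), prop("exit_lock_task_mode_code", "482913"),
    prop("applications", [{"package": "com.microsoft.emmx"}, {"package": "com.microsoft.office.word"}]),
    prop("app_order_enabled", True),
    prop("app_orders", [{"package": "com.microsoft.emmx", "type": "application", "container": 1, "position": 1}]),
    prop("managed_folders", [{"folder_name": "Work", "applications": [{"package": "com.microsoft.office.word"}]}]),
])

if __name__ == "__main__":
    for finding in lint_mhs_config(SAMPLE):
        print("SAMPLE:", finding)
    print("CLEAN:", lint_mhs_config(CLEAN) or "no findings")
    print(json.dumps(CLEAN, indent=2))   # paste-ready JSON for the Enter JSON data option
```

The prop and mhs_config helpers also give you a way to generate the JSON from a short description rather than hand-editing the nested managedProperty blocks, which is where the stray braces and duplicated values in hand-written policies tend to come from.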

Google's Android Device Policy app


The Managed Home Screen app now provides access to Google's Android Device Policy app. The Managed Home
Screen app is a custom launcher used for devices enrolled in Intune as Android Enterprise (AE) dedicated devices
using multi-app kiosk mode. You can access the Android Device Policy app, or guide users to the Android Device
Policy app, for support and debug purposes. This launching capability is available at the time the device enrolls and
locks into Managed Home Screen. No additional installations are needed to use this functionality.

Managed Home Screen debug screen


You can access the Managed Home Screen's debug screen by clicking the back button until the debug screen is
displayed (click the back button 15 times or more). From this debug screen, you are able to launch the Android
Device Policy application, view and upload logs, or temporarily pause kiosk mode to update the device. For more
information about pausing kiosk mode, see the Leave kiosk mode item in the Android Enterprise dedicated
device settings. If you would like an easier way to access Managed Home Screen's debug screen, you can set the
Enable easy access debug menu to True using application configuration policies.

Next steps
For more information about Android Enterprise dedicated devices, see Set up Intune enrollment of Android
Enterprise dedicated devices.
How to customize the Intune Company Portal apps,
Company Portal website, and Intune app
9/4/2020

The Company Portal apps, Company Portal website, and Intune app on Android are where users access company
data and perform common tasks. Common tasks include enrolling devices, installing apps, and locating
information (such as how to get assistance from your IT department). They also let users securely access
company resources. The end-user experience provides several different pages, such as Home, Apps, App details,
Devices, and Device details. To quickly find apps within the Company Portal, users can filter the apps on the Apps
page.

NOTE
The Company Portal supports Configuration Manager applications. This feature allows end users to see both Configuration
Manager and Intune deployed applications in the Company Portal for co-managed customers. This new version of the
Company Portal will display Configuration Manager deployed apps for all co-managed customers. This support will help
administrators consolidate their different end user portal experiences. For more information, see Use the Company Portal
app on co-managed devices.

Customizing the user experience


By customizing the end-user experience, you will help provide a familiar and helpful experience for your end users.
To do this, navigate to Microsoft Endpoint Manager admin center, and select Tenant Administration >
Customization , where you can either edit the default policy or create up to 10 group targeted policies. These
settings will apply to the Company Portal apps, Company Portal website, and Intune app on Android.

Branding
The following table provides the branding customization details for the end-user experience:

Organization name - Displayed throughout the messaging in the end-user experience. It can also be shown in
headers using the Show in header setting. Maximum length is 40 characters.

Color - Choose Standard to pick one of five standard colors, or Custom to specify a color by hex code value.

Theme color - The theme color shown across the end-user experience. The text color is set automatically to
black or white, whichever is most visible on top of your selected theme color.

Show in header - Whether the header in the end-user experiences displays the Organization logo and name , the
Organization logo only , or the Organization name only . The preview boxes below show only the logos, not
the name.

Upload logo for theme color background - The logo shown on top of your selected theme color. For the best
appearance, upload a logo with a transparent background; the preview box below the setting shows the result.
Maximum image size: 400 x 400 px. Maximum file size: 750 KB. File type: PNG, JPG, or JPEG.

Upload logo for white or light background - The logo shown on top of white or light-colored backgrounds. For
the best appearance, upload a logo with a transparent background; the preview box below the setting shows the
result on a white background. Maximum image size: 400 x 400 px. Maximum file size: 750 KB. File type: PNG, JPG,
or JPEG.

Upload brand image - An image that reflects your organization's brand. Recommended image width: greater than
1125 px (at least 650 px is required). Maximum image size: 1.3 MB. File type: PNG, JPG, or JPEG. It is displayed
in these locations:
iOS/iPadOS Company Portal: background image on the user's profile page.
Windows Company Portal: background image on the user's profile page.
Company Portal website: background image on the user's profile page.
Android Intune app: in the drawer and as a background image on the user's profile page.

NOTE
When a user is installing an iOS/iPadOS application from the Company Portal they will receive a prompt. This occurs when
the iOS/iPadOS app is linked to the app store, linked to a volume-purchase program (VPP), or linked to a line-of-business
(LOB) app. The prompt allows the users to accept the action or allow management of the app. The prompt will display your
company name, or when your company name is unavailable, Company Portal will be displayed.

Brand image best practices


The right brand image can enhance the user's trust by presenting a strong sense of your organization's brand.
Here are some tips you may want to consider for acquiring, choosing, and optimizing the image for the display
locations.
Reach out to your marketing or art department. They may already have an approved set of brand images. They
may also be able to help you optimize images as needed.
Consider both landscape and portrait composition. The image should have sufficient background surrounding
the focal point. The image may be cropped differently based on device size, orientation, and platform.
Avoid using a generic, stock image. The image should reflect your organization's brand and feel familiar to
users. If you don't have one, it's better to not use one than use a generic one that has no meaning to your user.
Remove unnecessary metadata. Image file can come with metadata such as camera profile, geo location, title,
caption, and so on. Use an image optimization tool to strip out this information to maintain quality while
meeting file size limit.
Brand image examples
The following image shows an example of the brand image on an iPhone:

The following shows an example of the brand image in the Intune app for Android:

Support information
Enter your organization's support information, so employees can reach out with questions. This support
information is displayed on the Support , Help & Support , and Helpdesk pages across the end-user
experience.
Contact name (maximum 40 characters) - The name of the person or team users reach when they contact support.

Phone number (maximum 20 characters) - The number users can call for support.

Email address (maximum 40 characters) - The address users can email for support. You must enter a valid email
address in the format alias@domainname.com .

Website name (maximum 40 characters) - The friendly name displayed in some locations for the support website
URL. If you specify a support website URL and no friendly name, the URL itself is displayed in the end-user
experiences.

Website URL (maximum 150 characters) - The support website that users should use. The URL must be in the
format https://www.contoso.com .

Additional information (maximum 120 characters) - Any additional support-related messaging for users.

Configuration
You can configure the Company Portal experience specifically for enrollment, privacy, notifications, app sources,
and self-service actions.
Enrollment
The following table provides enrollment-specific configuration details:

Device enrollment (no maximum length) - Specify if and how users are prompted to enroll into mobile device
management. For more information, see Device enrollment setting options.

Device enrollment setting options

NOTE
Support for the device enrollment setting requires end users have these Company Portal versions:
Company Portal on iOS/iPadOS: version 4.4 or later
Company Portal on Android: version 5.0.4715.0 or later
IMPORTANT
The following settings do not apply to iOS/iPadOS devices configured to enroll with Automated Device Enrollment.
Regardless of how these settings are configured, such devices enroll during the out-of-box flow and users are
prompted to sign in when they launch the Company Portal.
The following settings do apply to Android devices configured with Samsung Knox Mobile Enrollment (KME). If a device has
been configured for KME and device enrollment is set to Unavailable, the device will not be able to enroll during the out of
box flow.

For each Device enrollment option, the list below gives its description and whether the following are shown:
checklist prompts, the enrollment notification, the enrollment status in device details, and the enrollment
status in app details for an app that requires enrollment.

Available, with prompts - The default experience, with prompts to enroll in all possible locations. Checklist
prompts: Yes. Notification: Yes. Device details status: Yes. App details status: Yes.

Available, no prompts - Users can enroll via the status in device details for their current device or from apps
that require enrollment. Checklist prompts: No. Notification: No. Device details status: Yes. App details status:
Yes.

Unavailable - There is no way for users to enroll. Checklist prompts: No. Notification: No. Device details status:
No. App details status: No.

Privacy
The following table provides privacy-specific configuration details:

Privacy statement URL (maximum 79 characters) - Your organization's privacy statement, shown when users click
privacy links. You must enter a valid URL in the format https://www.contoso.com .

Privacy message in the Company Portal for iOS/iPadOS (maximum 520 characters) - Keep the Default or set a
Custom message listing the items that your organization can't see on managed iOS/iPadOS devices. You can use
markdown to add bullets, bolding, italics, and links. Users also see a list of things that your organization can
see and do, but that list is generated automatically by Intune and is not customizable.

Device ownership notification


The following table provides notification-specific configuration details:

Field name: Send a push notification to users when their device ownership type changes from personal to corporate (Android and iOS/iPadOS only)
  Maximum length: N/A
  More information: Send a push notification to both your Android and iOS Company Portal users when their device ownership type has been changed from personal to corporate. By default, this push notification is set to off. When device ownership is set to corporate ownership, Intune has greater access to the device, which includes the full app inventory, FileVault key rotation, phone number retrieval, and a select few remote actions. For more information, see Change device ownership.

App sources
You can choose which additional app sources will be shown in Company Portal.

NOTE
The Company Portal supports Configuration Manager applications. This feature allows end users to see both Configuration
Manager and Intune deployed applications in the Company Portal for co-managed customers. For more information, see
Use the Company Portal app on co-managed devices.

The following table provides app source specific configuration details:

Field name: Azure AD Enterprise Applications
  Maximum length: N/A
  More information: Select Hide or Show to display Azure AD Enterprise applications in the Company Portal for each end user. For more information, see App source setting options.

Field name: Office Online Applications
  Maximum length: N/A
  More information: Select Hide or Show to display Office Online applications in the Company Portal for each end user. For more information, see App source setting options.

App source setting options

NOTE
The Company Portal website will initially support the display of apps from other Microsoft services.

You can hide or show Azure AD Enterprise applications and Office Online applications in the Company
Portal for each end user. Show will cause the Company Portal to display the entire applications catalog from the
chosen Microsoft service(s) assigned to the user. Azure AD Enterprise applications are registered and assigned
via the Azure portal. Office Online applications are assigned using the licensing controls available in the M365
Admin Center. In the Microsoft Endpoint Manager admin center, select Tenant administration >
Customization to find this configuration setting. By default, each additional app source will be set to Hide.

Customizing user self-service actions for the Company Portal
You can customize the available self-service device actions that are shown to end users in the Company Portal app
and website. To help prevent unintended device actions, you can configure settings for the Company Portal app by
selecting Tenant Administration > Customization.
The following actions are available:
Hide Remove button on corporate Windows devices.
Hide Reset button on corporate Windows devices.
Hide Remove button on corporate iOS/iPadOS devices.
Hide Reset button on corporate iOS/iPadOS devices.

NOTE
These actions can be used to restrict device actions in the Company Portal app and website and do not implement any
device restriction policies. To restrict users from performing factory reset or MDM removal from settings, you must configure
device restriction policies.

Opening Web Company Portal applications


For Web Company Portal applications, if the end user has the Company Portal application installed, they will see a
dialog box asking how they want to open the application when it is opened outside of the browser. If the app is not
in the path of the Company Portal, the Company Portal will open the homepage. If the app is in the path, the
Company Portal will open the specific app.
Upon selecting the Company Portal, the user will be directed to the corresponding page in the application when
the URI path is one of the following:
/apps - The Web Company Portal will open the Apps page that lists all of the apps.
/apps/[appID] - The Web Company Portal will open the Details page of the corresponding app.
Any other or unexpected URI path - The Web Company Portal home page will be displayed.
If the user does not have the Company Portal app installed, the user will be taken to the Web Company Portal.

Company Portal derived credentials for iOS/iPadOS devices


Intune supports Personal Identity Verification (PIV) and Common Access Card (CAC) Derived Credentials in
partnership with credential providers DISA Purebred, Entrust Datacard, and Intercede. End users will go through
additional steps post-enrollment of their iOS/iPadOS device to verify their identity in the Company Portal
application. Derived Credentials will be enabled for users by first setting up a credential provider for your tenant,
then targeting a profile that uses Derived Credentials to users or devices.

NOTE
The user will see instructions about derived credentials based on the link that you have specified via Intune.

For more information about derived credentials for iOS/iPadOS devices, see Use derived credentials in Microsoft
Intune.

Dark Mode for the Company Portal


Dark Mode is available for the iOS/iPadOS, macOS, and Windows Company Portal. Users can download apps,
manage their devices, and get IT support in the color scheme of their choice based on device settings. The
iOS/iPadOS, macOS, and Windows Company Portal will automatically match the end user's device settings for
dark or light mode.
Windows Company Portal keyboard shortcuts
End users can trigger navigation, app, and device actions in the Windows Company Portal using keyboard
shortcuts (accelerators).
The following keyboard shortcuts are available in the Windows Company Portal app.

Area                 Description      Keyboard shortcut
Navigation menu      Navigation       Alt+M
                     Home             Alt+H
                     All apps         Alt+A
                     Installed apps   Alt+I
                     Send feedback    Alt+F
                     My profile       Alt+U
                     Settings         Alt+T
Home - Device tile   Rename           F2
                     Remove           Ctrl+D or Delete
                     Check access     Ctrl+M or F9
Device details       Rename           F2
                     Remove           Ctrl+D or Delete
                     Check access     Ctrl+M or F9
App details          Install          Ctrl+I
Devices              Available        Ctrl+D

End users will also be able to see the available shortcuts in the Windows Company Portal app.
User self-service device actions from the Company Portal
Users can perform actions on their local or remote devices via the Company Portal app, Company Portal website,
or the Intune app on Android. The actions that a user can perform vary based on device platform and
configuration. In all cases, the remote device actions can only be performed by the device's primary user.
Available self-service device actions include the following:
Retire – Removes the device from Intune management. In the Company Portal app and website, this shows as
Remove.
Wipe – This action initiates a device reset. In the Company Portal website this is shown as Reset, or Factory
Reset in the iOS/iPadOS Company Portal app.
Rename – This action changes the device name that the user can see in the Company Portal. It does not change
the local device name, only the listing in the Company Portal.
Sync – This action initiates a device check-in with the Intune service. This shows as Check Status in the
Company Portal.
Remote Lock – This locks the device, requiring a PIN to unlock it.
Reset Passcode – This action is used to reset the device passcode. On iOS/iPadOS devices the passcode will be
removed and the end user will be required to enter a new code in Settings. On supported Android devices, a
new passcode is generated by Intune and temporarily displayed in the Company Portal.
Key Recovery – This action is used to recover a personal recovery key for encrypted macOS devices from the
Company Portal website.
To customize the available user self-service actions, see Customizing user self-service actions for the Company
Portal.
Self-Service Actions
Some platforms and configurations do not allow self-service device actions. The table below provides further
details about self-service actions:

Action         Windows 10 (3)   iOS/iPadOS (3)     macOS (3)       Android (3)
Retire         Available (1)    Available (9)      Available       Available (7)
Wipe           Available        Available (5)(9)   NA              Available (7)
Rename (4)     Available        Available          Available       Available
Sync           Available        Available          Available       Available
Key Recovery   NA               NA                 Available (2)   NA

(1) Retire is always blocked on Azure AD Joined Windows devices.
(2) Key Recovery for macOS is only available via the Web Portal.
(3) All remote actions are disabled if using a Device Enrollment Manager enrollment.
(4) Rename only changes the device name in the Company Portal app or Web Portal, not on the device.
(5) Wipe is not available on User Enrolled iOS/iPadOS devices.
(6) Reset Passcode is not supported on some Android and Android Enterprise configurations. For more
information, see Reset or remove a device passcode in Intune.
(7) Retire and Wipe are not available in Android Enterprise Device Owner scenarios (COPE, COBO, COSU).
(8) Reset Passcode is not supported on User Enrolled iOS/iPadOS devices.
(9) All iOS/iPadOS Automated Device Enrollment devices (formerly known as DEP) have the Retire and Wipe options
disabled.
App logs
If you are using Azure Government, app logs are offered to the end user to decide how they will share when they
initiate the process to get help with an issue. However, if you are not using Azure Government, the Company Portal
will send app logs directly to Microsoft when the user initiates the process to get help with an issue. Sending the
app logs to Microsoft will make it easier to troubleshoot and resolve issues.

NOTE
Consistent with Microsoft and Apple policy, we do not sell any data collected by our service to any third parties for any
reason.

Next steps
Configure your organization's logo and brand color for new tab pages in Microsoft Edge for iOS and Android
Add apps
Configure Microsoft Launcher
9/4/2020 • 10 minutes to read

Microsoft Launcher is an Android application that lets users personalize their phone, stay organized on the go, and move their work
from their phone to their PC.
On Android Enterprise fully managed devices, Launcher allows enterprise IT admins to customize managed device home screens by selecting the
wallpaper, apps, and icon positions. This standardizes the look and feel of all managed Android devices across different OEM devices and system
versions.

How to configure the Microsoft Launcher app


Once the Microsoft Launcher application has been added to Intune, navigate to the Microsoft Endpoint Manager admin center and select Apps >
App configuration policies. Add a configuration policy for Managed devices running Android and choose Microsoft Launcher as the
associated app. Click Configuration settings to configure the different available Microsoft Launcher settings.

Choosing a Configuration Settings Format


There are two methods that you can use to define configuration settings for Microsoft Launcher:
Configuration designer allows you to configure settings with an easy-to-use UI that lets you toggle features on or off and set values. In this
method, there are a few disabled configuration keys with value type BundleArray. These configuration keys can only be configured by entering
JSON data.
JSON data allows you to define all possible configuration keys using a JSON script.
If you add properties with Configuration Designer, you can automatically convert these properties to JSON by selecting Enter JSON data from
the Configuration settings format dropdown list as shown below.

NOTE
Once properties are configured via the Configuration Designer, the JSON data will also be updated to only reflect these properties. To add additional configuration
keys into the JSON Data, use the JSON script example to copy the necessary lines for each configuration key.

When editing previously created app configuration policies, if complex properties have been configured, the edit process will display the JSON Data
editor. All previously configured settings will be preserved and you can switch to use the configuration designer to modify supported settings.

Using Configuration Designer


Configuration designer allows you to select pre-populated settings and their associated values.
The following table lists the Microsoft Launcher available configuration keys, value types, default values, and descriptions. The description provides
the expected device behavior based on the selected values. Configuration keys that are disabled in Configuration Designer are not listed in the table.

Configuration key: Enrollment Type
  Value type: String
  Default value: Default
  Description: Allows you to set the enrollment type this policy should apply to. Currently, the value Default refers to CorporateOwnedBusinessOnly. There are no other supported enrollment types at present.
  JSON key name: management_mode_key

Configuration key: Home Screen App Order User Change Allowed
  Value type: Boolean
  Default value: True
  Description: Allows you to specify if the Home Screen App Order setting can be changed by the end user.
    If set to True, the app order defined in the policy will only be enforced for the initial deployment. Subsequently, the policy will not be enforced, to respect any changes the user may have made.
    If set to False, the app order will be enforced on every sync.
  Note: The Home Screen App Order can only be configured via the JSON editor.
  JSON key name: com.microsoft.launcher.HomeScreen.AppOrder.UserChangeAllowed

Configuration key: Set Grid Size
  Value type: String
  Default value: Auto
  Description: Allows you to set the grid size for apps to be positioned on the home screen. You can set the number of app rows and columns to define the grid size in the following format: columns;rows. If you define the grid size, the maximum number of apps that will be shown in a row on the home screen would be the number of rows you set, and the maximum number of apps that will be shown in a column on the home screen would be the number of columns you set.
  JSON key name: com.microsoft.launcher.HomeScreen.GridSize

Configuration key: Set Device Wallpaper
  Value type: String
  Default value: Null
  Description: Allows you to set a wallpaper of your choice by entering the URL of the image that you want to set as a wallpaper.
  JSON key name: com.microsoft.launcher.Wallpaper.URL

Configuration key: Set Device Wallpaper User Change Allowed
  Value type: Bool
  Default value: True
  Description: Allows you to specify if the Set Device Wallpaper setting can be changed by the end user.
    If set to True, the wallpaper in the policy will only be enforced for the initial deployment. Subsequently, the policy will not be enforced, to respect any changes the user may have made.
    If set to False, the wallpaper will be enforced on every sync.
  JSON key name: com.microsoft.launcher.Wallpaper.URL.UserChangeAllowed

Configuration key: Feed Enable
  Value type: Boolean
  Default value: True
  Description: Allows you to enable the launcher feed on the device when the user swipes to the right on the home screen.
    If set to True, the feed will be enabled.
    If set to False, the feed will be disabled.
  JSON key name: com.microsoft.launcher.Feed.Enabled

Configuration key: Feed Enable User Change Allowed
  Value type: Boolean
  Default value: True
  Description: Allows you to specify if the Feed Enable setting can be changed by the end user.
    If set to True, the feed setting will only be enforced for the initial deployment. Subsequently, the policy will not be enforced, to respect any changes the user may have made.
    If set to False, the feed setting will be enforced on every sync.
  JSON key name: com.microsoft.launcher.Feed.Enabled.UserChangeAllowed

Configuration key: Search Bar Placement
  Value type: String
  Default value: Bottom
  Description: Allows you to specify the placement of the search bar on the home screen.
    If set to Bottom, the search bar will be located at the bottom of the home screen.
    If set to Top, the search bar will be located at the top of the home screen.
    If set to Hidden, the search bar will be removed from the home screen.
  JSON key name: com.microsoft.launcher.Search.SearchBar.Placement

Configuration key: Search Bar Placement User Change Allowed
  Value type: Bool
  Default value: True
  Description: Allows you to specify if the Search Bar Placement setting can be changed by the end user.
    If set to True, the search bar placement will only be enforced for the initial deployment. Subsequently, the policy will not be enforced, to respect any changes the user may have made.
    If set to False, the placement of the search bar will be enforced on every sync.
  JSON key name: com.microsoft.launcher.Search.SearchBar.Placement.UserChangeAllowed
  NOTE: For Microsoft Launcher v6.2 and later, this setting will no longer be enforced. Therefore, setting this value to True will have no effect. Your end users will not be able to customize the location of the search bar on their device.

Configuration key: Dock Mode
  Value type: String
  Default value: Show
  Description: Allows you to enable the dock on the device when the user swipes to the right on the home screen.
    If set to Show, the dock will be enabled.
    If set to Hidden, the dock will be hidden from the home screen, but the user can display it when it is needed.
    If set to Disabled, the dock will be disabled.
  JSON key name: com.microsoft.launcher.Dock.Mode

Configuration key: Dock Mode User Change Allowed
  Value type: String
  Default value: True
  Description: Allows you to specify if the Dock Mode setting can be changed by the end user.
    If set to True, the dock mode setting will only be enforced for the initial deployment. Subsequently, the policy will not be enforced, to respect any changes the user may have made.
    If set to False, the dock mode setting will be enforced on every sync.
  JSON key name: com.microsoft.launcher.Dock.Mode.UserChangeAllowed

Enter JSON Data


Enter JSON data to configure all available settings for Microsoft Launcher, as well as the settings disabled in Configuration Designer, as shown
below.
In addition to the configurable settings listed in the Configuration Designer table (above), the following table provides the configuration keys
you can only configure via JSON data.

Configuration key: Set Allow-Listed Applications
  Value type: BundleArray
  Default value: See: Set allow-listed applications
  JSON key: com.microsoft.launcher.HomeScreen.Applications
  Description: Allows you to define the set of apps visible on the home screen from amongst the apps installed on the device. You can define the apps by entering the app package name of the apps that you would like to make visible; for example, com.android.settings would make Settings accessible on the home screen. The apps that you allow-list in this section should already be installed on the device in order to be visible on the home screen.
  Properties:
    Package: The application package name.
    Class: The application activity, which is specific to a certain app page. The default app page is used if this value is empty.

Configuration key: Home Screen App Order
  Value type: BundleArray
  Default value: See: Home screen app order
  JSON key: com.microsoft.launcher.HomeScreen.AppOrder
  Description: Allows you to specify the app order on the home screen.
  Properties:
    Type: If you want to specify positions of apps, the only type supported is application. If you want to specify positions of web links, the type is weblink.
    Position: This specifies the application icon slot on the home screen. This starts from position 1 on the top left, and goes left to right, top to bottom.
    Package: This is the application package name used for specifying app order.
    Class: This is an application activity, which is specific to a certain app page. The default app page will be used if this value is empty. This property is used for apps.
    Label: This is an application activity, which is specific to a certain app page. The default app page will be used if this value is empty. This property is used for apps.
    Link: The URL to be launched after the end user clicks the web link icon. This property is used for web links.

Configuration key: Set Pinned Web Links
  Value type: BundleArray
  Default value: See: Set Pinned Web Links
  JSON key: com.microsoft.launcher.HomeScreen.WebLinks
  Description: This key allows you to pin websites to the home screen as quick launch icons. That way you can make sure that end users have quick and easy access to essential websites. You can modify the location of each web link icon in the 'Home Screen App Order' configuration.
  Properties:
    Label: The web link title displayed on the MS Launcher home screen.
    Link: The URL to be launched after the end user clicks the web link icon.

Set allow-listed applications

{
  "key": "com.microsoft.launcher.HomeScreen.Applications",
  "valueBundleArray": [
    {
      "managedProperty": [
        { "key": "package", "valueString": "" },
        { "key": "class", "valueString": "" }
      ]
    }
  ]
}

Home screen app order


{
  "key": "com.microsoft.launcher.HomeScreen.AppOrder",
  "valueBundleArray": [
    {
      "managedProperty": [
        { "key": "type", "valueString": "application" },
        { "key": "position", "valueInteger": 0 },
        { "key": "package", "valueString": "" },
        { "key": "class", "valueString": "" }
      ]
    }
  ]
}

Set Pinned Web link

{
  "key": "com.microsoft.launcher.HomeScreen.WebLinks",
  "valueBundleArray": [
    {
      "managedProperty": [
        { "key": "label", "valueString": "" },
        { "key": "link", "valueString": "" }
      ]
    }
  ]
},
{
  "key": "com.microsoft.launcher.HomeScreen.AppOrder",
  "valueBundleArray": [
    {
      "managedProperty": [
        { "key": "type", "valueString": "weblink" },
        { "key": "position", "valueInteger": 0 },
        { "key": "label", "valueString": "" },
        { "key": "link", "valueString": "" }
      ]
    }
  ]
}

Microsoft Launcher configuration example


The following is an example JSON script with all the available configuration keys included:

{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "app:com.microsoft.launcher",
  "managedProperty": [
    { "key": "management_mode_key", "valueString": "Default" },
    { "key": "com.microsoft.launcher.Feed.Enable.UserChangeAllowed", "valueBool": false },
    { "key": "com.microsoft.launcher.Feed.Enable", "valueBool": true },
    { "key": "com.microsoft.launcher.Wallpaper.Url.UserChangeAllowed", "valueBool": false },
    { "key": "com.microsoft.launcher.Wallpaper.Url", "valueString": "http://www.contoso.com/wallpaper.png" },
    { "key": "com.microsoft.launcher.HomeScreen.GridSize", "valueString": "5;5" },
    {
      "key": "com.microsoft.launcher.HomeScreen.Applications",
      "valueBundleArray": [
        {
          "managedProperty": [
            { "key": "package", "valueString": "com.ups.mobile.android" },
            { "key": "class", "valueString": "" }
          ]
        },
        {
          "managedProperty": [
            { "key": "package", "valueString": "com.microsoft.teams" },
            { "key": "class", "valueString": "" }
          ]
        },
        {
          "managedProperty": [
            { "key": "package", "valueString": "com.microsoft.bing" },
            { "key": "class", "valueString": "" }
          ]
        }
      ]
    },
    {
      "key": "com.microsoft.launcher.HomeScreen.WebLinks",
      "valueBundleArray": [
        {
          "managedProperty": [
            { "key": "label", "valueString": "News" },
            { "key": "link", "valueString": "https://www.bbc.com" }
          ]
        }
      ]
    },
    { "key": "com.microsoft.launcher.HomeScreen.AppOrder.UserChangeAllowed", "valueBool": false },
    {
      "key": "com.microsoft.launcher.HomeScreen.AppOrder",
      "valueBundleArray": [
        {
          "managedProperty": [
            { "key": "type", "valueString": "application" },
            { "key": "position", "valueInteger": 17 },
            { "key": "package", "valueString": "com.ups.mobile.android" },
            { "key": "class", "valueString": "" }
          ]
        },
        {
          "managedProperty": [
            { "key": "type", "valueString": "application" },
            { "key": "position", "valueInteger": 18 },
            { "key": "package", "valueString": "com.microsoft.teams" },
            { "key": "class", "valueString": "" }
          ]
        },
        {
          "managedProperty": [
            { "key": "type", "valueString": "application" },
            { "key": "position", "valueInteger": 19 },
            { "key": "package", "valueString": "com.microsoft.bing" },
            { "key": "class", "valueString": "" }
          ]
        },
        {
          "managedProperty": [
            { "key": "type", "valueString": "weblink" },
            { "key": "position", "valueInteger": 20 },
            { "key": "label", "valueString": "News" },
            { "key": "link", "valueString": "https://www.bbc.com" }
          ]
        }
      ]
    }
  ]
}
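As an added example (not Microsoft's or the page's own code), the following Python checker parses a Launcher managed configuration of the shape shown above and cross-checks the pieces the JSON-only table describes: it refuses JSON with repeated member names (which json.loads would otherwise silently collapse to the last value), validates the columns;rows grid format, and verifies that each Home Screen App Order entry sits inside the grid at a unique position and refers to an allow-listed package or a pinned web link. The sample configuration, the com.example.unlisted package and the plain-HTTP flag on the wallpaper URL are constructed for this example; the https check is the checker's own rule, not a Launcher requirement.

```python
import json
import re

# Constructed sample (not the page's own JSON): a trimmed Microsoft Launcher
# managed configuration seeded with one defect of each kind the checker reports.
SAMPLE_CONFIG = """{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "app:com.microsoft.launcher",
  "managedProperty": [
    {"key": "com.microsoft.launcher.Wallpaper.Url", "valueString": "http://www.contoso.com/wallpaper.png"},
    {"key": "com.microsoft.launcher.HomeScreen.GridSize", "valueString": "4;3"},
    {"key": "com.microsoft.launcher.HomeScreen.Applications", "valueBundleArray": [
      {"managedProperty": [{"key": "package", "valueString": "com.microsoft.teams"}]}]},
    {"key": "com.microsoft.launcher.HomeScreen.WebLinks", "valueBundleArray": [
      {"managedProperty": [{"key": "label", "valueString": "News"},
                           {"key": "link", "valueString": "https://www.bbc.com"}]}]},
    {"key": "com.microsoft.launcher.HomeScreen.AppOrder", "valueBundleArray": [
      {"managedProperty": [{"key": "type", "valueString": "application"},
                           {"key": "position", "valueInteger": 1},
                           {"key": "package", "valueString": "com.microsoft.teams"}]},
      {"managedProperty": [{"key": "type", "valueString": "application"},
                           {"key": "position", "valueInteger": 13},
                           {"key": "package", "valueString": "com.example.unlisted"}]},
      {"managedProperty": [{"key": "type", "valueString": "weblink"},
                           {"key": "position", "valueInteger": 1},
                           {"key": "label", "valueString": "News"},
                           {"key": "link", "valueString": "http://www.bbc.com"}]}]}
  ]
}"""

# Constructed bundle with a repeated "key" member: json.loads() alone would keep the last one.
DUPLICATE_KEY_SNIPPET = '{"key": "type", "key": "type", "valueString": "application"}'


def _reject_duplicate_keys(pairs):
    """object_pairs_hook that refuses any JSON object with a repeated member name."""
    names = [name for name, _ in pairs]
    dups = sorted({n for n in names if names.count(n) > 1})
    if dups:
        raise ValueError("duplicate JSON member(s): " + ", ".join(dups))
    return dict(pairs)


def load_launcher_config(text):
    """Parse managed-configuration JSON, raising ValueError on duplicated members."""
    return json.loads(text, object_pairs_hook=_reject_duplicate_keys)


def has_duplicate_keys(text):
    try:
        load_launcher_config(text)
    except ValueError:  # JSONDecodeError is a ValueError too: malformed text is rejected as well
        return True
    return False


def _props(bundle):
    """Flatten a managedProperty list into {key: value}; keys are lower-cased so that
    Wallpaper.Url (example JSON) and Wallpaper.URL (table) compare equal."""
    flat = {}
    for prop in bundle["managedProperty"]:
        value = next(v for name, v in prop.items() if name.startswith("value"))
        flat[prop["key"].lower()] = value
    return flat


def lint_launcher_config(config):
    """Cross-check the home-screen keys; returns a list of findings (empty = clean)."""
    findings = []
    top = _props(config)
    # Grid size must be "columns;rows" with positive integers; "Auto" is the default.
    slots = None
    grid = top.get("com.microsoft.launcher.homescreen.gridsize", "Auto")
    if grid != "Auto":
        match = re.fullmatch(r"([1-9]\d*);([1-9]\d*)", grid)
        if match:
            columns, rows = (int(g) for g in match.groups())
            slots = columns * rows
        else:
            findings.append("GridSize %r is not 'columns;rows' with positive integers" % grid)
    # A wallpaper fetched over plain HTTP can be altered in transit; require https.
    wallpaper = top.get("com.microsoft.launcher.wallpaper.url")
    if wallpaper and not wallpaper.lower().startswith("https://"):
        findings.append("wallpaper URL is fetched over plain HTTP: " + wallpaper)
    # Each ordered icon needs a free slot inside the grid and must refer to an
    # allow-listed package or a pinned web link (label and link both match).
    allowed = {_props(b).get("package") for b in top.get("com.microsoft.launcher.homescreen.applications", [])}
    pinned = {(_props(b).get("label"), _props(b).get("link"))
              for b in top.get("com.microsoft.launcher.homescreen.weblinks", [])}
    seen = set()
    for bundle in top.get("com.microsoft.launcher.homescreen.apporder", []):
        entry = _props(bundle)
        pos = entry.get("position")
        if not isinstance(pos, int) or pos < 1 or (slots is not None and pos > slots):
            findings.append("position %r is outside the home screen grid" % pos)
        elif pos in seen:
            findings.append("position %d is assigned to more than one icon" % pos)
        seen.add(pos)
        if entry.get("type") == "application" and entry.get("package") not in allowed:
            findings.append("ordered app %r is not allow-listed" % entry.get("package"))
        elif entry.get("type") == "weblink" and (entry.get("label"), entry.get("link")) not in pinned:
            findings.append("ordered web link %r is not pinned" % entry.get("label"))
        elif entry.get("type") not in ("application", "weblink"):
            findings.append("unknown AppOrder type %r" % entry.get("type"))
    return findings
```

Running lint_launcher_config(load_launcher_config(SAMPLE_CONFIG)) on the constructed sample reports five findings: the HTTP wallpaper, slot 13 outside the 4;3 grid, the un-allow-listed package, slot 1 assigned twice, and a web link whose http link does not match the pinned https one.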

Next steps
For more information about Android Enterprise fully managed devices, see Set up Intune enrollment of Android Enterprise fully managed devices.
Manage web access by using Edge for iOS and Android
with Microsoft Intune
9/4/2020 • 22 minutes to read

Edge for iOS and Android is designed to enable users to browse the web and supports multi-identity. Users can add a
work account, as well as a personal account, for browsing. There is complete separation between the two identities, which
is like what is offered in other Microsoft mobile apps.
Edge for iOS is supported on iOS 12.0 and later. Edge for Android is supported on Android 5 and later.

NOTE
Edge for iOS and Android doesn't consume settings that users set for the native browser on their devices, because Edge for iOS and
Android can't access these settings.

The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise
Mobility + Security suite, which includes Microsoft Intune and Azure Active Directory Premium features, such as
conditional access. At a minimum, you will want to deploy a conditional access policy that only allows connectivity to Edge
for iOS and Android from mobile devices and an Intune app protection policy that ensures the browsing experience is
protected.

NOTE
New web clips (pinned web apps) on iOS devices will open in Edge for iOS and Android instead of the Intune Managed Browser when
required to open in a protected browser. For older iOS web clips, you must re-target these web clips to ensure they open in Edge for
iOS and Android rather than the Managed Browser.

Apply Conditional Access


Organizations can use Azure AD Conditional Access policies to ensure that users can only access work or school content
using Edge for iOS and Android. To do this, you will need a conditional access policy that targets all potential users. Details
on creating this policy can be found in Require app protection policy for cloud app access with Conditional Access.
1. Follow Scenario 2: Browser apps require approved apps with app protection policies, which allows Edge for iOS
and Android, but blocks other mobile device web browsers from connecting to Office 365 endpoints.

NOTE
This policy ensures mobile users can access all Microsoft 365 endpoints from within Edge for iOS and Android. This policy also
prevents users from using InPrivate to access Microsoft 365 endpoints.

With Conditional Access, you can also target on-premises sites that you have exposed to external users via the Azure AD
Application Proxy.

Create Intune app protection policies


App Protection Policies (APP) define which apps are allowed and the actions they can take with your organization's data.
The choices available in APP enable organizations to tailor the protection to their specific needs. For some, it may not be
obvious which policy settings are required to implement a complete scenario. To help organizations prioritize mobile
client endpoint hardening, Microsoft has introduced taxonomy for its APP data protection framework for iOS and Android
mobile app management.
The APP data protection framework is organized into three distinct configuration levels, with each level building off the
previous level:
Enterprise basic data protection (Level 1) ensures that apps are protected with a PIN and encrypted and performs
selective wipe operations. For Android devices, this level validates Android device attestation. This is an entry level
configuration that provides similar data protection control in Exchange Online mailbox policies and introduces IT and
the user population to APP.
Enterprise enhanced data protection (Level 2) introduces APP data leakage prevention mechanisms and minimum
OS requirements. This is the configuration that is applicable to most mobile users accessing work or school data.
Enterprise high data protection (Level 3) introduces advanced data protection mechanisms, enhanced PIN
configuration, and APP Mobile Threat Defense. This configuration is desirable for users that are accessing high risk
data.
To see the specific recommendations for each configuration level and the minimum apps that must be protected, review
Data protection framework using app protection policies.
Regardless of whether the device is enrolled in a unified endpoint management (UEM) solution, an Intune app protection
policy needs to be created for both iOS and Android apps, using the steps in How to create and assign app protection
policies. These policies, at a minimum, must meet the following conditions:
1. They include all Microsoft 365 mobile applications, such as Edge, Outlook, OneDrive, Office, or Teams, as this
ensures that users can access and manipulate work or school data within any Microsoft app in a secure fashion.
2. They are assigned to all users. This ensures that all users are protected, regardless of whether they use Edge for iOS
or Android.
3. Determine which framework level meets your requirements. Most organizations should implement the settings
defined in Enterprise enhanced data protection (Level 2) as that enables data protection and access
requirements controls.
For more information on the available settings, see Android app protection policy settings and iOS app protection policy
settings.

IMPORTANT
To apply Intune app protection policies against apps on Android devices that are not enrolled in Intune, the user must also install the
Intune Company Portal. For more information, see What to expect when your Android app is managed by app protection policies.

Single sign-on to Azure AD-connected web apps in policy-protected browsers

Edge for iOS and Android can take advantage of single sign-on (SSO) to all web apps (SaaS and on-premises) that are
Azure AD-connected. SSO allows users to access Azure AD-connected web apps through Edge for iOS and Android,
without having to re-enter their credentials.
SSO requires your device to be registered by either the Microsoft Authenticator app for iOS devices, or the Intune
Company Portal on Android. When users have either of these, they are prompted to register their device when they go to
an Azure AD-connected web app in a policy-protected browser (this is only true if their device hasn't already been
registered). After the device is registered with the user's account managed by Intune, that account has SSO enabled for
Azure AD-connected web apps.

NOTE
Device registration is a simple check-in with the Azure AD service. It doesn't require full device enrollment, and doesn't give IT any
additional privileges on the device.

Utilize app configuration to manage the browsing experience


Edge for iOS and Android supports app settings that allow unified endpoint management administrators, for example those using Microsoft
Endpoint Manager, to customize the behavior of the app.
App configuration can be delivered either through the mobile device management (MDM) OS channel on enrolled devices
(Managed App Configuration channel for iOS or the Android in the Enterprise channel for Android) or through the Intune
App Protection Policy (APP) channel. Edge for iOS and Android supports the following configuration scenarios:
Only allow work or school accounts
General app configuration settings
Data protection settings

IMPORTANT
For configuration scenarios that require device enrollment on Android, the devices must be enrolled in Android Enterprise and Edge
for Android must be deployed via the Managed Google Play store. For more information, see Set up enrollment of Android
Enterprise work profile devices and Add app configuration policies for managed Android Enterprise devices.

Each configuration scenario highlights its specific requirements. For example, whether the configuration scenario requires
device enrollment, and thus works with any UEM provider, or requires Intune App Protection Policies.

NOTE
With Microsoft Endpoint Manager, app configuration delivered through the MDM OS channel is referred to as a Managed Devices
App Configuration Policy (ACP); app configuration delivered through the App Protection Policy channel is referred to as a Managed
Apps App Configuration Policy.

Only allow work or school accounts

Respecting the data security and compliance policies of our largest and most highly regulated customers is a key pillar of
the Microsoft 365 value. Some companies have a requirement to capture all communications information within their
corporate environment, as well as to ensure the devices are only used for corporate communications. To support these
requirements, Edge for iOS and Android on enrolled devices can be configured to only allow a single corporate account to
be provisioned within the app.
You can learn more about configuring the org allowed accounts mode setting here:
Android setting
iOS setting
This configuration scenario only works with enrolled devices. However, any UEM provider is supported. If you are not
using Microsoft Endpoint Manager, you need to consult with your UEM documentation on how to deploy these
configuration keys.

General app configuration scenarios

Edge for iOS and Android offers administrators the ability to customize the default configuration for several in-app
settings. This capability is currently only offered when Edge for iOS and Android has an Intune App Protection Policy
applied to the work or school account that is signed into the app and the policy settings are delivered through a managed
apps App Configuration Policy.

IMPORTANT
Edge for Android does not support Chromium settings that are available in Managed Google Play.

Edge supports the following settings for configuration:
New Tab Page experiences
Bookmark experiences
App behavior experiences
Kiosk mode experiences
These settings can be deployed to the app regardless of device enrollment status.
New Tab Page experiences
Edge for iOS and Android offers organizations several options for adjusting the New Tab Page experience.
Organization logo and brand color
These settings allow you to customize the New Tab Page for Edge for iOS and Android to display your organization's logo
and brand color as the page background.
To upload your organization's logo and color, first complete the following steps:
1. Within Microsoft Endpoint Manager, navigate to Tenant Administration -> Customization -> Company Identity Branding.
2. To set your brand's logo, next to Show in header, choose "Organization logo only". Transparent background logos are
recommended.
3. To set your brand's background color, select a Theme color. Edge for iOS and Android applies a lighter shade of the
color on the New Tab Page, which ensures the page has high readability.
Next, utilize the following key/value pairs to pull your organization's branding into Edge for iOS and Android:

Key: com.microsoft.intune.mam.managedbrowser.NewTabPage.BrandLogo
Value: true shows organization's brand logo
       false (default) will not expose a logo

Key: com.microsoft.intune.mam.managedbrowser.NewTabPage.BrandColor
Value: true shows organization's brand color
       false (default) will not expose a color

Homepage shortcut
This setting allows you to configure a homepage shortcut for Edge for iOS and Android. The homepage shortcut you
configure appears as the first icon beneath the search bar when the user opens a new tab in Edge for iOS and Android.
The user can't edit or delete this shortcut in their managed context. The homepage shortcut displays your organization's
name to distinguish it.

Key: com.microsoft.intune.mam.managedbrowser.homepage
Value: Specify a valid URL. Incorrect URLs are blocked as a security measure.
       For example: https://www.bing.com

Multiple top site shortcuts

Similar to configuring a homepage shortcut, you can configure multiple top site shortcuts on new tab pages in Edge for
iOS and Android. The user can't edit or delete these shortcuts in a managed context. Note: you can configure a total of 8
shortcuts, including a homepage shortcut. If you have configured a homepage shortcut, that will override the first top site
configured.

Key: com.microsoft.intune.mam.managedbrowser.managedTopSites
Value: Specify a set of value URLs. Each top site shortcut consists of a title and URL. Separate the title and URL with
       the | character.
       For example: GitHub|https://github.com/||LinkedIn|https://www.linkedin.com

Industry news
You can configure the New Tab Page experience within Edge for iOS and Android to display industry news that is relevant
to your organization. When you enable this feature, Edge for iOS and Android uses your organization's domain name to
aggregate news from the web about your organization, organization's industry, and competitors, so your users can find
relevant external news all from the centralized new tab pages within Edge for iOS and Android. Industry News is off by
default.

Key: com.microsoft.intune.mam.managedbrowser.NewTabPage.IndustryNews
Value: true shows Industry News on the New Tab Page
       false (default) hides Industry News from the New Tab Page

Bookmark experiences
Edge for iOS and Android offers organizations several options for managing bookmarks.
Managed bookmarks
For ease of access, you can configure bookmarks that you'd like your users to have available when they are using Edge for
iOS and Android.
Bookmarks only appear in the work or school account and are not exposed to personal accounts.
Bookmarks can't be deleted or modified by users.
Bookmarks appear at the top of the list. Any bookmarks that users create appear below these bookmarks.
If you have enabled Application Proxy redirection, you can add Application Proxy web apps by using either their
internal or external URL.
Ensure that you prefix all URLs with http:// or https:// when entering them into the list.
Bookmarks are created in a folder named after the organization's name which is defined in Azure Active Directory.

Key: com.microsoft.intune.mam.managedbrowser.bookmarks
Value: The value for this configuration is a list of bookmarks. Each bookmark consists of the bookmark title and the
       bookmark URL. Separate the title and URL with the | character.
       For example: Microsoft Bing|https://www.bing.com
       To configure multiple bookmarks, separate each pair with the double character ||.
       For example: Microsoft Bing|https://www.bing.com||Contoso|https://www.contoso.com
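The managed bookmarks and top site shortcuts above share one value format: title|URL pairs joined with ||. The following is an added example (not Microsoft's code) that parses and builds that value, rejects URLs without the required http:// or https:// prefix, and applies the eight-shortcut limit and homepage override described under Multiple top site shortcuts; org_name is a constructed placeholder for the Azure AD organization name.

```python
import re

MAX_TOP_SITES = 8  # total New Tab Page shortcuts, counting a homepage shortcut
_URL_RE = re.compile(r"^https?://\S+$")  # the page requires the http:// or https:// prefix


def parse_entries(value):
    """Parse "title|URL||title|URL" into [(title, url), ...].
    Raises ValueError on a malformed entry or a URL without its scheme."""
    entries = []
    for raw in value.split("||"):
        if not raw.strip():
            continue  # tolerate an empty or trailing "||"
        parts = raw.split("|")
        if len(parts) != 2 or not parts[0].strip():
            raise ValueError(f"expected 'title|URL', got {raw!r}")
        title, url = parts[0].strip(), parts[1].strip()
        if not _URL_RE.match(url):
            raise ValueError(f"URL must start with http:// or https://: {url!r}")
        entries.append((title, url))
    return entries


def build_value(entries):
    """Inverse of parse_entries; '|' is the separator, so it may not appear in a title or URL."""
    for title, url in entries:
        if "|" in title or "|" in url or not _URL_RE.match(url):
            raise ValueError(f"bad entry: {title!r} -> {url!r}")
    return "||".join(f"{title}|{url}" for title, url in entries)


def effective_top_sites(top_sites_value, homepage=None, org_name="Contoso"):
    """Shortcuts the user sees, as the page describes: a configured homepage
    shortcut (labelled with the organization name) replaces the first top site,
    and no more than 8 shortcuts are shown in total. org_name is a constructed
    placeholder for the Azure AD organization name."""
    sites = parse_entries(top_sites_value)
    if homepage:
        if not _URL_RE.match(homepage):
            raise ValueError("homepage must start with http:// or https://")
        sites = [(org_name, homepage)] + sites[1:]
    return sites[:MAX_TOP_SITES]
```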

My Apps bookmark
By default, users have the My Apps bookmark configured within the organization folder inside Edge for iOS and Android.

Key: com.microsoft.intune.mam.managedbrowser.MyApps
Value: true (default) shows My Apps within the Edge for iOS and Android bookmarks
       false hides My Apps within Edge for iOS and Android

App behavior experiences

Edge for iOS and Android offers organizations several options for managing the app's behavior.
Default protocol handler
By default, Edge for iOS and Android uses the HTTPS protocol handler when the user doesn't specify the protocol in the
URL. Generally, this is considered a best practice, but can be disabled.

Key: com.microsoft.intune.mam.managedbrowser.defaultHTTPS
Value: true (default) default protocol handler is HTTPS
       false default protocol handler is HTTP

Disable data sharing for personalization

By default, Edge for iOS and Android prompts users for usage data collection and sharing browsing history to personalize
their browsing experience. Organizations can disable this data sharing by preventing this prompt from being shown to
end users.

Key: com.microsoft.intune.mam.managedbrowser.disableShareUsageData
Value: true disables this prompt from displaying to end users
       false (default) users are prompted to share usage data

Key: com.microsoft.intune.mam.managedbrowser.disableShareBrowsingHistory
Value: true disables this prompt from displaying to end users
       false (default) users are prompted to share browsing history

Disable specific features

Edge for iOS and Android allows organizations to disable certain features that are enabled by default. To disable these
features, configure the following setting:

Key: com.microsoft.intune.mam.managedbrowser.disabledFeatures
Value: password disables prompts that offer to save passwords for the end user
       inprivate disables InPrivate browsing
       To disable multiple features, separate values with |. For example, inprivate|password disables both InPrivate
       and password storage.

NOTE
Edge for Android does not support disabling the password manager.

Disable extensions
You can disable the extension framework within Edge for Android to prevent users from installing any app extensions. To
do this, configure the following setting:

Key: com.microsoft.intune.mam.managedbrowser.disableExtensionFramework
Value: true disables the extension framework
       false (default) enables the extension framework

Kiosk mode experiences on Android devices

Edge for Android can be enabled as a kiosk app with the following settings:

Key: com.microsoft.intune.mam.managedbrowser.enableKioskMode
Value: true enables kiosk mode for Edge for Android
       false (default) disables kiosk mode

Key: com.microsoft.intune.mam.managedbrowser.showAddressBarInKioskMode
Value: true shows the address bar in kiosk mode
       false (default) hides the address bar when kiosk mode is enabled

Key: com.microsoft.intune.mam.managedbrowser.showBottomBarInKioskMode
Value: true shows the bottom action bar in kiosk mode
       false (default) hides the bottom bar when kiosk mode is enabled

Data protection app configuration scenarios

Edge for iOS and Android supports app configuration policies for the following data protection settings when the app is
managed by Microsoft Endpoint Manager with an Intune App Protection Policy applied to the work or school account that
is signed into the app and the policy settings are delivered through a managed apps App Configuration Policy:
Manage account synchronization
Manage restricted web sites
Manage proxy configuration
Manage NTLM single sign-on sites
These settings can be deployed to the app regardless of device enrollment status.
Manage account synchronization
By default, Microsoft Edge sync enables users to access their browsing data across all their signed-in devices. The data
supported by sync includes:
Favorites
Passwords
Addresses and more (autofill form entry)
Sync functionality is enabled via user consent and users can turn sync on or off for each of the data types listed above. For
more information see Microsoft Edge Sync.
Organizations have the capability to disable Edge sync on iOS and Android.

Key: com.microsoft.intune.mam.managedbrowser.account.syncDisabled
Value: true (default) allows Edge sync
       false disables Edge sync

Manage restricted web sites

Organizations can define which sites users can access within the work or school account context in Edge for iOS and
Android. If you use an allow list, your users are only able to access the sites explicitly listed. If you use a blocked list, users
can access all sites except for those explicitly blocked. You should only impose either an allowed or a blocked list, not both.
If you impose both, only the allowed list is honored.
Organizations also define what happens when a user attempts to navigate to a restricted web site. By default, transitions
are allowed. If the organization allows it, restricted web sites can be opened in the personal account context or in the
Azure AD account's InPrivate context; otherwise the site is blocked entirely. For more information on the various scenarios
that are supported, see Restricted website transitions in Microsoft Edge mobile. By allowing transitioning experiences, the
organization's users stay protected, while keeping corporate resources safe.

NOTE
Edge for iOS and Android can block access to sites only when they are accessed directly. It doesn't block access when users use
intermediate services (such as a translation service) to access the site.

Use the following key/value pairs to configure either an allowed or blocked site list for Edge for iOS and Android.

Key: com.microsoft.intune.mam.managedbrowser.AllowListURLs
Value: The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow as a single
       value, separated by a pipe | character.
       Examples:
       URL1|URL2|URL3
       http://*.contoso.com/|https://*.bing.com/|https://expenses.contoso.com

Key: com.microsoft.intune.mam.managedbrowser.BlockListURLs
Value: The corresponding value for the key is a list of URLs. You enter all the URLs you want to block as a single
       value, separated by a pipe | character.
       Examples:
       URL1|URL2|URL3
       http://*.contoso.com/|https://*.bing.com/|https://expenses.contoso.com

Key: com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock
Value: true (default) allows Edge for iOS and Android to transition restricted sites. When personal accounts are not
       disabled, users are prompted to either switch to the personal context to open the restricted site, or to add a
       personal account. If com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked is set to true, users have
       the capability of opening the restricted site in the InPrivate context.
       false prevents Edge for iOS and Android from transitioning users. Users are simply shown a message stating that
       the site they are trying to access is blocked.

Key: com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked
Value: true allows restricted sites to be opened in the Azure AD account's InPrivate context. If the Azure AD account
       is the only account configured in Edge for iOS and Android, the restricted site is opened automatically in the
       InPrivate context. If the user has a personal account configured, the user is prompted to choose between opening
       InPrivate or switching to the personal account.
       false (default) requires the restricted site to be opened in the user's personal account. If personal accounts
       are disabled, then the site is blocked.
       In order for this setting to take effect, com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock must
       be set to true.

Key: com.microsoft.intune.mam.managedbrowser.durationOfOpenInPrivateSnackBar
Value: Enter the number of seconds that users will see the snack bar notification "Link opened with InPrivate mode.
       Your organization requires the use of InPrivate mode for this content." By default, the snack bar notification
       is shown for 7 seconds.

The following sites are always allowed regardless of the defined allow list or block list settings:
https://*.microsoft.com/*
http://*.microsoft.com/*
https://microsoft.com/*
http://microsoft.com/*
https://*.windowsazure.com/*
https://*.microsoftonline.com/*
https://*.microsoftonline-p.com/*

URL formats for allowed and blocked site list

You can use various URL formats to build your allowed/blocked sites lists. These permitted patterns are detailed in the
following table.
Ensure that you prefix all URLs with http:// or https:// when entering them into the list.
You can use the wildcard symbol (*) according to the rules in the following permitted patterns list.
A wildcard can only match a portion (e.g., news-contoso.com) or entire component of the hostname (e.g.,
host.contoso.com) or entire parts of the path when separated by forward slashes (www.contoso.com/images).
You can specify port numbers in the address. If you do not specify a port number, the values used are:
Port 80 for http
Port 443 for https
Using wildcards for the port number is not supported. For example, http://www.contoso.com:* and
http://www.contoso.com:*/ are not supported.

URL: http://www.contoso.com
Details: Matches a single page
Matches: www.contoso.com
Does not match: host.contoso.com, www.contoso.com/images, contoso.com/

URL: http://contoso.com
Details: Matches a single page
Matches: contoso.com/
Does not match: host.contoso.com, www.contoso.com/images, www.contoso.com

URL: http://www.contoso.com/*
Details: Matches all URLs that begin with www.contoso.com
Matches: www.contoso.com, www.contoso.com/images, www.contoso.com/videos/tvshows
Does not match: host.contoso.com, host.contoso.com/images

URL: http://*.contoso.com/*
Details: Matches all subdomains under contoso.com
Matches: developer.contoso.com/resources, news.contoso.com/images, news.contoso.com/videos
Does not match: contoso.host.com, news-contoso.com

URL: http://*contoso.com/*
Details: Matches all subdomains ending with contoso.com/
Matches: news-contoso.com, news-contoso.com.com/daily
Does not match: news-contoso.host.com, news.contoso.com

URL: http://www.contoso.com/images
Details: Matches a single folder
Matches: www.contoso.com/images
Does not match: www.contoso.com/images/dogs

URL: http://www.contoso.com:80
Details: Matches a single page, by using a port number
Matches: www.contoso.com:80

URL: https://www.contoso.com
Details: Matches a single, secure page
Matches: www.contoso.com (over HTTPS)
Does not match: www.contoso.com (over HTTP)

URL: http://www.contoso.com/images/*
Details: Matches a single folder and all subfolders
Matches: www.contoso.com/images/dogs, www.contoso.com/images/cats
Does not match: www.contoso.com/videos

The following are examples of some of the inputs that you can't specify:
*.com
*.contoso/*
www.contoso.com/*images
www.contoso.com/*images*pigs
www.contoso.com/page*
IP addresses
https://*
http://*
http://www.contoso.com:*
http://www.contoso.com: /*
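To dry-run an allowed or blocked list against the rules above before assigning the policy, here is an added example (not Microsoft's code, and not how Edge itself matches URLs): it compiles each entry under the scheme, wildcard and port rules in the table, rejects the unsupported inputs listed above, and applies the precedence described under Manage restricted web sites (the always-allowed Microsoft sites first, then the allow list alone if one is defined, otherwise the block list). It assumes, as a simplification of the page's path rule, that a path wildcard is only accepted as a trailing /* segment.

```python
import re

DEFAULT_PORTS = {"http": 80, "https": 443}
_LABEL = r"[a-z0-9-]+"
# scheme://host[:port][/path]; a bare host such as "www.contoso.com" does not match
_URL_RE = re.compile(
    r"^(?P<scheme>https?)://(?P<host>[^/:]+)(?::(?P<port>[^/]*))?(?P<path>/.*)?$")
# Sites the page lists as always allowed, regardless of either list.
ALWAYS_ALLOWED = (
    "https://*.microsoft.com/*", "http://*.microsoft.com/*", "https://microsoft.com/*",
    "http://microsoft.com/*", "https://*.windowsazure.com/*",
    "https://*.microsoftonline.com/*", "https://*.microsoftonline-p.com/*")


class PatternError(ValueError):
    """An entry the list rules reject (no scheme, IP address, bad wildcard ...)."""


def _split(text):
    """Parse into (scheme, host, port, path); the port defaults to 80/443."""
    text = text.strip()
    m = _URL_RE.match(text)
    if not m or " " in text:
        raise PatternError(f"must start with http:// or https://: {text!r}")
    scheme, host, port, path = m.group("scheme", "host", "port", "path")
    if port and not port.isdigit():  # ":*" and ": /*" are unsupported
        raise PatternError(f"port must be numeric: {text!r}")
    return scheme, host.lower(), int(port) if port else DEFAULT_PORTS[scheme], path or "/"


def _host_regex(host):
    """Page rules: '*' may only lead the first label, either as a whole label
    ('*.contoso.com') or as a portion of it ('*contoso.com')."""
    if host.count("*") > 1 or ("*" in host and not host.startswith("*")):
        raise PatternError(f"unsupported wildcard placement: {host!r}")
    whole_label = host.startswith("*.")
    literal = host[2:] if whole_label else host.lstrip("*")
    # The fixed part must be a real domain name: rejects '*', '*.com', '*.contoso'
    if not re.fullmatch(rf"{_LABEL}(?:\.{_LABEL})+", literal):
        raise PatternError(f"host must be a domain name: {host!r}")
    if re.fullmatch(r"[0-9.]+", literal):
        raise PatternError(f"IP addresses are not supported: {host!r}")
    if "*" not in host:
        return re.escape(literal)
    if whole_label:  # one or more complete labels, then the domain
        return rf"(?:{_LABEL}\.)+{re.escape(literal)}"
    return rf"[a-z0-9-]*{re.escape(literal)}"  # part of the first label, no dots


def _path_regex(path):
    """Assumption (a simplification of the page's path rule): only a trailing
    '/*' (the folder and all subfolders) may carry a wildcard."""
    if path.endswith("/*"):
        prefix = path[:-2]
        if "*" in prefix:
            raise PatternError(f"wildcard inside a path segment: {path!r}")
        return re.escape(prefix) + r"(?:/.*)?"
    if "*" in path:  # '/*images', '/page*' are listed as unsupported
        raise PatternError(f"wildcard inside a path segment: {path!r}")
    return re.escape(path.rstrip("/")) + "/?"  # exactly this page or folder


def compile_pattern(pattern):
    """Compile one list entry into (scheme, port, regex over host+path)."""
    scheme, host, port, path = _split(pattern)
    return scheme, port, re.compile(_host_regex(host) + _path_regex(path))


def is_valid_pattern(pattern):
    try:
        compile_pattern(pattern)
    except PatternError:
        return False
    return True


def matches(pattern, url):
    """True when url (given with its scheme) falls under pattern."""
    scheme, port, rx = compile_pattern(pattern)
    u_scheme, u_host, u_port, u_path = _split(url)
    u_path = u_path.split("?", 1)[0].split("#", 1)[0]  # query/fragment do not count
    return scheme == u_scheme and port == u_port and rx.fullmatch(u_host + u_path) is not None


def parse_list(value):
    """Split a pipe-separated AllowListURLs/BlockListURLs value into validated entries."""
    entries = [e.strip() for e in value.split("|") if e.strip()]
    for entry in entries:
        compile_pattern(entry)
    return entries


def is_permitted(url, allow_list=(), block_list=()):
    """Precedence as the page states it: always-allowed sites first; when an
    allow list is defined only it is honoured; otherwise the block list applies."""
    if any(matches(p, url) for p in ALWAYS_ALLOWED):
        return True
    if allow_list:
        return any(matches(p, url) for p in allow_list)
    return not any(matches(p, url) for p in block_list)
```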

Manage proxy configuration

You can use Edge for iOS and Android and Azure AD Application Proxy together to give users access to intranet sites on
their mobile devices. For example:
A user is using the Outlook mobile app, which is protected by Intune. They then click a link to an intranet site in an
email, and Edge for iOS and Android recognizes that this intranet site has been exposed to the user through
Application Proxy. The user is automatically routed through Application Proxy, to authenticate with any applicable
multi-factor authentication and Conditional Access, before reaching the intranet site. The user is now able to access
internal sites, even on their mobile devices, and the link in Outlook works as expected.
A user opens Edge for iOS and Android on their iOS or Android device. If Edge for iOS and Android is protected with
Intune, and Application Proxy is enabled, the user can go to an intranet site by using the internal URL they are used to.
Edge for iOS and Android recognizes that this intranet site has been exposed to the user through Application Proxy.
The user is automatically routed through Application Proxy, to authenticate before reaching the intranet site.
Before you start:
Set up your internal applications through Azure AD Application Proxy.
To configure Application Proxy and publish applications, see the setup documentation.
The Edge for iOS and Android app must have an Intune app protection policy assigned.
Microsoft apps must have an app protection policy that has the Restrict web content transfer with other apps data
transfer setting set to Microsoft Edge.

NOTE
Updated Application Proxy redirection data can take up to 24 hours to take effect in Edge for iOS and Android.

Target Edge for iOS with the following key/value pair, to enable Application Proxy:

Key: com.microsoft.intune.mam.managedbrowser.AppProxyRedirection
Value: true enables Azure AD App Proxy redirection scenarios
       false (default) prevents Azure AD App Proxy scenarios

NOTE
Edge for Android does not consume this key. Instead, Edge for Android consumes Azure AD Application Proxy configuration
automatically as long as the signed-in Azure AD account has an App Protection Policy applied.

For more information about how to use Edge for iOS and Android and Azure AD Application Proxy in tandem for
seamless (and protected) access to on-premises web apps, see Better together: Intune and Azure Active Directory team up
to improve user access. This blog post references the Intune Managed Browser, but the content applies to Edge for iOS
and Android as well.
Manage NTLM single sign-on sites
Organizations may require users to authenticate with NTLM to access intranet web sites. By default, users are prompted to
enter credentials each time they access a web site that requires NTLM authentication as NTLM credential caching is
disabled.
Organizations can enable NTLM credential caching for particular web sites. For these sites, after the user enters
credentials and successfully authenticates, the credentials are cached by default for 30 days.

Key: com.microsoft.intune.mam.managedbrowser.NTLMSSOURLs
Value: The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow as a single
       value, separated by a pipe | character.
       Examples:
       URL1|URL2
       http://app.contoso.com/|https://expenses.contoso.com
       For more information on the types of URL formats that are supported, see URL formats for allowed and blocked
       site list.

Key: com.microsoft.intune.mam.managedbrowser.durationOfNTLMSSO
Value: Number of hours to cache credentials, default is 720 hours

Deploy app configuration scenarios with Microsoft Endpoint Manager

If you are using Microsoft Endpoint Manager as your mobile app management provider, the following steps allow you to
create a managed apps app configuration policy. After the configuration is created, you can assign its settings to groups of
users.
1. Sign into Microsoft Endpoint Manager.
2. Select Apps and then select App configuration policies.
3. On the App Configuration policies blade, choose Add and select Managed apps.
4. On the Basics section, enter a Name, and optional Description for the app configuration settings.
5. For Public apps, choose Select public apps, and then, on the Targeted apps blade, choose Edge for iOS and
Android by selecting both the iOS and Android platform apps. Click Select to save the selected public apps.
6. Click Next to complete the basic settings of the app configuration policy.
7. On the Settings section, expand the Edge configuration settings.
8. If you want to manage the data protection settings, configure the desired settings accordingly:
For Application proxy redirection, choose from the available options: Enable, Disable (default).
For Homepage shortcut URL, specify a valid URL that includes the prefix of either http:// or https://.
Incorrect URLs are blocked as a security measure.
For Managed bookmarks, specify the title and a valid URL that includes the prefix of either http:// or
https://.
For Allowed URLs, specify a valid URL (only these URLs are allowed; no other sites can be accessed). For
more information on the types of URL formats that are supported, see URL formats for allowed and blocked
site list.
For Blocked URLs, specify a valid URL (only these URLs are blocked). For more information on the types of
URL formats that are supported, see URL formats for allowed and blocked site list.
For Redirect restricted sites to personal context, choose from the available options: Enable (default),
Disable.

NOTE
When both Allowed URLs and Blocked URLs are defined in the policy, only the allowed list is honored.

9. If you want additional app configuration settings not exposed in the above policy, expand the General
configuration settings node and enter the key/value pairs accordingly.
10. When you are finished configuring the settings, choose Next .
11. On the Assignments section, choose Select groups to include . Select the Azure AD group to which you want to
assign the app configuration policy, and then choose Select .
12. When you are finished with the assignments, choose Next .
13. On the Create app configuration policy Review + Create blade, review the settings configured and choose
Create .
The newly created configuration policy is displayed on the App configuration blade.
Use Edge for iOS and Android to access managed app logs
Users with Edge for iOS and Android installed on their iOS or Android device can view the management status of all
Microsoft published apps. They can send logs for troubleshooting their managed iOS or Android apps by using the
following steps:
1. Open Edge for iOS and Android on your device.
2. Type about:intunehelp in the address box.
3. Edge for iOS and Android launches troubleshooting mode.
For a list of the settings stored in the app logs, see Review client app protection logs.
To see how to view logs on Android devices, see Send logs to your IT admin by email.

Next steps
What are app protection policies?
App configuration policies for Microsoft Intune
Manage collaboration experiences using Office for iOS and Android with Microsoft Intune
9/4/2020 • 8 minutes to read

Office for iOS and Android delivers several key benefits including:
Combining Word, Excel, and PowerPoint in a way that simplifies the experience with fewer apps to download or
switch between. It requires far less phone storage than installing individual apps while maintaining virtually all
the capabilities of the existing mobile apps people already know and use.
Integrating Office Lens technology to unlock the power of the camera with capabilities like converting images
into editable Word and Excel documents, scanning PDFs, and capturing whiteboards with automatic digital
enhancements to make the content easier to read.
Adding new functionality for common tasks people often encounter when working on a phone—things like
making quick notes, signing PDFs, scanning QR codes, and transferring files between devices.
The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the
Enterprise Mobility + Security suite, which includes Microsoft Intune and Azure Active Directory Premium features,
such as conditional access. At a minimum, you will want to deploy a conditional access policy that allows
connectivity to Office for iOS and Android from mobile devices and an Intune app protection policy that ensures
the collaboration experience is protected.

Apply Conditional Access

Organizations can use Azure AD Conditional Access policies to ensure that users can only access work or
school content using Office for iOS and Android. To do this, you will need a conditional access policy that targets all
potential users. Details on creating this policy can be found in Require app protection policy for cloud app access
with Conditional Access.
1. Follow "Step 1: Configure an Azure AD Conditional Access policy for Office 365" in Scenario 1: Office 365
apps require approved apps with app protection policies, which allows Office for iOS and Android, but
blocks third-party OAuth capable mobile device clients from connecting to Office 365 endpoints.

NOTE
This policy ensures mobile users can access all Office endpoints using the applicable apps.

Create Intune app protection policies

App Protection Policies (APP) define which apps are allowed and the actions they can take with your organization's
data. The choices available in APP enable organizations to tailor the protection to their specific needs. For some, it
may not be obvious which policy settings are required to implement a complete scenario. To help organizations
prioritize mobile client endpoint hardening, Microsoft has introduced a taxonomy for its APP data protection
framework for iOS and Android mobile app management.
The APP data protection framework is organized into three distinct configuration levels, with each level building off
the previous level:
Enterprise basic data protection (Level 1) ensures that apps are protected with a PIN and encrypted and
performs selective wipe operations. For Android devices, this level validates Android device attestation. This is
an entry level configuration that provides similar data protection control in Exchange Online mailbox policies
and introduces IT and the user population to APP.
Enterprise enhanced data protection (Level 2) introduces APP data leakage prevention mechanisms and
minimum OS requirements. This is the configuration that is applicable to most mobile users accessing work or
school data.
Enterprise high data protection (Level 3) introduces advanced data protection mechanisms, enhanced PIN
configuration, and APP Mobile Threat Defense. This configuration is desirable for users that are accessing high
risk data.
To see the specific recommendations for each configuration level and the minimum apps that must be protected,
review Data protection framework using app protection policies.
Regardless of whether the device is enrolled in a unified endpoint management (UEM) solution, an Intune app
protection policy needs to be created for both iOS and Android apps, using the steps in How to create and assign
app protection policies. These policies, at a minimum, must meet the following conditions:
1. They include all Microsoft 365 mobile applications, such as Edge, Outlook, OneDrive, Office, or Teams, as this
ensures that users can access and manipulate work or school data within any Microsoft app in a secure
fashion.
2. They are assigned to all users. This ensures that all users are protected, regardless of whether they use Office
for iOS or Android.
3. Determine which framework level meets your requirements. Most organizations should implement the
settings defined in Enterprise enhanced data protection (Level 2) as that enables data protection and
access requirements controls.
For more information on the available settings, see Android app protection policy settings and iOS app protection
policy settings.

IMPORTANT
To apply Intune app protection policies against apps on Android devices that are not enrolled in Intune, the user must also
install the Intune Company Portal. For more information, see What to expect when your Android app is managed by app
protection policies.

Utilize app configuration

Office for iOS and Android supports app settings that allow unified endpoint management (UEM) administrators, for
example those using Microsoft Endpoint Manager, to customize the behavior of the app.
App configuration can be delivered either through the mobile device management (MDM) OS channel on enrolled
devices (Managed App Configuration channel for iOS or the Android in the Enterprise channel for Android) or
through the Intune App Protection Policy (APP) channel. Office for iOS and Android supports the following
configuration scenarios:
Only allow work or school accounts
General app configuration
Data protection settings
IMPORTANT
For configuration scenarios that require device enrollment on Android, the devices must be enrolled in Android Enterprise
and Office for Android must be deployed via the Managed Google Play store. For more information, see Set up enrollment of
Android Enterprise work profile devices and Add app configuration policies for managed Android Enterprise devices.

Each configuration scenario highlights its specific requirements. For example, whether the configuration scenario
requires device enrollment, and thus works with any UEM provider, or requires Intune App Protection Policies.

NOTE
With Microsoft Endpoint Manager, app configuration delivered through the MDM OS channel is referred to as a Managed
Devices App Configuration Policy (ACP); app configuration delivered through the App Protection Policy channel is referred to
as a Managed Apps App Configuration Policy.

Only allow work or school accounts

Respecting the data security and compliance policies of our largest and most highly regulated customers is a key pillar of
the Microsoft 365 value. Some companies have a requirement to capture all communications information within
their corporate environment, as well as to ensure the devices are only used for corporate communications. To support
these requirements, Office for Android on enrolled devices can be configured to only allow a single corporate
account to be provisioned within the app.
You can learn more about configuring the org allowed accounts mode setting here:
Android setting
This configuration scenario only works with enrolled devices. However, any UEM provider is supported. If you are
not using Microsoft Endpoint Manager, you need to consult with your UEM documentation on how to deploy these
configuration keys.

NOTE
At this time, only Office for Android supports org allowed accounts mode.

General app configuration scenarios

Office for iOS and Android offers administrators the ability to customize the default configuration for several
in-app settings. This capability is offered for both enrolled devices via any UEM provider and for devices that are not
enrolled when Office for iOS and Android has an Intune App Protection Policy applied.

NOTE
If an App Protection Policy is targeted to the users, the recommendation is to deploy the general app configuration settings
in a Managed Apps enrollment model. This ensures the App Configuration Policy is deployed to both enrolled devices and
unenrolled devices.

Office supports the following settings for configuration:


Manage the creation of Sticky Notes
Manage the creation of Sticky Notes
By default, Office for iOS and Android enables users to create Sticky Notes. For users with Exchange Online
mailboxes, the notes are synchronized into the user's mailbox. For users with on-premises mailboxes, these notes
are only stored on the local device.

Key: com.microsoft.office.NotesCreationEnabled
Value: true (default) enables Sticky Notes creation for the work or school account; false disables Sticky Notes
creation for the work or school account.

Data protection app configuration scenarios


Office for iOS and Android supports app configuration policies for the following data protection settings when the
app is managed by Microsoft Endpoint Manager with an Intune App Protection Policy applied to the work or school
account that is signed into the app:
Manage file transfers via Transfer Files action
Manage file transfers via Share Nearby action
These settings can be deployed to the app regardless of device enrollment status.
Manage file transfers
By default, Office for iOS and Android enables users to share content using a variety of mechanisms:
If the file is hosted in OneDrive or SharePoint, users can initiate a share request directly within the file.
Users can transfer files to desktop systems using the Transfer Files action.
Users can share files to nearby mobile devices using the Share Nearby action.
The Transfer Files and Share Nearby actions only work with media, local files, and files that are not protected by
an App Protection Policy.

Key: com.microsoft.office.ShareNearby.IsAllowed.IntuneMAMOnly
Value: true (default) enables the Share Nearby feature for the work or school account; false disables the Share
Nearby feature for the work or school account.

Key: com.microsoft.office.TransferFiles.IsAllowed.IntuneMAMOnly
Value: true (default) enables the Transfer Files feature for the work or school account; false disables the Transfer
Files feature for the work or school account.

Deploy app configuration scenarios with Microsoft Endpoint Manager


If you are using Microsoft Endpoint Manager as your mobile app management provider, see Add app configuration
policies for managed apps without device enrollment on how to create a managed apps app configuration policy
for the data protection app configuration scenarios. After the configuration is created, you can assign the policy to
groups of users.

Next steps
What are app protection policies?
App configuration policies for Microsoft Intune
Manage messaging collaboration access by using
Outlook for iOS and Android with Microsoft Intune
9/4/2020 • 4 minutes to read

The Outlook for iOS and Android app is designed to enable users in your organization to do more from their
mobile devices, by bringing together email, calendar, contacts, and other files.
The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the
Enterprise Mobility + Security suite, which includes Microsoft Intune and Azure Active Directory Premium features,
such as conditional access. At a minimum, you will want to deploy a conditional access policy that allows
connectivity to Outlook for iOS and Android from mobile devices and an Intune app protection policy that ensures
the collaboration experience is protected.

Apply Conditional Access


Organizations can use Azure AD Conditional Access policies to ensure that users can only access work or
school content using Outlook for iOS and Android. To do this, you will need a conditional access policy that targets
all potential users. Details on creating this policy can be found in Require app protection policy for cloud app access
with Conditional Access.
1. Follow "Step 1: Configure an Azure AD Conditional Access policy for Office 365" in Scenario 1: Office 365
apps require approved apps with app protection policies, which allows Outlook for iOS and Android, but
blocks OAuth capable Exchange ActiveSync clients from connecting to Exchange Online.

NOTE
This policy ensures mobile users can access all Office endpoints using the applicable apps.

2. Follow "Step 2: Configure an Azure AD Conditional Access policy for Exchange Online with ActiveSync (EAS)"
in Scenario 1: Office 365 apps require approved apps with app protection policies, which prevents Exchange
ActiveSync clients leveraging basic authentication from connecting to Exchange Online.
The above policies leverage the grant control Require app protection policy, which ensures that an Intune
App Protection Policy is applied to the associated account within Outlook for iOS and Android prior to
granting access. If the user isn't assigned to an Intune App Protection Policy, isn't licensed for Intune, or the
app isn't included in the Intune App Protection Policy, then the policy prevents the user from obtaining an
access token and gaining access to messaging data.
3. Finally, follow How to: Block legacy authentication to Azure AD with Conditional Access to block legacy
authentication for other Exchange protocols on iOS and Android devices; this policy should target only
Microsoft Exchange Online cloud app and iOS and Android device platforms. This ensures mobile apps using
Exchange Web Services, IMAP4, or POP3 protocols with basic authentication cannot connect to Exchange
Online.

Create Intune app protection policies


App Protection Policies (APP) define which apps are allowed and the actions they can take with your organization's
data. The choices available in APP enable organizations to tailor the protection to their specific needs. For some, it
may not be obvious which policy settings are required to implement a complete scenario. To help organizations
prioritize mobile client endpoint hardening, Microsoft has introduced taxonomy for its APP data protection
framework for iOS and Android mobile app management.
The APP data protection framework is organized into three distinct configuration levels, with each level building off
the previous level:
Enterprise basic data protection (Level 1) ensures that apps are protected with a PIN and encrypted and
performs selective wipe operations. For Android devices, this level validates Android device attestation. This is
an entry level configuration that provides similar data protection control in Exchange Online mailbox policies
and introduces IT and the user population to APP.
Enterprise enhanced data protection (Level 2) introduces APP data leakage prevention mechanisms and
minimum OS requirements. This is the configuration that is applicable to most mobile users accessing work or
school data.
Enterprise high data protection (Level 3) introduces advanced data protection mechanisms, enhanced PIN
configuration, and APP Mobile Threat Defense. This configuration is desirable for users that are accessing high
risk data.
To see the specific recommendations for each configuration level and the minimum apps that must be protected,
review Data protection framework using app protection policies.
Regardless of whether the device is enrolled in a unified endpoint management (UEM) solution, an Intune app
protection policy needs to be created for both iOS and Android apps, using the steps in How to create and assign
app protection policies. These policies, at a minimum, must meet the following conditions:
1. They include all Microsoft 365 mobile applications, such as Edge, Outlook, OneDrive, Office, or Teams, as this
ensures that users can access and manipulate work or school data within any Microsoft app in a secure
fashion.
2. They are assigned to all users. This ensures that all users are protected, regardless of whether they use
Outlook for iOS or Android.
3. Determine which framework level meets your requirements. Most organizations should implement the
settings defined in Enterprise enhanced data protection (Level 2) as that enables data protection and
access requirements controls.
For more information on the available settings, see Android app protection policy settings and iOS app protection
policy settings.

IMPORTANT
To apply Intune app protection policies against apps on Android devices that are not enrolled in Intune, the user must also
install the Intune Company Portal. For more information, see What to expect when your Android app is managed by app
protection policies.

Utilize app configuration


Outlook for iOS and Android supports app settings that allow unified endpoint management (UEM) administrators,
such as those using Microsoft Endpoint Manager, to customize the behavior of the app.
App configuration can be delivered either through the mobile device management (MDM) OS channel on enrolled
devices (Managed App Configuration channel for iOS or the Android in the Enterprise channel for Android) or
through the Intune App Protection Policy (APP) channel. Outlook for iOS and Android supports the following
configuration scenarios:
Only allow work or school accounts
General app configuration settings
S/MIME settings
Data protection settings
For specific procedural steps and detailed documentation on the app configuration settings Outlook for iOS and
Android supports, see Deploying Outlook for iOS and Android app configuration settings.

Next steps
What are app protection policies?
App configuration policies for Microsoft Intune
Manage team collaboration access by using Teams
for iOS and Android with Microsoft Intune
9/4/2020 • 5 minutes to read

Microsoft Teams is the hub for team collaboration in Microsoft 365 that integrates the people, content, and tools
your team needs to be more engaged and effective.
The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the
Enterprise Mobility + Security suite, which includes Microsoft Intune and Azure Active Directory Premium features,
such as conditional access. At a minimum, you will want to deploy a conditional access policy that allows
connectivity to Teams for iOS and Android from mobile devices and an Intune app protection policy that ensures
the collaboration experience is protected.

Apply Conditional Access


Organizations can use Azure AD Conditional Access policies to ensure that users can only access work or
school content using Teams for iOS and Android. To do this, you will need a conditional access policy that targets all
potential users. Details on creating this policy can be found in Require app protection policy for cloud app access
with Conditional Access.
1. Follow "Step 1: Configure an Azure AD Conditional Access policy for Office 365" in Scenario 1: Office 365
apps require approved apps with app protection policies, which allows Teams for iOS and Android, but
blocks third-party OAuth capable mobile device clients from connecting to Office 365 endpoints.

NOTE
This policy ensures mobile users can access all Office endpoints using the applicable apps.

Create Intune app protection policies


App Protection Policies (APP) define which apps are allowed and the actions they can take with your organization's
data. The choices available in APP enable organizations to tailor the protection to their specific needs. For some, it
may not be obvious which policy settings are required to implement a complete scenario. To help organizations
prioritize mobile client endpoint hardening, Microsoft has introduced taxonomy for its APP data protection
framework for iOS and Android mobile app management.
The APP data protection framework is organized into three distinct configuration levels, with each level building off
the previous level:
Enterprise basic data protection (Level 1) ensures that apps are protected with a PIN and encrypted and
performs selective wipe operations. For Android devices, this level validates Android device attestation. This is
an entry level configuration that provides similar data protection control in Exchange Online mailbox policies
and introduces IT and the user population to APP.
Enterprise enhanced data protection (Level 2) introduces APP data leakage prevention mechanisms and
minimum OS requirements. This is the configuration that is applicable to most mobile users accessing work or
school data.
Enterprise high data protection (Level 3) introduces advanced data protection mechanisms, enhanced PIN
configuration, and APP Mobile Threat Defense. This configuration is desirable for users that are accessing high
risk data.
To see the specific recommendations for each configuration level and the minimum apps that must be protected,
review Data protection framework using app protection policies.
Regardless of whether the device is enrolled in a unified endpoint management (UEM) solution, an Intune app
protection policy needs to be created for both iOS and Android apps, using the steps in How to create and assign
app protection policies. These policies, at a minimum, must meet the following conditions:
1. They include all Microsoft 365 mobile applications, such as Edge, Outlook, OneDrive, Office, or Teams, as this
ensures that users can access and manipulate work or school data within any Microsoft app in a secure
fashion.
2. They are assigned to all users. This ensures that all users are protected, regardless of whether they use
Teams for iOS or Android.
3. Determine which framework level meets your requirements. Most organizations should implement the
settings defined in Enterprise enhanced data protection (Level 2) as that enables data protection and
access requirements controls.
For more information on the available settings, see Android app protection policy settings and iOS app protection
policy settings.

IMPORTANT
To apply Intune app protection policies against apps on Android devices that are not enrolled in Intune, the user must also
install the Intune Company Portal. For more information, see What to expect when your Android app is managed by app
protection policies.

Utilize app configuration


Teams for iOS and Android supports app settings that allow unified endpoint management (UEM) administrators,
such as those using Microsoft Endpoint Manager, to customize the behavior of the app.
App configuration can be delivered either through the mobile device management (MDM) OS channel on enrolled
devices (Managed App Configuration channel for iOS or the Android in the Enterprise channel for Android) or
through the Intune App Protection Policy (APP) channel. Teams for iOS and Android supports the following
configuration scenarios:
Only allow work or school accounts

IMPORTANT
For configuration scenarios that require device enrollment on Android, the devices must be enrolled in Android Enterprise
and Teams for Android must be deployed via the Managed Google Play store. For more information, see Set up enrollment of
Android Enterprise work profile devices and Add app configuration policies for managed Android Enterprise devices.

Each configuration scenario highlights its specific requirements. For example, whether the configuration scenario
requires device enrollment, and thus works with any UEM provider, or requires Intune App Protection Policies.

NOTE
With Microsoft Endpoint Manager, app configuration delivered through the MDM OS channel is referred to as a Managed
Devices App Configuration Policy (ACP); app configuration delivered through the App Protection Policy channel is referred to
as a Managed Apps App Configuration Policy.
Only allow work or school accounts
Respecting the data security and compliance policies of our largest and highly regulated customers is a key pillar of
the Microsoft 365 value. Some companies have a requirement to capture all communications information within
their corporate environment, as well as to ensure the devices are only used for corporate communications. To support
these requirements, Teams for iOS and Android on enrolled devices can be configured to only allow a single
corporate account to be provisioned within the app.
You can learn more about configuring the org allowed accounts mode setting here:
Android setting
iOS setting
This configuration scenario only works with enrolled devices. However, any UEM provider is supported. If you are
not using Microsoft Endpoint Manager, you need to consult with your UEM documentation on how to deploy these
configuration keys.

Next steps
What are app protection policies?
App configuration policies for Microsoft Intune
Configure Google Chrome for Android devices using
Intune
9/4/2020 • 2 minutes to read

You can use an Intune app configuration policy to configure Google Chrome for Android devices. The settings for
the app can be automatically applied. For example, you can specifically set the bookmarks and the URLs that you
would like to block or allow.

Prerequisites
The user's Android Enterprise device must be enrolled in Intune. For more information, see Set up enrollment of
Android Enterprise work profile devices.
Google Chrome is added as a Managed Google Play app. For more information about Managed Google Play, see
Connect your Intune account to your Managed Google Play account.

Add the Google Chrome app to Intune


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add then add the Managed Google Play app.
3. Go to Managed Google Play, search for Google Chrome, and approve it.

4. Assign Google Chrome to a user group as a required app type. Google Chrome will be deployed
automatically when the device is enrolled into Intune.
For additional details about adding a Managed Google Play app to Intune, see Managed Google Play store apps.

Add app configuration for managed AE devices


1. From the Microsoft Endpoint Manager admin center, select Apps > App configuration policies > Add >
Managed devices .
2. Set the following details:
Name - The name of the profile that appears in the Azure portal.
Description - The description of the profile that appears in the Azure portal.
Device enrollment type - This setting is set to Managed devices .
Platform - Select Android .

3. Click Associated app to display the Associated app pane. Find and select Google Chrome . This list
contains Managed Google Play apps that you've approved and synchronized with Intune.

4. Click Configuration settings , select Use configuration designer , and then click Add to select the
configuration keys.

Below is an example of common settings:


Block access to a list of URLs : ["*"]
Allow access to a list of URLs : ["baidu.com", "youtube.com", "chromium.org", "chrome://*"]
Managed Bookmarks :
[{"toplevel_name": "My managed bookmarks folder" }, {"url": "baidu.com", "name": "Baidu"}, {"url":
"youtube.com", "name": "Youtube"}, {"name": "Chrome links", "children": [{"url": "chromium.org",
"name": "Chromium"}, {"url": "dev.chromium.org", "name": "Chromium Developers"}]}]
Incognito mode availability : Incognito mode disabled
Once the configuration settings are added using the configuration designer, they will be listed in a table.

The above settings create bookmarks and block access to all URLs except baidu.com , youtube.com ,
chromium.org , and chrome:// (the hosts and scheme listed in Allow access to a list of URLs).

5. Click OK and Add to add your configuration policy to Intune.


6. Assign this configuration policy to a user group. For more information, see Assign apps to groups with
Microsoft Intune.
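As an added example that is not part of the Intune documentation, the following Python script checks the Chrome configuration above offline before it is assigned: it models Chrome's URL filter matching in simplified form (assumption: a URLAllowlist match overrides a URLBlocklist match, and an unmatched URL is allowed) and confirms that every managed bookmark is still reachable under the block/allow lists, which is the mistake most likely to generate user tickets.

```python
"""Offline check of a Chrome for Android managed configuration (added example).

Assumed here, as a simplified model of Chrome's URL filtering: a URLAllowlist match
overrides a URLBlocklist match, and a URL that matches neither list is allowed.
Pattern syntax handled: [scheme://][.]host[:port][/path] and the "*" catch-all;
the @query form and "most specific filter wins" tie-breaking are not modelled.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: the values entered in the configuration designer example above.
CHROME_CONFIG = {
    "URLBlocklist": ["*"],
    "URLAllowlist": ["baidu.com", "youtube.com", "chromium.org", "chrome://*"],
    "ManagedBookmarks": json.loads(
        '[{"toplevel_name": "My managed bookmarks folder"}, '
        '{"url": "baidu.com", "name": "Baidu"}, {"url": "youtube.com", "name": "Youtube"}, '
        '{"name": "Chrome links", "children": [{"url": "chromium.org", "name": "Chromium"}, '
        '{"url": "dev.chromium.org", "name": "Chromium Developers"}]}]'
    ),
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_pattern(pattern):
    """Split a Chrome URL filter into (scheme, exact_host, host, port, path)."""
    scheme, rest = None, pattern
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
    exact_host = rest.startswith(".")        # leading dot: this host only, no subdomains
    host_port, _, path = rest.lstrip(".").partition("/")
    host, _, port = host_port.partition(":")
    return scheme, exact_host, host.lower(), port or None, ("/" + path) if path else None


def _split_url(url):
    """Parse a URL; bookmark entries such as "baidu.com" carry no scheme, so assume https."""
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme.lower(), (parts.hostname or "").lower(), port, parts.path or "/"


def pattern_matches(pattern, url):
    """True if one Chrome URL filter pattern covers the given URL."""
    scheme, exact_host, host, port, path = parse_pattern(pattern)
    u_scheme, u_host, u_port, u_path = _split_url(url)
    if scheme and scheme != u_scheme:
        return False
    if host != "*":
        # The suffix check includes the dot, so youtube.com.evil.test never matches youtube.com.
        subdomain = (not exact_host) and u_host.endswith("." + host)
        if u_host != host and not subdomain:
            return False
    if port and str(u_port) != port:
        return False
    if path and not u_path.startswith(path):
        return False
    return True


def is_url_allowed(url, config=CHROME_CONFIG):
    """Apply the simplified allowlist-over-blocklist rule to one URL."""
    if any(pattern_matches(p, url) for p in config.get("URLAllowlist", [])):
        return True
    return not any(pattern_matches(p, url) for p in config.get("URLBlocklist", []))


def _bookmark_urls(entries):
    for entry in entries:
        if "url" in entry:
            yield entry["url"]
        yield from _bookmark_urls(entry.get("children", []))


def unreachable_bookmarks(config=CHROME_CONFIG):
    """Bookmarks the same policy would block: a deployment mistake if non-empty."""
    return [u for u in _bookmark_urls(config["ManagedBookmarks"]) if not is_url_allowed(u, config)]


if __name__ == "__main__":
    for probe in ("https://www.youtube.com/watch", "https://example.com/", "chrome://policy"):
        print(probe, "allowed" if is_url_allowed(probe) else "blocked")
    print("blocked bookmarks:", unreachable_bookmarks())
```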

Verify the device settings


Once the Android device is enrolled with Android Enterprise, the managed Google Chrome app with the portfolio
icon will be deployed automatically.
Launch Google Chrome and you will find the settings applied.
Bookmarks:
Blocked URL:
Allow URL:
Incognito tab:
Troubleshooting
1. Check the Intune portal to monitor the policy deployment status.

2. Launch Google Chrome and visit chrome://policy to confirm that the settings were applied successfully.
Additional information
Add app configuration policies for managed Android Enterprise devices
Chrome Enterprise policy list

Next steps
For more information about Android Enterprise fully managed devices, see Set up Intune enrollment of Android
Enterprise fully managed devices.
Use a VPN and per-app VPN policy on Android
Enterprise devices in Microsoft Intune
9/4/2020 • 8 minutes to read

Virtual private networks (VPN) allow users to access organization resources remotely, including from home, hotels,
cafes, and more. In Microsoft Intune, you can configure VPN client apps on Android Enterprise devices using an app
configuration policy. Then, deploy this policy with its VPN configuration to devices in your organization.
You can also create VPN policies that are used by specific apps. This feature is called per-app VPN. When the app is
active, it can connect to the VPN, and access resources through the VPN. When the app isn't active, the VPN isn't
used.
This feature applies to:
Android Enterprise
There are two ways to build the app configuration policy for your VPN client app:
Configuration designer
JSON data
This article shows you how to create a per-app VPN and VPN app configuration policy using both options.

NOTE
Many of the VPN client configuration parameters are similar. But, each app has its unique keys and options. Consult with your
VPN vendor if you have questions.

Before you begin


Android doesn't automatically trigger a VPN client connection when an app opens. The VPN connection
must be started manually. Or, you can use always-on VPN to start the connection.
The following VPN clients support Intune app configuration policies:
Cisco AnyConnect
Citrix SSO
F5 Access
Palo Alto Networks GlobalProtect
Pulse Secure
SonicWall Mobile Connect
When you create the VPN policy in Intune, you'll select different keys to configure. These key names vary
with the different VPN client apps. So, the key names in your environment may be different than the
examples in this article.
The Configuration designer and JSON data can successfully use certificate-based authentication. If VPN
authentication requires client certificates, then create the certificate profiles before you create the VPN
policy. The VPN app configuration policies use the values from the certificate profiles.
Android Enterprise work profile devices support SCEP and PKCS certificates. Android Enterprise fully
managed, dedicated, and corporate-owned work profile devices only support SCEP certificates. For more
information, see Use certificates for authentication in Microsoft Intune.

Per-app VPN overview


When creating and testing per-app VPN, the basic flow includes the following steps:
1. Select the VPN client application. Before you begin (in this article) lists the supported apps.
2. Get the application package IDs of the apps that will use the VPN connection. Get the app package ID (in this
article) shows you how.
3. If you use certificates to authenticate the VPN connection, then create and deploy the certificate profiles before
you deploy the VPN policy. Make sure the certificate profiles deploy successfully. For more information, see Use
certificates for authentication in Microsoft Intune.
4. Add the VPN client application to Intune, and deploy the app to your users and devices.
5. Create the VPN app configuration policy. Use the app package IDs and certificate information in the policy.
6. Deploy the new VPN policy.
7. Confirm the VPN client app successfully connects to your VPN server.
8. When the app is active, confirm that traffic from your app successfully goes through the VPN.

Get the app package ID


Get the package ID for each application that will use the VPN. For publicly available applications, you can get the
app package ID in the Google Play store. The displayed URL for each application includes the package ID.
In the following example, the package ID of the Microsoft Edge browser app is com.microsoft.emmx . The package ID
is part of the URL:

For Line of Business (LOB) apps, get the package ID from the vendor or application developer.

Certificates
This article assumes your VPN connection uses certificate-based authentication. It also assumes you successfully
deployed all the certificates in the chain needed for clients to successfully authenticate. Typically, this certificate
chain includes the client certificate, any intermediate certificates, and the root certificate.
For more information on certificates, see Use certificates for authentication in Microsoft Intune.
When your client authentication certificate profile is deployed, it creates a certificate token in the certificate profile.
This token is used to create the VPN app configuration policy.
If you’re not familiar with creating app configuration policies, see Add app configuration policies for managed
Android Enterprise devices.

Use the Configuration Designer


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > App configuration policies > Add > Managed devices .
3. In Basics , enter the following properties:
Name : Enter a descriptive name for the policy. Name your policies so you can easily identify them
later. For example, a good policy name is App config policy: Cisco AnyConnect VPN policy for
Android Enterprise work profile devices .
Description : Enter a description for the policy. This setting is optional, but recommended.
Platform : Select Android Enterprise .
Profile type : Your options:
All profile types : This option supports username and password authentication. If you use
certificate-based authentication, don't use this option.
Fully Managed, Dedicated, and Corporate-Owned work profile only : This option supports
certificate-based authentication, and username and password authentication.
Work Profile Only : This option supports certificate-based authentication, and username and
password authentication.
Targeted app : Select the VPN client app you previously added. In the following example, the Cisco
AnyConnect VPN client app is used:

4. Select Next .
5. In Settings , enter the following properties:
Configuration settings format : Select Use Configuration designer :

Add : Shows the list of configuration keys. Select all the configuration keys needed for your
configuration > OK .
In the following example, we selected a minimal list for AnyConnect VPN, including certificate-based
authentication and per-app VPN:
Configuration value : Enter the values for the configuration keys you selected. Remember, the key
names vary depending on the VPN Client app you're using. In the keys selected in our example:
Per App VPN Allowed Apps : Enter the application package ID(s) you collected earlier. For
example:

KeyChain Certificate Alias (optional): Change the Value type from string to certificate .
Select the client certificate profile to use with VPN authentication. For example:

Protocol : Select the SSL or IPsec tunnel protocol of the VPN.


Connection Name : Enter a user friendly name for the VPN connection. Users see this
connection name on their devices. For example, enter ContosoVPN .
Host : Enter the host name URL to the headend router. For example, enter vpn.contoso.com .
6. Select Next .
7. In Assignments , select the groups to assign the VPN app configuration policy.
Select Next .
8. In Review + create , review your settings. When you select Create , your changes are saved, and the policy
is deployed to your groups. The policy is also shown in the app configuration policies list.

Use JSON
Use this option if you don't have, or don't know all the required VPN settings used in the Configuration designer .
If you need help, consult your VPN vendor.
Get the certificate token
In these steps, create a temporary policy. The policy won't be saved. The intent is to copy the certificate token. You'll
use this token when creating the VPN policy using JSON (next section).
1. In the Microsoft Endpoint Manager admin center, select Apps > App configuration policies > Add >
Managed devices .
2. In Basics , enter the following properties:
Name : Enter any name. This policy is temporary, and won't be saved.
Platform : Select Android Enterprise .
Profile type : Select Work Profile Only .
Targeted app : Select the VPN client app you previously added.
3. Select Next .
4. In Settings , enter the following properties:
Configuration settings format : Select Use configuration designer .
Add : Shows the list of configuration keys. Select any key with a Value type of string . Select OK .

5. Change the Value type from string to certificate . This step lets you select the correct client certificate
profile that authenticates the VPN:

6. Immediately change the Value type back to string . The Configuration value changes to a token
{{cert:GUID}} :

7. Copy and paste this certificate token to another file, such as a text editor.
8. Discard this policy. Don't save it. The only purpose is to copy and paste the certificate token.
Create the VPN policy using JSON
1. In the Microsoft Endpoint Manager admin center, select Apps > App configuration policies > Add >
Managed devices .
2. In Basics , enter the following properties:
Name : Enter a descriptive name for the policy. Name your policies so you can easily identify them later.
For example, a good policy name is App config policy: JSON Cisco AnyConnect VPN policy for
Android Enterprise work profile devices in entire company .
Description : Enter a description for the policy. This setting is optional, but recommended.
Platform : Select Android Enterprise .
Profile type : Your options:
All profile types : This option supports username and password authentication. If you use
certificate-based authentication, don't use this option.
Fully Managed, Dedicated, and Corporate-Owned work profile only : This option supports
certificate-based authentication, and username and password authentication.
Work Profile Only : This option supports certificate-based authentication, and username and
password authentication.
Targeted app : Select the VPN client app you previously added.
3. Select Next .
4. In Settings , enter the following properties:
Configuration settings format : Select Enter JSON data . You can edit the JSON directly.
Download JSON template : Use this option to download, and update the template in any external
editor. Be careful with text editors that use Smart quotes , as they may create invalid JSON.
After you enter the values needed for your configuration, remove all settings that have "STRING_VALUE" or
STRING_VALUE .
5. Select Next .
6. In Assignments , select the groups to assign the VPN app configuration policy.
Select Next .
7. In Review + create , review your settings. When you select Create , your changes are saved, and the policy
is deployed to your groups. The policy is also shown in the app configuration policies list.
JSON example for F5 Access VPN

{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "app:com.f5.edge.client_ics",
  "managedProperty": [
    {
      "key": "disallowUserConfig",
      "valueBool": false
    },
    {
      "key": "vpnConfigurations",
      "valueBundleArray": [
        {
          "managedProperty": [
            {
              "key": "name",
              "valueString": "MyCorpVPN"
            },
            {
              "key": "server",
              "valueString": "vpn.contoso.com"
            },
            {
              "key": "weblogonMode",
              "valueBool": false
            },
            {
              "key": "fipsMode",
              "valueBool": false
            },
            {
              "key": "clientCertKeychainAlias",
              "valueString": "{{cert:77333880-14e9-0aa0-9b2c-a1bc6b913829}}"
            },
            {
              "key": "allowedApps",
              "valueString": "com.microsoft.emmx"
            },
            {
              "key": "mdmAssignedId",
              "valueString": ""
            },
            {
              "key": "mdmInstanceId",
              "valueString": ""
            },
            {
              "key": "mdmDeviceUniqueId",
              "valueString": ""
            },
            {
              "key": "mdmDeviceWifiMacAddress",
              "valueString": ""
            },
            {
              "key": "mdmDeviceSerialNumber",
              "valueString": ""
            },
            {
              "key": "allowBypass",
              "valueBool": false
            }
          ]
        }
      ]
    }
  ]
}
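The JSON route above leaves three things to get right by hand: every "STRING_VALUE" placeholder has to be removed, the certificate token must keep its {{cert:GUID}} form, and the file must be free of smart quotes. The following Python script, added here as an example and not taken from the Intune documentation, does those checks on a downloaded template; the key names follow the F5 Access JSON and treating allowedApps as a comma-separated list is an assumption, so adapt it to your VPN vendor's schema.

```python
"""Prepare an Android Enterprise VPN managed configuration for Intune (added example).

Assumptions, not taken from the page: key names follow the F5 Access JSON above; other VPN
clients use their own keys, and "allowedApps" is treated as a comma-separated list.
"""
import json
import re

PLACEHOLDER = "STRING_VALUE"                # left in the downloaded template where no value was entered
SMART_QUOTES = "\u201c\u201d\u2018\u2019"   # inserted by some editors; they break JSON parsing
CERT_TOKEN_RE = re.compile(r"^\{\{cert:[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}\}$")
PACKAGE_ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")

# Constructed sample template: the F5 Access layout with two keys left unset, in both
# placeholder spellings the text mentions; the certificate GUID is a constructed dummy.
SAMPLE_TEMPLATE = '''{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "app:com.f5.edge.client_ics",
  "managedProperty": [
    {"key": "disallowUserConfig", "valueBool": false},
    {"key": "vpnConfigurations", "valueBundleArray": [
      {"managedProperty": [
        {"key": "name", "valueString": "MyCorpVPN"},
        {"key": "server", "valueString": "vpn.contoso.com"},
        {"key": "clientCertKeychainAlias", "valueString": "{{cert:00000000-0000-4000-8000-000000000001}}"},
        {"key": "allowedApps", "valueString": "com.microsoft.emmx"},
        {"key": "mdmAssignedId", "valueString": "STRING_VALUE"},
        {"key": "mdmInstanceId", "valueString": "\\"STRING_VALUE\\""}
      ]}
    ]}
  ]
}'''


def load_strict(text):
    """Parse the template, refusing the smart quotes a word processor may have inserted."""
    found = sorted({c for c in text if c in SMART_QUOTES})
    if found:
        raise ValueError("smart quotes in JSON: %r" % found)
    return json.loads(text)


def is_placeholder(prop):
    value = prop.get("valueString")
    return isinstance(value, str) and value.strip().strip('"') == PLACEHOLDER


def strip_placeholders(node):
    """Drop every managedProperty entry, at any depth, that still holds the placeholder."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if key == "managedProperty":
                out[key] = [strip_placeholders(p) for p in value if not is_placeholder(p)]
            else:
                out[key] = strip_placeholders(value)
        return out
    if isinstance(node, list):
        return [strip_placeholders(item) for item in node]
    return node


def iter_props(node):
    """Yield every managedProperty entry, descending into valueBundleArray nesting."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "managedProperty":
                for prop in value:
                    yield prop
                    yield from iter_props(prop)
            elif isinstance(value, list):
                for item in value:
                    yield from iter_props(item)
    elif isinstance(node, list):
        for item in node:
            yield from iter_props(item)


def find_problems(config):
    """Return findings that would make Intune or the VPN client reject the policy; empty is good."""
    problems = []
    for prop in iter_props(config):
        key, value = prop.get("key"), prop.get("valueString")
        if is_placeholder(prop):
            problems.append("%s still holds the template placeholder" % key)
        elif key == "clientCertKeychainAlias" and not CERT_TOKEN_RE.match(value or ""):
            problems.append("clientCertKeychainAlias is not a {{cert:GUID}} token")
        elif key == "allowedApps":
            for pkg in (value or "").split(","):
                if not PACKAGE_ID_RE.match(pkg.strip()):
                    problems.append("allowedApps entry %r is not an Android package ID" % pkg.strip())
    return problems


def prepare(template_text):
    """Strip placeholders, validate, and return (cleaned config, list of problems)."""
    config = strip_placeholders(load_strict(template_text))
    return config, find_problems(config)


if __name__ == "__main__":
    cleaned, issues = prepare(SAMPLE_TEMPLATE)
    print(json.dumps(cleaned, indent=2))
    print("problems:", issues or "none")
```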

Additional information
Add app configuration policies for managed Android Enterprise devices
Android Enterprise device settings to configure VPN in Intune

Next steps
Create VPN profiles to connect to VPN servers in Intune
Manage volume-purchased apps and books with
Microsoft Intune
9/4/2020 • 2 minutes to read

Introduction
Some app stores give you the ability to purchase multiple licenses for an app or books that you want to use in
your company. Buying licenses in bulk can help you reduce the administrative overhead of tracking multiple
purchased copies of apps and books.
Microsoft Intune helps you manage apps and books that you purchased through such a program. You import
license information from the store, and track how many licenses you have used. This process helps to ensure that
you don't install more copies of the app or book than you own.

Which types of apps and books can you manage?


With Intune, you can manage apps and books that you purchased in volume from the iOS store, and manage apps
that you purchased from the Microsoft Store for Business. To discover how to manage licensed apps from each
store, choose one of the following topics:
Manage iOS/iPadOS volume-purchased apps
Manage volume-purchased apps from the Microsoft Store for Business
How to manage iOS/iPadOS eBooks
How to manage iOS and macOS apps purchased
through Apple Volume Purchase Program with
Microsoft Intune
9/4/2020 • 13 minutes to read

Apple lets you purchase multiple licenses for an app that you want to use in your organization on iOS/iPadOS and
macOS devices using Apple Business Manager or Apple School Manager. You can then synchronize your volume
purchase information with Intune and track your volume-purchased app use. Purchasing app licenses helps you
efficiently manage apps within your company and retain ownership and control of purchased apps.
Microsoft Intune helps you manage apps purchased through this program by:
Synchronizing location tokens you download from Apple Business Manager.
Tracking how many licenses are available and have been used for purchased apps.
Helping you install apps up to the number of licenses you own.
Additionally, you can synchronize, manage, and assign books you purchased from Apple Business Manager with
Intune to iOS/iPadOS devices. For more information, see How to manage iOS/iPadOS eBooks you purchased
through a volume-purchase program.

What are location tokens?


Location tokens are also known as Volume Purchase Program (VPP) tokens. These tokens are used to assign and
manage licenses purchased using Apple Business Manager. Content Managers can purchase and associate
licenses with location tokens they have permissions to in Apple Business Manager. These location tokens are then
downloaded from Apple Business Manager and uploaded in Microsoft Intune. Microsoft Intune supports
uploading multiple location tokens per tenant. Each token is valid for one year.

How are purchased apps licensed?


Purchased apps can be assigned to groups using two types of licenses that Apple offers for iOS/iPadOS and
macOS devices.

Action: App Store sign-in
  Device licensing: Not required.
  User licensing: Each end user must use a unique Apple ID when prompted to sign in to App Store.

Action: Device configuration blocking access to App Store
  Device licensing: Apps can be installed and updated using Company Portal.
  User licensing: The invitation to join Apple VPP requires access to App Store. If you have set a policy to
  disable App Store, user licensing for VPP apps will not work.

Action: Automatic app update
  Device licensing: As configured by the Intune admin in Apple VPP token settings. If the assignment type is
  available for enrolled devices, available app updates can also be installed from the Company Portal by
  selecting the Update action on the app details page.
  User licensing: As configured by end user in personal App Store settings. This cannot be managed by the
  Intune admin.

Action: User Enrollment
  Device licensing: Not supported.
  User licensing: Supported using Managed Apple IDs.

Action: Books
  Device licensing: Not supported.
  User licensing: Supported.

Action: Licenses used
  Device licensing: 1 license per device. The license is associated with the device.
  User licensing: 1 license for up to 5 devices using the same personal Apple ID. The license is associated
  with the user. An end user associated with a personal Apple ID and a Managed Apple ID in Intune consumes
  2 app licenses.

Action: License migration
  Device licensing: Apps can migrate silently from user to device licenses.
  User licensing: Apps cannot migrate from device to user licenses.

NOTE
Company Portal does not show device-licensed apps on User Enrollment devices because only user-licensed apps can be
installed on User Enrollment devices.

What app types are supported?


You can purchase and distribute public as well as private apps using Apple Business Manager.
Store apps: Using Apple Business Manager, Content Managers can buy both free and paid apps that are
available in the App Store.
Custom Apps: Using Apple Business Manager, Content Managers can also buy Custom Apps made available
privately to your organization. These apps are tailored to your organization's specific needs by developers with
whom you work directly. Learn more about how to distribute Custom Apps.

Prerequisites
An Apple Business Manager or Apple School Manager account for your organization.
Purchased app licenses assigned to one or more location tokens.
Downloaded location tokens.
IMPORTANT
A location token can only be used with one device management solution at a time. Before you start to use purchased
apps with Intune, revoke and remove any existing location tokens used with other mobile device management (MDM)
vendors.
A location token is only supported for use on one Intune tenant at a time. Do not reuse the same token for multiple
Intune tenants.
By default, Intune synchronizes the location tokens with Apple twice a day. You can initiate a manual sync at any time
from Intune.
After you have imported the location token to Intune, do not import the same token to any other device management
solution. Doing so might result in the loss of license assignment and user records.

Migrate from Volume Purchase Program (VPP) to Apps and Books


If your organization has not migrated to Apple Business Manager or Apple School Manager yet, review Apple's
guidance on migrating to Apps and Books before proceeding to manage purchased apps in Intune.

IMPORTANT
For the best migration experience, migrate only one VPP purchaser per location. If each purchaser migrates to a unique
location, all licenses — assigned and unassigned — will move to Apps and Books.
Do not delete the existing legacy VPP token in Intune or apps and assignments associated with existing legacy VPP
token in Intune. These actions will require all app assignments to be recreated in Intune.

Migrate existing purchased VPP content and tokens to Apps and Books in Apple Business Manager or Apple
School Manager as follows:
1. Invite VPP purchasers to join your organization and direct each user to select a unique location.
2. Ensure that all VPP purchasers within your organization have completed step 1 before proceeding.
3. Verify that all purchased apps and licenses have migrated to Apps and Books in Apple Business Manager or
Apple School Manager.
4. Download the new location token by going to Apple Business (or School) Manager > Settings > Apps
and Books > My Server Tokens .
5. Update the location token in Microsoft Endpoint Manager admin center by going to Tenant administration
> Connectors and tokens > Apple VPP tokens and manually upload the token.

Upload an Apple VPP or location token


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Tenant administration > Connectors and tokens > Apple VPP tokens .
3. On the list of VPP tokens pane, select Create . The Create VPP token process is displayed. There are four
pages used when creating a VPP token. The first is Basics .
4. On the Basics page, specify the following information:
Token Name - An administrative field for setting the token name.
Apple ID - Enter the Managed Apple ID of the account associated with the uploaded token.
VPP token file - If you haven't already, sign up for Apple Business Manager or Apple School Manager.
After you sign up, download the Apple VPP token for your account and select it here.
5. Click Next to display the Settings page.
6. On the Settings page, specify the following information:
Take control of token from another MDM - Setting this option to yes allows the token to be
reassigned to Intune from another MDM solution.
Country/Region - Select the VPP country/region store. Intune synchronizes VPP apps for all
locales from the specified VPP country/region store.

WARNING
Changing the country/region will update the apps metadata and App Store URL on next sync with the
Apple service for apps created with this token. The app will not be updated if it does not exist in the new
country/region store.

Type of VPP account - Choose from Business or Education .


Automatic app updates - Choose from On or Off to enable automatic updates. When enabled,
Intune detects the VPP app updates inside the app store and automatically pushes them to the
device when the device checks in.

NOTE
Automatic app updates for Apple VPP apps will automatically update for both Required and Available
install intents. For apps deployed with Available install intent, the automatic update generates a status
message for the IT admin informing that a new version of the app is available. This status message is
viewable by selecting the app, selecting Device Install Status, and checking the Status Details.

I grant Microsoft permission to send both user and device information to Apple. - You
must select I agree to proceed. To review what data Microsoft sends to Apple, see Data Intune
sends to Apple.
7. Click Next to display the Scope tags page.
8. Click Select scope tags to optionally add scope tags for the app. For more information, see Use role-based
access control (RBAC) and scope tags for distributed IT.
9. Click Next to display the Review + create page. Review the values and settings you entered for the VPP
token.
10. When you are done, click Create . The token is displayed in the list of tokens pane.

Synchronize a VPP token


You can synchronize the app names, metadata and license information for your purchased apps in Intune by
choosing Sync for a selected token.

Assign a volume-purchased app


1. Select Apps > All apps .
2. On the list of apps pane, choose the app you want to assign, and then choose Assignments .
3. On the App name - Assignments pane, choose Add group then, on the Add group pane, choose an
Assignment type and choose the Azure AD user or device groups to which you want to assign the app.
4. For each group you selected, choose the following settings:
Type - Choose whether the app will be Available (end users can install the app from the Company
Portal), or Required (end user devices will automatically get the app installed).
License type - Choose from User licensing , or Device licensing .
5. Once you are done, choose Save .
NOTE
The Available deployment intent is not supported for device groups, only user groups are supported. The list of apps
displayed is associated with a token. If you have an app that is associated with multiple VPP tokens, you see the same app
being displayed multiple times; once for each token.

NOTE
Intune (or any other MDM for that matter) does not actually install VPP apps. Instead, Intune connects to your VPP
account and tells Apple which app licenses to assign to which devices. From there, all the actual installation is handled
between Apple and the device.

End-User Prompts for VPP


The end-user will receive prompts for VPP app installation in a number of scenarios. The following table explains
each condition:

Columns: Invite to Apple VPP program / App install prompt / Prompt for Apple ID

1. BYOD – user licensed (not User Enrollment device): Y / Y / Y
2. Corp – user licensed (not supervised device): Y / Y / Y
3. Corp – user licensed (supervised device): Y / N / Y
4. BYOD – device licensed: N / Y / N
5. CORP – device licensed (not supervised device): N / Y / N
6. CORP – device licensed (supervised device): N / N / N
7. Kiosk mode (supervised device) – device licensed: N / N / N
8. Kiosk mode (supervised device) – user licensed: --- / --- / ---

NOTE
It is not recommended to assign VPP apps to Kiosk-mode devices using user licensing.
Revoking app licenses
You can revoke all associated iOS/iPadOS or macOS volume-purchase program (VPP) app licenses based on a
given device, user, or app. But there are some differences between iOS/iPadOS and macOS platforms.

Action: Remove app assignment
  iOS/iPadOS: When you remove an app that was assigned to a user, Intune reclaims the user or device license
  and uninstalls the app from the device.
  macOS: When you remove an app that was assigned to a user, Intune reclaims the user or device license. The
  app is not uninstalled from the device.

Action: Revoke app license
  iOS/iPadOS: Revoking an app license reclaims the app license from the user or device. You must change the
  assignment to Uninstall to remove the app from the device.
  macOS: Revoking an app license reclaims the app license from the user or device. The macOS app with revoked
  license remains usable on the device, but cannot be updated until a license is reassigned to the user or
  device. According to Apple, such apps are removed after a 30-day grace period. However, Apple does not
  provide a means for Intune to remove the app using Uninstall assignment action.

NOTE
Intune reclaims app licenses when an employee leaves the company and is no longer part of the AAD groups.
When assigning a purchased app with Uninstall intent, Intune both reclaims the license and uninstalls the app.
App licenses are not reclaimed when a device is removed from Intune management.

Deleting VPP tokens


You can delete an Apple Volume Purchasing Program (VPP) token using the console. This may be necessary when
you have duplicate instances of a VPP token. Deleting a token will also delete any associated apps and
assignments. Deleting a token revokes associated app licenses but doesn't uninstall the apps.

NOTE
Intune cannot revoke app licenses after a token has been deleted.

To revoke the license of all VPP apps for a given VPP token, you must first revoke all app licenses associated with
the token, then delete the token.

Renewing VPP tokens


You can renew an Apple VPP token by downloading a new token from Apple Business Manager or Apple School
Manager and updating the existing token in Intune.
To renew an Apple VPP token, use the following steps:
1. Navigate to Apple Business Manager or Apple School Manager.
2. Download the new token in Apple Business (or School) Manager , by selecting Settings > Apps and
Books > My Server Tokens .
3. Update the token in Microsoft Endpoint Manager admin center by selecting Tenant administration >
Connectors and tokens > Apple VPP tokens . Then, manually upload the token.
NOTE
You must download a new Apple VPP or location token from Apple Business Manager and update the existing token within
Intune when the user, who set up the token in Apple Business Manager, changes their password or the user leaves your
Apple Business Manager organization. Tokens that are not renewed will show "invalid" status in Intune.

Deleting a VPP app


Currently, you cannot delete an iOS/iPadOS VPP app from Microsoft Intune.

Assigning custom role permissions for VPP


Access to Apple VPP tokens and VPP apps can be controlled independently using permissions assigned to custom
administrator roles in Intune.
To allow an Intune custom role to manage Apple VPP tokens, in Microsoft Endpoint Manager admin center,
select Tenant administration > Connectors and tokens > Apple VPP tokens , assign permissions for
Managed apps .
To allow an Intune custom role to manage apps purchased using iOS/iPadOS VPP tokens under Apps > All
apps , assign permissions for Mobile apps .

Additional information
Apple provides direct assistance to create and renew VPP tokens. For more information, see Distribute content to
your users with the Volume Purchase Program (VPP) as part of Apple's documentation.
If Assigned to external MDM is indicated in the Intune portal, then you (the Admin) must remove the VPP
token from the third-party MDM before using the VPP token in Intune.
If status is Duplicate for a token, then multiple tokens with the same Token Location have been uploaded.
Remove the duplicate token to begin syncing the token again. You can still assign and revoke licenses for tokens
that are marked as duplicate. However, licenses for new apps and books purchased may not be reflected once a
token is marked as duplicate.

Frequently asked questions


How many tokens can I upload?
You can upload up to 3,000 tokens in Intune.
How long does the portal take to update the license count once an app is installed or removed from the
device?
The license should be updated within a few hours after installing or uninstalling an app. Note that if the end user
removes the app from the device, the license is still assigned to that user or device.
Is it possible to oversubscribe an app and, if so, in what circumstance?
Yes. The Intune admin can oversubscribe an app. For example, if the admin purchases 100 licenses for app XYZ,
and then targets the app to a group with 500 members in it. The first 100 members (users or devices) will get the
license assigned to them, the rest of the members will fail on license assignment.
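The licensing rules from the device/user licensing table above and the oversubscription answer in this FAQ, worked through as an added Python model; this is not Microsoft's or Apple's code, the device and user names are constructed, and the refusal of a sixth device on one user license is an assumption the page does not state.

```python
"""Model of how Apple VPP app licenses are consumed and reclaimed in Intune.

Added example, not Microsoft's or Apple's code. It encodes the rules on
this page: one license per device under device licensing; one license
per Apple ID covering up to 5 devices under user licensing, so a user with
both a personal and a Managed Apple ID consumes two; once the purchased
count is exhausted, assignment fails for the remaining group members;
licenses return when a user leaves the assigned groups or when a device
license is revoked. Refusing a sixth device on one user license is an
assumption made here, not a rule stated on the page.
"""
DEVICES_PER_USER_LICENSE = 5


class LicensePool:
    """Licenses purchased for one app, as synced from one VPP token."""

    def __init__(self, app_id, purchased):
        self.app_id = app_id
        self.purchased = purchased
        self.device_licenses = set()  # device ids holding a device license
        self.user_licenses = {}       # (user, apple_id) -> set of device ids

    @property
    def used(self):
        return len(self.device_licenses) + len(self.user_licenses)

    @property
    def available(self):
        return self.purchased - self.used

    def assign_device(self, device_id):
        """Device licensing: the license is tied to the device."""
        if device_id in self.device_licenses:
            return True  # already licensed, nothing more consumed
        if self.available <= 0:
            return False  # oversubscribed: this member fails assignment
        self.device_licenses.add(device_id)
        return True

    def assign_user(self, user, apple_id, device_id):
        """User licensing: one license per Apple ID, shared by its devices."""
        key = (user, apple_id)
        devices = self.user_licenses.get(key)
        if devices is None:
            if self.available <= 0:
                return False
            self.user_licenses[key] = {device_id}
            return True
        if device_id in devices:
            return True
        if len(devices) >= DEVICES_PER_USER_LICENSE:
            return False  # assumption: a sixth device is refused
        devices.add(device_id)
        return True

    def reclaim_user(self, user):
        """User is no longer in the assigned groups: all their licenses return."""
        keys = [k for k in self.user_licenses if k[0] == user]
        for k in keys:
            del self.user_licenses[k]
        return len(keys)

    def revoke_device(self, device_id):
        """Explicit revoke (or Uninstall intent) for a device-licensed device."""
        if device_id in self.device_licenses:
            self.device_licenses.remove(device_id)
            return 1
        return 0


def assign_device_group(pool, device_ids):
    """Target the app at a device group; returns (licensed, failed) lists.

    Members are served in order until the pool is exhausted, matching the
    FAQ: 100 licenses targeted at 500 members license the first 100.
    """
    licensed, failed = [], []
    for dev in device_ids:
        (licensed if pool.assign_device(dev) else failed).append(dev)
    return licensed, failed


if __name__ == "__main__":
    # Constructed sample: 100 licenses for app XYZ targeted at 500 devices.
    pool = LicensePool("XYZ", 100)
    ok, failed = assign_device_group(pool, [f"device-{i}" for i in range(500)])
    print(f"licensed {len(ok)}, failed {len(failed)}, available {pool.available}")
```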

Next steps
See How to monitor apps for information to help you monitor app assignments.
See How to troubleshoot apps for information on troubleshooting app-related issues.
How to manage volume purchased apps from the
Microsoft Store for Business with Microsoft Intune
9/4/2020 • 4 minutes to read

The Microsoft Store for Business gives you a place to find and purchase apps for your organization, individually,
or in volume. By connecting the store to Microsoft Intune, you can manage volume-purchased apps from the
Azure portal. For example:
You can synchronize the list of apps you have purchased (or that are free) from the store with Intune.
Apps that are synchronized appear in the Intune administration console; you can assign these apps like any
other apps.
Both Online and Offline licensed versions of apps are synchronized to Intune. App names will be appended
with "Online" or "Offline" in the portal.
You can track how many licenses are available, and how many are being used in the Intune administration
console.
Intune blocks assignment and installation of apps if there are an insufficient number of licenses available.
Apps managed by Microsoft Store for Business will automatically revoke licenses when a user leaves the
enterprise, or when the administrator removes the user and the user devices.

Before you start


Review the following information before you start syncing and assigning apps from the Microsoft Store for
Business:
Configure Intune as the mobile device management authority for your organization.
You must have signed up for an account on the Microsoft Store for Business.
Once you have associated a Microsoft Store for Business account with Intune, you cannot change to a different
account in the future.
Apps purchased from the store cannot be manually added to or deleted from Intune. They can only be
synchronized with the Microsoft Store for Business.
Both online and offline licensed apps that you have purchased from the Microsoft Store for Business are
synced into the Intune portal. You can then deploy these apps to device groups or user groups.
Online app installations are managed by the store.
Offline apps that are free of charge can also be synced to Intune. These apps are installed by Intune, not by the
store.
To use this capability, devices must be joined to Active Directory Domain Services, Azure AD joined, or
workplace-joined.
Enrolled devices must be using the 1511 release of Windows 10 or later.

NOTE
If you disable access to the Store on managed devices (either manually, via policy or Group Policy), Online licensed apps will
fail to install.

Associate your Microsoft Store for Business account with Intune


Before you enable synchronization in the Intune console, you must configure your store account to use Intune as
a management tool:
1. Ensure that you sign into the Microsoft Store for Business using the same tenant account you use to sign into
Intune.
2. In the Business Store, choose the Manage tab, select Settings , and choose the Distribute tab.
3. If you don't specifically have Microsoft Intune available as a mobile device management tool, choose Add
management tool to add Microsoft Intune . If you don't have Microsoft Intune activated as your mobile
device management tool, click Activate next to Microsoft Intune . Note that you should activate Microsoft
Intune rather than Microsoft Intune Enrollment .

NOTE
You could previously only associate one management tool to assign apps with the Microsoft Store for Business. You can
now associate multiple management tools with the store, for example, Intune and Configuration Manager.

You can now continue, and set up synchronization in the Intune console.

Configure synchronization
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Tenant administration > Connectors and tokens > Microsoft Store for Business .
3. Click Enable .
4. If you haven't already done so, click the link to sign up for the Microsoft Store for Business and associate your
account as detailed previously.
5. From the Language drop-down list, choose the language in which apps from the Microsoft Store for Business
are displayed in the Azure portal. Regardless of the language in which they are displayed, they are installed in
the end user's language when available.
6. Click Sync to get the apps you've purchased from the Microsoft Store into Intune.

Synchronize apps
If you've already associated your Microsoft Store for Business account with your Intune admin credentials, you
can manually sync your Microsoft Store for Business apps with Intune using the following steps.
1. Select Tenant administration > Connectors and tokens > Microsoft Store for Business .
2. Click Sync to get the apps you've purchased from the Microsoft Store into Intune.

NOTE
Apps with encrypted app packages are currently not supported and will not be synchronized to Intune.

Assign apps
You assign apps from the store in the same way you assign any other Intune app. For more information, see How
to assign apps to groups with Microsoft Intune.
Offline apps can be targeted to user groups, device groups, or groups with users and devices. Offline apps can be
installed for a specific user on a device or for all users on a device.
When you assign a Microsoft Store for Business app, a license is used by each user who installs the app. If you
use all of the available licenses for an assigned app, you cannot assign any more copies. Take one of the following
actions:
Uninstall the app from some devices.
Reduce the scope of the current assignment, targeting only the users you have sufficient licenses for.
Buy more copies of the app from the Microsoft Store for Business.

Remove apps
To remove an app that is synced from the Microsoft Store for Business, you need to log into the Microsoft Store
for Business and refund the app. The process is the same whether the app is free or not. For a free app, the store
will refund $0. The example below shows a refund for a free app.

NOTE
Removing an app's visibility in the private store won't keep Intune from syncing the app. You must refund the app to fully
remove the app.

Next steps
Manage volume-purchased apps and books with Microsoft Intune
How to manage iOS/iPadOS eBooks you purchased
through a volume-purchase program with Microsoft
Intune
9/4/2020 • 3 minutes to read

The Apple Volume Purchase Program (VPP) lets you purchase multiple licenses for a book that you want to
distribute to users in your company. You can distribute books from the Business, or Education stores.
Microsoft Intune helps you synchronize, manage, and assign books that you purchased through this program. You
can import license information from the store and track how many of the licenses you have used.
The procedures to manage books are similar to managing VPP apps.

Manage volume-purchased books for iOS devices


You buy multiple licenses for iOS/iPadOS books through the Apple Volume Purchase Program for Business or the
Apple Volume Purchase Program for Education. This process involves setting up an Apple VPP account from the
Apple website and uploading the Apple VPP token to Intune. You can then synchronize your volume purchase
information with Intune and track your volume-purchased book use.

Before you start


Before you start, get a VPP token from Apple and upload it to your Intune account. Additionally:
If you previously used a VPP token with a different product, you must generate a new one to use with Intune.
Each token is valid for one year.
By default, Intune syncs with the Apple VPP service twice a day. You can start a manual sync at any time.
After you have imported the VPP token to Intune, do not import the same token to any other device
management solution. Doing so might result in the loss of license assignment and user records.
Before you start to use iOS/iPadOS books with Intune, remove any existing VPP user accounts created with
other mobile device management (MDM) vendors. Intune does not synchronize those user accounts into Intune
as a security measure. Intune synchronizes only data from the Apple VPP service that Intune created.
When you assign a book to a device, that device must have the built-in iBooks app installed. If it is not, the end
user must reinstall the app before they can read the book. You cannot currently use Intune to restore removed
built-in apps.
You can only assign books from the Apple Volume Purchase Program site. You cannot upload, then assign
books you created in-house.
You cannot currently assign books to end-user categories in the same way as you do apps.
You cannot reclaim a license once the book is assigned.
When a user with an eligible device first tries to install a VPP book, they must join the Apple Volume Purchase
program before they can install a book. You can also assign licenses to security groups with managed Apple
IDs. If you do this, then users are not prompted for their Apple ID when a book is installed.
Devices must be enrolled with user affinity as e-books can only be assigned to user groups.

To get and upload an Apple VPP token


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Tenant administration > Connectors and tokens > Apple VPP tokens .
3. On the list of VPP tokens pane, click Create .
4. On the New VPP Token pane, specify the following information:
VPP token file - Ensure you have signed up for the Volume Purchase Program for Business or the Volume
Purchase Program for Education. Then, download the Apple VPP token for your account and select it
here.
Apple ID - Enter the Apple ID of the account associated with the volume-purchase program.
Type of VPP account - Choose from Business or Education .
5. When you are done, click Create .
The token is displayed in the list of tokens pane.
You can synchronize the data held by Apple with Intune at any time by choosing Sync now .

To assign a volume-purchased book


1. Select Apps > eBooks > All eBooks .
2. On the list of books pane, choose the book you want to assign, and then choose '...' > Assign Groups .
3. On the <book name> - Groups Assigned pane, choose Manage > Groups Assigned .
4. Choose Assign Groups then, on the Select groups pane, choose the Azure AD user groups to which you
want to assign the book. Device groups are currently not supported. Choose an assignment action of
Available , or Required .
5. Once you are done, choose Save .

Next steps
See How to monitor apps for information to help you monitor book assignments.
How to wipe only corporate data from Intune-
managed apps
9/4/2020 • 4 minutes to read

When a device is lost or stolen, or if the employee leaves your company, you want to make sure company app
data is removed from the device. But you might not want to remove personal data on the device, especially if the
device is an employee-owned device.

NOTE
The iOS/iPadOS, Android, and Windows 10 platforms are the only platforms currently supported for wiping corporate data
from Intune managed apps. Intune managed apps are applications that include the Intune APP SDK and have a licensed
user account for your organization. Deployment of Application Protection Policies is not required to enable app selective
wipe.

To selectively remove company app data, create a wipe request by using the steps in this topic. After the request is
finished, the next time the app runs on the device, company data is removed from the app. In addition to creating
a wipe request, you can configure a selective wipe of your organization's data as a new action when the conditions
of Application Protection Policies (APP) Access settings are not met. This feature helps you automatically protect
and remove sensitive organization data from applications based on pre-configured criteria.

IMPORTANT
Contacts synced directly from the app to the native address book are removed. Any contacts synced from the native
address book to another external source can't be wiped. Currently, this only applies to the Microsoft Outlook app.

Deployed WIP policies without user enrollment


Windows Information Protection (WIP) policies can be deployed without requiring MDM users to enroll their
Windows 10 device. This configuration allows companies to protect their corporate documents based on the WIP
configuration, while allowing the user to maintain management of their own Windows devices. Once documents
are protected with a WIP policy, the protected data can be selectively wiped by an Intune administrator (Global
administrator or an Intune Service administrator). By selecting the user and device, and sending a wipe request, all
data that was protected via the WIP policy will become unusable. In Intune in the Azure portal, select
Client app > App selective wipe . For more information, see Create and deploy Windows Information
Protection (WIP) app protection policy with Intune.

Create a device based wipe request


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > App selective wipe > Create wipe request .
The Create wipe request pane is displayed.
3. Click Select user , choose the user whose app data you want to wipe, and click Select at the bottom of the
Select user pane.
4. Click Select the device , choose the device, and click Select at the bottom of the Select Device pane.

5. Click Create to make a wipe request.


The service creates and tracks a separate wipe request for each protected app on the device, and the user
associated with the wipe request.

Create a user based wipe request


When you add a user to the User-level wipe list, Intune automatically issues wipe commands to all apps on all the user's
devices. The user will continue to get wipe commands at every check-in from all devices. To re-enable a user, you
must remove them from the list.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > App selective wipe > Create wipe request , and then select User-Level Wipe .
3. Click Add . The Select user pane is displayed.
4. Choose the user whose app data you would like to wipe and click Select .
Monitor your wipe requests
You can have a summarized report that shows the overall status of the wipe request, and includes the number of
pending requests and failures. To get more details, follow these steps:
1. On the Apps > App selective wipe pane, you can see the list of your requests grouped by users. Because
the system creates a wipe request for each protected app running on the device, you might see multiple
requests for a user. The status indicates whether a wipe request is pending , failed , or successful .

Additionally, you are able to see the device name, and its device type, which can be helpful when reading the
reports.

IMPORTANT
The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request was made.

Delete a device wipe request

Wipes with pending status are displayed until you manually delete them. To manually delete a wipe request:
1. Go to the Client Apps - App selective wipe pane.
2. From the list, right-click the wipe request you want to delete, then choose Delete wipe request.
3. You're prompted to confirm the deletion; choose Yes or No, then click OK.

Delete a user wipe request

User wipes remain in the list until an administrator removes them. To remove a user from the list:
1. On the Client Apps - App selective wipe pane, select User-Level Wipe.
2. From the list, right-click the user you want to delete, then choose Delete.
See also
What's app protection policy
What's app management
App protection policies overview
9/4/2020 • 31 minutes to read

App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a
managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate"
data, or a set of actions that are prohibited or monitored when the user is inside the app. A managed app is an
app that has app protection policies applied to it, and can be managed by Intune.
Mobile Application Management (MAM) app protection policies allow you to manage and protect your
organization's data within an application. With MAM without enrollment (MAM-WE), a work or school-
related app that contains sensitive data can be managed on almost any device, including personal devices in
bring-your-own-device (BYOD) scenarios. Many productivity apps, such as the Microsoft Office apps, can be
managed by Intune MAM. See the official list of Microsoft Intune protected apps available for public use.

How you can protect app data


Your employees use mobile devices for both personal and work tasks. While making sure your employees can
be productive, you want to prevent data loss, intentional and unintentional. You'll also want to protect company
data that is accessed from devices that are not managed by you.
You can use Intune app protection policies independent of any mobile device management (MDM)
solution. This independence helps you protect your company's data with or without enrolling devices in a
device management solution. By implementing app-level policies, you can restrict access to company
resources and keep data within the purview of your IT department.
App protection policies on devices
App protection policies can be configured for apps that run on devices that are:
Enrolled in Microsoft Intune: These devices are typically corporate owned.
Enrolled in a third-party Mobile device management (MDM) solution: These devices are
typically corporate owned.

NOTE
Mobile app management policies should not be used with third-party mobile app management or secure
container solutions.

Not enrolled in any mobile device management solution: These devices are typically employee
owned devices that aren't managed or enrolled in Intune or other MDM solutions.

IMPORTANT
You can create mobile app management policies for Office mobile apps that connect to Microsoft 365 services. You can
also protect access to Exchange on-premises mailboxes by creating Intune app protection policies for Outlook for
iOS/iPadOS and Android enabled with hybrid Modern Authentication. Before using this feature, make sure you meet the
Outlook for iOS/iPadOS and Android requirements. App protection policies are not supported for other apps that
connect to on-premises Exchange or SharePoint services.

Benefits of using App protection policies


The important benefits of using App protection policies are the following:
Protecting your company data at the app level. Because mobile app management doesn't require
device management, you can protect company data on both managed and unmanaged devices. The
management is centered on the user identity, which removes the requirement for device management.
End-user productivity isn't affected and policies don't apply when using the app in a
personal context. The policies are applied only in a work context, which gives you the ability to protect
company data without touching personal data.
App protection policies make sure that the app-layer protections are in place. For example,
you can:
Require a PIN to open an app in a work context
Control the sharing of data between apps
Prevent the saving of company app data to a personal storage location
MDM, in addition to MAM, makes sure that the device is protected. For example, you can
require a PIN to access the device, or you can deploy managed apps to the device. You can also deploy
apps to devices through your MDM solution, to give you more control over app management.
There are additional benefits to using MDM with App protection policies, and companies can use App protection
policies with and without MDM at the same time. For example, consider an employee who uses both a phone
issued by the company and their own personal tablet. The company phone is enrolled in MDM and protected
by App protection policies, while the personal device is protected by App protection policies only.
If you apply a MAM policy to the user without setting the device state, the user will get the MAM policy on both
the BYOD device and the Intune-managed device. You can also apply a MAM policy based on the managed state.
So when you create an app protection policy, next to Target to all app types, you'd select No. Then do any of
the following:
Apply a less strict MAM policy to Intune managed devices, and apply a more restrictive MAM policy to non
MDM-enrolled devices.
Apply a MAM policy to unenrolled devices only.

Supported platforms for app protection policies


Intune offers a range of capabilities to help you get the apps you need on the devices you want to run them on.
For more information, see App management capabilities by platform.
Intune app protection policies platform support aligns with Office mobile application platform support for
Android and iOS/iPadOS devices. For details, see the Mobile apps section of Office System Requirements.

IMPORTANT
The Intune Company Portal is required on the device to receive App Protection Policies on Android. For more
information, see the Intune Company Portal access apps requirements.

App protection policy data protection framework


The choices available in app protection policies (APP) enable organizations to tailor the protection to their
specific needs. For some, it may not be obvious which policy settings are required to implement a complete
scenario. To help organizations prioritize mobile client endpoint hardening, Microsoft has introduced a taxonomy
for its APP data protection framework for iOS and Android mobile app management.
The APP data protection framework is organized into three distinct configuration levels, with each level building
on the previous level:
Enterprise basic data protection (Level 1) ensures that apps are protected with a PIN, that app data is encrypted,
and that selective wipe operations can be performed. For Android devices, this level validates Android device
attestation. This is an entry-level configuration that provides data protection controls similar to Exchange Online
mailbox policies and introduces IT and the user population to APP.
Enterprise enhanced data protection (Level 2) introduces APP data leakage prevention mechanisms and
minimum OS requirements. This is the configuration that is applicable to most mobile users accessing work
or school data.
Enterprise high data protection (Level 3) introduces advanced data protection mechanisms, enhanced
PIN configuration, and APP Mobile Threat Defense. This configuration is desirable for users that are
accessing high risk data.
To see the specific recommendations for each configuration level and the minimum apps that must be
protected, review Data protection framework using app protection policies.

How app protection policies protect app data


Apps without app protection policies
When apps are used without restrictions, company and personal data can get intermingled. Company data can
end up in locations like personal storage or transferred to apps beyond your purview and result in data loss.
The arrows in the following diagram show unrestricted data movement between both corporate and personal
apps, and to storage locations.

Data protection with app protection policies (APP)


You can use App protection policies to prevent company data from saving to the local storage of the device (see
the image below). You can also restrict data movement to other apps that aren't protected by App protection
policies. App protection policy settings include:
Data relocation policies like Save copies of org data, and Restrict cut, copy, and paste.
Access policy settings like Require simple PIN for access, and Block managed apps from running on
jailbroken or rooted devices.
Data protection with APP on devices managed by an MDM solution
The below illustration shows the layers of protection that MDM and App protection policies offer together.

The MDM solution adds value by providing the following:
Enrolls the device
Deploys the apps to the device
Provides ongoing device compliance and management
The App protection policies add value by providing the following:
Help protect company data from leaking to consumer apps and services
Apply restrictions like save-as, clipboard, or PIN, to client apps
Wipe company data when needed from apps without removing those apps from the device
Data protection with APP for devices without enrollment
The following diagram illustrates how the data protection policies work at the app level without MDM.

For BYOD devices not enrolled in any MDM solution, App protection policies can help protect company data at
the app level. However, there are some limitations to be aware of, such as:
You can't deploy apps to the device. The end user has to get the apps from the store.
You can't provision certificate profiles on these devices.
You can't provision company Wi-Fi and VPN settings on these devices.

Apps you can manage with app protection policies


Any app that has been integrated with the Intune SDK or wrapped by the Intune App Wrapping Tool can be
managed using Intune app protection policies. See the official list of Microsoft Intune protected apps that have
been built using these tools and are available for public use.
The Intune SDK development team actively tests and maintains support for apps built with the native Android,
iOS/iPadOS (Obj-C, Swift), Xamarin, and Xamarin.Forms platforms. While some customers have had success
with Intune SDK integration with other platforms such as React Native and NativeScript, we do not provide
explicit guidance or plugins for app developers using anything other than our supported platforms.
The Intune SDK uses some advanced modern authentication capabilities from the Azure Active Directory
Authentication Libraries (ADAL) for both the 1st party and the 3rd party versions of the SDK. As such, Microsoft
Authentication Library (MSAL) does not work well with many of our core scenarios, such as authentication into
the Intune App Protection service and conditional launch. Given that the overall guidance from Microsoft's
Identity team is to switch to MSAL for all of the Microsoft Office apps, the Intune SDK will eventually need to
support it, but there are no plans today.

End-user requirements to use app protection policies


The following list provides the end-user requirements to use app protection policies on an Intune-managed
app:
The end user must have an Azure Active Directory (Azure AD) account. See Add users and give
administrative permission to Intune to learn how to create Intune users in Azure Active Directory.
The end user must have a license for Microsoft Intune assigned to their Azure Active Directory account.
See Manage Intune licenses to learn how to assign Intune licenses to end users.
The end user must belong to a security group that is targeted by an app protection policy. The same app
protection policy must target the specific app being used. App protection policies can be created and
deployed in the Intune console in the Azure portal. Security groups can currently be created in the
Microsoft 365 admin center.
The end user must sign in to the app using their Azure AD account.

App protection policies for Microsoft Office apps


There are a few additional requirements that you want to be aware of when using App protection policies with
Microsoft Office apps.
Outlook mobile app
The additional requirements to use the Outlook mobile app include the following:
The end user must have the Outlook mobile app installed to their device.
The end user must have a Microsoft 365 Exchange Online mailbox and license linked to their Azure
Active Directory account.

NOTE
The Outlook mobile app currently only supports Intune App Protection for Microsoft Exchange Online and
Exchange Server with hybrid modern authentication and does not support Exchange in Office 365 Dedicated.

Word, Excel, and PowerPoint


The additional requirements to use the Word, Excel, and PowerPoint apps include the following:
The end user must have a license for Microsoft 365 Apps for business or enterprise linked to their Azure
Active Directory account. The subscription must include the Office apps on mobile devices and can
include a cloud storage account with OneDrive for Business. Microsoft 365 licenses can be assigned in
the Microsoft 365 admin center following these instructions.
The end user must have a managed location configured using the granular save as functionality under
the "Save copies of org data" application protection policy setting. For example, if the managed location
is OneDrive, the OneDrive app should be configured in the end user's Word, Excel, or PowerPoint app.
If the managed location is OneDrive, the app must be targeted by the app protection policy deployed to
the end user.
NOTE
The Office mobile apps currently only support SharePoint Online and not SharePoint on-premises.

Managed location needed for Office


A managed location (i.e. OneDrive) is needed for Office. Intune marks all data in the app as either "corporate" or
"personal". Data is considered "corporate" when it originates from a business location. For the Office apps,
Intune considers the following as business locations: email (Exchange) or cloud storage (OneDrive app with a
OneDrive for Business account).
Skype for Business
There are additional requirements to use Skype for Business. See Skype for Business license requirements. For
Skype for Business (SfB) hybrid and on-prem configurations, see Hybrid Modern Auth for SfB and Exchange
goes GA and Modern Auth for SfB OnPrem with Azure AD, respectively.

App protection Global policy


If a OneDrive administrator browses to admin.onedrive.com and selects Device access, they can set Mobile
application management controls for the OneDrive and SharePoint client apps.
The settings, made available to the OneDrive Admin console, configure a special Intune app protection policy
called the Global policy. This global policy applies to all users in your tenant, and has no way to control the
policy targeting.
Once enabled, the OneDrive and SharePoint apps for iOS/iPadOS and Android are protected with the selected
settings by default. An IT Pro can edit this policy in the Intune console to add more targeted apps and to modify
any policy setting.
By default, there is only one Global policy per tenant. You can use the Intune Graph APIs to create extra global
policies per tenant, but this isn't recommended because troubleshooting the implementation of such a policy can
become complicated.
While the Global policy applies to all users in your tenant, any standard Intune app protection policy will
override these settings.

App protection features


Multi-identity
Multi-identity support allows an app to support multiple audiences. These audiences are both "corporate" users
and "personal" users. Work and school accounts are used by "corporate" audiences, whereas personal accounts
would be used for consumer audiences, such as Microsoft Office users. An app that supports multi-identity can
be released publicly, where app protection policies apply only when the app is used in the work and school
("corporate") context. Multi-identity support uses the Intune SDK to only apply app protection policies to the
work or school account signed into the app. If a personal account is signed into the app, the data is untouched.
For an example of "personal" context, consider a user who starts a new document in Word. This is personal
context, so Intune App Protection policies are not applied. Once the document is saved to the "corporate"
OneDrive account, it is considered "corporate" context and Intune App Protection policies are applied.
For an example of work or "corporate" context, consider a user who starts the OneDrive app by using their work
account. In the work context, they can't move files to a personal storage location. Later, when they use OneDrive
with their personal account, they can copy and move data from their personal OneDrive without restrictions.
Outlook has a combined email view of both "personal" and "corporate" emails. In this situation, the Outlook app
prompts for the Intune PIN on launch.

NOTE
Although Edge is in "corporate" context, a user can intentionally move OneDrive "corporate" context files to an unknown
personal cloud storage location. To avoid this, see Manage restricted web sites and configure the allowed/blocked site list
for Edge.

For more information about multi-identity in Intune, see MAM and multi-identity.
Intune app PIN
The Personal Identification Number (PIN) is a passcode used to verify that the correct user is accessing the
organization's data in an application.
PIN prompt
Intune prompts for the user's app PIN when the user is about to access "corporate" data. In multi-identity apps
such as Word, Excel, or PowerPoint, the user is prompted for their PIN when they try to open a "corporate"
document or file. In single-identity apps, such as line-of-business apps managed using the Intune App
Wrapping Tool, the PIN is prompted at launch, because the Intune SDK knows the user's experience in the app is
always "corporate".
PIN prompt, or corporate credential prompt, frequency
The IT admin can define the Intune app protection policy setting Recheck the access requirements after
(minutes) in the Intune admin console. This setting specifies the amount of time before the access
requirements are checked on the device, and the application PIN screen, or corporate credential prompt, is
shown again. However, important details about PIN that affect how often the user will be prompted are:
The PIN is shared among apps of the same publisher to improve usability:
On iOS/iPadOS, one app PIN is shared amongst all apps of the same app publisher . For example, all
Microsoft apps share the same PIN. On Android, one app PIN is shared amongst all apps.
The Recheck the access requirements after (minutes) behavior after a device reboot:
A timer tracks the number of minutes of inactivity that determine when to show the Intune app PIN, or
corporate credential prompt next. On iOS/iPadOS, the timer is unaffected by device reboot. Thus, device
reboot has no effect on the number of minutes the user has been inactive from an iOS/iPadOS app with
Intune PIN (or corporate credential) policy targeted. On Android, the timer is reset on device reboot. As such,
Android apps with Intune PIN (or corporate credential) policy will likely prompt for an app PIN, or corporate
credential prompt, regardless of the 'Recheck the access requirements after (minutes)' setting value after a
device reboot.
The rolling nature of the timer associated with the PIN:
Once a PIN is entered to access an app (app A), and the app leaves the foreground (main input focus) on the
device, the timer gets reset for that PIN. Any app (app B) that shares this PIN will not prompt the user for PIN
entry because the timer has reset. The prompt will show up again once the 'Recheck the access requirements
after (minutes)' value is met again.
For iOS/iPadOS devices, even if the PIN is shared between apps from different publishers, the prompt will show
up again when the Recheck the access requirements after (minutes) value is met again for the app that is
not the main input focus. So, for example, a user has app A from publisher X and app B from publisher Y, and
those two apps share the same PIN. The user is focused on app A (foreground), and app B is minimized. After
the Recheck the access requirements after (minutes) value is met and the user switches to app B, the PIN
would be required.
NOTE
In order to verify the user's access requirements more often (i.e. PIN prompt), especially for a frequently used app, it is
recommended to reduce the value of the 'Recheck the access requirements after (minutes)' setting.
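To make the shared-PIN scope, the rolling inactivity timer and the reboot difference concrete, here is an added Python model of the rules described above; it is not Intune SDK code, and the event names, app and publisher labels, and the recheck value are assumptions used only for illustration.

```python
"""Model of the Intune app PIN prompt rules described above (added illustration,
not Intune SDK code).  Rules modelled:
  * iOS/iPadOS: one PIN scope per app publisher; Android: one scope for all apps.
  * A prompt is due once 'Recheck the access requirements after (minutes)'
    has elapsed since the timer for that PIN scope was last reset.
  * Entering the PIN, or an app in that scope leaving the foreground, resets
    the timer (so a sibling app sharing the PIN is not prompted).
  * A device reboot resets the timer on Android (next access prompts) but has
    no effect on iOS/iPadOS.
Event names, app/publisher labels and minute values are assumptions.
"""
from typing import Dict, Optional


class PinPromptModel:
    def __init__(self, platform: str, recheck_minutes: int) -> None:
        if platform not in ("ios", "android"):
            raise ValueError("platform must be 'ios' or 'android'")
        self.platform = platform
        self.recheck = recheck_minutes
        # scope -> minute of the last timer reset; None means a prompt is due
        self._last_reset: Dict[str, Optional[int]] = {}

    def _scope(self, publisher: str) -> str:
        # iOS shares the PIN per publisher; Android shares it across all apps
        return publisher if self.platform == "ios" else "*"

    def needs_prompt(self, publisher: str, now: int) -> bool:
        """True if accessing an app from `publisher` at minute `now` prompts."""
        scope = self._scope(publisher)
        if scope not in self._last_reset:
            return True            # no PIN set up yet for this scope
        last = self._last_reset[scope]
        if last is None:
            return True            # timer cleared by an Android reboot
        return now - last >= self.recheck

    def enter_pin(self, publisher: str, now: int) -> None:
        """User enters (or sets up) the PIN; the inactivity timer starts now."""
        self._last_reset[self._scope(publisher)] = now

    def leave_foreground(self, publisher: str, now: int) -> None:
        """An app in this scope is backgrounded; the shared timer is reset."""
        scope = self._scope(publisher)
        if self._last_reset.get(scope) is not None:
            self._last_reset[scope] = now

    def reboot(self) -> None:
        """Android loses the inactivity timer on reboot; iOS keeps it."""
        if self.platform == "android":
            for scope in self._last_reset:
                self._last_reset[scope] = None


def ios_scenario() -> list:
    """Two Microsoft apps and one other-publisher app on iOS, recheck = 30 min."""
    m = PinPromptModel("ios", recheck_minutes=30)
    out = []
    out.append(m.needs_prompt("Microsoft", now=0))     # True: first access
    m.enter_pin("Microsoft", now=0)                    # PIN set in Outlook
    m.leave_foreground("Microsoft", now=10)            # Outlook backgrounded
    out.append(m.needs_prompt("Microsoft", now=15))    # False: OneDrive shares PIN
    out.append(m.needs_prompt("Contoso", now=15))      # True: other publisher
    m.reboot()                                         # no effect on iOS
    out.append(m.needs_prompt("Microsoft", now=35))    # False: 25 min since reset
    out.append(m.needs_prompt("Microsoft", now=41))    # True: 31 min >= 30
    return out


def android_scenario() -> list:
    """Same idea on Android: one PIN for all apps, timer lost on reboot."""
    m = PinPromptModel("android", recheck_minutes=30)
    out = []
    m.enter_pin("Microsoft", now=0)
    out.append(m.needs_prompt("Contoso", now=15))      # False: PIN shared by all apps
    m.reboot()
    out.append(m.needs_prompt("Microsoft", now=16))    # True: reboot cleared timer
    return out
```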

Built-in app PINs for Outlook and OneDrive


The Intune PIN works based on an inactivity-based timer (the value of Recheck the access requirements
after (minutes) ). As such, Intune PIN prompts show up independently from the built-in app PIN prompts for
Outlook and OneDrive which often are tied to app launch by default. If the user receives both PIN prompts at
the same time, the expected behavior should be that the Intune PIN takes precedence.
Intune PIN security
The PIN serves to allow only the correct user to access their organization's data in the app. Therefore, an end
user must sign in with their work or school account before they can set or reset their Intune app PIN. This
authentication is handled by Azure Active Directory via secure token exchange and is not transparent to the
Intune SDK. From a security perspective, the best way to protect work or school data is to encrypt it. Encryption
is not related to the app PIN but is its own app protection policy.
Protecting against brute force attacks and the Intune PIN
As part of the app PIN policy, the IT administrator can set the maximum number of times a user can try to
authenticate their PIN before locking the app. After the number of attempts has been met, the Intune SDK can
wipe the "corporate" data in the app.
Intune PIN and a selective wipe
On iOS/iPadOS, the app level PIN information is stored in the keychain that is shared between apps with the
same publisher, such as all first party Microsoft apps. This PIN information is also tied to an end user account. A
selective wipe of one app shouldn't affect a different app.
For example, a PIN set for Outlook for the signed in user is stored in a shared keychain. When the user signs
into OneDrive (also published by Microsoft), they will see the same PIN as Outlook since it uses the same
shared keychain. When signing out of Outlook or wiping the user data in Outlook, the Intune SDK does not
clear that keychain because OneDrive might still be using that PIN. Because of this, selective wipes do not clear
that shared keychain, including the PIN. This behavior remains the same even if only one app by a publisher
exists on the device.
Since the PIN is shared amongst apps with the same publisher, if the wipe goes to a single app, the Intune SDK
does not know if there are any other apps on the device with the same publisher. Thus, the Intune SDK does not
clear the PIN since it might still be used for other apps. The expectation is that the app PIN should be wiped
when last app from that publisher will be removed eventually as part of some OS cleanup.
If you observe the PIN being wiped on some devices, the following is likely happening: Since the PIN is tied to
an identity, if the user signed in with a different account after a wipe, they will be prompted to enter a new PIN.
However, if they sign in with a previously existing account, a PIN stored in the keychain already can be used to
sign in.
Setting a PIN twice on apps from the same publisher?
MAM (on iOS/iPadOS) currently allows an application-level PIN with alphanumeric and special characters (called a
'passcode'), which requires the participating applications (for example, WXP, Outlook, Managed Browser, Yammer) to
integrate the Intune SDK for iOS. Without this, the passcode settings are not properly enforced for the targeted
applications. This feature was released in the Intune SDK for iOS v. 7.1.12.
In order to support this feature and ensure backward compatibility with previous versions of the Intune SDK for
iOS/iPadOS, all PINs (either numeric or passcode) in 7.1.12+ are handled separately from the numeric PIN in
previous versions of the SDK. Therefore, if a device has applications with Intune SDK for iOS versions before
7.1.12 AND after 7.1.12 from the same publisher, the user will have to set up two PINs. The two PINs (one for each
app) are not related in any way (i.e. each must adhere to the app protection policy that's applied to its app). As such,
only if apps A and B have the same policies applied (with respect to PIN) may the user set up the same PIN twice.
This behavior is specific to the PIN on iOS/iPadOS applications that are enabled with Intune Mobile App
Management. Over time, as applications adopt later versions of the Intune SDK for iOS/iPadOS, having to set a
PIN twice on apps from the same publisher becomes less of an issue. Please see the note below for an example.

NOTE
For example, if app A is built with a version prior to 7.1.12 and app B is built with a version greater than or equal to
7.1.12 from the same publisher, the end user will need to set up PINs separately for A and B if both are installed on an
iOS/iPadOS device. If an app C that has SDK version 7.1.9 is installed on the device, it will share the same PIN as app A.
An app D built with 7.1.14 will share the same PIN as app B.
If only apps A and C are installed on a device, then one PIN will need to be set. The same applies to if only apps B and D
are installed on a device.

App data encryption


IT administrators can deploy an app protection policy that requires app data to be encrypted. As part of the
policy, the IT administrator can also specify when the content is encrypted.
How the Intune data encryption process works
See the Android app protection policy settings and iOS/iPadOS app protection policy settings for detailed
information on the encryption app protection policy setting.
Data that is encrypted
Only data marked as "corporate" is encrypted according to the IT administrator's app protection policy. Data is
considered "corporate" when it originates from a business location. For the Office apps, Intune considers the
following as business locations:
Email (Exchange)
Cloud storage (OneDrive app with a OneDrive for Business account)
For line-of-business apps managed by the Intune App Wrapping Tool, all app data is considered "corporate".
Selective wipe
Remotely wipe data
Intune can wipe app data in three different ways:
Full device wipe
Selective wipe for MDM
MAM selective wipe
For more information about remote wipe for MDM, see Remove devices by using wipe or retire. For more
information about selective wipe using MAM, see the Retire action and How to wipe only corporate data from
apps.
Full device wipe removes all user data and settings from the device by restoring the device to its factory
default settings. The device is removed from Intune.

NOTE
Full device wipe, and selective wipe for MDM can only be achieved on devices enrolled with Intune mobile device
management (MDM).

Selective wipe for MDM


See Remove devices - retire to read about removing company data.
Selective wipe for MAM
Selective wipe for MAM simply removes company app data from an app. The request is initiated using the
Intune Azure portal. To learn how to initiate a wipe request, see How to wipe only corporate data from apps.
If the user is using the app when selective wipe is initiated, the Intune SDK checks every 30 minutes for a
selective wipe request from the Intune MAM service. It also checks for selective wipe when the user launches
the app for the first time and signs in with their work or school account.
When On-Premises (on-prem) services don't work with Intune protected apps
Intune app protection depends on the identity of the user to be consistent between the application and the
Intune SDK. The only way to guarantee that is through modern authentication. There are scenarios in which
apps may work with an on-prem configuration, but they are neither consistent nor guaranteed.
Secure way to open web links from managed apps
The IT administrator can deploy and set an app protection policy for Microsoft Edge, a web browser that can be
managed easily with Intune. The IT administrator can require all web links in Intune-managed apps to be
opened using the Managed Browser app.

App protection experience for iOS devices


Device fingerprint or face IDs
Intune app protection policies allow control over app access to only the Intune licensed user. One of the ways to
control access to the app is to require either Apple's Touch ID or Face ID on supported devices. Intune
implements a behavior where if there is any change to the device's biometric database, Intune prompts the user
for a PIN when the next inactivity timeout value is met. Changes to biometric data include the addition or
removal of a fingerprint, or face. If the Intune user does not have a PIN set, they are led to set up an Intune PIN.
The intent of this process is to continue keeping your organization's data within the app secure and protected at
the app level. This feature is only available for iOS/iPadOS, and requires the participation of applications that
integrate the Intune SDK for iOS/iPadOS, version 9.0.1 or later. Integration of the SDK is necessary so that the
behavior can be enforced on the targeted applications. This integration happens on a rolling basis and is
dependent on the specific application teams. Some apps that participate include WXP, Outlook, Managed
Browser, and Yammer.
iOS share extension
You can use the iOS/iPadOS share extension to open work or school data in unmanaged apps, even with the
data transfer policy set to managed apps only or no apps . Intune app protection policy cannot control the
iOS/iPadOS share extension without managing the device. Therefore, Intune encrypts "corporate" data
before it is shared outside the app. You can validate this encryption behavior by attempting to open a
"corporate" file outside of the managed app. The file should be encrypted and unable to be opened outside the
managed app.
Universal Links support
By default, Intune app protection policies will prevent access to unauthorized application content. In iOS/iPadOS,
there is functionality to open specific content or applications using Universal Links.
Users can disable an app's Universal Links by visiting them in Safari and selecting Open in New Tab or Open .
In order to use Universal Links with Intune app protection policies, it's important to re-enable the universal
links. The end user would need to do an Open in <app name> in Safari after long pressing a corresponding
link. This should prompt any additional protected app to route all Universal Links to the protected application
on the device.
Multiple Intune app protection access settings for same set of apps and users
Intune app protection policies for access will be applied in a specific order on end-user devices as they try to
access a targeted app from their corporate account. In general, a wipe would take precedence, followed by a
block, then a dismissible warning. For example, if applicable to the specific user/app, a minimum iOS/iPadOS
operating system setting that warns a user to update their iOS/iPadOS version will be applied after the
minimum iOS/iPadOS operating system setting that blocks the user from access. So, in the scenario where the
IT admin configures the min iOS operating system to 11.0.0.0 and the min iOS operating system (Warning only)
to 11.1.0.0, while the device trying to access the app was on iOS 10, the end user would be blocked based on
the more restrictive setting for min iOS operating system version that results in blocked access.
When dealing with different types of settings, an Intune SDK version requirement would take precedence, then
an app version requirement, followed by the iOS/iPadOS operating system version requirement. Then, any
warnings for all types of settings in the same order are checked. We recommend the Intune SDK version
requirement be configured only upon guidance from the Intune product team for essential blocking scenarios.

App protection experience for Android devices


Company Portal app and Intune app protection
Much of app protection functionality is built into the Company Portal app. Device enrollment is not required
even though the Company Portal app is always required. For mobile application management without
enrollment (MAM-WE), the end user just needs to have the Company Portal app installed on the device.
Multiple Intune app protection access settings for same set of apps and users
Intune app protection policies for access will be applied in a specific order on end-user devices as they try to
access a targeted app from their corporate account. In general, a block would take precedence, then a
dismissible warning. For example, if applicable to the specific user/app, a minimum Android patch version
setting that warns a user to take a patch upgrade will be applied after the minimum Android patch version
setting that blocks the user from access. So, in the scenario where the IT admin configures the min Android
patch version to 2018-03-01 and the min Android patch version (Warning only) to 2018-02-01, while the
device trying to access the app was on a patch version 2018-01-01, the end user would be blocked based on
the more restrictive setting for min Android patch version that results in blocked access.
When dealing with different types of settings, an app version requirement would take precedence, followed by
Android operating system version requirement and Android patch version requirement. Then, any warnings for
all types of settings in the same order are checked.
Intune app protection policies and Google's SafetyNet Attestation for Android devices
Intune app protection policies provide the capability for admins to require end-user devices to pass Google's
SafetyNet Attestation for Android devices. A new Google Play service determination will be reported to the IT
admin at an interval determined by the Intune service. How often the service call is made is throttled due to
load, thus this value is maintained internally and is not configurable. Any IT admin configured action for the
Google SafetyNet Attestation setting will be taken based on the last reported result to the Intune service at the
time of conditional launch. If there is no data, access will be allowed depending on no other conditional launch
checks failing, and Google Play Service "roundtrip" for determining attestation results will begin in the backend
and prompt the user asynchronously if the device has failed. If there is stale data, access will be blocked or
allowed depending on the last reported result, and similarly, a Google Play Service "roundtrip" for determining
attestation results will begin and prompt the user asynchronously if the device has failed.
Intune app protection policies and Google's Verify Apps API for Android devices
Intune App Protection Policies provide the capability for admins to require end-user devices to send signals via
Google's Verify Apps API for Android devices. The instructions on how to do this vary slightly by device. The
general process involves going to the Google Play Store, then clicking on My apps & games , clicking on the
result of the last app scan which will take you into the Play Protect menu. Ensure the toggle for Scan device
for security threats is switched to on.
Google's SafetyNet Attestation API
Intune leverages Google Play Protect SafetyNet APIs to add to our existing root detection checks for unenrolled
devices. Google has developed and maintained this API set for Android apps to adopt if they do not want their
apps to run on rooted devices. The Android Pay app has incorporated this, for example. While Google does not
share publicly the entirety of the root detection checks that occur, we expect these APIs to detect users who have
rooted their devices. These users can then be blocked from accessing, or their corporate accounts wiped from
their policy enabled apps. Check basic integrity tells you about the general integrity of the device. Rooted
devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. Check basic
integrity & certified devices tells you about the compatibility of the device with Google's services. Only
unmodified devices that have been certified by Google can pass this check. Devices that will fail include the
following:
Devices that fail basic integrity
Devices with an unlocked bootloader
Devices with a custom system image/ROM
Devices for which the manufacturer didn't apply for, or pass, Google certification
Devices with a system image built directly from the Android Open Source Program source files
Devices with a beta/developer preview system image
See Google's documentation on the SafetyNet Attestation for technical details.
SafetyNet device attestation setting and the 'jailbroken/rooted devices' setting
Google Play Protect's SafetyNet API checks require the end user to be online, at least for the duration of the
time when the "roundtrip" for determining attestation results executes. If the end user is offline, the IT admin
can still expect a result to be enforced from the jailbroken/rooted devices setting. That being said, if the end user has
been offline too long, the Offline grace period value comes into play, and all access to work or school data is
blocked once that timer value is reached, until network access is available. Turning on both settings allows for a
layered approach to keeping end-user devices healthy which is important when end-users access work or
school data on mobile.
Google Play Protect APIs and Google Play Services
The app protection policy settings that leverage Google Play Protect APIs require Google Play Services to
function. Both the SafetyNet device attestation and Threat scan on apps settings require a
Google-determined version of Google Play Services to function correctly. Since these settings fall in the area of
security, the end user will be blocked if they have been targeted with these settings and are not meeting the
appropriate version of Google Play Services or have no access to Google Play Services.

Next steps
How to create and deploy app protection policies with Microsoft Intune
Available Android app protection policy settings with Microsoft Intune
Available iOS/iPadOS app protection policy settings with Microsoft Intune

See also
Third-party apps such as the Salesforce mobile app work with Intune in specific ways to protect corporate data.
To learn more about how the Salesforce app in particular works with Intune (including MDM app configurations
settings), see Salesforce App and Microsoft Intune.
Data protection framework using app protection policies
9/4/2020 • 13 minutes to read

As more organizations implement mobile device strategies for accessing work or school data, protecting against
data leakage becomes paramount. Intune's mobile application management solution for protecting against data
leakage is App Protection Policies (APP). APP are rules that ensure an organization's data remains safe or
contained in a managed app, regardless of whether the device is enrolled. For more information, see App
protection policies overview.
When configuring App Protection Policies, the number of various settings and options enable organizations to
tailor the protection to their specific needs. Due to this flexibility, it may not be obvious which permutation of
policy settings is required to implement a complete scenario. To help organizations prioritize client endpoint
hardening endeavors, Microsoft has introduced a new taxonomy for security configurations in Windows 10, and
Intune is leveraging a similar taxonomy for its APP data protection framework for mobile app management.
The APP data protection configuration framework is organized into three distinct configuration scenarios:
Level 1 enterprise basic data protection – Microsoft recommends this configuration as the minimum data
protection configuration for an enterprise device.
Level 2 enterprise enhanced data protection – Microsoft recommends this configuration for devices where
users access sensitive or confidential information. This configuration is applicable to most mobile users
accessing work or school data. Some of the controls may impact user experience.
Level 3 enterprise high data protection – Microsoft recommends this configuration for devices run by an
organization with a larger or more sophisticated security team, or for specific users or groups who are at
uniquely high risk (users who handle highly sensitive data where unauthorized disclosure causes
considerable material loss to the organization). An organization likely to be targeted by well-funded and
sophisticated adversaries should aspire to this configuration.

APP Data Protection Framework deployment methodology


As with any deployment of new software, features or settings, Microsoft recommends investing in a ring
methodology for testing validation prior to deploying the APP data protection framework. Defining deployment
rings is generally a one-time event (or at least infrequent), but IT should revisit these groups to ensure that the
sequencing is still correct.
Microsoft recommends the following deployment ring approach for the APP data protection framework:

| Deployment ring | Tenant | Assessment teams | Output | Timeline |
| --- | --- | --- | --- | --- |
| Quality Assurance | Pre-production tenant | Mobile capability owners, Security, Risk Assessment, Privacy, UX | Functional scenario validation, draft documentation | 0-30 days |
| Preview | Production tenant | Mobile capability owners, UX | End user scenario validation, user facing documentation | 7-14 days, post Quality Assurance |
| Production | Production tenant | Mobile capability owners, IT help desk | N/A | 7 days to several weeks, post Preview |

As the above table indicates, all changes to the App Protection Policies should be first performed in a pre-
production environment to understand the policy setting implications. Once testing is complete, the changes can
be moved into production and applied to a subset of production users, generally, the IT department and other
applicable groups. And finally, the rollout can be completed to the rest of the mobile user community. Rollout to
production may take a longer amount of time depending on the scale of impact regarding the change. If there is
no user impact, the change should roll out quickly, whereas, if the change results in user impact, rollout may need
to go slower due to the need to communicate changes to the user population.
When testing changes to an APP, be aware of the delivery timing. The status of APP delivery for a given user can
be monitored. For more information, see How to monitor app protection policies.
Individual APP settings for each app can be validated on devices using Edge and the URL about:Intunehelp. For
more information, see Review client app protection logs and Use Edge for iOS and Android to access managed
app logs.

APP Data Protection Framework settings


The following App Protection Policy settings should be enabled for the applicable apps and assigned to all mobile
users. For more information on each policy setting, see iOS app protection policy settings and Android app
protection policy settings.
Microsoft recommends reviewing and categorizing usage scenarios, and then configuring users using the
prescriptive guidance for that level. As with any framework, settings within a corresponding level may need to be
adjusted based on the needs of the organization as data protection must evaluate the threat environment, risk
appetite, and impact to usability.
Conditional Access Policies
To ensure that only apps supporting App Protection Policies access work or school account data, Azure Active
Directory Conditional Access policies are required. See Scenario 1: Office 365 apps require approved apps
with app protection policies in Require app protection policy for cloud app access with Conditional Access for
steps to implement the specific policies.
Apps to include in the App Protection Policies
For each App Protection Policy, the following core Microsoft apps should be included:
Edge
Excel
Office
OneDrive
OneNote
Outlook
PowerPoint
Microsoft Teams
Microsoft To-Do
Word
Microsoft SharePoint
The policies should include other Microsoft apps based on business need, additional third-party public apps that
have integrated the Intune SDK used within the organization, as well as line-of-business apps that have integrated
the Intune SDK (or have been wrapped).
Level 1 enterprise basic data protection
Level 1 is the minimum data protection configuration for an enterprise mobile device. This configuration replaces
the need for basic Exchange Online device access policies by requiring a PIN to access work or school data,
encrypting the work or school account data, and providing the capability to selectively wipe the school or work
data. However, unlike Exchange Online device access policies, the below App Protection Policy settings apply to all
the apps selected in the policy, thereby ensuring data access is protected beyond mobile messaging scenarios.
The policies in level 1 enforce a reasonable data access level while minimizing the impact to users and mirror the
default data protection and access requirements settings when creating an App Protection Policy within Microsoft
Endpoint Manager.
Data protection

| Setting | Setting description | Value | Platform |
| --- | --- | --- | --- |
| Data Transfer | Backup org data to… | Allow | iOS/iPadOS, Android |
| Data Transfer | Send org data to other apps | All apps | iOS/iPadOS, Android |
| Data Transfer | Receive data from other apps | All apps | iOS/iPadOS, Android |
| Data Transfer | Restrict cut, copy, and paste between apps | Any app | iOS/iPadOS, Android |
| Data Transfer | Third-party keyboards | Allow | iOS/iPadOS |
| Data Transfer | Approved keyboards | Not required | Android |
| Data Transfer | Screen capture and Google Assistant | Allow | Android |
| Encryption | Encrypt org data | Require | iOS/iPadOS, Android |
| Encryption | Encrypt org data on enrolled devices | Require | Android |
| Functionality | Sync app with native contacts app | Allow | iOS/iPadOS, Android |
| Functionality | Printing org data | Allow | iOS/iPadOS, Android |
| Functionality | Restrict web content transfer with other apps | Any app | iOS/iPadOS, Android |
| Functionality | Org data notifications | Allow | iOS/iPadOS, Android |

Access requirements

| Setting | Value | Platform | Notes |
| --- | --- | --- | --- |
| PIN for access | Require | iOS/iPadOS, Android | |
| PIN type | Numeric | iOS/iPadOS, Android | |
| Simple PIN | Allow | iOS/iPadOS, Android | |
| Select Minimum PIN length | 4 | iOS/iPadOS, Android | |
| Biometric instead of PIN for access | Allow | iOS/iPadOS, Android | |
| Override biometric instead of PIN for access | Require | iOS/iPadOS, Android | |
| Timeout (minutes of activity) | 720 | iOS/iPadOS, Android | |
| Face ID instead of PIN for access | Allow | iOS/iPadOS | |
| PIN reset after number of days | No | iOS/iPadOS, Android | |
| App PIN when device PIN is set | Require | iOS/iPadOS, Android | If the device is enrolled in Intune, administrators can consider setting this to "Not required" if they are enforcing a strong device PIN via a device compliance policy. |
| Work or school account credentials for access | Not required | iOS/iPadOS, Android | |
| Recheck the access requirements after (minutes of inactivity) | 30 | iOS/iPadOS, Android | |

Conditional launch

| Setting | Setting description | Value / Action | Platform | Notes |
| --- | --- | --- | --- | --- |
| App conditions | Max PIN attempts | 5 / Reset PIN | iOS/iPadOS, Android | |
| App conditions | Offline grace period (minutes) | 720 / Block access | iOS/iPadOS, Android | |
| App conditions | Offline grace period (days) | 90 / Wipe data | iOS/iPadOS, Android | |
| Device conditions | Jailbroken/rooted devices | N/A / Block access | iOS/iPadOS, Android | |
| Device conditions | SafetyNet device attestation | Basic integrity and certified devices / Block access | Android | This setting configures Google's SafetyNet Attestation on end user devices. Basic integrity validates the integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. Basic integrity and certified devices validates the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check. |
| Device conditions | Require threat scan on apps | N/A / Block access | Android | This setting ensures that Google's Verify Apps scan is turned on for end user devices. If configured, the end user will be blocked from access until they turn on Google's app scanning on their Android device. |

Level 2 enterprise enhanced data protection


Level 2 is the data protection configuration recommended as a standard for devices where users access more
sensitive information. These devices are a natural target in enterprises today. These recommendations do not
assume a large staff of highly skilled security practitioners, and therefore should be accessible to most enterprise
organizations. This configuration expands upon the configuration in Level 1 by restricting data transfer scenarios
and by requiring a minimum operating system version.
The policy settings enforced in level 2 include all the policy settings recommended for level 1 but only lists those
settings below that have been added or changed to implement more controls and a more sophisticated
configuration than level 1. While these settings may have a slightly higher impact to users or to applications, they
enforce a level of data protection more commensurate with the risks facing users with access to sensitive
information on mobile devices.
Data protection
| Setting | Setting description | Value | Platform | Notes |
| --- | --- | --- | --- | --- |
| Data Transfer | Backup org data to… | Block | iOS/iPadOS, Android | |
| Data Transfer | Send org data to other apps | Policy managed apps | iOS/iPadOS, Android | With iOS/iPadOS, administrators can configure this value to be "Policy managed apps", "Policy managed apps with OS sharing", or "Policy managed apps with Open-In/Share filtering". Policy managed apps with OS sharing is available when the device is also enrolled with Intune. This setting allows data transfer to other policy managed apps, as well as file transfers to other apps that are managed by Intune. Policy managed apps with Open-In/Share filtering filters the OS Open-in/Share dialogs to only display policy managed apps. For more information, see iOS app protection policy settings. |
| Data Transfer | Select apps to exempt | Default / skype;app-settings;calshow;itms;itmss;itms-apps;itms-appss;itms-services; | iOS/iPadOS | |
| Data Transfer | Save copies of org data | Block | iOS/iPadOS, Android | |
| Data Transfer | Allow users to save copies to selected services | OneDrive for Business, SharePoint Online | iOS/iPadOS, Android | |
| Data Transfer | Transfer telecommunication data to | All apps | iOS/iPadOS, Android | |
| Data Transfer | Restrict cut, copy, and paste between apps | Policy managed apps with paste in | iOS/iPadOS, Android | |
| Data Transfer | Screen capture and Google Assistant | Block | Android | |
| Functionality | Restrict web content transfer with other apps | Microsoft Edge | iOS/iPadOS, Android | |
| Functionality | Org data notifications | Block Org Data | iOS/iPadOS, Android | For a list of apps that support this setting, see iOS app protection policy settings and Android app protection policy settings. |

Conditional launch

| Setting | Setting description | Value / Action | Platform | Notes |
| --- | --- | --- | --- | --- |
| Device conditions | Min OS version | Format: Major.Minor.Build; Example: 12.4.6 / Block access | iOS/iPadOS | Microsoft recommends configuring the minimum iOS major version to match the supported iOS versions for Microsoft apps. Microsoft apps support an N-1 approach where N is the current iOS major release version. For minor and build version values, Microsoft recommends ensuring devices are up to date with the respective security updates. See Apple security updates for Apple's latest recommendations. |
| Device conditions | Min OS version | Format: Major.Minor; Example: 5.0 / Block access | Android | Microsoft recommends configuring the minimum Android major version to match the supported Android versions for Microsoft apps. OEMs and devices adhering to Android Enterprise recommended requirements must support the current shipping release + one letter upgrade. Currently, Android recommends Android 8.0 and later for knowledge workers. See Android Enterprise Recommended requirements for Android's latest recommendations. |
| Device conditions | Min patch version | Format: YYYY-MM-DD; Example: 2020-01-01 / Block access | Android | Android devices can receive monthly security patches, but the release is dependent on OEMs and/or carriers. Organizations should ensure that deployed Android devices do receive security updates before implementing this setting. See Android Security Bulletins for the latest patch releases. |

Level 3 enterprise high data protection


Level 3 is the data protection configuration recommended as a standard for organizations with large and
sophisticated security organizations, or for specific users and groups who will be uniquely targeted by
adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such
merit the additional constraints and controls described. This configuration expands upon the configuration in
Level 2 by restricting additional data transfer scenarios, increasing the complexity of the PIN configuration, and
adding mobile threat detection.
The policy settings enforced in level 3 include all the policy settings recommended for level 2 but only lists those
settings below that have been added or changed to implement more controls and a more sophisticated
configuration than level 2. These policy settings can have a potentially significant impact to users or to
applications, enforcing a level of security commensurate with the risks facing targeted organizations.
Data protection
| Setting | Setting description | Value | Platform | Notes |
| --- | --- | --- | --- | --- |
| Data Transfer | Transfer telecommunication data to | Any policy-managed dialer app | Android | Administrators can also configure this setting to use a dialer app that does not support App Protection Policies by selecting A specific dialer app and providing the Dialer App Package ID and Dialer App Name values. |
| Data Transfer | Transfer telecommunication data to | A specific dialer app | iOS/iPadOS | |
| Data Transfer | Dialer App URL Scheme | replace_with_dialer_app_url_scheme | iOS/iPadOS | On iOS/iPadOS, this value must be replaced with the URL scheme for the custom dialer app being used. If the URL scheme is not known, contact the app developer for more information. For more information on URL schemes, see Defining a Custom URL Scheme for Your App. |
| Data transfer | Receive data from other apps | Policy managed apps | iOS/iPadOS, Android | |
| Data transfer | Third-party keyboards | Block | iOS/iPadOS | On iOS/iPadOS, this blocks all third-party keyboards from functioning within the app. |
| Data transfer | Approved keyboards | Require | Android | |
| Data transfer | Select keyboards to approve | add/remove keyboards | Android | With Android, keyboards must be selected in order to be used based on your deployed Android devices. |
| Functionality | Printing org data | Block | iOS/iPadOS, Android | |

Access requirements

| Setting | Value | Platform |
| --- | --- | --- |
| Simple PIN | Block | iOS/iPadOS, Android |
| Select Minimum PIN length | 6 | iOS/iPadOS, Android |
| PIN reset after number of days | Yes | iOS/iPadOS, Android |
| Number of days | 365 | iOS/iPadOS, Android |

Conditional launch

| Setting | Setting description | Value / Action | Platform | Notes |
| --- | --- | --- | --- | --- |
| Device conditions | Min OS version | Format: Major.Minor; Example: 8.0 / Block access | Android | Microsoft recommends configuring the minimum Android major version to match the supported Android versions for Microsoft apps. OEMs and devices adhering to Android Enterprise recommended requirements must support the current shipping release + one letter upgrade. Currently, Android recommends Android 8.0 and later for knowledge workers. See Android Enterprise Recommended requirements for Android's latest recommendations. |
| Device conditions | Jailbroken/rooted devices | N/A / Wipe data | iOS/iPadOS, Android | |
| Device conditions | Max allowed threat level | Secured / Block access | iOS/iPadOS, Android | Unenrolled devices can be inspected for threats using Mobile Threat Defense. For more information, see Mobile Threat Defense for unenrolled devices. If the device is enrolled, this setting can be skipped in favor of deploying Mobile Threat Defense for enrolled devices. For more information, see Mobile Threat Defense for enrolled devices. |
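The three levels above are cumulative, and each higher level's tables list only what it adds or changes. The block below, added here as an example and not an Intune export, the framework's JSON templates or any of Intune's own code, encodes a representative subset of the tables as layered configuration and adds an audit helper that reports where a policy falls short of a level. The keys are the setting names from the tables (with the platform added in brackets where a row applies to one platform), the values are the ones the tables give, and the plain-dictionary shape of a "policy" is an assumption made for the illustration.

```python
# Added illustration of the APP data protection framework's layering.
# Not an Intune export format; keys are the tables' setting names, values
# are the tables' values, and the policy dictionary shape is an assumption.
from typing import Any, Dict, List, Tuple

# Level 1 enterprise basic data protection (representative rows).
LEVEL_1: Dict[str, Any] = {
    "Backup org data to": "Allow",
    "Send org data to other apps": "All apps",
    "Receive data from other apps": "All apps",
    "Restrict cut, copy, and paste between apps": "Any app",
    "Third-party keyboards (iOS/iPadOS)": "Allow",
    "Approved keyboards (Android)": "Not required",
    "Screen capture and Google Assistant (Android)": "Allow",
    "Encrypt org data": "Require",
    "Printing org data": "Allow",
    "Restrict web content transfer with other apps": "Any app",
    "Org data notifications": "Allow",
    "PIN for access": "Require",
    "PIN type": "Numeric",
    "Simple PIN": "Allow",
    "Select Minimum PIN length": 4,
    "Timeout (minutes of activity)": 720,
    "PIN reset after number of days": "No",
    "Max PIN attempts": (5, "Reset PIN"),
    "Offline grace period (minutes)": (720, "Block access"),
    "Offline grace period (days)": (90, "Wipe data"),
    "Jailbroken/rooted devices": ("N/A", "Block access"),
    "SafetyNet device attestation (Android)": ("Basic integrity and certified devices", "Block access"),
    "Require threat scan on apps (Android)": ("N/A", "Block access"),
}

# Level 2 lists only what it adds to or changes from Level 1.
LEVEL_2_DELTA: Dict[str, Any] = {
    "Backup org data to": "Block",
    "Send org data to other apps": "Policy managed apps",
    "Save copies of org data": "Block",
    "Allow users to save copies to selected services": ("OneDrive for Business", "SharePoint Online"),
    "Restrict cut, copy, and paste between apps": "Policy managed apps with paste in",
    "Screen capture and Google Assistant (Android)": "Block",
    "Restrict web content transfer with other apps": "Microsoft Edge",
    "Org data notifications": "Block Org Data",
    "Min OS version (iOS/iPadOS)": ("12.4.6", "Block access"),
    "Min OS version (Android)": ("5.0", "Block access"),
    "Min patch version (Android)": ("2020-01-01", "Block access"),
}

# Level 3 lists only what it adds to or changes from Level 2.
LEVEL_3_DELTA: Dict[str, Any] = {
    "Receive data from other apps": "Policy managed apps",
    "Third-party keyboards (iOS/iPadOS)": "Block",
    "Approved keyboards (Android)": "Require",
    "Printing org data": "Block",
    "Simple PIN": "Block",
    "Select Minimum PIN length": 6,
    "PIN reset after number of days": "Yes",
    "Number of days": 365,
    "Min OS version (Android)": ("8.0", "Block access"),
    "Jailbroken/rooted devices": ("N/A", "Wipe data"),
    "Max allowed threat level": ("Secured", "Block access"),
}

LEVELS = {1: LEVEL_1, 2: LEVEL_2_DELTA, 3: LEVEL_3_DELTA}


def resolve_level(level: int) -> Dict[str, Any]:
    """Full setting set for a level, built by applying each level's changes
    on top of the level below it."""
    resolved: Dict[str, Any] = {}
    for n in range(1, level + 1):
        resolved.update(LEVELS[n])
    return resolved


def audit_policy(policy: Dict[str, Any], level: int) -> List[Tuple[str, Any, Any]]:
    """(setting, expected, actual) for every framework setting the policy
    leaves unset or sets differently; an empty list means the policy
    matches the level exactly."""
    expected = resolve_level(level)
    return [(name, want, policy.get(name))
            for name, want in expected.items() if policy.get(name) != want]


if __name__ == "__main__":
    # A Level 1 policy audited against Level 2 lists exactly the Level 2 changes.
    for gap in audit_policy(resolve_level(1), 2):
        print(gap)
```

Settings that a higher level does not mention keep the lower level's value (printing stays allowed at Level 2, for instance), which is what the resolver makes explicit; the audit reports a setting the policy leaves unset as `None`, so a missing minimum OS or patch version shows up alongside a wrong value.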

Next steps
Administrators can incorporate the above configuration levels within their ring deployment methodology for
testing and production use by importing the sample Intune App Protection Policy Configuration Framework JSON
templates with Intune's PowerShell scripts.

See also
How to create and deploy app protection policies with Microsoft Intune
Available Android app protection policy settings with Microsoft Intune
Available iOS/iPadOS app protection policy settings with Microsoft Intune
Third-party apps such as the Salesforce mobile app work with Intune in specific ways to protect corporate data.
To learn more about how the Salesforce app in particular works with Intune (including MDM app
configurations settings), see Salesforce App and Microsoft Intune.
How to create and assign app protection policies
9/4/2020 • 11 minutes to read

Learn how to create and assign Microsoft Intune app protection policies (APP) for users of your organization.
This topic also describes how to make changes to existing policies.

Before you begin


App protection policies can apply to apps running on devices that may or may not be managed by Intune. For a
more detailed description of how app protection policies work and the scenarios that are supported by Intune
app protection policies, see App protection policies overview.
The choices available in app protection policies (APP) enable organizations to tailor the protection to their
specific needs. For some, it may not be obvious which policy settings are required to implement a complete
scenario. To help organizations prioritize mobile client endpoint hardening, Microsoft has introduced a taxonomy
for its APP data protection framework for iOS and Android mobile app management.
The APP data protection framework is organized into three distinct configuration levels, with each level building
off the previous level:
Enterprise basic data protection (Level 1) ensures that apps are protected with a PIN and encrypted and
performs selective wipe operations. For Android devices, this level validates Android device attestation. This
is an entry level configuration that provides data protection controls similar to Exchange Online mailbox
policies and introduces IT and the user population to APP.
Enterprise enhanced data protection (Level 2) introduces APP data leakage prevention mechanisms and
minimum OS requirements. This is the configuration that is applicable to most mobile users accessing work
or school data.
Enterprise high data protection (Level 3) introduces advanced data protection mechanisms, enhanced
PIN configuration, and APP Mobile Threat Defense. This configuration is desirable for users that are
accessing high risk data.
To see the specific recommendations for each configuration level and the minimum apps that must be
protected, review Data protection framework using app protection policies.
If you're looking for a list of apps that have integrated the Intune SDK, see Microsoft Intune protected apps.
For information about adding your organization's line-of-business (LOB) apps to Microsoft Intune to prepare for
app protection policies, see Add apps to Microsoft Intune.

App protection policies for iOS/iPadOS and Android apps


When you create an app protection policy for iOS/iPadOS and Android apps, you follow a modern Intune
process flow that results in a new app protection policy. For information about creating app protection policies
for Windows apps, see Create and deploy Windows Information Protection (WIP) policy with Intune.
Create an iOS/iPadOS or Android app protection policy
1. Sign in to the Microsoft Endpoint Manager admin center.
2. In the Intune portal, choose Apps > App protection policies . This selection opens the App protection
policies details, where you create new policies and edit existing policies.
3. Select Create policy and select either iOS/iPadOS or Android . The Create policy pane is displayed.
4. On the Basics page, add the following values:

| Value | Description |
| --- | --- |
| Name | The name of this app protection policy. |
| Description | [Optional] The description of this app protection policy. |

The Platform value is set based on your above choice.

5. Click Next to display the Apps page.


The Apps page allows you to choose how you want to apply this policy to apps on different devices. You
must add at least one app.

| Value/Option | Description |
| --- | --- |
| Target to apps on all device types | Use this option to target your policy to apps on devices of any management state. Choose No to target apps on specific device types. For information, see Target app protection policies based on device management state. |
| Device types | Use this option to specify whether this policy applies to MDM managed devices or unmanaged devices. For iOS/iPadOS APP policies, select from Unmanaged and Managed devices. For Android APP policies, select from Unmanaged , Android device administrator , and Android Enterprise . |
| Public apps | Click Select public apps to choose the apps to target. |
| Custom apps | Click Select custom apps to select custom apps to target based on a Bundle ID. |

The app(s) you have selected will appear in the public and custom apps list.
6. Click Next to display the Data protection page.
This page provides settings for data loss prevention (DLP) controls, including cut, copy, paste, and save-as
restrictions. These settings determine how users interact with data in the apps to which this app protection
policy applies.
Data protection settings :
iOS/iPadOS data protection - For information, see iOS/iPadOS app protection policy settings -
Data protection.
Android data protection - For information, see Android app protection policy settings - Data
protection.
7. Click Next to display the Access requirements page.
This page provides settings to allow you to configure the PIN and credential requirements that users
must meet to access apps in a work context.
Access requirements settings :
iOS/iPadOS access requirements - For information, see iOS/iPadOS app protection policy settings
- Access requirements.
Android access requirements - For information, see Android app protection policy settings -
Access requirements.
8. Click Next to display the Conditional launch page.
This page provides settings to set the sign-in security requirements for your app protection policy. Select
a Setting and enter the Value that users must meet to sign in to your company app. Then select the
Action you want to take if users do not meet your requirements. In some cases, multiple actions can be
configured for a single setting.
Conditional launch settings :
iOS/iPadOS conditional launch - For information, see iOS/iPadOS app protection policy settings -
Conditional launch.
Android conditional launch - For information, see Android app protection policy settings -
Conditional launch.
9. Click Next to display the Assignments page.
The Assignments page allows you to assign the app protection policy to groups of users. You must
apply the policy to a group of users to have the policy take effect.
10. Click Next: Review + create to review the values and settings you entered for this app protection
policy.
11. When you are done, click Create to create the app protection policy in Intune.

TIP
These policy settings are enforced only when using apps in the work context. When end users use the app to do a
personal task, they aren't affected by these policies. Note that when you create a new file it is considered a
personal file.

IMPORTANT
It can take time for app protection policies to apply to existing devices. End users will see a notification on the
device when the app protection policy is applied. Apply your app protection policies to devices before applying
conditional access rules.

End users can download the apps from the App store or Google Play. For more information, see:
What to expect when your Android app is managed by app protection policies
What to expect when your iOS/iPadOS app is managed by app protection policies
Change existing policies
You can edit an existing policy and apply it to the targeted users. However, when you change existing policies,
users who are already signed in to the apps won't see the changes for an eight-hour period.
To see the effect of the changes immediately, the end user must sign out of the app, and then sign back in.
To change the list of apps associated with the policy
1. In the App protection policies pane, select the policy you want to change.
2. In the Intune App Protection pane, select Properties.
3. Next to the section titled Apps, select Edit .
4. The Apps page allows you to choose how you want to apply this policy to apps on different devices. You
must add at least one app.

Value/Option and Description:

Target to apps on all device types
  Description: Use this option to target your policy to apps on devices of any management state. Choose No to target apps on specific device types. Additional app configuration may be required for this setting. For more information, see Target app protection policies based on device management state.

Device types
  Description: Use this option to specify whether this policy applies to MDM managed devices or unmanaged devices. For iOS/iPadOS APP policies, select from Unmanaged and Managed devices. For Android APP policies, select from Unmanaged, Android device administrator, and Android Enterprise.

Public apps
  Description: Click Select public apps to choose the apps to target.

Custom apps
  Description: Click Select custom apps to select custom apps to target based on a Bundle ID.

The app(s) you have selected will appear in the public and custom apps list.
5. Click Review + create to review the apps selected for this policy.
6. When you are done, click Save to update the app protection policy.
To change the list of user groups
1. In the App protection policies pane, select the policy you want to change.
2. In the Intune App Protection pane, select Properties.
3. Next to the section titled Assignments, select Edit .
4. To add a new user group to the policy, on the Include tab choose Select groups to include , and select
the user group. Choose Select to add the group.
5. To exclude a user group, on the Exclude tab choose Select groups to exclude , and select the user
group. Choose Select to remove the user group.
6. To delete groups that were added previously, on either the Include or Exclude tabs, select the ellipsis (...)
and select Delete .
7. Click Review + create to review the user groups selected for this policy.
8. After your changes to the assignments are ready, select Save to save the configuration and deploy the
policy to the new set of users. If you select Cancel before you save your configuration, you will discard
all changes you've made to the Include and Exclude tabs.
To change policy settings
1. In the App protection policies pane, select the policy you want to change.
2. In the Intune App Protection pane, select Properties.
3. Next to the section corresponding to the settings you want to change, select Edit . Then change the
settings to new values.
4. Click Review + create to review the updated settings for this policy.
5. Select Save to save your changes. Repeat the process to select a settings area, modify it, and then
save your changes, until all your changes are complete. You can then close the Intune App Protection -
Properties pane.

Target app protection policies based on device management state


In many organizations, it's common to allow end users to use both Intune Mobile Device Management (MDM)
managed devices, such as corporate owned devices, and unmanaged devices protected with only Intune app
protection policies. Unmanaged devices are often known as Bring Your Own Devices (BYOD).
Because Intune app protection policies target a user's identity, the protection settings for a user can apply to
both enrolled (MDM managed) and non-enrolled devices (no MDM). Therefore, you can target an Intune app
protection policy to either Intune enrolled or unenrolled iOS/iPadOS and Android devices. You can have one
protection policy for unmanaged devices in which strict data loss prevention (DLP) controls are in place, and a
separate protection policy for MDM managed devices, where the DLP controls may be a little more relaxed. For
more information about how this works on personal Android Enterprise devices, see App protection policies and work
profiles.
To create these policies, browse to Apps > App protection policies in the Intune console, and then select
Create policy. You can also edit an existing app protection policy. To have the app protection policy apply to
both managed and unmanaged devices, navigate to the Apps page and confirm that Target to apps on all
device types is set to Yes, the default value. If you want to granularly assign based on management state, set
Target to apps on all device types to No.
Device types
Unmanaged: For iOS/iPadOS devices, unmanaged devices are any devices where either Intune MDM
management or a third-party MDM/EMM solution does not pass the IntuneMAMUPN key. For Android devices,
unmanaged devices are devices where Intune MDM management has not been detected. This includes
devices managed by third-party MDM vendors.
Intune managed devices: Managed devices are managed by Intune MDM.
Android device administrator: Intune-managed devices using the Android Device Administration API.
Android Enterprise: Intune-managed devices using Android Enterprise Work Profiles or Android
Enterprise Full Device Management.
Android devices will prompt to install the Intune Company Portal app regardless of which Device
type is chosen. For example, if you select 'Android Enterprise', users with unmanaged Android devices will
still be prompted.
For iOS/iPadOS, for the 'Device type' selection to be enforced on Intune managed devices, additional app
configuration settings are required. These configurations will communicate to the APP service that a particular
app is managed and that APP settings will not apply:
IntuneMAMUPN must be configured for all MDM managed applications. For more information, see How to
manage data transfer between iOS/iPadOS apps in Microsoft Intune.
IntuneMAMDeviceID must be configured for all third-party and line-of-business MDM managed
applications. The IntuneMAMDeviceID should be configured to the device ID token. For example,
key=IntuneMAMDeviceID, value={{deviceID}}. For more information, see Add app configuration policies for
managed iOS/iPadOS devices.
If only the IntuneMAMDeviceID is configured, Intune APP will consider the device as unmanaged.

NOTE
For specific iOS/iPadOS support information about app protection policies based on device management state, see MAM
protection policies targeted based on management state.

Policy settings
To see a full list of the policy settings for iOS/iPadOS and Android, select one of the following links:
iOS/iPadOS policies
Android policies

Next steps
Monitor compliance and user status

See also
What to expect when your Android app is managed by app protection policies
What to expect when your iOS/iPadOS app is managed by app protection policies
Android app protection policy settings in Microsoft Intune
9/4/2020 • 23 minutes to read

This article describes the app protection policy settings for Android devices. The policy settings that are
described can be configured for an app protection policy on the Settings pane in the Azure portal. There are
three categories of policy settings: data protection settings, access requirements, and conditional launch. In this
article, the term policy-managed apps refers to apps that are configured with app protection policies.

IMPORTANT
The Intune Company Portal is required on the device to receive App Protection Policies for Android devices. For more
information, see the Intune Company Portal access apps requirements.
The Intune Managed Browser has been retired. Use Microsoft Edge for your protected Intune browser experience.

Data protection
Data Transfer
Setting, How to use, and Default value:

Backup org data to Android backup services
  How to use: Select Block to prevent this app from backing up work or school data to the Android Backup Service. Select Allow to allow this app to back up work or school data.
  Default value: Allow

Send org data to other apps
  How to use: Specify what apps can receive data from this app:
    Policy managed apps: Allow transfer only to other policy-managed apps.
    All apps: Allow transfer to any app.
    None: Do not allow data transfer to any app, including other policy-managed apps.
  There are some exempt apps and services to which Intune may allow data transfer by default. In addition, you can create your own exemptions if you need to allow data to transfer to an app that doesn't support Intune APP. For more information, see Data transfer exemptions.
  This policy may also apply to Android App Links. General web links are managed by the Open app links in Intune Managed Browser policy setting.
  Note: Intune doesn't currently support the Android Instant Apps feature. Intune will block any data connection to or from the app. For more information, see Android Instant Apps in the Android Developer documentation.
  If Send org data to other apps is configured to All apps, text data may still be transferred via OS sharing to the clipboard.
  Default value: All apps

Select apps to exempt
  How to use: This option is available when you select Policy managed apps for the previous option.

Save copies of org data
  How to use: Choose Block to disable the use of the Save As option in this app. Choose Allow if you want to allow the use of Save As. Note: This setting is supported for Microsoft Excel, OneNote, PowerPoint, and Word. It may also be supported by third-party and LOB apps.
  Default value: Allow

Allow user to save copies to selected services
  How to use: Users can save to the selected services (OneDrive for Business, SharePoint, and Local Storage). All other services will be blocked.
  Default value: 0 selected

Transfer telecommunications data to
  How to use: Typically, when a user selects a hyperlinked phone number in an app, a dialer app will open with the phone number prepopulated and ready to call. For this setting, choose how to handle this type of content transfer when it is initiated from a policy-managed app:
    None, do not transfer this data between apps: Do not transfer communication data when a phone number is detected.
    A specific dialer app: Allow a specific dialer app to initiate contact when a phone number is detected.
    Any policy-managed dialer app: Allow any policy-managed dialer app to initiate contact when a phone number is detected.
    Any dialer app: Allow any dialer app to be used to initiate contact when a phone number is detected.
  Default value: Any dialer app

Dialer App Package ID
  How to use: When a specific dialer app has been selected, you must provide the app package ID.
  Default value: Blank

Dialer App Name
  How to use: When a specific dialer app has been selected, you must provide the name of the dialer app.
  Default value: Blank

Receive data from other apps
  How to use: Specify what apps can transfer data to this app:
    Policy managed apps: Allow transfer only from other policy-managed apps.
    All apps: Allow data transfer from any app.
    None: Do not allow data transfer from any app, including other policy-managed apps.
  There are some exempt apps and services from which Intune may allow data transfer. See Data transfer exemptions for a full list of apps and services.
  Default value: All apps

Restrict cut, copy and paste between other apps
  How to use: Specify when cut, copy, and paste actions can be used with this app. Choose from:
    Blocked: Do not allow cut, copy, and paste actions between this app and any other app.
    Policy managed apps: Allow cut, copy, and paste actions between this app and other policy-managed apps.
    Policy managed with paste in: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.
    Any app: No restrictions for cut, copy, and paste to and from this app.
  Default value: Any app

Cut and copy character limit for any app
  How to use: Specify the number of characters that may be cut or copied from org data and accounts. This will allow sharing of the specified number of characters when it would otherwise be blocked by the "Restrict cut, copy, and paste with other apps" setting. Note: Requires Intune Company Portal version 5.0.4364.0 or later.
  Default value: 0

Screen capture and Google Assistant
  How to use: Select Block to block screen capture and the Google Assistant capabilities of the device when using this app. Choosing Allow will also blur the App-switcher preview image when using this app with a work or school account.
  Default value: Block

Approved keyboards
  How to use: Select Require and then specify a list of approved keyboards for this policy. Users who aren't using an approved keyboard receive a prompt to download and install an approved keyboard before they can use the protected app. This setting requires the app to have the Intune SDK for Android version 6.2.0 or above.
  Default value: Not required

Select keyboards to approve
  How to use: This option is available when you select Require for the previous option. Choose Select to manage the list of keyboards and input methods that can be used with apps protected by this policy. You can add additional keyboards to the list, and remove any of the default options. You must have at least one approved keyboard to save the setting. To add a keyboard, specify:
    Name: A friendly name that identifies the keyboard, and is visible to the user.
    Package ID: The Package ID of the app in the Google Play store. For example, if the URL for the app in the Play store is https://play.google.com/store/details?id=com.contosokeyboard.android.prod, then the Package ID is com.contosokeyboard.android.prod. This package ID is presented to the user as a simple link to download the keyboard from Google Play.
  Note: A user assigned multiple app protection policies will be allowed to use only the approved keyboards common to all policies.

Encryption
Setting, How to use, and Default value:

Encrypt org data
  How to use: Choose Require to enable encryption of work or school data in this app. Intune uses an OpenSSL, 256-bit AES encryption scheme along with the Android Keystore system to securely encrypt app data. Data is encrypted synchronously during file I/O tasks. Content on the device storage is always encrypted. New files will be encrypted with 256-bit keys. Existing 128-bit encrypted files will undergo a migration attempt to 256-bit keys, but the process is not guaranteed. Files encrypted with 128-bit keys will remain readable. The encryption method is FIPS 140-2 validated; for more information, see OpenSSL FIPS Library and Android Guide.
  Default value: Require

Encrypt org data on enrolled devices
  How to use: Select Require to enforce encrypting org data with Intune app layer encryption on all devices. Select Not required to not enforce encrypting org data with Intune app layer encryption on enrolled devices.
  Default value: Require

Functionality
Setting, How to use, and Default value:

Sync app with native contacts app
  How to use: Choose Block to prevent the app from saving data to the native Contacts app on the device. If you choose Allow, the app can save data to the native Contacts app on the device. When you perform a selective wipe to remove work or school data from the app, contacts synced directly from the app to the native Contacts app are removed. Any contacts synced from the native address book to another external source can't be wiped. Currently this applies only to the Microsoft Outlook app.
  Default value: Allow

Printing Org data
  How to use: Choose Block to prevent the app from printing work or school data. If you leave this setting at Allow, the default value, users will be able to export and print all Org data.
  Default value: Allow

Restrict web content transfer with other apps
  How to use: Specify how web content (http/https links) is opened from policy-managed applications. Choose from:
    Any app: Allow web links in any app.
    Intune Managed Browser: Allow web content to open only in the Intune Managed Browser. This browser is a policy-managed browser.
    Microsoft Edge: Allow web content to open only in Microsoft Edge. This browser is a policy-managed browser.
    Unmanaged browser: Allow web content to open only in the unmanaged browser defined by the Unmanaged browser protocol setting. The web content will be unmanaged in the target browser. Note: Requires Intune Company Portal version 5.0.4415.0 or later.
  Policy-managed browsers: On Android, your end users can choose from other policy-managed apps that support http/https links if neither Intune Managed Browser nor Microsoft Edge is installed. If a policy-managed browser is required but not installed, your end users will be prompted to install Microsoft Edge. If a policy-managed browser is required, Android App Links are managed by the Allow app to transfer data to other apps policy setting.
  Intune device enrollment: If you are using Intune to manage your devices, see Manage Internet access using managed browser policies with Microsoft Intune.
  Policy-managed Microsoft Edge: The Microsoft Edge browser for mobile devices (iOS/iPadOS and Android) supports Intune app protection policies. Users who sign in with their corporate Azure AD accounts in the Microsoft Edge browser application will be protected by Intune. The Microsoft Edge browser integrates the APP SDK and supports all of its data protection policies, with the exception of preventing:
    Save-as: The Microsoft Edge browser does not allow a user to add direct, in-app connections to cloud storage providers (such as OneDrive).
    Contact sync: The Microsoft Edge browser does not save to native contact lists.
  Note: The APP SDK cannot determine if a target app is a browser. On Android devices, other managed browser apps that support the http/https intent are allowed.
  Default value: Not configured

Unmanaged Browser ID
  How to use: Enter the application ID for a single browser. Web content (http/https links) from policy-managed applications will open in the specified browser. The web content will be unmanaged in the target browser.
  Default value: Blank

Unmanaged Browser Name
  How to use: Enter the application name for the browser associated with the Unmanaged Browser ID. This name will be displayed to users if the specified browser is not installed.
  Default value: Blank

Org data notifications
  How to use: Specify how much org data is shared via OS notifications for org accounts. This policy setting will impact the local device and any connected devices such as wearables and smart speakers. Apps may provide additional controls to customize notification behavior or may choose to not honor all values. Select from:
    Block: Do not share notifications. If not supported by the application, notifications will be allowed.
    Block org data: Do not share org data in notifications. For example, "You have new mail"; "You have a meeting". If not supported by the application, notifications will be blocked.
    Allow: Shares org data in the notifications.
  Note: This setting requires app support. Outlook for Android 4.0.95 or later supports this setting.
  Default value: Allow
Data transfer exemptions
There are some exempt apps and platform services that Intune app protection policies allow data transfer to
and from. For example, all Intune-managed apps on Android must be able to transfer data to and from the
Google Text-to-speech, so that text from your mobile device screen can be read aloud. This list is subject to
change and reflects the services and apps considered useful for secure productivity.
Full exemptions
These apps and services are fully allowed for data transfer to and from Intune-managed apps.

App/Service name and Description:

com.android.phone: Native phone app
com.android.vending: Google Play Store
com.android.documentsui: Android Document Picker
com.google.android.webview: WebView, which is necessary for many apps including Outlook.
com.android.webview: WebView, which is necessary for many apps including Outlook.
com.google.android.tts: Google Text-to-speech
com.android.providers.settings: Android system settings
com.android.settings: Android system settings
com.azure.authenticator: Azure Authenticator app, which is required for successful authentication in many scenarios.
com.microsoft.windowsintune.companyportal: Intune Company Portal

Conditional exemptions
These apps and services are only allowed for data transfer to and from Intune-managed apps under certain
conditions.

App/Service name, Description, and Exemption condition:

com.android.chrome (Google Chrome Browser)
  Exemption condition: Chrome is used for some WebView components on Android 7.0+ and is never hidden from view. Data flow to and from the app, however, is always restricted.

com.skype.raider (Skype)
  Exemption condition: The Skype app is allowed only for certain actions that result in a phone call.

com.android.providers.media (Android media content provider)
  Exemption condition: The media content provider is allowed only for the ringtone selection action.

com.google.android.gms; com.google.android.gsf (Google Play Services packages)
  Exemption condition: These packages are allowed for Google Cloud Messaging actions, such as push notifications.

com.google.android.apps.maps (Google Maps)
  Exemption condition: Addresses are allowed for navigation.
For more information, see Data transfer policy exceptions for apps.

Access requirements
Setting, How to use, and Default value:

PIN for access
  How to use: Select Require to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context. You can configure the PIN strength using the settings available under the PIN for access section.
  Default value: Require

PIN type
  How to use: Set a requirement for either numeric or passcode type PINs before accessing an app that has app protection policies applied. Numeric requirements involve only numbers, while a passcode can be defined with at least 1 alphabetical letter or at least 1 special character. Note: Special characters allowed include the special characters and symbols on the Android English language keyboard.
  Default value: Numeric

Simple PIN
  How to use: Select Allow to allow users to use simple PIN sequences like 1234, 1111, abcd or aaaa. Select Block to prevent them from using simple sequences. Simple sequences are checked in 3 character sliding windows. If Block is configured, 1235 or 1112 would not be accepted as a PIN set by the end user, but 1122 would be allowed. Note: If Passcode type PIN is configured, and Simple PIN is set to Allow, the user needs at least one letter or at least one special character in their PIN. If Passcode type PIN is configured, and Simple PIN is set to Block, the user needs at least one number and one letter and at least one special character in their PIN.
  Default value: Allow

Select minimum PIN length
  How to use: Specify the minimum number of digits in a PIN sequence.
  Default value: 4

Fingerprint instead of PIN for access (Android 6.0+)
  How to use: Select Allow to allow the user to use fingerprint authentication instead of a PIN for app access. Note: This feature supports generic controls for biometrics on Android devices. OEM-specific biometric settings, like Samsung Pass, are not supported. On Android, you can let the user prove their identity by using Android fingerprint authentication instead of a PIN. When the user tries to use this app with their work or school account, they are prompted to provide their fingerprint identity instead of entering a PIN. Android work profile enrolled devices require registering a separate fingerprint for the Fingerprint instead of PIN for access policy to be enforced. This policy takes effect only for policy-managed apps installed in the Android work profile. The separate fingerprint must be registered with the device after the Android work profile is created by enrolling in the Company Portal. For more information about work profile fingerprints using Android work profiles, see Lock your work profile.
  Default value: Allow

Override fingerprint with PIN after timeout
  How to use: To use this setting, select Require and then configure an inactivity timeout.
  Default value: Require

Timeout (minutes of inactivity)
  How to use: Specify a time in minutes after which either a passcode or numeric (as configured) PIN will override the use of a fingerprint. This timeout value should be greater than the value specified under 'Recheck the access requirements after (minutes of inactivity)'.
  Default value: 30

PIN reset after number of days
  How to use: Select Yes to require users to change their app PIN after a set period of time, in days. When set to Yes, you then configure the number of days before the PIN reset is required.
  Default value: No

Number of days
  How to use: Configure the number of days before the PIN reset is required.
  Default value: 90

Select number of previous PIN values to maintain
  How to use: This setting specifies the number of previous PINs that Intune will maintain. Any new PINs must be different from those that Intune is maintaining.
  Default value: 0

App PIN when device PIN is set
  How to use: Select Not required to disable the app PIN when a device lock is detected on an enrolled device with Company Portal configured.
  Default value: Require

Work or school account credentials for access
  How to use: Choose Require to require the user to sign in with their work or school account instead of entering a PIN for app access. When set to Require, and PIN or biometric prompts are turned on, both corporate credentials and either the PIN or biometric prompts are shown.
  Default value: Not required

Recheck the access requirements after (minutes of inactivity)
  How to use: Configure the following setting:
    Timeout: This is the number of minutes before the access requirements (defined earlier in the policy) are rechecked. For example, an admin turns on PIN and blocks rooted devices in the policy; a user opens an Intune-managed app, must enter a PIN, and must be using the app on a non-rooted device. When using this setting, the user won't have to enter a PIN or undergo another root-detection check on any Intune-managed app for a period of time equal to the configured value. This policy setting format supports a positive whole number.
  Note: On Android, the PIN is shared with all Intune-managed apps. The PIN timer is reset once the app leaves the foreground on the device. The user won't have to enter a PIN on any Intune-managed app that shares its PIN for the duration of the timeout defined in this setting.
  Default value: 30 minutes

NOTE
To learn more about how multiple Intune app protection settings configured in the Access section to the same set of
apps and users work on Android, see Intune MAM frequently asked questions and Selectively wipe data using app
protection policy access actions in Intune.
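
The PIN type, minimum length and Simple PIN rules above are concrete enough to express as a check. The following is an added example, not Intune's own implementation: it applies the 3-character sliding-window rule to the page's sample PINs (1235 and 1112 rejected, 1122 accepted) and the letter/number/special-character requirements for passcode-type PINs. Treating descending runs (321) as simple and using string.punctuation as the set of special characters are assumptions made here.

```python
import string

# Assumption: string.punctuation stands in for the "special characters and symbols on the
# Android English language keyboard" mentioned in the PIN type setting.
SPECIALS = set(string.punctuation)


def sliding_windows(pin, size=3):
    """Return every window of `size` consecutive characters in the PIN."""
    return [pin[i:i + size] for i in range(len(pin) - size + 1)]


def is_simple_sequence(pin):
    """True if any 3-character window is a repeat (111, aaa) or a straight run (123, abc).

    Repeats and ascending runs match the page's examples (1234, 1111, abcd, aaaa);
    treating descending runs (321, cba) as simple as well is an assumption made here.
    """
    for window in sliding_windows(pin.lower()):
        a, b, c = (ord(ch) for ch in window)
        if a == b == c:
            return True
        if b - a == 1 and c - b == 1:
            return True
        if a - b == 1 and b - c == 1:
            return True
    return False


def check_pin(pin, pin_type="numeric", min_length=4, simple_pin="allow"):
    """Validate a candidate app PIN against the PIN type, minimum PIN length and
    Simple PIN settings. Returns (accepted, reason)."""
    if len(pin) < min_length:
        return False, f"PIN must be at least {min_length} characters"

    has_letter = any(ch in string.ascii_letters for ch in pin)
    has_digit = any(ch.isdigit() for ch in pin)
    has_special = any(ch in SPECIALS for ch in pin)

    if pin_type == "numeric":
        # Numeric requirements involve only numbers.
        if not pin.isdigit():
            return False, "numeric PIN type allows digits only"
    elif pin_type == "passcode":
        # Simple PIN = Allow: at least one letter or one special character.
        if simple_pin == "allow" and not (has_letter or has_special):
            return False, "passcode needs at least one letter or one special character"
        # Simple PIN = Block: at least one number, one letter and one special character.
        if simple_pin == "block" and not (has_letter and has_digit and has_special):
            return False, "passcode with Simple PIN blocked needs a number, a letter and a special character"
    else:
        raise ValueError(f"unknown PIN type: {pin_type}")

    # The sliding-window check only applies when Simple PIN is set to Block.
    if simple_pin == "block" and is_simple_sequence(pin):
        return False, "simple sequence found in a 3-character window"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample PINs, including the three the page discusses.
    for candidate in ("1235", "1112", "1122", "abcd", "a1!x"):
        print(candidate, check_pin(candidate, "numeric", 4, "block"))
```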

Conditional launch
Configure conditional launch settings to set sign-in security requirements for your app protection policy.
By default, several settings are provided with pre-configured values and actions. You can delete some settings,
like the Min OS version. You can also select additional settings from the Select one dropdown.
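
The Min OS version, Min app version and Min patch version entries in the table that follows accept a major.minor[.build[.revision]] version or a YYYY-MM-DD patch date, and the same setting can appear more than once with a different action. The following is an added example, not Intune's code, showing how such rules can be evaluated against a device state and how the harshest triggered action is picked; the rule and device dictionaries, the action names and their severity order are assumptions made for illustration.

```python
from datetime import date

# Assumption: severity order used only to pick the harshest action among failed rules.
SEVERITY = {"warn": 1, "block_access": 2, "wipe_data": 3}


def parse_version(text):
    """Parse 'major.minor', 'major.minor.build' or 'major.minor.build.revision' into a
    four-component tuple, so that 10.0 compares equal to 10.0.0.0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version format: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def parse_patch_date(text):
    """Parse the YYYY-MM-DD Android security patch level used by Min patch version."""
    return date.fromisoformat(text)


def evaluate_conditional_launch(rules, device):
    """Return a list of (setting, action) for every rule the device fails.

    rules:  list of {"setting": ..., "value": ..., "action": ...} (constructed shape);
            a setting may appear more than once with a different action.
    device: {"os_version", "app_version", "patch_level", "rooted"} (constructed shape).
    """
    failures = []
    for rule in rules:
        setting, value, action = rule["setting"], rule.get("value"), rule["action"]
        if setting == "min_os_version":
            failed = parse_version(device["os_version"]) < parse_version(value)
        elif setting == "min_app_version":
            failed = parse_version(device["app_version"]) < parse_version(value)
        elif setting == "min_patch_version":
            failed = parse_patch_date(device["patch_level"]) < parse_patch_date(value)
        elif setting == "rooted_devices":
            failed = bool(device["rooted"])  # no value to set for this setting
        else:
            raise ValueError(f"unknown conditional launch setting: {setting}")
        if failed:
            failures.append((setting, action))
    return failures


def harshest_action(failures):
    """Most severe action among the failed rules, or None when every rule passed."""
    if not failures:
        return None
    return max((action for _, action in failures), key=SEVERITY.__getitem__)


# Constructed sample policy: Min OS version twice (warn below 9.0, block below 8.0),
# an Outlook-style min app version, a patch-date floor and a rooted-device wipe.
SAMPLE_RULES = [
    {"setting": "min_os_version", "value": "9.0", "action": "warn"},
    {"setting": "min_os_version", "value": "8.0", "action": "block_access"},
    {"setting": "min_app_version", "value": "4.0.95", "action": "block_access"},
    {"setting": "min_patch_version", "value": "2020-06-01", "action": "block_access"},
    {"setting": "rooted_devices", "action": "wipe_data"},
]

# Constructed sample device: OS 8.1.0 (warn only), app up to date, patch level too old.
SAMPLE_DEVICE = {
    "os_version": "8.1.0",
    "app_version": "4.0.95",
    "patch_level": "2020-05-05",
    "rooted": False,
}

if __name__ == "__main__":
    failed = evaluate_conditional_launch(SAMPLE_RULES, SAMPLE_DEVICE)
    print(failed)                    # [('min_os_version', 'warn'), ('min_patch_version', 'block_access')]
    print(harshest_action(failed))   # block_access
```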

SET T IN G H O W TO USE
SET T IN G H O W TO USE

Max PIN attempts Specify the number of tries the user has to successfully
enter their PIN before the configured action is taken. This
policy setting format supports a positive whole number.
Actions include:
Reset PIN - The user must reset their PIN.
Wipe data - The user account that is associated
with the application is wiped from the device.
Default value = 5

Offline grace period The number of minutes that MAM apps can run offline.
Specify the time (in minutes) before the access requirements
for the app are rechecked. Actions include:
Block access (minutes) - The number of minutes
that MAM apps can run offline. Specify the time (in
minutes) before the access requirements for the app
are rechecked. After this period expires, the app
requires user authentication to Azure Active
Directory (Azure AD) so that the app can continue to
run.

This policy setting format supports a positive whole


number.

Default value = 720 minutes (12 hours)


Wipe data (days) - After this many days (defined
by the admin) of running offline, the app will require
the user to connect to the network and
reauthenticate. If the user successfully authenticates,
they can continue to access their data and the offline
interval will reset. If the user fails to authenticate, the
app will perform a selective wipe of the users
account and data. For more information, see How to
wipe only corporate data from Intune-managed
apps.
This policy setting format supports a positive whole number.

Default value = 90 days

This entry can appear multiple times, with each instance


supporting a different action.

Jailbroken/rooted devices There is no value to set for this setting. Actions include:
Block access - Prevent this app from running on
jailbroken or rooted devices. The user continues to
be able to use this app for personal tasks, but will
have to use a different device to access work or
school data in this app.
Wipe data - The user account that is associated
with the application is wiped from the device.
SET T IN G H O W TO USE

Disabled account There is no value to set for this setting. Actions include:
Block access - When we have confirmed the user
has been disabled in Azure Active Directory, the app
blocks access to work or school data.
Wipe data - When we have confirmed the user has
been disabled in Azure Active Directory, the app will
perform a selective wipe of the users' account and
data.

Min OS version Specify a minimum Android operating system that is


required to use this app. Actions include:
Warn - The user will see a notification if the Android
version on the device doesn't meet the requirement.
This notification can be dismissed.
Block access - The user will be blocked from access
if the Android version on the device doesn't meet
this requirement.
Wipe data - The user account that is associated
with the application is wiped from the device.
This policy setting format supports either major.minor,
major.minor.build, major.minor.build.revision.
SET T IN G H O W TO USE

Min app version
    Specify a value for the minimum app version required to use this app. Actions include:
    - Warn - The user sees a notification if the app version on the device doesn't meet the requirement. This notification can be dismissed.
    - Block access - The user is blocked from access if the app version on the device does not meet the requirement.
    - Wipe data - The user account that is associated with the application is wiped from the device.
    As apps often have distinct versioning schemes between them, create a policy with one minimum app version targeting one app (for example, an Outlook version policy).
    This entry can appear multiple times, with each instance supporting a different action.
    This policy setting format supports either major.minor, major.minor.build, or major.minor.build.revision.
    Additionally, you can configure where your end users can get an updated version of a line-of-business (LOB) app. End users will see this in the min app version conditional launch dialog, which will prompt end users to update to a minimum version of the LOB app. On Android, this feature uses the Company Portal. To configure where an end user should update a LOB app, the app needs a managed app configuration policy sent to it with the key com.microsoft.intune.myappstore . The value sent will define which store the end user will download the app from. If the app is deployed via the Company Portal, the value must be CompanyPortal . For any other store, you must enter a complete URL.

Min patch version
    Require devices to have a minimum Android security patch released by Google. Actions include:
    - Warn - The user will see a notification if the Android version on the device doesn't meet the requirement. This notification can be dismissed.
    - Block access - The user will be blocked from access if the Android version on the device doesn't meet this requirement.
    - Wipe data - The user account that is associated with the application is wiped from the device.
    This policy setting supports the date format YYYY-MM-DD.

Device manufacturer(s)
    Specify a semicolon-separated list of manufacturer(s). These values are not case sensitive. Actions include:
    - Allow specified (Block non-specified) - Only devices that match the specified manufacturer can use the app. All other devices are blocked.
    - Allow specified (Wipe non-specified) - The user account that is associated with the application is wiped from the device.
    For more information on using this setting, see Conditional Launch actions.

SafetyNet device attestation
    App protection policies support some of Google Play Protect's APIs. This setting in particular configures Google's SafetyNet Attestation on end user devices. Specify either Basic integrity or Basic integrity and certified devices . Basic integrity tells you about the general integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. Basic integrity & certified devices tells you about the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check. Actions include:
    - Warn - The user sees a notification if the device does not meet Google's SafetyNet Attestation scan based on the value configured. This notification can be dismissed.
    - Block access - The user is blocked from access if the device does not meet Google's SafetyNet Attestation scan based on the value configured.
    - Wipe data - The user account that is associated with the application is wiped from the device.
    For commonly asked questions related to this setting, see Frequently asked questions about MAM and app protection.

Require threat scan on apps
    App protection policies support some of Google Play Protect's APIs. This setting in particular ensures that Google's Verify Apps scan is turned on for end user devices. If configured, the end user will be blocked from access until they turn on Google's app scanning on their Android device. Actions include:
    - Warn - The user sees a notification if Google's Verify Apps scan on the device is not turned on. This notification can be dismissed.
    - Block access - The user is blocked from access if Google's Verify Apps scan on the device is not turned on.
    Results from Google's Verify Apps scan are surfaced in the Potentially Harmful Apps report in the console.

Min Company Portal version
    By using the Min Company Portal version setting, you can specify a minimum version of the Company Portal that is enforced on an end user device. This conditional launch setting allows you to set Block access , Wipe data , and Warn as possible actions when the value is not met. The possible formats for this value follow the pattern [Major].[Minor], [Major].[Minor].[Build], or [Major].[Minor].[Build].[Revision]. Given that some end users may not prefer a forced update of apps on the spot, the 'warn' option may be ideal when configuring this setting. The Google Play Store does a good job of only sending the delta bytes for app updates, but this can still be a large amount of data that the user may not want to utilize if they are on mobile data at the time of the update. Forcing an update, and thereby downloading an updated app, could result in unexpected data charges at the time of the update. For more information, see Android policy settings.

Max allowed device threat level
    App protection policies can take advantage of the Intune-MTD connector. Specify a maximum threat level acceptable to use this app. Threats are determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device. Specify either Secured, Low, Medium, or High. Secured requires no threats on the device and is the most restrictive configurable value, while High essentially requires an active Intune-to-MTD connection. Actions include:
    - Block access - The user will be blocked from access if the threat level determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device doesn't meet this requirement.
    - Wipe data - The user account that is associated with the application is wiped from the device.
    For more information on using this setting, see Enable the Mobile Threat Defense connector in Intune for unenrolled devices.
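The conditional launch settings above all reduce to the same evaluation: compare a device property against a configured value in the format the table states, and take the configured action when the requirement is not met, with the most severe action winning when a setting appears several times. The following is an added example that models that evaluation for the Android settings (and, since the iOS conditional launch table later on this page uses the same version and offline grace period formats, for those as well). It is not Intune's code or the Intune SDK's; the Rule and Device types, their field names and the severity order Warn < Block access < Wipe data are assumptions chosen for illustration.

```python
"""Conditional launch rule evaluation, as an added example (not Intune's own
code). It models the Android table above and uses the same value formats:
major.minor[.build[.revision]] versions, YYYY-MM-DD patch dates, a
semicolon-separated manufacturer list, and the offline grace period in
minutes (Block access) or days (Wipe data). Rule/Device field names and the
evaluation order are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Actions as named in the table. A wipe removes the account, a block only
# denies access, a warning is dismissible, so that is the severity order.
WARN, BLOCK, WIPE = "Warn", "Block access", "Wipe data"
SEVERITY = {None: 0, WARN: 1, BLOCK: 2, WIPE: 3}


def parse_version(text: str) -> tuple:
    """Parse major.minor, major.minor.build or major.minor.build.revision.
    Missing trailing components count as 0, so 11.0 equals 11.0.0.0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version format: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


@dataclass
class Device:
    os_version: str
    app_version: str
    patch_date: Optional[str] = None   # Android security patch level, YYYY-MM-DD
    manufacturer: str = ""
    rooted: bool = False
    minutes_offline: int = 0
    days_offline: int = 0


@dataclass
class Rule:
    setting: str   # setting name as in the table
    value: str     # configured value, in the format the table states
    action: str    # WARN, BLOCK or WIPE


def rule_fires(rule: Rule, dev: Device) -> bool:
    """True when the device fails the requirement the rule expresses."""
    s, v = rule.setting, rule.value
    if s == "Min OS version":
        return parse_version(dev.os_version) < parse_version(v)
    if s == "Min app version":
        return parse_version(dev.app_version) < parse_version(v)
    if s == "Min patch version":
        required = date.fromisoformat(v)
        return dev.patch_date is None or date.fromisoformat(dev.patch_date) < required
    if s == "Device manufacturer(s)":
        # "Allow specified (Block/Wipe non-specified)": case-insensitive list.
        allowed = {m.strip().lower() for m in v.split(";") if m.strip()}
        return dev.manufacturer.strip().lower() not in allowed
    if s == "Jailbroken/rooted devices":
        return dev.rooted
    if s == "Offline grace period":
        # Block access is configured in minutes, Wipe data in days.
        if rule.action == WIPE:
            return dev.days_offline >= int(v)
        return dev.minutes_offline >= int(v)
    raise ValueError(f"unknown setting: {s}")


def evaluate(rules: List[Rule], dev: Device) -> Optional[str]:
    """Return the most severe action among the rules that fire, or None.
    A setting that appears several times with different actions (as the
    table allows) is simply several rules; the worst one wins."""
    worst = None
    for r in rules:
        if rule_fires(r, dev) and SEVERITY[r.action] > SEVERITY[worst]:
            worst = r.action
    return worst


# Constructed sample policy (not from the page): three Min OS version rules
# with escalating actions, plus the table's default offline grace values.
SAMPLE_POLICY = [
    Rule("Min OS version", "10.0", WARN),
    Rule("Min OS version", "9.0", BLOCK),
    Rule("Min OS version", "8.0", WIPE),
    Rule("Min app version", "4.2.1", BLOCK),
    Rule("Min patch version", "2020-06-01", BLOCK),
    Rule("Device manufacturer(s)", "Samsung; Google", BLOCK),
    Rule("Jailbroken/rooted devices", "", BLOCK),
    Rule("Offline grace period", "720", BLOCK),
    Rule("Offline grace period", "90", WIPE),
]

if __name__ == "__main__":
    # Android 9.5 on a Samsung device: only the 10.0 warning rule fires.
    print(evaluate(SAMPLE_POLICY, Device("9.5", "4.3.0", "2020-07-05", "samsung")))
```

Note how the three Min OS version rules give a staged response (warn, then block, then wipe as the device falls further behind), and how a missing patch date is treated as failing the patch requirement rather than passing it; an evaluator that defaults to "allow" on missing data silently weakens the policy.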
iOS app protection policy settings
9/4/2020

This article describes the app protection policy settings for iOS/iPadOS devices. The policy settings that are
described can be configured for an app protection policy on the Settings pane in the Azure portal when you
make a new policy.
There are three categories of policy settings: Data relocation, Access requirements, and Conditional launch. In
this article, the term policy-managed apps refers to apps that are configured with app protection policies.

IMPORTANT
The Intune Managed Browser has been retired. Use Microsoft Edge for your protected Intune browser experience.

Data protection

Data Transfer
Setting | How to use | Default value

Backup Org data to iTunes and iCloud backups
    Select Block to prevent this app from backing up work or school data to iTunes and iCloud. Select Allow to allow this app to back up work or school data to iTunes and iCloud.
    Default value: Allow

Send Org data to other apps
    Specify what apps can receive data from this app:
    - All apps : Allow transfer to any app. The receiving app will have the ability to read and edit the data.
    - None : Do not allow data transfer to any app, including other policy-managed apps. If the user performs a managed open-in function and transfers a document, the data will be encrypted and unreadable.
    - Policy managed apps : Allow transfer only to other policy-managed apps.
      Note: Users may be able to transfer content via Open-in or Share extensions to unmanaged apps on unenrolled devices or enrolled devices that allow sharing to unmanaged apps. Transferred data is encrypted by Intune and unreadable by unmanaged apps.
    - Policy managed apps with OS sharing : Only allow data transfer to other policy managed apps, as well as file transfers to other MDM managed apps on enrolled devices.
      Note: The Policy managed apps with OS sharing value is applicable to MDM enrolled devices only. If this setting is targeted to a user on an unenrolled device, the behavior of the Policy managed apps value applies. Users will be able to transfer unencrypted content via Open-in or Share extensions to any application allowed by the iOS MDM allowOpenFromManagedtoUnmanaged setting, assuming the sending app has the IntuneMAMUPN configured; for more information, see How to manage data transfer between iOS apps in Microsoft Intune. See https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf for more information on this iOS/iPadOS MDM setting.
    - Policy managed apps with Open-In/Share filtering : Allow transfer only to other policy managed apps, and filter OS Open-in/Share dialogs to only display policy managed apps. To configure the filtering of the Open-In/Share dialog, both the app(s) acting as the file/document source and the app(s) that can open this file/document must have the Intune SDK for iOS version 8.1.1 or above.
      Note: Users may be able to transfer content via Open-in or Share extensions to unmanaged apps if Intune private data types are supported by the app. Transferred data is encrypted by Intune and unreadable by unmanaged apps.
    In addition, when set to Policy managed apps or None , the Spotlight search (enables searching data within apps) and Siri shortcuts iOS features are blocked.
    This policy can also apply to iOS/iPadOS Universal Links. General web links are managed by the Open app links in Intune Managed Browser policy setting.
    There are some exempt apps and services to which Intune may allow data transfer by default. In addition, you can create your own exemptions if you need to allow data to transfer to an app that doesn't support Intune APP. See data transfer exemptions for more information.
    Default value: All apps

Select apps to exempt
    This option is available when you select Policy managed apps for the previous option.

Save copies of org data
    Select Block to disable the use of the Save As option in this app. Select Allow if you want to allow the use of Save As.
    Note: This setting is supported for Microsoft Excel, OneNote, Outlook, PowerPoint, and Word. It can also be supported by third-party and LOB apps.
    When set to Block, you can configure the following setting, Allow user to save copies to selected services.
    Default value: Allow

Allow user to save copies to selected services
    Users can save to the selected services (OneDrive for Business, SharePoint, and Local Storage). All other services are blocked. OneDrive for Business: you can save files to OneDrive for Business and SharePoint Online. SharePoint: you can save files to on-premises SharePoint. Local Storage: you can save files to local storage.
    Default value: 0 selected

Transfer telecommunication data to
    Typically, when a user selects a hyperlinked phone number in an app, a dialer app will open with the phone number prepopulated and ready to call. For this setting, choose how to handle this type of content transfer when it is initiated from a policy-managed app:
    - None, do not transfer this data between apps : Do not transfer communication data when a phone number is detected.
    - A specific dialer app : Allow a specific dialer app to initiate contact when a phone number is detected.
    - Any dialer app : Allow any dialer app to be used to initiate contact when a phone number is detected.
    Note: This setting requires Intune SDK 12.7.0 and later. If your apps rely on dialer functionality and are not using the correct Intune SDK version, as a workaround, consider adding "tel;telprompt" as a data transfer exemption. Once the apps support the correct Intune SDK version, the exemption can be removed.
    Default value: Any dialer app

Dialer App URL Scheme
    When any dialer app has been selected, you must provide the dialer app URL scheme that is used to launch the dialer app on iOS devices. For more information, see Apple's documentation about Phone Links.
    Default value: Blank

Receive data from other apps
    Specify what apps can transfer data to this app:
    - All apps : Allow data transfer from any app.
    - None : Do not allow data transfer from any app, including other policy-managed apps.
    - Policy managed apps : Allow transfer only from other policy-managed apps.
    - All apps with incoming Org data : Allow data transfer from any app. Treat all incoming data without a user identity as data from your organization. The data will be marked with the MDM enrolled user's identity as defined by the IntuneMAMUPN setting.
      Note: The All apps with incoming Org data value is applicable to MDM enrolled devices only. If this setting is targeted to a user on an unenrolled device, the behavior of the Any apps value applies.
    There are some exempt apps and services from which Intune may allow data transfer. See data transfer exemptions for a full list of apps and services. Multi-identity MAM enabled applications on non-enrolled iOS/iPadOS devices ignore this policy and allow all incoming data.
    Default value: All apps

Restrict cut, copy and paste between other apps
    Specify when cut, copy, and paste actions can be used with this app. Select from:
    - Blocked : Don't allow cut, copy, and paste actions between this app and any other app.
    - Policy managed apps : Allow cut, copy, and paste actions between this app and other policy-managed apps.
    - Policy managed with paste in : Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.
    - Any app : No restrictions for cut, copy, and paste to and from this app.
    Default value: Any app

Cut and copy character limit for any app
    Specify the number of characters that may be cut or copied from Org data and accounts. This will allow sharing of the specified number of characters to any application, regardless of the Restrict cut, copy, and paste with other apps setting.
    Note: Requires app to have Intune SDK version 9.0.14 or later.
    Default value: 0

Third party keyboards
    Choose Block to prevent the use of third-party keyboards in managed applications.
    When this setting is enabled, the user receives a one-time message stating that the use of third-party keyboards is blocked. This message appears the first time a user interacts with organizational data that requires the use of a keyboard. Only the standard iOS/iPadOS keyboard is available while using managed applications, and all other keyboard options are disabled. This setting will affect both the organization and personal accounts of multi-identity applications. This setting does not affect the use of third-party keyboards in unmanaged applications.
    Note: This feature requires the app to use Intune SDK version 12.0.16 or later. Apps with SDK versions from 8.0.14 to, and including, 12.0.15, will not have this feature correctly apply for multi-identity apps. For more details, see Known issue: Third party keyboards are not blocked in iOS/iPadOS for personal accounts.
    Default value: Allow

Encryption
Setting | How to use | Default value

Encrypt Org data
    Choose Require to enable encryption of work or school data in this app. Intune enforces iOS/iPadOS device encryption to protect app data while the device is locked. Applications may optionally encrypt app data using Intune APP SDK encryption. Intune APP SDK uses iOS/iPadOS cryptography methods to apply 256-bit AES encryption to app data.
    When you enable this setting, the user may be required to set up and use a PIN to access their device. If there's no device PIN and encryption is required, the user is prompted to set a PIN with the message "Your organization has required you to first enable a device PIN to access this app."
    Go to the official Apple documentation to see which iOS/iPadOS encryption modules are FIPS 140-2 validated.
    Default value: Require

Functionality
Setting | How to use | Default value

Sync app with native contacts app
    Select Block to prevent the app from saving data to the native Contacts app on the device. If you select Allow , the app can save data to the native Contacts app on the device.
    When you perform a selective wipe to remove work or school data from the app, contacts synced directly from the app to the native Contacts app are removed. Any contacts synced from the native address book to another external source can't be wiped. Currently this applies only to the Microsoft Outlook app.
    Default value: Allow

Printing Org data
    Select Block to prevent the app from printing work or school data. If you leave this setting at Allow , the default value, users will be able to export and print all Org data.
    Default value: Allow

Restrict web content transfer with other apps
    Specify how web content (http/https links) is opened from policy-managed applications. Choose from:
    - Any app : Allow web links in any app.
    - Intune Managed Browser : Allow web content to open only in the Intune Managed Browser. This browser is a policy-managed browser.
    - Microsoft Edge : Allow web content to open only in Microsoft Edge. This browser is a policy-managed browser.
    - Unmanaged browser : Allow web content to open only in the unmanaged browser defined by the Unmanaged browser protocol setting. The web content will be unmanaged in the target browser.
      Note: Requires app to have Intune SDK version 11.0.9 or later.
    If you're using Intune to manage your devices, see Manage Internet access using managed browser policies with Microsoft Intune.
    If a policy-managed browser is required but not installed, your end users will be prompted to install Microsoft Edge.
    If a policy-managed browser is required, iOS/iPadOS Universal Links are managed by the Allow app to transfer data to other apps policy setting.
    Intune device enrollment
    If you are using Intune to manage your devices, see Manage Internet access using managed browser policies with Microsoft Intune.
    Policy-managed Microsoft Edge
    The Microsoft Edge browser for mobile devices (iOS/iPadOS and Android) supports Intune app protection policies. Users who sign in with their corporate Azure AD accounts in the Microsoft Edge browser application will be protected by Intune. The Microsoft Edge browser integrates the Intune SDK and supports all of its data protection policies, with the exception of preventing:
    - Save-as : The Microsoft Edge browser does not allow a user to add direct, in-app connections to cloud storage providers (such as OneDrive).
    - Contact sync : The Microsoft Edge browser does not save to native contact lists.
    Note: The Intune SDK cannot determine if a target app is a browser. On iOS/iPadOS devices, no other managed browser apps are allowed.
    Default value: Not configured

Unmanaged Browser Protocol
    Enter the protocol for a single unmanaged browser. Web content (http/https links) from policy managed applications will open in any app that supports this protocol. The web content will be unmanaged in the target browser.
    This feature should only be used if you want to share protected content with a specific browser that is not enabled using Intune app protection policies. You must contact your browser vendor to determine the protocol supported by your desired browser.
    Note: Include only the protocol prefix. If your browser requires links of the form mybrowser://www.microsoft.com , enter mybrowser . Links will be translated as:
        http://www.microsoft.com > mybrowser://www.microsoft.com
        https://www.microsoft.com > mybrowsers://www.microsoft.com
    Default value: Blank

Org data notifications
    Specify how Org data is shared via OS notifications for Org accounts. This policy setting will impact the local device and any connected devices such as wearables and smart speakers. Apps may provide additional controls to customize notification behavior or may choose to not honor all values. Select from:
    - Blocked : Do not share notifications. If not supported by the application, notifications will be allowed.
    - Block org Data : Do not share Org data in notifications, for example "You have new mail"; "You have a meeting". If not supported by the application, notifications will be blocked.
    - Allow : Shares Org data in the notifications.
    Note: This setting requires app support. At this time, Outlook for iOS version 4.34.0 or later supports this setting.
    Default value: Allow

NOTE
None of the data protection settings control the Apple managed open-in feature on iOS/iPadOS devices. To use managed Apple open-in, see Manage data transfer between iOS/iPadOS apps with Microsoft Intune.

Data transfer exemptions

There are some exempt apps and platform services that Intune app protection policy may allow data transfer to and from in certain scenarios. This list is subject to change and reflects the services and apps considered useful for secure productivity.

App/service name(s) | Description
skype | Skype
app-settings | Device settings
itms; itmss; itms-apps; itms-appss; itms-services | App Store
calshow | Native Calendar

IMPORTANT
App Protection policies created before June 15, 2020 include tel and telprompt URL scheme as part of the default data
transfer exemptions. These URL schemes allow managed apps to initiate the dialer. The App Protection policy setting
Transfer telecommunication data to has replaced this functionality. Administrators should remove tel;telprompt;
from the data transfer exemptions and rely on the App Protection policy setting, provided the managed apps that
initiate dialer functionality include the Intune SDK 12.7.0 or later.
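The settings in the Data Transfer table, the exemption list above, and the IMPORTANT note all decide the same question: when a policy-managed app hands a link to another app, where may it go and in what form? The following is an added example, not Intune's or the Intune SDK's code, that models that decision by URL scheme for the Send Org data to other apps, Select apps to exempt, Restrict web content transfer with other apps, Unmanaged Browser Protocol, Transfer telecommunication data to and Dialer App URL Scheme settings, including the http/https rewrite rule and the tel;telprompt exemption the note warns about. The TransferPolicy and Decision types, their field names and the target_is_policy_managed flag are assumptions for illustration.

```python
"""Outbound link handling under the iOS data transfer settings above, as an
added example (not Intune's or the Intune SDK's code). Settings are modelled
by URL scheme; field names, the target_is_policy_managed flag and the
Decision type are assumptions for illustration."""
import re
from dataclasses import dataclass
from typing import Optional

# Default exemptions from the table above, in the setting's own
# semicolon-separated format.
DEFAULT_EXEMPTIONS = "skype; app-settings; itms; itmss; itms-apps; itms-appss; itms-services; calshow"

# RFC 3986 scheme: a letter followed by letters, digits, "+", "-" or ".".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def url_scheme(url: str) -> str:
    """Return the lower-cased URL scheme, or '' if the string has none."""
    m = _SCHEME_RE.match(url)
    return m.group(1).lower() if m else ""


def parse_scheme_list(text: str) -> set:
    """Parse a semicolon-separated scheme list such as 'tel;telprompt'."""
    return {s.strip().lower() for s in text.split(";") if s.strip()}


@dataclass
class TransferPolicy:
    send_org_data: str = "Policy managed apps"   # Send Org data to other apps
    exemptions: str = DEFAULT_EXEMPTIONS         # Select apps to exempt
    web_content: str = "Not configured"          # Restrict web content transfer with other apps
    unmanaged_browser_protocol: str = ""         # Unmanaged Browser Protocol
    telecom: str = "Any dialer app"              # Transfer telecommunication data to
    dialer_url_scheme: str = ""                  # Dialer App URL Scheme


@dataclass
class Decision:
    allowed: bool
    target: str                # where the link goes, or why it was blocked
    url: Optional[str] = None  # the URL actually handed to the target


def dispatch_link(url: str, policy: TransferPolicy,
                  target_is_policy_managed: bool = False) -> Decision:
    scheme = url_scheme(url)
    if not scheme:
        return Decision(False, "not a URL")
    exempt = parse_scheme_list(policy.exemptions)

    if scheme in ("tel", "telprompt"):
        # A legacy tel;telprompt exemption bypasses the telecom setting
        # entirely, which is why the IMPORTANT note says to remove it.
        if scheme in exempt:
            return Decision(True, "legacy exemption (tel;telprompt)", url)
        if policy.telecom == "None, do not transfer this data between apps":
            return Decision(False, "telecommunication transfer blocked")
        if policy.telecom == "A specific dialer app":
            if not policy.dialer_url_scheme:
                return Decision(False, "Dialer App URL Scheme not configured")
            number = url.split(":", 1)[1]
            return Decision(True, "specific dialer app", f"{policy.dialer_url_scheme}:{number}")
        return Decision(True, "any dialer app", url)

    if scheme in ("http", "https"):
        wc = policy.web_content
        if wc in ("Not configured", "Any app"):
            return Decision(True, "any app", url)
        if wc in ("Microsoft Edge", "Intune Managed Browser"):
            # The Managed Browser is retired; Edge is the policy-managed browser.
            return Decision(True, "Microsoft Edge (policy-managed)", url)
        if wc == "Unmanaged browser":
            proto = policy.unmanaged_browser_protocol.strip()
            if not proto:
                return Decision(False, "Unmanaged Browser Protocol not configured")
            # Translation rule from the table: http -> proto, https -> proto + "s".
            new_scheme = proto if scheme == "http" else proto + "s"
            return Decision(True, "unmanaged browser", new_scheme + url[len(scheme):])
        return Decision(False, f"unsupported web content setting {wc!r}")

    # Every other scheme: exemptions always pass; otherwise the
    # "Send Org data to other apps" value decides.
    if scheme in exempt:
        return Decision(True, "exempt app/service", url)
    if policy.send_org_data == "All apps":
        return Decision(True, "all apps", url)
    if policy.send_org_data.startswith("Policy managed apps") and target_is_policy_managed:
        return Decision(True, "policy managed app", url)
    return Decision(False, f"{scheme!r} blocked by {policy.send_org_data!r}")
```

Two points worth checking in your own tenant follow directly from this model: a scheme in the exemption list is honoured before any other setting is consulted, so an exemption is a standing hole rather than a temporary tweak, and the Unmanaged browser option only works when the protocol prefix is set, otherwise the link simply cannot open.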

Access requirements
Setting | How to use | Default value

PIN for access
    Select Require to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context. The PIN is applied when working either online or offline.
    You can configure the PIN strength using the settings available under the PIN for access section.
    Default value: Require

PIN type
    Set a requirement for either numeric or passcode type PINs before accessing an app that has app protection policies applied. Numeric requirements involve only numbers, while a passcode can be defined with at least 1 alphabetical letter or at least 1 special character.
    Note: To configure passcode type, it requires the app to have Intune SDK version 7.1.12 or above. Numeric type has no Intune SDK version restriction. Special characters allowed include the special characters and symbols on the iOS/iPadOS English language keyboard.
    Default value: Numeric

Simple PIN
    Select Allow to allow users to use simple PIN sequences like 1234, 1111, abcd or aaaa. Select Block to prevent them from using simple sequences. Simple sequences are checked in 3 character sliding windows. If Block is configured, 1235 or 1112 would not be accepted as a PIN set by the end user, but 1122 would be allowed.
    Note: If Passcode type PIN is configured, and Allow simple PIN is set to Yes, the user needs at least 1 letter or at least 1 special character in their PIN. If Passcode type PIN is configured, and Allow simple PIN is set to No, the user needs at least 1 number and 1 letter and at least 1 special character in their PIN.
    Default value: Allow

Select minimum PIN length
    Specify the minimum number of digits in a PIN sequence.
    Default value: 4

Touch ID instead of PIN for access (iOS 8+)
    Select Allow to allow the user to use Touch ID instead of a PIN for app access.
    Default value: Allow

Override Touch ID with PIN after timeout
    To use this setting, select Require and then configure an inactivity timeout.
    Default value: Require

Timeout (minutes of inactivity)
    Specify a time in minutes after which either a passcode or numeric (as configured) PIN will override the use of a fingerprint or face as the method of access. This timeout value should be greater than the value specified under 'Recheck the access requirements after (minutes of inactivity)'.
    Default value: 30

Face ID instead of PIN for access (iOS 11+)
    Select Allow to allow the user to use facial recognition technology to authenticate users on iOS/iPadOS devices. If allowed, Face ID must be used to access the app on a Face ID capable device.
    Default value: Allow

PIN reset after number of days
    Select Yes to require users to change their app PIN after a set period of time, in days.
    When set to Yes, you then configure the number of days before the PIN reset is required.
    Default value: No

Number of days
    Configure the number of days before the PIN reset is required.
    Default value: 90

App PIN when device PIN is set
    Select Disable to disable the app PIN when a device lock is detected on an enrolled device with Company Portal configured.
    Note: Requires app to have Intune SDK version 7.0.1 or above.
    On iOS/iPadOS devices, you can let the user prove their identity by using Touch ID or Face ID instead of a PIN. Intune uses the LocalAuthentication API to authenticate users using Touch ID and Face ID. To learn more about Touch ID and Face ID, see the iOS Security Guide.
    When the user tries to use this app with their work or school account, they're prompted to provide their fingerprint identity or face identity instead of entering a PIN. When this setting is enabled, the App-switcher preview image will be blurred while using a work or school account.
    Default value: Enable

Work or school account credentials for access
    Select Require to require the user to sign in with their work or school account instead of entering a PIN for app access. If you set this to Require , and PIN or biometric prompts are turned on, both corporate credentials and either the PIN or biometric prompts are shown.
    Default value: Not required


Recheck the access requirements Configure the number of minutes of 30


after (minutes of inactivity) inactivity that must pass before the
app requires the user to again specify
the access requirements.

For example, an admin turns on PIN


and Blocks rooted devices in the
policy, a user opens an Intune-
managed app, must enter a PIN, and
must be using the app on a non-
rooted device. When using this
setting, the user would not have to
enter a PIN or undergo another root-
detection check on any Intune-
managed app for a period of time
equal to the configured value.

Note: On iOS/iPadOS, the PIN is


shared amongst all Intune-managed
apps of the same publisher . The PIN
timer for a specific PIN is reset once
the app leaves the foreground on the
device. The user wouldn't have to
enter a PIN on any Intune-managed
app that shares its PIN for the
duration of the timeout defined in this
setting. This policy setting format
supports a positive whole number.

NOTE
To learn more about how multiple Intune app protection settings configured in the Access section to the same set of
apps and users work on iOS/iPadOS, see Intune MAM frequently asked questions and Selectively wipe data using app
protection policy access actions in Intune.
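The PIN type and Simple PIN settings in the Access requirements table above describe a concrete acceptance rule: numeric PINs are digits only, passcodes need a letter or special character (or, with Simple PIN blocked, a number, a letter and a special character), and simple sequences are detected in 3-character sliding windows so that 1235 and 1112 are rejected while 1122 is accepted. The following is an added example, not Intune's code, that applies those rules to a proposed PIN and reports every requirement it violates. Treating descending runs such as 4321 as simple and using ASCII punctuation as a stand-in for the iOS English keyboard's special characters are assumptions for illustration.

```python
"""App PIN validation under the "PIN type" and "Simple PIN" settings above, as
an added example (not Intune's code). The 3-character sliding-window check
reconstructs the rule the table states; descending runs counting as simple
and ASCII punctuation as the special-character set are assumptions."""
import string

SPECIALS = set(string.punctuation)   # assumption: stand-in for the iOS English keyboard symbols


def _window_is_simple(w: str) -> bool:
    """A 3-character window is simple when all characters repeat (111, aaa)
    or form a consecutive run (123, abc, and by assumption 321)."""
    if len(set(w)) == 1:
        return True
    a, b, c = (ord(ch) for ch in w)
    return (b - a, c - b) in ((1, 1), (-1, -1))


def is_simple_pin(pin: str) -> bool:
    """Slide a 3-character window over the PIN; any simple window rejects it."""
    return any(_window_is_simple(pin[i:i + 3]) for i in range(len(pin) - 2))


def validate_pin(pin: str, pin_type: str = "Numeric",
                 allow_simple: bool = True, min_length: int = 4) -> list:
    """Return the list of violated requirements; an empty list means accepted."""
    problems = []
    if len(pin) < min_length:
        problems.append(f"shorter than minimum PIN length {min_length}")
    has_digit = any(ch.isdigit() for ch in pin)
    has_letter = any(ch.isalpha() for ch in pin)
    has_special = any(ch in SPECIALS for ch in pin)
    if pin_type == "Numeric":
        if not pin.isdigit():
            problems.append("numeric PIN may contain digits only")
    elif pin_type == "Passcode":
        if allow_simple and not (has_letter or has_special):
            # Table note: Passcode with Simple PIN allowed needs 1 letter or 1 special
            problems.append("passcode needs at least 1 letter or 1 special character")
        if not allow_simple and not (has_digit and has_letter and has_special):
            # Table note: Passcode with Simple PIN blocked needs number, letter and special
            problems.append("passcode needs at least 1 number, 1 letter and 1 special character")
    else:
        raise ValueError(f"unknown PIN type: {pin_type!r}")
    if not allow_simple and is_simple_pin(pin):
        problems.append("contains a simple sequence")
    return problems


if __name__ == "__main__":
    for candidate in ("1235", "1112", "1122"):
        print(candidate, validate_pin(candidate, allow_simple=False) or "accepted")
```

The window check explains the table's examples: 1122 contains neither a repeated triple nor a consecutive run in any 3-character window, whereas 1235 contains 123 and 1112 contains 111. A 4-digit numeric PIN is still a small space, which is why the Max PIN attempts conditional launch setting matters alongside these rules.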

Conditional launch
Configure conditional launch settings to set sign-in security requirements for your access protection policy.
By default, several settings are provided with pre-configured values and actions. You can delete some of these, like the Min OS version. You can also select additional settings from the Select one dropdown.

Setting | How to use

Min OS version
    Specify a minimum iOS/iPadOS operating system to use this app. Actions include:
    - Warn - The user will see a notification if the iOS/iPadOS version on the device doesn't meet the requirement. This notification can be dismissed.
    - Block access - The user will be blocked from access if the iOS/iPadOS version on the device doesn't meet this requirement.
    - Wipe data - The user account that is associated with the application is wiped from the device.
    This entry can appear multiple times, with each instance supporting a different action.
    This policy setting format supports either major.minor, major.minor.build, or major.minor.build.revision.
    Note: Requires app to have Intune SDK version 7.0.1 or above.

Max PIN attempts
    Specify the number of tries the user has to successfully enter their PIN before the configured action is taken. This policy setting format supports a positive whole number. Actions include:
    - Reset PIN - The user must reset their PIN.
    - Wipe data - The user account that is associated with the application is wiped from the device.
    Default value = 5

Offline grace period
    The number of minutes that MAM apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. Actions include:
    - Block access (minutes) - The number of minutes that MAM apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. After the configured period expires, the app blocks access to work or school data until network access is available. This policy setting format supports a positive whole number.
      Default value = 720 minutes (12 hours)
    - Wipe data (days) - After this many days (defined by the admin) of running offline, the app will require the user to connect to the network and reauthenticate. If the user successfully authenticates, they can continue to access their data and the offline interval will reset. If the user fails to authenticate, the app will perform a selective wipe of the user's account and data. See How to wipe only corporate data from Intune-managed apps for more information on what data is removed with a selective wipe. This policy setting format supports a positive whole number.
      Default value = 90 days
    This entry can appear multiple times, with each instance supporting a different action.

Jailbroken/rooted devices
    There is no value to set for this setting. Actions include:
    - Block access - Prevent this app from running on jailbroken or rooted devices. The user continues to be able to use this app for personal tasks, but must use a different device to access work or school data in this app.
    - Wipe data - The user account that is associated with the application is wiped from the device.

Disabled account
    There is no value to set for this setting. Actions include:
    - Block access - When we have confirmed the user has been disabled in Azure Active Directory, the app blocks access to work or school data.
    - Wipe data - When we have confirmed the user has been disabled in Azure Active Directory, the app will perform a selective wipe of the user's account and data.

Min app version: Specify a value for the minimum app version. Actions include:
Warn - The user sees a notification if the app version on the device doesn't meet the requirement. This notification can be dismissed.
Block access - The user is blocked from access if the app version on the device doesn't meet the requirement.
Wipe data - The user account that is associated with the application is wiped from the device.
As apps often have distinct versioning schemes between them, create a policy with one minimum app version targeting one app (for example, Outlook version policy).
This entry can appear multiple times, with each instance supporting a different action.
This policy setting format supports major.minor, major.minor.build, or major.minor.build.revision.
Note: Requires the app to have Intune SDK version 7.0.1 or above.
Additionally, you can configure where your end users can get an updated version of a line-of-business (LOB) app. End users will see this in the min app version conditional launch dialog, which prompts them to update to the minimum version of the LOB app. On iOS/iPadOS, this feature requires the app to be integrated (or wrapped using the wrapping tool) with the Intune SDK for iOS v. 10.0.7 or above. To configure where an end user should update a LOB app, the app needs a managed app configuration policy sent to it with the key com.microsoft.intune.myappstore. The value sent defines which store the end user will download the app from. If the app is deployed via the Company Portal, the value must be CompanyPortal. For any other store, you must enter a complete URL.

Min SDK version: Specify a minimum value for the Intune SDK version. Actions include:
Block access - The user is blocked from access if the app's Intune app protection policy SDK version doesn't meet the requirement.
Wipe data - The user account that is associated with the application is wiped from the device.
To learn more about the Intune app protection policy SDK, see Intune App SDK overview. As apps often have distinct Intune SDK versions between them, create a policy with one min Intune SDK version targeting one app (for example, Intune SDK version policy for Outlook).
This entry can appear multiple times, with each instance supporting a different action.

Device model(s): Specify a semi-colon separated list of model identifier(s). These values are not case sensitive. Actions include:
Allow specified (Block non-specified) - Only devices that match the specified device model can use the app. All other device models are blocked.
Allow specified (Wipe non-specified) - The user account that is associated with the application is wiped from the device.
For more information on using this setting, see Conditional Launch actions.

Max allowed device threat level: App protection policies can take advantage of the Intune-MTD connector. Specify a maximum threat level acceptable to use this app. Threats are determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device. Specify either Secured, Low, Medium, or High. Secured requires no threats on the device and is the most restrictive configurable value, while High essentially requires an active Intune-to-MTD connection. Actions include:
Block access - The user will be blocked from access if the threat level determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device doesn't meet this requirement.
Wipe data - The user account that is associated with the application is wiped from the device.
Note: Requires the app to have Intune SDK version 12.0.15 or above.
For more information on using this setting, see Enable MTD for unenrolled devices.

Selectively wipe data using app protection policy
conditional launch actions in Intune
9/4/2020 • 6 minutes to read

Using Intune app protection policies, you can configure settings to block end users from accessing a corporate app
or account. These settings target data relocation and access requirements set by your organization for things like
jail-broken devices and minimum OS versions.
You can explicitly choose to wipe your company's corporate data from the end user's device as an action to take for
non-compliance by using these settings. For some settings, you will be able to configure multiple actions, such as
block access and wipe data based on different specified values.

Create an app protection policy using conditional launch actions


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > App protection Policies .
3. Click Create policy and select the platform of the device for your policy.
4. Click Configure required settings to see the list of settings available to be configured for the policy.
5. By scrolling down in the Settings pane, you will see a section titled Conditional launch with an editable
table.

6. Select a Setting and enter the Value that users must meet to sign in to your company app.
7. Select the Action you want to take if users do not meet your requirements. In some cases, multiple actions
can be configured for a single setting. For more information, see How to create and assign app protection
policies.

Policy settings
The app protection policy settings table has columns for Setting , Value , and Action .
iOS policy settings
For iOS/iPadOS, you will be able to configure actions for the following settings using the Setting dropdown:
Max PIN attempts
Offline grace period
Jailbroken/rooted devices
Min OS version
Min app version
Min SDK version
Device model(s)
Max allowed device threat level
To use the Device model(s) setting, input a semi-colon separated list of iOS/iPadOS model identifiers. These values are not case-sensitive. Besides the Intune Reporting entry for the 'Device model(s)' input, you can find an iOS/iPadOS model identifier in this third-party GitHub repository.
Example input: iPhone5,2;iPhone5,3
On end-user devices, the Intune client takes action based on a simple string match between the device model the device reports and the model strings specified in Intune for Application Protection Policies. Matching depends entirely on what the device reports. You (the IT administrator) are encouraged to verify that the intended behavior occurs by testing this setting against a variety of device manufacturers and models, targeted to a small user group. The default value is Not configured.
Set one of the following actions:
Allow specified (Block non-specified)
Allow specified (Wipe non-specified)
What happens if the IT admin inputs a different list of iOS/iPadOS model identifier(s) between policies targeted to the same apps for the same Intune user?
When conflicts arise between two app protection policies for configured values, Intune typically takes the most restrictive approach. Thus, the resultant policy sent down to the targeted app being opened by the targeted Intune user is the intersection of the iOS/iPadOS model identifier(s) listed in Policy A and Policy B targeted to the same app/user combination. For example, if Policy A specifies "iPhone5,2;iPhone5,3" and Policy B specifies "iPhone5,3", the resultant policy for an Intune user targeted by both Policy A and Policy B is "iPhone5,3".
Android policy settings
For Android, you will be able to configure actions for the following settings using the Setting dropdown:
Max PIN attempts
Offline grace period
Jailbroken/rooted devices
Min OS version
Min app version
Min patch version
Device manufacturer(s)
SafetyNet device attestation
Require threat scan on apps
Min Company Portal version
Max allowed device threat level
By using the Min Company Portal version, you can specify a minimum version of the Company Portal that is enforced on an end user device. This conditional launch setting allows you to set Block access, Wipe data, and Warn as possible actions when each value is not met. The possible formats for this value follow the pattern [Major].[Minor], [Major].[Minor].[Build], or [Major].[Minor].[Build].[Revision]. Given that some end users may not want a forced update of apps on the spot, the 'warn' option may be ideal when configuring this setting. The Google Play Store does a good job of only sending the delta bytes for app updates, but this can still be a large amount of data that the user may not want to consume if they are on a metered connection at the time of the update. Forcing an update, and thereby downloading an updated app, could result in unexpected data charges at the time of the update. The Min Company Portal version setting, if configured, affects any end user who gets version 5.0.4560.0 of the Company Portal or any future version of the Company Portal. This setting has no effect on users running a version of Company Portal older than the version this feature was released with. End users who use app auto-updates on their device will likely not see any dialogs from this feature, given that they will likely be on the latest Company Portal version. This setting is Android only, with app protection for enrolled and unenrolled devices.
To use the Device manufacturer(s) setting, input a semi-colon separated list of Android manufacturers. These values are not case-sensitive. Besides Intune Reporting, you can find the Android manufacturer of a device under the device settings.
Example input: Manufacturer A;Manufacturer B

NOTE
These are some common manufacturers reported from devices using Intune, and can be used as input:
Asus;Blackberry;Bq;Gionee;Google;Hmd global;Htc;Huawei;Infinix;Kyocera;Lemobile;Lenovo;Lge;Motorola;Oneplus;Oppo;Samsung;Sharp;Sony;Tecno;Vivo;Vodafone;Xiaomi;Zte;Zuk

On end-user devices, the Intune client takes action based on a simple string match between the manufacturer the device reports and the manufacturer strings specified in Intune for Application Protection Policies. Matching depends entirely on what the device reports. You (the IT administrator) are encouraged to verify that the intended behavior occurs by testing this setting against a variety of device manufacturers and models, targeted to a small user group. The default value is Not configured.
Set one of the following actions:
Allow specified (Block on non-specified)
Allow specified (Wipe on non-specified)
What happens if the IT admin inputs a different list of Android manufacturer(s) between policies targeted to the same apps for the same Intune user?
When conflicts arise between two app protection policies for configured values, Intune typically takes the most restrictive approach. Thus, the resultant policy sent down to the targeted app being opened by the targeted Intune user is the intersection of the Android manufacturers listed in Policy A and Policy B targeted to the same app/user combination. For example, if Policy A specifies "Google;Samsung" and Policy B specifies "Google", the resultant policy for an Intune user targeted by both Policy A and Policy B is "Google".
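The Device model(s) and Device manufacturer(s) inputs described above share the same rules: a semi-colon separated list, case-insensitive matching against whatever string the device reports, and an intersection of the lists when two policies target the same app and user. The following Python is an added example that mirrors those rules; it is not Intune's client code, and stripping whitespace around entries and ignoring policies that leave the setting Not configured are assumptions made here.

```python
from __future__ import annotations

from typing import Iterable, Optional

# The two actions offered for these settings, mapped to what happens to a
# device whose reported string is not in the resulting allow list.
ACTIONS = {
    "Allow specified (Block non-specified)": "Block access",
    "Allow specified (Wipe non-specified)": "Wipe data",
}


def parse_list(text: str) -> set[str]:
    """Turn 'iPhone5,2;iPhone5,3' or 'Google;Samsung' into a case-folded set.

    Semicolon separation and case-insensitivity are documented; stripping
    whitespace and dropping empty entries are assumptions for this example."""
    return {item.strip().casefold() for item in text.split(";") if item.strip()}


def effective_allow_list(policy_inputs: Iterable[Optional[str]]) -> Optional[set[str]]:
    """Resolve the lists of every policy that targets the same app and user.

    The article says Intune takes the most restrictive result, which is the
    intersection of the lists. Policies with the setting Not configured
    (None or '') are skipped (assumption); None is returned when no policy
    configures the setting at all. Two disjoint lists intersect to the
    empty set, so every device would then receive the non-specified action.
    """
    configured = [parse_list(text) for text in policy_inputs if text]
    if not configured:
        return None
    allowed = set(configured[0])
    for other in configured[1:]:
        allowed &= other
    return allowed


def conditional_launch_result(policy_inputs: Iterable[Optional[str]],
                              reported: str, action: str) -> str:
    """Outcome for a device reporting `reported` as its model or manufacturer.

    `action` is one of the ACTIONS keys chosen in the Conditional launch table."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    allowed = effective_allow_list(policy_inputs)
    if allowed is None or reported.strip().casefold() in allowed:
        return "Allow"
    return ACTIONS[action]


if __name__ == "__main__":
    # The article's own example: Policy A and Policy B resolve to iPhone5,3.
    print(effective_allow_list(["iPhone5,2;iPhone5,3", "iPhone5,3"]))
```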
Additional settings and actions
By default, the table will have populated rows as settings configured for Offline grace period , and Max PIN
attempts , if the Require PIN for access setting is set to Yes .
To configure a setting, select a setting from the dropdown under the Setting column. Once a setting is selected,
the editable text box will become enabled under the Value column in the same row, if a value is required to be set.
Also, the dropdown will become enabled under the Action column with the set of conditional launch actions
applicable to the setting.
The following list provides the common list of actions:
Block access – Block the end user from accessing the corporate app.
Wipe data – Wipe the corporate data from the end user's device.
Warn – Provide dialog to end user as a warning message.
In some cases, such as the Min OS version setting, you can configure the setting to perform all applicable actions
based on different version numbers.
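The version-based settings (Min OS version, Min app version, Min Company Portal version) accept the major.minor, major.minor.build or major.minor.build.revision formats and can carry several rows, each with its own action. The following Python is an added example of how such rows could be evaluated against a device's reported version; it is not Intune's code, and two things are assumptions: a missing component counts as 0 (so 4.2 equals 4.2.0.0), and when several rows fail the most severe action (Wipe data over Block access over Warn) is the one returned.

```python
from __future__ import annotations

from typing import Iterable, Optional

# Severity ranking used to pick one action when several rows are not met.
# The article only says multiple actions can be configured per setting;
# this ordering is an assumption made for the example.
SEVERITY = {"Warn": 1, "Block access": 2, "Wipe data": 3}


def is_valid_version(text: str) -> bool:
    """True for the documented formats: major.minor, major.minor.build or
    major.minor.build.revision, with every component a non-negative integer."""
    parts = text.strip().split(".")
    return 2 <= len(parts) <= 4 and all(p.isdigit() for p in parts)


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a version into a 4-tuple so that '4.2' and '4.2.0.0' compare
    equal; missing components are treated as 0 (assumption)."""
    if not is_valid_version(text):
        raise ValueError(f"unsupported version format: {text!r}")
    nums = [int(p) for p in text.strip().split(".")]
    return tuple(nums + [0] * (4 - len(nums)))


def evaluate_min_version(rows: Iterable[tuple[str, str]],
                         reported: str) -> Optional[tuple[str, str]]:
    """Check a device's reported version against the configured rows.

    rows: (action, minimum version) pairs as entered in the Conditional
    launch table, e.g. [("Warn", "4.2"), ("Block access", "4.0.1")].
    Returns (action, threshold) of the most severe row that is not met,
    or None when the reported version satisfies every row."""
    device = parse_version(reported)
    failed = [(action, minimum) for action, minimum in rows
              if device < parse_version(minimum)]
    if not failed:
        return None
    return max(failed, key=lambda row: SEVERITY[row[0]])


if __name__ == "__main__":
    # Constructed rows: warn below 4.2, block below 4.0.1, wipe below 3.5.
    rows = [("Warn", "4.2"), ("Block access", "4.0.1"), ("Wipe data", "3.5.0.0")]
    for reported in ("4.3.1", "4.1", "4.0.0.9", "3.4.99"):
        print(reported, "->", evaluate_min_version(rows, reported))
```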

Once a setting is fully configured, the row will appear in a read-only view and be available to be edited at any time.
In addition, the row will appear to have a dropdown available for selection in the Setting column. Settings that
have already been configured and do not allow multiple actions will not be available for selection in the dropdown.

Next steps
Learn more information on Intune app protection policies, see:
How to create and assign app protection policies
iOS/iPadOS app protection policy settings
Android app protection policy settings in Microsoft Intune
How to create exceptions to the Intune App
Protection Policy (APP) data transfer policy
9/4/2020 • 3 minutes to read

As an administrator, you can create exceptions to the Intune App Protection Policy (APP) data transfer policy. An
exception allows you to specifically choose which unmanaged apps can transfer data to and from managed apps.
Your IT organization must trust the unmanaged apps that you include in the exception list.

WARNING
You are responsible for making changes to the data transfer exception policy. Additions to this policy allow unmanaged apps
(apps that are not managed by Intune) to access data protected by managed apps. This access to protected data may result
in data security leaks. Only add data transfer exceptions for apps that your organization must use, but that do not support
Intune APP (Application Protection Policies). Additionally, only add exceptions for apps that you do not consider to be data
leak risks.

Within an Intune Application Protection Policy, setting Allow app to transfer data to other apps to Policy
managed apps means that the app can transfer data only to apps managed by Intune. If you need to allow data to
be transferred to specific apps that don't support Intune APP, you can create exceptions to this policy by using
Select apps to exempt . Exemptions allow applications managed by Intune to invoke unmanaged applications
based on URL protocol (iOS/iPadOS) or package name (Android). By default, Intune adds vital native applications to
this list of exceptions.

NOTE
Modifying or adding to the data transfer policy exceptions doesn't impact other App Protection Policies, such as cut, copy,
and paste restrictions.

iOS data transfer exceptions


For a policy targeting iOS/iPadOS, you can configure data transfer exceptions by URL protocol. To add an exception,
check the documentation provided by the developer of the app to find information about supported URL protocols.
For more information about iOS/iPadOS data transfer exceptions, see iOS/iPadOS app protection policy settings -
Data transfer exemptions.

NOTE
Microsoft does not have a method to manually find the URL protocol for creating app exceptions for third-party applications.

Android data transfer exceptions


For a policy targeting Android, you can configure data transfer exceptions by app package name. You can check the
Google Play store page for the app you would like to add an exception for to find the app package name. For
more information about Android data transfer exceptions, see Android app protection policy settings - Data
transfer exemptions.
TIP
You can find the package ID of an app by browsing to the app on the Google Play store. The package ID is contained in the
URL of the app's page. For example, the package ID of the Microsoft Word app is com.microsoft.office.word .

Example
By adding the Webex package as an exception to the MAM data transfer policy, Webex links inside a managed
Outlook email message are allowed to open directly in the Webex application. Data transfer is still restricted in
other unmanaged apps.
iOS/iPadOS Webex example: To exempt the Webex app so that it's allowed to be invoked by Intune managed apps, you must add a data transfer exception for the following string: wbx
iOS/iPadOS Maps example: To exempt the native Maps app so that it's allowed to be invoked by Intune managed apps, you must add a data transfer exception for the following string: maps
Android Webex example: To exempt the Webex app so that it's allowed to be invoked by Intune managed apps, you must add a data transfer exception for the following string: com.cisco.webex.meetings
Android SMS example: To exempt the native SMS app so that it's allowed to be invoked by Intune managed apps across different messaging apps and Android devices, you must add data transfer exceptions for the following strings:
com.google.android.apps.messaging
com.android.mms
com.samsung.android.messaging

Next steps
Create and deploy app protection policies
iOS/iPadOS app protection policy settings - Data transfer exemptions
Android app protection policy settings - Data transfer exemptions
How to validate your app protection policy setup in
Microsoft Intune
9/4/2020 • 2 minutes to read

Validate that your app protection policy is correctly set up and working. This guidance applies to app protection
policies in the Azure portal.

Checking for symptoms


Users are unlikely to report issues since app protection is a data protection tool. If there's a problem with the app
protection configuration, the user will have unrestricted access, as they would have without app protection, and
they wouldn't know there's an issue. For this reason, we recommend you validate your app protection
configuration by piloting your app protection policies with a small group of users who can deliberately test the app
protection restrictions.

What to check
If testing shows that your app protection policy behavior isn't functioning as expected, check these items:
Are the users licensed for app protection?
Are the users licensed for Microsoft 365?
Is the status of each of the users' app protection apps as expected? The possible statuses for the apps are
Checked in and Not checked in.
User app protection status
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > Monitor > App protection status , and then select the Assigned users tile.
3. On the App reporting page, select Select user to bring up a list of users and groups.
4. Search for and select a user from the list, then choose Select user. At the top of the App reporting pane, you
can see whether the user is licensed for app protection. You can also see whether the user has a license for
Microsoft 365 and the app status for all of the user's devices.

What to do
Here are the actions to take based on the user status:
If the user isn't licensed for app protection, assign an Intune license to the user.
If the user isn't licensed for Microsoft 365, get a license for the user.
If a user's app is listed as Not checked in , check if you've correctly configured an app protection policy for that
app.
Ensure that these conditions apply across all users to which you want app protection policies to apply.

See also
What is Intune app protection policy?
Licenses that include Intune
Assign licenses to users so they can enroll devices in Intune
How to validate your app protection policy setup
How to monitor app protection policies
Understand App Protection Policy delivery timing
9/4/2020 • 2 minutes to read

Learn the different deployment windows for app protection policies to understand when changes should appear
on your end-user devices.

Delivery timing summary


Application protection policy delivery depends on the license state and Intune service registration for your users.

For each user state, the table below gives the behavior, the app protection retry interval (see note), and why the state occurs.

Tenant Not Onboarded
Behavior: Wait for next retry interval. App Protection is not active for the user.
Retry interval: 24 hours.
Why does this happen: Occurs when you have not set up your tenant for Intune.

User Not Licensed
Behavior: Wait for next retry interval. App Protection is not active for the user.
Retry interval: 12 hours. However, on Android devices this interval requires Intune APP SDK version 5.6.0 or later; otherwise, for Android devices the interval is 24 hours.
Why does this happen: Occurs when you have not licensed the user for Intune.

User Not Assigned App Protection Policies
Behavior: Wait for next retry interval. App Protection is not active for the user.
Retry interval: 12 hours.
Why does this happen: Occurs when you have not assigned APP settings to the user.

User Assigned App Protection Policies but app is not defined in the App Protection Policies
Behavior: Wait for next retry interval. App Protection is not active for the user.
Retry interval: 12 hours.
Why does this happen: Occurs when you have not added the app to APP.

User Successfully Registered for Intune MAM
Behavior: App Protection is applied per policy settings. Updates occur based on retry interval configuration.
Retry interval: Intune Service defined based on user load. Typically 30 mins.
Why does this happen: Occurs when the user has successfully registered with the Intune service for MAM.

NOTE
Retry intervals may require active app use to occur, meaning the app is launched and in use. If the retry interval is 24 hours
and the user waits 48 hours to launch the app, the Application Protection client will retry at 48 hours.

Handling network connectivity issues


When user registration fails due to network connectivity issues, an accelerated retry interval is used. The
Application Protection client retries at increasingly longer intervals until the interval reaches 60 minutes or a
successful connection is made. The client then continues to retry at 60-minute intervals until a successful
connection is made, after which it returns to the standard retry interval for the user's state.
Next steps
Assign licenses to users so they can enroll devices in Intune
Protecting application extensions
9/4/2020 • 3 minutes to read

This article describes app protection policies for extensions in Microsoft Intune.

Add-ins for Outlook app


Outlook add-ins let you integrate popular apps with the email client. Add-ins for Outlook are available on the web,
Windows, Mac, and Outlook for Android and iOS/iPadOS. The Intune APP SDK and Intune app protection policies
do not include support for managing add-ins for Outlook, but there are other ways to limit their use. Since add-ins
are managed via Microsoft Exchange, users will be able to share data and messages across Outlook and
unmanaged add-in applications unless add-ins are turned off for the user by their Exchange.
If you want to stop your end users from accessing and installing Outlook add-ins (this affects all Outlook clients),
make sure you have the following changes to roles in the Exchange admin center:
To prevent users from installing Office Store add-ins, remove the My Marketplace role from them.
To prevent users from side loading add-ins, remove the My Custom Apps role from them.
To prevent users from installing all add-ins, remove both, My Custom Apps and My Marketplace roles from
them.
These instructions apply to Microsoft 365, Exchange 2016, Exchange 2013 across Outlook on the web, Windows,
Mac, and mobile.
Learn more about add-ins for Outlook.
Learn more about how to specify the administrators and users who can install and manage add-ins for Outlook
app.

LinkedIn account connections for Microsoft apps


LinkedIn account connections allow users to see public LinkedIn profile information within certain Microsoft apps.
By default, your users can choose to connect their LinkedIn and Microsoft work or school accounts to see additional
LinkedIn profile information.

NOTE
LinkedIn integration is currently unavailable for United States Government customers and for organizations with Exchange
Online mailboxes hosted in Australia, Canada, China, France, Germany, India, South Korea, United Kingdom, Japan, and South
Africa.

The Intune SDK and Intune app protection policies don't include support for managing LinkedIn account
connections, but there are other ways to manage them. You can disable LinkedIn account connections for your
entire organization, or you can enable LinkedIn account connections for selected user groups in your organization.
These settings affect LinkedIn connections across Microsoft 365 apps on all platforms (web, mobile, and desktop).
You can:
Enable or disable LinkedIn account connections for your tenant in the Azure portal.
Enable or disable LinkedIn account connections for your organization's Office 2016 apps using Group Policy.
If LinkedIn integration is enabled for your tenant, when users in your organization connect their LinkedIn and
Microsoft work or school accounts, they have two options:
They can give permission to share data between both accounts. This means that they give permission for their
LinkedIn account to share data with their Microsoft work or school account, as well as their Microsoft work or
school account to share data with their LinkedIn account. Data that is shared with LinkedIn leaves the online
services.
They can give permission to share data only from their LinkedIn account to their Microsoft work and school
account
If a user consents to sharing data between accounts, as with Office add-ins, LinkedIn integration uses existing
Microsoft Graph APIs. LinkedIn integration uses only a subset of the APIs available to Office add-ins and supports
various exclusions.

Microsoft Graph permissions used by LinkedIn integration, with their descriptions:
Read permissions for People - Allows the app to read a scored list of people relevant to the signed-in user. The list can include local contacts, contacts from social networking or your organization's directory, and people from recent communications (such as email and Skype).
Read permissions for Calendars - Allows the app to read events in user calendars. Includes the meetings in signed-in user calendars, their times, locations, and attendees.
Read permissions for User Profile - Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information for signed-in users.
Subscriptions - This scope isn't available and not yet in use. It includes subscriptions provided by the user's organization to Microsoft apps and services, such as Microsoft 365.
Insights - This scope isn't available and not yet in use. It includes the interests associated with the signed-in user's account based on their use of Microsoft services.

Learn more
Learn about LinkedIn information and features in your Microsoft apps.
Learn about LinkedIn account connections release on the Microsoft 365 Roadmap page.
Learn about Configuring LinkedIn account connections.
For more information about data that is shared between users' LinkedIn and Microsoft work or school accounts,
see LinkedIn in Microsoft applications at your work or school.
How to monitor app protection policies
9/4/2020 • 9 minutes to read

You can monitor the status of the app protection policies that you've applied to users from the Intune app
protection pane in Intune. Additionally, you can find information about the users affected by app protection
policies, policy compliance status, and any issues that your users might be experiencing.
There are three different places to monitor app protection policies:
Summary view
Detailed view
Reporting view
The retention period for app protection data is 90 days. Any app instance that has checked in to the Intune
service within the past 90 days is included in the app protection status report. An app instance is a unique user +
app + device combination.

NOTE
For more information, see How to create and assign app protection policies.

Summary view
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > Monitor > App protection status .
The following list provides details about app protection status:
Assigned users : The total number of assigned users in your company who are using an app that is
associated with a policy in a work context and are protected and licensed, as well as the assigned users that
are unprotected and unlicensed.
Flagged users : The number of users who are experiencing issues with their devices. Jailbroken
(iOS/iPadOS) and rooted (Android) devices are reported under Flagged users . Also, users with devices
that are flagged by the Google SafetyNet device attestation check (if turned on by the IT admin) are
reported here.
Users with potentially harmful apps : The number of users who may have a harmful app on their
Android device detected by Google Play Protect.
User status for iOS and User status for Android : The number of users who have used an app who
have a policy assigned to them in a work context for the related platform. This information shows the
number of users managed by the policy, as well as the number of users who are using an app that is not
targeted by any policy in a work context. You might consider adding these users to the policy.
Top Protected iOS/iPadOS Apps and Top Protected Android Apps : Based on the most used
iOS/iPadOS and Android apps, this information shows the number of protected and unprotected apps by
platform.
Top Configured iOS/iPadOS Apps Without Enrollment and Top Configured Android Apps
Without Enrollment : Based on the most used iOS/iPadOS and Android apps for unenrolled devices, this
information shows the number of configured apps by platform (as in, using an app configuration policy).
NOTE
If you have multiple policies per platform, a user is considered managed by policy when they have at least one policy
assigned to them.

Detailed view
You can get to the detailed view of the summary by choosing the Flagged users tile, and the Users with
potentially harmful apps tile.
Flagged users
The detailed view shows the error message, the app that was accessed when the error happened, the device OS
platform affected, and a time stamp. The error is typically for jailbroken (iOS/iPadOS) or rooted (Android) devices.
Also, users with devices that are flagged by the 'SafetyNet device attestation' conditional launch check are
reported here with the reason as reported by Google. For a user to be removed from the report, the status of the
device itself needs to have changed, which happens after the next root detection check (or jailbreak
check/SafetyNet check happens) that needs to report a positive result. If the device is truly remediated, the refresh
on the Flagged Users report will happen when the pane reloads.
Users with potentially harmful apps
Users with devices that are flagged by the Require threat scan on apps conditional launch check are reported
here, with the threat category as reported by Google. If there are apps listed in this report that are being deployed
through Intune, contact the app developer for the app, or remove the app from being assigned to your users. The
detailed view shows:
User : The name of the user.
App package ID : This is the way the Android OS uniquely determines an app.
If the app is MAM-enabled : Whether or not the app is being deployed through Microsoft Intune.
The threat category : What Google-determined threat category this app falls into.
Email : The email of the user.
Device Name : Names of any devices that are associated with the user's account.
A time stamp : This is the date of the last sync that Google did with Microsoft Intune regarding potentially
harmful apps.

Reporting view
You can find the same reports at the top of the App protection status pane. To view these reports, select Apps
> App protection status > Reports . The Reports pane provides several reports based on user and app,
including the following:
User report
You can search for a single user and check the compliance status for that user. The App reporting pane shows
the following information for a selected user:
Icon : Displays whether the app status is up-to-date.
App Name : The name of the app.
Device Name : Devices that are associated with the user's account.
Device Type : The type of device or operating system the device is running.
Policies : The policies associated with the app.
Status :
Checked in : The policy was deployed to the user, and the app was used in the work context at least
once.
Not checked in : The policy was deployed to the user, but the app hasn't been used in the work context
since then.
Last Sync : When the app was last synced with Intune.

NOTE
The Last Sync column represents the same value in both the in-console User status report and the App Protection Policy
exportable .csv report. The difference is a small delay in synchronization between the value in the two reports.
The time referenced in Last Sync is when Intune last saw the app instance. When a user launches an app, it might notify the
Intune App Protection service at that launch time, depending on when it last checked in. See the retry interval times for
App Protection Policy check-in. If a user hasn't used that particular app in the last check-in interval (which is usually 30
minutes for active usage), and they launch the app, then:
The App Protection Policy exportable .csv report has the newest time, within 1 minute (minimum) to 30 minutes
(maximum).
The User status report has the newest time instantly.
For example, consider a targeted and licensed user who launches a protected app at 12:00 PM:
If this is a sign in for the first time, that means the user was signed out before, and doesn't have an app instance
registration with Intune. After the user signs in, the user gets a new app instance registration, and can be checked-in
immediately (with the same time delays listed previously for future check-ins). Thus, the Last Sync time is 12:00 PM in
the User status report, and 12:01 PM (or 12:30 PM at latest) in the App Protection Policy report.
If the user is just launching the app, the Last Sync time reported depends on when the user last checked in.

To see the reporting for a user, follow these steps:


1. To select a user, choose the User status summary tile.

2. On the App repor ting pane, choose Select user to search for an Azure Active Directory user.
3. Select the user from the list. You can see the details of the compliance status for that user.

NOTE
If the users you searched for do not have the MAM policy deployed to them, you see a message informing you that the
user is not targeted by any MAM policies.

App report
You can search by platform and app, and then this report will provide two different app protection statuses that
you can select before generating the report. The statuses can be Protected or Unprotected .
User status for managed MAM activity (Protected ): This report outlines the activity of each managed MAM
app, on a per-user basis. It shows all apps targeted by MAM policies for each user, and the status of each
app as checked in with MAM policies. The report also includes the status of each app that was targeted with
a MAM policy, but was never checked in.
User status for unmanaged MAM activity (Unprotected ): This report outlines the activity of MAM-enabled
apps that are currently unmanaged, on a per-user basis. This might happen because:
The app is being used by a user who isn't currently targeted by a MAM policy, or the app itself isn't targeted by one.
The apps are checked in, but aren't receiving any MAM policies.

User configuration report


Based on a selected user, this report provides details about any app configurations the user has received.
App configuration report
Based on the selected platform and app, this report provides details about which users have received
configurations for the selected app.
App learning report for Windows Information Protection
This report shows which apps are attempting to cross policy boundaries.
Website learning for Windows Information Protection
This report shows which websites are attempting to cross policy boundaries.

Export app protection activities


You can export all your app protection policy activities to a single .csv file. This can be helpful to analyze all the app
protection statuses reported from the users. The App Protection .csv file shows :
User : The name of the user.
Email : The email of the user.
App : The name of the app.
App version : The version of the app.
Device Name : Names of any devices that are associated with the user's account.
Device Manufacturer : This lists the manufacturer of the device (Android only).
Device Model : The model of the device.
Android Patch Version : The date of the last Android Security Patch.
AAD Device ID : This column gets populated if the device is AAD-joined.
MDM Device ID : This column gets populated if the device is enrolled in Microsoft Intune MDM.
Platform : The operating system.
Platform version : The operating system version.
Management Type : Type of management on device. For example, Android Enterprise, unmanaged, or MDM.
App Protection Status : Unprotected or protected.
Policy : The app protection policies associated with the app.
Last Sync : When the app was last synced with Microsoft Intune.
Compliance State : Whether the app on the user's device is compliant with any app-based Conditional Access
policies.
Follow these steps to generate App Protection .csv file or App Configuration .csv file:
1. On the Intune mobile application management pane, choose App protection report .

2. Choose Yes to save your report, and then choose Save As . Select the folder you want to save the report in.
NOTE
Intune provides additional device reporting fields, including App Registration ID, Android manufacturer, model, and security
patch version, as well as iOS/iPadOS model. In Intune, you access these fields by selecting Apps > App protection status
> App Protection Repor t: iOS/iPadOS, Android . In addition, these parameters help you configure the Allow list for
the device manufacturer (Android), the Allow list for the device model (Android and iOS/iPadOS), and the minimum
Android security patch version setting.
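The export is only useful once someone reads it, and at tenant scale nobody reads 20,000 rows by hand. The following is an added example, not part of the Intune documentation or product, that parses rows with the column names listed above and flags the conditions an admin most often acts on: MAM-enabled apps that checked in Unprotected, app instances that have not synced for a month, instances marked non-compliant by app-based Conditional Access, and Android devices whose security patch is older than a baseline. The sample rows, the ISO 8601 Last Sync format and the YYYY-MM-DD patch-date format are constructed assumptions; adjust the two parsers if your export differs.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export using the column names listed above. It is not a
# real tenant export; the ISO 8601 "Last Sync" and YYYY-MM-DD patch-date
# formats are assumptions, so adjust the parsers if your export differs.
SAMPLE_EXPORT = """\
User,Email,App,App version,Device Name,Device Manufacturer,Device Model,Android Patch Version,AAD Device ID,MDM Device ID,Platform,Platform version,Management Type,App Protection Status,Policy,Last Sync,Compliance State
Janelle Craig,janellecraig@contoso.com,Microsoft Outlook,4.2045.0,Janelle-iPhone,,iPhone12_1,,,,iOS,14.1,Unmanaged,Protected,iOS MAM baseline,2020-09-04T11:58:00Z,Compliant
Janelle Craig,janellecraig@contoso.com,Microsoft Teams,1416.1.0.0,Janelle-Pixel,Google,Pixel 4,2020-08-05,,,Android,11,Android Enterprise,Protected,Android MAM baseline,2020-07-20T09:15:00Z,Compliant
Sam Rivera,samrivera@contoso.com,Microsoft Word,2.41,Sam-Galaxy,Samsung,SM-G973F,2020-02-01,,,Android,10,Unmanaged,Unprotected,,2020-09-03T17:40:00Z,Not compliant
Sam Rivera,samrivera@contoso.com,Microsoft Edge,45.8.4,Sam-iPad,,iPad8_1,,1f2a0c5e-9b1d-4c1e-8d2a-0a1b2c3d4e5f,,iOS,13.7,MDM,Protected,iOS MAM baseline,2020-09-04T08:02:00Z,Compliant
"""

# The point in time the report is assessed against (constructed to match the sample).
AS_OF = datetime(2020, 9, 5, tzinfo=timezone.utc)


def parse_export(text):
    """Read the .csv export into one dict per (user, app, device) row."""
    return list(csv.DictReader(io.StringIO(text)))


def _parse_last_sync(value):
    # fromisoformat() does not accept a trailing "Z" on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(rows, now, stale_after=timedelta(days=30), min_patch="2020-06-01"):
    """Flag rows an admin should act on. Each key identifies an (email, app, device)."""
    findings = {"unprotected": [], "stale": [], "noncompliant": [], "old_patch": []}
    for row in rows:
        key = (row["Email"], row["App"], row["Device Name"])
        # MAM-enabled app checked in without any policy: the org data in it is unmanaged.
        if row["App Protection Status"] != "Protected":
            findings["unprotected"].append(key)
        # An instance not seen for a month may be a lost device or a removed account.
        if now - _parse_last_sync(row["Last Sync"]) > stale_after:
            findings["stale"].append(key)
        # App-based Conditional Access has marked this app instance non-compliant.
        if row["Compliance State"] != "Compliant":
            findings["noncompliant"].append(key)
        # ISO dates compare correctly as strings, so no parsing is needed here.
        patch = row["Android Patch Version"]
        if row["Platform"] == "Android" and patch and patch < min_patch:
            findings["old_patch"].append(key)
    return findings


def users_with_unprotected_apps(findings):
    """Distinct users who have at least one unprotected MAM-enabled app."""
    return sorted({email for email, _app, _device in findings["unprotected"]})


def run_sample():
    return triage(parse_export(SAMPLE_EXPORT), AS_OF)


if __name__ == "__main__":
    for category, keys in run_sample().items():
        print(category, keys)
```

The "old_patch" bucket is the same data the NOTE below says feeds the minimum Android security patch version conditional-launch setting, so a non-empty bucket is a hint that the setting is too lax or that the affected devices need attention before it is tightened.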

See also
Manage data transfer between iOS/iPadOS apps
What to expect when your Android app is managed by app protection policies
What to expect when your iOS/iPadOS app is managed by app protection policies
Get ready for Windows Information Protection in Windows 10
9/4/2020 • 2 minutes to read

Enable mobile application management (MAM) for Windows 10 by setting the MAM provider in Azure AD. Setting
a MAM provider in Azure AD allows you to define the enrollment state when creating a new Windows Information
Protection (WIP) policy with Intune. The enrollment state can be either MAM or mobile device management (MDM).

To configure the MAM provider


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select All services and choose M365 Azure Active Directory to switch dashboards.
3. Select Azure Active Directory .
4. Choose Mobility (MDM and MAM) in the Manage group.
5. Click Microsoft Intune .
6. Configure the settings in the Restore default MAM URLs group on the Configure pane.
MAM user scope
Use MAM auto-enrollment to manage enterprise data on your employees' Windows devices. MAM auto-
enrollment will be configured for bring your own device scenarios.
None
Select if no users can be enrolled in MAM.
Some
Select Azure AD groups that contain users who will be enrolled in MAM.
All
Select if all users can be enrolled in MAM.
MAM terms of use URL
The MAM terms of use URL is not supported for Microsoft Intune. This input box must be left blank for
protection policies to apply.
MAM discover y URL
The URL of the enrollment endpoint of the MAM service. The enrollment endpoint is used to enroll devices
for management with the MAM service.
MAM compliance URL
The MAM compliance URL is not supported for Microsoft Intune. This input box must be left blank for
protection policies to apply.
7. Click Save .

Next steps
Create a WIP policy
Create and deploy Windows Information Protection (WIP) policy with Intune
9/4/2020 • 7 minutes to read

You can use Windows Information Protection (WIP) policies with Windows 10 apps to protect apps without device
enrollment.

Before you begin


You must understand a few concepts when adding a WIP policy:
List of allowed and exempt apps
Protected apps: These apps are the apps that need to adhere to this policy.
Exempt apps: These apps are exempt from this policy and can access corporate data without restrictions.
Types of apps
Recommended apps: A pre-populated list of (mostly Microsoft Office) apps that you can easily import into the
policy.
Store apps: You can add any app from the Windows store to the policy.
Windows desktop apps: You can add any traditional Windows desktop apps to the policy (for example, .exe,
.dll)

Prerequisites
You must configure the MAM provider before you can create a WIP policy. Learn more about how to configure
your MAM provider with Intune.

IMPORTANT
WIP does not support multi-identity, only one managed identity can exist at a time. For more information about the
capabilities and limitations of WIP, see Protect your enterprise data using Windows Information Protection (WIP).

Additionally, you need to have the following license and update:


Azure AD Premium license
Windows Creators Update

To add a WIP policy


After you set up Intune in your organization, you can create a WIP-specific policy.

TIP
For related information about creating WIP policies for Intune, including available settings and how to configure them, see
Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune in the
Windows Security documentation library.

1. Sign in to the Microsoft Endpoint Manager admin center.


2. Select Apps > App protection policies > Create policy .
3. Add the following values:
Name: Type a name (required) for your new policy.
Description: (Optional) Type a description.
Platform: Choose Windows 10 as the supported platform for your WIP policy.
Enrollment state: Choose Without enrollment as the enrollment state for your policy.
4. Choose Create . The policy is created and appears in the table on the App protection policies pane.

To add recommended apps to your protected apps list


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > App protection policies .
3. On the App protection policies pane, choose the policy you want to modify. The Intune App Protection
pane is displayed.
4. Choose Protected apps from the Intune App Protection pane. The Protected apps pane opens showing
you all apps that are already included in the list for this app protection policy.
5. Select Add apps . The Add apps pane shows you a filtered list of apps. The list at the top of the pane
allows you to change the list filter.
6. Select each app that you want to allow to access your corporate data.
7. Click OK . The Protected apps pane is updated showing all selected apps.
8. Click Save .

Add a Store app to your protected apps list


To add a Store app
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > App protection policies .
3. On the App protection policies pane, choose the policy you want to modify. The Intune App Protection
pane is displayed.
4. Choose Protected apps from the Intune App Protection pane. The Protected apps pane opens showing
you all apps that are already included in the list for this app protection policy.
5. Select Add apps . The Add apps pane shows you a filtered list of apps. The list at the top of the pane
allows you to change the list filter.
6. From the list, select Store apps .
7. Enter values for Name , Publisher , Product Name , and Action . Be sure to set the Action value to Allow , so
that the app will have access to your corporate data.
8. Click OK . The Protected apps pane is updated showing all selected apps.
9. Click Save .

Add a desktop app to your protected apps list


To add a desktop app
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > App protection policies .
3. On the App protection policies pane, choose the policy you want to modify. The Intune App Protection
pane is displayed.
4. Choose Protected apps from the Intune App Protection pane. The Protected apps pane opens showing
you all apps that are already included in the list for this app protection policy.
5. Select Add apps . The Add apps pane shows you a filtered list of apps. The list at the top of the pane
allows you to change the list filter.
6. From the list, select Desktop apps .
7. Enter values for Name , Publisher , Product Name , File , Min Version , Max Version , and Action . Be sure to
set the Action value to Allow , so that the app will have access to your corporate data.
8. Click OK . The Protected apps pane is updated showing all selected apps.
9. Click Save .

WIP Learning
After you add the apps you want to protect with WIP, you need to apply a protection mode by using WIP
Learning .
Before you begin
WIP Learning is a report that allows you to monitor your WIP-enabled apps and WIP-unknown apps. The
unknown apps are the ones not deployed by your organization's IT department. You can export these apps from
the report and add them to your WIP policies to avoid productivity disruption before you enforce WIP in "Block"
mode.
In addition to viewing information about WIP-enabled apps, you can view a summary of the devices that have
shared work data with websites. With this information, you can determine which websites should be added to
group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps.
When working with WIP-enabled apps and WIP-unknown apps, we recommend that you start with Silent or
Allow Overrides while verifying with a small group that you have the right apps on your protected apps list.
After you're done, you can change to your final enforcement policy, Block .
What are the protection modes?
Block
WIP looks for inappropriate data sharing practices and stops the user from completing the action. Blocked actions
can include sharing info across non-corporate-protected apps, and sharing corporate data between other people
and devices outside of your organization.
Allow Overrides
WIP looks for inappropriate data sharing, warning users when they do something deemed potentially unsafe.
However, this mode lets the user override the policy and share the data, logging the action to your audit log.
Silent
WIP runs silently, logging inappropriate data sharing, without blocking anything that would have been prompted
for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to
access a network resource or WIP-protected data, are still stopped.
Off (not recommended)
WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Note that
previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on.
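The desktop-app rules above (Publisher, Product Name, File, Min/Max Version, Action) and the four protection modes together decide what happens to a given binary's data flows. The following is an added example, not code from Intune or the WIP documentation, that models both: a rule matcher in the style of the Desktop apps form, and a decision function that follows the mode descriptions above, including the detail that Silent mode still stops an unallowed app from touching WIP-protected data. The publisher strings, the Contoso backup agent, the binaries and the version ranges are constructed; the "Deny" action and the "read_work"/"share_out" event names are this example's own vocabulary.

```python
from dataclasses import dataclass


def _version(text):
    """'16.0.13029' -> (16, 0, 13029); tuples compare the way Min/Max Version ranges do."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class DesktopAppRule:
    """One row of the Desktop apps form: Name, Publisher, Product Name, File, Min/Max Version, Action."""
    name: str
    publisher: str
    product_name: str
    file: str = "*"
    min_version: str = "0.0.0.0"
    max_version: str = "65535.65535.65535.65535"
    action: str = "Allow"

    def matches(self, binary):
        """binary: dict with the signature fields of a running executable (constructed here)."""
        return (
            binary["publisher"] == self.publisher
            and (self.product_name == "*" or binary["product_name"] == self.product_name)
            and (self.file == "*" or binary["file"].lower() == self.file.lower())
            and _version(self.min_version) <= _version(binary["version"]) <= _version(self.max_version)
        )


@dataclass
class WipPolicy:
    protected: list   # rules from the Protected apps list
    exempt: list      # rules from the Exempt apps list
    mode: str         # "Block", "Allow Overrides", "Silent", or "Off"

    def classify(self, binary):
        if any(rule.matches(binary) for rule in self.exempt):
            return "exempt"
        if any(rule.action == "Allow" and rule.matches(binary) for rule in self.protected):
            return "protected"
        return "unknown"

    def decide(self, binary, event):
        """Outcome of one data-flow event, following the mode descriptions above.

        event: "share_out" - the app shares work data to a non-protected app or device
               "read_work" - the app opens WIP-protected data or a corporate network resource
        """
        kind = self.classify(binary)
        if self.mode == "Off" or kind == "exempt":
            return "allowed"   # Off audits nothing; exempt apps are unrestricted
        if kind == "unknown":
            return "blocked"   # an unallowed app is stopped even in Silent mode
        if event == "read_work":
            return "allowed"   # a protected app reading work data is the intended flow
        if self.mode == "Block":
            return "blocked"
        if self.mode == "Allow Overrides":
            return "prompt_override_logged"
        if self.mode == "Silent":
            return "logged"
        raise ValueError(f"unknown protection mode: {self.mode}")


# Constructed sample policy and binaries (the publisher strings follow the
# "O=..., L=..., S=..., C=US" subject format the Desktop apps form expects).
MICROSOFT = "O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
CONTOSO = "O=Contoso, L=Seattle, S=Washington, C=US"
SAMPLE_POLICY = WipPolicy(
    protected=[
        DesktopAppRule("Word", MICROSOFT, "Microsoft Office 2016", "WINWORD.EXE", "16.0", "16.65535"),
        DesktopAppRule("Excel", MICROSOFT, "Microsoft Office 2016", "EXCEL.EXE", "16.0"),
    ],
    exempt=[DesktopAppRule("Contoso backup agent", CONTOSO, "Contoso Backup", "cbagent.exe")],
    mode="Silent",
)
WORD = {"publisher": MICROSOFT, "product_name": "Microsoft Office 2016", "file": "winword.exe", "version": "16.0.13029.20308"}
OLD_WORD = dict(WORD, version="15.0.4569.1506")
NOTEPAD = {"publisher": MICROSOFT, "product_name": "Microsoft Windows", "file": "notepad.exe", "version": "10.0.19041.1"}
BACKUP = {"publisher": CONTOSO, "product_name": "Contoso Backup", "file": "cbagent.exe", "version": "3.2.0.0"}


def outcomes_by_mode(binary, event):
    """The same event under each mode, for comparing before you switch from Silent to Block."""
    return {mode: WipPolicy(SAMPLE_POLICY.protected, SAMPLE_POLICY.exempt, mode).decide(binary, event)
            for mode in ("Block", "Allow Overrides", "Silent", "Off")}


if __name__ == "__main__":
    print(outcomes_by_mode(WORD, "share_out"))
    print(outcomes_by_mode(NOTEPAD, "read_work"))
```

Running the classifier over the binaries your WIP Learning report lists, before changing the mode, shows exactly which of them an over-narrow version range or a misspelled product name would push into the "unknown" bucket, which is where user-visible breakage comes from once Block is on.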
Add a protection mode
1. From the App policy pane, choose the name of your policy, then choose Required settings .
2. Select a setting and then choose Save .
Use WIP Learning
1. Open the Azure portal. Choose All services . Type Intune in the text box filter.
2. Choose Intune > Apps .
3. Choose App protection status > Reports > Windows Information Protection learning .
Once you have the apps showing up in the WIP Learning logging report, you can add them to your app
protection policies.

Allow Windows Search Indexer to search encrypted items


Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it
indexes items that are encrypted, such as the Windows Information Protection (WIP) protected files.
This app protection policy option is in the Advanced settings of the Windows Information Protection policy. The
app protection policy must be set to the Windows 10 platform and the app policy Enrollment state must be set
to With enrollment .
When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an
unencrypted location. The metadata includes things like file path and date modified.
When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana
or File Explorer. There may also be a performance impact on the Photos and Groove apps if there are many WIP
protected media files on the device.

Add encrypted file extensions


In addition to setting the Allow Windows Search Indexer to search encr ypted items option, you can specify
a list of file extensions. Files with these extensions are encrypted when copying from a Server Message Block
(SMB) share within the corporate boundary as defined in the network location list. When this policy is not
specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the
extensions in the list will be encrypted.

Deploy your WIP app protection policy


IMPORTANT
This information applies for WIP without device enrollment.

After you created your WIP app protection policy, you need to deploy it to your organization using MAM.
1. On the App policy pane, choose your newly created app protection policy, choose User groups > Add
user group .
A list of user groups, made up of all the security groups in your Azure Active Directory, opens in the Add
user group pane.
2. Choose the group you want your policy to apply to, then choose Select to deploy the policy.

Next steps
Learn more about Windows Information Protection, see Protect your enterprise data using Windows Information
Protection (WIP).
How to manage data transfer between iOS apps in Microsoft Intune
9/4/2020 • 6 minutes to read

To help protect company data, restrict file transfers to only the apps that you manage. You can manage iOS apps in
the following ways:
Protect Org data for work or school accounts by configuring an app protection policy for the apps, which
we call policy managed apps. See Microsoft Intune protected apps.
Deploy and manage the apps through iOS device management, which requires devices to enroll in a Mobile
Device Management (MDM) solution. The apps you deploy can be policy managed apps or other iOS
managed apps.
The Open-in management feature for enrolled iOS devices can limit file transfers between iOS managed apps.
Set Open-in management restrictions in configuration settings and then deploy them using your MDM solution.
When a user installs the deployed app, the restrictions you set are applied.

Use app protection with iOS apps


Use App protection policies with the iOS Open-in management feature to protect company data in the
following ways:
Devices not managed by any MDM solution: You can set the app protection policy settings to control
sharing of data with other applications via Open-in or Share extensions. To do so, configure the Send Org
data to other app setting to Policy managed apps with Open-In/Share filtering value. The Open-
in/Share behavior in the policy managed app presents only other policy managed apps as options for
sharing.
Devices managed by MDM solutions : For devices enrolled in Intune or third-party MDM solutions, data
sharing between apps with app protection policies and other managed iOS apps deployed through MDM is
controlled by Intune APP policies and the iOS Open in management feature. To make sure that apps you
deploy using a MDM solution are also associated with your Intune app protection policies, configure the
user UPN setting as described in the following section, Configure user UPN setting. To specify how you
want to allow data transfer to other policy managed apps and iOS managed apps, configure Send Org
data to other apps setting to Policy managed apps with OS sharing . To specify how you want to
allow an app to receive data from other apps, enable Receive data from other apps and then choose
your preferred level of receiving data. For more information about receiving and sharing app data, see Data
relocation settings.

Configure user UPN setting for Microsoft Intune or third-party EMM


Configuring the user UPN setting is required for devices that are managed by Intune or a third-party EMM
solution to identify the enrolled user account for the sending policy managed app when transferring data to an
iOS managed app. The UPN configuration works with the app protection policies you deploy from Intune. The
following procedure is a general flow on how to configure the UPN setting and the resulting user experience:
1. In the Microsoft Endpoint Manager admin center, create and assign an app protection policy for
iOS/iPadOS. Configure policy settings per your company requirements and select the iOS apps that should
have this policy.
2. Deploy the apps and the email profile that you want managed through Intune or your third-party MDM
solution using the following generalized steps. This experience is also covered by Example 1.
3. Deploy the app with the following app configuration settings to the managed device:
key = IntuneMAMUPN, value = username@company.com
Example: ['IntuneMAMUPN', 'janellecraig@contoso.com']

NOTE
In Intune, the App Configuration policy enrollment type must be set to Managed Devices . Additionally, the app
needs to be either installed from the Intune Company Portal (if set as available) or pushed as required to the device.

NOTE
Deploy IntuneMAMUPN app configuration settings to the target managed app which sends data, not the receiving
app.

4. Deploy the Open in management policy using Intune or your third-party MDM provider to enrolled
devices.
Example 1: Admin experience in Intune or third-party MDM console
1. Go to the admin console of Intune or your third-party MDM provider. Go to the section of the console in
which you deploy application configuration settings to enrolled iOS devices.
2. In the Application Configuration section, enter the following setting for each policy managed app that will
transfer data to iOS managed apps:
key = IntuneMAMUPN, value = username@company.com
The exact syntax of the key/value pair may differ based on your third-party MDM provider. The following
table shows examples of third-party MDM providers and the exact values you should enter for the
key/value pair.

Third-party MDM provider | Configuration key | Value type | Configuration value
Microsoft Intune | IntuneMAMUPN | String | {{UserPrincipalName}}
VMware AirWatch | IntuneMAMUPN | String | {UserPrincipalName}
MobileIron | IntuneMAMUPN | String | ${userUPN} or ${userEmailAddress}
Citrix Endpoint Management | IntuneMAMUPN | String | ${user.userprincipalname}
ManageEngine Mobile Device Manager | IntuneMAMUPN | String | %upn%
NOTE
For Outlook for iOS/iPadOS, if you deploy a managed devices App Configuration Policy with the option "Using configuration
designer" and enable Allow only work or school accounts , the configuration key IntuneMAMUPN is configured
automatically behind the scenes for the policy. More details can be found in the FAQ section in New Outlook for iOS and
Android App Configuration Policy Experience – General App Configuration.
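Most failures of this setup are typos: a wrong-case key, or one provider's placeholder syntax pasted into another provider's console. The following is an added example, not code from Intune or any of the MDM vendors in the table, that checks a key/value pair against the provider table above, builds the Intune Graph request body that carries the key, and models the one runtime condition the next section depends on: APP only treats a share as protected when the sending app's IntuneMAMUPN matches the signed-in work account. The Graph resource shape (iosMobileAppConfiguration with an appConfigKey/appConfigKeyType/appConfigKeyValue settings list) and the case-insensitive comparison are assumptions to verify against the Graph reference; the app ID and UPNs are constructed.

```python
import json

CONFIG_KEY = "IntuneMAMUPN"

# Placeholder syntax per provider, as in the table above. The MDM substitutes
# the enrolled user's UPN before the key reaches the app.
UPN_TOKENS = {
    "Microsoft Intune": ["{{UserPrincipalName}}"],
    "VMware AirWatch": ["{UserPrincipalName}"],
    "MobileIron": ["${userUPN}", "${userEmailAddress}"],
    "Citrix Endpoint Management": ["${user.userprincipalname}"],
    "ManageEngine Mobile Device Manager": ["%upn%"],
}


def validate_pair(provider, key, value):
    """Problems with a key/value pair as typed into the MDM console (empty list = OK)."""
    problems = []
    if key != CONFIG_KEY:
        problems.append(f"key must be exactly {CONFIG_KEY!r} (got {key!r})")
    tokens = UPN_TOKENS.get(provider)
    if tokens is None:
        problems.append(f"no known UPN token for provider {provider!r}")
    elif value not in tokens and "@" not in value:
        # A literal UPN is acceptable for a single test device; otherwise the
        # token must be the one this provider expands.
        problems.append(f"value {value!r} is neither a literal UPN nor one of {tokens} for {provider}")
    return problems


def intune_ios_app_config_body(display_name, targeted_mobile_app_ids):
    """Graph body for a managed-devices iOS app configuration policy carrying IntuneMAMUPN.

    Assumption: the shape of microsoft.graph.iosMobileAppConfiguration. Confirm it against
    the Graph reference before posting to /deviceAppManagement/mobileAppConfigurations.
    """
    return {
        "@odata.type": "#microsoft.graph.iosMobileAppConfiguration",
        "displayName": display_name,
        "targetedMobileApps": list(targeted_mobile_app_ids),  # Intune mobile app IDs, not bundle IDs
        "settings": [
            {
                "appConfigKey": CONFIG_KEY,
                "appConfigKeyType": "stringType",
                "appConfigKeyValue": UPN_TOKENS["Microsoft Intune"][0],
            }
        ],
    }


def app_protection_applies(sender_config, signed_in_upn):
    """True when the sending app's delivered IntuneMAMUPN matches the signed-in work account.

    sender_config is the key/value set the app received after token substitution.
    Case-insensitive matching is an assumption; the text only says the accounts must match.
    """
    configured = sender_config.get(CONFIG_KEY)
    return bool(configured) and configured.casefold() == signed_in_upn.casefold()


if __name__ == "__main__":
    print(validate_pair("VMware AirWatch", "IntuneMAMUPN", "{{UserPrincipalName}}"))
    print(json.dumps(intune_ios_app_config_body("Outlook - IntuneMAMUPN", ["<mobile app id>"]), indent=2))
```

Deploy the resulting configuration to the app that sends data (OneDrive or Outlook in the examples below), not to the receiving app; the receiving side is governed by Open-in management and by the Receive data from other apps setting.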

Example 2: End-user experience


Sharing from a policy managed app to other applications with OS sharing
1. A user opens the Microsoft OneDrive app on an enrolled iOS device and signs-in to their work account. The
account the user enters must match the account UPN you specified in the app configuration settings for the
Microsoft OneDrive app.
2. After sign-in, your Administrator configured APP settings apply to the user account in Microsoft OneDrive.
This includes configuring the Send Org data to other apps setting to the Policy managed apps with
OS sharing value.
3. The user previews a work file and attempts to share via Open-in to iOS managed app.
4. The data transfer succeeds and data is now protected by Open-in management in the iOS managed app.
Intune APP does not apply to applications that are not policy managed apps.
Sharing from an iOS managed app to a policy managed app with incoming Org data
1. A user opens native Mail on an enrolled iOS device with a Managed email profile.
2. The user opens a work document attachment from native Mail to Microsoft Word.
3. When the Word app launches, one of two experiences occur:
a. The data is protected by Intune APP when:
The user is signed-in to their work account that matches the account UPN you specified in the
app configuration settings for the Microsoft Word app.
Your Administrator configured APP settings apply to the user account in Microsoft Word. This
includes configuring the Receive data from other apps setting to the All apps with
incoming Org data value.
The data transfer succeeds and the document is tagged with the work identity in the app. Intune
APP protects the user actions for the document.
b. The data is not protected by Intune APP when:
The user is not signed-in to their work account.
Your Administrator configured settings are not applied to Microsoft Word because the user is not
signed in.
The data transfer succeeds and the document is not tagged with the work identity in the app.
Intune APP does not protect the user actions for the document because it is not active.

NOTE
The user can add and use their personal accounts with Word. App protection policies don't apply when the user uses
Word outside of a work-context.

Validate user UPN setting for third-party EMM


After configuring the user UPN setting, validate that the iOS app receives and complies with the Intune app
protection policy.
For example, the Require app PIN policy setting is easy to test. When the policy setting equals Require , the user
should see a prompt to set or enter a PIN before they can access company data.
First, create and assign an app protection policy to the iOS app. For more information on how to test app
protection policy, See Validate app protection policies.

See also
What is Intune app protection policy
Review client app protection logs
9/4/2020 • 12 minutes to read

Learn about the settings you can review in the app protection logs. Access logs by enabling Intune Diagnostics on a
mobile client.
The process to enable and collect logs varies by platform:
iOS/iPadOS devices - Use Microsoft Edge for iOS/iPadOS to collect logs. For details, see Use Edge for iOS
and Android to access managed app logs.
Windows 10 devices - Use MDMDiag and event logs. See, Diagnose MDM failures in Windows 10 in the
Windows client management content, and the blog Troubleshooting Windows 10 Intune Policy Failures.
Android devices - Use Microsoft Edge for Android to collect logs. For details, see Use Edge for iOS and
Android to access managed app logs.

NOTE
On Android Fully Managed devices, in certain instances the Intune Company Portal app may be visible under all apps.
This may happen when an app associated with an app protection policy is either not installed or not launched.

The following tables list the App protection policy setting name and supported values that are recorded in the log.
In addition, each setting identifies the policy setting found within Microsoft Endpoint Manager portal. For detailed
information on each setting, see iOS/iPadOS app protection policy settings and Android app protection policy
settings in Microsoft Intune.

iOS/iPadOS App protection policy settings


Name | Value details | Setting in Microsoft Endpoint Manager app protection policy
AccessRecheckOfflineTimeout | x minutes | Section: Conditional Launch. Setting: Offline grace period with action Block access (minutes)
AccessRecheckOnlineTimeout | x minutes | Section: Access requirements. Setting: Recheck the access requirements after (minutes of inactivity)
AllowedOutboundClipboardSharingExceptionLength | x characters | Section: Data protection. Setting: Cut and copy character limit for any app
AppPinDisabled | 0 = Require; 1 = Not required | Section: Access requirements. Setting: App PIN when device PIN is set
AppSharingFromLevel | 0 = None; 1 = Policy managed apps; 2 = All apps | Section: Data Protection. Setting: Receive data from other apps
AppSharingToLevel | 0 = None; 1 = Policy managed apps; 2 = All apps | Section: Data Protection. Setting: Send org data to other apps
ProtectManagedOpenInData | 0 = False; 1 = True | Section: Data Protection. Setting: Send org data to other apps is set to Policy managed apps with Open-In/Share filtering when true
AuthenticationEnabled | 0 = Not required; 1 = Require | Section: Access requirements. Setting: Work or school account credentials for access
ClipboardSharingLevel | 0 = Blocked; 1 = Policy managed apps; 2 = Policy managed apps with paste in; 3 = Any app | Section: Data Protection. Setting: Restrict cut, copy, and paste between other apps
ContactSyncDisabled | 0 = Allow; 1 = Block | Section: Data Protection. Setting: Sync app with native contacts app
DataBackupDisabled | 0 = Allow; 1 = Block | Section: Data Protection. Setting: Prevent backups
DeviceComplianceEnabled | 0 = False; 1 = True | Section: Conditional Launch. Setting: Jailbroken/rooted devices
DeviceComplianceFailureAction | 0 = Block access; 1 = Wipe data | Section: Conditional Launch. Setting: Jailbroken/rooted devices
DisableShareSense | N/A | N/A: Not actively used by the Intune service.
FileEncryptionLevel | 0 = When device is locked; 1 = When device is locked and there are open files; 2 = After device restart; 3 = Use device settings | Section: Data Protection. Setting: Encrypt org data
FileSharingSaveAsDisabled | 0 = Allow; 1 = Block | Section: Data Protection. Setting: Save copies of org data
IntuneIdentityUPN | UPN of the Intune MAM user | N/A
ManagedBrowserRequired | 0 = False; 1 = True | Section: Data Protection. Setting: Restrict web content transfer with other apps
ManagedLocations | A value that represents the managed storage locations to which the app can save data: 1 = OneDrive; 2 = SharePoint; 3 = OneDrive and SharePoint; 32 = Local Storage; 33 = Local Storage and OneDrive; 34 = Local Storage and SharePoint; 35 = Local Storage, OneDrive, and SharePoint | Section: Data Protection. Setting: Allow user to save copies to selected services
MinAppVersion | "0.0" = no minimum app version; anything else = minimum app version | Section: Conditional launch. Setting: Min app version with action Block access
MinAppVersionWarning | "0.0" = no minimum app version; anything else = minimum app version | Section: Conditional launch. Setting: Min app version with action Warn
MinAppVersionWipe | "0.0" = no minimum app version; anything else = minimum app version | Section: Conditional launch. Setting: Min app version with action Wipe data
MinOsVersion | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch. Setting: Min OS version with action Block access
MinOsVersionWarning | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch. Setting: Min OS version with action Warn
MinOsVersionWipe | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch. Setting: Min OS version with action Wipe data
MinSDKVersion | "0.0" = no minimum SDK version; anything else = minimum SDK version | Section: Conditional launch. Setting: Min SDK version with action Block access
MinSDKVersionWipe | "0.0" = no minimum SDK version; anything else = minimum SDK version | Section: Conditional launch. Setting: Min SDK version with action Wipe data
NotificationRestriction | 0 = Allow; 1 = Block Org Data; 2 = Block | Section: Data Protection. Setting: Org data notifications
PINCharacterType | 0 = Passcode; 1 = Numeric | Section: Access requirements. Setting: PIN type
PINEnabled | 0 = Not required; 1 = Require | Section: Access requirements. Setting: PIN for access
PINMinLength | x characters | Section: Access requirements. Setting: Select minimum PIN length
PINNumRetry | x attempts | Section: Conditional launch. Setting: Max PIN attempts
MaxPinRetryExceededAction | 0 = Reset PIN; 1 = Wipe data | Section: Conditional launch. Setting: Max PIN attempts
PrintingBlocked | 0 = Allow; 1 = Block | Section: Data Protection. Setting: Printing org data
SimplePINAllowed | 0 = Block; 1 = Allow | Section: Access requirements. Setting: Simple PIN
TouchIDEnabled | 0 = Block; 1 = Allow | Section: Access requirements. Setting: Touch ID instead of PIN for access (iOS 8+/iPadOS)
ThirdPartyKeyboardsBlocked | 0 = Allow; 1 = Block | Section: Data Protection. Setting: Third party keyboards
FaceIDEnabled | 0 = Block; 1 = Allow | Section: Access requirements. Setting: Face ID instead of PIN for access (iOS 11+/iPadOS)
PINExpiryDays | x days | Section: Access requirements. Setting: PIN reset after number of days > Number of days
NonBioPassTimeOutRequired | 0 = Not required; 1 = Require | Section: Access requirements. Setting: Override Touch ID with PIN after timeout
NonBioPassTimeOut | x minutes | Section: Access requirements. Setting: Override Touch ID with PIN after timeout > Timeout (minutes of inactivity)
DictationBlocked | 0 = Allow; 1 = Block | No administration control for this setting.
OfflineWipeInterval | x days | Note: No admin control for this setting.
ProtocolExclusions | 0 = Allow; 1 = Block | Section: Data Protection. Setting: Select apps to exempt
EnableOpenInFilter | 0 = Disabled; 1 = Enabled | Section: Data Protection. Setting: Send Org data to other apps > Policy managed apps with Open-In/Share filtering
MinimumRequiredDeviceThreatProtectionLevel | 0 = Not configured; 1 = Secured; 2 = Low; 3 = Medium; 4 = High | Section: Conditional launch. Setting: Max allowed device threat level
MobileThreatDefenseRemediationAction | 0 = Block access; 1 = Wipe data | Section: Conditional launch. Setting: Max allowed device threat level (action)
AllowedIOSModelsElseBlock | x characters | Section: Conditional launch. Setting: Device model(s) with action Allow specified (Block non-specified)
AllowedIOSModelsElseWipe | x characters | Section: Conditional launch. Setting: Device model(s) with action Allow specified (Wipe non-specified)
ProtectAllIncomingUnknownSourceData | N/A | Note: Not actively used by the Intune service.

Android App protection policy settings


Name | Value details | Setting in Microsoft Endpoint Manager App protection policy

AccessRecheckOfflineTimeout | x minutes | Section: Conditional Launch; Setting: Offline grace period with action Block access (minutes)
AccessRecheckOnlineTimeout | x minutes | Section: Access requirements; Setting: Recheck the access requirements after (minutes of inactivity)
AppPinDisabled | true = Require; false = Not required | Section: Access requirements; Setting: App PIN when device PIN is set
AllowedAndroidManufacturersElseBlock | Empty if not set, otherwise list of allowed manufacturers | Section: Conditional launch; Setting: Device manufacturers with action Allow specified (Block non-specified)
AllowedAndroidManufacturersElseWipe | Empty if not set, otherwise list of allowed manufacturers | Section: Conditional launch; Setting: Device manufacturers with action Allow specified (Wipe non-specified)
AllowedAndroidModelsElseBlock | Empty if not set, otherwise list of allowed models | No administration control for this setting.
AllowedAndroidModelsElseWipe | Empty if not set, otherwise list of allowed models | No administration control for this setting.
AndroidSafetyNetDeviceAttestationEnforcement | NOT_REQUIRED = not set; BASIC_INTEGRITY = Basic Integrity; BASIC_INTEGRITY_AND_DEVICE_CERTIFICATION = Basic Integrity and certified devices | Section: Conditional launch; Setting: SafetyNet device attestation
AndroidSafetyNetDeviceAttestationFailedAction | BLOCK = Block access; WARN = Warn; WIPE_DATA = Wipe Data | Section: Conditional launch; Setting: SafetyNet device attestation
AndroidSafetyNetVerifyAppsEnforcementType | NOT_REQUIRED = not set; REQUIRE_ENABLED = configured | Section: Conditional launch; Setting: Require threat scan on apps
AndroidSafetyNetVerifyAppsFailedAction | BLOCK = Block access; WARN = Warn | Section: Conditional launch; Setting: Require threat scan on apps
AppSharingFromLevel | BLOCKED = None; MANAGED = Policy Managed apps; UNRESTRICTED = All apps | Section: Data Protection; Setting: Receive data from other apps
AppSharingToLevel | BLOCKED = None; MANAGED = Policy Managed apps; UNRESTRICTED = All apps | Section: Data Protection; Setting: Send org data to other apps
AuthenticationEnabled | false = Not required; true = Require | Section: Access requirements; Setting: Work or school account credentials for access
BlockScreenCapture | false = Allow; true = Block | Section: Data Protection; Setting: Screen capture and Google Assistant
ClipboardCharacterExceptionLength | x characters | Section: Data protection; Setting: Cut and copy character limit for any app
ClipboardSharingLevel | BLOCKED = Blocked; MANAGED = Policy managed apps; MANAGED_PASTE_IN = Policy managed apps with paste in; UNMANAGED = Any app | Section: Data Protection; Setting: Restrict cut, copy, and paste between other apps
ConditionalEncryptionEnabled | false = Require; true = Not required | Section: Data Protection; Setting: Encrypt org data on enrolled devices
ContactSyncDisabled | false = Allow; true = Block | Section: Data Protection; Setting: Sync app with native contacts app
DataBackupDisabled | false = Allow; true = Block | Section: Data Protection; Setting: Prevent backups
DeviceComplianceEnabled | false = False; true = True | Section: Conditional Launch; Setting: Jailbroken/rooted devices
DeviceComplianceFailureAction | BLOCK = Block access; WIPE_DATA = Wipe data | Section: Conditional Launch; Setting: Jailbroken/rooted devices
DialerRestrictionLevel | 0 = None, do not transfer this data between apps; 1 = A specific dialer app; 2 = Any policy-managed dialer app; 3 = Any dialer app | Section: Data Protection; Setting: Transfer telecommunication data to
DictationBlocked | false = Allow; true = Block | No administration control for this setting.
FileEncryptionKeyLength | 128; 256 | No administration control for this setting.
FileSharingSaveAsDisabled | false = Allow; true = Block | Section: Data Protection; Setting: Save copies of org data
IntuneMAMPolicyVersion | version number | N/A
isManaged | true; false | N/A
KeyboardsRestricted | true = Required; false = Not required | Section: Data Protection; Setting: Approved keyboards
ManagedBrowserRequired | true = Microsoft Edge or Unmanaged browser; false = Any app | Section: Data Protection; Setting: Restrict web content transfer to other apps
ManagedLocations | A value that represents the managed storage locations to which the app can save data, separated by a semicolon: ONEDRIVE_FOR_BUSINESS, SHAREPOINT, LOCAL | Section: Data Protection; Setting: Allow user to save copies to selected services
MaxPinRetryExceededAction | RESET_PIN = Reset PIN; WIPE_DATA = Wipe data | Section: Conditional launch; Setting: Max PIN attempts
MinAppVersion | "0.0" = no minimum app version; anything else = minimum app version | Section: Conditional launch; Setting: Min app version with action Block access
MinAppVersionWarning | "0.0" = no minimum app version; anything else = minimum app version | Section: Conditional launch; Setting: Min app version with action Warn
MinAppVersionWipe | "0.0" = no minimum app version; anything else = minimum app version | Section: Conditional launch; Setting: Min app version with action Wipe data
MinOsVersion | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch; Setting: Min OS version with action Block access
MinOsVersionWarning | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch; Setting: Min OS version with action Warn
MinOsVersionWipe | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch; Setting: Min OS version with action Wipe data
MinPatchVersion | "0000-00-00" = no minimum Patch version; anything else = minimum Patch version | Section: Conditional launch; Setting: Min Patch version with action Block access
MinPatchVersionWarning | "0000-00-00" = no minimum Patch version; anything else = minimum Patch version | Section: Conditional launch; Setting: Min Patch version with action Warn
MinPatchVersionWipe | "0000-00-00" = no minimum Patch version; anything else = minimum Patch version | Section: Conditional launch; Setting: Min Patch version with action Wipe data
MinimumRequiredCompanyPortalVersion | "0.0" = no minimum Company Portal version; anything else = minimum Company Portal version | Section: Conditional launch; Setting: Min Company Portal version with action Block access
MinimumRequiredDeviceThreatProtectionLevel | NOT_SET = not defined in the policy; SECURED = Secured; LOW = Low; MEDIUM = Medium; HIGH = High | Section: Conditional launch; Setting: Max allowed device threat level
MinimumWarningCompanyPortalVersion | "0.0" = no minimum Company Portal version; anything else = minimum Company Portal version | Section: Conditional launch; Setting: Min Company Portal version with action Warn
MinimumWipeCompanyPortalVersion | "0.0" = no minimum Company Portal version; anything else = minimum Company Portal version | Section: Conditional launch; Setting: Min Company Portal version with action Wipe data
MobileThreatDefenseRemediationAction | BLOCK = Block Access; WIPE_DATA = Wipe data | Section: Conditional launch; Setting: Max allowed device threat level
NonBioPassTimeOut | x minutes | Section: Access requirements; Setting: Override fingerprint with PIN after timeout > Timeout (minutes of inactivity)
NonBioPassTimeOutRequired | false = Not required; true = Require | Section: Access requirements; Setting: Override fingerprint with PIN after timeout
NotificationRestriction | UNRESTRICTED = Allow; BLOCK_ORG_DATA = Block Org Data; BLOCK = Block | Section: Data Protection; Setting: Org data notifications
PINCharacterType | PASSCODE = Passcode; NUMERIC = Numeric | Section: Access requirements; Setting: Pin type
PINEnabled | false = Not required; true = Require | Section: Access requirements; Setting: PIN for access
PINMinLength | x characters | Section: Access requirements; Setting: Select minimum PIN length
PINNumRetry | x attempts | Section: Conditional launch; Setting: Max PIN attempts
PackageExclusions | Empty if no bundle IDs are configured, otherwise bundle IDs separated by a semicolon | Section: Data protection; Setting: Select apps to exempt
PinHistoryLength | x PIN values to maintain | Section: Access requirements; Setting: Select number of previous PIN values to maintain
PolicyCount | number | N/A
PrintingBlocked | false = Allow; true = Block | Section: Data Protection; Setting: Printing org data
RequireFileEncryption | false = Not required; true = Require | Section: Data Protection; Setting: Encrypt org data
SimplePINAllowed | false = Block; true = Allow | Section: Access requirements; Setting: Simple PIN
SpecificDialerDisplayName | Dialer app name | Section: Data Protection; Setting: Dialer app name
SpecificDialerPackageID | Dialer app bundle ID | Section: Data Protection; Setting: Dialer App Package ID
TouchIDEnabled | false = Block; true = Allow | Section: Access requirements; Setting: Fingerprint instead of PIN for access (Android 6.0+)
ThirdPartyKeyboardsBlocked | 0 = Allow; 1 = Block | Section: Data Protection; Setting: Third party keyboards
FaceIDEnabled | 0 = Block; 1 = Allow | Section: Access requirements; Setting: Face ID instead of PIN for access (iOS 11+/iPadOS)
PINExpiryDays | x characters | Section: Access requirements; Setting: PIN reset after number of days > Number of days
UnmanagedBrowserDisplayName | Unmanaged web browser display name | Section: Data protection; Setting: Unmanaged Browser name
UnmanagedBrowserPackageID | Unmanaged web browser package ID | Section: Data protection; Setting: Unmanaged Browser ID
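The two tables above give the raw setting names and value encodings as they appear in a device's diagnostic output, and the portal location of each. The following is an added example (not code from the Intune documentation) that reads such a dump, reduced to constructed `Name = Value` lines, and flags values that weaken the policy, reporting each finding with the Section > Setting path from the tables; the line format, the choice of checks and the sample values are assumptions, while the names and encodings (0/1 for iOS, false/true and string enums for Android) are those listed above.

```python
"""Defender baseline check for Intune app protection policy settings.

Added example, not from the Intune documentation. Assumes the diagnostic
output has been reduced to 'Name = Value' lines (a constructed format);
setting names and value encodings follow the iOS and Android tables.
"""
import re

LINE_RE = re.compile(r"^\s*([A-Za-z]\w*)\s*[:=]\s*(\S.*?)\s*$")


def _truthy(value):
    # iOS encodes booleans as 0/1, Android as false/true; accept both.
    return value in ("1", "true")


# name -> (predicate that must hold, portal location from the table, finding)
COMMON_CHECKS = {
    "PINEnabled": (_truthy, "Access requirements > PIN for access",
                   "PIN is not required for access"),
    "SimplePINAllowed": (lambda v: v in ("0", "false"),
                         "Access requirements > Simple PIN", "simple PINs are allowed"),
    "PrintingBlocked": (_truthy, "Data Protection > Printing org data",
                        "printing of org data is allowed"),
    "MinimumRequiredDeviceThreatProtectionLevel": (
        lambda v: v not in ("0", "NOT_SET"),
        "Conditional launch > Max allowed device threat level",
        "no device threat level is enforced"),
}

# Checks whose setting names exist only in the Android table.
ANDROID_CHECKS = {
    "AppSharingToLevel": (lambda v: v != "UNRESTRICTED",
                          "Data Protection > Send org data to other apps",
                          "org data may be sent to all apps"),
    "RequireFileEncryption": (_truthy, "Data Protection > Encrypt org data",
                              "org data is not encrypted"),
    "DataBackupDisabled": (_truthy, "Data Protection > Prevent backups",
                           "backups of org data are allowed"),
    "DeviceComplianceEnabled": (_truthy, "Conditional Launch > Jailbroken/rooted devices",
                                "rooted devices are not checked"),
    "AndroidSafetyNetDeviceAttestationEnforcement": (
        lambda v: v != "NOT_REQUIRED",
        "Conditional launch > SafetyNet device attestation",
        "no SafetyNet attestation is required"),
}


def parse_settings(text):
    """Turn 'Name = Value' (or 'Name: Value') lines into a dict; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def check_policy(settings, platform):
    """Return [(setting name, portal location, finding)] for every failed check."""
    checks = dict(COMMON_CHECKS)
    if platform == "android":
        checks.update(ANDROID_CHECKS)
    elif platform != "ios":
        raise ValueError(f"unknown platform {platform!r}")
    findings = []
    for name, (holds, location, problem) in checks.items():
        if name not in settings:
            findings.append((name, location, "setting not present in dump"))
        elif not holds(settings[name]):
            findings.append((name, location, f"{problem} (value {settings[name]!r})"))
    return findings


# Constructed sample dumps; not captured from a real device.
IOS_SAMPLE = """\
PINEnabled = 1
SimplePINAllowed = 1
PrintingBlocked = 0
MinimumRequiredDeviceThreatProtectionLevel = 0
"""

ANDROID_SAMPLE = """\
PINEnabled = true
SimplePINAllowed = false
PrintingBlocked = true
AppSharingToLevel = UNRESTRICTED
RequireFileEncryption = true
DataBackupDisabled = false
DeviceComplianceEnabled = true
AndroidSafetyNetDeviceAttestationEnforcement = BASIC_INTEGRITY
MinimumRequiredDeviceThreatProtectionLevel = NOT_SET
"""

if __name__ == "__main__":
    for platform, dump in (("ios", IOS_SAMPLE), ("android", ANDROID_SAMPLE)):
        print(f"== {platform} ==")
        for name, location, problem in check_policy(parse_settings(dump), platform):
            print(f"{name}: {problem}; fix under {location}")
```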

Next steps
To learn more about app protection policies, see What are app protection policies?
Intune offers a number of tools to help you troubleshoot issues in your environment. For more information, see
Use the troubleshooting portal to help users.
Use the troubleshooting portal to help users at your company
3/20/2020 • 4 minutes to read

The troubleshooting portal lets help desk operators and Intune administrators view user information to address
user help requests. Organizations that include a help desk can assign the Help desk operator to a group of
users. The help desk operator role can use the Troubleshoot pane.
The Troubleshoot pane also shows user enrollment issues. Details about the issue and suggested remediation
steps can help administrators and help desk operators troubleshoot problems. Certain enrollment issues aren't
captured and some errors might not have remediation suggestions.
For steps on adding a help desk operator role, see Role-based administration control (RBAC) with Intune.
When a user contacts support with a technical issue with Intune, the help desk operator enters the user's name.
Intune shows useful data that can help resolve many tier-1 issues, including:
User status
Assignments
Compliance issues
Device not responding
Device not getting VPN or Wi-Fi settings
App installation failure

To review troubleshooting details


In the troubleshooting pane, choose Select user to view user information. User information can help you
understand the current state of users and their devices.
1. Sign in to Intune.
2. On the Intune pane, choose Troubleshoot .
3. Click Select to select a user to troubleshoot.
4. Select a user by typing the name or email address. Click Select . The troubleshooting information for the user
shows in the Troubleshooting pane. The following table explains the information.

NOTE
You can also access the troubleshooting pane by pointing your browser to: https://aka.ms/intunetroubleshooting.

Areas of troubleshooting dashboard


You can use the Troubleshoot pane to review user information.
Area | Name | Description

1 | Account status | Shows the status of the current Intune tenant as Active or Inactive.
2 | User selection | The name of the currently selected user. Click Change user to choose a new user.
3 | User status | Displays the status of the user's Intune license, number of devices, and each device's compliance.
4 | User information | Use the list to select the details to review in the pane. You can select: Client apps, Compliance policies, Configuration policies, App protection policies, Enrollment restrictions.
5 | Group membership | Shows the current groups the selected user is a member of.

Enrollment failure reference


The Enrollment Failures table lists enrollment attempts that failed. A device listed in the below table may have
subsequently enrolled successfully during another attempt. Some failed attempts may not be listed. Mitigation
information isn't available for all failures.

Table column | Description

Enrollment start | The start time when the user first began enrolling.
OS | The device's operating system.
OS version | The device's operating system version.
Failure | The reason for the failure.

Failure details
When you choose a failure row, more details are provided.

Section | Description

Failure details | A more detailed explanation of the failure.
Potential remediations | Suggested steps to resolve the error. Some failures may not have remediations.
Resources (Optional) | Links for further reading or areas in the portal to take action.

Enrollment errors
Error | Details

iOS/iPadOS Timeout or Failure | A timeout between the device and Intune due to the user taking too long to complete enrollment.
User not found or licensed | The user is missing a license or has been removed from the service.
Device already enrolled | Someone attempted to enroll a device by using the Company Portal on a device that is still enrolled by another user.
Not onboarded into Intune | An enrollment was attempted when the Intune mobile device management (MDM) authority wasn't configured.
Enrollment authorization failed | An enrollment was attempted using an old version of the Company Portal.
Device not supported | The device doesn't meet the minimum requirements for Intune enrollment.
Enrollment restrictions not met | This enrollment was blocked due to an admin-configured enrollment restriction.
Device version too low | The admin has configured an enrollment restriction requiring a higher device version.
Device version too high | The admin has configured an enrollment restriction requiring a lower device version.
Device cannot be enrolled as personal | The admin has configured an enrollment restriction to block personal enrollments and the failed device wasn't predefined as corporate.
Device platform blocked | The admin has configured an enrollment restriction that blocks this device's platform.
Bulk token expired | The bulk token in the provisioning package has expired.
Autopilot device or details not found | The Autopilot device wasn't found when attempting to enroll.
Autopilot profile not found or not assigned | The device doesn't have an active Autopilot profile.
Autopilot enrollment method unexpected | The device attempted to enroll by using a non-allowed method.
Autopilot device removed | The device attempting to enroll has been removed from Autopilot for this account.
Device cap reached | This enrollment was blocked due to an admin-configured device limit restriction.
Apple onboarding | All iOS/iPadOS devices were blocked from enrolling at this time due to a missing or expired Apple MDM push certificate within Intune.
Device not preregistered | The device wasn't pre-registered as corporate and all personal enrollments were blocked by an admin.
Feature not supported | The user was likely attempting to enroll via a method not compatible with your Intune configuration.

Collect available data from mobile device


Use the following resources to help collect device data when troubleshooting users' device issues:
Send iOS/iPadOS enrollment errors to your IT administrator
Help your company support fix device issues with verbose logging
Send Android logs to your company support using a USB cable
Send Android diagnostic data logs to your IT administrator using email
Send Android enrollment errors to your IT administrator

Next steps
You can learn more about Role-based administration control (RBAC) to define roles for your organization's device
management, mobile application management, and data protection tasks. For more information, see Role-based
administration control (RBAC) with Intune.
Learn about any known issues in Microsoft Intune. For more information, see Known issues in Microsoft Intune.
Learn how to create a support ticket and get help when you need it. See Get support.
Troubleshoot app installation issues
9/4/2020 • 5 minutes to read

On Microsoft Intune MDM-managed devices, sometimes app installations can fail. When these app installs fail, it
can be challenging to understand the failure reason or troubleshoot the issue. Microsoft Intune provides app
installation failure details that allow help desk operators and Intune administrators to view app information to
address user help requests. The troubleshooting pane within Intune provides failure details, including details about
managed apps on a user's device. Details about the end-to-end lifecycle of an app are provided under each
individual device in the Managed Apps pane. You can view installation issues, such as when the app was created,
modified, targeted, and delivered to a device.

NOTE
For specific app installation error code information, see Intune app installation error reference.

App troubleshooting details


Intune provides app troubleshooting details based on the apps installed on a specific user's device.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Troubleshoot + support .
3. Click Select user to select a user to troubleshoot. The Select users pane will be displayed.
4. Select a user by typing the name or email address. Click Select at the bottom of the pane. The
troubleshooting information for the user is displayed in the Troubleshoot pane.
5. Select the device that you want to troubleshoot from the Devices list.

6. Select Managed Apps from selected device pane. A list of managed apps is displayed.
7. Select an app from the list where Installation Status indicates a failure.

NOTE
The same app could be assigned to multiple groups but with different intended actions (intents) for the app. For
instance, a resolved intent for an app will show excluded if the app is excluded for a user during app assignment.
For more information, see How conflicts between app intents are resolved.

If an installation failure occurs for a required app, either you or your helpdesk will be able to sync the device and
retry the app install.

The app installation error details will indicate the problem. You can use these details to determine the best action to
take to resolve the problem. For more information about troubleshooting app installation issues, see Android app
installation errors and iOS app installation errors.

NOTE
You can also access the troubleshooting pane by pointing your browser to: https://aka.ms/intunetroubleshooting.

User Group targeted app installation does not reach device


The following actions should be considered when you have problems installing apps:
If the app does not display in the Company Portal, ensure the app is deployed with Available intent and that
the user is accessing the Company Portal with the device type supported by the app.
For Windows BYOD devices, the user needs to add a Work account to the device.
Check if the user is over the AAD device limit:
1. Navigate to Azure Active Directory Device Settings.
2. Make note of the value set for Maximum devices per user .
3. Navigate to Azure Active Directory Users.
4. Select the affected user and click Devices .
5. If the user is over the set limit, delete any stale records that are no longer needed.
For iOS/iPadOS DEP devices, ensure that the user is listed as Enrolled by User in Intune Device Overview
pane. If it shows NA, then deploy a config policy for the Intune Company Portal. For more information, see
Configure the Company Portal app.

Win32 app installation troubleshooting


Select the Win32 app that was deployed using the Intune management extension. You can select the Collect logs
option when your Win32 app installation fails.

IMPORTANT
The Collect logs option will not be enabled when the Win32 app has been successfully installed on the device.
Before you can collect Win32 app log information, the Intune management extension must be installed on the Windows
client. The Intune management extension is installed when a PowerShell script or a Win32 app is deployed to a user or device
security group. For more information, see Intune Management extension - Prerequisites.

Collect log file


To collect your Win32 app installation logs, first follow the steps provided in the section App troubleshooting
details. Then, continue with the following steps:
1. Click the Collect logs option on the Installation details pane.
[Screenshot: Win32 app installation details - Collect log option]
2. Provide file paths with log file names to begin the log file collection process and click OK .

NOTE
Log collection will take less than two hours. Supported file types: .log, .txt, .dmp, .cab, .zip, .xml, .evtx, and .evtl. A
maximum of 25 file paths is allowed.

3. Once the log files have been collected, you can select the logs link to download the log files.
[Screenshot: Win32 app log details - Download logs]

NOTE
A notification will be displayed indicating the success of the app log collection.

Win32 log collection requirements


There are specific requirements that must be followed to collect log files:
You must specify the complete log file path.
You can specify environment variables for log collection, such as the following:
%PROGRAMFILES%, %PROGRAMDATA%, %PUBLIC%, %WINDIR%, %TEMP%, %TMP%
Only exact file extensions are allowed, such as:
.log, .txt, .dmp, .cab, .zip, .xml
The maximum log file to upload is 60 MB or 25 files, whichever occurs first.
Win32 app install log collection is enabled for apps that meet the required, available, and uninstall app
assignment intent.
Stored logs are encrypted to protect any personal identifiable information contained in the logs.
While opening support tickets for Win32 app failures, attach the related failure logs using the steps provided
above.
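A pre-flight check for a log collection request, written as an added example (not code from the Intune documentation or the management extension): it applies the rules listed above, complete path, documented environment variables, exact extensions, 25-file and 60 MB limits, to a list of paths before the request is submitted. The extension list is the fuller one from the note above, the accepted path shapes (drive letter or `%VARIABLE%\` prefix) and the optional `sizes` mapping are assumptions.

```python
"""Pre-flight validation of Win32 app log collection requests.

Added example, not code from Intune. Encodes the "Win32 log collection
requirements" above; path shapes and the sizes mapping are assumptions.
"""
import ntpath
import re

ALLOWED_EXTENSIONS = {".log", ".txt", ".dmp", ".cab", ".zip", ".xml", ".evtx", ".evtl"}
DOCUMENTED_VARIABLES = {"PROGRAMFILES", "PROGRAMDATA", "PUBLIC", "WINDIR", "TEMP", "TMP"}
MAX_FILES = 25
MAX_TOTAL_BYTES = 60 * 1024 * 1024

# A path may start with an environment variable such as %PROGRAMDATA%\ instead of a drive.
_VAR_PREFIX = re.compile(r"^%([A-Za-z_][A-Za-z0-9_]*)%\\")


def validate_log_paths(paths, sizes=None):
    """Return [(path, problem), ...]; an empty list means every rule is met.

    sizes is an optional {path: bytes} mapping (e.g. gathered on the device
    beforehand) used to apply the 60 MB total limit; without it the size rule
    is not checked.
    """
    problems = []
    if len(paths) > MAX_FILES:
        problems.append(("*", f"{len(paths)} paths requested, maximum is {MAX_FILES}"))
    for path in paths:
        var = _VAR_PREFIX.match(path)
        if not (var or ntpath.isabs(path)):
            problems.append((path, "not a complete path (drive letter or %VARIABLE% prefix required)"))
        elif var and var.group(1).upper() not in DOCUMENTED_VARIABLES:
            problems.append((path, f"%{var.group(1)}% is not one of the documented variables"))
        ext = ntpath.splitext(path)[1].lower()
        if ext not in ALLOWED_EXTENSIONS:
            problems.append((path, f"extension {ext or '(none)'!r} is not an allowed log file type"))
    if sizes:
        total = sum(sizes.get(p, 0) for p in paths)
        if total > MAX_TOTAL_BYTES:
            problems.append(("*", f"{total} bytes requested, maximum is {MAX_TOTAL_BYTES}"))
    return problems


if __name__ == "__main__":
    # Constructed request: one good path, one wrong extension, one relative path.
    request = [r"C:\ProgramData\Contoso\install.log", r"%TEMP%\setup.msi", r"install.log"]
    for path, problem in validate_log_paths(request):
        print(f"{path}: {problem}")
```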

App types supported on ARM64 devices


App types that are supported on ARM64 devices include the following:
Web apps that do not require a managed browser to open.
Microsoft Store for Business apps or Windows Universal LOB apps (.appx) with any of the following
combinations of TargetDeviceFamily and ProcessorArchitectures elements:
TargetDeviceFamily includes Desktop apps, Universal apps and Windows8x apps. Windows8x apps
apply only as Online Microsoft Store for Business apps.
ProcessorArchitecture includes x86 apps, ARM apps, ARM64 apps, and neutral apps.
Windows Store apps
Mobile MSI LOB apps
Win32 apps with the requirement rule of 32-bit.
Windows Office click-to-run apps if 32-bit or x86 architecture is selected.

NOTE
To better recognize ARM64 apps in the Company Portal, consider adding ARM64 to the name of your ARM64 apps.

Troubleshooting apps from the Microsoft Store


The information in the topic Troubleshooting packaging, deployment, and query of Microsoft Store apps helps you
troubleshoot common problems you might encounter when installing apps from the Microsoft Store, whether by
using Intune, or by any other means.

App troubleshooting resources


Deploying Visio and Project as part of your Microsoft 365 Apps Deployment
Take Action to Ensure MSfB Apps deployed through Intune install on Windows 10 1903
Troubleshooting MSI app deployments in Microsoft Intune
Best practices for software distribution to Intune classic Windows PC agent

Next steps
For additional Intune troubleshooting information, see Use the troubleshooting portal to help users at your
company.
Learn about any known issues in Microsoft Intune. For more information, see Intune Customer Success.
Need extra help? See How to get support for Microsoft Intune.
Intune app installation error reference
4/2/2020 • 15 minutes to read

In addition to following the provided steps to troubleshoot application errors, you can also learn about specific app
errors based on the returned error codes. Once you have matched an error code, use the additional description and
information to help resolve the error.

Android app installation errors


This section mentions both Device Administrator (DA) and Samsung Knox enrollment. For more information, see
Android device administrator enrollment and Automatically enroll Android devices by using Samsung's Knox
Mobile Enrollment.

Error code (hex) | Error code (dec) | Error message/code | Description

0xC7D14FB5 | -942583883 | The app failed to install. | This error message is displayed when Intune cannot determine the root cause of the Android app installation error. No information was provided by Android during the failure. This error is returned when the APK download succeeded, but the app installation failed. This error may occur more commonly due to a bad APK file that cannot be installed onto the device. A possible cause can be when Google Play Protect blocks the install of the app due to security concerns. Another possible cause of this error is when a device does not support the app. For example, if the app requires API version 21+ and the device currently has API version 19. Intune returns this error for both DA and KNOX devices and although there may be a notification that users can click to retry, if there is an issue with the APK, it will continue to fail. If the app is an available app, the notification can be dismissed. However, if the app is required, it cannot be dismissed.

0xC7D14FBA | -942583878 | The app installation was canceled because the installation (APK) file was deleted after download, but before installation. | The download of the APK succeeded, but before the user installed the app the file was removed from the device. This could happen if there was a large time difference between download and install. For example, the user canceled the original install, waited, and then clicked the notification to try again. This error message is returned only for DA scenarios. KNOX scenarios can be done silently. We do present a notification to retry so the user can accept instead of cancel. If the app is an available app, the notification can be dismissed. However, if the app is required, it cannot be dismissed.

0xC7D14FBB | -942583877 | The app installation was canceled because the process was restarted during installation. | The device was rebooted during the APK installation process, resulting in a canceled installation. This error message is returned for both DA and KNOX devices. Intune presents a notification that users can click to retry. If the app is an available app, the notification can be dismissed. However, if the app is required, it cannot be dismissed.

0x87D1041C | -2016345060 | The application was not detected after installation completed successfully. | The user explicitly uninstalled the app. This error is not returned from the client. It is an error produced when the app was installed at one point, but then the user uninstalled it. This error should only occur for required applications. Users can uninstall non-required apps. This error can only happen in DA. KNOX blocks the uninstall of managed apps. The next sync will repost the notification on the device for the user to install. The user can ignore the notification. This error will continue to be reported until the user installs the app.

0xC7D14FB2 | -942583886 | The download failed because of an unknown error. | This error occurs when the download fails. This error can commonly occur due to Wi-Fi issues or slow connections. This error is returned for only DA scenarios. For KNOX scenarios, the user is not prompted to install; this can be done silently. Intune presents a notification that users can click to retry. If the app is an available app, the notification can be dismissed. However, if the app is required, it cannot be dismissed.

0xC7D15078 | -942583688 | The download failed because of an unknown error. The policy will be retried the next time the device syncs. | This error occurs when the download fails. This error can commonly occur due to Wi-Fi issues or slow connections. This error is returned for only DA scenarios. For KNOX scenarios, the user is not prompted to install; this can be done silently.

0xC7D14FB1 | -942583887 | The end user canceled the app installation. | The user explicitly uninstalled the app. This error is returned when the Android OS install activity was canceled by the user. The user pressed the cancel button when the OS install prompt was presented or clicked away from the prompt. This error is returned for only DA scenarios. For KNOX scenarios, the user is not prompted to install; this can be done silently. Intune presents a notification that users can click to retry. If the app is an available app, the notification can be dismissed. However, if the app is required, it cannot be dismissed. Ask the user not to cancel the install.

0xC7D15015 | -942583787 | The file download process was unexpectedly stopped. | The OS stopped the download process before it was complete. This error can occur when the device has low battery or the download is taking too long. This error is returned for only DA scenarios. For KNOX scenarios, the user is not prompted to install; this can be done silently. Intune presents a notification that users can click to retry. If the app is an available app, the notification can be dismissed. However, if the app is required, it cannot be dismissed. Ensure the device has a reliable network connection.

0xC7D1507C | -942583684 | The file download service was unexpectedly stopped. The policy will be retried the next time the device syncs. | The OS ended the download process before it was completed. This error can occur when the device has low battery or the download is taking too long. This error is returned for only DA scenarios. For KNOX scenarios, the user is not prompted to install; this can be done silently. Manually sync the device or wait for 24 hours and check the status.

0xc7d14fb8 | -942583880 | The app failed to uninstall. | This error is a generic uninstall failure. The OS did not specify why the app failed to uninstall. Some admin apps cannot simply be uninstalled. Check to ensure the app can be uninstalled manually and collect the Company Portal logs if the uninstall fails.

0xc7d14fb7 | -942583881 | The app installation APK file used for the upgrade does not match the signature for the current app on the device. | Android OS has the limitation of requiring the signing cert for the upgrade version to be exactly the same as the cert used to sign the existing version. If the developer cannot use the same cert to sign the new version, you will need to uninstall the existing app and re-deploy the new app rather than upgrade the existing app.

0xc7d14fb9 | -942583879 | The end user canceled the app installation. | Educate the user to accept the Intune deployed app and install the app when prompted.

0xc7d14fbc | -942583876 | Uninstall of the app was canceled because the process was restarted during installation. | The app install process was terminated by the OS or the device was restarted. Retry the install and collect Company Portal logs if this error occurs again.

0xc7d14fb6 | -942583882 | The app installation APK file cannot be installed because it was not signed. | By default, Android OS requires apps to be signed. Ensure the app is signed before deployment.

0xC7D14FB1 | -942583887 | The end user canceled the app installation. | The user explicitly uninstalled the app. This error is returned when the Android OS install activity was canceled by the user. The user pressed the cancel button when the OS install prompt was presented or clicked away from the prompt. This error is returned for only DA scenarios. For KNOX scenarios, the user is not prompted to install; this can be done silently. Intune presents a notification that users can click to retry. If the app is an available app, the notification can be dismissed. However, if the app is required, it cannot be
dismissed. Ask the user not
to cancel the install.

0xC7D14FB9 -942583879 The end user canceled the Educate the user to accept
app installation. (At the the Intune deployed app
accept prompt) and install the app when
prompted.

iOS and iPadOS app installation errors

The following error messages and descriptions provide details about iOS/iPadOS installation errors. Each entry lists the error code (hex and signed 32-bit decimal), the error message or code, and a description with troubleshooting tips.

0x87D12906 (-2016335610)
  Message: Apple MDM Agent error: App installation command failed with no error reason specified.
  Description: The Apple MDM Agent returned that the installation command failed. Retry the app installation.

0x87D1313C (-2016333508)
  Message: Network connection on the client was lost or interrupted. Later attempts should succeed in a better network environment.
  Description: The network connection was lost while the updated download service URL was sent to the device. Specifically, a server with the specified hostname could not be found.

0x87D1313D (-2016333507)
  Message: Could not retrieve license for the app with iTunes Store ID.
  Description: Sync the associated VPP token, then sync the device with Intune. If the issue persists, remove the group assignment and reassign the VPP app as device-licensed. If the issue still persists, revoke the app license from the device by navigating to Apps > iOS > select VPP app > App licenses > select device, then revoke the license and try re-assigning the app to the user group or device group. If the issue still persists, revoke all VPP licenses for the device by going to Devices > iOS > select device > Overview > Revoke licenses, then retire the device and re-enroll it in Intune.

0x87D11388 (-2016341112)
  Message: iOS/iPadOS device is currently busy.
  Description: The device was busy, which resulted in an error. The device was locked; the user needs to unlock the device to install the app.

0x87D13B64 (-2016330908)
  Message: The app installation has failed.
  Description: An app installation failure occurred. iOS/iPadOS Console logs are needed to troubleshoot this error.

0x87D13B66 (-2016330906)
  Message: The app is managed, but has expired or been removed by the user.
  Description: Either the user explicitly uninstalled the app, or the app expired but failed to download, or the app detection does not match the response from the device. This error could also be caused by an iOS/iPadOS 9.2.2 platform bug.

0x87D13B60 (-2016330912)
  Message: The app is scheduled for installation, but needs a redemption code to complete the transaction.
  Description: This error typically occurs with paid iOS Store apps.

0x87D1041C (-2016345060)
  Message: The application was not detected after installation completed successfully.
  Description: The app detection process did not match the response from the device.

0x87D13B62 (-2016330910)
  Message: The user rejected the offer to install the app.
  Description: During the initial app install, the user clicked cancel. Ask the user to accept the install request the next time.

0x87D13B63 (-2016330909)
  Message: The user rejected the offer to update the app.
  Description: The end user clicked cancel during the update process. Deploy the app as required, or educate the user to accept the upgrade prompt.

0x87D103E8 (-2016345112)
  Message: Unknown error
  Description: An unknown app installation error occurred. This is the resulting error when no other error applies.

0x87D13B93 (-2016330861)
  Message: Can only install VPP apps on Shared iPad.
  Description: Apps must be obtained through the Apple Volume Purchase Program to be installed on a Shared iPad.

0x87D13B94 (-2016330860)
  Message: Can't install apps when App Store is disabled.
  Description: The App Store must be enabled for the user to install the app.

0x87D13B95 (-2016330859)
  Message: Can't find VPP license for app.
  Description: Try revoking and reassigning the app license.

0x87D13B96 (-2016330858)
  Message: Can't install system apps with your MDM provider.
  Description: Installing apps that are pre-installed by the iOS/iPadOS operating system is not a supported scenario.

0x87D13B97 (-2016330857)
  Message: Can't install apps when device is in Lost Mode.
  Description: All use of the device is blocked in Lost Mode. Disable Lost Mode to install apps.

0x87D13B98 (-2016330856)
  Message: Can't install apps when device is in kiosk mode.
  Description: Try adding this device to an exclude group for the kiosk mode configuration policy to install apps.

0x87D13B9C (-2016330852)
  Message: Can't install 32-bit apps on this device.
  Description: The device doesn't support installing 32-bit apps. Try deploying the 64-bit version of the app.

0x87D13B99 (-2016330855)
  Message: User must sign in to the App Store.
  Description: The user needs to sign in to the App Store before the app can be installed.

0x87D13B9A (-2016330854)
  Message: Unknown problem. Please try again.
  Description: The app installation failed for an unknown reason. Try again later.

0x87D13B9B (-2016330853)
  Message: The app installation failed. Intune will try again the next time the device syncs.
  Description: The app installation encountered a device error. Sync the device to try installing the app again.

0x87D13B7E (-2016330882)
  Message: License Assignment failed with Apple error 'No VPP licenses remaining'
  Description: This behavior is by design. To resolve it, purchase additional VPP licenses or reclaim licenses from users who are no longer targeted.

0x87D13B6E (-2016330898)
  Message: App Install Failure 12024: Unknown cause.
  Description: Apple hasn't given sufficient information to determine why the install failed. Nothing to report.

0x87D13B7F (-2016330881)
  Message: Needed app configuration policy not present, ensure policy is targeted to same groups.
  Description: The app requires app configuration, but no app configuration policy is targeted. Make sure the groups the app is targeted to also have the required app configuration policy targeted to them.

0x87D13B69 (-2016330903)
  Message: Device VPP licensing is only applicable for iOS/iPadOS 9.0+ devices.
  Description: Upgrade the affected devices to iOS/iPadOS 9.0 or later.

0x87D13B8F (-2016330865)
  Message: The application is installed on the device but is unmanaged.
  Description: This error only happens to LOB apps. The app was installed outside of Intune. To address it, uninstall the app from the device; at the next device sync, the device should install the app from Intune.

0x87D13B68 (-2016330904)
  Message: User declined app management
  Description: Ask the user to accept app management.

0x87D1279D (-2016335971)
  Message: Unknown error.
  Description: This error happens to iOS store apps, but the error scenario is unknown.

0x87D13B9D (-2016330851)
  Message: The latest version of the app failed to update from an earlier version.
  Description: This message is displayed if the app is installed and managed but the version on the device is incorrect, including when a device has received a command to update an app but the new version has not yet been installed and reported back. The error is reported at the first check-in after the upgrade has been deployed, and persists until the device reports that the new version is installed or fails with a different error.

0x87D13B6F (-2016330897)
  Message: Your connection to Intune timed out.
  Description: App manifest validation failed due to network connectivity (timeout).

0x87D13B70 (-2016330896)
  Message: You lost connection to the Internet.
  Description: App manifest validation failed due to network connectivity (cannot find host).

0x87D13B72 (-2016330894)
  Message: You lost connection to the Internet.
  Description: App manifest validation failed due to network connectivity (connection lost).

0x87D13B73 (-2016330893)
  Message: You lost connection to the Internet.
  Description: App manifest validation failed due to network connectivity (not connected to the Internet).

0x87D13B77 (-2016330889)
  Message: The secure connection failed.
  Description: App manifest validation failed due to network connectivity (secure connection failed).

0x87D13B80 (-2016330880)
  Message: CannotConnectToITunesStoreError
  Description: The app install failed because the device could not connect to the iTunes Store.

0x87D13B9F (-2016330849)
  Message: The VPP App has an update available
  Description: This code is returned when a VPP app is installed but a newer version is available.

0x87D13B9E (-2016330850)
  Message: Can't enforce app uninstall setting. Retry installing the app.
  Description: The app is already installed on the device, but the "uninstall on retire" setting does not match the configured value. Advise the user to request the app install from Company Portal to attempt applying the "uninstall on retire" setting again.

Other installation errors

Each entry lists the error code (hex and signed 32-bit decimal), the error message or code, and a description.

0x80073CFF (-2147009281)
  Message: (client error)
  Description: To install this app, you must have a sideloading-enabled system. Make sure that the app package is signed with a trusted signature and installed on a domain-joined device that has the AllowAllTrustedApps policy enabled, or on a device that has a Windows Sideloading license with the AllowAllTrustedApps policy enabled. For more information, see Troubleshooting packaging, deployment, and query of Windows Store apps.

0x80CF201C (-2133909476)
  Message: (client error)
  Description: To install this app, you must have a sideloading-enabled system. Make sure that the app package is signed with a trusted signature and installed on a domain-joined device that has the AllowAllTrustedApps policy enabled, or on a device that has a Windows Sideloading license with the AllowAllTrustedApps policy enabled. For more information, see Troubleshooting packaging, deployment, and query of Windows Store apps.

0x80073CF0 (-2147009296)
  Message: The package could not be opened.
  Description: Possible causes: the package is unsigned, or the publisher name does not match the signing certificate subject. Check the AppxPackagingOM event log for information. For more information, see Troubleshooting packaging, deployment, and query of Windows Store apps.

0x80073CF3 (-2147009293)
  Message: The package failed update, dependency, or conflict validation.
  Description: Possible causes: the incoming package conflicts with an installed package, a specified package dependency is not found, or the package does not support the correct processor architecture. Check the AppXDeployment-Server event log for information. For more information, see Troubleshooting packaging, deployment, and query of Windows Store apps.

0x80073CFB (-2147009285)
  Message: The provided package is already installed, and reinstallation of the package is blocked.
  Description: You could receive this error if you are installing a package that is not identical to the package that is already installed. Confirm that the digital signature is also part of the package. When a package is rebuilt or re-signed, that package is no longer bitwise identical to the previously installed package. Two possible options to fix this error: increment the version number of the app, then rebuild and re-sign the package; or remove the old package for every user on the system before you install the new package. For more information, see Troubleshooting packaging, deployment, and query of Windows Store apps.

0x87D1041C (-2016345060)
  Message: Application installation succeeded but application is not detected.
  Description: The app was deployed successfully by Intune, then subsequently uninstalled. Reasons for the app being uninstalled include: the end user uninstalled the app; the identity information in the package does not match what the device reports for the app; for self-updating MSIs, the product version does not match the information of the app after it is updated outside of Intune. Instruct the user to reinstall the app from the Company Portal. Note that required apps will be reinstalled automatically when the device next checks in.

0x8000FFFF (-2147418113)
  Message: An unexpected error occurred during installation.
  Description: Check the installation logs for additional information.
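Intune reports and the Company Portal logs often show these codes in their signed 32-bit decimal form, while vendor references quote the hex (HRESULT-style) form, so a mismatch between the two is easy to miss. The following Python is added here as a worked example; it is not part of the Intune documentation or Intune code. It converts between the two forms, splits a code into its HRESULT severity, facility and code fields, and checks that a list of (hex, decimal) pairs agrees with itself. The sample table in the block is constructed for this example, and its last row deliberately drops the sign so the check has something to report.

```python
"""Convert MDM error codes between hex (HRESULT-style) and signed 32-bit
decimal, and check a table of code pairs for consistency.

Added example for this page; not Intune documentation or Intune code.
"""


def hex_to_signed(code_hex: str) -> int:
    """'0xC7D14FB1' -> -942583887 (two's complement, 32 bits)."""
    value = int(code_hex, 16)  # accepts "0xC7D1..." or "C7D1...", any case
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit code: {code_hex}")
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def signed_to_hex(code_dec: int) -> str:
    """-942583887 -> '0xC7D14FB1' (upper-case, zero-padded to 8 digits)."""
    if not -0x8000_0000 <= code_dec <= 0x7FFF_FFFF:
        raise ValueError(f"not a signed 32-bit value: {code_dec}")
    return f"0x{code_dec & 0xFFFFFFFF:08X}"


def hresult_fields(code_hex: str) -> tuple[bool, int, int]:
    """Split a code into HRESULT fields: (is_failure, facility, code).

    Bit 31 is the severity bit (1 = failure), bits 16-26 the facility,
    bits 0-15 the code. Facility 7 (FACILITY_WIN32) means the low 16 bits
    are a plain Win32 error number, e.g. 0x80073CF0 -> Win32 error 15600.
    """
    value = hex_to_signed(code_hex) & 0xFFFFFFFF
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF


def check_table(rows):
    """Return (hex, listed_dec, expected_dec) for each row whose forms disagree."""
    mismatches = []
    for code_hex, listed_dec in rows:
        expected = hex_to_signed(code_hex)
        if listed_dec != expected:
            mismatches.append((code_hex, listed_dec, expected))
    return mismatches


# Constructed sample table (not copied from the page); the last row
# deliberately drops the minus sign to show what the check reports.
SAMPLE_ROWS = [
    ("0xC7D14FB1", -942583887),
    ("0x87D13B9B", -2016330853),
    ("0x80073CF0", -2147009296),
    ("0x87D13B9E", 2016330850),
]

if __name__ == "__main__":
    print(signed_to_hex(-942583887))        # 0xC7D14FB1
    print(hresult_fields("0x80073CF0"))     # (True, 7, 15600)
    for code_hex, listed, expected in check_table(SAMPLE_ROWS):
        print(f"{code_hex}: listed {listed}, expected {expected}")
```

For the 0x8007xxxx codes, facility 7 tells you the low 16 bits are an ordinary Win32 error number, which `certutil -error 0x80073CF0` on a Windows machine will translate to its message text; the 0x87D1xxxx and 0xC7D1xxxx codes share facility 0x7D1 and are specific to the Intune service.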

Next steps
For additional Intune troubleshooting information, see Use the troubleshooting portal to help users at your
company.
Learn about any known issues in Microsoft Intune. For more information, see Intune Customer Success.
Need extra help? See How to get support for Microsoft Intune.
Troubleshoot mobile application management
9/4/2020

This topic provides solutions to common problems that have occurred when using Intune App Protection (also
referred to as MAM or mobile application management).
If this information does not solve your problem, see How to get support for Microsoft Intune to find more ways to
get help.

Common IT administrator issues

These are common issues an IT administrator may experience when using Intune app protection policies.

Issue: Policy not applied to Skype for Business
  Description: An app protection policy without device enrollment, made in the Azure portal, is not applying to the Skype for Business app on iOS/iPadOS and Android devices.
  Resolution: Skype for Business must be set up for modern authentication. Follow the instructions in Enable your tenant for modern authentication to set up modern authentication for Skype.

Issue: Office app policy not applied
  Description: App protection policies are not applying to any supported Office app for any user.
  Resolution: Confirm that the user is licensed for Intune and that the Office apps are targeted by a deployed app protection policy. It can take up to 8 hours for a newly deployed app protection policy to be applied.

Issue: Admin can't configure app protection policy in Azure portal
  Description: An IT administrator user is unable to configure app protection policies in the Azure portal.
  Resolution: The following user roles have access to the Azure portal: Global administrator (set up in the Microsoft 365 admin center), Owner (set up in the Azure portal), and Contributor (set up in the Azure portal). Refer to Role-based administration control (RBAC) with Microsoft Intune for help setting up these roles.

Issue: User accounts missing from app protection policy reports
  Description: Admin console reports do not show user accounts to which app protection policy was recently deployed.
  Resolution: If a user is newly targeted by an app protection policy, it can take up to 24 hours for that user to show up in reports as a targeted user.

Issue: Policy changes not working
  Description: Changes and updates to app protection policy can take up to 8 hours to apply.
  Resolution: If applicable, the end user can log out of the app and log back in to force a sync with the service.

Issue: App protection policy not working with DEP
  Description: App protection policy is not applying to Apple DEP devices.
  Resolution: Ensure you are using User Affinity with Apple Device Enrollment Program (DEP). User Affinity is required for any app that requires user authentication under DEP. Refer to Automatically enroll iOS/iPadOS devices with Apple's Device Enrollment Program for more information on iOS/iPadOS DEP enrollment.

Issue: Data transfer policy not working with iOS/iPadOS
  Description: The Allow app to transfer data to other apps and Allow app to receive data from other apps policies do not successfully manage data transfer in iOS/iPadOS.
  Resolution: See How to manage data transfer between iOS/iPadOS apps in Microsoft Intune.

Common end-user issues

Common end-user issues are broken down into the following categories:
Normal usage scenarios: An end user might experience these scenarios in apps that have an Intune app protection policy. These are not actual issues, but may be perceived as bugs or errors.
Normal usage dialogs: These are usage dialogs an end user might see in apps that have an Intune app protection policy. These messages and dialogs do not indicate an error or bug.
Error messages and dialogs: These are error messages and dialogs an end user might see in apps that have an Intune app protection policy. These often indicate an error made by the IT administrator or a bug with Intune app protection.
Normal usage scenarios

Platform: iOS
  Scenario: The end user can use the iOS/iPadOS share extension to open work or school data in unmanaged apps, even with the data transfer policy set to Managed apps only or No apps. Doesn't this leak data?
  Explanation: Intune app protection policy cannot control the iOS/iPadOS share extension without managing the device. Therefore, Intune encrypts "corporate" data before sharing it outside the app. You can validate this by attempting to open the "corporate" file outside of the managed app: the file should be encrypted and unable to be opened outside the managed app.

Platform: iOS
  Scenario: Why is the end user prompted to install the Microsoft Authenticator app?
  Explanation: This is needed when app-based Conditional Access is applied; see Require approved client app.

Platform: Android
  Scenario: Why does the end user need to install the Company Portal app, even if I'm using MAM app protection without device enrollment?
  Explanation: On Android, much of the app protection functionality is built into the Company Portal app. Device enrollment is not required, even though the Company Portal app is always required. For app protection without enrollment, the end user just needs to have the Company Portal app installed on the device.

Platform: iOS/Android
  Scenario: App protection policy not applied on draft email in the Outlook app.
  Explanation: Since Outlook supports both corporate and personal contexts, it does not enforce MAM on draft email.

Platform: iOS/Android
  Scenario: App protection policy not applied on new documents in WXP (Word, Excel, PowerPoint).
  Explanation: Since WXP supports both corporate and personal contexts, it does not enforce MAM on new documents until they are saved in an identified corporate location like OneDrive.

Platform: iOS/Android
  Scenario: Apps not allowing Save As to local storage when the policy is enabled.
  Explanation: The app behavior for this setting is controlled by the app developer.

Platform: Android
  Scenario: Android has more restrictions than iOS/iPadOS on which "native" apps can access MAM-protected content.
  Explanation: Android is an open platform, and the "native" app association can be changed by the end user to potentially unsafe apps. Apply data transfer policy exceptions to exempt specific apps.

Platform: Android
  Scenario: Azure Information Protection (AIP) can Save as PDF when Save As is prevented.
  Explanation: AIP honors the MAM policy for 'Disable printing' when Save as PDF is used.

Platform: iOS
  Scenario: Opening PDF attachments in the Outlook app fails with "Action Not Allowed".
  Explanation: This can occur if the user has not authenticated to Acrobat Reader for Intune, or has used thumbprint to authenticate to their organization. Open Acrobat Reader beforehand and authenticate using UPN credentials.

Normal usage dialogs

Platform: iOS, Android
  Message or dialog: Sign-in: To protect its data, your organization needs to manage this app. To complete this action, sign in with your work or school account.
  Explanation: The end user must sign in with their work or school account in order to use this app, which requires an app protection policy. In order for the policy to apply, the user must authenticate against Azure Active Directory.

Platform: iOS, Android
  Message or dialog: Restart Required: Your organization is now protecting its data in this app. You need to restart the app to continue.
  Explanation: The app has just received an Intune app protection policy and must restart in order for the policy to apply.

Platform: iOS, Android
  Message or dialog: Action Not Allowed: Your organization only allows you to open work or school data in this app.
  Explanation: The IT administrator has set Allow app to receive data from other apps to Managed apps only. Therefore, the end user can only transfer data into this app from other apps that have an app protection policy.

Platform: iOS, Android
  Message or dialog: Action Not Allowed: Your organization only allows you to transfer its data to other managed apps.
  Explanation: The IT administrator has set Allow app to transfer data to other apps to Managed apps only. Therefore, the end user can only transfer data out of this app to other apps that have an app protection policy.

Platform: iOS, Android
  Message or dialog: Wipe Alert: Your organization has removed its data associated with this app. To continue, restart the app.
  Explanation: The IT administrator has initiated an app wipe using Intune app protection.

Platform: Android
  Message or dialog: Company Portal required: To use your work or school account with this app, you must install the Intune Company Portal app. Click "Go to store" to continue.
  Explanation: On Android, much of the app protection functionality is built into the Company Portal app. Device enrollment is not required, even though the Company Portal app is always required. For app protection without enrollment, the end user just needs to have the Company Portal app installed on the device.

Error messages and dialogs on iOS

Error message or dialog: App Not Set Up: This app has not been set up for you to use. Contact your IT administrator for help.
  Cause: Failure to detect a required app protection policy for the app.
  Remediation: Make sure an iOS app protection policy is deployed to the user's security group and targets this app.

Error message or dialog: Welcome to the Intune Managed Browser: This app works best when managed by Microsoft Intune. You can always use this app to browse the web, and when it is managed by Microsoft Intune you gain access to additional data protection features.
  Cause: Failure to detect a required app protection policy for the Intune Managed Browser app.
  Remediation: Make sure an iOS app protection policy is deployed to the user's security group and targets the Intune Managed Browser app. The user can still use the app to browse the web, but the app is not managed by Intune.

Error message or dialog: Sign-in Failed: We can't sign you in right now. Please try again later.
  Cause: Failure to enroll the user with the MAM service after the user attempts to sign in with their work or school account.
  Remediation: Make sure an iOS app protection policy is deployed to the user's security group and targets this app.

Error message or dialog: Account Not Set Up: Your organization has not set up your account to access work or school data. Please contact your IT administrator for help.
  Cause: The user account does not have an Intune license.
  Remediation: Make sure the user's account has an Intune license assigned in the Microsoft 365 admin center.

Error message or dialog: Device Non-Compliant: This app cannot be used because you are using a jailbroken device. Contact your IT administrator for help.
  Cause: Intune detected the user is on a jailbroken device.
  Remediation: Reset the device to default factory settings. Follow the instructions from the Apple support site.

Error message or dialog: Internet Connection Required: You must be connected to the Internet to verify that you can use this app.
  Cause: The device is not connected to the Internet.
  Remediation: Connect the device to a Wi-Fi or data network.

Error message or dialog: Unknown Failure: Try restarting this app. If the problem persists, contact your IT administrator for help.
  Cause: An unknown failure occurred.
  Remediation: Wait a while and try again. If the error persists, create a support ticket with Intune.

Error message or dialog: Accessing Your Organization's Data: The work or school account you specified does not have access to this app. You may have to sign in with a different account. Contact your IT administrator for help.
  Cause: Intune detected that the user attempted to sign in with a second work or school account that is different from the MAM-enrolled account for the device. Only one work or school account can be managed by MAM at a time per device.
  Remediation: Have the user sign in with the account whose username is pre-populated by the sign-in screen. You may need to configure the user UPN setting for Intune. Or, have the user sign in with the new work or school account and remove the existing MAM-enrolled account.

Error message or dialog: Connection Issue: An unexpected connection issue occurred. Check your connection and try again.
  Cause: Unexpected failure.
  Remediation: Wait a while and try again. If the error persists, create a support ticket with Intune.

Error message or dialog: Alert: This app can no longer be used. Contact your IT administrator for more information.
  Cause: Failure to validate the app's certificate.
  Remediation: Make sure the app version is up to date. Reinstall the app.

Error message or dialog: Error: This app has encountered a problem and must close. If this error persists, please contact your IT administrator.
  Cause: Failure to read the MAM app PIN from the Apple iOS Keychain.
  Remediation: Restart the device. Make sure the app version is up to date. Reinstall the app.

Error messages and dialogs on Android

Error message or dialog: App not set up: This app has not been set up for you to use. Contact your IT administrator for help.
  Cause: Failure to detect a required app protection policy for the app.
  Remediation: Make sure an Android app protection policy is deployed to the user's security group and targets this app.

Error message or dialog: Failed app launch: There was an issue launching your app. Try updating the app or the Intune Company Portal app. If you need help, contact your IT administrator.
  Cause: Intune detected a valid app protection policy for the app, but the app is crashing during MAM initialization.
  Remediation: Make sure the app version is up to date. Make sure the Intune Company Portal app is installed and up to date on the device. If the error persists, use the Company Portal app to send logs to Intune or create a support ticket.

Error message or dialog: No apps found: There are no apps on this device that your organization allows to open this content. Contact your IT administrator for help.
  Cause: The user tried to open work or school data with another app, but Intune cannot find any other managed apps that are allowed to open the data.
  Remediation: Make sure an Android app protection policy is deployed to the user's security group and targets at least one other MAM-enabled app that can open the data in question.

Error message or dialog: Sign-in failed: Try to sign in again. If this problem persists, contact your IT administrator for help.
  Cause: Failure to authenticate the account with which the user attempted to sign in.
  Remediation: Make sure the user signs in with the work or school account that is already enrolled with the Intune MAM service (the first work or school account that was successfully signed into in this app). Clear the app's data. Make sure the app version is up to date. Make sure the Company Portal version is up to date.

Error message or dialog: Internet connection required: You must be connected to the Internet to verify that you can use this app.
  Cause: The device is not connected to the Internet.
  Remediation: Connect the device to a Wi-Fi or data network.

Error message or dialog: Device noncompliant: This app can't be used because you are using a rooted device. Contact your IT administrator for help.
  Cause: Intune detected the user is on a rooted device.
  Remediation: Reset the device to default factory settings.

Error message or dialog: Account not set up: This app must be managed by Microsoft Intune, but your account has not been set up. Contact your IT administrator for help.
  Cause: The user account does not have an Intune license.
  Remediation: Make sure the user's account has an Intune license assigned in the Microsoft 365 admin center.

Error message or dialog: Unable to register the app: This app must be managed by Microsoft Intune, but we were unable to register this app at this time. Contact your IT administrator for help.
  Cause: Failure to automatically enroll the app with the MAM service when app protection policy is required.
  Remediation: Clear the app's data. Send logs to Intune through the Company Portal app or file a support ticket. For more information, see How to get support for Microsoft Intune.

Next steps
Validating your mobile application management setup
Learn how to use log files to troubleshoot Intune App Protection policy, see https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Troubleshooting-Intune-app-protection-policy-using/ba-p/330372
For additional Intune troubleshooting information, see Use the troubleshooting portal to help users at your
company.
Learn about any known issues in Microsoft Intune. For more information, see Known issues in Microsoft Intune.
Need extra help? See How to get support for Microsoft Intune.
Review client app protection logs
9/4/2020

Learn about the settings you can review in the app protection logs. Access logs by enabling Intune Diagnostics on
a mobile client.
The process to enable and collect logs varies by platform:
iOS/iPadOS devices - Use Microsoft Edge for iOS/iPadOS to collect logs. For details, see Use Edge for iOS
and Android to access managed app logs.
Windows 10 devices - Use MDMDiag and event logs. See, Diagnose MDM failures in Windows 10 in the
Windows client management content, and the blog Troubleshooting Windows 10 Intune Policy Failures.
Android devices - Use Microsoft Edge for Android to collect logs. For details, see Use Edge for iOS and
Android to access managed app logs.

NOTE
On Android Fully Managed devices, in certain instances the Intune Company Portal app may be visible under all
apps. This may happen when an app associated with an app protection policy is either not installed or not launched.

The following tables list the App protection policy setting name and supported values that are recorded in the log.
In addition, each setting identifies the policy setting found within Microsoft Endpoint Manager portal. For detailed
information on each setting, see iOS/iPadOS app protection policy settings and Android app protection policy
settings in Microsoft Intune.
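A practical use of these recorded values is to confirm that the policy a device actually received matches the policy you intended, rather than trusting the portal view alone. The following Python is added here as a worked example; it is not Intune code, the log excerpt in it is constructed, and the exact `Name = Value` line layout is an assumption about the log format. It decodes the numeric settings into the labels listed in the tables below and compares them against an example baseline (also an assumption, not an Intune default), flagging any setting that is weaker than expected, such as Send org data to other apps set to All apps.

```python
"""Decode Intune app protection policy values from a client log and audit
them against an expected baseline.

Added example for this page; not Intune code. The log excerpt and the
"Name = Value" line layout are constructed for the example.
"""
import re

# Value labels as documented in the iOS/iPadOS settings table on this page.
SETTING_VALUES = {
    "AppPinDisabled": {0: "Require", 1: "Not required"},
    "AppSharingFromLevel": {0: "None", 1: "Policy managed apps", 2: "All apps"},
    "AppSharingToLevel": {0: "None", 1: "Policy managed apps", 2: "All apps"},
    "ProtectManagedOpenInData": {0: "False", 1: "True"},
    "AuthenticationEnabled": {0: "Not required", 1: "Require"},
    "ClipboardSharingLevel": {0: "Blocked", 1: "Policy managed apps",
                              2: "Policy managed apps with paste in", 3: "Any app"},
    "ContactSyncDisabled": {0: "Allow", 1: "Block"},
    "DataBackupDisabled": {0: "Allow", 1: "Block"},
    "DeviceComplianceEnabled": {0: "False", 1: "True"},
    "DeviceComplianceFailureAction": {0: "Block access", 1: "Wipe data"},
    "FileEncryptionLevel": {0: "When device is locked",
                            1: "When device is locked and there are open files",
                            2: "After device restart", 3: "Use device settings"},
    "FileSharingSaveAsDisabled": {0: "Allow", 1: "Block"},
    "ManagedBrowserRequired": {0: "False", 1: "True"},
}

# Example baseline for a restrictive data-protection policy (an assumption
# for this example, not an Intune default). Numeric values as in the log.
EXPECTED_BASELINE = {
    "AppSharingFromLevel": 1,
    "AppSharingToLevel": 1,
    "ClipboardSharingLevel": 2,
    "FileSharingSaveAsDisabled": 1,
    "DataBackupDisabled": 1,
    "DeviceComplianceEnabled": 1,
    "AuthenticationEnabled": 1,
    "ManagedBrowserRequired": 1,
}

# Matches "SettingName = value" anywhere on a line (assumed log layout).
_SETTING_RE = re.compile(r"\b([A-Za-z]\w*)\s*=\s*(\S+)")


def parse_settings(log_text: str) -> dict:
    """Extract Name = Value pairs from log lines; numeric values become ints."""
    settings = {}
    for line in log_text.splitlines():
        match = _SETTING_RE.search(line)
        if not match:
            continue
        name, raw = match.groups()
        settings[name] = int(raw) if re.fullmatch(r"-?\d+", raw) else raw
    return settings


def label(name: str, value) -> str:
    """Human-readable label for a setting value, or the raw value if unknown."""
    return SETTING_VALUES.get(name, {}).get(value, str(value))


def decode(settings: dict) -> dict:
    """Map every parsed setting to its documented label."""
    return {name: label(name, value) for name, value in settings.items()}


def audit(settings: dict, expected: dict = EXPECTED_BASELINE) -> list:
    """Return (name, actual_label, expected_label) for every baseline deviation.

    A baseline setting absent from the log is reported as 'not recorded',
    since a missing setting is as much a finding as a wrong one.
    """
    findings = []
    for name, want in expected.items():
        if name not in settings:
            findings.append((name, "not recorded", label(name, want)))
        elif settings[name] != want:
            findings.append((name, label(name, settings[name]), label(name, want)))
    return findings


# Constructed log excerpt for this example (layout is an assumption).
SAMPLE_LOG = """\
2020-09-04 10:12:03 App protection policy received for user@example.com
2020-09-04 10:12:03 IntuneIdentityUPN = user@example.com
2020-09-04 10:12:03 AppSharingFromLevel = 1
2020-09-04 10:12:03 AppSharingToLevel = 2
2020-09-04 10:12:03 ClipboardSharingLevel = 3
2020-09-04 10:12:03 FileSharingSaveAsDisabled = 1
2020-09-04 10:12:03 DataBackupDisabled = 1
2020-09-04 10:12:03 DeviceComplianceEnabled = 1
2020-09-04 10:12:03 DeviceComplianceFailureAction = 0
2020-09-04 10:12:03 AuthenticationEnabled = 1
2020-09-04 10:12:03 ManagedBrowserRequired = 1
2020-09-04 10:12:03 AccessRecheckOnlineTimeout = 30
"""

if __name__ == "__main__":
    parsed = parse_settings(SAMPLE_LOG)
    for name, value in decode(parsed).items():
        print(f"{name}: {value}")
    for name, actual, want in audit(parsed):
        print(f"DEVIATION {name}: got '{actual}', expected '{want}'")
```

Run against the constructed excerpt, the audit reports two deviations: outbound sharing is set to All apps and the clipboard is open to Any app, both of which would let org data leave the managed app set. Point `parse_settings` at the text collected through Edge for iOS or Android, and adjust the regular expression if your collected log uses a different separator.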

iOS/iPadOS App protection policy settings

Each entry lists the setting name as recorded in the log, its value, and the corresponding section and setting in the Microsoft Endpoint Manager app protection policy.

AccessRecheckOfflineTimeout
  Value: x minutes
  Section: Conditional Launch
  Setting: Offline grace period with action Block access (minutes)

AccessRecheckOnlineTimeout
  Value: x minutes
  Section: Access requirements
  Setting: Recheck the access requirements after (minutes of inactivity)

AllowedOutboundClipboardSharingExceptionLength
  Value: x characters
  Section: Data protection
  Setting: Cut and copy character limit for any app

AppPinDisabled
  Value: 0 = Require; 1 = Not required
  Section: Access requirements
  Setting: App PIN when device PIN is set

AppSharingFromLevel
  Value: 0 = None; 1 = Policy managed apps; 2 = All apps
  Section: Data Protection
  Setting: Receive data from other apps

AppSharingToLevel
  Value: 0 = None; 1 = Policy managed apps; 2 = All apps
  Section: Data Protection
  Setting: Send org data to other apps

ProtectManagedOpenInData
  Value: 0 = False; 1 = True
  Section: Data Protection
  Setting: Send org data to other apps is set to Policy managed apps with Open-In/Share filtering when true

AuthenticationEnabled
  Value: 0 = Not required; 1 = Require
  Section: Access requirements
  Setting: Work or school account credentials for access

ClipboardSharingLevel
  Value: 0 = Blocked; 1 = Policy managed apps; 2 = Policy managed apps with paste in; 3 = Any app
  Section: Data Protection
  Setting: Restrict cut, copy, and paste between other apps

ContactSyncDisabled
  Value: 0 = Allow; 1 = Block
  Section: Data Protection
  Setting: Sync app with native contacts app

DataBackupDisabled
  Value: 0 = Allow; 1 = Block
  Section: Data Protection
  Setting: Prevent backups

DeviceComplianceEnabled
  Value: 0 = False; 1 = True
  Section: Conditional Launch
  Setting: Jailbroken/rooted devices

DeviceComplianceFailureAction
  Value: 0 = Block access; 1 = Wipe data
  Section: Conditional Launch
  Setting: Jailbroken/rooted devices

DisableShareSense
  Value: N/A
  Section/Setting: N/A; not actively used by the Intune service.

FileEncryptionLevel
  Value: 0 = When device is locked; 1 = When device is locked and there are open files; 2 = After device restart; 3 = Use device settings
  Section: Data Protection
  Setting: Encrypt org data

FileSharingSaveAsDisabled
  Value: 0 = Allow; 1 = Block
  Section: Data Protection
  Setting: Save copies of org data

IntuneIdentityUPN
  Value: UPN of the Intune MAM user
  Section/Setting: N/A

ManagedBrowserRequired
  Value: 0 = False; 1 = True
  Section: Data Protection
  Setting: Restrict web content transfer with other apps

ManagedLocations A value that represents the number of Section : Data Protection


managed storage locations to which Setting : Allow user to save copies to
the app can save data. selected services
1 = OneDrive
2 = SharePoint
3 = OneDrive and SharePoint
32 = Local Storage
33 = Local Storage & OneDrive
34 = Local Storage & SharePoint
35 = Local Storage, OneDrive, and
SharePoint

MinAppVersion "0.0" = no minimum app version Section : Conditional launch


anything else = minimum app version Setting : Min app version with action
Block access

MinAppVersionWarning "0.0" = no minimum app version. Section : Conditional launch


anything else = minimum app version Setting : Min app version with action
Warn

MinAppVersionWipe "0.0" = no minimum OS version Section : Conditional launch


anything else = minimum OS version Setting : Min app version with action
Wipe data

MinOsVersion "0.0" = no minimum OS version Section : Conditional launch


anything else = minimum OS version Setting : Min OS version with action
Block access

MinOsVersionWarning "0.0" = no minimum OS version Section : Conditional launch


anything else = minimum OS version Setting : Min OS version with action
Warn

MinOsVersionWipe "0.0" = no minimum OS version Section : Conditional launch


anything else = minimum OS version Setting : Min OS version with action
Wipe data

MinSDKVersion "0.0" = no minimum SDK version Section : Conditional launch


anything else = minimum OS version Setting : Min SDK version with action
Block access

MinSDKVersionWipe "0.0" = no minimum SDK version Section : Conditional launch


anything else = minimum OS version Setting : Min SDK version with action
Block access

NotificationRestriction 0 = Allow Section : Data Protection


1 = Block Org Data Setting : Org data notifications
2 = Block

PINCharacterType 0 = Passcode Section : Access requirements


1 = Numeric Setting : Pin type

PINEnabled 0 = Not required Section : Access requirements


1 = Require Setting : PIN for access
SET T IN G IN M IC RO SO F T EN DP O IN T
NAME VA L UE DETA IL S M A N A GER A P P P ROT EC T IO N P O L IC Y

PINMinLength x characters Section : Access requirements


Setting : Select minimum PIN length

PINNumRetry x attempts Section : Conditional launch


Setting : Max PIN attempts

MaxPinRetryExceededAction 0 = Reset PIN Section : Conditional launch


1 = Wipe data Setting : Max PIN attempts

PrintingBlocked 0 = Allow Section : Data Protection


1 = Block Setting : Printing org data

SimplePINAllowed 0 = Block Section : Access requirements


1 = Allow Setting : Simple PIN

TouchIDEnabled 0 = Block Section : Access requirements


1 = Allow Setting : Touch ID instead of PIN for
access (iOS 8+/iPadOS)

ThirdPartyKeyboardsBlocked 0 = Allow Section : Data Protection


1 = Block Setting : Third party keyboards

FaceIDEnabled 0 = Block Section : Access requirements


1 = Allow Setting : Face ID instead of PIN for
access (iOS 11+/iPadOS)

PINExpiryDays x characters Section : Access requirements


Setting : PIN reset after number of
days > Number of days

NonBioPassTimeOutRequired 0 = Not required Section : Access requirements


1 = Require Setting : Override Touch ID with PIN
after timeout

NonBioPassTimeOut x minutes Section : Access requirements


Setting : Override Touch ID with PIN
after timeout > Timeout (minutes of
inactivity)

DictationBlocked 0 = Allow No administration control for this


1 = Block setting.

OfflineWipeInterval x days Note : No admin control for this setting.

ProtocolExclusions 0 = Allow Section : Data Protection


1 = Block Setting : Select apps to exempt

EnableOpenInFilter 0 = Disabled Section : Data Protection


1 = Enabled Setting : Send Org data to other apps
> Policy managed apps with Open-
In/Share filtering
SET T IN G IN M IC RO SO F T EN DP O IN T
NAME VA L UE DETA IL S M A N A GER A P P P ROT EC T IO N P O L IC Y

MinimumRequiredDeviceThreatProtecti 0 = Not configured Section : Conditional launch


onLevel 1 = Secured Setting : Max allowed device threat
2 = Low level
3 = Medium
4 = High

MobileThreatDefenseRemediationAction 0 = Block access Section : Access requirements


1 = Wipe data Setting : Max allowed device threat
level action)

AllowedIOSModelsElseBlock x characters Section : Conditional launch


Setting : Device model(s) with action
Allow specified (Block non-specific)

AllowedIOSModelsElseWipe x characters Section : Conditional launch


Setting : Device model(s) with action
Allow specified (Wipe non-specific)

ProtectAllIncomingUnknownSourceDat N/A Note : Not actively used by Intune


a service.

Android App protection policy settings

Name | Value details | Setting in Microsoft Endpoint Manager app protection policy
AccessRecheckOfflineTimeout | x minutes | Section: Conditional Launch; Setting: Offline grace period with action Block access (minutes)
AccessRecheckOnlineTimeout | x minutes | Section: Access requirements; Setting: Recheck the access requirements after (minutes of inactivity)
AppPinDisabled | true = Require; false = Not required | Section: Access requirements; Setting: App PIN when device PIN is set
AllowedAndroidManufacturersElseBlock | Empty if not set, otherwise list of allowed manufacturers | Section: Conditional launch; Setting: Device manufacturers with action Allow specified (Block non-specified)
AllowedAndroidManufacturersElseWipe | Empty if not set, otherwise list of allowed manufacturers | Section: Conditional launch; Setting: Device manufacturers with action Allow specified (Wipe non-specified)
AllowedAndroidModelsElseBlock | Empty if not set, otherwise list of allowed models | No administration control for this setting.
AllowedAndroidModelsElseWipe | Empty if not set, otherwise list of allowed models | No administration control for this setting.
AndroidSafetyNetDeviceAttestationEnforcement | NOT_REQUIRED = not set; BASIC_INTEGRITY = Basic Integrity; BASIC_INTEGRITY_AND_DEVICE_CERTIFICATION = Basic Integrity and certified devices | Section: Conditional launch; Setting: SafetyNet device attestation
AndroidSafetyNetDeviceAttestationFailedAction | BLOCK = Block access; WARN = Warn; WIPE_DATA = Wipe Data | Section: Conditional launch; Setting: SafetyNet device attestation
AndroidSafetyNetVerifyAppsEnforcementType | NOT_REQUIRED = not set; REQUIRE_ENABLED = configured | Section: Conditional launch; Setting: Require threat scan on apps
AndroidSafetyNetVerifyAppsFailedAction | BLOCK = Block access; WARN = Warn | Section: Conditional launch; Setting: Require threat scan on apps
AppSharingFromLevel | BLOCKED = None; MANAGED = Policy Managed apps; UNRESTRICTED = All apps | Section: Data Protection; Setting: Receive data from other apps
AppSharingToLevel | BLOCKED = None; MANAGED = Policy Managed apps; UNRESTRICTED = All apps | Section: Data Protection; Setting: Send org data to other apps
AuthenticationEnabled | false = Not required; true = Require | Section: Access requirements; Setting: Work or school account credentials for access
BlockScreenCapture | false = Allow; true = Block | Section: Data Protection; Setting: Screen capture and Google Assistant
ClipboardCharacterExceptionLength | x characters | Section: Data protection; Setting: Cut and copy character limit for any app
ClipboardSharingLevel | BLOCKED = Blocked; MANAGED = Policy managed apps; MANAGED_PASTE_IN = Policy managed apps with paste in; UNMANAGED = Any app | Section: Data Protection; Setting: Restrict cut, copy, and paste between other apps
ConditionalEncryptionEnabled | false = Require; true = Not required | Section: Data Protection; Setting: Encrypt org data on enrolled devices
ContactSyncDisabled | false = Allow; true = Block | Section: Data Protection; Setting: Sync app with native contacts app
DataBackupDisabled | false = Allow; true = Block | Section: Data Protection; Setting: Prevent backups
DeviceComplianceEnabled | false = False; true = True | Section: Conditional Launch; Setting: Jailbroken/rooted devices
DeviceComplianceFailureAction | BLOCK = Block access; WIPE_DATA = Wipe data | Section: Conditional Launch; Setting: Jailbroken/rooted devices
DialerRestrictionLevel | 0 = None, do not transfer this data between apps; 1 = A specific dialer app; 2 = Any policy-managed dialer app; 3 = Any dialer app | Section: Data Protection; Setting: Transfer telecommunication data to
DictationBlocked | false = Allow; true = Block | No administration control for this setting.
FileEncryptionKeyLength | 128; 256 | No administration control for this setting.
FileSharingSaveAsDisabled | false = Allow; true = Block | Section: Data Protection; Setting: Save copies of org data
IntuneMAMPolicyVersion | version number | N/A
isManaged | true; false | N/A
KeyboardsRestricted | true = Required; false = Not required | Section: Data Protection; Setting: Approved keyboards
ManagedBrowserRequired | true = Microsoft Edge or Unmanaged browser; false = Any app | Section: Data Protection; Setting: Restrict web content transfer to other apps
ManagedLocations | A value that represents the number of managed storage locations to which the app can save data, separated by a semi-colon: ONEDRIVE_FOR_BUSINESS; SHAREPOINT; LOCAL | Section: Data Protection; Setting: Allow user to save copies to selected services
MaxPinRetryExceededAction | RESET_PIN = Reset PIN; WIPE_DATA = Wipe data | Section: Conditional launch; Setting: Max PIN attempts
MinAppVersion | "0.0" = no minimum app version; anything else = minimum app version | Section: Conditional launch; Setting: Min app version with action Block access
MinAppVersionWarning | "0.0" = no minimum app version; anything else = minimum app version | Section: Conditional launch; Setting: Min app version with action Warn
MinAppVersionWipe | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch; Setting: Min app version with action Wipe data
MinOsVersion | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch; Setting: Min OS version with action Block access
MinOsVersionWarning | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch; Setting: Min OS version with action Warn
MinOsVersionWipe | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch; Setting: Min OS version with action Wipe data
MinPatchVersion | "0000-00-00" = no minimum Patch version; anything else = minimum Patch version | Section: Conditional launch; Setting: Min Patch version with action Block access
MinPatchVersionWarning | "0000-00-00" = no minimum Patch version; anything else = minimum Patch version | Section: Conditional launch; Setting: Min Patch version with action Warn
MinPatchVersionWipe | "0000-00-00" = no minimum Patch version; anything else = minimum Patch version | Section: Conditional launch; Setting: Min Patch version with action Wipe data
MinimumRequiredCompanyPortalVersion | "0.0" = no minimum Company Portal version; anything else = minimum Company Portal version | Section: Conditional launch; Setting: Min Company Portal version with action Block access
MinimumRequiredDeviceThreatProtectionLevel | NOT_SET = not defined in the policy; SECURED = Secured; LOW = Low; MEDIUM = Medium; HIGH = High | Section: Conditional launch; Setting: Max allowed device threat level
MinimumWarningCompanyPortalVersion | "0.0" = no minimum Company Portal version; anything else = minimum Company Portal version | Section: Conditional launch; Setting: Min Company Portal version with action Warn
MinimumWipeCompanyPortalVersion | "0.0" = no minimum Company Portal version; anything else = minimum Company Portal version | Section: Conditional launch; Setting: Min Company Portal version with action Wipe data
MobileThreatDefenseRemediationAction | BLOCK = Block Access; WIPE_DATA = Wipe data | Section: Conditional launch; Setting: Max allowed device threat level
NonBioPassTimeOut | x minutes | Section: Access requirements; Setting: Override fingerprint with PIN after timeout > Timeout (minutes of inactivity)
NonBioPassTimeOutRequired | false = Not required; true = Require | Section: Access requirements; Setting: Override fingerprint with PIN after timeout
NotificationRestriction | UNRESTRICTED = Allow; BLOCK_ORG_DATA = Block Org Data; BLOCK = Block | Section: Data Protection; Setting: Org data notifications
PINCharacterType | PASSCODE = Passcode; NUMERIC = Numeric | Section: Access requirements; Setting: Pin type
PINEnabled | false = Not required; true = Require | Section: Access requirements; Setting: PIN for access
PINMinLength | x characters | Section: Access requirements; Setting: Select minimum PIN length
PINNumRetry | x attempts | Section: Conditional launch; Setting: Max PIN attempts
PackageExclusions | Empty if no bundle IDs are configured, otherwise bundle IDs separated by a semi-colon | Section: Data protection; Setting: Select apps to exempt
PinHistoryLength | x PIN values to maintain | Section: Access requirements; Setting: Select number of previous PIN values to maintain
PolicyCount | number | N/A
PrintingBlocked | false = Allow; true = Block | Section: Data Protection; Setting: Printing org data
RequireFileEncryption | false = Not required; true = Require | Section: Data Protection; Setting: Encrypt org data
SimplePINAllowed | false = Block; true = Allow | Section: Access requirements; Setting: Simple PIN
SpecificDialerDisplayName | Dialer app name | Section: Data Protection; Setting: Dialer app name
SpecificDialerPackageID | Dialer app bundle ID | Section: Data Protection; Setting: Dialer App Package ID
TouchIDEnabled | false = Block; true = Allow | Section: Access requirements; Setting: Fingerprint instead of PIN for access (Android 6.0+)
ThirdPartyKeyboardsBlocked | 0 = Allow; 1 = Block | Section: Data Protection; Setting: Third party keyboards
FaceIDEnabled | 0 = Block; 1 = Allow | Section: Access requirements; Setting: Face ID instead of PIN for access (iOS 11+/iPadOS)
PINExpiryDays | x characters | Section: Access requirements; Setting: PIN reset after number of days > Number of days
UnmanagedBrowserDisplayName | Unmanaged web browser display name | Section: Data protection; Setting: Unmanaged Browser name
UnmanagedBrowserPackageID | Unmanaged web browser package ID | Section: Data protection; Setting: Unmanaged Browser ID

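As an added example (not Microsoft's code), the following Python script decodes settings from both the iOS/iPadOS and Android tables above into their portal meanings, expands the iOS ManagedLocations flag sum and the Android semicolon list, and reports values that leave org data unprotected against a small example baseline. The "Name = value" line layout of the embedded sample logs, the sample values and the baseline are all constructed for this example; the setting names and value encodings come from the tables.

```python
# Added example (not Microsoft's code): decode Intune app protection policy settings
# as recorded in managed-app logs. Setting names and value encodings come from the
# iOS/iPadOS and Android tables in this article; the "Name = value" line layout of
# the sample logs is constructed, so adapt parse_log() to the log you collected.
import re
from typing import Dict, List, Tuple

# Per-platform value encodings for the settings this example audits (from the tables).
VALUE_MAPS = {
    "ios": {
        "PINEnabled": {"0": "Not required", "1": "Require"},
        "DeviceComplianceEnabled": {"0": "False", "1": "True"},
        "AppSharingToLevel": {"0": "None", "1": "Policy managed apps", "2": "All apps"},
        "ClipboardSharingLevel": {
            "0": "Blocked", "1": "Policy managed apps",
            "2": "Policy managed apps with paste in", "3": "Any app",
        },
    },
    "android": {
        "PINEnabled": {"false": "Not required", "true": "Require"},
        "DeviceComplianceEnabled": {"false": "False", "true": "True"},
        "AppSharingToLevel": {
            "BLOCKED": "None", "MANAGED": "Policy managed apps", "UNRESTRICTED": "All apps",
        },
        "ClipboardSharingLevel": {
            "BLOCKED": "Blocked", "MANAGED": "Policy managed apps",
            "MANAGED_PASTE_IN": "Policy managed apps with paste in", "UNMANAGED": "Any app",
        },
        "RequireFileEncryption": {"false": "Not required", "true": "Require"},
    },
}

# Decoded values that leave org data unprotected: an example baseline, not a Microsoft default.
WEAK_VALUES = {
    "PINEnabled": {"Not required"},
    "DeviceComplianceEnabled": {"False"},
    "AppSharingToLevel": {"All apps"},
    "ClipboardSharingLevel": {"Any app"},
    "RequireFileEncryption": {"Not required"},
}

# iOS logs ManagedLocations as a sum of flags: 1 = OneDrive, 2 = SharePoint, 32 = Local Storage.
IOS_LOCATION_FLAGS = ((1, "OneDrive"), (2, "SharePoint"), (32, "Local Storage"))


def decode_managed_locations(platform: str, raw: str) -> List[str]:
    """iOS: expand the flag sum (35 -> all three); Android: split the semicolon list."""
    if platform == "ios":
        value = int(raw)
        names = [name for bit, name in IOS_LOCATION_FLAGS if value & bit]
        unknown = value & ~sum(bit for bit, _ in IOS_LOCATION_FLAGS)
        if unknown:  # bits the table does not document are surfaced, not silently dropped
            names.append(f"unknown flags {unknown}")
        return names
    return [tok.strip() for tok in raw.split(";") if tok.strip()]


def parse_log(text: str) -> Dict[str, str]:
    """Collect 'Name = value' pairs; a later line for the same name overrides an earlier one."""
    settings: Dict[str, str] = {}
    for m in re.finditer(r"^\s*([A-Za-z]+)\s*=\s*(.+?)\s*$", text, re.MULTILINE):
        settings[m.group(1)] = m.group(2)
    return settings


def audit(platform: str, text: str) -> Tuple[Dict[str, object], List[str]]:
    """Return (decoded settings, findings) for one platform's log text."""
    maps = VALUE_MAPS[platform]
    decoded: Dict[str, object] = {}
    findings: List[str] = []
    for name, raw in parse_log(text).items():
        if name == "ManagedLocations":
            decoded[name] = decode_managed_locations(platform, raw)
        elif name in maps:  # settings outside the audited subset are left undecoded
            meaning = maps[name].get(raw)
            if meaning is None:
                findings.append(f"{name}: unrecognised value {raw!r}, check the table")
            else:
                decoded[name] = meaning
                if meaning in WEAK_VALUES.get(name, ()):
                    findings.append(f"{name} = {meaning}")
    return decoded, findings


# Constructed sample logs, not real Intune output.
IOS_SAMPLE = """
PINEnabled = 1
DeviceComplianceEnabled = 1
AppSharingToLevel = 2
ManagedLocations = 35
"""
ANDROID_SAMPLE = """
PINEnabled = false
AppSharingToLevel = MANAGED
ClipboardSharingLevel = MANAGED_PASTE_IN
RequireFileEncryption = true
ManagedLocations = ONEDRIVE_FOR_BUSINESS;LOCAL
"""

if __name__ == "__main__":
    for platform, sample in (("ios", IOS_SAMPLE), ("android", ANDROID_SAMPLE)):
        print(platform, *audit(platform, sample))
```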
Next steps
To learn more about app protection policies, see What are app protection policies?
Intune offers a number of tools to help you troubleshoot issues in your environment. For more information, see
Use the troubleshooting portal to help users.
Troubleshooting app protection policy deployment in
Intune
9/4/2020 • 11 minutes to read

Introduction
This article helps you understand and troubleshoot problems when you apply app protection policies in Microsoft
Intune. Follow the sections that apply to your situation.

Basic steps
Collect initial data
Before you begin troubleshooting, you should collect some basic information that can help you better understand
the problem and reduce the time to find a resolution.
Collect the following information:
What policy setting isn't applied? Is any policy applied?
What is the user experience? Have users installed and started the targeted app?
When did the problem start? Has app protection ever worked?
Which platform (Android or iOS) has the problem?
How many users are affected? Are all devices or only some devices affected?
How many devices are affected? Are all devices or only some devices affected?
Although Intune app protection policy doesn't require a mobile device management (MDM) service, are affected
users using Intune or a third-party EMM?
Are all managed apps or only specific apps affected? For example, are LOB apps that have Intune App SDK
affected but store apps are not?
Now, you can start troubleshooting based on the answers to these questions.
Verify prerequisites
The next step in troubleshooting is to check whether all prerequisites are met.
Although you can use Intune app protection policies independent of any MDM solution, the following prerequisites
must be met:
The user must have an Intune license assigned.
The user must belong to a security group that is targeted by an app protection policy. The same app
protection policy must target the specific app that's used.
For Android devices, the Company Portal app is required to receive app protection policies.
If you use Word, Excel, or PowerPoint apps, the following additional requirements must be met:
The user must have a license for Microsoft 365 Apps for business or enterprise linked to the user's Azure
Active Directory (Azure AD) account. The subscription must include the Office apps on mobile devices
and can include a cloud storage account with OneDrive for Business. Microsoft 365 licenses can be
assigned in the Microsoft 365 admin center by following these instructions.
The user must have a managed location that's configured by using the granular Save as functionality.
This command is located under the Save Copies of Org Data application protection policy setting. For
example, if the managed location is OneDrive, the OneDrive app should be configured in the user's Word,
Excel, or PowerPoint app.
If the managed location is OneDrive, the app must be targeted by the app protection policy that's
deployed to the user.

NOTE
The Office mobile apps currently support only SharePoint Online and not SharePoint on-premises.

If you use Intune app protection policies together with on-premises resources (Microsoft Skype for Business
and Microsoft Exchange Server), you must enable Hybrid Modern Authentication (HMA) for Skype for
Business and Exchange.
Intune app protection policies require that the identity of the user is consistent between the app and Intune App
SDK. The only way to guarantee this consistency is through modern authentication. There are scenarios in which
apps may work in an on-premises configuration without modern authentication. However, the outcomes are not
consistent or guaranteed.
For more information about how to enable HMA for Skype for Business hybrid and on-premises configurations, see
the following articles:
Hybrid
Hybrid Modern Auth for SfB and Exchange goes GA
On-premises
Modern Auth for SfB OnPrem with Azure AD
Check app protection policy status
To check your app protection status, follow these steps:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > Monitor > App protection status , and then select the Assigned users tile.
3. On the App reporting page, select Select user to bring up a list of users and groups.
4. Search for and select one of the affected users from the list, then select Select user . At the top of the App
reporting pane, you can see whether the user is licensed for app protection and has a license for Microsoft 365.
You can also see the app status for all the user's devices.
5. Make a note of such important information as the targeted apps, device types, policies, device check-in status,
and last sync time.

NOTE
App protection policies are applied only when apps are used in the work context. For example, when the user is accessing
apps by using a work account.

For more information, see How to validate your app protection policy setup in Microsoft Intune.
Verify that user identity is consistent between app and Intune App SDK
In most scenarios, users log in to their accounts by using their user principal name (UPN). However, in some
environments (such as on-premises scenarios), users might use some other form of sign-in credentials. In these
cases, you might find that the UPN that's used in the app doesn't match the UPN object in Azure AD. When this
issue occurs, app protection policies aren't applied as expected.
Microsoft's recommended best practices are to match the UPN to the primary SMTP address. This practice enables
users to log in to managed apps, Intune app protection, and other Azure AD resources by having a consistent
identity. For more information, see Azure AD UserPrincipalName population.
If your environment requires alternative sign-in methods, see Configuring Alternate Login ID, specifically Hybrid
Modern Authentication with Alternate-ID.
Verify that the user is targeted
Intune app protection policies must be targeted to users. If you don't assign an app protection policy to a user or
user group, the policy isn't applied.
To verify that the policy is applied to the targeted user, follow these steps:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > Monitor > App protection status , and then select the User status tile (based on device OS
platform). On the App reporting pane that opens, select Select user to search for a user.
3. Select the user from the list. You can see the details for that user.
When you assign the policy to a user group, make sure that the user is in the user group. To do this, follow these
steps:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Groups > All groups , and then search for and select the group that's used for your app protection
policy assignment.
3. Under the Manage section, select Members .
4. If the affected user isn't listed, review Manage app and resource access using Azure Active Directory groups and
your group membership rules. Make sure that the affected user is included in the group.
5. Make sure that the affected user isn't in any of the excluded groups for the policy.

IMPORTANT
The Intune app protection policy must be assigned to user groups and not device groups.
If the affected device uses Apple Device Enrollment Program (DEP), make sure that User Affinity is enabled. User Affinity
is required for any app that requires user authentication under DEP.
If the affected device uses Android Enterprise, only work profiles will support app protection policies.

Verify that the managed app is targeted


When you configure Intune app protection policies, the targeted apps must use Intune App SDK. Otherwise, app
protection policies may not work correctly.
Make sure that the targeted app is listed in Microsoft Intune protected apps. For LOB or custom apps, verify that the
apps use the latest version of Intune App SDK. Note the following:
For iOS, this practice is important because each version contains fixes that affect how these policies are applied and
how they function. For more information, see Intune App SDK iOS releases. For Android, this practice isn't as
important. However, users must have the latest version of the Company Portal app installed because the Company
Portal app works as the policy broker agent.

NOTE
Starting in September 2019, Intune will move to support iOS apps that have Intune App SDK 8.1.1 and later versions. Apps
built by using SDK versions that are earlier than 8.1.1 will no longer be supported.

More information
Special requirements for Intune MDM-managed devices
When you create an app protection policy, you can target it to all app types or to the following app types:
Apps on unmanaged devices
Apps on Intune-managed devices
Apps in the Android Work Profile

NOTE
To specify the app types, set Target to all app types to No , and then select from the App types list.

For iOS, the following additional app configuration settings are required to target app protection policy (APP)
settings to apps on Intune-enrolled devices:
IntuneMAMUPN must be configured for all MDM (Intune or a third-party EMM)-managed applications. For
more information, see Configure user UPN setting for Microsoft Intune or third-party EMM.
IntuneMAMDeviceID must be configured for all third-party and LOB MDM-managed applications.
IntuneMAMDeviceID must be configured as the device ID token. For example, key=IntuneMAMDeviceID,
value={{deviceID}}. For more information, see Add app configuration policies for managed iOS devices.
If only the IntuneMAMDeviceID value is configured, Intune APP will consider the device as unmanaged.
Scenario: Policy changes are not working
The Intune App SDK checks regularly for policy changes. However, this process may be delayed for any of the
following reasons:
The app hasn't checked in with the service.
The Company Portal app has been removed from the device.
Intune app protection policy relies on user identity. Therefore, a valid login that uses a work or school account to
the app and a consistent connection to the service are required. If the user hasn't signed in to the app, or the
Company Portal app has been removed from the device, policy updates won't apply.
Additionally, changes and updates to app protection policy can take up to 8 hours to apply. If applicable, closing all
apps and restarting the device usually forces the policy update to apply sooner.
To check app protection status, follow these steps:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > Monitor > App protection status , and then select the Assigned users tile.
3. On the App reporting page, select Select user to open a list of users and groups.
4. Search for and select one of the affected users from the list, then select Select user .
5. Review the policies that are currently applied, including the status and last sync time.
6. If the status is Not checked in , or if the display indicates that there has not been a recent sync, check whether
the user has a consistent network connection. For Android users, make sure that they have the latest version of
the Company Portal app installed.

IMPORTANT
The Intune App SDK checks every 30 minutes for selective wipe. However, changes to existing policy for users who are
already signed in may not appear for up to 8 hours. To speed up this process, have the user log out of the app and then log
back in or restart their devices.

Intune app protection policy includes multi-identity support. Intune can apply app protection policies to only the
work or school account that's signed in to the app. However, only one work or school account per device is
supported.
Scenario: The policy is applied, but iOS users can still transfer work files to unmanaged apps
The Open-in management feature for iOS devices can limit file transfers between apps that are deployed
through the MDM channel. The user may be able to transfer work files from managed locations such as OneDrive
and Exchange to unmanaged apps or locations, depending on the configuration. The iOS Open-in management
feature works outside other data transfer methods. Therefore, it isn't affected by Save as and Copy/Paste settings.
You can use Intune app protection policies together with the iOS Open-in management feature to protect
company data in the following manner:
Employee-owned devices that are not managed by an MDM solution : You can set the app
protection policy settings to Allow app to transfer data to only Policy Managed apps . Configured in
this way, the Open-in behavior in a policy-managed app provides only other policy-managed apps as
options for sharing. For example, if a user tries to send a protected file as an attachment from OneDrive in
the native mail app, that file is unreadable.
Devices that are managed by MDM solutions : For devices that are enrolled in Intune or third-party
MDM solutions, data sharing between apps by using app protection policies and other managed iOS apps
that are deployed through MDM is controlled by Intune APP and by the iOS Open-in management
feature.

To make sure that apps you deploy by using an MDM solution are also associated with your Intune app
protection policies, configure the user UPN setting as described in Configure user UPN setting.

To specify how you want to allow data transfer to other apps, enable Send Org data to other apps , and
then select your preferred level of sharing.

To specify how you want to allow an app to receive data from other apps, enable Receive data from other
apps , and then select your preferred level of receiving data.
For more information about how to receive and share app data, see Data relocation settings.
For more information, see How to manage data transfer between iOS apps in Microsoft Intune.

References
If you're still looking for a solution to a related problem, or for more information about Intune, post a question in
our Microsoft Intune forum. Many support engineers, MVPs, and members of our development team visit the
forums. So, there's a good chance that you can find someone who has the information that you need.
To open a support request for the Microsoft Intune product support team, see How to get support for Microsoft
Intune.
For more information about Intune app protection policy, see the following articles:
Troubleshoot mobile application management
Frequently asked questions about MAM and app protection
Support Tip: Troubleshooting Intune app protection policy using log files on local devices
For all the latest news, information, and tech tips, go to our official blogs:
The Microsoft Intune Support Team Blog
The Microsoft Enterprise Mobility and Security Blog

Next steps
For additional Intune troubleshooting information, see Use the troubleshooting portal to help users at your
company.
Learn about any known issues in Microsoft Intune. For more information, see Intune Customer Success.
Need extra help? See How to get support for Microsoft Intune.
Microsoft Intune App SDK overview
9/4/2020 • 4 minutes to read

The Intune App SDK, available for both iOS and Android, enables your app to support Intune app protection
policies. When your app has app protection policies applied to it, it can be managed by Intune and is
recognized by Intune as a managed app. The SDK strives to minimize the amount of code changes required
from the app developer. You'll find that you can enable most of the SDK's features without changing your app's
behavior. For enhanced end-user and IT administrator experience, you can utilize the SDK's APIs to customize
your app behavior to support features that require your app participation.
Once you have enabled your app to support Intune app protection policies, IT administrators can deploy these
policies to protect their corporate data within the app.

App protection features


The following are examples of Intune app protection features that can be enabled with the SDK.
Control users' ability to move corporate files
IT administrators can control where work or school data in the app can be moved. For instance, they can
deploy a policy that disables the app from backing up corporate data to the cloud.
Configure clipboard restrictions
IT administrators can configure the clipboard behavior in Intune-managed apps. For instance, they can deploy
a policy to prevent end users from cutting or copying data from the app and pasting into an unmanaged,
personal app.
Enforce encryption on saved data
IT administrators can enforce a policy that ensures that data saved to the device by the app is encrypted.
Remotely wipe corporate data
IT administrators can remotely wipe corporate data from an Intune-managed app. This feature is identity-
based and will only delete the files associated with the corporate identity of the end user. To do that, the feature
requires the app's participation. The app can specify the identity for which the wipe should occur based on
user settings. In the absence of these specified user settings from the app, the default behavior is to wipe the
application directory and notify the end user that access has been removed.
Enforce the use of a managed browser
IT administrators can force web links in the app to be opened with the Intune Managed Browser app. This
functionality ensures that links that appear in a corporate environment are kept within the domain of Intune-
managed apps.
Enforce a PIN policy
IT administrators can require the end-user to enter a PIN before accessing corporate data in the app. This
ensures that the person using the app is the same person who initially signed in with their work or school
account. When end users configure their PIN, the Intune App SDK uses Azure Active Directory to verify the
credentials of end-users against the enrolled Intune account.
Require users to sign in with a work or school account for app access
IT administrators can require users to sign in with their work or school account to access the app. The Intune
App SDK uses Azure Active Directory to provide a single sign-on experience, where the credentials, once
entered, are reused for subsequent logins. We also support authentication of identity management solutions
federated with Azure Active Directory.
Check device health and compliance
IT administrators can check the health of the device and its compliance with Intune policies before end users
access the app. On iOS/iPadOS, this policy checks whether the device has been jailbroken. On Android, this policy
checks whether the device has been rooted.
Support multi-identity
Multi-identity support is a feature of the SDK that enables coexistence of policy-managed (corporate) and
unmanaged (personal) accounts in a single app.
For example, many users configure both corporate and personal email accounts in the Office mobile apps for
iOS and Android. When a user accesses data with their corporate account, the IT administrator must be
confident that app protection policy will be applied. However, when a user is accessing a personal email
account, that data should be outside of the IT administrator's control. The Intune App SDK achieves this by
targeting the app protection policy to only the corporate identity in the app.
The multi-identity feature helps solve the data protection problem that organizations face with store apps that
support both personal and work accounts.
App protection without device enrollment

IMPORTANT
Intune app protection without device enrollment is available with the Intune App Wrapping Tools, Intune App SDK for
Android, Intune App SDK for iOS, and Intune App SDK Xamarin Bindings.

Many users with personal devices want to access corporate data without enrolling their personal device with a
Mobile Device Management (MDM) provider. Since MDM enrollment requires global control of the device,
users are often hesitant to give control of their personal device over to their company.
App protection without device enrollment allows the Microsoft Intune service to deploy app protection policy
to an app directly, without relying on a device management channel to deploy the policy.
On-demand application VPN connections with Citrix mVPN
You can manage devices and apps with a combination of Citrix XenMobile MDX and Microsoft Intune. This
combination means that you can manage apps with Intune app protection policy while using Citrix's mVPN
technology. The integration with Citrix is available for the Intune App SDK for iOS and Android, and with the
Intune App Wrapping Tool for iOS and Android (with the -citrix flag).
To learn more about Citrix MDX, see About the MDX Toolkit, Citrix MDX app wrapper for iOS, and the Citrix
MDX app wrapper for Android.

Next steps
Get started with the Microsoft Intune App SDK.
Get started with the Microsoft Intune App SDK
9/4/2020 • 10 minutes to read

This guide will help you quickly enable your mobile app to support app protection policies with Microsoft Intune.
You may find it useful to first understand the benefits of the Intune App SDK, as explained in the Intune App SDK
overview.
The Intune App SDK supports similar scenarios across iOS and Android, and is intended to create a consistent
experience across the platforms for IT admins. But there are small differences in the support of certain features,
because of platform differences and limitations.

Register your store app with Microsoft


If your app is internal to your organization and will not be publicly available:
You do not need to register your app. For internal line-of-business (LOB) apps that were written by or for your
company, the IT administrator will deploy the app internally. Intune will detect that the app has been built with
the SDK, and will let the IT administrator apply app protection policies to it. You can skip to the section Enable
your iOS or Android app for app protection policy.
If your app will be released to a public app store, like the Apple App Store or Google Play:
You must first register your app with Microsoft Intune and agree to the registration terms. IT administrators can
then apply an app protection policy to the managed app, which will be listed as an Intune protected partner app.
Until registration has been finished and confirmed by the Microsoft Intune team, Intune administrators will not
have the option to apply app protection policy to your app's deep link. Microsoft will also add your app to its
Microsoft Intune Partners page. There, the app's icon will be displayed to show that it supports Intune app
protection policies.
The registration process
To begin the registration process, and if you are not already working with a Microsoft contact, fill out the
Microsoft Intune App Partner Questionnaire.
We will use the email addresses listed in your questionnaire response to reach out and continue the registration
process. Additionally, we use your registration email address to contact you if we have any concerns.

NOTE
All information collected in the questionnaire and through email correspondence with the Microsoft Intune team will honor
the Microsoft Privacy Statement.

What to expect in the registration process :


1. After you have submitted the questionnaire, we will contact you via your registration email address, to
either confirm successful receipt or request additional information to finish the registration.
2. After we receive all necessary information from you, we will send you the Microsoft Intune App Partner
Agreement to sign. This agreement describes the terms that your company must accept before it becomes
a Microsoft Intune app partner.
3. You will be notified when your app is successfully registered with the Microsoft Intune service and when
your app is featured on the Microsoft Intune partners site.
4. Finally, your app's deep link will be added to the next monthly Intune Service update. For example, if the
registration information is finished in July, the deep link will be supported in mid-August.
The deep link is the link to your app's listing in the public app store. If your app's deep link changes in the future,
you will need to re-register your app.

NOTE
You must inform us if you update your app with a new version of the Intune App SDK.

Download the SDK files


The Intune App SDKs for native iOS and Android are hosted on a Microsoft GitHub account. These public
repositories have the SDK files for native iOS and Android, respectively:
Intune App SDK for iOS
Intune App SDK for Android
If your app is a Xamarin app, use this SDK variant:
Intune App SDK Xamarin Bindings
It's a good idea to sign up for a GitHub account that you can use to fork and pull from our repositories. GitHub
lets developers communicate with our product team, open issues and receive quick responses, view release
notes, and provide feedback to Microsoft. For questions on the Intune App SDK GitHub, contact
msintuneappsdk@microsoft.com.

Enable your iOS or Android app for app protection policy


You will need one of the following developer guides to help you integrate the Intune App SDK into your app:
Intune App SDK for iOS Developer Guide : This document will walk you step-by-step through
enabling your native iOS app with the Intune App SDK.
Intune App SDK for Android Developer Guide : This document will walk you step-by-step through
enabling your native Android app with the Intune App SDK.
Intune App SDK Xamarin Bindings guide : This document will help you build iOS and Android apps
using Xamarin for Intune app protection policies.

Enable your iOS or Android app for app based Conditional Access
In addition to enabling your app for app protection policy, the following is required for your app to properly
function with Azure Active Directory (AAD) app-based Conditional Access:
The app is built with the Azure Active Directory Authentication Library and enabled for AAD broker
authentication.
The AAD Client ID for your app must be unique across the iOS and Android platforms.

Configure Telemetry for your app


Microsoft Intune collects data on usage statistics for your app.
Intune App SDK for iOS : The SDK logs SDK telemetry data on usage events by default. This data is sent
to Microsoft Intune.
If you choose not to send SDK telemetry data to Microsoft Intune from your app, you must disable
telemetry transmission by setting the property MAMTelemetryDisabled to "YES" in the
IntuneMAMSettings dictionary.
Intune App SDK for Android : The Intune App SDK for Android does not control data collection from
your app. The Company Portal application logs telemetry data by default. This data is sent to Microsoft
Intune. As per Microsoft Policy, we do not collect any personally identifiable information (PII).
If end users choose not to send this data, they must turn off telemetry under Settings on the Company
Portal app. To learn more, see Turn off Microsoft usage data collection.

Line-of-business app version numbers


Line-of-business apps in Intune now display the version number for iOS and Android apps. The number displays
in the Azure portal in the app list and in the app overview blade. End users can see the app number in the
Company Portal app and in the web portal.
Full version number
The full version number identifies a specific release of the app. The number appears as Version(Build). For
example, 2.2(2.2.17560800).
The full version number has two components:
Version
The version number is the human-readable release number of the app. This is used by end users to
identify different releases of the app.
Build Number
The build number is an internal number that can be used in app detection and to programmatically
manage the app. The build number refers to an iteration of the app that references changes in the code.
Version and build number in Android and iOS
Android and iOS both use version and build numbers in reference to apps. However, both operating systems
have meanings that are OS-specific. The following table explains how these terms are related.
When you are developing a line-of-business application for use in Intune, remember to use both the version and
the build number. Intune App management features rely on a meaningful CFBundleVersion (for iOS) and
PackageVersionCode (for Android). These numbers are included in the app manifest.

INTUNE           iOS                          ANDROID              DESCRIPTION
Version number   CFBundleShortVersionString   PackageVersionName   This number indicates a specific release of the app for end users.
Build number     CFBundleVersion              PackageVersionCode   This number is used to indicate an iteration in the app code.

iOS
CFBundleShortVersionString
Specifies the release version number of the bundle. This number identifies a released version of the app. The
number is used by end users to reference the app.
CFBundleVersion
The build version of the bundle, which identifies an iteration of the bundle. The number may identify a
released or unreleased bundle. The number is used for app detection.
Android
PackageVersionName
The version number shown to users. This attribute can be set as a raw string or as a reference to a string
resource. The string has no other purpose than to be displayed to users.
PackageVersionCode
An internal version number. This number is used only to determine whether one version is more recent than
another, with higher numbers indicating more recent versions. This is not the version
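The following is an added example, not code from the Intune documentation: it reads the two numbers Intune relies on (CFBundleShortVersionString/CFBundleVersion on iOS, versionName/versionCode on Android) from a constructed Info.plist and a constructed, decoded AndroidManifest.xml, renders Intune's Version(Build) display form, and compares build numbers the way an upgrade check must (as integer components, not as strings). The bundle ID and package name are placeholders.

```python
"""Added example (not from the Intune docs): read the version and build numbers
Intune uses for LOB app detection, render the Version(Build) form, and compare
builds. Standard library only; the plist and manifest below are constructed."""
from __future__ import annotations

import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample Info.plist (what Payload/<App>.app/Info.plist in an .ipa carries).
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.lobapp",   # assumed bundle ID
    "CFBundleShortVersionString": "2.2",          # user-facing version
    "CFBundleVersion": "2.2.17560800",            # build number, used for detection
})

# Constructed sample AndroidManifest.xml (decoded text, not the binary form inside an .apk).
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lobapp"
    android:versionCode="17560800"
    android:versionName="2.2"/>
"""


def ios_versions(info_plist: bytes):
    """Return (version, build) = (CFBundleShortVersionString, CFBundleVersion)."""
    info = plistlib.loads(info_plist)
    return info["CFBundleShortVersionString"], info["CFBundleVersion"]


def android_versions(manifest_xml: bytes):
    """Return (versionName, versionCode) from a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return root.get(ANDROID_NS + "versionName"), int(root.get(ANDROID_NS + "versionCode"))


def full_version(version, build) -> str:
    """Intune's display form Version(Build), e.g. 2.2(2.2.17560800)."""
    return f"{version}({build})"


def build_key(build):
    """Comparable key for a build number. CFBundleVersion is period-separated
    integers; Android versionCode is one integer. Comparing integer tuples avoids
    the string-comparison trap where "1.0.10" sorts before "1.0.9"."""
    return tuple(int(part) for part in str(build).split("."))


def is_newer_build(candidate, installed) -> bool:
    """True if `candidate` would be detected as an upgrade over `installed`."""
    return build_key(candidate) > build_key(installed)


if __name__ == "__main__":
    v, b = ios_versions(SAMPLE_INFO_PLIST)
    print("iOS:", full_version(v, b))
    n, c = android_versions(SAMPLE_MANIFEST)
    print("Android:", full_version(n, c))
    print("1.0.10 newer than 1.0.9:", is_newer_build("1.0.10", "1.0.9"))
```

The key point is in build_key: if you compare CFBundleVersion values as plain strings, 1.0.10 sorts below 1.0.9 and detection will consider the newer build older, so always bump the build number and compare it numerically.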

Next steps after integration


Test your app
After you finish the necessary steps to integrate your iOS or Android app with the Intune App SDK, you will need
to ensure that all the app protection policies are enabled and functioning for the user and the IT admin. To test
your integrated app, you will need the following:
Microsoft Intune test account : To test your Intune-managed app against Intune app protection
features, you will need a Microsoft Intune account.
If you are an ISV enabling your iOS or Android store apps for Intune app protection policy, you will
receive a promo code after you finish the registration with Microsoft Intune, as outlined in the
registration step. The promo code will let you sign up for a Microsoft Intune trial for one year of
extended use.
If you are developing a line-of-business app that will not be shipped to the store, you are expected
to have access to Microsoft Intune through your organization. You can also sign up for a one-
month free trial in Microsoft Intune.
If you are testing your app on a mobile device using an end-user account, ensure that you have
assigned that account an Intune license in the Microsoft 365 admin center after signing in
with an admin account. See Assign Microsoft Intune license.
Intune app protection policies : To test your app against all the Intune app protection policies, you
should know what the expected behavior is for each policy setting. See the descriptions for iOS app
protection policies and Android app protection policies. If your app has integrated the Intune SDK, but is
not listed in the list of targetable apps, you can specify the app's bundle ID (iOS) or package name
(Android) in the text box when selecting 'Custom Apps'.
Troubleshoot : If you run into any issues while manually testing your app's installation user experience,
see Troubleshoot app installation issues.
Give your app access to the Intune app protection service (optional)
If your app is using its own custom Azure Active Directory (AAD) settings for authentication, then the following
steps should be taken for both public store apps, as well as internal LOB apps. The steps do not need to be
taken if your app is using the Intune SDK default client ID .
Once you have registered your app within an Azure tenant, and it is showing up under All Applications , you
must give your app access to the Intune app protection service (previously known as MAM service). In the Azure
portal:
1. Go to the Azure Active Director y blade.
2. Under App registrations , go to the listing set up for the application.
3. Click + Add a permission .
4. Click on the APIs my organization uses .
5. In the search box, enter Microsoft Mobile Application Management .
6. Under Delegated Permissions , select the DeviceManagementManagedApps.ReadWrite: Read and
Write the User's App Management Data checkbox.
7. Click Add permissions .

NOTE
If your app restricts you from signing in due to an error accessing this resource: https://intunemam.microsoftonline.com,
you must send a note to msintuneappsdk@microsoft.com with your app's Client ID. This is a manual approval process
today.

Badge your app (optional)


After validating that Intune app protection policies work in your app, you can badge your app icon with the
Intune app protection logo.
This badge indicates to IT administrators, end-users, and potential Intune customers that your app works with
Intune app protection policies. It encourages the usage and adoption of your app by Intune customers.
The badge is a briefcase icon and can be seen in the samples below:

What you'll need to badge your app :


An image manipulation application that can read .eps files, or an Adobe application that can read .ai files.
You can find the Intune app badge assets and guidelines on the Microsoft Intune GitHub.
Prepare line-of-business apps for app protection
policies
9/4/2020 • 4 minutes to read

You can enable your apps to use app protection policies by using either the Intune App Wrapping Tool or the
Intune App SDK. Use this information to learn about these two methods and when to use them.

Intune App Wrapping Tool


The App Wrapping Tool is used primarily for internal line-of-business (LOB) apps. The tool is a command-line
application that creates a wrapper around the app, which then allows the app to be managed by an Intune app
protection policy. When protecting an app provided by an independent software vendor (ISV) it's important to
clarify if the ISV will still support the wrapped app.
You don't need the source code to use the tool, but you do need signing credentials. For more about signing
credentials, see the Intune blog. For the App Wrapping Tool documentation, see Android App Wrapping Tool and
iOS App Wrapping Tool.
The App Wrapping Tool does not support apps in the Apple App Store or Google Play Store. It also doesn't
support certain features that require developer integration (see the following feature comparison table).
For more information about the App Wrapping Tool for app protection policies on devices that are not enrolled
in Intune, see Protect line-of-business apps and data on devices not enrolled in Microsoft Intune.
Reasons to use the App Wrapping Tool
Your app does not have built-in data protection features
Your app is deployed internally
You don't have access to the app's source code
You didn't develop the app
Your app has minimal user authentication experiences
Supported app development platforms
APP WRAPPING TOOL   XAMARIN                                          CORDOVA
iOS                 Yes                                              Yes
Android             No - use the Intune App SDK Xamarin Bindings.    Yes

Intune App SDK


The App SDK is designed mainly for customers who have apps in the Apple App Store or Google Play Store, and
want to be able to manage the apps with Intune. However, any app can take advantage of integrating the SDK,
even line-of-business apps.
To learn more about the SDK, see the Overview. To get started with the SDK, see Getting Started With the
Microsoft Intune App SDK.
Reasons to use the SDK
Your app does not have built-in data protection features
Your app is deployed on a public app store such as Google Play or Apple's App Store
You are an app developer and have the technical background to use the SDK
Your app has other SDK integrations
Your app is frequently updated
Supported app development platforms
INTUNE APP SDK      XAMARIN                                          CORDOVA
iOS                 Yes - use the Intune App SDK Xamarin Bindings.   No
Android             Yes - use the Intune App SDK Xamarin Bindings.   No

Not using an app development platform listed above?


The Intune SDK development team actively tests and maintains support for apps built with the native Android,
iOS (Obj-C, Swift), Xamarin, and Xamarin.Forms platforms. While some customers have had success with Intune
SDK integration with other platforms such as React Native and NativeScript, we do not provide explicit guidance
or plugins for app developers using anything other than our supported platforms.

Feature comparison
This table lists the settings that are enabled if an app uses the App SDK or the App Wrapping Tool. Some features
require app developers to apply some logic outside of basic integration with the Intune SDK, and as such, are not
enabled if the app uses the App Wrapping Tool.

FEATURE                                                                 APP SDK   APP WRAPPING TOOL
Restrict web content to display in a corporate managed browser          X         X
Prevent Android, iTunes, or iCloud backups                              X         X
Allow app to transfer data to other apps                                X         X
Allow app to receive data from other apps                               X         X
Restrict cut, copy, and paste with other apps                           X         X
Specify the number of characters that may be cut or copied from a
managed app                                                             X         X
Require simple PIN for access                                           X         X
Specify the number of attempts before PIN reset                         X         X
Allow fingerprint instead of PIN                                        X         X
Allow facial recognition instead of PIN (iOS only)                      X         X
Require corporate credentials for access                                X         X
Set a PIN expiry                                                        X         X
Block managed apps from running on jailbroken or rooted devices         X         X
Encrypt app data                                                        X         X
Recheck the access requirements after a specified number of minutes     X         X
Specify the offline grace period                                        X         X
Block screen capture (Android only)                                     X         X
Support for MAM without device enrollment                               X         X
Full Wipe of app data                                                   X         X
Selective Wipe of work and school data in Multi-Identity scenarios      X
    Note: For iOS/iPadOS, when the management profile is removed, the app is also removed.
Prevent "Save as"                                                       X
Targeted Application Configuration (or app config through the
"MAM channel")                                                          X         X
Support for Multi-Identity                                              X
Customizable Style                                                      X
On-demand application VPN connections with Citrix mVPN                  X         X
Disable contact sync                                                    X         X
Disable printing                                                        X         X
Require minimum app version                                             X         X
Require minimum operating system                                        X         X
Require minimum Android security patch version (Android only)           X         X
Require minimum Intune SDK for iOS (iOS only)                           X         X
SafetyNet device attestation (Android only)                             X         X
Threat scan on apps (Android only)                                      X         X
Require maximum Mobile Threat Defense vendor device risk level          X
Configure app notification content for organization accounts           X         X
Require use of approved keyboards (Android only)                        X         X
Require app protection policy (Conditional Access)                      X

Next steps
To learn more about app protection policies and Intune, see the following topics:
Android app wrapping tool
iOS app wrapping tool
Use the SDK to enable apps for mobile application management
Prepare iOS apps for app protection policies with the
Intune App Wrapping Tool
9/4/2020 • 23 minutes to read

Use the Microsoft Intune App Wrapping Tool for iOS to enable Intune app protection policies for in-house iOS
apps without changing the code of the app itself.
The tool is a macOS command-line application that creates a wrapper around an app. Once an app is processed,
you can change the app's functionality by deploying app protection policies to it.
To download the tool, see Microsoft Intune App Wrapping Tool for iOS on GitHub.

General prerequisites for the App Wrapping Tool


Before you run the App Wrapping Tool, you need to fulfill some general prerequisites:
Download the Microsoft Intune App Wrapping Tool for iOS from GitHub.
A macOS computer that runs OS X 10.8.5 or later and has the Xcode toolset version 9 or later installed.
The input iOS app must be developed and signed by your company or an independent software vendor
(ISV).
The input app file must have the extension .ipa or .app .
The input app must be compiled for iOS 11 or later.
The input app cannot be encrypted.
The input app cannot have extended file attributes.
The input app must have entitlements set before being processed by the Intune App Wrapping Tool.
Entitlements give the app additional permissions and capabilities beyond those typically granted. See
Setting app entitlements for instructions.

Apple Developer prerequisites for the App Wrapping Tool


To distribute wrapped apps exclusively to your organization's users, you need an account with the Apple Developer
Enterprise Program and several entities for app signing that are linked to your Apple Developer account.
To learn more about distributing iOS apps internally to your organization's users, read the official guide to
Distributing Apple Developer Enterprise Program Apps.
You will need the following to distribute apps wrapped by Intune:
A developer account with the Apple Developer Enterprise Program.
In-house and ad-hoc distribution signing certificate with valid Team Identifier.
You will need the SHA1 hash of the signing certificate as a parameter to the Intune App Wrapping Tool.
In-house distribution provisioning profile.
Steps to create an Apple Developer Enterprise account
1. Go to the Apple Developer Enterprise Program site.
2. In the top right of the page, click Enroll .
3. Read the checklist of what you need to enroll. Click Star t Your Enrollment at the bottom of the page.
4. Sign in with the Apple ID of your organization. If you don't have one, click Create Apple ID .
5. Select your Entity Type and click Continue .
6. Fill out the form with your organization's information. Click Continue . At this point, Apple contacts you to
verify that you are authorized to enroll your organization.
7. After verification, click Agree to License .
8. After agreeing to license, finish by purchasing and activating the program .
9. If you are the team agent (the person who joins the Apple Developer Enterprise Program on behalf of your
organization), build your team first by inviting team members and assigning roles. To learn how to manage
your team, read the Apple documentation on Managing Your Developer Account Team.
Steps to create an Apple signing certificate
1. Go to the Apple Developer portal.
2. In the top right of the page, click Account .
3. Sign in with your organizational Apple ID.
4. Click Cer tificates, IDs & Profiles .

5. Click the + (add) button in the top right corner to add an iOS certificate.


6. Choose to create an In-House and Ad Hoc certificate under Production .
NOTE
If you do not plan to distribute the app, and only want to test it internally, you can use an iOS App Development
certificate instead of a certificate for Production. If you use a development certificate, make sure the mobile
provisioning profile references the devices on which the app will be installed.

7. Click Next at the bottom of the page.


8. Read the instructions on creating a Cer tificate Signing Request (CSR) using the Keychain Access
application on your macOS computer.
9. Follow the instructions above to create a Certificate Signing Request. On your macOS computer, launch the
Keychain Access application.
10. On the macOS menu at the top of the screen, go to Keychain Access > Cer tificate Assistant >
Request a Cer tificate From a Cer tificate Authority .

11. Follow the instructions from the Apple developer site above on how to create a CSR file. Save the CSR file to
your macOS computer.
12. Return to the Apple developer site. Click Continue . Then upload the CSR file.
13. Apple generates your signing certificate. Download and save it to a memorable location on your macOS
computer.

14. Double-click the certificate file you just downloaded to add the certificate to a keychain.
15. Open Keychain Access again. Locate your certificate by searching for its name in the top right search bar.
Right-click on the item to bring up the menu and click Get Info . In the example screens, we are using a
development certificate instead of a production certificate.
16. An informational window appears. Scroll to the bottom and look under the Fingerprints label. Copy the
SHA1 string (blurred out) to use as the argument for "-c" for the App Wrapping Tool.

Steps to create an In-House Distribution Provisioning profile


1. Go back to the Apple Developer account portal and sign in with your organizational Apple ID.
2. Click Cer tificates, IDs & Profiles .

3. Click the + (add) button in the top right corner to add an iOS provisioning profile.
4. Choose to create an In House provisioning profile under Distribution .
5. Click Continue . Make sure to link the previously generated signing certificate to the provisioning profile.
6. Follow the steps to download your profile (with extension .mobileprovision) to your macOS computer.
7. Save the file in a memorable location. This file will be used for the -p parameter while using the App
Wrapping Tool.

Download the App Wrapping Tool


1. Download the files for the App Wrapping Tool from GitHub to a macOS computer.
2. Double-click Microsoft Intune App Wrapping Tool for iOS.dmg . A window with the End User License
Agreement (EULA) will appear. Read the document carefully.
3. Choose Agree to accept the EULA, which mounts the package on your computer.

Run the App Wrapping Tool


Use terminal
Open the macOS Terminal and run the following command:

/Volumes/IntuneMAMPackager/Contents/MacOS/IntuneMAMPackager \
    -i /<path of input app>/<app filename> \
    -o /<path to output folder>/<app filename> \
    -p /<path to provisioning profile> \
    -c <SHA1 hash of the certificate> \
    [-b [<output app build string>]] [-v] [-e] [-x /<array of extension provisioning profile paths>]

NOTE
Some parameters are optional as shown in the following table.
Example: The following example command runs the App Wrapping Tool on the app named MyApp.ipa. A
provisioning profile and SHA-1 hash of the signing certificate are specified and used to sign the wrapped app. The
output app (MyApp_Wrapped.ipa) is created and stored in your Desktop folder.

./IntuneMAMPackager/Contents/MacOS/IntuneMAMPackager \
    -i ~/Desktop/MyApp.ipa \
    -o ~/Desktop/MyApp_Wrapped.ipa \
    -p ~/Desktop/My_Provisioning_Profile_.mobileprovision \
    -c "12 A3 BC 45 D6 7E F8 90 1A 2B 3C DE F4 AB C5 D6 E7 89 0F AB" \
    -v true

Command-line parameters
You can use the following command line parameters with the App Wrapping Tool:

PROPERTY    HOW TO USE IT

-i          <Path of the input native iOS application file>. The file name must end in .app or .ipa.

-o          <Path of the wrapped output application>

-p          <Path of your provisioning profile for iOS apps>

-c          <SHA1 hash of the signing certificate>

-h          Shows detailed usage information about the available command line properties for the
            App Wrapping Tool.

-aa         (Optional) <Authority URI of the input app if the app uses the Azure Active Directory
            Authentication Library>, for example login.windows.net/common

-ac         (Optional) <Client ID of the input app if the app uses the Azure Active Directory
            Authentication Library>. This is the GUID shown in the Client ID field of your app's listing
            in the App registrations blade.

-ar         (Optional) <Redirect/Reply URI of the input app if the app uses the Azure Active Directory
            Authentication Library>. This is the Redirect URI configured in your App Registration.
            Typically it is the URL protocol of the application that the Microsoft Authenticator app
            returns to after brokered authentication.

-v          (Optional) Outputs verbose messages to the console. It is recommended to use this flag to
            debug any errors.

-e          (Optional) Use this flag to have the App Wrapping Tool remove missing entitlements as it
            processes the app. See Setting app entitlements for more details.

-xe         (Optional) Prints information about the iOS extensions in the app and what entitlements are
            required to use them. See Setting app entitlements for more details.

-x          (Optional) <An array of paths to extension provisioning profiles>. Use this if your app
            needs extension provisioning profiles.

-b          (Optional) Use -b without an argument if you want the wrapped output app to have the same
            bundle version as the input app (not recommended).
            Use -b <custom bundle version> if you want the wrapped app to have a custom
            CFBundleVersion. If you choose to specify a custom CFBundleVersion, it's a good idea to
            increment the native app's CFBundleVersion by the least significant component, like
            1.0.0 -> 1.0.1.

-citrix     (Optional) Include the Citrix XenMobile App SDK (network-only variant). You must have the
            Citrix MDX Toolkit installed to use this option.

-f          (Optional) <Path to a plist file specifying arguments.> Use this flag in front of the plist
            file if you choose to use the plist template to specify the rest of the IntuneMAMPackager
            properties like -i, -o, and -p. See Use a plist to input arguments.

Use a plist to input arguments


An easy way to run the App Wrapping Tool is to put all the command arguments into a plist file. Plist is a file
format similar to XML that you can use to input your command line arguments using a form interface.
In the IntuneMAMPackager/Contents/MacOS folder, open Parameters.plist (a blank plist template) with a text
editor or Xcode. Enter your arguments for the following keys:

PLIST KEY                                                  TYPE              DEFAULT VALUE   NOTES
Input Application Package Path                             String            empty           Same as -i
Output Application Package Path                            String            empty           Same as -o
Provisioning Profile Path                                  String            empty           Same as -p
SHA-1 Certificate Hash                                     String            empty           Same as -c
ADAL Authority                                             String            empty           Same as -aa
ADAL Client ID                                             String            empty           Same as -ac
ADAL Reply URI                                             String            empty           Same as -ar
Verbose Enabled                                            Boolean           false           Same as -v
Remove Missing Entitlements                                Boolean           false           Same as -e
Prevent Default Build Update                               Boolean           false           Equivalent to using -b without arguments
Build String Override                                      String            empty           The custom CFBundleVersion of the wrapped output app
Include Citrix XenMobile App SDK (network-only variant)    Boolean           false           Same as -citrix
Extension Provisioning Profile Paths                       Array of Strings  empty           An array of extension provisioning profiles for the app.

Run the IntuneMAMPackager with the plist as the sole argument:

./IntuneMAMPackager -f Parameters.plist
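A filled-in Parameters.plist, added here as an example and not taken from the Microsoft template or documentation, shows how the table above looks once the values are in place: strings use <string>, booleans use <true/> or <false/>, and the extension profile list is an <array>. The paths, hash, client ID and reply URI are placeholders you would replace with your own; absolute paths are used because tilde expansion is a shell feature and will not happen inside a plist value.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Required inputs (same as -i, -o, -p, -c). Placeholder paths and hash. -->
    <key>Input Application Package Path</key>
    <string>/Users/builder/Desktop/MyApp.ipa</string>
    <key>Output Application Package Path</key>
    <string>/Users/builder/Desktop/MyApp_Wrapped.ipa</string>
    <key>Provisioning Profile Path</key>
    <string>/Users/builder/Desktop/My_Provisioning_Profile_.mobileprovision</string>
    <key>SHA-1 Certificate Hash</key>
    <string>12A3BC45D67EF8901A2B3CDEF4ABC5D6E7890FAB</string>

    <!-- Only needed when the input app already uses ADAL (same as -aa, -ac, -ar).
         The client ID and reply URI below are placeholders, not real registrations. -->
    <key>ADAL Authority</key>
    <string>login.windows.net/common</string>
    <key>ADAL Client ID</key>
    <string>00000000-0000-0000-0000-000000000000</string>
    <key>ADAL Reply URI</key>
    <string>myapp://auth</string>

    <!-- Booleans are written as empty elements, not as the strings "true"/"false". -->
    <key>Verbose Enabled</key>
    <true/>
    <key>Remove Missing Entitlements</key>
    <false/>
    <key>Prevent Default Build Update</key>
    <false/>
    <!-- Bump only the least significant component of the native CFBundleVersion. -->
    <key>Build String Override</key>
    <string>1.0.1</string>
    <key>Include Citrix XenMobile App SDK (network-only variant)</key>
    <false/>

    <!-- One profile per app extension that ships inside the .ipa (same as -x). -->
    <key>Extension Provisioning Profile Paths</key>
    <array>
        <string>/Users/builder/Desktop/MyApp_ShareExtension.mobileprovision</string>
    </array>
</dict>
</plist>
```

Keep Remove Missing Entitlements at false unless you have confirmed from the tool's entitlement error which entitlements would be dropped; the flag strips capabilities the app may depend on.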

Post-wrapping
After the wrapping process completes, the message "The application was successfully wrapped" will be displayed.
If an error occurs, see Error messages for help.
The wrapped app is saved in the output folder you specified previously. You can upload the app to the Intune
admin console and associate it with a mobile application management policy.

IMPORTANT
When uploading a wrapped app, you can try to update an older version of the app if an older (wrapped or native) version
was already deployed to Intune. If you experience an error, upload the app as a new app and delete the older version.

You can now deploy the app to your user groups and target app protection policies to the app. The app will run on
the device using the app protection policies you specified.

How often should I rewrap my iOS application with the Intune App Wrapping Tool?
The main scenarios in which you would need to rewrap your applications are as follows:
The application itself has released a new version. The previous version of the app was wrapped and uploaded
to the Intune console.
The Intune App Wrapping Tool for iOS has released a new version that enables key bug fixes, or new, specific
Intune application protection policy features. New versions are released roughly every 6-8 weeks through the
GitHub repo for the Microsoft Intune App Wrapping Tool for iOS.
For iOS/iPadOS, while it is possible to wrap with a different cert/provisioning profile than the one originally used to
sign the app, wrapping will fail if the entitlements specified in the app are not included in the new provisioning
profile. Using the "-e" command-line option, which removes any missing entitlements from the app, to force
wrapping to succeed in this scenario can break functionality in the app.
Some best practices for rewrapping include:
Ensuring that a different provisioning profile has all the required entitlements as any previous provisioning
profile.

Error messages and log files


Use the following information to troubleshoot issues you have with the app wrapping tool.
Error messages
If the app wrapping tool fails to finish successfully, one of the following error messages will be displayed in the
console:

Error message: You must specify a valid iOS provisioning profile.
More information: Your provisioning profile might not be valid. Check to make sure you have the correct permissions for devices and that your profile is correctly targeting development or distribution. Your provisioning profile might also be expired.

Error message: Specify a valid input application name.
More information: Make sure that the input application name you specified is correct.

Error message: Specify a valid path to the output application.
More information: Make sure that the path to the output application you specified exists, and is correct.

Error message: Specify a valid input provisioning profile.
More information: Make sure you supplied a valid provisioning profile name and extension. Your provisioning profile might be missing entitlements, or you might not have included the -p command line option.

Error message: The input application you specified was not found. Specify a valid input application name and path.
More information: Make sure your input app path is valid and exists. Make sure the input app exists at that location.

Error message: The input provisioning profile file you specified was not found. Specify a valid input provisioning profile file.
More information: Make sure that the path to the input provisioning file is valid and that the file you specified exists.

Error message: The output application folder you specified was not found. Specify a valid path to the output application.
More information: Make sure that the output path you specified is valid and exists.

Error message: Output app does not have .ipa extension.
More information: Only apps with the .app and .ipa extensions are accepted by the App Wrapping Tool. Make sure your output file has a valid extension.

Error message: An invalid signing certificate was specified. Specify a valid Apple signing certificate.
More information: Make sure you've downloaded the correct signing certificate from the Apple developer portal. Your certificate might be expired or might be missing a public or private key. If your Apple certificate and provisioning profile can be used to correctly sign an app within Xcode, then they are valid for the App Wrapping Tool.

Error message: The input application you specified is invalid. Specify a valid application.
More information: Make sure you have a valid iOS application that has been compiled as an .app or .ipa file.

Error message: The input application you specified is encrypted. Specify a valid unencrypted application.
More information: The App Wrapping Tool does not support encrypted apps. Provide an unencrypted app.

Error message: The input application you specified is not in a Position Independent Executable (PIE) format. Specify a valid application in PIE format.
More information: Position Independent Executable (PIE) apps can be loaded at a random memory address when run. This can have security benefits. For more about security benefits, see your Apple Developer documentation.

Error message: The input app you specified has already been wrapped. Specify a valid unwrapped application.
More information: You cannot process an app that has already been processed by the tool. If you want to process an app again, run the tool using the original version of the app.

Error message: The input application you specified is not signed. Specify a valid signed application.
More information: The app wrapping tool requires apps to be signed. Consult your developer documentation to learn how to sign a wrapped app.

Error message: The input application you specified must be in the .ipa or .app format.
More information: Only .app and .ipa extensions are accepted by the app wrapping tool. Make sure your input file has a valid extension and has been compiled as a .app or .ipa file.

Error message: The input app you specified has already been wrapped and is on the latest policy template version.
More information: The App Wrapping Tool will not rewrap an existing wrapped app with the latest policy template version.

Error message: WARNING: You did not specify a SHA1 certificate hash. Make sure that your wrapped application is signed before deploying.
More information: Ensure that you specify a valid SHA1 hash following the -c command line flag.

Collecting logs for your wrapped applications from the device


Use the following steps to get logs for your wrapped applications during troubleshooting.
1. Go to the iOS Settings app on your device and select your LOB app.
2. Toggle the Diagnostics Console to On .
3. Launch your LOB application.
4. Click on the "Get Started" link.
5. You can now share logs through email or copying them to a OneDrive location.

NOTE
The logging functionality is enabled for apps that have wrapped with the Intune App Wrapping Tool version 7.1.13 or above.

Collecting crash logs from the system


Your app may be logging useful information to the iOS client device console. This information is useful when you
are having problems with the application and need to determine if the issue is related to the App Wrapping Tool or
the app itself. To retrieve this information, use the following steps:
1. Reproduce the issue by running the app.
2. Collect the console output by following Apple's instructions for Debugging Deployed iOS Apps.
Wrapped apps will also present users the option to send logs directly from the device via email after the app
crashes. Users can send the logs to you to examine and forward to Microsoft if necessary.
Certificate, provisioning profile, and authentication requirements
The App Wrapping Tool for iOS has some requirements that must be met in order to guarantee full functionality.

Requirement: iOS provisioning profile
Details: Make sure that the provisioning profile is valid before you include it. The App Wrapping Tool does not check whether the provisioning profile is expired when processing an iOS app. If an expired provisioning profile is specified, the app wrapping tool will include the expired provisioning profile, and you will not know there is a problem until the app fails to install on an iOS device.

Requirement: iOS signing certificate
Details: Make sure that the signing certificate is valid before you specify it. The tool does not check whether a certificate is expired when processing iOS apps. If the hash for an expired certificate is provided, the tool will process and sign the app, but it will fail to install on devices.
Make sure that the certificate provided for signing the wrapped app has a match in the provisioning profile. The tool does not validate if the provisioning profile has a match for the certificate provided for signing the wrapped application.

Requirement: Authentication
Details: A device must have a PIN for encryption to work. On devices to which you have deployed a wrapped app, touching the status bar on the device will require the user to sign in again with a work or school account. The default policy in a wrapped app is authentication on re-launch. iOS handles any external notification (like a phone call) by exiting the app and then re-launching it.

Setting app entitlements


Before wrapping your app, you can grant entitlements to give the app additional permissions and capabilities that
exceed what an app can typically do. An entitlement file is used during code signing to specify special permissions
within your app (for example, access to a shared keychain). Specific app services called capabilities are enabled
within Xcode during app development. Once enabled, the capabilities are reflected in your entitlements file. For
more information about entitlements and capabilities, see Adding Capabilities in the iOS Developer Library. For a
complete list of supported capabilities, see Supported capabilities.
Supported capabilities for the App Wrapping Tool for iOS

Capability: App groups
Description: Use app groups to allow multiple apps to access shared containers and allow additional interprocess communication between apps. To enable app groups, open the Capabilities pane and click ON in App Groups. You can add app groups or select existing ones.
Recommended guidance: When using App Groups, use reverse DNS notation: group.com.companyName.AppGroup

Capability: Background modes
Description: Enabling background modes lets your iOS app continue running in the background.

Capability: Data protection
Description: Data protection adds a level of security to files stored on disk by your iOS app. Data protection uses the built-in encryption hardware present on specific devices to store files in an encrypted format on disk. Your app needs to be provisioned to use data protection.

Capability: In-app purchase
Description: In-app purchase embeds a store directly into your app by enabling you to connect to the store and securely process payments from the user. You can use in-app purchase to collect payment for enhanced functionality or for additional content usable by your app.

Capability: Keychain sharing
Description: Enabling keychain sharing lets your app share passwords in the keychain with other apps developed by your team.
Recommended guidance: When using keychain sharing, use reverse DNS notation: com.companyName.KeychainGroup

Capability: Personal VPN
Description: Enable personal VPN to allow your app to create and control a custom system VPN configuration using the Network Extension framework.

Capability: Push notifications
Description: Apple Push Notification service (APNs) lets an app that isn't running in the foreground notify the user that it has information for the user.
Recommended guidance: For push notifications to work, you need to use an app-specific provisioning profile. Follow the steps in the Apple developer documentation.

Capability: Wireless accessory configuration
Description: Enabling wireless accessory configuration adds the External Accessory framework to your project and lets your app set up MFi Wi-Fi accessories.

Steps to enable entitlements


1. Enable capabilities in your app:
a. In Xcode, go to your app's target, and click Capabilities .
b. Turn on the appropriate capabilities. For detailed information about each capability and how to determine
the correct values, see Adding Capabilities in the iOS Developer Library.
c. Note any IDs that you created during the process. These may also be referred to as the
AppIdentifierPrefix values.

d. Build and sign your app to be wrapped.


2. Enable entitlements in your provisioning profile:
a. Sign in to the Apple Developer Member Center.
b. Create a provisioning profile for your app. For instructions, see How to Obtain the Prerequisites for the
Intune App Wrapping Tool for iOS.
c. In your provisioning profile, enable the same entitlements that you have in your app. You will need to
supply the same IDs (the AppIdentifierPrefix values) that you specified during the development of your
app.
d. Finish the provisioning profile wizard and download your file.
3. Ensure that you have satisfied all the prerequisites, and then wrap the app.
Troubleshoot common errors with entitlements
If the App Wrapping Tool for iOS shows an entitlement error, try the following troubleshooting steps.

Issue: Failed to parse entitlements generated from the input application.
Cause: The App Wrapping Tool cannot read the entitlements file that was extracted from the app. The entitlements file might be malformed.
Resolution: Inspect the entitlements file for your app. The following instructions explain how to do so. When inspecting the entitlements file, check for any malformed syntax. The file should be in XML format.

Issue: Entitlements are missing in the provisioning profile (missing entitlements are listed). Repackage the app with a provisioning profile that has these entitlements.
Cause: There is a mismatch between the entitlements enabled in the provisioning profile and the capabilities enabled in the app. This mismatch also applies to the IDs associated with particular capabilities (like app groups and keychain access).
Resolution: Generally, you can create a new provisioning profile that enables the same capabilities as the app. When IDs between the profile and app don't match, the App Wrapping Tool will replace the IDs if it is able to. If you still get this error after creating a new provisioning profile, you can try removing entitlements from the app by using the -e parameter (see the section Remove entitlements from an app by using the -e parameter).

Find the existing entitlements of a signed app


To review the existing entitlements of a signed app and provisioning profile:
1. Find the .ipa file and change its extension to .zip.
2. Expand the .zip file. This will produce a Payload folder containing your .app bundle.
3. Use the codesign tool to check the entitlements on the .app bundle, where YourApp.app is the actual name
of your .app bundle:

codesign -d --entitlements :- "Payload/YourApp.app"

4. Use the security tool to check the entitlements of the app's embedded provisioning profile, where
YourApp.app is the actual name of your .app bundle:

security cms -D -i "Payload/YourApp.app/embedded.mobileprovision"
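The two commands above give you the raw material for the checks the requirements section says the tool does not perform: profile expiry, whether the certificate behind the -c hash is actually in the profile, and whether the profile grants every entitlement the app carries (including the IDs for keychain and app groups). The script below is an added example, not part of the Microsoft documentation or of the App Wrapping Tool; it takes the XML that codesign and security cms print, plus the SHA-1 hash you plan to pass with -c, and reports what would make wrapping fail or the wrapped app fail to install. The entitlements, profile and certificate bytes embedded in it are constructed for illustration and are not a real app, profile or certificate.

```python
"""Pre-wrap checks for App Wrapping Tool inputs (added example, not Microsoft code).

Inputs are the XML printed by
  codesign -d --entitlements :- Payload/YourApp.app
  security cms -D -i Payload/YourApp.app/embedded.mobileprovision
and the SHA-1 hash you intend to pass to -c.
"""
import datetime
import fnmatch
import hashlib
import plistlib


def _granted(app_value, profile_value):
    """True if the profile value covers the app value; profile strings may be wildcards."""
    prof = profile_value if isinstance(profile_value, list) else [profile_value]
    apps = app_value if isinstance(app_value, list) else [app_value]
    return all(any(fnmatch.fnmatchcase(str(a), str(p)) for p in prof) for a in apps)


def check_wrap_inputs(entitlements_xml, profile_xml, cert_sha1, now=None):
    """Compare app entitlements, decoded provisioning profile and the -c hash; return findings."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    app_ent = plistlib.loads(entitlements_xml)
    profile = plistlib.loads(profile_xml)
    prof_ent = profile.get("Entitlements", {})
    findings = {"missing_entitlements": [], "mismatched_entitlements": []}

    # 1. Expiry: the tool embeds an expired profile silently and the app then fails to install.
    expires = profile["ExpirationDate"]  # plistlib returns a naive datetime in UTC
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=datetime.timezone.utc)
    findings["profile_expired"] = expires <= now

    # 2. Certificate: -c is the SHA-1 fingerprint of the DER certificate, and the profile
    #    lists the DER certificates it was issued for under DeveloperCertificates.
    wanted = cert_sha1.replace(" ", "").upper()
    fingerprints = {hashlib.sha1(der).hexdigest().upper()
                    for der in profile.get("DeveloperCertificates", [])}
    findings["cert_in_profile"] = wanted in fingerprints

    # 3. Entitlements: every key in the app must exist in the profile, and list-valued keys
    #    (keychain groups, app groups) must match the profile's values or wildcards.
    for key, value in app_ent.items():
        if key not in prof_ent:
            findings["missing_entitlements"].append(key)
        elif not _granted(value, prof_ent[key]):
            findings["mismatched_entitlements"].append(key)

    findings["ok"] = (not findings["profile_expired"] and findings["cert_in_profile"]
                      and not findings["missing_entitlements"]
                      and not findings["mismatched_entitlements"])
    return findings


# Constructed sample app entitlements: a VPN entitlement and a second app group the
# profile below does not grant, so the findings show both failure modes.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>application-identifier</key><string>ABCDE12345.com.example.myapp</string>
  <key>keychain-access-groups</key><array>
    <string>ABCDE12345.com.example.myapp</string>
    <string>ABCDE12345.com.microsoft.intune.mam</string>
    <string>ABCDE12345.com.microsoft.adalcache</string>
  </array>
  <key>com.apple.security.application-groups</key><array>
    <string>group.com.example.shared</string>
    <string>group.com.example.other</string>
  </array>
  <key>com.apple.developer.networking.vpn.api</key><array><string>allow-vpn</string></array>
</dict></plist>"""

FAKE_CERT_DER = b"constructed bytes standing in for a DER certificate"  # not a real cert
SAMPLE_CERT_SHA1 = hashlib.sha1(FAKE_CERT_DER).hexdigest().upper()       # what you pass to -c


def make_sample_profile(expiry_year=2031):
    """Build a decoded profile plist shaped like 'security cms -D' output (constructed)."""
    return plistlib.dumps({
        "Name": "Example wrapping profile",
        "ExpirationDate": datetime.datetime(expiry_year, 1, 1),
        "DeveloperCertificates": [FAKE_CERT_DER],
        "Entitlements": {
            "application-identifier": "ABCDE12345.com.example.myapp",
            "keychain-access-groups": ["ABCDE12345.*"],
            "com.apple.security.application-groups": ["group.com.example.shared"],
            "aps-environment": "production",
        },
    })


if __name__ == "__main__":
    result = check_wrap_inputs(SAMPLE_ENTITLEMENTS, make_sample_profile(), SAMPLE_CERT_SHA1)
    for name, value in result.items():
        print(f"{name}: {value}")
```

Against the constructed sample the script reports the VPN entitlement as missing from the profile and the app-group list as mismatched, while the certificate and expiry checks pass. In practice, feed it the saved output of the two commands (`codesign ... > app.entitlements`, `security cms ... > profile.plist`) and the fingerprint from `security find-identity -v -p codesigning`; a missing or mismatched entry is what the tool will refuse to wrap, and is the list you would be discarding if you reached for -e.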

Remove entitlements from an app by using the –e parameter


This flag removes any entitlements enabled in the app that are not granted by the provisioning profile. If you
remove capabilities that are being used by the app, it can break your app. An example of where you might remove
missing capabilities is in a vendor-produced app that has all capabilities by default.

./IntuneMAMPackager/Contents/MacOS/IntuneMAMPackager -i /<path of input app>/<app filename> -o /<path to output folder>/<app filename> -p /<path to provisioning profile> -c <SHA1 hash of the certificate> -e

Security and privacy for the App Wrapping Tool


Use the following security and privacy best practices when you use the App Wrapping Tool.
The signing certificate, provisioning profile, and the line-of-business app you specify must be on the same
macOS machine that you use to run the app wrapping tool. If the files are on a UNC path, ensure that these
are accessible from the macOS machine. The path must be secured via IPsec or SMB signing.
The wrapped application imported into the admin console should be on the same computer that you run
the tool on. If the file is on a UNC path, ensure that it is accessible on the computer running the admin
console. The path must be secured via IPsec or SMB signing.
The environment where the App Wrapping Tool is downloaded from the GitHub repository needs to be
secured via IPsec or SMB signing.
The app you process must come from a trustworthy source to ensure protection against attacks.
Ensure that the output folder you specify in the App Wrapping Tool is secured, particularly if it is a remote
folder.
iOS apps that include a file upload dialog box can allow users to circumvent, cut, copy, and paste restrictions
applied to the app. For example, a user could use the file upload dialog box to upload a screenshot of the
app data.
When you monitor the documents folder on your device from within a wrapped app, you might see a folder
named .msftintuneapplauncher. If you change or delete this file, it might affect the correct functioning of
restricted apps.

Intune App Wrapping Tool for iOS with Citrix MDX mVPN
This feature is an integration with the Citrix MDX app wrapper for iOS/iPadOS. The integration is simply an
additional, optional command-line flag, -citrix to the general Intune App Wrapping Tools.
Requirements
To use the -citrix flag, you will also need to install the Citrix MDX app wrapper for iOS on the same macOS
machine. The downloads are found on Citrix XenMobile Downloads and are restricted to Citrix customers only
after signing in. Make sure this is installed in the default location: /Applications/Citrix/MDXToolkit .

NOTE
Support for Intune and Citrix integration is limited to iOS 10+ devices only.

Use the -citrix flag

Run your general app wrapping command with the -citrix flag appended. The -citrix flag currently does not
take any arguments.
Usage format:

./IntuneMAMPackager/Contents/MacOS/IntuneMAMPackager -i /<path of input app>/<app filename> -o /<path to output folder>/<app filename> -p /<path to provisioning profile> -c <SHA1 hash of the certificate> [-b [<output app build string>]] [-v] [-e] [-x /<array of extension provisioning profile paths>] [-citrix]

Example command:

./IntuneMAMPackager/Contents/MacOS/IntuneMAMPackager -i ~/Desktop/MyApp.ipa -o ~/Desktop/MyApp_Wrapped.ipa -p ~/Desktop/My_Provisioning_Profile_.mobileprovision -c 12A3BC45D67EF8901A2B3CDEF4ABC5D6E7890FAB -v true -citrix

See also
Decide how to prepare apps for mobile application management with Microsoft Intune
Common questions, issues, and resolutions with device policies and profiles
Use the SDK to enable apps for mobile application management
Microsoft Intune App SDK for iOS developer guide
9/4/2020 • 46 minutes to read

NOTE
Consider reading the Get Started with Intune App SDK Guide article, which explains how to prepare for integration on each
supported platform.
To download the SDK, see Download the SDK files.

The Microsoft Intune App SDK for iOS lets you incorporate Intune app protection policies (also known as APP or
MAM policies) into your native iOS app. A MAM-enabled application is one that is integrated with the Intune App
SDK. IT administrators can deploy app protection policies to your mobile app when Intune actively manages the
app.

Prerequisites
You will need a Mac OS computer that runs OS X 10.12.6 or later, and also has Xcode 9 or later installed.
Your app must be targeted for iOS 11 or above.
Review the Intune App SDK for iOS License Terms. Print and retain a copy of the license terms for your
records. By downloading and using the Intune App SDK for iOS, you agree to such license terms. If you do
not accept them, do not use the software.
Download the files for the Intune App SDK for iOS on GitHub.

What's in the SDK Repository


The following files are relevant to apps/extensions that contain no Swift code, or are compiled with a version of
Xcode prior to 10.2:
IntuneMAM.framework : The Intune App SDK framework. It is recommended that you link this framework
to your app/extensions to enable Intune client application management. However some developers may
prefer the performance benefits of the static library. See the following.
libIntuneMAM.a : The Intune App SDK static library. Developers may choose to link the static library
instead of the framework. Because static libraries are embedded directly into the app/extension binary at
build time, there are some launch-time performance benefits to using the static library. However, integrating
it into your app is a more complicated process. If your app includes any extensions, linking the static library
to the app and extensions will result in a larger app bundle size, as the static library will be embedded into
each app/extension binary. When using the framework, apps and extensions can share the same Intune SDK
binary, resulting in a smaller app size.
IntuneMAMResources.bundle : A resource bundle that contains resources that the SDK relies on. The
resources bundle is required only for apps which integrate the static library (libIntuneMAM.a).
The following files are relevant to apps/extensions that contain Swift code, and are compiled with Xcode 10.2+:
IntuneMAMSwift.framework : The Intune App SDK Swift framework. This framework contains all the
headers for APIs that your app will call. Link this framework to your app/extensions to enable Intune client
application management.
IntuneMAMSwiftStub.framework : The Intune App SDK Swift Stub framework. This is a required
dependency of IntuneMAMSwift.framework which apps/extensions must link.
The following files are relevant to all apps/extensions:
IntuneMAMConfigurator : A tool used to configure the app or extension's Info.plist with the minimum
required changes for Intune management. Depending on the functionality of your app or extension, you
may need to make additional manual changes to the Info.plist.
Headers : Exposes the public Intune App SDK APIs. These headers are included within the
IntuneMAM/IntuneMAMSwift frameworks, so developers who consume either of the frameworks do not
need to manually add the headers to their project. Developers that choose to link against the static library
(libIntuneMAM.a) will need to manually include these headers in their project.
The following header files include the APIs, data types, and protocols which the Intune App SDK makes available to
developers:
IntuneMAMAppConfig.h
IntuneMAMAppConfigManager.h
IntuneMAMDataProtectionInfo.h
IntuneMAMDataProtectionManager.h
IntuneMAMDefs.h
IntuneMAMDiagnosticConsole.h
IntuneMAMEnrollmentDelegate.h
IntuneMAMEnrollmentManager.h
IntuneMAMEnrollmentStatus.h
IntuneMAMFileProtectionInfo.h
IntuneMAMFileProtectionManager.h
IntuneMAMLogger.h
IntuneMAMPolicy.h
IntuneMAMPolicyDelegate.h
IntuneMAMPolicyManager.h
IntuneMAMVersionInfo.h
Developers can make the contents of all the previous headers available by just importing IntuneMAM.h

How the Intune App SDK works


The objective of the Intune App SDK for iOS is to add management capabilities to iOS applications with minimal
code changes. The fewer the code changes, the shorter the time to market, without affecting the consistency and
stability of your mobile application.

Build the SDK into your mobile app


To enable the Intune App SDK, follow these steps:
1. Option 1 - Framework (recommended) : If you're using Xcode 10.2+ and your app/extension contains
Swift code, link IntuneMAMSwift.framework and IntuneMAMSwiftStub.framework to your target: Drag
IntuneMAMSwift.framework and IntuneMAMSwiftStub.framework to the Embedded Binaries list of the project
target.
Otherwise, link IntuneMAM.framework to your target: Drag IntuneMAM.framework to the Embedded Binaries
list of the project target.
NOTE
If you use the framework, you must manually strip out the simulator architectures from the universal framework
before you submit your app to the App Store. See Submit your app to the App Store for more details.

Option 2 - Static Library : This option is only available for apps/extensions that contain no Swift code, or
were built with Xcode < 10.2. Link to the libIntuneMAM.a library. Drag the libIntuneMAM.a library to the
Linked Frameworks and Libraries list of the project target.

Add -force_load {PATH_TO_LIB}/libIntuneMAM.a to either of the following, replacing {PATH_TO_LIB} with the
Intune App SDK location:
The project's OTHER_LDFLAGS build configuration setting.
The Xcode UI's Other Linker Flags .

NOTE
To find PATH_TO_LIB , select the file libIntuneMAM.a and choose Get Info from the File menu. Copy and
paste the Where information (the path) from the General section of the Info window.

Add the IntuneMAMResources.bundle resource bundle to the project by dragging the resource bundle
under Copy Bundle Resources within Build Phases .

2. Add these iOS frameworks to the project:


MessageUI.framework
Security.framework
CoreServices.framework
SystemConfiguration.framework
libsqlite3.tbd
libc++.tbd
ImageIO.framework
LocalAuthentication.framework
AudioToolbox.framework
QuartzCore.framework
WebKit.framework
3. Enable keychain sharing (if it isn't already enabled) by choosing Capabilities in each project target and
enabling the Keychain Sharing switch. Keychain sharing is required for you to proceed to the next step.

NOTE
Your provisioning profile needs to support new keychain sharing values. The keychain access groups should support
a wildcard character. You can check this by opening the .mobileprovision file in a text editor, searching for keychain-
access-groups , and ensuring that you have a wildcard character. For example:

<key>keychain-access-groups</key>
<array>
<string>YOURBUNDLESEEDID.*</string>
</array>

4. After you enable keychain sharing, follow the steps to create a separate access group in which the Intune
App SDK will store its data. You can create a keychain access group by using the UI or by using the
entitlements file. If you are using the UI to create the keychain access group, make sure to follow these
steps:
a. If your mobile app does not have any keychain access groups defined, add the app's bundle ID as the first
group.
b. Add the shared keychain group com.microsoft.intune.mam to your existing access groups. The Intune App
SDK uses this access group to store data.
c. Add com.microsoft.adalcache to your existing access groups.

d. If you are editing the entitlements file directly, rather than using the Xcode UI shown above to create the
keychain access groups, prepend the keychain access groups with $(AppIdentifierPrefix) (Xcode handles
this automatically). For example:
$(AppIdentifierPrefix)com.microsoft.intune.mam
$(AppIdentifierPrefix)com.microsoft.adalcache

NOTE
An entitlements file is an XML file that is unique to your mobile application. It is used to specify special permissions
and capabilities in your iOS app. If your app did not previously have an entitlements file, enabling keychain sharing
(step 3) should have caused Xcode to generate one for your app. Ensure the app's bundle ID is the first entry in the
list.

5. Include each protocol that your app passes to UIApplication canOpenURL in the LSApplicationQueriesSchemes
array of your app's Info.plist file. Be sure to save your changes before proceeding to the next step.
6. If your app does not use FaceID already, ensure the NSFaceIDUsageDescription Info.plist key is configured
with a default message. This is required so iOS can let the user know how the app intends to use FaceID. An
Intune app protection policy setting allows for FaceID to be used as a method for app access when
configured by the IT admin.
7. Use the IntuneMAMConfigurator tool that is included in the SDK repo to finish configuring your app's
Info.plist. The tool has three parameters:

PROPERTY   HOW TO USE IT
-i         <Path to the input plist>
-e         <Path to the entitlements file>
-o         (Optional) <Path to the output plist>

If the '-o' parameter is not specified, the input file will be modified in-place. The tool is idempotent, and should be
rerun whenever changes to the app's Info.plist or entitlements have been made. You should also download and run
the latest version of the tool when updating the Intune SDK, in case Info.plist config requirements have changed in
the latest release.
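The entitlements file that steps 3 and 4 produce, written out by hand rather than through the Xcode UI, looks like the fragment below. This is an added example and not a file from the Intune SDK repository; the bundle ID com.example.myapp is a placeholder. The ordering matters: the app's own bundle ID is the first keychain access group, followed by the two groups the Intune App SDK and MSAL use, each prefixed with $(AppIdentifierPrefix) because Xcode only adds that prefix for you when you edit through the Capabilities pane.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Keychain Sharing capability (step 3). Order: the app's own bundle ID first. -->
    <key>keychain-access-groups</key>
    <array>
        <!-- 1. The app's own group: its bundle ID (placeholder). -->
        <string>$(AppIdentifierPrefix)com.example.myapp</string>
        <!-- 2. Shared group the Intune App SDK stores its policy data in (step 4b). -->
        <string>$(AppIdentifierPrefix)com.microsoft.intune.mam</string>
        <!-- 3. Shared MSAL token cache used for single sign-on (step 4c). -->
        <string>$(AppIdentifierPrefix)com.microsoft.adalcache</string>
    </array>
</dict>
</plist>
```

Once the file is in place, step 7 takes it as the -e argument, for example `./IntuneMAMConfigurator -i MyApp/Info.plist -e MyApp/MyApp.entitlements`, which modifies Info.plist in place because no -o is given. Rerun the same command after any later change to either file, since the tool is idempotent.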

Configure MSAL
The Intune App SDK uses the Microsoft Authentication Library for its authentication and conditional launch
scenarios. It also relies on MSAL to register the user identity with the MAM service for management without device
enrollment scenarios.
Typically, MSAL requires apps to register with Azure Active Directory (AAD) and create a unique client ID and
redirect URI, to guarantee the security of the tokens granted to the app. If your app already uses MSAL to
authenticate users, the app must use its existing registration values and override the Intune App SDK default
values. This ensures that users are not prompted for authentication twice (once by the Intune App SDK and once by
the app).
If your app does not already use MSAL, and you do not need to access any AAD resource, you do not need to set
up a client app registration in AAD if you choose to integrate MSAL. If you decide to integrate MSAL, you will need
to configure an app registration and override the default Intune client ID and redirect URI.
It is recommended that your app links to the latest release of MSAL.
Link to MSAL binaries
Follow these instructions to link your app to the MSAL binaries.
1. If your app does not have any keychain access groups defined, add the app's bundle ID as the first group.
2. Enable MSAL single sign-on (SSO) by adding com.microsoft.adalcache to the keychain access groups.
3. If you are explicitly setting the MSAL shared cache keychain group, make sure it is set to
<appidprefix>.com.microsoft.adalcache . MSAL will set this for you unless you override it. If you want to
specify a custom keychain group to replace com.microsoft.adalcache , specify that in the Info.plist file under
IntuneMAMSettings, by using the key ADALCacheKeychainGroupOverride .
Configure MSAL settings for the Intune App SDK
If your app already uses MSAL for authentication and has its own Azure Active Directory settings, you can force the
Intune App SDK to use the same settings during authentication against AAD. This ensures that the app will not
double-prompt the user for authentication. See Configure settings for the Intune App SDK for information on
populating the following settings:
ADALClientId
ADALAuthority
ADALRedirectUri
ADALRedirectScheme
ADALCacheKeychainGroupOverride
If your app already uses MSAL, the following configurations are required:
1. In the project's Info.plist file, under the IntuneMAMSettings dictionary with the key name ADALClientId ,
specify the client ID to be used for MSAL calls.
2. Also under the IntuneMAMSettings dictionary with the key name ADALAuthority , specify the Azure AD
authority.
3. Also under the IntuneMAMSettings dictionary with the key name ADALRedirectUri , specify the redirect
URI to be used for MSAL calls. Alternatively, you could specify ADALRedirectScheme instead, if the
application's redirect URI is in the format scheme://bundle_id .

Additionally, apps can override these Azure AD settings at runtime by setting the aadAuthorityUriOverride ,
aadClientIdOverride , and aadRedirectUriOverride properties on the IntuneMAMPolicyManager instance.

4. Ensure the steps to give your iOS app permissions to the app protection policy (APP) service are followed. Use
the instructions in the getting started with the Intune SDK guide under "Give your app access to the Intune app
protection service (optional)".

NOTE
The Info.plist approach is recommended for all settings which are static and do not need to be determined at runtime. Values
assigned to the IntuneMAMPolicyManager properties take precedence over any corresponding values specified in the
Info.plist, and will persist even after the app is restarted. The SDK will continue to use them for policy check-ins until the user
is unenrolled or the values are cleared or changed.

If your app does not use MSAL
As previously mentioned, the Intune App SDK uses the Microsoft Authentication Library for its authentication and
conditional launch scenarios. It also relies on MSAL to register the user identity with the MAM service for
management without device enrollment scenarios. If your app does not use MSAL for its own authentication
mechanism, then you may need to configure custom AAD settings:
Developers need to create an app registration in AAD with a custom redirect URI in the format specified here.
Developers should set the ADALClientId and ADALRedirectUri settings previously mentioned, or the equivalent
aadClientIdOverride and aadRedirectUriOverride properties on the IntuneMAMPolicyManager instance.
Developers should also ensure they follow step 4 in the previous section, to give their app registration access to
the Intune app protection service.
Special considerations when using MSAL
1. Check your Webview - It is recommended that applications do not use SFSafariViewController,
SFAuthSession or ASWebAuthSession as their webview for any app-initiated MSAL interactive auth operations.
If for some reason your app must use one of these webviews for any interactive MSAL auth operations, then it
must also set SafariViewControllerBlockedOverride to true under the IntuneMAMSettings dictionary in the
application's Info.plist. WARNING: This will turn off Intune's SafariViewController hooks to enable the auth
session. This does risk data leaks elsewhere in the app if the application uses SafariViewController to view
corporate data, so the application should not show corporate data in any of those webview types.
2. Linking both ADAL and MSAL - Developers must opt in if they want Intune to prefer MSAL over ADAL in
this scenario. By default, Intune will prefer supported ADAL versions to supported MSAL versions, if both are
linked at runtime. Intune will only prefer a supported MSAL version when, at the time of Intune's first
authentication operation, IntuneMAMUseMSALOnNextLaunch is true in NSUserDefaults . If
IntuneMAMUseMSALOnNextLaunch is false or not set, Intune will fall back to the default behavior. As the name
suggests, a change to IntuneMAMUseMSALOnNextLaunch will take effect on the next launch.

Configure settings for the Intune App SDK
You can use the IntuneMAMSettings dictionary in the application's Info.plist file to set up and configure the
Intune App SDK. If the IntuneMAMSettings dictionary is not present in your Info.plist file, you should create it.
Under the IntuneMAMSettings dictionary, you can use the following supported settings to configure the Intune App
SDK.
Some of these settings might have been covered in previous sections, and some do not apply to all apps.

Each entry below lists the setting and its type, what it does, and whether it is required.

ADALClientId (String)
    The app's Azure AD client identifier.
    Required for all apps that use MSAL.

ADALAuthority (String)
    The app's Azure AD authority in use. You should use your own environment where AAD accounts have been
    configured.
    Optional. Recommended if the app is a custom line-of-business application built for use within a single
    organization/AAD tenant. If this value is absent, the common AAD authority is used.

ADALRedirectUri (String)
    The app's Azure AD redirect URI.
    ADALRedirectUri or ADALRedirectScheme is required for all apps that use MSAL and any ADAL app that accesses
    a non-Intune AAD resource.

ADALRedirectScheme (String)
    The app's Azure AD redirect scheme. This can be used in place of ADALRedirectUri if the application's redirect
    URI is in the format scheme://bundle_id .
    ADALRedirectUri or ADALRedirectScheme is required for all apps that use MSAL and any ADAL app that accesses
    a non-Intune AAD resource.

ADALLogOverrideDisabled (Boolean)
    Specifies whether the SDK will route all MSAL logs (including MSAL calls from the app, if any) to its own log
    file. Defaults to NO. Set to YES if the app will set its own MSAL log callback.
    Optional.

ADALCacheKeychainGroupOverride (String)
    Specifies the keychain group to use for the MSAL cache, instead of "com.microsoft.adalcache". Note that this
    doesn't have the app-id prefix; that will be prefixed to the provided string at runtime.
    Optional.

AppGroupIdentifiers (Array of strings)
    Array of app groups from the app's entitlements com.apple.security.application-groups section.
    Required if the app uses application groups.

ContainingAppBundleId (String)
    Specifies the bundle ID of the extension's containing application.
    Required for iOS extensions.

DebugSettingsEnabled (Boolean)
    If set to YES, test policies within the Settings bundle can be applied. Applications should not be shipped
    with this setting enabled.
    Optional. Defaults to NO.

AutoEnrollOnLaunch (Boolean)
    Specifies whether the app should attempt to automatically enroll on launch if an existing managed identity is
    detected and it has not yet done so. Defaults to NO.
    Note: If no managed identity is found, or no valid token for the identity is available in the MSAL cache, the
    enrollment attempt will silently fail without prompting for credentials, unless the app has also set
    MAMPolicyRequired to YES.
    Optional. Defaults to NO.

MAMPolicyRequired (Boolean)
    Specifies whether the app will be blocked from starting if the app does not have an Intune app protection
    policy. Defaults to NO.
    Note: Apps cannot be submitted to the App Store with MAMPolicyRequired set to YES. When setting
    MAMPolicyRequired to YES, AutoEnrollOnLaunch should also be set to YES.
    Optional. Defaults to NO.

MAMPolicyWarnAbsent (Boolean)
    Specifies whether the app will warn the user during launch if the app does not have an Intune app protection
    policy.
    Note: Users will still be allowed to use the app without policy after dismissing the warning.
    Optional. Defaults to NO.

MultiIdentity (Boolean)
    Specifies whether the app is multi-identity aware.
    Optional. Defaults to NO.

SafariViewControllerBlockedOverride (Boolean)
    Disables Intune's SafariViewController hooks to enable MSAL auth via SFSafariViewController, SFAuthSession or
    ASWebAuthSession.
    Optional. Defaults to NO. WARNING: can result in data leakage if used improperly. Enable only if absolutely
    necessary. See "Special considerations when using MSAL" for details.

SplashIconFile / SplashIconFile~ipad (String)
    Specifies the Intune splash (startup) icon file.
    Optional.

SplashDuration (Number)
    Minimum amount of time, in seconds, that the Intune startup screen will be shown at application launch.
    Defaults to 1.5.
    Optional.

BackgroundColor (String)
    Specifies the background color for the Intune SDK's UI components. Accepts a hexadecimal RGB string in the
    form of #XXXXXX, where X can range from 0-9 or A-F. The pound sign might be omitted.
    Optional. Defaults to the system background color, which may vary across versions of iOS and according to
    the iOS Dark Mode setting.

ForegroundColor (String)
    Specifies the foreground color for the Intune SDK's UI components, such as text color. Accepts a hexadecimal
    RGB string in the form of #XXXXXX, where X can range from 0-9 or A-F. The pound sign might be omitted.
    Optional. Defaults to the system label color, which may vary across versions of iOS and according to the iOS
    Dark Mode setting.

AccentColor (String)
    Specifies the accent color for the Intune SDK's UI components, such as button text color and PIN box
    highlight color. Accepts a hexadecimal RGB string in the form of #XXXXXX, where X can range from 0-9 or A-F.
    The pound sign might be omitted.
    Optional. Defaults to system blue.

SecondaryBackgroundColor (String)
    Specifies the secondary background color for the MTD screens. Accepts a hexadecimal RGB string in the form
    of #XXXXXX, where X can range from 0-9 or A-F. The pound sign might be omitted.
    Optional. Defaults to white.

SecondaryForegroundColor (String)
    Specifies the secondary foreground color for the MTD screens, like footnote color. Accepts a hexadecimal RGB
    string in the form of #XXXXXX, where X can range from 0-9 or A-F. The pound sign might be omitted.
    Optional. Defaults to gray.

SupportsDarkMode (Boolean)
    Specifies whether the Intune SDK's UI color scheme should observe the system dark mode setting, if no
    explicit value has been set for BackgroundColor/ForegroundColor/AccentColor.
    Optional. Defaults to YES.

MAMTelemetryDisabled (Boolean)
    Specifies if the SDK will not send any telemetry data to its back end.
    Optional. Defaults to NO.

MAMTelemetryUsePPE (Boolean)
    Specifies if the MAM SDK will send data to the PPE telemetry backend. Use this when testing your apps with
    Intune policy so that test telemetry data does not mix with customer data.
    Optional. Defaults to NO.

MaxFileProtectionLevel (String)
    Allows the app to specify the maximum NSFileProtectionType it can support. This value will override the
    policy sent by the service if the level is higher than what the application can support. Possible values:
    NSFileProtectionComplete , NSFileProtectionCompleteUnlessOpen ,
    NSFileProtectionCompleteUntilFirstUserAuthentication , NSFileProtectionNone .
    Optional.

OpenInActionExtension (Boolean)
    Set to YES for Open in Action extensions. See the "Share Data via UIActivityViewController" section for more
    information.

WebViewHandledURLSchemes (Array of strings)
    Specifies the URL schemes that your app's WebView handles.
    Required if your app uses a WebView that handles URLs via links and/or JavaScript.

DocumentBrowserFileCachePath (String)
    If your app uses the UIDocumentBrowserViewController to browse through files in various file providers, you
    can set this path relative to the home directory in the application sandbox so the Intune SDK can drop
    decrypted managed files into that folder.
    Optional. Defaults to the /Documents/ directory.

VerboseLoggingEnabled (Boolean)
    If set to YES, Intune will log in verbose mode.
    Optional. Defaults to NO.
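The following script is an added worked example; it is not part of the Intune App SDK or of Microsoft's documentation. It turns the constraints stated in the settings table above and in the "Link to MSAL binaries" steps into a build-time lint over the app's Info.plist and entitlements: an ADALClientId must be paired with ADALRedirectUri or ADALRedirectScheme; MAMPolicyRequired must be accompanied by AutoEnrollOnLaunch and, like DebugSettingsEnabled and MAMTelemetryUsePPE, must not ship in a release build; SafariViewControllerBlockedOverride is flagged every time; MaxFileProtectionLevel must be one of the four NSFileProtectionType values; AppGroupIdentifiers must mirror the application-groups entitlement; an extension must carry ContainingAppBundleId; and keychain-access-groups must list the bundle ID first and contain the MSAL cache group (or the ADALCacheKeychainGroupOverride value). The sample plists, the bundle IDs and the all-zero client ID are constructed placeholders, and the team-prefix stripping in _bare_group assumes the usual $(AppIdentifierPrefix) or TEAMID. form.

```python
"""Build-time lint for the IntuneMAMSettings dictionary and the app entitlements.

Added example, not Microsoft's code. It encodes the rules from the settings table
so a CI step can fail a build before it reaches the App Store. The sample plists
are constructed for illustration; IDs are placeholders.
"""
import plistlib
import re
from typing import List

MSAL_CACHE_GROUP = "com.microsoft.adalcache"
FILE_PROTECTION_LEVELS = {
    "NSFileProtectionComplete",
    "NSFileProtectionCompleteUnlessOpen",
    "NSFileProtectionCompleteUntilFirstUserAuthentication",
    "NSFileProtectionNone",
}
# Fine on a test build, but the settings table says these must not ship.
NO_SHIP_KEYS = ("DebugSettingsEnabled", "MAMTelemetryUsePPE", "MAMPolicyRequired")


def _bare_group(group: str) -> str:
    """Strip the team prefix ($(AppIdentifierPrefix) or a literal TEAMID.) from a keychain group.
    Assumption: entitlements use one of those two forms."""
    if group.startswith("$(AppIdentifierPrefix)"):
        return group[len("$(AppIdentifierPrefix)"):]
    return re.sub(r"^[A-Z0-9]{10}\.", "", group)


def lint_intune_settings(info: dict, entitlements: dict, release: bool = True) -> List[str]:
    """Return findings for an Info.plist / entitlements pair; an empty list means it passes."""
    findings: List[str] = []
    mam = info.get("IntuneMAMSettings")
    if not isinstance(mam, dict):
        return ["Info.plist has no IntuneMAMSettings dictionary"]

    # An MSAL client ID without a redirect URI or scheme cannot complete authentication.
    if "ADALClientId" in mam and not ("ADALRedirectUri" in mam or "ADALRedirectScheme" in mam):
        findings.append("ADALClientId is set but neither ADALRedirectUri nor ADALRedirectScheme is")

    # Blocking launch without policy only works if the app also enrolls automatically.
    if mam.get("MAMPolicyRequired") and not mam.get("AutoEnrollOnLaunch"):
        findings.append("MAMPolicyRequired is YES but AutoEnrollOnLaunch is not")

    if release:
        findings += [f"{k} is YES and must not ship" for k in NO_SHIP_KEYS if mam.get(k)]

    # Turning off the SafariViewController hooks is a data-leak risk; surface it every time.
    if mam.get("SafariViewControllerBlockedOverride"):
        findings.append("SafariViewControllerBlockedOverride is YES (SafariViewController hooks disabled)")

    level = mam.get("MaxFileProtectionLevel")
    if level is not None and level not in FILE_PROTECTION_LEVELS:
        findings.append(f"MaxFileProtectionLevel {level!r} is not an NSFileProtectionType")

    # App groups granted in the entitlements must be mirrored in AppGroupIdentifiers.
    ent_groups = set(entitlements.get("com.apple.security.application-groups", []))
    declared = set(mam.get("AppGroupIdentifiers", []))
    if ent_groups != declared:
        findings.append(f"AppGroupIdentifiers {sorted(declared)} != entitlement app groups {sorted(ent_groups)}")

    # An extension must name its containing application.
    if "NSExtension" in info and not mam.get("ContainingAppBundleId"):
        findings.append("extension Info.plist is missing ContainingAppBundleId")

    # Keychain groups for MSAL SSO: bundle ID first, then the (possibly overridden) MSAL cache group.
    groups = [_bare_group(g) for g in entitlements.get("keychain-access-groups", [])]
    cache_group = mam.get("ADALCacheKeychainGroupOverride", MSAL_CACHE_GROUP)
    if not groups or groups[0] != info.get("CFBundleIdentifier"):
        findings.append("keychain-access-groups must list the app's bundle ID first")
    if cache_group not in groups:
        findings.append(f"keychain-access-groups is missing the MSAL cache group {cache_group}")
    return findings


# Constructed sample: a release candidate that still has DebugSettingsEnabled on.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.contoso.myapp</string>
  <key>IntuneMAMSettings</key><dict>
    <key>ADALClientId</key><string>00000000-0000-0000-0000-000000000000</string>
    <key>ADALRedirectScheme</key><string>msauth.com.contoso.myapp</string>
    <key>MAMPolicyRequired</key><true/>
    <key>AutoEnrollOnLaunch</key><true/>
    <key>DebugSettingsEnabled</key><true/>
    <key>AppGroupIdentifiers</key><array><string>group.com.contoso.myapp</string></array>
  </dict>
</dict></plist>"""

SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>keychain-access-groups</key><array>
    <string>$(AppIdentifierPrefix)com.contoso.myapp</string>
    <string>$(AppIdentifierPrefix)com.microsoft.adalcache</string>
  </array>
  <key>com.apple.security.application-groups</key><array>
    <string>group.com.contoso.myapp</string>
  </array>
</dict></plist>"""


def lint_sample(release: bool = True) -> List[str]:
    """Run the lint over the constructed sample pair."""
    return lint_intune_settings(plistlib.loads(SAMPLE_INFO_PLIST),
                                plistlib.loads(SAMPLE_ENTITLEMENTS), release)


if __name__ == "__main__":
    for finding in lint_sample():
        print("FAIL:", finding)
```

Point it at the built app's Info.plist and the .entitlements file (plistlib.load on the files instead of the inline samples) as a release gate; pass release=False for internal test builds, where MAMPolicyRequired and DebugSettingsEnabled are legitimate.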

Receive app protection policy
Overview
To receive Intune app protection policy, apps must initiate an enrollment request with the Intune MAM service.
Apps can be configured in the Intune console to receive app protection policy with or without device enrollment.
App protection policy without enrollment, also known as APP-WE or MAM-WE, allows apps to be managed by
Intune without the need for the device to be enrolled in Intune mobile device management (MDM). In both cases,
enrolling with the Intune MAM service is required to receive policy.

IMPORTANT
The Intune App SDK for iOS uses 256-bit encryption keys when encryption is enabled by App Protection Policies. All apps
will need to have a current SDK version to allow protected data sharing.
Apps that already use ADAL or MSAL

NOTE
Azure Active Directory (Azure AD) Authentication Library (ADAL) and Azure AD Graph API will be deprecated. For more
information, see Update your applications to use Microsoft Authentication Library (MSAL) and Microsoft Graph API.

Apps which already use ADAL or MSAL should call the registerAndEnrollAccount method on the
IntuneMAMEnrollmentManager instance after the user has been successfully authenticated:

    /*
     * This method will add the account to the list of registered accounts.
     * An enrollment request will immediately be started.
     * @param identity The UPN of the account to be registered with the SDK
     */
    - (void)registerAndEnrollAccount:(NSString *)identity;

By calling the registerAndEnrollAccount method, the SDK will register the user account and attempt to enroll the
app on behalf of this account. If the enrollment fails for any reason, the SDK will automatically retry the enrollment
24 hours later. For debugging purposes, the app can receive notifications, via a delegate, about the results of any
enrollment requests.
After this API has been invoked, the app can continue to function as normal. If the enrollment succeeds, the SDK
will notify the user that an app restart is required. At that time, the user can immediately restart the app.

    [[IntuneMAMEnrollmentManager instance] registerAndEnrollAccount:@"user@foo.com"];

Apps that do not use ADAL or MSAL
Apps that do not sign in the user using ADAL or MSAL can still receive app protection policy from the Intune MAM
service by calling the API to have the SDK handle that authentication. Apps should use this technique when they
have not authenticated a user with Azure AD but still need to retrieve app protection policy to help protect data. An
example is if another authentication service is being used for app sign-in, or if the app does not support signing in
at all. To do this, the application can call the loginAndEnrollAccount method on the IntuneMAMEnrollmentManager
instance:

    /**
     * Creates an enrollment request which is started immediately.
     * If no token can be retrieved for the identity, the user will be prompted
     * to enter their credentials, after which enrollment will be retried.
     * @param identity The UPN of the account to be logged in and enrolled.
     */
    - (void)loginAndEnrollAccount:(NSString *)identity;

By calling this method, the SDK will prompt the user for credentials if no existing token can be found. The SDK will
then try to enroll the app with the Intune MAM service on behalf of the supplied user account. The method can be
called with nil as the identity. In that case, the SDK will enroll with the existing managed user on the device (in the
case of MDM), or prompt the user for a user name if no existing user is found.
If the enrollment fails, the app should consider calling this API again at a future time, depending on the details of
the failure. The app can receive notifications, via a delegate, about the results of any enrollment requests.
After this API has been invoked, the app can continue functioning as normal. If the enrollment succeeds, the SDK
will notify the user that an app restart is required.
Example:

    [[IntuneMAMEnrollmentManager instance] loginAndEnrollAccount:@"user@foo.com"];

Let Intune handle authentication and enrollment at launch
If you want the Intune SDK to handle all authentication using ADAL/MSAL and enrollment before your app finishes
launching, and your app always requires APP policy, you don't have to use the loginAndEnrollAccount API. You can
instead set the two settings below to YES in the IntuneMAMSettings dictionary in the app's Info.plist.

AutoEnrollOnLaunch (Boolean)
    Specifies whether the app should attempt to automatically enroll on launch if an existing managed identity is
    detected and it has not yet done so. Defaults to NO.
    Note: If no managed identity is found, or no valid token for the identity is available in the ADAL/MSAL cache,
    the enrollment attempt will silently fail without prompting for credentials, unless the app has also set
    MAMPolicyRequired to YES.

MAMPolicyRequired (Boolean)
    Specifies whether the app will be blocked from starting if the app does not have an Intune app protection
    policy. Defaults to NO.
    Note: Apps cannot be submitted to the App Store with MAMPolicyRequired set to YES. When setting
    MAMPolicyRequired to YES, AutoEnrollOnLaunch should also be set to YES.

If you choose this option for your app, you do not have to handle restarting your app after enrolling.
Deregister user accounts
Before a user is signed out of an app, the app should deregister the user from the SDK. This will ensure:
1. Enrollment retries will no longer happen for the user's account.
2. App protection policy will be removed.
3. If the app initiates a selective wipe (optional), any corporate data is deleted.
Before the user is signed out, the app should call the following method on the IntuneMAMEnrollmentManager
instance:

    /*
     * This method will remove the provided account from the list of
     * registered accounts. Once removed, if the account has enrolled
     * the application, the account will be un-enrolled.
     * @note In the case where an un-enroll is required, this method will block
     * until the Intune APP AAD token is acquired, then return. This method must be called before
     * the user is removed from the application (so that required AAD tokens are not purged
     * before this method is called).
     * @param identity The UPN of the account to be removed.
     * @param doWipe If YES, perform a selective wipe if the account is un-enrolled
     */
    - (void)deRegisterAndUnenrollAccount:(NSString *)identity withWipe:(BOOL)doWipe;

This method must be called before the user account's Azure AD tokens are deleted. The SDK needs the user
account's AAD token(s) to make specific requests to the Intune MAM service on behalf of the user.
If the app will delete the user's corporate data on its own, the doWipe flag can be set to NO. Otherwise, the app
can have the SDK initiate a selective wipe. This will result in a call to the app's selective wipe delegate.
Example:

    [[IntuneMAMEnrollmentManager instance] deRegisterAndUnenrollAccount:@"user@foo.com" withWipe:YES];

Status, result, and debug notifications
The app can receive status, result, and debug notifications about the following requests to the Intune MAM service:
Enrollment requests
Policy update requests
Unenrollment requests
The notifications are presented via delegate methods in IntuneMAMEnrollmentDelegate.h :

    /**
     * Called when an enrollment request operation is completed.
     * @param status status object containing debug information
     */
    - (void)enrollmentRequestWithStatus:(IntuneMAMEnrollmentStatus *)status;

    /**
     * Called when a MAM policy request operation is completed.
     * @param status status object containing debug information
     */
    - (void)policyRequestWithStatus:(IntuneMAMEnrollmentStatus *)status;

    /**
     * Called when an un-enroll request operation is completed.
     * @note When a user is un-enrolled, the user is also de-registered with the SDK.
     * @param status status object containing debug information
     */
    - (void)unenrollRequestWithStatus:(IntuneMAMEnrollmentStatus *)status;

These delegate methods return an IntuneMAMEnrollmentStatus object that has the following information:
The identity of the account associated with the request
A status code that indicates the result of the request
An error string with a description of the status code
An NSError object. This object is defined in IntuneMAMEnrollmentStatus.h , along with the specific status codes
that can be returned.
Sample code
These are example implementations of the delegate methods (the status code is cast to long to match the %ld
format specifier):

    - (void)enrollmentRequestWithStatus:(IntuneMAMEnrollmentStatus *)status
    {
        NSLog(@"enrollment result for identity %@ with status code %ld", status.identity, (long)status.statusCode);
        NSLog(@"Debug Message: %@", status.errorString);
    }

    - (void)policyRequestWithStatus:(IntuneMAMEnrollmentStatus *)status
    {
        NSLog(@"policy check-in result for identity %@ with status code %ld", status.identity, (long)status.statusCode);
        NSLog(@"Debug Message: %@", status.errorString);
    }

    - (void)unenrollRequestWithStatus:(IntuneMAMEnrollmentStatus *)status
    {
        NSLog(@"un-enroll result for identity %@ with status code %ld", status.identity, (long)status.statusCode);
        NSLog(@"Debug Message: %@", status.errorString);
    }

Application restart
When an app receives MAM policies for the first time, it must restart to apply the required hooks. To notify the app
that a restart needs to happen, the SDK provides a delegate method in IntuneMAMPolicyDelegate.h .

    - (BOOL)restartApplication

The return value of this method tells the SDK whether the application will handle the required restart itself:
If YES is returned, the application must handle the restart.
If NO is returned, the SDK will restart the application after this method returns. The SDK will immediately
show a dialog box that tells the user to restart the application.

Customize your app's behavior with APIs
The Intune App SDK has several APIs you can call to get information about the Intune APP policy deployed to the
app. You can use this data to customize your app's behavior. The following list describes some essential Intune
classes you will use.

IntuneMAMPolicyManager.h
    The IntuneMAMPolicyManager class exposes the Intune APP policy deployed to the application. Notably, it
    exposes APIs that are useful for enabling multi-identity.

IntuneMAMPolicy.h
    The IntuneMAMPolicy class exposes some MAM policy settings that apply to the app. Most of these policy
    settings are exposed so the app can customize its UI. Most policy settings are enforced by the SDK and not
    the app. However, there are some exceptions. App developers should review the comments in this header to
    determine which APIs are applicable to their application's scenarios.

IntuneMAMFileProtectionManager.h
    The IntuneMAMFileProtectionManager class exposes APIs the app can use to explicitly secure files and
    directories based on a supplied identity. The identity can be managed by Intune or unmanaged, and the SDK
    will apply the appropriate MAM policy. Using this class is optional.

IntuneMAMDataProtectionManager.h
    The IntuneMAMDataProtectionManager class exposes APIs the app can use to secure data buffers given a
    supplied identity. The identity can be managed by Intune or unmanaged, and the SDK will apply encryption
    appropriately.

Implement Allowed Accounts
Intune lets IT admins specify which accounts the user can sign in with. Apps can query the Intune App SDK
for the specified list of allowed accounts and then ensure only allowed accounts are signed into the device.
To query for allowed accounts, the App should check the allowedAccounts property on the
IntuneMAMEnrollmentManager . The allowedAccounts property is either an array containing the allowed accounts or
nil. If the property is nil then no allowed accounts have been specified.
Apps can also react to changes of the allowedAccounts property by observing the
IntuneMAMAllowedAccountsDidChangeNotification notification. The notification is posted whenever the
allowedAccounts property changes in value.

Implement File Encryption Required
The isFileEncryptionRequired API defined in IntuneMAMPolicy.h informs applications when the IT administrator
requires that applications use Intune encryption on any files saved to disk. If isFileEncryptionRequired is true, then
it is the app's responsibility to ensure that any files saved to disk by the app are encrypted using the APIs in
IntuneMAMFile.h , IntuneMAMFileProtectionManager.h , and IntuneMAMDataProtectionManager.h .
Apps can react to changes in this policy by observing the IntuneMAMDataProtectionDidChangeNotification
notification defined in IntuneMAMDataProtectionManager.h .

Implement save-as and open-from controls
Intune lets IT admins select which storage locations a managed app can save data to or open data from. Apps can
query the Intune MAM SDK for allowed save-to storage locations by using the isSaveToAllowedForLocation API,
defined in IntuneMAMPolicy.h . Apps can also query the Intune MAM SDK for allowed open-from storage locations
by using the isOpenFromAllowedForLocation API, defined in IntuneMAMPolicy.h .
Before apps can save managed data to a cloud-storage or local location, they must check with the
isSaveToAllowedForLocation API to know if the IT admin has allowed data to be saved there. Before opening data
into an app from a cloud-storage or local location, the app must check with the isOpenFromAllowedForLocation API
to know if the IT admin has allowed data to be opened from there.
When apps use the isSaveToAllowedForLocation or isOpenFromAllowedForLocation APIs, they must pass in the UPN
for the storage location, if it is available.
Supported save locations
The isSaveToAllowedForLocation API provides constants to check whether the IT admin permits data to be saved to
the following locations defined in IntuneMAMPolicy.h :
IntuneMAMSaveLocationOther
IntuneMAMSaveLocationOneDriveForBusiness
IntuneMAMSaveLocationSharePoint
IntuneMAMSaveLocationLocalDrive
IntuneMAMSaveLocationCameraRoll
IntuneMAMSaveLocationAccountDocument
Apps should use the constants in isSaveToAllowedForLocation to check if data can be saved to locations considered
"managed," like OneDrive for Business, or "personal." Additionally, the API should be used when the app can't
check whether a location is "managed" or "personal."
The IntuneMAMSaveLocationLocalDrive constant should be used when the app is saving data to any location on the
local device. Similarly, the IntuneMAMSaveLocationCameraRoll constant should be used if the app is saving a photo to
the camera roll.
If the account for the destination location is unknown, nil should be passed. The
IntuneMAMSaveLocationLocalDrive and IntuneMAMSaveLocationCameraRoll locations should always be paired with a
nil account.

Supported open locations
The isOpenFromAllowedForLocation API provides constants to check whether the IT admin permits data to be
opened from the following locations defined in IntuneMAMPolicy.h .
IntuneMAMOpenLocationOther
IntuneMAMOpenLocationOneDriveForBusiness
IntuneMAMOpenLocationSharePoint
IntuneMAMOpenLocationCamera
IntuneMAMOpenLocationLocalStorage
IntuneMAMOpenLocationAccountDocument
Apps should use the constants in isOpenFromAllowedForLocation to check if data can be opened from locations
considered "managed", like OneDrive for Business, or "personal". Additionally, the API should be used when the
app can't check whether a location is "managed" or "personal".
The IntuneMAMOpenLocationCamera constant should be used when the app is opening data from the camera or photo
album.
The IntuneMAMOpenLocationLocalStorage constant should be used when the app is opening data from any location
on the local device.
The IntuneMAMOpenLocationAccountDocument constant should be used when the app is opening a document that has
a managed account identity (see the "Shared data" section below)
If the account for the source location is unknown, nil should be passed. The IntuneMAMOpenLocationLocalStorage
and IntuneMAMOpenLocationCamera locations should always be paired with a nil account.
Unknown or unlisted locations
When the desired location is not listed in the IntuneMAMSaveLocation or IntuneMAMOpenLocation enums or is
unknown, one of two locations should be used.
If the save location is being accessed with a managed account then the IntuneMAMSaveLocationAccountDocument
location should be used ( IntuneMAMOpenLocationAccountDocument for open).
Otherwise, use the IntuneMAMSaveLocationOther location ( IntuneMAMOpenLocationOther for open).
It is important to make the distinction clear between the managed account and an account that shares the
managed account's UPN. For example, a managed account with UPN "user@contoso.com" signed into OneDrive is
not the same as an account with UPN "user@contoso.com" signed into Dropbox. If an unknown or unlisted service
is accessed by signing into the managed account (e.g. "user@contoso.com" signed into OneDrive), it should be
represented by the AccountDocument location. If the unknown or unlisted service signs in through another account
(e.g. "user@contoso.com" signed into Dropbox), it is not accessing the location with a managed account and
should be represented by the Other location.
Sharing blocked alert
A UI helper function can be used when either the isSaveToAllowedForLocation or isOpenFromAllowedForLocation API
is called and found to block the save/open action. If the app wants to notify the user that the action was blocked, it
can call the showSharingBlockedMessage API defined in IntuneMAMUIHelper.h to present an alert view with a generic
message.

Share Data via UIActivityViewController


Starting in release 8.0.2, the Intune App SDK can filter UIActivityViewController actions so that only Intune
managed share locations are available to select. This behavior will be controlled by the application data transfer
policy.
'Copy To' actions
When sharing documents via the UIActivityViewController and UIDocumentInteractionController , iOS displays
'Copy to' actions for each application that supports opening the document being shared. Applications declare the
document types they support through the CFBundleDocumentTypes setting in their Info.plist. This type of sharing will
no longer be available if the policy prohibits sharing to unmanaged applications. As a replacement, user will have
to add a non-UI Action extension to their application and link it to the Intune App SDK. The Action extension is
merely a stub. The SDK will implement the file sharing behavior. Follow the steps below:
1. Your application must have at least one schemeURL defined under its Info.plist CFBundleURLTypes along with
its -intunemam counterpart. For example:

<key>CFBundleURLSchemes</key>
<array>
<string>launch-com.contoso.myapp</string>
<string>launch-com.contoso.myapp-intunemam</string>
</array>

2. Both your application and action extension must share at least one App Group, and the App Group must be
listed under the AppGroupIdentifiers array under the app's and the extension's IntuneMAMSettings
dictionaries.
3. Both your application and action extension must have the Keychain Sharing capability and share the
com.microsoft.intune.mam keychain group.

4. Name the action extension "Open in" followed by the application name. Localize the Info.plist as needed.
5. Provide a template icon for the extension as described by Apple's developer documentation. Alternatively,
the IntuneMAMConfigurator tool can be used to generate these images from the application .app directory.
To do this, run:
IntuneMAMConfigurator -generateOpenInIcons /path/to/app.app -o /path/to/output/directory

6. Under IntuneMAMSettings in the extension's Info.plist, add a Boolean setting named OpenInActionExtension
with value YES.
7. Configure the NSExtensionActivationRule to support a single file and all types from the application's
CFBundleDocumentTypes prefixed with com.microsoft.intune.mam. For example, if the application supports
public.text and public.image, the activation rule would be:

    SUBQUERY (
        extensionItems,
        $extensionItem,
        SUBQUERY (
            $extensionItem.attachments,
            $attachment,
            ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "com.microsoft.intune.mam.public.text" ||
            ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "com.microsoft.intune.mam.public.image"
        ).@count == 1
    ).@count == 1

Update existing Share and Action extensions


If your app already contains Share or Action extensions, then their NSExtensionActivationRule will have to be
modified to allow the Intune types. For each type supported by the extension, add an additional type prefixed with
com.microsoft.intune.mam. For example, if the existing activation rule is:

    SUBQUERY (
        extensionItems,
        $extensionItem,
        SUBQUERY (
            $extensionItem.attachments,
            $attachment,
            ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "public.url" ||
            ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "public.plain-text" ||
            ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "public.image" ||
            ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "public.data"
        ).@count > 0
    ).@count > 0

It should be changed to:

    SUBQUERY (
        extensionItems,
        $extensionItem,
        SUBQUERY (
            $extensionItem.attachments,
            $attachment,
            ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "public.url" ||
            ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "public.plain-text" ||
            ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "public.image" ||
            ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "public.data" ||
            ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "com.microsoft.intune.mam.public.url" ||
            ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "com.microsoft.intune.mam.public.plain-text" ||
            ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "com.microsoft.intune.mam.public.image" ||
            ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "com.microsoft.intune.mam.public.data"
        ).@count > 0
    ).@count > 0

NOTE
The IntuneMAMConfigurator tool can be used to add the Intune types to the activation rule. If your existing activation rule
uses the predefined string constants (e.g. NSExtensionActivationSupportsFileWithMaxCount,
NSExtensionActivationSupportsText, etc.), the predicate syntax can get quite complex. The IntuneMAMConfigurator tool can
also be used to convert the activation rule from the string constants to a predicate string while adding the Intune types.

What the UI should look like


Old UI:

New UI:

Enable targeted configuration (APP/MAM app config) for your iOS applications


MAM targeted configuration (also known as MAM app config) allows an app to receive configuration data through
the Intune SDK. The format and variants of this data must be defined and communicated to Intune customers by
the app owner/developer.
Intune administrators can target and deploy configuration data via the Intune Azure portal and Intune Graph API.
As of version 7.0.1 of the Intune App SDK for iOS, apps that are participating in MAM targeted configuration can be
provided MAM targeted configuration data via the MAM Service. The application configuration data is pushed
through our MAM Service directly to the app instead of through the MDM channel. The Intune App SDK provides a
class to access the data retrieved from these consoles. The following items are prerequisites:
The app needs to be enrolled with the Intune MAM service before you access the MAM targeted config UI.
For more information, see Receive app protection policy.
Include IntuneMAMAppConfigManager.h in your app's source file.
Call [[IntuneMAMAppConfigManager instance] appConfigForIdentity:] to get the App Config Object.
Call the appropriate selector on the IntuneMAMAppConfig object. For example, if your application's key is a string,
you'd want to use stringValueForKey or allStringsForKey. See IntuneMAMAppConfig.h for a detailed
description of return values and error conditions.
For more information about the capabilities of the Graph API, see Graph API Reference.
For more information about how to create a MAM targeted app configuration policy in iOS, see the section on
MAM targeted app config in How to use Microsoft Intune app configuration policies for iOS/iPadOS.
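The retrieval steps above, as an added example that is not part of the Intune documentation or SDK: it reads one admin-delivered string through the app config object, resolves the case where several policies supply different values, and validates the value before the app relies on it. The selector shapes are assumed from IntuneMAMAppConfig.h as recalled by the example's author (check them against the header in your SDK version); "ServerURL" and the fallback URL are constructed values.

```objc
// Added example (not from the Intune documentation or SDK): read an admin-delivered
// setting through MAM targeted app config and validate it before use.
// Assumptions: selector shapes follow IntuneMAMAppConfig.h as recalled by the author
// of this example; "ServerURL" is a constructed key the app owner would document for
// admins; the default URL is a constructed placeholder.
#import <Foundation/Foundation.h>
#import <IntuneMAM/IntuneMAMAppConfigManager.h>
#import <IntuneMAM/IntuneMAMAppConfig.h>

static NSString *const kServerURLKey = @"ServerURL";                        // constructed key
static NSString *const kDefaultServerURL = @"https://api.example.invalid/"; // constructed fallback

// Accept only absolute HTTPS URLs with a host. App config is admin-controlled, but a
// typo or an http:// value would otherwise silently downgrade the app's transport.
static BOOL isAcceptableServerURL(NSString *value)
{
    NSURL *url = value.length ? [NSURL URLWithString:value] : nil;
    return url != nil
        && url.host.length > 0
        && [url.scheme.lowercaseString isEqualToString:@"https"];
}

// Effective server URL for an identity that is already enrolled with the MAM service.
NSString *serverURLForIdentity(NSString *upn)
{
    id<IntuneMAMAppConfig> config =
        [[IntuneMAMAppConfigManager instance] appConfigForIdentity:upn];

    // Several policies can target the same user with different values for one key.
    // Resolve that explicitly instead of letting an arbitrary value win.
    if ([config hasConflict:kServerURLKey]) {
        for (NSString *candidate in [config allStringsForKey:kServerURLKey]) {
            if (isAcceptableServerURL(candidate)) {
                return candidate;   // first acceptable candidate wins; log the conflict in real code
            }
        }
        return kDefaultServerURL;
    }

    NSString *value = [config stringValueForKey:kServerURLKey queryType:IntuneMAMStringAny];
    return isAcceptableServerURL(value) ? value : kDefaultServerURL;
}
```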

Telemetry
By default, the Intune App SDK for iOS collects telemetry on the following types of events:
App launch: To help Microsoft Intune learn about MAM-enabled app usage by management type (MAM
with MDM, MAM without MDM enrollment, and so on).
Enrollment calls: To help Microsoft Intune learn about success rate and other performance metrics of
enrollment calls initiated from the client side.
Intune actions: To help diagnose issues and ensure Intune functionality, we collect information about
Intune SDK actions.

NOTE
If you choose not to send Intune App SDK telemetry data to Microsoft Intune from your mobile application, you must
disable Intune App SDK telemetry capture. Set the property MAMTelemetryDisabled to YES in the IntuneMAMSettings
dictionary.

Enable multi-identity (optional)


By default, the SDK applies a policy to the app as a whole. Multi-identity is a MAM feature that you can enable to
apply a policy on a per-identity level. This requires more app participation than other MAM features.
The app must inform the app SDK when it intends to change the active identity. The SDK also notifies the app when
an identity change is required. Currently, only one managed identity is supported. After the user enrolls the device
or the app, the SDK uses this identity and considers it the primary managed identity. Other users in the app will be
treated as unmanaged with unrestricted policy settings.
Note that an identity is simply defined as a string. Identities are case-insensitive. Requests to the SDK for an
identity might not return the same casing that was originally used when the identity was set.
Identity overview
An identity is simply the user name of an account (for example, user@contoso.com). Developers can set the
identity of the app on the following levels:
Process identity: Sets the process-wide identity and is mainly used for single identity applications. This
identity affects all tasks, files, and UI.
UI identity: Determines what policies are applied to UI tasks on the main thread, like cut/copy/paste, PIN,
authentication, and data sharing. The UI identity does not affect file tasks like encryption and backup.
Thread identity: Affects what policies are applied on the current thread. This identity affects all tasks, files,
and UI.
The app is responsible for setting the identities appropriately, whether or not the user is managed.
At any time, every thread has an effective identity for UI tasks and file tasks. This is the identity that's used to check
what policies, if any, should be applied. If the identity is "no identity" or the user is not managed, no policies will be
applied. The diagrams below show how the effective identities are determined.

Thread queues
Apps often dispatch asynchronous and synchronous tasks to thread queues. The SDK intercepts Grand Central
Dispatch (GCD) calls and associates the current thread identity with the dispatched tasks. When the tasks are
finished, the SDK temporarily changes the thread identity to the identity associated with the tasks, finishes the
tasks, then restores the original thread identity.
Because NSOperationQueue is built on top of GCD, NSOperations will run on the identity of the thread at the time
the tasks are added to NSOperationQueue. NSOperations or functions dispatched directly through GCD can also
change the current thread identity as they are running. This identity will override the identity inherited from the
dispatching thread.
File owner
The SDK tracks the identities of local file owners and applies policies accordingly. A file owner is established when a
file is created or when a file is opened in truncate mode. The owner is set to the effective file task identity of the
thread that's performing the task.
Alternatively, apps can set the file owner identity explicitly by using IntuneMAMFilePolicyManager. Apps can use
IntuneMAMFilePolicyManager to retrieve the file owner and set the UI identity before showing the file contents.
Shared data
If the app creates files that have data from both managed and unmanaged users, the app is responsible for
encrypting the managed user's data. You can encrypt data by using the protect and unprotect APIs in
IntuneMAMDataProtectionManager.

The protect method accepts an identity that can be a managed or unmanaged user. If the user is managed, the
data will be encrypted. If the user is unmanaged, a header will be added to the data that's encoding the identity, but
the data will not be encrypted. You can use the protectionInfo method to retrieve the data's owner.
Share extensions
If the app has a share extension, the owner of the item being shared can be retrieved through the
protectionInfoForItemProvider method in IntuneMAMDataProtectionManager. If the shared item is a file, the SDK will
handle setting the file owner. If the shared item is data, the app is responsible for setting the file owner if this data
is persisted to a file, and for calling the setUIPolicyIdentity API before showing this data in the UI.
Turn on multi-identity
By default, apps are considered single identity. The SDK sets the process identity to the enrolled user. To enable
multi-identity support, add a Boolean setting with the name MultiIdentity and a value of YES to the
IntuneMAMSettings dictionary in the app's Info.plist file.

NOTE
When multi-identity is enabled, the process identity, UI identity, and thread identities are set to nil. The app is responsible for
setting them appropriately.

Switch identities
App-initiated identity switch:
At launch, multi-identity apps are considered to be running under an unknown, unmanaged account. The
conditional launch UI will not run, and no policies will be enforced on the app. The app is responsible for
notifying the SDK whenever the identity should be changed. Typically, this will happen whenever the app is
about to show data for a specific user account.
An example is when the user attempts to open a document, a mailbox, or a tab in a notebook. The app
needs to notify the SDK before the file, mailbox, or tab is actually opened. This is done through the
setUIPolicyIdentity API in IntuneMAMPolicyManager. This API should be called whether or not the user is
managed. If the user is managed, the SDK will perform the conditional launch checks, like jailbreak
detection, PIN, and authentication.
The result of the identity switch is returned to the app asynchronously through a completion handler. The
app should postpone opening the document, mailbox, or tab until a success result code is returned. If the
identity switch failed, the app should cancel the task.
SDK-initiated identity switch:
Sometimes, the SDK needs to ask the app to switch to a specific identity. Multi-identity apps must
implement the identitySwitchRequired method in IntuneMAMPolicyDelegate to handle this request.
When this method is called, if the app can handle the request to switch to the specified identity, it should
pass IntuneMAMAddIdentityResultSuccess into the completion handler. If it can't handle switching the identity,
the app should pass IntuneMAMAddIdentityResultFailed into the completion handler.
The app does not have to call setUIPolicyIdentity in response to this call. If the SDK needs the app to
switch to an unmanaged user account, the empty string will be passed into the identitySwitchRequired call.
Selective wipe:
When the app is selectively wiped, the SDK will call the wipeDataForAccount method in
IntuneMAMPolicyDelegate. The app is responsible for removing the specified user's account and any data
associated with it. The SDK is capable of removing all files owned by the user and will do so if the app
returns FALSE from the wipeDataForAccount call.
Note that this method is called from a background thread. The app should not return a value until all data
for the user has been removed (with the exception of files if the app returns FALSE).
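The three flows described above (app-initiated switch, SDK-initiated switch and selective wipe) for a multi-identity mail app, as an added example that is not part of the Intune documentation or SDK. The selector shapes are assumed from IntuneMAMPolicyManager.h and IntuneMAMPolicyDelegate.h as recalled by the example's author (check them against the headers in your SDK version), and MailStore is a hypothetical app class.

```objc
// Added example (not from the Intune documentation or SDK): identity-switch and
// selective-wipe handling for a multi-identity mail app.
// Assumptions: selector shapes follow IntuneMAMPolicyManager.h and
// IntuneMAMPolicyDelegate.h as recalled by the author of this example; MailStore
// is a hypothetical app class.
#import <Foundation/Foundation.h>
#import <IntuneMAM/IntuneMAMPolicyManager.h>
#import <IntuneMAM/IntuneMAMPolicyDelegate.h>

@interface MailStore : NSObject                         // hypothetical app model
+ (instancetype)shared;
- (BOOL)hasAccount:(NSString *)upn;
- (void)showMailboxForAccount:(NSString *)upn;          // nil shows a neutral, data-free screen
- (void)removeAccountAndData:(NSString *)upn;           // synchronous: account records and cached mail
@end

@interface MailboxCoordinator : NSObject <IntuneMAMPolicyDelegate>
- (void)openMailboxForAccount:(NSString *)upn;
@end

@implementation MailboxCoordinator

// App-initiated switch. Called whether or not the account is managed: the SDK decides
// which conditional-launch checks (PIN, authentication, jailbreak detection) apply.
// Nothing belonging to the account is rendered until the SDK reports success.
- (void)openMailboxForAccount:(NSString *)upn
{
    [[IntuneMAMPolicyManager instance] setUIPolicyIdentity:upn
        completionHandler:^(IntuneMAMSwitchIdentityResult result) {
            if (result != IntuneMAMSwitchIdentityResultSuccess) {
                // Refused (failed PIN, blocked account, ...): cancel, never fall through to the UI.
                NSLog(@"identity switch to %@ refused (%ld)", upn, (long)result);
                return;
            }
            dispatch_async(dispatch_get_main_queue(), ^{
                [[MailStore shared] showMailboxForAccount:upn];
            });
        }];
}

// SDK-initiated switch. An empty identity means "show an unmanaged account".
// Report success only if the app can really present that identity; there is no
// need to call setUIPolicyIdentity from here.
- (void)identitySwitchRequired:(NSString *)identity
                        reason:(IntuneMAMIdentitySwitchReason)reason
             completionHandler:(void (^)(IntuneMAMAddIdentityResult))completionHandler
{
    BOOL unmanaged = (identity.length == 0);
    if (!unmanaged && ![[MailStore shared] hasAccount:identity]) {
        completionHandler(IntuneMAMAddIdentityResultFailed);
        return;
    }
    dispatch_async(dispatch_get_main_queue(), ^{
        [[MailStore shared] showMailboxForAccount:(unmanaged ? nil : identity)];
        completionHandler(IntuneMAMAddIdentityResultSuccess);
    });
}

// Selective wipe, invoked on a background thread. Remove the account's data before
// returning; returning NO additionally asks the SDK to delete every file it tracks
// as owned by this identity, which covers attachments the app never catalogued.
- (BOOL)wipeDataForAccount:(NSString *)upn
{
    [[MailStore shared] removeAccountAndData:upn];
    return NO;
}

@end
```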

Siri Intents
If your app integrates with Siri Intents, please make sure to read the comments for areSiriIntentsAllowed in
IntuneMAMPolicy.h for instructions on supporting this scenario.

Notifications
If your app receives notifications, please make sure to read the comments for notificationPolicy in
IntuneMAMPolicy.h for instructions on supporting this scenario. It is recommended that apps register for
IntuneMAMPolicyDidChangeNotification described in IntuneMAMPolicyManager.h, and communicate this value to their
UNNotificationServiceExtension via the keychain.

Displaying web content within an application


If your application has the ability to display websites within a webview, you might need to add logic to prevent data
leaks, depending on the specific scenario.
Webviews that display only non-corporate content/websites
If your application doesn't display any corporate data in the webview and users have the ability to browse to
arbitrary sites where they might potentially copy and paste managed data from other parts of the application into
a public forum, the application is responsible for setting the current identity so that managed data can't be leaked
through the webview. Examples of this are Suggest a Feature or Feedback webpages that have either direct or
indirect links to a search engine. Multi-identity applications should call IntuneMAMPolicyManager
setUIPolicyIdentity, passing in the empty string prior to displaying the webview. After the webview is dismissed, the
application should call setUIPolicyIdentity, passing in the current identity. Single-identity applications should call
IntuneMAMPolicyManager setCurrentThreadIdentity, passing in the empty string prior to displaying the webview.
After the webview is dismissed, the application should call setCurrentThreadIdentity, passing in nil. This ensures
that the Intune SDK treats the webview as unmanaged, and that it doesn't allow managed data from other parts of
the application to be pasted into the webview if policy is configured as such.
Webviews that display only corporate content/websites
If your application displays only corporate data in the webview and users can't browse to arbitrary sites, no
changes are required.
Webviews that might display both corporate and non-corporate content/websites
For this scenario, only WKWebView is supported. Applications that use the legacy UIWebView should transition
to WKWebView. If your application does display corporate content within the WKWebView, and users can also
access non-corporate content/websites which may lead to data leaks, the application should implement the
isExternalURL: delegate method defined in IntuneMAMPolicyDelegate.h. Applications should determine if the URL
passed to the delegate method represents a corporate website where managed data can be pasted in or a
non-corporate website that could leak corporate data.
Returning NO in isExternalURL will tell the Intune SDK that the website being loaded is a corporate location where
managed data can be shared. If YES is returned, the Intune SDK will open the URL in Edge rather than the
WKWebView if current policy settings require it. This will ensure that no managed data from within the app can be
leaked to the external website.
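The isExternalURL: decision and the identity bracketing for a non-corporate webview, as an added example that is not part of the Intune documentation or SDK. The selector shapes are assumed from IntuneMAMPolicyDelegate.h and IntuneMAMPolicyManager.h as recalled by the example's author, and the corporate host list is constructed sample data.

```objc
// Added example (not from the Intune documentation or SDK): classify WKWebView
// navigations for the SDK and bracket a public feedback page so managed data
// cannot be pasted into it.
// Assumptions: selector shapes follow IntuneMAMPolicyDelegate.h and
// IntuneMAMPolicyManager.h as recalled by the author of this example; the host
// list is constructed sample data (a real app would take it from build config or
// MAM app config).
#import <Foundation/Foundation.h>
#import <IntuneMAM/IntuneMAMPolicyManager.h>
#import <IntuneMAM/IntuneMAMPolicyDelegate.h>

@interface WebPolicyDelegate : NSObject <IntuneMAMPolicyDelegate>
@property (nonatomic, copy) NSArray<NSString *> *corporateHosts;  // lowercase host names
@end

@implementation WebPolicyDelegate

- (instancetype)init
{
    if ((self = [super init])) {
        // Constructed sample allowlist: exact hosts and their subdomains count as corporate.
        _corporateHosts = @[ @"intranet.contoso.com", @"contoso.sharepoint.com" ];
    }
    return self;
}

- (BOOL)isCorporateHost:(NSString *)host
{
    NSString *h = host.lowercaseString;
    for (NSString *corp in self.corporateHosts) {
        // Require the dot before the suffix: a bare hasSuffix would also accept
        // "notcontoso.sharepoint.com".
        if ([h isEqualToString:corp] || [h hasSuffix:[@"." stringByAppendingString:corp]]) {
            return YES;
        }
    }
    return NO;
}

// NO: corporate location, managed data may be shared into the page.
// YES: external; when policy requires it, the SDK opens the URL in Edge instead of
// the WKWebView. URLs without a host (about:, data:, file:) are treated as external
// by default; relax that only for local content the app generates itself.
- (BOOL)isExternalURL:(NSURL *)url
{
    NSString *host = url.host;
    if (host.length == 0) {
        return YES;
    }
    return ![self isCorporateHost:host];
}

@end

// Single-identity app showing a public "Send feedback" page: clear the thread
// identity before presenting the webview and restore it (nil) when it is
// dismissed. Both calls must run on the same thread (here: main). A multi-identity
// app would call setUIPolicyIdentity with @"" and then with the current UPN instead.
void presentUnmanagedWebView(void (^presentWebView)(void (^onDismiss)(void)))
{
    IntuneMAMPolicyManager *mam = [IntuneMAMPolicyManager instance];
    [mam setCurrentThreadIdentity:@""];
    presentWebView(^{
        [mam setCurrentThreadIdentity:nil];
    });
}
```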

iOS best practices


Here are recommended best practices for developing for iOS:
The iOS file system is case-sensitive. Ensure that the case is correct for file names like libIntuneMAM.a and
IntuneMAMResources.bundle.

If Xcode has trouble finding libIntuneMAM.a, you can fix the problem by adding the path to this library into
the linker search paths.

FAQs
Are all of the APIs addressable through native Swift or the Objective-C and Swift interoperability?
The Intune App SDK APIs are in Objective-C only and do not support native Swift. Swift interoperability with
Objective-C is required.
Do all users of my application need to be registered with the APP-WE service?
No. In fact, only work or school accounts should be registered with the Intune App SDK. Apps are responsible for
determining if an account is used in a work or school context.
What about users that have already signed in to the application? Do they need to be enrolled?
The application is responsible for enrolling users after they have been successfully authenticated. The application is
also responsible for enrolling any existing accounts that might have been present before the application had
MDM-less MAM functionality.
To do this, the application should make use of the registeredAccounts: method. This method returns an
NSDictionary that has all of the accounts registered into the Intune MAM service. If any existing accounts in the
application are not in the list, the application should register and enroll those accounts via
registerAndEnrollAccount:.

How often does the SDK retry enrollments?


The SDK will automatically retry all previously failed enrollments on a 24-hour interval. The SDK does this to
ensure that if a user's organization enabled MAM after the user signed in to the application, the user will
successfully enroll and receive policies.
The SDK will stop retrying when it detects that a user has successfully enrolled the application. This is because only
one user can enroll an application at a particular time. If the user is unenrolled, the retries will begin again on the
same 24-hour interval.
Why does the user need to be deregistered?
The SDK will take these actions in the background periodically:
If the application is not yet enrolled, it will try to enroll all registered accounts every 24 hours.
If the application is enrolled, the SDK will check for MAM policy updates every 8 hours.
Deregistering a user notifies the SDK that the user will no longer use the application, and the SDK can stop any of
the periodic events for that user account. It also triggers an app unenroll and selective wipe if necessary.
Should I set the doWipe flag to true in the deregister method?
This method should be called before the user is signed out of the application. If the user's data is deleted from the
application as part of the sign-out, doWipe can be set to false. But if the application does not remove the user's
data, doWipe should be set to true so that the SDK can delete the data.
Are there any other ways that an application can be un-enrolled?
Yes, the IT admin can send a selective wipe command to the application. This will deregister and unenroll the user,
and it will wipe the user's data. The SDK automatically handles this scenario and sends a notification via the
unenroll delegate method.
Is there a sample app that demonstrates how to integrate the SDK?
Yes! We just recently revamped our open-source sample app Wagr for iOS. Wagr is now enabled for app
protection policy using the Intune App SDK.
How can I troubleshoot my app?
The Intune SDK for iOS 9.0.3+ supports the ability to add a diagnostics console within the mobile app for testing
policies and logging errors. IntuneMAMDiagnosticConsole.h defines the IntuneMAMDiagnosticConsole class interface,
which developers can use to display the Intune diagnostic console. This allows end users or developers during test
to collect and share Intune logs to help diagnose any issue they may have. This API is optional for integrators.

Submit your app to the App Store


Both the static library and framework builds of the Intune App SDK are universal binaries. This means they have
code for all device and simulator architectures. Apple will reject apps submitted to the App Store if they have
simulator code. When compiling against the static library for device-only builds, the linker will automatically strip
out the simulator code. Follow the steps below to ensure all simulator code is removed before you upload your
app to the App Store.
1. Make sure IntuneMAM.framework is on your desktop.
2. Run these commands:

lipo ~/Desktop/IntuneMAM.framework/IntuneMAM -remove i386 -remove x86_64 -output ~/Desktop/IntuneMAM.device_only

cp ~/Desktop/IntuneMAM.device_only ~/Desktop/IntuneMAM.framework/IntuneMAM

The first command strips the simulator architectures from the framework's DYLIB file. The second command
copies the device-only DYLIB file back into the framework directory.
Prepare Android apps for app protection policies with the Intune App Wrapping Tool
9/4/2020 • 7 minutes to read

Use the Microsoft Intune App Wrapping Tool for Android to change the behavior of your in-house Android apps by
restricting features of the app without changing the code of the app itself.
The tool is a Windows command-line application that runs in PowerShell and creates a wrapper around your
Android app. After the app is wrapped, you can change the app's functionality by configuring mobile application
management policies in Intune.
Before running the tool, review Security considerations for running the App Wrapping Tool. To download the tool,
go to the Microsoft Intune App Wrapping Tool for Android on GitHub.

Fulfill the prerequisites for using the App Wrapping Tool


You must run the App Wrapping Tool on a Windows computer running Windows 7 or later.
Your input app must be a valid Android application package with the file extension .apk and:
It cannot be encrypted.
It must not have previously been wrapped by the Intune App Wrapping Tool.
It must be written for Android 4.0 or later.
The app must be developed by or for your company. You cannot use this tool on apps downloaded from the
Google Play Store.
To run the App Wrapping Tool, you must install the latest version of the Java Runtime Environment and then
ensure that the Java path variable has been set to C:\ProgramData\Oracle\Java\javapath in your Windows
environment variables. For more help, see the Java documentation.

NOTE
In some cases, the 32-bit version of Java may result in memory issues. It's a good idea to install the 64-bit version.

Android requires all app packages (.apk) to be signed. For reusing existing certificates and overall signing
certificate guidance, see Reusing signing certificates and wrapping apps. The Java executable keytool.exe is
used to generate new credentials needed to sign the wrapped output app. Any passwords that are set must
be secure, but make a note of them because they're needed to run the App Wrapping Tool.

NOTE
The Intune App Wrapping Tool does not support Google's v2 and upcoming v3 signature schemes for app signing.
After you have wrapped the .apk file using the Intune App Wrapping Tool, the recommendation is to use Google's
provided Apksigner tool. This will ensure that once your app gets to end user devices, it can be launched properly by
Android standards.

(Optional) Sometimes an app may hit the Dalvik Executable (DEX) size limit due to the Intune MAM SDK
classes that are added during wrapping. DEX files are a part of the compilation of an Android app. The
Intune App Wrapping Tool automatically handles DEX file overflow during wrapping for apps with a min API
level of 21 or higher (as of v. 1.0.2501.1). For apps with a min API level of < 21, best practice would be to
increase the min API level using the wrapper's -UseMinAPILevelForNativeMultiDex flag. For customers unable
to increase the app's minimum API level, the following DEX overflow workarounds are available. In certain
organizations, this may require working with whoever compiles the app (i.e., the app build team):
Use ProGuard to eliminate unused class references from the app's primary DEX file.
For customers using v3.1.0 or higher of the Android Gradle plugin, disable the D8 dexer.

Install the App Wrapping Tool


1. From the GitHub repository, download the installation file InstallAWT.exe for the Intune App Wrapping Tool
for Android to a Windows computer. Open the installation file.
2. Accept the license agreement, then finish the installation.
Note the folder to which you installed the tool. The default location is: C:\Program Files (x86)\Microsoft Intune
Mobile Application Management\Android\App Wrapping Tool.

Run the App Wrapping Tool


1. On the Windows computer where you installed the App Wrapping Tool, open a PowerShell window.
2. From the folder where you installed the tool, import the App Wrapping Tool PowerShell module:

Import-Module .\IntuneAppWrappingTool.psm1

3. Run the tool by using the Invoke-AppWrappingTool command, which has the following usage syntax:

Invoke-AppWrappingTool [-InputPath] <String> [-OutputPath] <String> -KeyStorePath <String> -KeyStorePassword <SecureString>
-KeyAlias <String> -KeyPassword <SecureString> [-SigAlg <String>] [<CommonParameters>]

The following table details the properties of the Invoke-AppWrappingTool command (Property, Information,
Example):

-InputPath <String>
    Information: Path of the source Android app (.apk).

-OutputPath <String>
    Information: Path to the output Android app. If this is the same directory path as InputPath, the
    packaging will fail.

-KeyStorePath <String>
    Information: Path to the keystore file that has the public/private key pair for signing.
    Example: By default, keystore files are stored in "C:\Program Files (x86)\Java\jreX.X.X_XX\bin."

-KeyStorePassword <SecureString>
    Information: Password used to decrypt the keystore. Android requires all application packages (.apk)
    to be signed. Use Java keytool to generate the KeyStorePassword. Read more about Java KeyStore here.

-KeyAlias <String>
    Information: Name of the key to be used for signing.

-KeyPassword <SecureString>
    Information: Password used to decrypt the private key that will be used for signing.

-SigAlg <String>
    Information: (Optional) The name of the signature algorithm to be used for signing. The algorithm
    must be compatible with the private key.
    Example: SHA256withRSA, SHA1withRSA

-UseMinAPILevelForNativeMultiDex
    Information: (Optional) Use this flag to increase the source Android app's minimum API level to 21.
    This flag will prompt for confirmation as it will limit who may install this app. Users can skip the
    confirmation dialog by appending the parameter "-Confirm:$false" to their PowerShell command. The
    flag should only be used by customers on apps with min API < 21 that fail to wrap successfully due
    to DEX overflow errors.

<CommonParameters>
    Information: (Optional) The command supports common PowerShell parameters like verbose and debug.

For a list of common parameters, see the Microsoft Script Center.


To see detailed usage information for the tool, enter the command:

Help Invoke-AppWrappingTool

Example:
Import the PowerShell module.

Import-Module "C:\Program Files (x86)\Microsoft Intune Mobile Application Management\Android\App Wrapping Tool\IntuneAppWrappingTool.psm1"

Run the App Wrapping Tool on the native app HelloWorld.apk.

invoke-AppWrappingTool -InputPath .\app\HelloWorld.apk -OutputPath .\app_wrapped\HelloWorld_wrapped.apk -KeyStorePath "C:\Program Files (x86)\Java\jre1.8.0_91\bin\mykeystorefile" -keyAlias mykeyalias -SigAlg SHA1withRSA -Verbose

You will then be prompted for KeyStorePassword and KeyPassword. Enter the credentials you used to create
the key store file.
The wrapped app and a log file are generated and saved in the output path you specified.

How often should I rewrap my Android application with the Intune App
Wrapping Tool?
The main scenarios in which you would need to rewrap your applications are as follows:
The application itself has released a new version. The previous version of the app was wrapped and uploaded
to the Intune console.
The Intune App Wrapping Tool for Android has released a new version that enables key bug fixes, or new,
specific Intune application protection policy features. This happens every 6-8 weeks through the GitHub repo for
the Microsoft Intune App Wrapping Tool for Android.
Some best practices for rewrapping include:
Maintain the signing certificates used during the build process; see Reusing signing certificates and wrapping
apps.

Reusing signing certificates and wrapping apps


Android requires that all apps be signed by a valid certificate in order to be installed on Android devices.
Wrapped apps can be signed either as part of the wrapping process or after wrapping using your existing signing
tools (any signing information in the app before wrapping is discarded). If possible, the signing information that
was already used during the build process should be used during wrapping. In certain organizations, this may
require working with whoever owns the keystore information (i.e., the app build team).
If the previous signing certificate cannot be used, or the app has not been deployed before, you may create a new
signing certificate by following the instructions in the Android Developer Guide.
If the app has been deployed previously with a different signing certificate, the app can't be uploaded to Intune
after upgrade. App upgrade scenarios will be broken if your app is signed with a different certificate than the one
the app is built with. As such, any new signing certificates should be maintained for app upgrades.

Security considerations for running the App Wrapping Tool


To prevent potential spoofing, information disclosure, and elevation of privilege attacks:
Ensure that the input line-of-business (LOB) application, output application, and Java KeyStore are on the
same Windows computer where the App Wrapping Tool is running.
Import the output application to Intune on the same machine where the tool is running. See keytool for
more about the Java keytool.
If the output application and the tool are on a Universal Naming Convention (UNC) path and you are not
running the tool and input files on the same computer, set up the environment to be secure by using
Internet Protocol Security (IPsec) or Server Message Block (SMB) signing.
Ensure that the application is coming from a trusted source.
Secure the output directory that has the wrapped app. Consider using a user-level directory for the output.

See also
Decide how to prepare apps for mobile application management with Microsoft Intune
Microsoft Intune App SDK for Android developer guide
Microsoft Intune App SDK for Android developer guide
9/4/2020 • 91 minutes to read

NOTE
You might want to first read the Intune App SDK overview, which covers the current features of the SDK and describes how
to prepare for integration on each supported platform.
To download the SDK, see Download the SDK files.

The Microsoft Intune App SDK for Android lets you incorporate Intune app protection policies (also known as APP
or MAM policies) into your native Android app. An Intune-managed application is one that is integrated with the
Intune App SDK. Intune administrators can easily deploy app protection policies to your Intune-managed app
when Intune actively manages the app.

What's in the SDK


The Intune App SDK consists of the following files:
Microsoft.Intune.MAM.SDK.aar: The SDK components, with the exception of the Support Library JAR files.
Microsoft.Intune.MAM.SDK.Support.v4.jar: The classes necessary to enable MAM in apps that use the
Android v4 support library.
Microsoft.Intune.MAM.SDK.Support.v7.jar: The classes necessary to enable MAM in apps that use the
Android v7 support library.
Microsoft.Intune.MAM.SDK.Support.v17.jar: The classes necessary to enable MAM in apps that use the
Android v17 support library.
Microsoft.Intune.MAM.SDK.Support.Text.jar: The classes necessary to enable MAM in apps that use
Android support library classes in the android.support.text package.
Microsoft.Intune.MAM.SDK.DownlevelStubs.aar: This AAR contains stubs for Android system classes
which are present only on newer devices but which are referenced by methods in MAMActivity. Newer devices
will ignore these stub classes. This AAR is necessary only if your app performs reflection on classes deriving
from MAMActivity, and most apps do not need to include it. The AAR contains ProGuard rules to exclude all its
classes.
com.microsoft.intune.mam.build.jar : A Gradle plugin which aids in integrating the SDK.
CHANGELOG.md : Provides a record of changes made in each SDK version.
THIRDPARTYNOTICES.TXT : An attribution notice that acknowledges third-party and/or OSS code that will be
compiled into your app.

Requirements
Android versions
The SDK fully supports Android API 21 (Android 5.0) through Android API 29 (Android 10.0). It may be built into
an app with an Android minSDKVersion as low as 14, but on those older OS versions it will be impossible to install
the Intune Company Portal app or use MAM policies.
Company Portal app
The Intune App SDK for Android relies on the presence of the Company Portal app on the device to enable app
protection policies. The Company Portal retrieves app protection policies from the Intune service. When the app
initializes, it loads policy and code to enforce that policy from the Company Portal.

NOTE
When the Company Portal app is not on the device, an Intune-managed app behaves the same as a normal app that does
not support Intune app protection policies.

For app protection without device enrollment, the user is not required to enroll the device by using the Company
Portal app.

SDK integration
Sample app
An example of how to integrate with the Intune App SDK properly is available on GitHub. This example uses the
Gradle build plugin.
Referencing Intune App libraries
The Intune App SDK is a standard Android library with no external dependencies.
Microsoft.Intune.MAM.SDK.aar contains both the interfaces necessary for an app protection policy enablement
and the code necessary to interoperate with the Microsoft Intune Company Portal app.
Microsoft.Intune.MAM.SDK.aar must be specified as an Android library reference. To do this, open your app
project in Android Studio and go to File > New > New module and select Import .JAR/.AAR Package . Then
select our Android archive package Microsoft.Intune.MAM.SDK.aar to create a module for the .AAR file type. Right-
click the module or modules containing your app code and go to Module Settings > Dependencies tab > +
icon > Module dependency > Select the MAM SDK AAR module you just created > OK . This will ensure that
your module compiles with the MAM SDK when you build your project.
Additionally, the Microsoft.Intune.MAM.SDK.Support.XXX.jar libraries contain Intune variants of the
corresponding android.support.XXX libraries. They are not built into Microsoft.Intune.MAM.SDK.aar in case an app
does not need to depend on the support libraries.
ProGuard
If ProGuard (or any other shrinking/obfuscation mechanism) is used as a build step, the SDK has additional
configuration rules which must be included. When including the .AAR in your build, our rules are automatically
integrated into the proguard step and the necessary class files are kept.
The Azure Active Directory Authentication Library (ADAL) may have its own ProGuard restrictions. If your app
integrates ADAL, you must follow the ADAL documentation on these restrictions.
Policy enforcement
The Intune App SDK is an Android library which allows your app to support and participate in the enforcement of
Intune policies.
Most policies are enforced semi-automatically, but certain policies require explicit participation from your app to
enforce. Regardless of whether you perform source integration or use build tooling for integration, the policies
requiring explicit participation must be coded for.
For policies that are automatically enforced, apps are required to replace inheritance from several Android base
classes with inheritance from MAM equivalents and similarly replace calls to certain Android system service
classes with calls to MAM equivalents. The specific replacements needed are detailed below and can be manually
performed with source integration or performed automatically through build tooling.
Build tooling
The SDK provides build tools (a plugin for Gradle builds and a command-line tool for non-Gradle builds) that
perform MAM equivalent replacements automatically. These tools transform the class files generated by Java
compilation, and do not modify the original source code.
The tools perform direct replacements only. They do not perform any more complex SDK integrations such as
Save-As Policy, Multi-Identity, App-WE registration, AndroidManifest modifications or ADAL configuration so these
must be completed before your app is fully Intune enabled. Please carefully review the rest of this documentation
for integration points relevant to your app.

NOTE
It is fine to run the tools against a project which has already performed partial or complete source integration of the MAM
SDK through manual replacements. Your project must still list the MAM SDK as a dependency.

Gradle Build Plugin


If your app does not build with gradle, skip to Integrating with the Command Line Tool.
The App SDK plugin is distributed as part of the SDK as GradlePlugin/com.microsoft.intune.mam.build.jar .
For Gradle to be able to find the plugin, it must be added to the buildscript classpath. The plugin depends on
Javassist, which must also be added. To add these to the classpath, add the following to your root build.gradle

buildscript {
    repositories {
        jcenter()
    }
    dependencies {
        classpath "org.javassist:javassist:3.22.0-GA"
        classpath files("$PATH_TO_MAM_SDK/GradlePlugin/com.microsoft.intune.mam.build.jar")
    }
}

Then, in the build.gradle file for your APK project, simply apply the plugin as

apply plugin: 'com.microsoft.intune.mam'

By default, the plugin will operate only on project dependencies. Test compilation is not affected. Configuration
may be provided to list:
Projects to exclude
External dependencies to include
Specific classes to exclude from processing
Variants to exclude from processing. These can refer to either a complete variant name or a single flavor. For
example, if your app has build types debug and release with flavors { savory , sweet } and { vanilla , chocolate },
you could specify savory to exclude all variants with the savory flavor, or savoryVanillaRelease to exclude only
that exact variant.
Example partial build.gradle
apply plugin: 'com.microsoft.intune.mam'

dependencies {
    implementation project(':product:FooLib')
    implementation project(':product:foo-project')
    implementation fileTree(dir: "libs", include: ["bar.jar"])
    implementation fileTree(dir: "libs", include: ["zap.jar"])
    implementation "com.contoso.foo:zap-artifact:1.0.0"
    implementation "com.microsoft.bar:baz:1.0.0"
    implementation "com.microsoft.qux:foo:2.0"

    // Include the MAM SDK
    implementation files("$PATH_TO_MAM_SDK/Microsoft.Intune.MAM.SDK.aar")
}

intunemam {
    excludeProjects = [':product:FooLib']
    includeExternalLibraries = ['bar.jar', "com.contoso.foo:zap-artifact", "com.microsoft.*", "!com.microsoft.qux*"]
    excludeClasses = ['com.contoso.SplashActivity']
    excludeVariants = ['savory']
}

This would have the following effects:
:product:FooLib is not rewritten because it is included in excludeProjects
:product:foo-project is rewritten, except for com.contoso.SplashActivity which is skipped because it's in excludeClasses
bar.jar is rewritten because it is included in includeExternalLibraries
zap.jar is not rewritten because it's not a project and it's not included in includeExternalLibraries
com.contoso.foo:zap-artifact:1.0.0 is rewritten because it's included in includeExternalLibraries
com.microsoft.bar:baz:1.0.0 is rewritten because it's included in includeExternalLibraries via a wildcard ( com.microsoft.* ).
com.microsoft.qux:foo:2.0 is not rewritten even though it matches the same wildcard as the previous item because it is explicitly excluded via a negation pattern.
Usage of includeExternalLibraries
Since the plugin only operates on project dependencies (usually provided by the project() function) by default,
any dependencies specified by fileTree(...) or obtained from maven or other package sources (e.g. "
com.contoso.bar:baz:1.2.0 ") must be provided to the includeExternalLibraries property if MAM processing of
them is needed based on the criteria explained below. Wildcards ("*") are supported. An item beginning with ! is
a negation and can be used to exclude libraries which would otherwise be included by a wildcard.
When specifying external dependencies with artifact notation, it is recommended to omit the version component
in the includeExternalLibraries value. If you do include the version, it must be an exact version. Dynamic version
specifications (e.g. 1.+ ) are not supported.
The general rule you should use to determine if you need to include libraries in includeExternalLibraries is based
on two questions:
1. Does the library have classes in it for which there are MAM equivalents? Examples: Activity , Fragment ,
ContentProvider , Service etc.
2. If yes, does your app make use of those classes?
If you answer 'yes' to both of those questions, then you must include that library in includeExternalLibraries .
SCENARIO | SHOULD INCLUDE?
You include a PDF viewer library in your app and you use the viewer Activity in your application when users try to view PDFs | Yes
You include an HTTP library in your app for enhanced web performance | No
You include a library like React Native that contains classes derived from Activity , Application and Fragment and you use or further derive those classes in your app | Yes
You include a library like React Native that contains classes derived from Activity , Application and Fragment but you only use static helpers or utility classes | No
You include a library that contains view classes derived from TextView and you use or further derive those classes in your app | Yes

Reporting
The build plugin can generate an html report of the changes it makes. To request generation of this report, specify
report = true in the intunemam configuration block. If generated, the report will be written to outputs/logs in
the build directory.

intunemam {
report = true
}

Verification
The build plugin can run additional verification to look for possible errors in processing classes. To request this,
specify verify = true in the intunemam configuration block. Note that this may add several seconds to the time
taken by the plugin's task.

intunemam {
verify = true
}

Incremental builds
To enable support for building incrementally, specify incremental = true in the intunemam configuration block.
This is an experimental feature aimed at increasing build performance by processing only the input files that have
changed. The default configuration is false .

intunemam {
incremental = true
}

Dependencies
The gradle plugin has a dependency on Javassist, which must be available to Gradle's dependency resolution (as
described above). Javassist is used solely at build time when running the plugin. No Javassist code will be added to
your app.
NOTE
You must be using version 3.0 or newer of the Android Gradle plugin and Gradle 4.1 or newer.

Command Line Build Tool


If your build uses Gradle, skip to the next section.
The command-line build tool is available in the BuildTool folder of the SDK drop. It performs the same function
as the Gradle plugin detailed above, but can be integrated into custom or non-Gradle build systems. As it is more
generic, it is more complex to invoke, so the Gradle plugin should be used when it is possible to do so.
Using the Command-Line Tool
The command-line tool can be invoked by using the provided helper scripts located in the BuildTool\bin
directory.
The tool expects the following parameters.

PARAMETER | DESCRIPTION
--input | A semi-colon delimited list of jar files and directories of class files to modify. This should include all jars/directories that you intend to rewrite.
--output | A semi-colon delimited list of jar files and directories to store the modified classes to. There should be one output entry per input entry, and they should be listed in order.
--classpath | The build classpath. This may contain both jars and class directories.
--excludeClasses | A semi-colon delimited list containing the names of the classes that should be excluded from rewriting.

All parameters are required except for --excludeClasses , which is optional.

NOTE
On Unix-like systems the semi-colon is a command separator. To prevent the shell from splitting the command, escape
each semi-colon with a backslash ('\') or wrap the full parameter in quotation marks.

Example Command-Line Tool invocation

> BuildTool\bin\BuildTool.bat --input build\product-foo-project;libs\bar.jar --output mam-build\product-foo-project;mam-build\libs\bar.jar --classpath build\zap.jar;libs\Microsoft.Intune.MAM.SDK\classes.jar;%ANDROID_SDK_ROOT%\platforms\android-27\android.jar --excludeClasses com.contoso.SplashActivity

This would have the following effects:
the product-foo-project directory is rewritten to mam-build\product-foo-project
bar.jar is rewritten to mam-build\libs\bar.jar
zap.jar is not rewritten because it is only listed in --classpath
The com.contoso.SplashActivity class is not rewritten even if it is in --input
NOTE
The build tool does not currently support aar files. If your build system does not already extract classes.jar when dealing
with aar files, you will need to do so before invoking the build tool.

Class and method replacements

NOTE
Apps should integrate with the SDK build tooling, which will perform all of these replacements automatically (except for
manifest replacements).

Android base classes must be replaced with their respective MAM equivalents in order to enable Intune
management. The SDK classes live between the Android base class and the app's own derived version of that class.
For example, an app activity might end up with an inheritance hierarchy that looks like: Activity > MAMActivity
> AppSpecificActivity . The MAM layer filters calls to system operations in order to seamlessly provide your app
with a managed view of the world.
In addition to base classes, some classes your app might use without deriving (e.g. MediaPlayer ) also have
required MAM equivalents, and some method calls must also be replaced. The precise details are given below.

NOTE
If your app is integrating with SDK build tooling, the following class and method replacements are performed automatically.

ANDROID BASE CLASS | INTUNE APP SDK REPLACEMENT
android.app.Activity | MAMActivity
android.app.ActivityGroup | MAMActivityGroup
android.app.AliasActivity | MAMAliasActivity
android.app.Application | MAMApplication
android.app.Dialog | MAMDialog
android.app.AlertDialog.Builder | MAMAlertDialogBuilder
android.app.DialogFragment | MAMDialogFragment
android.app.ExpandableListActivity | MAMExpandableListActivity
android.app.Fragment | MAMFragment
android.app.IntentService | MAMIntentService
android.app.LauncherActivity | MAMLauncherActivity
android.app.ListActivity | MAMListActivity
android.app.ListFragment | MAMListFragment
android.app.NativeActivity | MAMNativeActivity
android.app.PendingIntent | MAMPendingIntent (see Pending Intent)
android.app.Service | MAMService
android.app.TabActivity | MAMTabActivity
android.app.TaskStackBuilder | MAMTaskStackBuilder
android.app.backup.BackupAgent | MAMBackupAgent
android.app.backup.BackupAgentHelper | MAMBackupAgentHelper
android.app.backup.FileBackupHelper | MAMFileBackupHelper
android.app.backup.SharePreferencesBackupHelper | MAMSharedPreferencesBackupHelper
android.content.BroadcastReceiver | MAMBroadcastReceiver
android.content.ContentProvider | MAMContentProvider
android.os.Binder | MAMBinder (Only necessary if the Binder is not generated from an Android Interface Definition Language (AIDL) interface)
android.media.MediaPlayer | MAMMediaPlayer
android.media.MediaMetadataRetriever | MAMMediaMetadataRetriever
android.provider.DocumentsProvider | MAMDocumentsProvider
android.preference.PreferenceActivity | MAMPreferenceActivity
android.support.multidex.MultiDexApplication | MAMMultiDexApplication
android.widget.TextView | MAMTextView
android.widget.AutoCompleteTextView | MAMAutoCompleteTextView
android.widget.CheckedTextView | MAMCheckedTextView
android.widget.EditText | MAMEditText
android.inputmethodservice.ExtractEditText | MAMExtractEditText
android.widget.MultiAutoCompleteTextView | MAMMultiAutoCompleteTextView

NOTE
Even if your application does not have a need for its own derived Application class, see MAMApplication below.

Microsoft.Intune.MAM.SDK.Support.v4.jar:
ANDROID CLASS | INTUNE APP SDK REPLACEMENT
android.support.v4.app.DialogFragment | MAMDialogFragment
android.support.v4.app.FragmentActivity | MAMFragmentActivity
android.support.v4.app.Fragment | MAMFragment
android.support.v4.app.JobIntentService | MAMJobIntentService
android.support.v4.app.TaskStackBuilder | MAMTaskStackBuilder
android.support.v4.content.FileProvider | MAMFileProvider
android.support.v4.content.WakefulBroadcastReceiver | MAMWakefulBroadcastReceiver

Microsoft.Intune.MAM.SDK.Support.v7.jar:
ANDROID CLASS | INTUNE APP SDK REPLACEMENT
android.support.v7.app.AlertDialog.Builder | MAMAlertDialogBuilder
android.support.v7.app.AppCompatActivity | MAMAppCompatActivity
android.support.v7.widget.AppCompatAutoCompleteTextView | MAMAppCompatAutoCompleteTextView
android.support.v7.widget.AppCompatCheckedTextView | MAMAppCompatCheckedTextView
android.support.v7.widget.AppCompatEditText | MAMAppCompatEditText
android.support.v7.widget.AppCompatMultiAutoCompleteTextView | MAMAppCompatMultiAutoCompleteTextView
android.support.v7.widget.AppCompatTextView | MAMAppCompatTextView

Microsoft.Intune.MAM.SDK.Support.v17.jar:
ANDROID CLASS | INTUNE APP SDK REPLACEMENT
android.support.v17.leanback.widget.SearchEditText | MAMSearchEditText

Microsoft.Intune.MAM.SDK.Support.Text.jar:
ANDROID CLASS | INTUNE APP SDK REPLACEMENT
android.support.text.emoji.widget.EmojiAppCompatEditText | MAMEmojiAppCompatEditText
android.support.text.emoji.widget.EmojiAppCompatTextView | MAMEmojiAppCompatTextView
android.support.text.emoji.widget.EmojiEditText | MAMEmojiEditText
android.support.text.emoji.widget.EmojiTextView | MAMEmojiTextView

Renamed Methods
In many cases, a method available in the Android class has been marked as final in the MAM replacement class. In
this case, the MAM replacement class provides a similarly named method (generally suffixed with MAM ) that you
should override instead. For example, when deriving from MAMActivity , instead of overriding onCreate() and
calling super.onCreate() , your activity must override onMAMCreate() and call super.onMAMCreate() . The Java
compiler enforces the final restrictions, which prevents accidentally overriding the original method instead of the
MAM equivalent.
MAMApplication
If your app creates a subclass of android.app.Application , then you must create a subclass of
com.microsoft.intune.mam.client.app.MAMApplication instead. If your app does not subclass
android.app.Application , then you must set "com.microsoft.intune.mam.client.app.MAMApplication" as the
"android:name" attribute in your AndroidManifest.xml's <application> tag.
PendingIntent
Instead of PendingIntent.get* , you must use the MAMPendingIntent.get* method. After this, you can use the
resultant PendingIntent as usual.
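As an added example (not code from the Intune documentation or from the SDK's sample app), the following shows what the replacements described above look like in source: an Application subclass, an Activity subclass that overrides the MAM-suffixed lifecycle methods instead of the final originals, and a MAMPendingIntent call in place of PendingIntent.get* . The com.contoso.example package, the class names and the layout resource are hypothetical; the Intune SDK package names are those this editor knows from the SDK and should be checked against the SDK drop you integrate.

```java
// Added example. Each class belongs in its own .java file in the hypothetical
// app package com.contoso.example; they are shown together for brevity.
package com.contoso.example;

import android.app.PendingIntent;
import android.content.Intent;
import android.os.Bundle;

import com.microsoft.intune.mam.client.app.MAMActivity;
import com.microsoft.intune.mam.client.app.MAMApplication;
import com.microsoft.intune.mam.client.app.MAMPendingIntent;

// ---- ContosoApplication.java ----
// Replaces android.app.Application. AndroidManifest.xml must point at it:
//   <application android:name="com.contoso.example.ContosoApplication" ...>
// An app with no Application subclass of its own would instead set
//   android:name="com.microsoft.intune.mam.client.app.MAMApplication".
public class ContosoApplication extends MAMApplication {
    @Override
    public void onMAMCreate() {
        // onCreate() is final in MAMApplication; app start-up work goes here,
        // after the MAM layer has initialized.
        super.onMAMCreate();
    }
}

// ---- MainActivity.java ----
// Replaces android.app.Activity: Activity > MAMActivity > MainActivity.
public class MainActivity extends MAMActivity {
    private static final int REQ_OPEN_DETAIL = 1; // hypothetical request code

    @Override
    protected void onMAMCreate(Bundle savedInstanceState) {
        // Replaces onCreate(): the MAM layer runs first, then hands control here.
        super.onMAMCreate(savedInstanceState);
        setContentView(R.layout.activity_main); // hypothetical layout resource
    }

    @Override
    protected void onMAMResume() {
        // Replaces onResume(). Policy such as a PIN prompt may already have
        // been applied by the MAM layer before this point.
        super.onMAMResume();
    }

    // PendingIntent.getActivity(...) becomes MAMPendingIntent.getActivity(...);
    // the returned PendingIntent is used exactly as before.
    PendingIntent detailPendingIntent() {
        Intent detail = new Intent(this, DetailActivity.class); // hypothetical activity
        return MAMPendingIntent.getActivity(this, REQ_OPEN_DETAIL, detail,
                PendingIntent.FLAG_UPDATE_CURRENT);
    }
}
```

With the Gradle plugin or the command-line tool in the build, the two base-class replacements are performed on the compiled class files automatically; writing them in source as above is what the tooling produces, and either form must still be paired with the manifest entry shown in the comment.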
Wrapped System Services
For some system service classes, it is necessary to call a static method on a MAM wrapper class instead of directly
invoking the desired method on the service instance. For example, a call to
getSystemService(ClipboardManager.class).getPrimaryClip() must become a call to
MAMClipboardManager.getPrimaryClip(getSystemService(ClipboardManager.class)) . It is not recommended to make
these replacements manually. Instead, let the BuildPlugin do it.

ANDROID CLASS | INTUNE APP SDK REPLACEMENT
android.content.ClipboardManager | MAMClipboard
android.content.ContentProviderClient | MAMContentProviderClientManagement
android.content.ContentResolver | MAMContentResolverManagement
android.content.pm.PackageManager | MAMPackageManagement
android.app.DownloadManager | MAMDownloadManagement
android.print.PrintManager | MAMPrintManagement
android.support.v4.print.PrintHelper | MAMPrintHelperManagement
android.view.View | MAMViewManagement
android.view.DragEvent | MAMDragEventManagement
android.app.NotificationManager | MAMNotificationManagement
android.support.v4.app.NotificationManagerCompat | MAMNotificationCompatManagement

Some classes have most of their methods wrapped, e.g. ClipboardManager , ContentProviderClient ,
ContentResolver , and PackageManager while other classes have only one or two methods wrapped, e.g.
DownloadManager , PrintManager , PrintHelper , View , DragEvent , NotificationManager and
NotificationManagerCompat . Please consult APIs exposed by the MAM equivalent classes for the exact method if
you do not use the BuildPlugin.
Manifest Replacements
It may be necessary to perform some of the above class replacements in the manifest as well as in Java code. Of
special note:
Manifest references to android.support.v4.content.FileProvider must be replaced with
com.microsoft.intune.mam.client.support.v4.content.MAMFileProvider .

AndroidX Libraries
With Android P, Google announced a new (renamed) set of support libraries called AndroidX, and version 28 is the
last major release of the existing android.support libraries.
Unlike with the android support libs, we do not provide MAM variants of the AndroidX libraries. Instead, AndroidX
should be treated as any other external library and should be configured to be rewritten by the build plugin/tool.
For Gradle builds, this can be done by including androidx.* in the includeExternalLibraries field of the plugin
config. Invocations of the command-line tool must list all jar files explicitly.
Pre-AndroidX Architecture Components
Many Android architecture components including Room, ViewModel, and WorkManager were repackaged for
AndroidX. If your app uses the pre-AndroidX variants of these libraries, ensure rewrites apply by including
android.arch.* in the includeExternalLibraries field of the plugin config. Alternatively, update the libraries to
their AndroidX equivalents.
Troubleshooting AndroidX Migration
While migrating your SDK-integrated app to AndroidX, you may encounter an error like the following:

incompatible types: android.support.v7.app.ActionBar cannot be converted to androidx.appcompat.app.ActionBar

These errors can occur because your app references MAM support classes. MAM support classes wrap Android
support classes that have moved in AndroidX. To combat such errors, replace all MAM support class references
with their AndroidX equivalents. This can be achieved by first removing the MAM support library dependencies
from your Gradle build files. The lines in question will look something like the following:

implementation "com.microsoft.intune.mam:android-sdk-support-v4:$intune_mam_version"
implementation "com.microsoft.intune.mam:android-sdk-support-v7:$intune_mam_version"

Then, fix the resulting compile-time errors by replacing all references to MAM classes in the
com.microsoft.intune.mam.client.support.v7 and com.microsoft.intune.mam.client.support.v4 packages with their
AndroidX equivalents. For example, references to MAMAppCompatActivity should be changed to AndroidX's
AppCompatActivity . As discussed above, the MAM build plugin/tool will automatically rewrite classes in the
AndroidX libraries with the appropriate MAM equivalents at compile time.
SDK permissions
The Intune App SDK requires three Android system permissions on apps that integrate it:
android.permission.GET_ACCOUNTS (requested at runtime if necessary)
android.permission.MANAGE_ACCOUNTS
android.permission.USE_CREDENTIALS

The Azure Active Directory Authentication Library (ADAL) requires these permissions to perform brokered
authentication. If these permissions are not granted to the app or are revoked by the user, authentication flows that
require the broker (the Company Portal app) will be disabled.

Logging
Logging should be initialized early to get the most value out of logged data. Application.onMAMCreate() is typically
the best place to initialize logging.
To receive MAM logs in your app, create a Java Handler and add it to the MAMLogHandlerWrapper . This will invoke
publish() on the application handler for every log message.

/**
 * Global log handler that enables fine grained PII filtering within MAM logs.
 *
 * To start using this you should build your own log handler and add it via
 * MAMComponents.get(MAMLogHandlerWrapper.class).addHandler(myHandler, false);
 *
 * You may also remove the handler entirely via
 * MAMComponents.get(MAMLogHandlerWrapper.class).removeHandler(myHandler);
 */
public interface MAMLogHandlerWrapper {
    /**
     * Add a handler, PII can be toggled.
     *
     * @param handler handler to add.
     * @param wantsPII if PII is desired in the logs.
     */
    void addHandler(final Handler handler, final boolean wantsPII);

    /**
     * Remove a handler.
     *
     * @param handler handler to remove.
     */
    void removeHandler(final Handler handler);
}
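The interface above takes a java.util.logging.Handler , so the handler an app registers is a subclass of that type. The following is an added example (this editor's code, not the SDK's or the documentation's) of a handler that forwards MAM log records to logcat and of the registration call made from Application.onMAMCreate() . The com.contoso.example package and the "IntuneMAM" tag are hypothetical, and the package com.microsoft.intune.mam.log for MAMLogHandlerWrapper is this editor's understanding of the SDK, to be checked against your SDK drop.

```java
// Added example: forward MAM SDK log records to logcat.
package com.contoso.example; // hypothetical app package

import android.util.Log;

import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.SimpleFormatter;

import com.microsoft.intune.mam.client.MAMComponents;
import com.microsoft.intune.mam.log.MAMLogHandlerWrapper;

public final class MamLogcatHandler extends Handler {
    private static final String TAG = "IntuneMAM"; // hypothetical log tag
    // formatMessage() substitutes {0}-style parameters and resource-bundle keys
    private static final SimpleFormatter FORMATTER = new SimpleFormatter();

    /** Creates and registers the handler; call once from Application.onMAMCreate(). */
    public static MamLogcatHandler install() {
        MamLogcatHandler handler = new MamLogcatHandler();
        // wantsPII=false: the SDK withholds PII (user names, file paths) from the
        // records this handler receives. Pass true only for internal builds whose
        // logs never leave the device.
        MAMComponents.get(MAMLogHandlerWrapper.class).addHandler(handler, false);
        return handler;
    }

    /** Unregisters the handler, e.g. when a diagnostics switch is turned off at runtime. */
    public void uninstall() {
        MAMComponents.get(MAMLogHandlerWrapper.class).removeHandler(this);
    }

    @Override
    public void publish(LogRecord record) {
        if (record == null || !isLoggable(record)) {
            return;
        }
        String message = record.getLoggerName() + ": " + FORMATTER.formatMessage(record);
        Throwable thrown = record.getThrown(); // may be null; Log.* accepts null
        int level = record.getLevel().intValue();
        if (level >= Level.SEVERE.intValue()) {
            Log.e(TAG, message, thrown);
        } else if (level >= Level.WARNING.intValue()) {
            Log.w(TAG, message, thrown);
        } else if (level >= Level.INFO.intValue()) {
            Log.i(TAG, message);
        } else {
            Log.d(TAG, message);
        }
    }

    @Override
    public void flush() {
        // android.util.Log writes synchronously; nothing is buffered here.
    }

    @Override
    public void close() {
        // No resources to release.
    }
}
```

Because the records reach publish() on whatever thread the SDK logs from, the handler keeps no mutable state; anything that buffers or uploads logs should also respect the wantsPII choice made at registration, since that is the point at which identity-bearing detail is kept out of the stream.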

Diagnostics Information
Apps can invoke the MAMPolicyManager.showDiagnostics(context) method, which starts an activity displaying UI for
collecting Company Portal logs and viewing MAM diagnostics. This is an optional feature that may assist in
debugging.
When the Company Portal is not installed on the device, a dialog informs the user that this information
is currently not available. When the app is managed by MAM policy, detailed MAM policy settings are displayed.

MAM Strict Mode


MAM Strict Mode provides a mechanism to detect "smells" in app usage of MAM APIs or MAM-restricted platform
APIs. It is loosely patterned after Android's StrictMode, and runs a set of checks which raise errors when they fail. It
is not intended to be left enabled in production builds, but you are strongly encouraged to use it in your app's
internal development, debug, and/or dogfood builds.
To enable, call

MAMStrictMode.enable();

early in application initialization (e.g. Application.onCreate ).
When a MAM Strict Mode check fails, try to determine whether it is a real issue that can be fixed in your app, or a
false positive. If you believe it's a false positive or you aren't sure, please let the Intune MAM team know. This will
allow us to make sure we agree with the false positive determination and to attempt to improve detection for
future releases. To suppress false positives, disable the failing check (more info below).
Handling Violations
When a check fails, it runs a MAMStrictViolationHandler . The default handler throws an Error , which is expected
to crash the app. This is to make failures as noisy as possible, and fits with the intention that strict mode should not
be enabled in production builds.
If your app would like to handle violations differently, it can supply its own handler by calling:

MAMStrictMode.global().setHandler(handler);

where handler implements MAMStrictViolationHandler :

public interface MAMStrictViolationHandler {
    /**
     * Called when a MAM Strict Mode check fails.
     *
     * @param check
     *            the check that failed
     * @param detail
     *            additional detail. Note that this might contain usernames or filepaths.
     * @param error
     *            error containing a stack trace. The default implementation throws this error
     */
    void checkFailed(@NonNull MAMStrictCheck check, @NonNull String detail, @NonNull Error error);
}

Suppressing Checks
If a check fails in a situation where your app is doing nothing incorrect, please report it as mentioned above.
Sometimes, however, it may be necessary to disable the check encountering a false positive, at least while waiting
for an updated SDK. The check which failed is shown in the error raised by the default handler, or is passed to a
custom handler if one is set.
Suppression can be done globally, but temporarily disabling per-thread at the specific call site is preferred. The
following examples show various ways to disable MAMStrictCheck.IDENTITY_NO_SUCH_FILE (raised if an attempt is
made to protect a file which doesn't exist).
Per-Thread Temporary Suppression
This is the preferred suppression mechanism.
try (StrictScopedDisable disable = MAMStrictMode.thread().disableScoped(MAMStrictCheck.IDENTITY_NO_SUCH_FILE)) {
    // Perform the operation which raised a violation here
}
// The check is no longer disabled once the block exits

Per-Thread Permanent Suppression

MAMStrictMode.thread().disable(MAMStrictCheck.IDENTITY_NO_SUCH_FILE);

Global (Process-Wide) Suppression

MAMStrictMode.global().disable(MAMStrictCheck.IDENTITY_NO_SUCH_FILE);
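The snippets in this section fit together as follows. This is an added example written by this editor, not code from the SDK or its documentation: strict mode is switched on only for non-release builds, dogfood builds get a custom handler that logs the failed check instead of crashing, and a per-thread scoped suppression is applied around the one call that produced a false positive. The com.contoso.example package and the build-flag arguments are hypothetical; MAMFileProtectionManager.protect is an SDK call from outside this section of the guide, and the com.microsoft.intune.mam.client.strict package name is this editor's understanding of the SDK.

```java
// Added example: enabling MAM Strict Mode per build type, handling violations,
// and scoping a suppression to one call on one thread.
package com.contoso.example; // hypothetical app package

import android.util.Log;

import java.io.File;
import java.io.IOException;

import androidx.annotation.NonNull;

import com.microsoft.intune.mam.client.identity.MAMFileProtectionManager;
import com.microsoft.intune.mam.client.strict.MAMStrictCheck;
import com.microsoft.intune.mam.client.strict.MAMStrictMode;
import com.microsoft.intune.mam.client.strict.MAMStrictViolationHandler;
import com.microsoft.intune.mam.client.strict.StrictScopedDisable;

public final class StrictModeSetup {
    private static final String TAG = "MAMStrict"; // hypothetical log tag

    private StrictModeSetup() { }

    /**
     * Call early in Application.onMAMCreate(). Pass enable=false for release
     * builds so strict mode never ships. In plain debug builds the default
     * handler is kept: a violation throws and crashes the app, which is the
     * intended, hard-to-miss signal. Dogfood builds install a handler that
     * logs and keeps running so testers are not blocked by a false positive.
     */
    public static void configure(boolean enable, boolean dogfoodBuild) {
        if (!enable) {
            return;
        }
        MAMStrictMode.enable();
        if (dogfoodBuild) {
            MAMStrictMode.global().setHandler(new MAMStrictViolationHandler() {
                @Override
                public void checkFailed(@NonNull MAMStrictCheck check,
                                        @NonNull String detail,
                                        @NonNull Error error) {
                    // 'detail' may contain user names or file paths, so only the
                    // check name and stack trace go to the log; keep 'detail' out
                    // of anything that is uploaded off the device.
                    Log.e(TAG, "MAM strict check failed: " + check, error);
                }
            });
        }
    }

    /**
     * Applies identity protection to a file that the app knows may not exist
     * yet. Used only after IDENTITY_NO_SUCH_FILE has been reported as a false
     * positive and while an SDK update is pending: the check is disabled for
     * this thread and this call only, and every other check stays active.
     */
    public static void protectPath(@NonNull File file, @NonNull String identity)
            throws IOException {
        try (StrictScopedDisable ignored =
                     MAMStrictMode.thread().disableScoped(MAMStrictCheck.IDENTITY_NO_SUCH_FILE)) {
            MAMFileProtectionManager.protect(file, identity);
        }
        // Leaving the try block re-enables the check on this thread.
    }
}
```

A typical call site is StrictModeSetup.configure(BuildConfig.DEBUG, isDogfood) from the Application subclass; keeping the two flags explicit makes it visible in code review that release builds cannot reach MAMStrictMode.enable() .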

Enable features that require app participation


There are several app protection policies the SDK cannot implement on its own. The app can control its behavior to
achieve these features by using several APIs that you can find in the following AppPolicy interface. To retrieve an
AppPolicy instance, use MAMPolicyManager.getPolicy .

/**
* External facing application policies.
*/
public interface AppPolicy {

/**
* Restrict where an app can save personal data.
* This function is now deprecated. Use getIsSaveToLocationAllowed(SaveLocation, String) instead
* @return True if the app is allowed to save to personal data stores; false otherwise.
*/
@Deprecated
boolean getIsSaveToPersonalAllowed();

/**
* Check if policy prohibits saving to a content provider location.
*
* @param location
* a content URI to check
* @return True if location is not a content URI or if policy does not prohibit saving to the content
location.
*/
boolean getIsSaveToLocationAllowed(Uri location);

/**
* Determines if the SaveLocation passed in can be saved to by the username associated with the cloud service.
*
* @param service
* The SaveLocation the data will be saved to.
* @param username
* The AAD UPN associated with the cloud service being saved to. Use null if a mapping between
* the AAD username and the cloud service username does not exist or the username is not known.
* @return true if the location can be saved to by the identity, false if otherwise.
*/
boolean getIsSaveToLocationAllowed(SaveLocation service, String username);

/**
* Determines if data from the OpenLocation can be opened for the username associated with the data.
*
* @param location
* The OpenLocation that the data will be opened from.
* @param username
* The AAD UPN associated with the location the data is being opened from. Use null if a mapping between
* The AAD UPN associated with the location the data is being opened from. Use null if a mapping between
the
* AAD username and the cloud service username does not exist or the username is not known.
* @return true if the data can be opened from the location for the identity, false if otherwise.
*/
boolean getIsOpenFromLocationAllowed(@NonNull OpenLocation location, @Nullable String username);

/**
* Checks whether any activities which could handle the given intent are allowed by policy. Returns false only
if all
* activities which could otherwise handle the intent are blocked. If there are no activities which could
handle the intent
* regardless of policy, returns true. If some activities are allowed and others blocked, returns true. Note
that it is not
* necessary to use this method for policy enforcement. If your app attempts to launch an intent for which
there are no
* allowed activities, MAM will display a dialog explaining the situation to the user.
*
* @param intent
* intent to check
*
* @return whether any activities which could handle this intent are allowed.
*/
boolean areIntentActivitiesAllowed(Intent intent);

/**
* Whether the SDK PIN prompt is enabled for the app.
*
* @return True if the PIN is enabled. False otherwise.
*/
boolean getIsPinRequired();

/**
* Whether the Intune Managed Browser is required to open web links.
* @return True if the Managed Browser is required, false otherwise
*/
boolean getIsManagedBrowserRequired();

/**
* Check if policy allows taking screenshots.
*
* @return True if screenshots are allowed, false otherwise
*/
boolean getIsScreenCaptureAllowed();

/**
* Check if policy allows Contact sync to local contact list.
*
* @return True if Contact sync is allowed to save to local contact list; false otherwise.
*/
boolean getIsContactSyncAllowed();

/**
* Get the notification restriction. If {@link NotificationRestriction#BLOCKED BLOCKED}, the app must not show
* any notifications for the user associated with this policy. If
* {@link NotificationRestriction#BLOCK_ORG_DATA BLOCK_ORG_DATA}, the app must show a modified notification that
* does not contain organization data. If {@link NotificationRestriction#UNRESTRICTED UNRESTRICTED}, all
* notifications are allowed.
*
* @return The notification restriction.
*/
NotificationRestriction getNotificationRestriction();

/**
* This method is intended for diagnostic/telemetry purposes only. It can be used to discover whether file
* encryption is in use. File encryption is transparent to the app and the app should not need to make any
* business logic decisions based on this.
*
* @return True if file encryption is in use.
*/
boolean diagnosticIsFileEncryptionInUse();

/**
* Return the policy in string format to the app.
*
* @return The string representing the policy.
*/
String toString();

NOTE
MAMPolicyManager.getPolicy will always return a non-null App Policy, even if the device or app is not under an Intune
management policy.

Example: Determine if PIN is required for the app

If the app has its own PIN user experience, you might want to disable it if the IT administrator has configured the
SDK to prompt for an app PIN. To determine if the IT administrator has deployed the app PIN policy to this app, for
the current end user, call the following method:

MAMPolicyManager.getPolicy(currentActivity).getIsPinRequired();

Example: Determine the primary Intune user

In addition to the APIs exposed in AppPolicy, the user principal name (UPN) is also exposed by the
getPrimaryUser() API defined inside the MAMUserInfo interface. To get the UPN, call the following:

MAMComponents.get(MAMUserInfo.class).getPrimaryUser();

The full definition of the MAMUserInfo interface is below:

/**
 * External facing user information.
 *
 */
public interface MAMUserInfo {
    /**
     * Get the primary user name.
     *
     * @return the primary user name or null if neither the device nor app is enrolled.
     */
    String getPrimaryUser();
}

Example: Data transfer between apps and device or cloud storage locations
Many apps implement features that allow the end user to save data to or open data from local file storage or cloud
storage services. The Intune App SDK allows IT administrators to protect against data ingress and leakage by
applying policy restrictions as they see fit in their organization.
App participation is needed to enable the feature. If your app allows saving to personal or cloud locations
directly from the app or allows for data to be opened directly into the app, you must implement the respective
feature to ensure that the IT administrator can control whether saving to / opening from a location is allowed.
Saving to device or cloud storage
The API below lets the app know whether saving to a personal store is allowed by the current Intune
administrator's policy.
To determine if the policy is enforced, make the following call:

MAMPolicyManager.getPolicy(currentActivity).getIsSaveToLocationAllowed(
SaveLocation service, String username);

The service parameter must be one of the following SaveLocation values:

SaveLocation.ONEDRIVE_FOR_BUSINESS
SaveLocation.SHAREPOINT
SaveLocation.LOCAL
SaveLocation.ACCOUNT_DOCUMENT
SaveLocation.OTHER

For determining whether ACCOUNT_DOCUMENT or OTHER should be passed to getIsSaveToLocationAllowed see
Unknown or unlisted locations for more information.
For the username parameter, see Username for data transfer for more information.
The previous method of determining whether a user's policy allowed them to save data to various locations was
getIsSaveToPersonalAllowed() within the same AppPolicy class. This function is now deprecated and should not
be used; the following invocation is equivalent to getIsSaveToPersonalAllowed():

MAMPolicyManager.getPolicy(currentActivity).getIsSaveToLocationAllowed(SaveLocation.LOCAL, null);

Opening data from a local or cloud storage location

The API below lets the app know whether opening from a personal store is allowed by the current Intune
administrator's policy.
To determine if the policy is enforced, make the following call:

MAMPolicyManager.getPolicy(currentActivity).getIsOpenFromLocationAllowed(
OpenLocation location, String username);

The location parameter must be one of the following OpenLocation values:

OpenLocation.ONEDRIVE_FOR_BUSINESS
OpenLocation.SHAREPOINT
OpenLocation.CAMERA
OpenLocation.LOCAL
OpenLocation.ACCOUNT_DOCUMENT
OpenLocation.OTHER

The OpenLocation.CAMERA location should be passed in when the app is opening data from the camera. The
OpenLocation.LOCAL location should be passed in when the app is opening data from the external storage on the
local device. The OpenLocation.ACCOUNT_DOCUMENT location should be passed in when the app is opening data that
belongs to an AAD account signed into the app.
For determining whether ACCOUNT_DOCUMENT or OTHER should be passed to getIsOpenFromLocationAllowed see
Unknown or unlisted locations for more information.
For the username parameter, see Username for data transfer for more information.
Unknown or unlisted locations
When the desired location is not listed in the SaveLocation or OpenLocation enums or it is unknown there are two
options for the service / location parameter, ACCOUNT_DOCUMENT and OTHER . ACCOUNT_DOCUMENT should be used
when the data belongs to an AAD account signed into the app, but is not ONEDRIVE_FOR_BUSINESS or SHAREPOINT
whereas OTHER should be used when that is not the case.
It is important to make the distinction clear between the managed account and an account that shares the
managed account's UPN. For example, a managed account with UPN "user@contoso.com" signed into OneDrive is
not the same as an account with UPN "user@contoso.com" signed into Dropbox. If an unknown or unlisted service
is accessed by signing into the managed account (e.g. "user@contoso.com" signed into OneDrive), it should be
represented by the ACCOUNT_DOCUMENT location. If the unknown or unlisted service signs in through another
account (e.g. "user@contoso.com" signed into Dropbox), it is not accessing the location with a managed account
and should be represented by the OTHER location.
Username for data transfer
When checking the save policy, the username should be the UPN/username/email associated with the cloud
service being saved to (not necessarily the same as the user owning the document being saved).
SaveLocation.LOCAL is not a cloud service and so should always be used with a null username parameter.

When checking the open policy, the username should be the UPN/username/email associated with the cloud
service being opened from. OpenLocation.LOCAL and OpenLocation.CAMERA are not cloud service locations and so
should always be used with a null username parameter.
The following locations will always expect a username that contains a mapping between the AAD UPN and the
cloud service username: ONEDRIVE_FOR_BUSINESS , SHAREPOINT , and ACCOUNT_DOCUMENT .
If a mapping between the AAD UPN and the cloud service username does not exist or the username is not known
use null .
Sharing blocked dialog
The SDK provides a dialog to notify the user that a data transfer action was blocked by MAM policy.
The dialog should be displayed to the user when the getIsSaveToLocationAllowed or getIsOpenFromLocationAllowed
API call results in the save/open action being blocked. The dialog displays a generic message and will return to the
Activity that called it when dismissed.

To display the dialog, make the following call:

MAMUIHelper.showSharingBlockedDialog(currentActivity)

Allow for file sharing

If saving to public storage locations is not allowed, your app should still allow the user to view files by
downloading them to app private storage and then opening them with the system chooser.
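The save/open checks, the username rule (null for LOCAL and CAMERA), the ACCOUNT_DOCUMENT versus OTHER distinction and the sharing-blocked dialog from the sections above, combined in one helper. This is an added example, not code from the Intune App SDK guide or from Microsoft. The import packages for AppPolicy, SaveLocation, OpenLocation and MAMUIHelper, the DataTransferGuard class with its methods canSaveTo, canOpenFrom, unlistedSaveLocation and viewFromPrivateStorage, and the FileProvider authority are assumptions for the example.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import androidx.core.content.FileProvider;
import com.microsoft.intune.mam.client.app.MAMUIHelper;   // package assumed
import com.microsoft.intune.mam.policy.AppPolicy;          // package assumed
import com.microsoft.intune.mam.policy.MAMPolicyManager;   // package assumed
import com.microsoft.intune.mam.policy.OpenLocation;       // package assumed
import com.microsoft.intune.mam.policy.SaveLocation;       // package assumed
import java.io.File;

/** Routes every save and open through the MAM location policy before the app touches the data. */
public final class DataTransferGuard {

    private final Activity activity;

    public DataTransferGuard(Activity activity) {
        this.activity = activity;
    }

    /**
     * True if policy lets the current user save to {@code destination}. The username is the
     * UPN/e-mail signed in to the cloud service being saved to; LOCAL is not a cloud service,
     * so it is always checked with null. When blocked, the SDK dialog explains the block and
     * returns to this Activity when dismissed.
     */
    public boolean canSaveTo(SaveLocation destination, String cloudServiceUsername) {
        AppPolicy policy = MAMPolicyManager.getPolicy(activity);
        String username = destination == SaveLocation.LOCAL ? null : cloudServiceUsername;
        boolean allowed = policy.getIsSaveToLocationAllowed(destination, username);
        if (!allowed) {
            MAMUIHelper.showSharingBlockedDialog(activity);
        }
        return allowed;
    }

    /** Same check for ingress; LOCAL and CAMERA are not cloud services and take a null username. */
    public boolean canOpenFrom(OpenLocation source, String cloudServiceUsername) {
        AppPolicy policy = MAMPolicyManager.getPolicy(activity);
        boolean notCloud = source == OpenLocation.LOCAL || source == OpenLocation.CAMERA;
        boolean allowed = policy.getIsOpenFromLocationAllowed(source, notCloud ? null : cloudServiceUsername);
        if (!allowed) {
            MAMUIHelper.showSharingBlockedDialog(activity);
        }
        return allowed;
    }

    /**
     * Location value for a service the enums do not list. Only a service reached by signing in with
     * the managed account itself is ACCOUNT_DOCUMENT; a different account that merely carries the
     * same UPN string (the guide's Dropbox case) is OTHER.
     */
    public static SaveLocation unlistedSaveLocation(boolean signedInWithManagedAccount) {
        return signedInWithManagedAccount ? SaveLocation.ACCOUNT_DOCUMENT : SaveLocation.OTHER;
    }

    /**
     * Fallback for "Allow for file sharing": the file stays in app-private storage and is handed to
     * a viewer through the system chooser instead of being exported to a blocked public location.
     * The FileProvider authority "<package>.fileprovider" must match the manifest declaration (assumed).
     */
    public void viewFromPrivateStorage(File privateCopy, String mimeType) {
        Uri uri = FileProvider.getUriForFile(
                activity, activity.getPackageName() + ".fileprovider", privateCopy);
        Intent view = new Intent(Intent.ACTION_VIEW)
                .setDataAndType(uri, mimeType)
                .addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        activity.startActivity(Intent.createChooser(view, null));
    }
}
```

A save button handler would call `new DataTransferGuard(this).canSaveTo(SaveLocation.ONEDRIVE_FOR_BUSINESS, "user@contoso.com")` and only proceed on true; because the helper already shows the SDK dialog on a block, the caller needs no further UI for the denied case.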
Example: Determine if notifications with organization data need to be restricted
If your app displays notifications, you must check the notification restriction policy for the user associated with the
notification before showing the notification. To determine if the policy is enforced, make the following call.

NotificationRestriction notificationRestriction =
MAMPolicyManager.getPolicyForIdentity(notificationIdentity).getNotificationRestriction();

If the restriction is BLOCKED , the app must not show any notifications for the user associated with this policy. If
BLOCK_ORG_DATA , the app must show a modified notification that does not contain organization data. If
UNRESTRICTED , all notifications are allowed.
If getNotificationRestriction is not invoked, the MAM SDK will make a best effort to restrict notifications
automatically for single-identity apps. If automatic blocking is enabled and BLOCK_ORG_DATA is set, the notification
will not be shown at all. For more fine-grained control, check the value of getNotificationRestriction and modify
app notifications appropriately.
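One way to apply the three restriction values when posting a notification, as an added example that is not code from the Intune App SDK guide or from Microsoft. The ManagedNotifier class, its notifyMessage method, the import package for NotificationRestriction and the notification channel are assumptions for the example; the BLOCK_ORG_DATA branch shows the "modified notification that does not contain organization data" the text requires.

```java
import android.app.NotificationManager;
import android.content.Context;
import androidx.core.app.NotificationCompat;
import com.microsoft.intune.mam.policy.MAMPolicyManager;                  // package assumed
import com.microsoft.intune.mam.policy.notification.NotificationRestriction; // package assumed

/** Posts notifications only in the shape the owning identity's MAM policy permits. */
public final class ManagedNotifier {

    private final Context context;
    private final String channelId; // id of a NotificationChannel the app created elsewhere (assumed)

    public ManagedNotifier(Context context, String channelId) {
        this.context = context.getApplicationContext();
        this.channelId = channelId;
    }

    /**
     * Shows a message notification for the identity that owns the message and returns the
     * restriction that was applied, so the decision can be logged or tested.
     *
     * @param identity the UPN the message belongs to (a multi-identity app checks per identity)
     */
    public NotificationRestriction notifyMessage(String identity, int notificationId,
                                                 String sender, String preview) {
        NotificationRestriction restriction =
                MAMPolicyManager.getPolicyForIdentity(identity).getNotificationRestriction();

        NotificationCompat.Builder builder = new NotificationCompat.Builder(context, channelId)
                .setSmallIcon(android.R.drawable.ic_dialog_email);

        switch (restriction) {
            case BLOCKED:
                // Policy forbids any notification for this user: post nothing.
                return restriction;
            case BLOCK_ORG_DATA:
                // Organization data (who wrote and what) must not reach the notification shade;
                // a generic prompt is still allowed so the user knows there is something to open.
                builder.setContentTitle("New message").setContentText("Open the app to view it");
                break;
            case UNRESTRICTED:
            default:
                builder.setContentTitle(sender).setContentText(preview);
                break;
        }

        NotificationManager manager =
                (NotificationManager) context.getSystemService(Context.NOTIFICATION_SERVICE);
        manager.notify(notificationId, builder.build());
        return restriction;
    }
}
```

Because the value is read per identity on every post, a REFRESH_POLICY notification needs no special handling here; the next call picks up the updated restriction.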

Register for notifications from the SDK

Overview
The Intune App SDK allows your app to control the behavior of certain policies, such as selective wipe, when they
are deployed by the IT administrator. When an IT administrator deploys such a policy, the Intune service sends
down a notification to the SDK.
Your app must register for notifications from the SDK by creating a MAMNotificationReceiver and registering it
with MAMNotificationReceiverRegistry . This is done by providing the receiver and the type of notification desired in
App.onCreate , as the example below illustrates:

@Override
public void onCreate() {
    super.onCreate();
    MAMComponents.get(MAMNotificationReceiverRegistry.class)
        .registerReceiver(
            new ToastNotificationReceiver(),
            MAMNotificationType.WIPE_USER_DATA);
}

MAMNotificationReceiver
The MAMNotificationReceiver interface simply receives notifications from the Intune service. Some notifications
are handled by the SDK directly, while others require the app's participation. An app must return either true or
false from a notification. It must always return true unless some action it tried to take as a result of the notification
failed.
This failure may be reported to the Intune service. An example of a scenario to report is if the app fails to wipe
user data after the IT administrator initiates a wipe.

NOTE
It is safe to block in MAMNotificationReceiver.onReceive because its callback is not running on the UI thread.

The MAMNotificationReceiver interface as defined in the SDK is included below:

/**
 * The SDK is signaling that a MAM event has occurred.
 *
 */
public interface MAMNotificationReceiver {

    /**
     * A notification was received.
     *
     * @param notification
     *            The notification that was received.
     * @return The receiver should return true if it handled the
     *         notification without error (or if it decided to ignore the
     *         notification). If the receiver tried to take some action in
     *         response to the notification but failed to complete that
     *         action it should return false.
     */
    boolean onReceive(MAMNotification notification);
}

Types of notifications
The following notifications are sent to the app and some of them may require app participation:

WIPE_USER_DATA : This notification is sent in a MAMUserNotification class. When this notification is
received, the app must delete all data associated with the managed identity (from
MAMUserNotification.getUserIdentity() ). The notification may occur for diverse reasons, including when
your app calls unregisterAccountForMAM , when an IT admin initiates a wipe, or when admin-required
conditional access policies are not satisfied. If your app does not register for this notification, default wipe
behavior will be performed. The default behavior will delete all files for a single-identity app or all files
tagged with the managed identity for a multi-identity app. This notification will never be sent on the UI
thread.

WIPE_USER_AUXILIARY_DATA : Apps can register for this notification if they'd like the Intune App SDK to
perform the default selective wipe behavior, but would still like to remove some auxiliary data when the
wipe occurs. This notification is not available to single identity-apps -- it will only be sent to multi-identity
apps. This notification will never be sent on the UI thread.

REFRESH_POLICY : This notification is sent in a MAMUserNotification . When this notification is received,
any Intune policy decisions cached by your app must be invalidated and updated. If your app does not store
any policy assumptions, it need not register for this notification. No guarantees are made as to what thread
this notification will be sent on.

REFRESH_APP_CONFIG : This notification is sent in a MAMUserNotification . When this notification is
received, any cached Application Configuration data must be invalidated and updated. No guarantees are
made as to what thread this notification will be sent on.

MANAGEMENT_REMOVED : This notification is sent in a MAMUserNotification and informs the app that it
is about to become unmanaged. Once unmanaged, it will no longer be able to read encrypted files, read
data encrypted with MAMDataProtectionManager, interact with the encrypted clipboard, or otherwise
participate in the managed-app ecosystem. See further details below. This notification will never be sent on
the UI thread.

MAM_ENROLLMENT_RESULT : This notification is sent in a MAMEnrollmentNotification to inform the app
that an APP-WE enrollment attempt has completed and to provide the status of that attempt. No guarantees
are made as to what thread this notification will be sent on.

COMPLIANCE_STATUS : This notification is sent in a MAMComplianceNotification to inform the app of the
result of a compliance remediation attempt. No guarantees are made as to what thread this notification will
be sent on.

NOTE
An app should never register for both the WIPE_USER_DATA and WIPE_USER_AUXILIARY_DATA notifications.

MANAGEMENT_REMOVED
The MANAGEMENT_REMOVED notification indicates that a previously policy-managed user will no longer be managed
by Intune MAM policy. This does not require wiping user data or signing out the user (if a wipe were required, a
WIPE_USER_DATA notification would be sent). Many apps may not need to handle this notification at all, however
apps which use MAMDataProtectionManager should take special note of this notification.
When MAM calls the app's MANAGEMENT_REMOVED receiver, the following will be true:
MAM has already decrypted previously encrypted files (but not protected data buffers) belonging to the app.
Files in public locations on the sdcard that don't directly belong to the app (e.g. the Documents or Download
folders) are not decrypted.
New files or protected data buffers created by the receiver method (or any other code running after the
receiver starts) will not be encrypted.
The app still has access to encryption keys, so operations such as decryption data buffers will succeed.
Once your app's receiver returns, it will no longer have access to encryption keys.
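A receiver that covers the three notifications discussed above (WIPE_USER_DATA, REFRESH_POLICY and MANAGEMENT_REMOVED) and the registration that wires it up, as an added example; it is not code from the Intune App SDK guide or from Microsoft. The ManagedApp and PolicyEventReceiver classes, the import packages, the per-identity directory layout under filesDir and the policyCacheValid flag are assumptions for the example. The return value follows the contract of MAMNotificationReceiver.onReceive: false only when the action the app attempted (here, the wipe) failed.

```java
import android.content.Context;
import com.microsoft.intune.mam.client.MAMComponents;                              // package assumed
import com.microsoft.intune.mam.client.app.MAMApplication;                         // package assumed
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiver;        // package assumed
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiverRegistry;// package assumed
import com.microsoft.intune.mam.policy.notification.MAMNotification;               // package assumed
import com.microsoft.intune.mam.policy.notification.MAMNotificationType;           // package assumed
import com.microsoft.intune.mam.policy.notification.MAMUserNotification;           // package assumed
import java.io.File;

/** Application subclass that registers one receiver for the notifications needing app participation. */
public class ManagedApp extends MAMApplication {
    @Override
    public void onMAMCreate() {
        super.onMAMCreate();
        MAMNotificationReceiverRegistry registry =
                MAMComponents.get(MAMNotificationReceiverRegistry.class);
        PolicyEventReceiver receiver = new PolicyEventReceiver(this);
        // Register for WIPE_USER_DATA or WIPE_USER_AUXILIARY_DATA, never both.
        registry.registerReceiver(receiver, MAMNotificationType.WIPE_USER_DATA);
        registry.registerReceiver(receiver, MAMNotificationType.REFRESH_POLICY);
        registry.registerReceiver(receiver, MAMNotificationType.MANAGEMENT_REMOVED);
    }
}

/** Handles the notifications; it may block, because onReceive never runs on the UI thread. */
final class PolicyEventReceiver implements MAMNotificationReceiver {

    private final Context appContext;
    private volatile boolean policyCacheValid = true; // stands in for the app's cached policy decisions

    PolicyEventReceiver(Context context) {
        this.appContext = context.getApplicationContext();
    }

    @Override
    public boolean onReceive(MAMNotification notification) {
        switch (notification.getType()) {
            case WIPE_USER_DATA: {
                String upn = ((MAMUserNotification) notification).getUserIdentity();
                // true = wipe complete (or nothing to wipe); false = wipe failed, which MAM may
                // report to the Intune service.
                return deleteRecursively(userDataDir(upn));
            }
            case REFRESH_POLICY:
                // Every getIsXxxAllowed()/getNotificationRestriction() value the app cached is stale.
                policyCacheValid = false;
                return true;
            case MANAGEMENT_REMOVED:
                // MAM has already decrypted the app's files. Encryption keys stay usable only until
                // this method returns, so anything still held as a protected data buffer must be
                // unprotected here if the app needs it afterwards.
                return true;
            default:
                return true;
        }
    }

    boolean isPolicyCacheValid() {
        return policyCacheValid;
    }

    /** Constructed layout for this example: one directory per managed identity under filesDir. */
    private File userDataDir(String upn) {
        String bucket = Integer.toHexString(upn.toLowerCase().hashCode());
        return new File(appContext.getFilesDir(), "users/" + bucket);
    }

    /** Deletes a tree; true if nothing remains, including the case where it never existed. */
    static boolean deleteRecursively(File f) {
        if (!f.exists()) {
            return true;
        }
        boolean ok = true;
        File[] children = f.listFiles();
        if (children != null) {
            for (File child : children) {
                ok &= deleteRecursively(child);
            }
        }
        return ok && f.delete();
    }
}
```

A single-identity app can ignore the identity and clear its whole data directory in the WIPE_USER_DATA branch; the per-identity directory only matters for multi-identity apps, where data not tagged with the wiped identity must survive.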

Configure Azure Active Directory Authentication Library (ADAL)

First, please read the ADAL integration guidelines found in the ADAL repository on GitHub.
The SDK relies on ADAL for its authentication and conditional launch scenarios, which require apps to be
configured with Azure Active Directory. The configuration values are communicated to the SDK via
AndroidManifest metadata.
To configure your app and enable proper authentication, add the following to the app node in
AndroidManifest.xml. Some of these configurations are only required if your app uses ADAL for authentication in
general; in that case, you will need the specific values your app uses to register itself with AAD. This is done to
ensure that the end user does not get prompted for authentication twice, due to AAD recognizing two separate
registration values: one from the app and one from the SDK.

<meta-data
android:name="com.microsoft.intune.mam.aad.Authority"
android:value="https://AAD authority/" />
<meta-data
android:name="com.microsoft.intune.mam.aad.ClientID"
android:value="your-client-ID-GUID" />
<meta-data
android:name="com.microsoft.intune.mam.aad.NonBrokerRedirectURI"
android:value="your-redirect-URI" />
<meta-data
android:name="com.microsoft.intune.mam.aad.SkipBroker"
android:value="[true | false]" />

ADAL metadata
Authority is the AAD authority in use. If this value is absent, the AAD public environment is used.
NOTE
Do not set this field if your application is sovereign cloud aware.

ClientID is the AAD ClientID (also known as Application ID) to be used. You should use your own app's
ClientID if it is registered with Azure AD or leverage Default Enrollment if it does not integrate ADAL.
NonBrokerRedirectURI is the AAD redirect URI to use in broker-less cases. If none is specified, a default
value of urn:ietf:wg:oauth:2.0:oob is used. This default is suitable for most apps.
The NonBrokerRedirectURI is only used when SkipBroker is "true".
SkipBroker is used to override the default ADAL SSO participation behavior. SkipBroker should only be
specified for apps that specify a ClientID and do not support brokered authentication/device-wide SSO. In
this case it should be set to "true". Most apps should not set the SkipBroker parameter.
A ClientID must be specified in the manifest to specify a SkipBroker value.
When a ClientID is specified, the default value is "false".
When SkipBroker is "true," the NonBrokerRedirectURI will be used. Apps that do not integrate ADAL
(and therefore have no ClientID) will also default to "true".
Common ADAL configurations
The following are common ways an app can be configured with ADAL. Find your app's configuration and make
sure to set the ADAL metadata parameters (explained above) to the necessary values. In all cases, the Authority
may be specified if desired for non-default environments. If not specified, the public production AAD authority will
be used.
1. App does not integrate ADAL
ADAL metadata must not be present in the manifest.
2. App integrates ADAL

REQUIRED ADAL PARAMETER    VALUE
ClientID                   The app's ClientID (generated by Azure AD when the app is registered)

Authority may be specified if necessary.



You must register your app with Azure AD and give your app access to the app protection policy service:
See Quickstart: Register an application with the Microsoft identity platform for information about registering an
application with Azure AD.
Ensure the steps to give your Android app permissions to the app protection policy (APP) service are followed.
Use the instructions in the getting started with the Intune SDK guide under "Give your app access to the Intune
app protection service (optional)".
Also see the requirements for Conditional Access below.
3. App integrates ADAL but does not support brokered authentication/device-wide SSO

REQUIRED ADAL PARAMETER    VALUE
ClientID                   The app's ClientID (generated by Azure AD when the app is registered)
SkipBroker                 True

Authority and NonBrokerRedirectURI may be specified if necessary.


Conditional Access
Conditional Access (CA) is an Azure Active Directory feature which can be used to control access to AAD resources.
Intune administrators can define CA rules which allow resource access only from devices or apps which are
managed by Intune. In order to ensure that your app is able to access resources when appropriate, it is necessary
to follow the steps below. If your app does not acquire any AAD access tokens, or accesses only resources which
cannot be CA-protected, you may skip these steps.
1. Follow ADAL integration guidelines. See especially Step 11 for Broker usage.
2. Register your application with Azure Active Directory. The redirect URI can be found in the ADAL integration
guidelines above.
3. Set the manifest meta-data parameters per Common ADAL configurations, item 2, above.
4. Test that everything is configured properly by enabling device-based CA from the Azure portal and confirming
   that sign in to your app prompts for installation and enrollment of the Intune Company Portal, and
   that after enrollment, sign in to your app completes successfully.
5. Once your app has shipped Intune APP SDK integration, contact msintuneappsdk@microsoft.com to be added
to the list of approved apps for app-based Conditional Access
6. Once your app has been added to the approved list, validate by Configuring app-based CA and ensuring that
sign-in to your app completes successfully.

App protection policy without device enrollment

Overview
Intune app protection policy without device enrollment, also known as APP-WE or MAM-WE, allows apps to be
managed by Intune without the need for the device to be enrolled in Intune MDM. APP-WE works with or without
device enrollment. The Company Portal is still required to be installed on the device, but the user does not need to
sign into the Company Portal and enroll the device.

NOTE
All apps are required to support app protection policy without device enrollment.

Workflow
When an app creates a new user account, it should register the account for management with the Intune App SDK.
The SDK will handle the details of enrolling the app in the APP-WE service; if necessary, it will retry any
enrollments at appropriate time intervals if failures occur.
The app can also query the Intune App SDK for the status of a registered user to determine if the user should be
blocked from accessing corporate content. Multiple accounts may be registered for management, but currently
only one account can be actively enrolled with the APP-WE service at a time. This means only one account on the
app can receive app protection policy at a time.
The app is required to provide a callback to acquire the appropriate access token from the Azure Active Directory
Authentication Library (ADAL) on behalf of the SDK. It is assumed that the app already uses ADAL for user
authentication and to acquire its own access tokens.
When the app removes an account completely, it should unregister that account to indicate that the app should no
longer apply policy for that user. If the user was enrolled in the MAM service, the user will be unenrolled and the
app will be wiped.
Overview of app requirements
To implement APP-WE integration, your app must register the user account with the MAM SDK:
1. The app must implement and register an instance of the MAMServiceAuthenticationCallback interface. The
callback instance should be registered as early as possible in the app's lifecycle (typically in the
onMAMCreate() method of the application class).

2. When a user account is created and the user successfully signs in with ADAL, the app must call the
registerAccountForMAM() .

3. When a user account is removed, the app should call unregisterAccountForMAM() to remove the account
from Intune management.

NOTE
If a user signs out of the app temporarily, the app does not need to call unregisterAccountForMAM() . The call may
initiate a wipe to completely remove corporate data for the user.

MAMEnrollmentManager
All the necessary authentication and registration APIs can be found in the MAMEnrollmentManager interface. A
reference to the MAMEnrollmentManager can be obtained as follows:

MAMEnrollmentManager mgr = MAMComponents.get(MAMEnrollmentManager.class);

// make use of mgr

The MAMEnrollmentManager instance returned is guaranteed not to be null. The API methods fall into two categories:
authentication and account registration.

package com.microsoft.intune.mam.policy;

public interface MAMEnrollmentManager {

    public enum Result {
        AUTHORIZATION_NEEDED,
        NOT_LICENSED,
        ENROLLMENT_SUCCEEDED,
        ENROLLMENT_FAILED,
        WRONG_USER,
        MDM_ENROLLED,
        UNENROLLMENT_SUCCEEDED,
        UNENROLLMENT_FAILED,
        PENDING,
        COMPANY_PORTAL_REQUIRED;
    }

    //Authentication methods
    interface MAMServiceAuthenticationCallback {
        String acquireToken(String upn, String aadId, String resourceId);
    }
    void registerAuthenticationCallback(MAMServiceAuthenticationCallback callback);
    void updateToken(String upn, String aadId, String resourceId, String token);

    //Registration methods
    void registerAccountForMAM(String upn, String aadId, String tenantId);
    void registerAccountForMAM(String upn, String aadId, String tenantId, String authority);
    void unregisterAccountForMAM(String upn);
    Result getRegisteredAccountStatus(String upn);
}

Account authentication
This section describes the authentication API methods in MAMEnrollmentManager and how to use them.

interface MAMServiceAuthenticationCallback {
String acquireToken(String upn, String aadId, String resourceId);
}
void registerAuthenticationCallback(MAMServiceAuthenticationCallback callback);
void updateToken(String upn, String aadId, String resourceId, String token);

1. The app must implement the MAMServiceAuthenticationCallback interface to allow the SDK to request an
ADAL token for the given user and resource ID. The callback instance must be provided to the
MAMEnrollmentManager by calling its registerAuthenticationCallback() method. A token may be needed
early in the app lifecycle for enrollment retries or app protection policy refresh check-ins, so the ideal place
to register the callback is in the onMAMCreate() method of the app's MAMApplication subclass.
2. The acquireToken() method should acquire the access token for the requested resource ID for the given
user. If it can't acquire the requested token, it should return null.

NOTE
Ensure that your app utilizes the resourceId and aadId parameters passed to acquireToken() so that the
correct token is acquired.

class MAMAuthCallback implements MAMServiceAuthenticationCallback {

    @Override
    public String acquireToken(String upn, String aadId, String resourceId) {
        try {
            // Use the resourceId and aadId the SDK passed in so the correct token is returned.
            return mAuthContext.acquireTokenSilentSync(resourceId, ClientID, aadId).getAccessToken();
        } catch (Exception e) {
            // The token could not be acquired silently: return null and supply it later via updateToken().
            return null;
        }
    }
}
3. In case the app is unable to provide a token when the SDK calls acquireToken() -- for example, if silent
authentication fails and it is an inconvenient time to show a UI -- the app can provide a token at a later time
by calling the updateToken() method. The same UPN, AAD ID, and resource ID that were requested by the
prior call to acquireToken() must be passed to updateToken() , along with the token that was finally
acquired. The app should call this method as soon as possible after returning null from the provided
callback.

NOTE
The SDK will call acquireToken() periodically to get the token, so calling updateToken() is not strictly required.
However, it is strongly recommended as it can help enrollments and app protection policy check-ins complete in a
timely manner.

Account Registration
This section describes the account registration API methods in MAMEnrollmentManager and how to use them.

void registerAccountForMAM(String upn, String aadId, String tenantId);
void registerAccountForMAM(String upn, String aadId, String tenantId, String authority);
void unregisterAccountForMAM(String upn);
Result getRegisteredAccountStatus(String upn);

1. To register an account for management, the app should call registerAccountForMAM() . A user account is
identified by both its UPN and its AAD user ID. The tenant ID is also required to associate enrollment data
with the user's AAD tenant. The user's authority may also be provided to allow enrollment against specific
sovereign clouds; for more information see Sovereign Cloud Registration. The SDK may attempt to enroll
the app for the given user in the MAM service; if enrollment fails, it will periodically retry enrollment until
the account is unregistered. The retry period will typically be 12-24 hours. The SDK provides the status of
enrollment attempts asynchronously via notifications.
2. Because AAD authentication is required, the best time to register the user account is after the user has
signed into the app and is successfully authenticated using ADAL. The user's AAD ID and tenant ID are
returned from the ADAL authentication call as part of the AuthenticationResult object.
The tenant ID comes from the AuthenticationResult.getTenantID() method.
Information about the user is found in a sub-object of type UserInfo that comes from
AuthenticationResult.getUserInfo() , and the AAD user ID is retrieved from that object by calling
UserInfo.getUserId() .
3. To unregister an account from Intune management, the app should call unregisterAccountForMAM() . If the
account has been successfully enrolled and is managed, the SDK will unenroll the account and wipe its data.
Periodic enrollment retries for the account will be stopped. The SDK provides the status of unenrollment
request asynchronously via notification.
Sovereign Cloud Registration
Applications that are sovereign cloud aware must provide the authority to registerAccountForMAM() . This can be
obtained by providing instance_aware=true in ADAL's 1.14.0+ acquireToken extraQueryParameters followed by
invoking getAuthority() on the AuthenticationCallback AuthenticationResult.

mAuthContext.acquireToken(this, RESOURCE_ID, CLIENT_ID, REDIRECT_URI, PromptBehavior.FORCE_PROMPT,
        "instance_aware=true",
        new AuthenticationCallback<AuthenticationResult>() {
            @Override
            public void onError(final Exception exc) {
                // authentication failed
            }

            @Override
            public void onSuccess(final AuthenticationResult result) {
                mAuthority = result.getAuthority();
                // handle other parts of the result
            }
        });

NOTE
Do not set the com.microsoft.intune.mam.aad.Authority meta-data item in AndroidManifest.xml.

NOTE
Ensure that the authority is correctly set in your MAMServiceAuthenticationCallback::acquireToken() method.

Currently Supported Sovereign Clouds

1. Azure US Government Cloud
2. Microsoft Azure operated by 21Vianet (Azure China)
Important implementation notes
Authentication
When the app calls registerAccountForMAM() , it may receive a callback on its
MAMServiceAuthenticationCallback interface shortly thereafter, on a different thread. Ideally, the app
acquired its own token from ADAL prior to registering the account to expedite the acquisition of the
requested token. If the app returns a valid token from the callback, enrollment will proceed and the app will
get the final result via a notification.
If the app doesn't return a valid AAD token, the final result from the enrollment attempt will be
AUTHORIZATION_NEEDED . If the app receives this Result via notification, it is strongly recommended to expedite
the enrollment process by acquiring the token for the user and resource previously requested from
acquireToken() and calling the updateToken() method to initiate the enrollment process again.

The app's registered MAMServiceAuthenticationCallback will also be called to acquire a token for periodic
app protection policy refresh check-ins. If the app is unable to provide a token when requested, it will not
get a notification, but it should attempt to acquire a token and call updateToken() at the next convenient
time to expedite the check-in process. If a token is not provided, the callback will still be called at the next
check-in attempt.
Support for sovereign clouds requires providing the authority.
Registration
For your convenience, the registration methods are idempotent; for example, registerAccountForMAM() will
only register an account and attempt to enroll the app if the account is not already registered, and
unregisterAccountForMAM() will only unregister an account if it is currently registered. Subsequent calls are
no-ops, so there is no harm in calling these methods more than once. Additionally, correspondence
between calls to these methods and notifications of results are not guaranteed: i.e. if
registerAccountForMAM() is called for an identity that is already registered, the notification may not be sent
again for that identity. It is possible that notifications are sent that don't correspond to any calls to these
methods, since the SDK may periodically try enrollments in the background, and unenrollments may be
triggered by wipe requests received from the Intune service.
The registration methods can be called for any number of different identities, but currently only one user
account can become successfully enrolled. If multiple user accounts that are licensed for Intune and
targeted by app protection policy are registered at or near the same time, there is no guarantee on which
one will win the race.
Finally, you can query the MAMEnrollmentManager to see if a particular account is registered and to get its
current status using the getRegisteredAccountStatus() method. If the provided account is not registered,
this method will return null . If the account is registered, this method will return the account's status as one
of the members of the MAMEnrollmentManager.Result enumeration.
Result and status codes
When an account is first registered, it begins in the PENDING state, indicating that the initial MAM service
enrollment attempt is incomplete. After the enrollment attempt finishes, a notification will be sent with one of the
Result codes in the table below. In addition, the getRegisteredAccountStatus() method will return the account's
status so the app can always determine if access to corporate content is blocked for that user. If the enrollment
attempt fails, the account's status may change over time as the SDK retries enrollment in the background.

RESULT CODE and EXPLANATION

AUTHORIZATION_NEEDED: This result indicates that a token was not provided by the app's registered MAMServiceAuthenticationCallback instance, or the provided token was invalid. The app should acquire a valid token and call updateToken() if possible.

NOT_LICENSED: The user is not licensed for Intune, or the attempt to contact the Intune MAM service failed. The app should continue in an unmanaged (normal) state and the user should not be blocked. Enrollments will be retried periodically in case the user becomes licensed in the future.

ENROLLMENT_SUCCEEDED: The enrollment attempt succeeded, or the user is already enrolled. In the case of a successful enrollment, a policy refresh notification will be sent before this notification. Access to corporate data should be allowed.

ENROLLMENT_FAILED: The enrollment attempt failed. Further details can be found in the device logs. The app should not allow access to corporate data in this state, since it was previously determined that the user is licensed for Intune.

WRONG_USER: Only one user per device can enroll an app with the MAM service. This result indicates that the user for whom this result was delivered (the second user) is targeted with MAM policy, but a different user is already enrolled. Because MAM policy cannot be enforced for the second user, your app must not allow access to this user's data (possibly by removing the user from your app) unless/until enrollment for this user succeeds at a later time. Concurrent with delivering this WRONG_USER result, MAM will prompt with the option to remove the existing account. If the human user answers in the affirmative, it will indeed be possible to enroll the second user a short time later. As long as the second user remains registered, MAM will retry enrollment periodically.

UNENROLLMENT_SUCCEEDED: Unenrollment was successful.

UNENROLLMENT_FAILED: The unenrollment request failed. Further details can be found in the device logs. In general, this will not occur as long as the app passes a valid (neither null nor empty) UPN. There is no direct, reliable remediation the app can take. If this value is received when unregistering a valid UPN, please report as a bug to the Intune MAM team.

PENDING: The initial enrollment attempt for the user is in progress. The app can block access to corporate data until the enrollment result is known, but is not required to do so.

COMPANY_PORTAL_REQUIRED: The user is licensed for Intune, but the app cannot be enrolled until the Company Portal app is installed on the device. The Intune App SDK will attempt to block access to the app for the given user and direct them to install the Company Portal app (see below for details).

Company Portal requirement prompt override (optional)


If the COMPANY_PORTAL_REQUIRED Result is received, the SDK will block use of activities that use the identity for which
enrollment was requested. Instead, the SDK will cause those activities to display a prompt to download the
Company Portal. If you want to prevent this behavior in your app, activities may implement
MAMActivity.onMAMCompanyPortalRequired .

This method is called before the SDK displays its default blocking UI. If the app changes the activity identity or
unregisters the user who attempted to enroll, the SDK will not block the activity. In this situation, it is up to the app
to avoid leaking corporate data. Only multi-identity apps (discussed later) will be able to change the activity
identity.
If you do not explicitly inherit MAMActivity (because the build tooling will make that change), but still need to
handle this notification you may instead implement MAMActivityBlockingListener .
Notifications
If the app registers for notifications of type MAM_ENROLLMENT_RESULT , a MAMEnrollmentNotification will be
sent in order to inform the app that the enrollment request has completed. The MAMEnrollmentNotification will be
received through the MAMNotificationReceiver interface as described in the Register for notifications from the SDK
section.

public interface MAMEnrollmentNotification extends MAMUserNotification {
    MAMEnrollmentManager.Result getEnrollmentResult();
}

The getEnrollmentResult() method returns the result of the enrollment request. Since MAMEnrollmentNotification
extends MAMUserNotification , the identity of the user for whom the enrollment was attempted is also available.
The app must implement the MAMNotificationReceiver interface to receive these notifications, detailed in the
Register for notifications from the SDK section.
The registered user account's status may change when an enrollment notification is received, but it will not change
in all cases (for example, if AUTHORIZATION_NEEDED notification is received after a more informative result such as
WRONG_USER , the more informative result will be maintained as the account's status). Once the account is
successfully enrolled, the status will remain as ENROLLMENT_SUCCEEDED until the account is unenrolled or wiped.
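The following class ties together the pieces described in the Authentication, Registration and Notifications sections: it serves MAM service tokens to the SDK from ADAL, registers the account idempotently, turns an AUTHORIZATION_NEEDED result into an immediate updateToken() retry, and derives a "block corporate data" decision from getRegisteredAccountStatus() using the result table above. It is an added example, not code from the Intune App SDK or its documentation. The SDK package names, the MAMEnrollmentManager and MAMServiceAuthenticationCallback signatures and the ADAL acquireTokenSilentSync overload are assumed to match the SDK as referenced on this page; CLIENT_ID, the AuthenticationContext and the class itself are this example's own.

```java
package com.example.mamdemo;

import android.util.Log;

import com.microsoft.aad.adal.AuthenticationContext;
import com.microsoft.aad.adal.AuthenticationResult;
import com.microsoft.intune.mam.client.app.MAMComponents;
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiver;
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiverRegistry;
import com.microsoft.intune.mam.policy.MAMEnrollmentManager;
import com.microsoft.intune.mam.policy.MAMServiceAuthenticationCallback;
import com.microsoft.intune.mam.policy.notification.MAMEnrollmentNotification;
import com.microsoft.intune.mam.policy.notification.MAMNotification;
import com.microsoft.intune.mam.policy.notification.MAMNotificationType;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not SDK code. Package names and SDK signatures are assumed from the
// SDK's public API; CLIENT_ID and the AuthenticationContext are app-specific placeholders.
public final class MamEnrollment implements MAMServiceAuthenticationCallback, MAMNotificationReceiver {
    private static final String TAG = "MamEnrollment";
    private static final String CLIENT_ID = "00000000-0000-0000-0000-000000000000"; // placeholder

    private final AuthenticationContext adal;
    private final MAMEnrollmentManager enrollmentManager;
    // upn -> {aadId, resourceId} last requested by the SDK, so that updateToken() can be
    // called with exactly the resource the SDK asked for.
    private final Map<String, String[]> lastRequest = new ConcurrentHashMap<>();

    public MamEnrollment(AuthenticationContext adal) {
        this.adal = adal;
        this.enrollmentManager = MAMComponents.get(MAMEnrollmentManager.class);
        // Register the callback and the receiver before any account is registered, otherwise
        // the first acquireToken() call or the result notification can be missed.
        enrollmentManager.registerAuthenticationCallback(this);
        MAMComponents.get(MAMNotificationReceiverRegistry.class)
                .registerReceiver(this, MAMNotificationType.MAM_ENROLLMENT_RESULT);
    }

    // Call once the app has its own ADAL token for the user. Registration is idempotent,
    // so calling it again for the same account is a no-op. The authority overload is what
    // sovereign-cloud tenants need.
    public void register(String upn, String aadId, String tenantId, String authority) {
        enrollmentManager.registerAccountForMAM(upn, aadId, tenantId, authority);
    }

    // Called by the SDK on a background thread whenever it needs a MAM service token.
    @Override
    public String acquireToken(String upn, String aadId, String resourceId) {
        lastRequest.put(upn, new String[] {aadId, resourceId});
        return silentToken(aadId, resourceId);
    }

    @Override
    public boolean onReceive(MAMNotification notification) {
        if (notification.getType() != MAMNotificationType.MAM_ENROLLMENT_RESULT) {
            return true;
        }
        MAMEnrollmentNotification n = (MAMEnrollmentNotification) notification;
        String upn = n.getUserIdentity();
        switch (n.getEnrollmentResult()) {
            case AUTHORIZATION_NEEDED:
                // Expedite the retry instead of waiting for the SDK's background attempt.
                String[] req = lastRequest.get(upn);
                if (req != null) {
                    String token = silentToken(req[0], req[1]);
                    if (token != null) {
                        enrollmentManager.updateToken(upn, req[0], req[1], token);
                    }
                }
                break;
            case COMPANY_PORTAL_REQUIRED:
            case WRONG_USER:
            case ENROLLMENT_FAILED:
                Log.w(TAG, "corporate data must stay blocked for " + upn + ": " + n.getEnrollmentResult());
                break;
            default:
                break;
        }
        return true;
    }

    // Whether the app should block this user's corporate data, derived from the result table.
    // An unregistered account (null status) or a NOT_LICENSED one is unmanaged, so not blocked.
    public boolean shouldBlockCorporateData(String upn) {
        MAMEnrollmentManager.Result status = enrollmentManager.getRegisteredAccountStatus(upn);
        if (status == null) {
            return false;
        }
        switch (status) {
            case ENROLLMENT_FAILED:
            case WRONG_USER:
            case COMPANY_PORTAL_REQUIRED:
            case PENDING: // optional per the table; this example blocks until the result is known
                return true;
            default:
                return false;
        }
    }

    private String silentToken(String aadId, String resourceId) {
        try {
            // forceRefresh=false, as the implementation notes later on this page require.
            AuthenticationResult result =
                    adal.acquireTokenSilentSync(resourceId, CLIENT_ID, aadId, /* forceRefresh */ false);
            return result == null ? null : result.getAccessToken();
        } catch (Exception e) {
            Log.w(TAG, "silent acquisition failed; the SDK will report AUTHORIZATION_NEEDED", e);
            return null; // null tells the SDK no token is available
        }
    }
}
```

Because the SDK may deliver the callback on a background thread, the token request is kept silent and the per-user resource is remembered so the retry in onReceive() hands back a token for the same resource the SDK requested.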
APP CA with Policy Assurance
Overview
With APP CA (Conditional Access) with Policy Assurance, access to resources is conditional on the application of Intune App Protection Policies. AAD enforces this by requiring the app to be enrolled and managed by APP before granting a token to access an APP CA with Policy Assurance protected resource. The app is required to use the ADAL broker for token acquisition, and the setup is the same as described above in Conditional Access.
ADAL changes
The ADAL library has a new error code informing the app that the failure to acquire a token was caused by non-
compliance with APP management. If the app receives this error code, it needs to call the SDK to attempt to
remediate compliance by enrolling the app and applying policy. An exception will be received by the onError()
method of the ADAL AuthenticationCallback , and will have the error code
ADALError.AUTH_FAILED_INTUNE_POLICY_REQUIRED . In this case, the exception can be cast to an
IntuneAppProtectionPolicyRequiredException , from which additional parameters can be extracted for use in
remediating compliance (see code sample below). Once the remediation is successful, the app can re-attempt the
token acquisition through ADAL.

NOTE
This new error code and other support for APP CA with Policy Assurance require version 1.15.0 (or greater) of the ADAL
library.

MAMComplianceManager
The MAMComplianceManager interface is used when the policy-required error is received from ADAL. It contains the
remediateCompliance() method that should be called to attempt to put the app into a compliant state. A reference
to the MAMComplianceManager can be obtained as follows:

MAMComplianceManager mgr = MAMComponents.get(MAMComplianceManager.class);

// make use of mgr

The MAMComplianceManager instance returned is guaranteed not to be null.

package com.microsoft.intune.mam.policy;

public interface MAMComplianceManager {
    void remediateCompliance(String upn, String aadId, String tenantId, String authority, boolean showUX);
}

The remediateCompliance() method is called to attempt to put the app under management to satisfy the conditions
for AAD to grant the requested token. The first four parameters can be extracted from the exception received by
the ADAL AuthenticationCallback.onError() method (see code sample below). The final parameter is a boolean
which controls whether a UX is shown during the compliance attempt. This is a simple blocking progress style
interface provided as a default for apps that don't have a need to show customized UX during this operation. It will
only block while the compliance remediation is in progress and will not display the final result. The app should
register a notification receiver to handle the success or failure of the compliance remediation attempt (see below).
The remediateCompliance() method may do a MAM enrollment as part of establishing compliance. The app may
receive an enrollment notification if it has registered a notification receiver for enrollment notifications. The app's
registered MAMServiceAuthenticationCallback will have its acquireToken() method called to get a token for the
MAM enrollment. acquireToken() will be called before the app has acquired its own token, so any bookkeeping or
account creation tasks that the app does after a successful token acquisition may not have been done yet. The
callback must be able to acquire a token in this case. If you can't return a token from acquireToken() , the
compliance remediation attempt will fail. If you call updateToken() later with a valid token for the requested
resource, the compliance remediation will be retried immediately with the given token.

NOTE
Silent token acquisition will still be possible in acquireToken() because the user will have already been guided to install the
broker and register the device before ADALError.AUTH_FAILED_INTUNE_POLICY_REQUIRED error is received. This results in
the broker having a valid refresh token in its cache, allowing silent acquisition of the requested token to succeed.

Here is a sample of receiving the policy-required error in the AuthenticationCallback.onError() method, and
calling the MAMComplianceManager to handle the error.

public void onError(@Nullable Exception exc) {
    if (exc instanceof AuthenticationException &&
            ((AuthenticationException) exc).getCode() == ADALError.AUTH_FAILED_INTUNE_POLICY_REQUIRED) {

        // ADAL reports the policy-required failure as this subclass, which carries the
        // account and authority parameters needed for remediation.
        final IntuneAppProtectionPolicyRequiredException policyRequiredException =
                (IntuneAppProtectionPolicyRequiredException) exc;

        final String upn = policyRequiredException.getAccountUpn();
        final String aadId = policyRequiredException.getAccountUserId();
        final String tenantId = policyRequiredException.getTenantId();
        final String authority = policyRequiredException.getAuthorityURL();

        // true: let the SDK show its default blocking progress UX during remediation.
        // Pass false if the app shows its own UX (see the implementation notes below).
        final boolean showUX = true;

        MAMComplianceManager complianceManager = MAMComponents.get(MAMComplianceManager.class);
        complianceManager.remediateCompliance(upn, aadId, tenantId, authority, showUX);
    }
}

Status Notifications
If the app registers for notifications of type COMPLIANCE_STATUS , a MAMComplianceNotification will be sent in
order to inform the app of the final status of the compliance remediation attempt. The MAMComplianceNotification
will be received through the MAMNotificationReceiver interface as described in the Register for notifications from
the SDK section.

public interface MAMComplianceNotification extends MAMUserNotification {
    MAMCAComplianceStatus getComplianceStatus();
    String getComplianceErrorTitle();
    String getComplianceErrorMessage();
}

The getComplianceStatus() method returns the result of the compliance remediation attempt as a value from the
MAMCAComplianceStatus enum.

STATUS CODE and EXPLANATION

UNKNOWN: Status is unknown. This could indicate an unanticipated failure reason. Additional information may be found in the Company Portal logs.

COMPLIANT: Compliance remediation succeeded and the app is now compliant with policy. The ADAL token acquisition should be retried.

NOT_COMPLIANT: The attempt to remediate compliance failed. The app is not compliant and ADAL token acquisition should not be retried until the error condition is corrected. Additional error information is sent with the MAMComplianceNotification.

SERVICE_FAILURE: There was a failure while attempting to retrieve compliance data from the Intune Service. Additional information may be found in the Company Portal logs.

NETWORK_FAILURE: There was an error connecting to the Intune Service. The app should try its token acquisition again when the network connection is restored.

CLIENT_ERROR: The attempt to remediate compliance failed for some reason related to the client. For example, no token or wrong user. Additional error information is sent with the MAMComplianceNotification.

PENDING: The attempt to remediate compliance failed because the status response had not yet been received from the service when the time limit was exceeded. The app should try its token acquisition again later.

COMPANY_PORTAL_REQUIRED: The Company Portal must be installed on the device in order for compliance remediation to succeed. If the Company Portal is already installed on the device, the app needs to be restarted. In this case, a dialog will be shown asking the user to restart the app.

If the compliance status is MAMCAComplianceStatus.COMPLIANT , the app should re-initiate its original token acquisition
(for its own resource). If the compliance remediation attempt failed, the getComplianceErrorTitle() and
getComplianceErrorMessage() methods will return localized strings that the app can display to the end user if it
chooses. Most of the error cases aren't remediable by the app, so for the general case it may be best to fail account
creation or login and allow the user to try again later. If a failure is persistent, the MAM logs may help determine
the cause. The end user can submit the logs. For more information, see Upload and email logs.
Since MAMComplianceNotification extends MAMUserNotification , the identity of the user for whom the remediation
was attempted is also available.
Here is an example of registering a receiver using an anonymous class to implement the MAMNotificationReceiver
interface:
final MAMNotificationReceiverRegistry notificationRegistry =
        MAMComponents.get(MAMNotificationReceiverRegistry.class);

// create a receiver
final MAMNotificationReceiver receiver = new MAMNotificationReceiver() {
    public boolean onReceive(MAMNotification notification) {
        if (notification.getType() == MAMNotificationType.COMPLIANCE_STATUS) {
            MAMComplianceNotification complianceNotification = (MAMComplianceNotification) notification;

            // take appropriate action based on complianceNotification.getComplianceStatus()

            // unregister this receiver if no longer needed
            notificationRegistry.unregisterReceiver(this, MAMNotificationType.COMPLIANCE_STATUS);
        }
        return true;
    }
};

// register the receiver
notificationRegistry.registerReceiver(receiver, MAMNotificationType.COMPLIANCE_STATUS);

NOTE
The notification receiver must be registered before calling remediateCompliance() to avoid a race condition that could
result in the notification being missed.

Implementation Notes

NOTE
Important change!
The app's MAMServiceAuthenticationCallback.acquireToken() method should pass false for the new forceRefresh flag
to acquireTokenSilentSync() . Previously, we recommended passing true to address an issue with refreshing tokens from
the broker, but an issue with ADAL was found that could prevent acquiring tokens in some scenarios if this flag is true.

AuthenticationResult result = acquireTokenSilentSync(resourceId, clientId, userId, /* forceRefresh */ false);

NOTE
If you want to show a custom blocking UX during the remediation attempt, you should pass false for the showUX parameter
to remediateCompliance() . You must ensure that you show your UX and register your notification listener first before
calling remediateCompliance() . This will prevent a race condition where the notification could be missed if
remediateCompliance() fails very quickly. For example, the onCreate() or onMAMCreate() method of an Activity
subclass is the ideal place to register the notification listener and then call remediateCompliance() . The parameters for
remediateCompliance() can be passed to your UX as Intent extras. When the compliance status notification is received,
you can display the result or simply finish the activity.

NOTE
remediateCompliance() will register the account and attempt enrollment. Once the main token is acquired, calling
registerAccountForMAM() is not necessary, but there is no harm in doing so. On the other hand, if the app fails to acquire
its token and wishes to remove the user account, it must call unregisterAccountForMAM() to remove the account and
prevent background enrollment retries.
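The notes above describe a specific ordering: show your own UX, register the COMPLIANCE_STATUS receiver, then call remediateCompliance() with showUX set to false, passing the parameters from the ADAL exception as Intent extras. The activity below does exactly that and reports the outcome to its caller through setResult(), so the caller re-runs its original token acquisition only on COMPLIANT. It is an added example, not code from the Intune App SDK or its documentation. The SDK package names and the onMAMCreate()/onMAMDestroy() lifecycle methods of MAMActivity are assumed; the extras, the newIntent() helper and the result codes are this example's own.

```java
package com.example.mamdemo;

import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.widget.TextView;

import com.microsoft.aad.adal.IntuneAppProtectionPolicyRequiredException;
import com.microsoft.intune.mam.client.app.MAMActivity;
import com.microsoft.intune.mam.client.app.MAMComponents;
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiver;
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiverRegistry;
import com.microsoft.intune.mam.policy.MAMCAComplianceStatus;
import com.microsoft.intune.mam.policy.MAMComplianceManager;
import com.microsoft.intune.mam.policy.notification.MAMComplianceNotification;
import com.microsoft.intune.mam.policy.notification.MAMNotification;
import com.microsoft.intune.mam.policy.notification.MAMNotificationType;

// Added example, not SDK code. Package names and MAMActivity lifecycle methods are assumed;
// the extras and result handling are this example's own design.
public class CompliancePromptActivity extends MAMActivity {
    private static final String EXTRA_UPN = "upn";
    private static final String EXTRA_AAD_ID = "aadId";
    private static final String EXTRA_TENANT_ID = "tenantId";
    private static final String EXTRA_AUTHORITY = "authority";

    private MAMNotificationReceiverRegistry registry;
    private MAMNotificationReceiver receiver;
    private TextView status;

    // Packs the four parameters from ADAL's policy-required exception into Intent extras,
    // so the onError() handler only has to start this activity.
    public static Intent newIntent(Context ctx, IntuneAppProtectionPolicyRequiredException e) {
        return new Intent(ctx, CompliancePromptActivity.class)
                .putExtra(EXTRA_UPN, e.getAccountUpn())
                .putExtra(EXTRA_AAD_ID, e.getAccountUserId())
                .putExtra(EXTRA_TENANT_ID, e.getTenantId())
                .putExtra(EXTRA_AUTHORITY, e.getAuthorityURL());
    }

    @Override
    protected void onMAMCreate(Bundle savedInstanceState) {
        super.onMAMCreate(savedInstanceState);
        status = new TextView(this);
        status.setText("Applying your organization's protection policy...");
        setContentView(status); // 1. our own blocking UX is on screen first

        // 2. Register the listener before remediation starts, so a very fast failure
        //    cannot deliver its notification before anyone is listening.
        registry = MAMComponents.get(MAMNotificationReceiverRegistry.class);
        receiver = new MAMNotificationReceiver() {
            @Override
            public boolean onReceive(MAMNotification notification) {
                if (notification.getType() == MAMNotificationType.COMPLIANCE_STATUS) {
                    onComplianceResult((MAMComplianceNotification) notification);
                }
                return true;
            }
        };
        registry.registerReceiver(receiver, MAMNotificationType.COMPLIANCE_STATUS);

        // 3. Only now start remediation, with showUX=false because we own the UX.
        Intent i = getIntent();
        MAMComponents.get(MAMComplianceManager.class).remediateCompliance(
                i.getStringExtra(EXTRA_UPN), i.getStringExtra(EXTRA_AAD_ID),
                i.getStringExtra(EXTRA_TENANT_ID), i.getStringExtra(EXTRA_AUTHORITY),
                /* showUX */ false);
    }

    private void onComplianceResult(final MAMComplianceNotification n) {
        final MAMCAComplianceStatus result = n.getComplianceStatus();
        runOnUiThread(new Runnable() {
            @Override
            public void run() {
                switch (result) {
                    case COMPLIANT:
                        setResult(RESULT_OK); // caller re-runs its original token acquisition
                        finish();
                        break;
                    case NETWORK_FAILURE:
                    case PENDING:
                        setResult(RESULT_FIRST_USER); // transient: caller may retry later
                        finish();
                        break;
                    default:
                        // NOT_COMPLIANT, CLIENT_ERROR, SERVICE_FAILURE, COMPANY_PORTAL_REQUIRED,
                        // UNKNOWN: the app cannot fix these itself, so show the SDK's localized
                        // text and let the user back out; the caller must not retry blindly.
                        status.setText(n.getComplianceErrorTitle() + "\n" + n.getComplianceErrorMessage());
                        setResult(RESULT_CANCELED);
                        break;
                }
            }
        });
    }

    @Override
    protected void onMAMDestroy() {
        if (registry != null && receiver != null) {
            registry.unregisterReceiver(receiver, MAMNotificationType.COMPLIANCE_STATUS);
        }
        super.onMAMDestroy();
    }
}
```

The caller launches this activity from its AuthenticationCallback.onError() with startActivityForResult(newIntent(this, policyRequiredException), ...) and retries the ADAL token acquisition only when RESULT_OK comes back; the receiver is unregistered in onMAMDestroy() so a later remediation for another account does not hit a stale listener.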

Protecting Backup data


As of Android Marshmallow (API 23), Android has two ways for an app to back up its data. Each option is available
to your app and requires different steps to ensure that Intune data protection is correctly implemented. You can
review the table below on corresponding actions required for correct data protection behavior. You can read more
about the backup methods in the Android API guide.
Auto Backup for Apps
Android began offering automatic full backups to Google Drive for apps on Android Marshmallow devices,
regardless of the app's target API. In your AndroidManifest.xml, if you explicitly set android:allowBackup to false ,
then your app will never be queued for backups by Android and "corporate" data will stay within the app. In this
case, no further action is necessary.
However, by default the android:allowBackup attribute is set to true, even if android:allowBackup isn't specified in
the manifest file. This means all app data is automatically backed up to the user's Google Drive account, a default
behavior that poses a data leak risk . Therefore, the SDK requires the changes outlined below to ensure that data
protection is applied. It is important to follow the guidelines below to protect customer data properly if you want
your app to run on Android Marshmallow devices.
Intune allows you to utilize all the Auto Backup features available from Android, including the ability to define
custom rules in XML, but you must follow the steps below to secure your data:
1. If your app does not use its own custom BackupAgent, use the default MAMBackupAgent to allow for
automatic full backups that are Intune policy compliant. Place the following in the app manifest:

android:fullBackupOnly="true"
android:backupAgent="com.microsoft.intune.mam.client.app.backup.MAMDefaultBackupAgent"

2. [Optional] If you implemented an optional custom BackupAgent, you need to make sure to use
MAMBackupAgent or MAMBackupAgentHelper. See the following sections. Consider switching to using
Intune's MAMDefaultBackupAgent (described in step 1), which provides easy back-up on Android M
and above.
3. When you decide which type of full backup your app should receive (unfiltered, filtered, or none), you'll
need to set the attribute android:fullBackupContent to true, false, or an XML resource in your app.
4. Then, you must copy whatever you put into android:fullBackupContent into a metadata tag named
com.microsoft.intune.mam.FullBackupContent in the manifest.
Example 1 : If you want your app to have full backups without exclusions, set both the
android:fullBackupContent attribute and com.microsoft.intune.mam.FullBackupContent metadata tag to true :

android:fullBackupContent="true"
...
<meta-data android:name="com.microsoft.intune.mam.FullBackupContent" android:value="true" />

Example 2 : If you want your app to use its custom BackupAgent and opt out of full, Intune policy
compliant, automatic backups, you must set the attribute and metadata tag to false :

android:fullBackupContent="false"
...
<meta-data android:name="com.microsoft.intune.mam.FullBackupContent" android:value="false" />

Example 3 : If you want your app to have full backups according to your custom rules defined in an XML
file, set the attribute and metadata tag to the same XML resource:
android:fullBackupContent="@xml/my_scheme"
...
<meta-data android:name="com.microsoft.intune.mam.FullBackupContent" android:resource="@xml/my_scheme"
/>

Key/Value Backup
The Key/Value Backup option is available to all APIs 8+ and uploads app data to the Android Backup Service. The
amount of data per user of your app is limited to 5 MB. If you use Key/Value Backup, you must use a
BackupAgentHelper or a BackupAgent .
BackupAgentHelper
BackupAgentHelper is easier to implement than BackupAgent both in terms of native Android functionality and
Intune MAM integration. BackupAgentHelper allows the developer to register entire files and shared preferences
to a FileBackupHelper and SharedPreferencesBackupHelper (respectively) which are then added to the
BackupAgentHelper upon creation. Follow the steps below to use a BackupAgentHelper with Intune MAM:
1. To utilize multi-identity backup with a BackupAgentHelper, follow the Android guide to Extending
BackupAgentHelper.
2. Have your class extend the MAM equivalent of BackupAgentHelper, FileBackupHelper, and
SharedPreferencesBackupHelper.

ANDROID CLASS and MAM EQUIVALENT

BackupAgentHelper: MAMBackupAgentHelper

FileBackupHelper: MAMFileBackupHelper

SharedPreferencesBackupHelper: MAMSharedPreferencesBackupHelper

Following these guidelines will lead to a successful multi-identity back up and restore.
BackupAgent
A BackupAgent allows you to be much more explicit about what data is backed up. Because the developer is
largely responsible for the implementation, there are more steps required to ensure appropriate data protection
from Intune, and the Intune integration is correspondingly more involved.
Integrate MAM:
1. Carefully read the Android guide for Key/Value Backup and specifically Extending BackupAgent to ensure
your BackupAgent implementation follows Android guidelines.
2. Have your class extend MAMBackupAgent .
Multi-identity Backup:
1. Before beginning your backup, check that the files or data buffers you plan to back up are indeed
permitted by the IT administrator to be backed up in multi-identity scenarios. We provide you with
the isBackupAllowed function in MAMFileProtectionManager and MAMDataProtectionManager to determine this.
If the file or data buffer is not allowed to be backed up, then you should not continue including it in your
backup.
2. At some point during your backup, if you want to back up the identities for the files you checked in step 1,
you must call backupMAMFileIdentity(BackupDataOutput data, File … files) with the files from which you
plan to extract data. This will automatically create new backup entities and write them to the
BackupDataOutput for you. These entities will be automatically consumed upon restore.
Multi-identity Restore:
The Data Backup guide specifies a general algorithm for restoring your application’s data and provides a code
sample in the Extending BackupAgent section. In order to have a successful multi-identity restore, you must follow
the general structure provided in this code sample with special attention to the following:
1. You must utilize a while(data.readNextHeader()) loop to go through the backup entities.
2. You must call data.skipEntityData() if data.getKey() does not match the key you wrote in onBackup .
Without performing this step, your restores may not succeed.
3. Avoid returning while consuming backup entities in the while(data.readNextHeader()) construct, as the
entities we automatically write will be lost.
Here, data is the local variable name for the MAMBackupDataInput that is passed to your app upon
restore.
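The following agent applies the multi-identity backup and restore rules above to a single app file: it consults isBackupAllowed() before writing anything, records the file's identity with backupMAMFileIdentity(), and on restore loops over every entity, skipping unknown keys rather than returning early. It is an added example, not code from the Intune App SDK or its documentation. The onMAMBackup()/onMAMRestore() names on MAMBackupAgent, the MAMBackupDataInput methods, the MAMFileProtectionManager.isBackupAllowed(File) overload and the package names are assumed to match the SDK; the "notes.db" file and the KEY_NOTES key are this example's own.

```java
package com.example.mamdemo;

import android.app.backup.BackupDataOutput;
import android.os.ParcelFileDescriptor;

import com.microsoft.intune.mam.client.app.backup.MAMBackupAgent;
import com.microsoft.intune.mam.client.app.backup.MAMBackupDataInput;
import com.microsoft.intune.mam.client.identity.MAMFileProtectionManager;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

// Added example, not SDK code. SDK class, method and package names are assumed;
// "notes.db" is a placeholder for the app's own data file.
public class NotesBackupAgent extends MAMBackupAgent {
    private static final String KEY_NOTES = "notes";

    private File notesFile() {
        return new File(getFilesDir(), "notes.db");
    }

    @Override
    public void onMAMBackup(ParcelFileDescriptor oldState, BackupDataOutput data,
                            ParcelFileDescriptor newState) throws IOException {
        File notes = notesFile();
        // Step 1: ask MAM whether the identity that owns this file may be backed up at all.
        // If policy forbids it, write nothing for the file (this example always writes when
        // allowed; a production agent would also compare against oldState to skip unchanged data).
        if (!notes.exists() || !MAMFileProtectionManager.isBackupAllowed(notes)) {
            return;
        }
        byte[] bytes = readFully(notes);
        data.writeEntityHeader(KEY_NOTES, bytes.length);
        data.writeEntityData(bytes, bytes.length);
        // Step 2: let the SDK add entities recording which identity owns the file.
        backupMAMFileIdentity(data, notes);
    }

    @Override
    public void onMAMRestore(MAMBackupDataInput data, int appVersionCode,
                             ParcelFileDescriptor newState) throws IOException {
        File notes = notesFile();
        // Walk every entity and never return early, or the SDK's identity entities are lost.
        while (data.readNextHeader()) {
            if (KEY_NOTES.equals(data.getKey())) {
                int size = data.getDataSize();
                byte[] buf = new byte[size];
                data.readEntityData(buf, 0, size);
                writeFully(notes, buf);
            } else {
                // Keys this agent did not write (including the SDK's own) must be skipped
                // explicitly so the stream stays aligned for the next header.
                data.skipEntityData();
            }
        }
    }

    private static byte[] readFully(File f) throws IOException {
        try (InputStream in = new FileInputStream(f)) {
            byte[] out = new byte[(int) f.length()];
            int off = 0;
            while (off < out.length) {
                int n = in.read(out, off, out.length - off);
                if (n < 0) {
                    throw new IOException("short read of " + f);
                }
                off += n;
            }
            return out;
        }
    }

    private static void writeFully(File f, byte[] bytes) throws IOException {
        try (OutputStream out = new FileOutputStream(f)) {
            out.write(bytes);
        }
    }
}
```

The agent is wired in with android:backupAgent pointing at this class in the manifest; because the identity entities are consumed by the SDK's restore path, the app-side loop only has to keep reading and skipping.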

Multi-Identity (optional)
Overview
By default, the Intune App SDK will apply policy to the app as a whole. Multi-identity is an optional Intune app
protection feature that can be enabled to allow policy to be applied on a per-identity level. This requires
significantly more app participation than other app protection features.

NOTE
A lack of the correct app participation can result in data leaks and other security issues.

Once the user enrolls the device or the app, the SDK registers this identity and considers it the primary Intune
managed identity. Other users in the app will be treated as unmanaged, with unrestricted policy settings.

NOTE
Currently, only one Intune managed identity is supported per device.

An identity is defined as a string. Identities are case-insensitive, and a request to the SDK for an identity may not
return the same casing that was originally used when setting the identity.
The app must inform the SDK when it intends to change the active identity. In some cases, the SDK will also notify
the app when an identity change is required. In most cases, however, MAM cannot know what data is being
displayed in the UI or used on a thread at a given time and relies on the app to set the correct identity in order to
avoid data leak. In the sections that follow, some particular scenarios which require app action will be called out.
Enabling Multi-Identity
By default, all apps are considered to be single-identity apps. You can declare an app to be multi-identity aware by
placing the following metadata in AndroidManifest.xml.

<meta-data
android:name="com.microsoft.intune.mam.MAMMultiIdentity"
android:value="true" />

Setting the Identity


Developers can set the identity of the app user on the following levels in descending priority:
1. Thread level
2. Context (generally Activity ) level
3. Process level
An identity set at the thread level supersedes an identity set at the Context level, which supersedes an identity set
at the process level. An identity set on a Context is only used in appropriate associated scenarios. File IO
operations, for example, do not have an associated Context . Most commonly, apps will set the Context identity
on an Activity . An app must not display data for a managed identity unless the Activity identity is set to that
same identity. In general, the process-level identity is only useful if the app works only with a single user at a time
on all threads. Many apps may not need to make use of it.
If your app uses the Application context to acquire system services, ensure that the thread or process identity has
been set, or that you have set the UI identity on your app's Application context.
If your app uses a Service context to launch intents, use content resolvers, or leverage other system services be
sure to set the identity on the Service context.
To handle special cases when updating the UI identity with setUIPolicyIdentity or switchMAMIdentity , both
methods can be passed a set of IdentitySwitchOption values.
IGNORE_INTENT : Use if requesting an identity switch that should ignore the intent associated with the current
activity. For example:
1. Your app receives an intent from a managed identity containing a managed document, and your app
displays the document.
2. The user switches to their personal identity, so your app requests a UI identity switch. In the personal
identity, your app is no longer displaying the document, so you use IGNORE_INTENT when requesting the
identity switch.
If not set, the SDK will assume that the most recent intent is still being used in the app. This will cause
receive policy for the new identity to treat the intent as incoming data and use its identity.

NOTE
Because the CLIPBOARD_SERVICE is used for UI operations, the SDK uses the UI identity of the foreground activity for
ClipboardManager operations.

The following methods in MAMPolicyManager may be used to set the identity and retrieve the identity values
previously set.
public static void setUIPolicyIdentity(final Context context, final String identity,
        final MAMSetUIIdentityCallback mamSetUIIdentityCallback,
        final EnumSet<IdentitySwitchOption> options);

public static String getUIPolicyIdentity(final Context context);

public static MAMIdentitySwitchResult setProcessIdentity(final String identity);

public static String getProcessIdentity();

public static MAMIdentitySwitchResult setCurrentThreadIdentity(final String identity);

public static String getCurrentThreadIdentity();

/**
 * Get the current app policy. This does NOT take the UI (Context) identity into account.
 * If the current operation has any context (e.g. an Activity) associated with it, use the overload below.
 */
public static AppPolicy getPolicy();

/**
 * Get the current app policy. This DOES take the UI (Context) identity into account.
 * If the current operation has any context (e.g. an Activity) associated with it, use this function.
 */
public static AppPolicy getPolicy(final Context context);

public static AppPolicy getPolicyForIdentity(final String identity);

public static boolean getIsIdentityManaged(final String identity);

NOTE
You can clear the identity of the app by setting it to null.
The empty string may be used as an identity that will never have app protection policy.

Results
All the methods used to set the identity report back result values via MAMIdentitySwitchResult . There are four
values that can be returned:

RETURN VALUE and SCENARIO

SUCCEEDED: The identity change was successful.

NOT_ALLOWED: The identity change is not allowed. This occurs if an attempt is made to set the UI ( Context ) identity when a different identity is set on the current thread.

CANCELLED: The user canceled the identity change, generally by pressing the back button on a PIN or authentication prompt.

FAILED: The identity change failed for an unspecified reason.

The app should ensure that an identity switch is successful before displaying or using corporate data. Currently,
process and thread identity switches will always succeed for a multi-identity-enabled app, however we reserve the
right to add failure conditions. The UI identity switch may fail for invalid arguments, if it would conflict with the
thread identity, or if the user cancels out of conditional launch requirements (for example, presses the back button
on the PIN screen). The default behavior for a failed UI identity switch on an activity is to finish the activity (see
onSwitchMAMIdentityComplete below).
In the case of setting a Context identity via setUIPolicyIdentity , the result is reported asynchronously. If the
Context is an Activity , the SDK doesn't know if the identity change succeeded until after conditional launch is
performed -- which may require the user to enter a PIN or corporate credentials. The app may implement a
MAMSetUIIdentityCallback to receive this result, or may pass null for the callback object. Note that if a call is made
to setUIPolicyIdentity while the result from a previous call to setUIPolicyIdentity on the same context has not
yet been delivered, the new callback will supersede the old one and the original callback will never receive a result.

public interface MAMSetUIIdentityCallback {
    void notifyIdentityResult(MAMIdentitySwitchResult identitySwitchResult);
}

You can also set the identity of an activity directly through a method in MAMActivity instead of calling
MAMPolicyManager.setUIPolicyIdentity . Use following method to do so:

public final void switchMAMIdentity(final String newIdentity, final EnumSet<IdentitySwitchOption> options);

You can also override a method in MAMActivity if you want the app to be notified of the result of attempts to
change the identity of that activity.

public void onSwitchMAMIdentityComplete(final MAMIdentitySwitchResult result);

If you do not override onSwitchMAMIdentityComplete (or call the super method), a failed identity switch on an
activity will result in the activity being finished. If you do override the method, you must take care that corporate
data is not displayed after a failed identity switch.

NOTE
Switching the identity may require recreating the activity. In this case, the onSwitchMAMIdentityComplete callback will be
delivered to the new instance of the activity.

Implicit Identity Changes


In addition to the app's ability to set the identity explicitly, a thread's or a Context 's identity may change
based on data ingress from another Intune-managed app that has app protection policy.
Examples
1. If an activity is launched from an Intent sent by another MAM app, the activity's identity will be set based
on the effective identity in the other app at the point the Intent was sent.
2. For services, the thread identity will be set similarly for the duration of an onStart or onBind call. Calls
into the Binder returned from onBind will also temporarily set the thread identity.
3. Calls into a ContentProvider will similarly set the thread identity for their duration.
In addition, user interaction with an activity may cause an implicit identity switch.
Example: A user canceling out of an authorization prompt during Resume will result in an implicit switch to an
empty identity.
The app is given an opportunity to be made aware of these changes, and, if it must, the app can forbid them.
MAMService and MAMContentProvider expose the following method that subclasses may override:
public void onMAMIdentitySwitchRequired(final String identity,
final AppIdentitySwitchResultCallback callback);

In the MAMActivity class, an additional parameter is present in the method:

public void onMAMIdentitySwitchRequired(final String identity,
        final AppIdentitySwitchReason reason,
        final AppIdentitySwitchResultCallback callback);

The AppIdentitySwitchReason captures the source of the implicit switch, and can take the values CREATE ,
RESUME_CANCELLED , and NEW_INTENT . The RESUME_CANCELLED reason is used when activity resume causes PIN,
authentication, or other compliance UI to be displayed and the user attempts to cancel out of that UI,
generally through use of the back button.
The AppIdentitySwitchResultCallback is as follows:

public interface AppIdentitySwitchResultCallback {
    /**
     * @param result
     *            whether the identity switch can proceed.
     */
    void reportIdentitySwitchResult(AppIdentitySwitchResult result);
}

Where AppIdentitySwitchResult is either SUCCESS or FAILURE .


The method onMAMIdentitySwitchRequired is called for all implicit identity changes except for those made through
a Binder returned from MAMService.onMAMBind . The default implementations of onMAMIdentitySwitchRequired
immediately call:
- reportIdentitySwitchResult(FAILURE) when the reason is RESUME_CANCELLED .
- reportIdentitySwitchResult(SUCCESS) in all other cases.
It is not expected that most apps will need to block or delay an identity switch in a different manner, but if
an app needs to do so, the following points must be considered:
- If an identity switch is blocked, the result is the same as if Receive sharing settings had prohibited
  the data ingress.
- If a Service is running on the main thread, reportIdentitySwitchResult must be called
  synchronously or the UI thread stops responding.
- For Activity creation, onMAMIdentitySwitchRequired will be called before onMAMCreate . If the app
  must show UI to determine whether to allow the identity switch, that UI must be shown using a
  different activity.
- In an Activity , when a switch to the empty identity is requested with the reason RESUME_CANCELLED ,
  the app must modify the resumed activity to display data consistent with that identity switch. If this
  is not possible, the app should refuse the switch, and the user will be asked again to comply with
  policy for the resuming identity (for example, by being presented with the app PIN entry screen).

NOTE
A multi-identity app will always receive incoming data from both managed and unmanaged apps. It is the
responsibility of the app to treat data from managed identities in a managed manner.

- If a requested identity is managed (use MAMPolicyManager.getIsIdentityManaged to check), but the app is not
  able to use that account (for example, because accounts, such as email accounts, must be set up in the app
  first) then the identity switch should be refused.
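The following Activity ties the explicit and implicit identity-switch hooks above together. It is an added example written for this guide, not code from the Intune App SDK or its samples: DocumentActivity, its TextView body, pendingText and the configuredAccounts set are hypothetical, and the import package paths are assumed from the SDK's usual layout and should be checked against the SDK jar you ship. The SDK calls themselves ( switchMAMIdentity , onSwitchMAMIdentityComplete , onMAMIdentitySwitchRequired , MAMPolicyManager.getIsIdentityManaged ) are the ones described above.

```java
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import android.os.Bundle;
import android.widget.TextView;

// Package paths assumed from the SDK's usual layout; verify against the SDK jar.
import com.microsoft.intune.mam.client.app.MAMActivity;
import com.microsoft.intune.mam.client.identity.MAMPolicyManager;
import com.microsoft.intune.mam.policy.AppIdentitySwitchReason;
import com.microsoft.intune.mam.policy.AppIdentitySwitchResult;
import com.microsoft.intune.mam.policy.AppIdentitySwitchResultCallback;
import com.microsoft.intune.mam.policy.IdentitySwitchOption;
import com.microsoft.intune.mam.policy.MAMIdentitySwitchResult;

/** Hypothetical document viewer in a multi-identity app. */
public final class DocumentActivity extends MAMActivity {
    // Accounts the app has finished setting up (hypothetical account store).
    private final Set<String> configuredAccounts = new HashSet<>();
    private TextView body;        // renders the document text
    private String pendingText;   // corporate data held back until the switch succeeds

    @Override
    protected void onMAMCreate(Bundle savedInstanceState) {
        super.onMAMCreate(savedInstanceState);
        body = new TextView(this);
        setContentView(body);
    }

    void addConfiguredAccount(String upn) {
        configuredAccounts.add(upn.toLowerCase(Locale.ROOT));
    }

    /** Explicit switch: the owner identity is known before any corporate bytes are shown. */
    void openDocument(String ownerIdentity, String documentText) {
        pendingText = documentText;
        body.setText("");   // never render ahead of the result; a PIN/auth prompt may come first
        switchMAMIdentity(ownerIdentity, EnumSet.noneOf(IdentitySwitchOption.class));
        // The result arrives in onSwitchMAMIdentityComplete, possibly on a recreated instance
        // of this Activity; a real app keeps pendingText in saved instance state for that case.
    }

    @Override
    public void onSwitchMAMIdentityComplete(MAMIdentitySwitchResult result) {
        // Deliberately not calling super: the default finishes the Activity on failure.
        // We keep the Activity but guarantee no corporate data is visible.
        if (result == MAMIdentitySwitchResult.SUCCEEDED) {
            body.setText(pendingText);
        } else {
            // NOT_ALLOWED, CANCELLED or FAILED
            pendingText = null;
            body.setText("");
        }
    }

    /** Implicit switch: Intent from another MAM app, cancelled resume, or new Intent. */
    @Override
    public void onMAMIdentitySwitchRequired(String identity, AppIdentitySwitchReason reason,
                                            AppIdentitySwitchResultCallback callback) {
        if (reason == AppIdentitySwitchReason.RESUME_CANCELLED) {
            // User backed out of the PIN/auth prompt on resume and the SDK wants to drop to
            // the empty identity. Blanking the screen makes the UI consistent, so accept it.
            pendingText = null;
            if (body != null) {
                body.setText("");
            }
            callback.reportIdentitySwitchResult(AppIdentitySwitchResult.SUCCESS);
            return;
        }
        // CREATE arrives before onMAMCreate, so views must not be touched here.
        String upn = identity == null ? "" : identity.toLowerCase(Locale.ROOT);
        if (MAMPolicyManager.getIsIdentityManaged(identity) && !configuredAccounts.contains(upn)) {
            // Managed identity the app cannot serve yet: refuse. This has the same effect as
            // the "Receive sharing" policy blocking the ingress.
            callback.reportIdentitySwitchResult(AppIdentitySwitchResult.FAILURE);
            return;
        }
        callback.reportIdentitySwitchResult(AppIdentitySwitchResult.SUCCESS);
    }
}
```

The override of onSwitchMAMIdentityComplete takes on the obligation the text describes: because it does not call super, the Activity is not finished on failure, so the override itself must ensure nothing corporate stays on screen. The RESUME_CANCELLED branch accepts the switch only because the screen can be blanked; an app that cannot do that should report FAILURE instead so the compliance prompt comes back.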
Build plugin / tool considerations
If you do not explicitly inherit from MAMActivity , MAMService , or MAMContentProvider (because you allow the build
tooling to make that change), but still need to process identity switches, you may instead implement
MAMActivityIdentityRequirementListener (for an Activity ) or MAMIdentityRequirementListener (for a Service or
ContentProviders ). The default behavior for MAMActivity.onMAMIdentitySwitchRequired can be accessed by calling
the static method MAMActivity.defaultOnMAMIdentitySwitchRequired(activity, identity, reason, callback) .
Similarly, if you need to override MAMActivity.onSwitchMAMIdentityComplete , you may implement
MAMActivityIdentitySwitchListener without explicitly inheriting from MAMActivity .
Preserving Identity In Async Operations
It is common for operations on the UI thread to dispatch background tasks to another thread. A multi-identity app
will want to make sure that these background tasks operate with the appropriate identity, which is often the same
identity used by the activity that dispatched them. The MAM SDK provides MAMAsyncTask and
MAMIdentityExecutors as a convenience to aid in preserving the identity. These must be used if the asynchronous
operation could write corporate data to a file or could communicate with other apps.
MAMAsyncTask
To use MAMAsyncTask , simply inherit from it instead of AsyncTask and replace overrides of doInBackground and
onPreExecute with doInBackgroundMAM and onPreExecuteMAM respectively. The MAMAsyncTask constructor takes an
activity context. For example:

AsyncTask<Object, Object, Object> task = new MAMAsyncTask<Object, Object, Object>(thisActivity) {

    @Override
    protected Object doInBackgroundMAM(final Object[] params) {
        // Do operations; this runs with the identity of thisActivity.
        return null;
    }

    @Override
    protected void onPreExecuteMAM() {
        // Do setup.
    }
};

MAMIdentityExecutors
MAMIdentityExecutors allows you to wrap an existing Executor or ExecutorService instance as an identity-
preserving Executor / ExecutorService with wrapExecutor and wrapExecutorService methods. For example

Executor wrappedExecutor = MAMIdentityExecutors.wrapExecutor(originalExecutor, activity);
ExecutorService wrappedService = MAMIdentityExecutors.wrapExecutorService(originalExecutorService, activity);

File Protection
Every file has an identity associated with it at the time of creation, based on thread and process identity. This
identity will be used for both file encryption and selective wipe. Only files whose identity is managed and has
policy requiring encryption will be encrypted. The SDK's default selective wipe functionality will only wipe files
associated with the managed identity for which a wipe has been requested. The app may query or change a file's
identity using the MAMFileProtectionManager class.

public final class MAMFileProtectionManager {

    /**
     * Protect a file or directory. This will synchronously trigger whatever protection is required for the
     * file, and will tag the file for future protection changes. If an identity is set on a directory, it is
     * set recursively on all files and subdirectories. New files or directories will inherit their parent
     * directory's identity. If MAM is operating in offline mode, this method will silently do nothing.
     *
     * @param identity
     *            Identity to set.
     * @param file
     *            File to protect.
     *
     * @throws IOException
     *             If the file cannot be protected.
     */
    public static void protect(final File file, final String identity) throws IOException;

    /**
     * Protect a file obtained from a content provider. This is intended to be used for
     * sdcard (whether internal or removable) files accessed through the Storage Access Framework.
     * It may also be used with descriptors referring to private files owned by this app.
     * It is not intended to be used for files owned by other apps and such usage will fail. If
     * creating a new file via a content provider exposed by another MAM-integrated app, the new
     * file identity will automatically be set correctly if the ContentResolver in use was
     * obtained via a Context with an identity or if the thread identity is set.
     *
     * This will synchronously trigger whatever protection is required for the file, and will tag
     * the file for future protection changes. If an identity is set on a directory, it is set
     * recursively on all files and subdirectories. If MAM is operating in offline mode, this
     * method will silently do nothing.
     *
     * @param identity
     *            Identity to set.
     * @param file
     *            File to protect.
     *
     * @throws IOException
     *             If the file cannot be protected.
     */
    public static void protect(final ParcelFileDescriptor file, final String identity) throws IOException;

    /**
     * Get the protection info on a file. This method should only be used if the file is located in the
     * calling application's private storage or the device's shared storage. If opening a file with a
     * content resolver, use the overload which takes a ParcelFileDescriptor instead.
     *
     * @param file
     *            File or directory to get information on.
     * @return File protection info, or null if there is no protection info.
     * @throws IOException
     *             If the file cannot be read or opened.
     */
    public static MAMFileProtectionInfo getProtectionInfo(final File file) throws IOException;

    /**
     * Get the protection info on a file descriptor such as one opened through a content resolver.
     *
     * @param file
     *            File or directory to get information on.
     * @return File protection info, or null if there is no protection info.
     * @throws IOException
     *             If the file cannot be read or opened.
     */
    public static MAMFileProtectionInfo getProtectionInfo(final ParcelFileDescriptor file) throws IOException;
}

public interface MAMFileProtectionInfo {
    String getIdentity();
}

App Responsibility
MAM cannot automatically infer a relationship between files being read and data being displayed in an Activity .
Apps must set the UI identity appropriately before displaying corporate data. This includes data read from files. If a
file comes from outside the app (either from a ContentProvider or read from a publicly writable location), the app
must attempt to determine the file identity (using the correct MAMFileProtectionManager.getProtectionInfo
overload for the data source) before displaying information read from the file. If getProtectionInfo reports a non-
null, non-empty identity, the UI identity must be set to match this identity (using MAMActivity.switchMAMIdentity or
MAMPolicyManager.setUIPolicyIdentity ). If the identity switch fails, data from the file must not be displayed.

An example flow might look something like the following:

1. The user selects a document to open in the app.
2. During the open flow, prior to reading data from disk, the app confirms the identity that should be used to
   display the content:

   // docPath is the java.io.File that was selected
   MAMFileProtectionInfo info = MAMFileProtectionManager.getProtectionInfo(docPath);
   if (info != null) {
       MAMPolicyManager.setUIPolicyIdentity(activity, info.getIdentity(), callback,
               EnumSet.noneOf(IdentitySwitchOption.class));
   }

3. The app waits until a result is reported to callback.
4. If the reported result is a failure, the app does not display the document.
5. The app opens and renders the file.
If an app uses the Android DownloadManager to download files, the MAM SDK will attempt to protect these files
automatically using the process identity. If the downloaded files contain corporate data, it is the app's responsibility
to call protect if the files are moved or recreated after download.
Single-Identity to Multi-Identity Transition
If an app which previously released with single-identity Intune integration later integrates multi-identity,
previously installed apps will experience a transition (not visible to the user, there is no associated UX). The app is
not required to do anything explicit to handle this transition. All files created before the transition will continue
being regarded as managed (so they will stay encrypted if encryption policy is on). If desired, you can detect the
upgrade and use MAMFileProtectionManager.protect to tag specific files or directories with the empty identity
(which will remove encryption if they were encrypted).
Offline Scenarios
File identity tagging is sensitive to offline mode. The following points should be taken into account:
- If the Company Portal is not installed, files cannot be identity-tagged.
- If the Company Portal is installed, but the app does not have Intune MAM policy, files cannot be reliably
  tagged with identity.
- When file identity tagging becomes available, all previously created files are treated as
  personal/unmanaged (belonging to the empty-string identity) unless the app was previously installed as a
  single-identity managed app in which case they are treated as belonging to the enrolled user.
Directory Protection
Directories may be protected using the same protect method used to protect files. Directory protection applies
recursively to all files and subdirectories contained in the directory, and to new files created within the directory.
Because directory protection is applied recursively, the protect call can take some time to complete for large
directories. For that reason, apps applying protection to a directory that contains a large number of files might
wish to run protect asynchronously on a background thread.
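The store below puts the pieces from "Preserving Identity In Async Operations", "File Protection" and "Directory Protection" into one class: it tags a per-user directory on an identity-preserving executor (so the slow recursive protect call stays off the UI thread and files the task creates inherit the right identity), and it exposes the getProtectionInfo check an Activity should run before rendering a file. It is an added example written for this guide, not SDK or sample code: CorporateFileStore, its directory naming scheme and the Log calls are hypothetical, and the import package paths are assumed and should be checked against the SDK jar.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.Locale;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import android.app.Activity;
import android.util.Log;

// Package paths assumed; verify against the SDK jar.
import com.microsoft.intune.mam.client.identity.MAMFileProtectionInfo;
import com.microsoft.intune.mam.client.identity.MAMFileProtectionManager;
import com.microsoft.intune.mam.client.identity.MAMIdentityExecutors;

/** Hypothetical per-user document store that writes off the UI thread. */
final class CorporateFileStore {
    private static final String TAG = "CorporateFileStore";
    private final ExecutorService io;
    private final File docsRoot;

    CorporateFileStore(Activity activity, File docsRoot) {
        this.docsRoot = docsRoot;
        // The wrapped executor carries the Activity's identity onto the worker thread, so
        // anything the task creates is tagged (and encrypted, if policy requires) for it.
        this.io = MAMIdentityExecutors.wrapExecutorService(
                Executors.newSingleThreadExecutor(), activity);
    }

    /** Per-user directory; the UPN is made path-safe (constructed naming scheme). */
    private File userDir(String identity) {
        return new File(docsRoot,
                identity.toLowerCase(Locale.ROOT).replaceAll("[^a-z0-9@._-]", "_"));
    }

    /** Create the user's directory, tag it once, and write a document into it. */
    void saveDocument(final String identity, final String name, final byte[] contents) {
        io.execute(new Runnable() {
            @Override
            public void run() {
                try {
                    File dir = userDir(identity);
                    if (!dir.isDirectory() && !dir.mkdirs()) {
                        throw new IOException("cannot create " + dir);
                    }
                    // Directory protection is recursive and can be slow for large trees,
                    // which is why this runs on the background executor. New files inherit it.
                    MAMFileProtectionManager.protect(dir, identity);
                    File out = new File(dir, name);
                    try (FileOutputStream fos = new FileOutputStream(out)) {
                        fos.write(contents);
                    }
                    // Explicit tag as well, so a file moved in from elsewhere is still covered.
                    MAMFileProtectionManager.protect(out, identity);
                } catch (IOException e) {
                    Log.e(TAG, "save failed for " + name, e);
                }
            }
        });
    }

    /** Owner identity of a file, or "" when it is untagged or personal. */
    static String ownerOf(File file) throws IOException {
        MAMFileProtectionInfo info = MAMFileProtectionManager.getProtectionInfo(file);
        return (info == null || info.getIdentity() == null) ? "" : info.getIdentity();
    }

    /** Gate to run before rendering: a managed file may only be shown under its owner's identity. */
    static boolean mayDisplayUnder(File file, String uiIdentity) throws IOException {
        String owner = ownerOf(file);
        return owner.isEmpty() || owner.equalsIgnoreCase(uiIdentity);
    }
}
```

mayDisplayUnder is the check the "App Responsibility" section asks for: if it returns false the caller must first switch the UI identity to the file's owner (and refuse to render if that switch fails), rather than reading the file under the current identity.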
Data Protection
It is not possible to tag a file as belonging to multiple identities. Apps that must store data belonging to different
users in the same file can do so manually, using the features provided by MAMDataProtectionManager . This allows
the app to encrypt data and tie it to a particular user. The encrypted data is suitable for storing to disk in a file. You
can query the data associated with the identity and the data can be unencrypted later.
Apps that make use of MAMDataProtectionManager should implement a receiver for the MANAGEMENT_REMOVED
notification. After this notification completes, buffers that were protected via this class will no longer be readable if
file encryption was enabled when the buffers were protected. An app can remediate this situation by calling
MAMDataProtectionManager.unprotect on all buffers during this notification. It is also safe to call protect during this
notification if it is desired to preserve identity information -- encryption is guaranteed to be disabled during the
notification.

public final class MAMDataProtectionManager {

    /**
     * Protect a stream. This will return a stream containing the protected
     * input.
     *
     * @param identity
     *            Identity to set.
     * @param input
     *            Input data to protect, read sequentially. This function
     *            will change the position of the stream but may not have
     *            read the entire stream by the time it returns. The
     *            returned stream will wrap this one. Calls to read on the
     *            returned stream may cause further reads on the original
     *            input stream. Callers should not expect to read directly
     *            from the input stream after passing it to this method.
     *            Calling close on the returned stream will close this one.
     * @return Protected input data.
     * @throws IOException
     *             If the data could not be protected
     */
    public static InputStream protect(final InputStream input, final String identity) throws IOException;

    /**
     * Protect a byte array. This will return protected bytes.
     *
     * @param identity
     *            Identity to set.
     * @param input
     *            Input data to protect.
     * @return Protected input data.
     * @throws IOException
     *             If the data could not be protected
     */
    public static byte[] protect(final byte[] input, final String identity) throws IOException;

    /**
     * Unprotect a stream. This will return a stream containing the
     * unprotected input.
     *
     * @param input
     *            Input data to unprotect, read sequentially.
     * @return Unprotected input data.
     * @throws IOException
     *             If the data could not be unprotected
     */
    public static InputStream unprotect(final InputStream input) throws IOException;

    /**
     * Unprotect a byte array. This will return unprotected bytes.
     *
     * @param input
     *            Input data to unprotect.
     * @return Unprotected input data.
     * @throws IOException
     *             If the data could not be unprotected
     */
    public static byte[] unprotect(final byte[] input) throws IOException;

    /**
     * Get the protection info on a stream.
     *
     * @param input
     *            Input stream to get information on. Either this input
     *            stream must have been returned by a previous call to
     *            protect OR input.markSupported() must return true.
     *            Otherwise it will be impossible to get protection info
     *            without advancing the stream position. The stream must be
     *            positioned at the beginning of the protected data.
     * @return Data protection info, or null if there is no protection
     *         info.
     * @throws IOException
     *             If the input cannot be read.
     */
    public static MAMDataProtectionInfo getProtectionInfo(final InputStream input) throws IOException;

    /**
     * Get the protection info on a byte array.
     *
     * @param input
     *            Input bytes to get information on. These must be bytes
     *            returned by a previous call to protect() or a copy of
     *            such bytes.
     * @return Data protection info, or null if there is no protection
     *         info.
     * @throws IOException
     *             If the input cannot be read.
     */
    public static MAMDataProtectionInfo getProtectionInfo(final byte[] input) throws IOException;
}
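The class below shows the multi-user-in-one-file case the "Data Protection" section describes: each record is protected for its owner, stored length-prefixed, and only records tagged for the requesting identity are ever unprotected; the last method is what a MANAGEMENT_REMOVED receiver should call so the buffers stay readable after management ends. It is an added example written for this guide, not SDK or sample code. SharedRecordFile and its record layout are constructed for the example, the import package paths are assumed, and MAMDataProtectionInfo is assumed to expose getIdentity() like MAMFileProtectionInfo does above.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

// Package paths assumed; verify against the SDK jar.
import com.microsoft.intune.mam.client.identity.MAMDataProtectionInfo;
import com.microsoft.intune.mam.client.identity.MAMDataProtectionManager;

/** One file holding records of several users; each record is protected for its owner. */
final class SharedRecordFile {
    private final File file;

    SharedRecordFile(File file) {
        this.file = file;
    }

    /** Append a record for one identity: [int length][protected bytes]. */
    void append(String identity, String record) throws IOException {
        byte[] protectedBytes = MAMDataProtectionManager.protect(
                record.getBytes(StandardCharsets.UTF_8), identity);
        try (DataOutputStream out = new DataOutputStream(new FileOutputStream(file, true))) {
            out.writeInt(protectedBytes.length);
            out.write(protectedBytes);
        }
    }

    /** Raw (still protected) records, in file order. */
    private List<byte[]> readAllRaw() throws IOException {
        List<byte[]> records = new ArrayList<>();
        if (!file.isFile()) {
            return records;
        }
        try (DataInputStream in = new DataInputStream(new FileInputStream(file))) {
            while (in.available() > 0) {
                byte[] b = new byte[in.readInt()];
                in.readFully(b);
                records.add(b);
            }
        }
        return records;
    }

    /** Owner identity of a protected buffer; "" if it carries no protection info (assumed accessor). */
    private static String ownerOf(byte[] raw) throws IOException {
        MAMDataProtectionInfo info = MAMDataProtectionManager.getProtectionInfo(raw);
        return (info == null || info.getIdentity() == null) ? "" : info.getIdentity();
    }

    /** Only records tagged for this identity are unprotected; other users' data stays opaque. */
    List<String> readFor(String identity) throws IOException {
        List<String> result = new ArrayList<>();
        for (byte[] raw : readAllRaw()) {
            if (ownerOf(raw).equalsIgnoreCase(identity)) {
                byte[] plain = MAMDataProtectionManager.unprotect(raw);
                result.add(new String(plain, StandardCharsets.UTF_8));
            }
        }
        return result;
    }

    /**
     * Call from a MANAGEMENT_REMOVED notification receiver. Encryption is guaranteed to be
     * off during that notification, so every buffer is unprotected now and re-protected
     * (identity tag only, no encryption) so ownership information survives; buffers left
     * untouched would be unreadable once the notification completes.
     */
    void onManagementRemoved() throws IOException {
        List<byte[]> raw = readAllRaw();
        try (DataOutputStream out = new DataOutputStream(new FileOutputStream(file, false))) {
            for (byte[] r : raw) {
                String owner = ownerOf(r);
                byte[] plain = MAMDataProtectionManager.unprotect(r);
                byte[] retagged = MAMDataProtectionManager.protect(plain, owner);
                out.writeInt(retagged.length);
                out.write(retagged);
            }
        }
    }
}
```

Keeping the identity tag through onManagementRemoved is optional; an app that no longer needs to know who owned each record can simply write the unprotected bytes instead of calling protect again.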

Content Providers
If the app provides corporate data other than a ParcelFileDescriptor through a ContentProvider , the app must
call the method isProvideContentAllowed(String) in MAMContentProvider , passing the owner identity's UPN (user
principal name) for the content. If this function returns false, the content must not be returned to the caller. File
descriptors returned through a content provider are handled automatically based on the file identity.
If you do not inherit MAMContentProvider explicitly and instead allow the build tooling to make that change, you
may call a static version of the same method:
MAMContentProvider.isProvideContentAllowed(provider, contentIdentity) .
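A provider that applies this check per row, written for the build-plugin integration style (so it extends the plain Android ContentProvider and uses the static overload). This is an added example for this guide, not SDK or sample code; NotesProvider, its Note rows and the sample UPNs are constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;

import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;

// Package path assumed; verify against the SDK jar.
import com.microsoft.intune.mam.client.content.MAMContentProvider;

/** Hypothetical provider exposing notes that belong to different users. */
public final class NotesProvider extends ContentProvider {
    static final class Note {
        final long id;
        final String owner;   // UPN of the owning identity, "" for personal data
        final String text;

        Note(long id, String owner, String text) {
            this.id = id;
            this.owner = owner;
            this.text = text;
        }
    }

    // Constructed sample data: one personal note and two corporate notes from different UPNs.
    static final List<Note> NOTES = Arrays.asList(
            new Note(1, "", "shopping list"),
            new Note(2, "alice@contoso.com", "Q3 forecast"),
            new Note(3, "bob@contoso.com", "incident timeline"));

    @Override
    public boolean onCreate() {
        return true;
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        return filterByPolicy(this, NOTES);
    }

    /** Builds a cursor containing only rows whose owner's policy permits providing content. */
    static Cursor filterByPolicy(ContentProvider provider, List<Note> notes) {
        MatrixCursor cursor = new MatrixCursor(new String[] {"_id", "owner", "text"});
        for (Note n : notes) {
            // The check is per owner identity, not per caller: a blocked owner's rows are
            // omitted entirely, never returned with blank fields.
            if (!MAMContentProvider.isProvideContentAllowed(provider, n.owner)) {
                continue;
            }
            cursor.addRow(new Object[] {n.id, n.owner, n.text});
        }
        return cursor;
    }

    @Override
    public String getType(Uri uri) {
        return "vnd.android.cursor.dir/vnd.example.note";
    }

    @Override
    public Uri insert(Uri uri, ContentValues values) {
        return null;   // read-only provider in this example
    }

    @Override
    public int delete(Uri uri, String selection, String[] selectionArgs) {
        return 0;
    }

    @Override
    public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        return 0;
    }
}
```

If the provider instead inherits MAMContentProvider directly, the same loop calls the instance method isProvideContentAllowed(n.owner) ; the filtering logic does not change.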

Selective Wipe
If a multi-identity app registers for the WIPE_USER_DATA notification, it is the app's responsibility to remove all data
for the user being wiped, including all files that have been identity-tagged as belonging to that user. If the app
removes user data from a file but wishes to leave other data in the file, it must change the identity of the file (via
MAMFileProtectionManager.protect to a personal user or the empty identity). If encryption policy is in use, any
remaining files belonging to the user being wiped will not be decrypted and will become inaccessible to the app
after wipe.
An app registering for WIPE_USER_DATA will not receive the benefit of the SDK's default selective wipe behavior. For
multi-identity aware apps, this loss may be more significant since MAM default selective wipe will wipe only files
whose identity is targeted by a wipe. If a multi-identity aware application wishes MAM default selective wipe to be
done and wishes to perform its own actions on wipe, it should register for WIPE_USER_AUXILIARY_DATA notifications.
This notification will be sent immediately by the SDK before it performs the MAM default selective wipe. An app
should never register for both WIPE_USER_DATA and WIPE_USER_AUXILIARY_DATA .
The default selective wipe will close the app gracefully, finishing activities and killing the app process. If your app
overrides the default selective wipe, you may want to consider closing your app manually to prevent the user from
accessing in-memory data after a wipe occurs.
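A receiver for WIPE_USER_AUXILIARY_DATA that handles the mixed-ownership file case described above: it strips the wiped user's rows from a shared file and, if that file was tagged for the wiped user but still holds other users' rows, retags it as personal so the SDK's default selective wipe, which runs right after this receiver returns, does not delete it. This is an added example for this guide, not SDK or sample code. UserWipeReceiver and the tab-separated "upn<TAB>payload" line format are constructed; the import package paths and the register() placement are assumptions to check against your SDK version.

```java
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

import android.util.Log;

// Package paths assumed; verify against the SDK jar.
import com.microsoft.intune.mam.client.app.MAMComponents;
import com.microsoft.intune.mam.client.identity.MAMFileProtectionInfo;
import com.microsoft.intune.mam.client.identity.MAMFileProtectionManager;
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiver;
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiverRegistry;
import com.microsoft.intune.mam.policy.notification.MAMNotification;
import com.microsoft.intune.mam.policy.notification.MAMNotificationType;
import com.microsoft.intune.mam.policy.notification.MAMUserNotification;

/** Removes one user's rows from a shared index file when that user is wiped. */
final class UserWipeReceiver implements MAMNotificationReceiver {
    private static final String TAG = "UserWipeReceiver";
    private final File sharedIndex;   // constructed format: one "upn<TAB>payload" line per row

    UserWipeReceiver(File sharedIndex) {
        this.sharedIndex = sharedIndex;
    }

    /** Register once at application start (placement assumed, e.g. Application.onMAMCreate). */
    static void register(File sharedIndex) {
        MAMNotificationReceiverRegistry registry =
                MAMComponents.get(MAMNotificationReceiverRegistry.class);
        // AUXILIARY, never WIPE_USER_DATA: the SDK still deletes every file tagged for the
        // user after we return, so we only clean what it cannot see into.
        registry.registerReceiver(new UserWipeReceiver(sharedIndex),
                MAMNotificationType.WIPE_USER_AUXILIARY_DATA);
    }

    @Override
    public boolean onReceive(MAMNotification notification) {
        if (notification.getType() != MAMNotificationType.WIPE_USER_AUXILIARY_DATA) {
            return true;
        }
        String upn = ((MAMUserNotification) notification).getUserIdentity();
        try {
            int remaining = removeRowsFor(sharedIndex, upn);
            if (remaining > 0) {
                retagIfOwnedBy(sharedIndex, upn);
            }
            return true;
        } catch (IOException e) {
            Log.e(TAG, "wipe of " + upn + " failed", e);
            return false;   // tells the SDK this notification was not handled successfully
        }
    }

    /** Drops the user's rows and rewrites the file; returns how many other users' rows remain. */
    static int removeRowsFor(File index, String upn) throws IOException {
        if (!index.isFile()) {
            return 0;
        }
        List<String> kept = new ArrayList<>();
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(new FileInputStream(index), StandardCharsets.UTF_8))) {
            String line;
            while ((line = in.readLine()) != null) {
                int tab = line.indexOf('\t');
                String owner = tab < 0 ? "" : line.substring(0, tab);
                if (!owner.equalsIgnoreCase(upn)) {
                    kept.add(line);
                }
            }
        }
        try (BufferedWriter out = new BufferedWriter(
                new OutputStreamWriter(new FileOutputStream(index, false), StandardCharsets.UTF_8))) {
            for (String line : kept) {
                out.write(line);
                out.newLine();
            }
        }
        return kept.size();
    }

    /** If the file is tagged for the wiped user, retag it as personal so other users' rows survive. */
    static void retagIfOwnedBy(File index, String upn) throws IOException {
        MAMFileProtectionInfo info = MAMFileProtectionManager.getProtectionInfo(index);
        if (info != null && upn.equalsIgnoreCase(info.getIdentity())) {
            MAMFileProtectionManager.protect(index, "");
        }
    }
}
```

When no rows remain the file is left tagged for the wiped user on purpose: the default selective wipe that follows will delete it, which is the desired outcome.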

Enabling MAM targeted configuration for your Android applications (optional)

Application-specific key-value pairs may be configured in the Intune console for MAM-WE and Android Enterprise.
These key-value pairs are not interpreted by Intune at all, but are passed on to the app. Applications that want to
receive such configuration can use the MAMAppConfigManager and MAMAppConfig classes to do so. If multiple policies
are targeted at the same app, there may be multiple conflicting values available for the same key.

NOTE
Configurations set up for delivery via MAM-WE cannot be delivered offline (when the Company Portal is not
installed). Only Android Enterprise AppRestrictions will be delivered, via a MAMUserNotification on an empty
identity, in this case.

Get the App Config For a User


App config may be retrieved as follows:

MAMAppConfigManager configManager = MAMComponents.get(MAMAppConfigManager.class);
String identity = "user@contoso.com";
MAMAppConfig appConfig = configManager.getAppConfig(identity);

If there is no MAM-registered user, but your app would still like to retrieve Android Enterprise configuration (which
will not be targeted at a specific user), you can pass a null or empty string.
Conflicts
A value set in MAM app config will override a value with the same key set in Android Enterprise config.
If an admin configures conflicting values for the same key (e.g by targeting different app config sets with the same
key to multiple groups containing the same user), Intune does not have any way of resolving this conflict
automatically and will make all values available to your app.
Your app can request all values for a given key from a MAMAppConfig object:

List<Boolean> getAllBooleansForKey(String key)
List<Long> getAllIntegersForKey(final String key)
List<Double> getAllDoublesForKey(final String key)
List<String> getAllStringsForKey(final String key)

or request a value to be chosen:

Boolean getBooleanForKey(String key, BooleanQueryType queryType)
Long getIntegerForKey(String key, NumberQueryType queryType)
Double getDoubleForKey(String key, NumberQueryType queryType)
String getStringForKey(String key, StringQueryType queryType)

enum BooleanQueryType {
/**
* In case of conflict, arbitrarily picks one. This is not guaranteed to return the same value every time.
*/
Any,
/**
* In case of conflict, returns true if any of the values are true.
*/
Or,
/**
* In case of conflict, returns false if any of the values are false.
*/
And
}

enum NumberQueryType {
/**
* In case of conflict, arbitrarily picks one. This is not guaranteed to return the same value every time.
*/
Any,
/**
* In case of conflict, returns the minimum Integer.
*/
Min,
/**
* In case of conflict, returns the maximum Integer.
*/
Max
}

enum StringQueryType {
/**
* In case of conflict, arbitrarily picks one. This is not guaranteed to return the same value every time.
*/
Any,
/**
* In case of conflict, returns the first result ordered alphabetically.
*/
Min,

/**
* In case of conflict, returns the last result ordered alphabetically.
*/
Max
}

Your app can also request the raw data as a list of sets of key-value pairs.

List<Map<String, String>> getFullData()

Full Example

MAMAppConfigManager configManager = MAMComponents.get(MAMAppConfigManager.class);
String identity = "user@contoso.com";
MAMAppConfig appConfig = configManager.getAppConfig(identity);
String fooValue = null;
if (appConfig.hasConflict("foo")) {
    // Intune delivers every conflicting value; the app decides how to resolve them.
    List<String> values = appConfig.getAllStringsForKey("foo");
    fooValue = chooseBestValue(values);   // app-defined resolution strategy
} else {
    fooValue = appConfig.getStringForKey("foo", MAMAppConfig.StringQueryType.Any);
}
Long barValue = appConfig.getIntegerForKey("bar", MAMAppConfig.NumberQueryType.Min);

Notification
App config adds a new notification type:
REFRESH_APP_CONFIG : This notification is sent in a MAMUserNotification and informs the app that new app
config data is available.
Further Reading
For more information about how to create a MAM targeted app configuration policy in Android, see the section on
MAM targeted app config in How to use Microsoft Intune app configuration policies for Android.
App config can also be configured using the Graph API. For information, see the Graph API docs for MAM Targeted
Config.

Custom Themes (optional)


A custom theme can be provided to the MAM SDK which will be applied to all MAM screens and dialogs. If a
theme is not provided, a default MAM theme will be used.
How to provide a theme
To provide a theme, you need to add the following line of code in the Application.onCreate method:

MAMThemeManager.setAppTheme(R.style.AppTheme);

In the above example, you need to replace R.style.AppTheme with the style theme that you want the SDK to apply.

Style Customization (deprecated)


This is now deprecated and Custom Themes (above) is the preferred way of customizing views.
Views generated by the MAM SDK can be visually customized to more closely match the app in which it is
integrated. You can customize primary, secondary, and background colors, as well as the size of the app logo. This
style customization is optional and defaults will be used if no custom style is configured.
How to customize
In order to have style changes apply to the Intune MAM views, you must first create a style override XML file. This
file should be placed in the “/res/xml” directory of your app and you may name it whatever you like. Below is an
example of the format this file needs to follow.
<?xml version="1.0" encoding="utf-8"?>
<styleOverrides>
<item
name="foreground_color"
resource="@color/red"/>
<item
name="accent_color"
resource="@color/blue"/>
<item
name="background_color"
resource="@color/green"/>
<item
name="logo_image"
resource="@drawable/app_logo"/>
</styleOverrides>

You must reuse resources that already exist within your app. For example, you must define the color green in the
colors.xml file and reference it here. You cannot use the Hex color code “#0000ff." The maximum size for the app
logo is 110 dip (dp). You may use a smaller logo image, but adhering to the maximum size will yield the best
looking results. If you exceed the 110 dip limit, the image will scale down and possibly cause blurring.
Below is the complete list of allowed style attributes, the UI elements they control, their XML attribute item names,
and the type of resource expected for each.

Style attribute     Attribute item name   Resource type   UI elements affected
Background color    background_color      Color           PIN screen background color; PIN box fill color
Foreground color    foreground_color      Color           Foreground text color; PIN box border in default state;
                                                          characters (including obfuscated characters) in the PIN
                                                          box when the user enters a PIN
Accent color        accent_color          Color           PIN box border when highlighted; hyperlinks
App logo            logo_image            Drawable        Large icon that appears in the Intune app PIN screen

Default enrollment (optional)

The following guidance covers prompting the user on app launch for an automatic APP-WE service enrollment
(called default enrollment in this section) and requiring Intune app protection policy so that only
Intune-protected users can use your SDK-integrated Android LOB app. It also covers how to enable SSO for your
SDK-integrated Android LOB app. This is not supported for store apps that can be used by non-Intune users.

NOTE
The benefits of default enrollment include a simplified method of obtaining policy from APP-WE service for an app on the
device.
NOTE
Default enrollment is sovereign cloud aware.

Enable default enrollment with the following steps:


1. If your app integrates ADAL or you need to enable SSO, configure ADAL following common ADAL
configuration #2. If not, you may skip this step.
2. Enable default enrollment by adding the following value in the manifest under the <application> tag:

<meta-data android:name="com.microsoft.intune.mam.DefaultMAMServiceEnrollment" android:value="true" />

NOTE
This must be the only MAM-WE integration in the app. If there are any other attempts to call
MAMEnrollmentManager APIs, conflicts will arise.

3. Enable MAM policy required by adding the following value in the manifest under the <application> tag:

<meta-data android:name="com.microsoft.intune.mam.MAMPolicyRequired" android:value="true" />

NOTE
This forces the user to download the Company Portal on the device and complete the default enrollment flow before
use.

Limitations
Policy enforcement limitations
Using Content Resolvers : The "transfer or receive" Intune policy may block or partially block the use of a
content resolver to access the content provider in another app. This will cause ContentResolver methods to
return null or throw (for example, openOutputStream will throw FileNotFoundException if blocked). The app
can determine whether a failure to write data through a content resolver was caused by policy (or would be
caused by policy) by making the call:

MAMPolicyManager.getPolicy(currentActivity).getIsSaveToLocationAllowed(contentURI);

or if there is no associated activity:

MAMPolicyManager.getPolicy().getIsSaveToLocationAllowed(contentURI);

In this second case, multi-identity apps must take care to set the thread identity appropriately (or pass an
explicit identity to the getPolicy call).
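The helper below wraps a ContentResolver write so the caller can distinguish "blocked by policy" from an ordinary I/O failure, asking the policy question with an explicit identity so a wrong thread identity cannot answer it for the wrong user. It is an added example for this guide, not SDK or sample code. PolicyAwareExport and its Outcome enum are hypothetical; MAMPolicyManager.getPolicyForIdentity(String) is assumed to be the per-identity variant of the getPolicy call shown above, and the import package paths are assumed.

```java
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.OutputStream;

import android.content.ContentResolver;
import android.content.Context;
import android.net.Uri;

// Package paths assumed; verify against the SDK jar.
import com.microsoft.intune.mam.client.identity.MAMPolicyManager;
import com.microsoft.intune.mam.policy.AppPolicy;

/** Writes corporate data to another app's content URI only when policy allows it. */
final class PolicyAwareExport {
    enum Outcome { WRITTEN, BLOCKED_BY_POLICY, FAILED }

    static Outcome exportTo(Context context, String identity, Uri target, byte[] payload) {
        // Ask before writing, for the identity that owns the payload rather than whatever
        // identity happens to be on this thread (assumed per-identity accessor).
        AppPolicy policy = MAMPolicyManager.getPolicyForIdentity(identity);
        if (!policy.getIsSaveToLocationAllowed(target)) {
            return Outcome.BLOCKED_BY_POLICY;
        }
        ContentResolver resolver = context.getContentResolver();
        try (OutputStream out = resolver.openOutputStream(target)) {
            if (out == null) {
                return Outcome.FAILED;   // provider refused or returned nothing
            }
            out.write(payload);
            out.flush();
            return Outcome.WRITTEN;
        } catch (FileNotFoundException e) {
            // openOutputStream throws this both when MAM blocks the transfer and when the
            // URI is simply bad; re-check policy rather than guessing from the exception.
            return policy.getIsSaveToLocationAllowed(target)
                    ? Outcome.FAILED : Outcome.BLOCKED_BY_POLICY;
        } catch (IOException e) {
            return Outcome.FAILED;
        }
    }
}
```

Surfacing BLOCKED_BY_POLICY separately lets the UI tell the user the export was blocked by their organization's policy instead of showing a generic error, without ever attempting the write when the answer is already no.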
Exported services
The AndroidManifest.xml file included in the Intune App SDK contains MAMNotificationReceiverService , which
must be an exported service to allow the Company Portal to send notifications to a managed app. The service
checks the caller to ensure that only the Company Portal is allowed to send notifications.
Reflection limitations
Some of the MAM base classes (for example, MAMActivity , MAMDocumentsProvider ) contain methods (based on the
original Android base classes) which use parameter or return types only present above certain API levels. For this
reason, it may not always be possible to use reflection to enumerate all methods of app components. This
restriction is not limited to MAM, it is the same restriction that would apply if the app itself implemented these
methods from the Android base classes.
Robolectric
Testing MAM SDK behavior under Robolectric is not supported. There are known issues running the MAM SDK
under Robolectric due to behaviors present under Robolectric that do not accurately mimic those on real devices
or emulators.
If you need to test your application under Robolectric, the recommended workaround is to move your application
class logic to a helper and produce your unit-testing apk with an application class that does not inherit from
MAMApplication.

Expectations of the SDK consumer


The Intune SDK maintains the contract provided by the Android API, though failure conditions may be triggered
more frequently as a result of policy enforcement. These Android best practices will reduce the likelihood of
failure:
Android SDK functions that may return null have a higher likelihood of being null now. To minimize issues,
ensure that null checks are in the right places.
Features that can be checked for must be checked for through their MAM replacement APIs.
Any derived functions must call through to their super class versions.
Avoid use of any API in an ambiguous way. For example, using Activity.startActivityForResult without
checking the requestCode will cause strange behavior.
Services
Policy enforcement may affect service interactions. Methods that establish a bound service connection such as
Context.bindService may fail due to underlying policy enforcement in Service.onBind and may result in
ServiceConnection.onNullBinding or ServiceConnection.onServiceDisconnected . Interacting with an established
bound service may throw a SecurityException due to policy enforcement in Binder.onTransact .

Telemetry
The Intune App SDK for Android does not control data collection from your app. The Company Portal application
logs system-generated data by default. This data is sent to Microsoft Intune. As per Microsoft Policy, we do not
collect any personal data.

NOTE
If end users choose not to send this data, they must turn off telemetry under Settings on the Company Portal app. To learn
more, see Turn off Microsoft usage data collection.

Recommended Android best practices


All library projects should share the same android:package where possible. This will not sporadically fail in
run-time; this is purely a build-time problem. Newer versions of the Intune App SDK will remove some of
the redundancy.
Use the newest Android SDK build tools.
Remove all unnecessary and unused libraries (for example, android.support.v4)

Testing
See the Testing Guide.
Microsoft Intune App SDK for Android developers
testing guide
9/4/2020 • 4 minutes to read

The Microsoft Intune App SDK for Android testing guide is designed to help you test your Intune-managed Android
app.

Demo tenant setup


If you do not already have a tenant with your company, you can create a demo tenant with or without pre-
generated data. You must register as a Microsoft partner to access Microsoft CDX. To create a new account:
1. Navigate to the Microsoft CDX tenant creation site and create a Microsoft 365 Enterprise tenant.
2. Set up Intune to enable mobile device management (MDM).
3. Create users.
4. Create groups.
5. Assign licenses as appropriate for your testing.

Azure portal policy configuration


Create and assign app protection policies in the Azure portal's Intune blade. You can also create and assign your
app configuration policy in the Intune blade.

NOTE
If your app isn't listed in the Azure portal, you can target it with a policy by selecting the more apps option and providing
the package name in the text box.

Test Cases
The following test cases provide configuration and confirmation steps. Use these tests to verify your newly
integrated Android app.
Required PIN and corporate credentials
You can require a PIN to access corporate resources. Also, you can enforce corporate authentication before users
can use managed apps. Here's how:
1. Set Require PIN for access and Require corporate credentials for access to Yes . For more information,
see Android app protection policy settings in Microsoft Intune.
2. Confirm the following conditions:
App launch should present a prompt for PIN input, or the production user that was used during
enrollment with the Company Portal.
Failure to present a valid sign-in prompt might be due to an incorrectly configured Android manifest,
specifically the values for Azure Active Directory Authentication Library (ADAL) integration (SkipBroker,
ClientID, and Authority).
Failure to present any prompt might be due to an incorrectly integrated MAMActivity value. For more
information about MAMActivity , see Microsoft Intune App SDK for Android developer guide.
NOTE
If the preceding test isn't working, the following tests will likely also fail. Review SDK and ADAL integration.

Restrict transferring and receiving data with other apps


You can control data transfer between corporate managed applications, as follows:
1. Set Allow app to transfer data to other apps to Policy-managed apps .
2. Set Allow app to receive data from other apps to All apps .
Use of intents and content providers is affected by these policies.
3. Confirm the following conditions:
Opening from an unmanaged app into your app functions correctly.
Sharing content between your app and managed apps is allowed.
Sharing from your app to non-managed apps (for example, Chrome) is blocked.
Restrict receiving data from other apps
1. Set Send org data to other apps to All apps .
2. Set Receive data from other apps to Policy managed apps .
3. Confirm the following conditions:
Sending to an unmanaged app from your app functions correctly.
Sharing content between your app and managed apps is allowed.
Sharing from non-managed apps (for example, Chrome) to your app is blocked.
If your app requires integrated 'open from' controls, you can control open from functionality as follows:
1. Set Receive data from other apps to Policy managed apps .
2. Set Open data into org documents to Block .
3. Confirm the following conditions:
Opening is restricted to only appropriate managed locations.
Restrict cut, copy, and paste
You can restrict the system clipboard to managed applications, as follows:
1. Set Restrict cut, copy, and paste with other apps to Policy managed with paste in .
2. Confirm the following conditions:
Copying text from your app into an unmanaged app (for example, Messages) is blocked.
Prevent save
If your app requires integrated Save As controls, you can control Save As functionality, as follows:
1. Set Prevent 'Save As' to Yes .
2. Confirm the following conditions:
Save is restricted to only appropriate managed locations.
File Encryption
You can encrypt data on the device, as follows:
1. Set Encrypt app data to Yes .
2. Confirm the following conditions:
Normal application behavior isn't affected.
Prevent Android Backups
You can control app backup, as follows:
1. If you have set integrated backup restrictions, set Prevent Android backups to Yes .
2. Confirm the following conditions:
Backups are restricted.
Wipe
You can remotely wipe corporate email and documents from managed apps. Personal data is decrypted when it's no
longer administered. Here's how:
1. From the Azure portal, issue a wipe.
2. If your app doesn't register for any wipe handlers, confirm the following conditions:
A full wipe of the app occurs.
3. If your app has registered for WIPE_USER_DATA or WIPE_USER_AUXILARY_DATA , confirm the following conditions:
The managed content is removed from the app. For more information, see Intune App SDK for Android
developer guide - Selective Wipe.
Multi-Identity support
Integrating multi-identity support is a high risk change that needs to be thoroughly tested. The most common
issues occur because of improperly setting the active identity ( Context vs. thread level) or improperly tracking file
identities ( MAMFileProtectionManager ).
Minimally, confirm that:
Save As policy is working correctly for managed identities.
Copy and paste restrictions are correctly enforced from managed to personal.
Only data belonging to the managed identity is encrypted, and personal files are not modified.
Selective wipe during unenrollment only removes the managed identity data.
The end user is prompted for conditional launch when changing from an unmanaged to a managed account
(first time only).
App configuration (optional)
You can configure behavior of managed apps. If your app consumes any app configuration settings, you should test
that your app correctly handles all values that you (as the admin) can set. You can create and assign app
configuration policies in Intune.
Microsoft Intune App SDK Xamarin Bindings
9/4/2020 • 9 minutes to read

NOTE
You may wish to first read the Get Started with Intune App SDK article, which explains how to prepare for integration on
each supported platform.

Overview
The Intune App SDK Xamarin Bindings enable Intune app protection policy in iOS and Android apps built with
Xamarin. The bindings allow developers to easily build in Intune app protection features into their Xamarin-based
app.
The Microsoft Intune App SDK Xamarin Bindings let you incorporate Intune app protection policies (also known as
APP or MAM policies) into your apps developed with Xamarin. A MAM-enabled application is one that is
integrated with the Intune App SDK. IT administrators can deploy app protection policies to your mobile app when
Intune actively manages the app.

What's supported?
Developer machines
Windows (Visual Studio version 15.7+)
macOS
Mobile app platforms
Android
iOS
Intune Mobile Application Management scenarios
Intune APP-WE (without device enrollment)
Intune MDM-enrolled devices
Third-party EMM-enrolled devices
Xamarin apps built with the Intune App SDK Xamarin Bindings can now receive Intune app protection policies on
both Intune mobile device management (MDM) enrolled devices and unenrolled devices.

Prerequisites
Review the license terms. Print and retain a copy of the license terms for your records. By downloading and using
the Intune App SDK Xamarin Bindings, you agree to such license terms. If you do not accept them, do not use the
software.
The Intune SDK relies on Microsoft Authentication Library (MSAL) for its authentication and conditional launch
scenarios, which require apps to be configured with Azure Active Directory.
If your application is already configured to use MSAL, and has its own custom client ID used to authenticate with
Azure Active Directory, ensure the steps to give your Xamarin app permissions to the Intune Mobile Application
Management (MAM) service are followed. Use the instructions in the "Give your app access to the Intune app
protection service" section of the getting started with the Intune SDK guide.
Security Considerations
To prevent potential spoofing, information disclosure, and elevation of privilege attacks:
Ensure that Xamarin app development is performed on a secure work station.
Ensure the bindings are from a valid Microsoft source:
MS Intune App SDK NuGet Profile
Intune App SDK Xamarin GitHub Repository
Configure your NuGet config for your project to trust signed, unmodified NuGet packages. See installing
signed packages for more information.
Secure the output directory that contains the Xamarin app. Consider using a user-level directory for the output.

Enabling Intune app protection polices in your iOS mobile app


1. Add the Microsoft.Intune.MAM.Xamarin.iOS NuGet package to your Xamarin.iOS project.
2. Follow the general steps required for integrating the Intune App SDK into an iOS mobile app. You can begin
with step 3 of the integration instructions from the Intune App SDK for iOS Developer Guide. You can skip
the final step in that section of running the IntuneMAMConfigurator, as this tool is included in the
Microsoft.Intune.MAM.Xamarin.iOS package and will be run automatically at build time. Important:
Enabling keychain sharing for an app is slightly different in Visual Studio from Xcode. Open the app's
Entitlements plist and make sure the "Enable Keychain" option is enabled and the appropriate keychain
sharing groups are added in that section. Then, ensure the Entitlements plist is specified in the "Custom
Entitlements" field of the project's "iOS Bundle Signing" options for all the appropriate
Configuration/Platform combinations.
3. Once the bindings are added and the app is properly configured, your app can begin using the Intune SDK's
APIs. To do so, you must include the following namespace:

using Microsoft.Intune.MAM;

4. To begin receiving app protection policies, your app must enroll in the Intune MAM service. If your app does
not use Microsoft Authentication Library (MSAL) to authenticate users, and you'd like the Intune SDK to
handle authentication, your app should provide the user's UPN to the IntuneMAMEnrollmentManager's
LoginAndEnrollAccount method:

IntuneMAMEnrollmentManager.Instance.LoginAndEnrollAccount([NullAllowed] string identity);

Apps may pass in null if the user's UPN is unknown at the time of the call. In this case, users will be
prompted to enter both their email address and password.
If your app already uses MSAL to authenticate users, you can configure a single-sign-on (SSO) experience
between your app and the Intune SDK. First, you'll need to override the default AAD settings used by the
Intune SDK with those of your app. You can do so via the IntuneMAMSettings dictionary in the app's
Info.plist, as mentioned in the Intune App SDK for iOS Developer Guide, or you can do so in code via the
AAD override properties of the IntuneMAMSettings class. The Info.plist approach is recommended for
applications whose MSAL settings are static while the override properties are recommended for
applications that determine those values at runtime. Once all of the SSO settings have been configured,
your app should provide the user's UPN to the IntuneMAMEnrollmentManager's RegisterAndEnrollAccount
method after it has successfully authenticated:
IntuneMAMEnrollmentManager.Instance.RegisterAndEnrollAccount(string identity);

Apps can determine the result of an enrollment attempt by implementing the EnrollmentRequestWithStatus
method in a subclass of IntuneMAMEnrollmentDelegate and setting the IntuneMAMEnrollmentManager's
Delegate property to an instance of that class.
Upon a successful enrollment, apps can determine the UPN of the enrolled account (if previously unknown)
by querying the following property:

string enrolledAccount = IntuneMAMEnrollmentManager.Instance.EnrolledAccount;
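The following is an added example, not code from the Intune App SDK or its sample apps, that wires the two enrollment paths described in step 4 to a delegate so the app learns whether enrollment succeeded and which UPN was enrolled. The delegate subclass, the overridable EnrollmentRequestWithStatus method, LoginAndEnrollAccount, RegisterAndEnrollAccount and EnrolledAccount are the members named above; the property names DidSucceed, StatusCode and ErrorString on IntuneMAMEnrollmentStatus are assumed from the native SDK's status object, and AppEnrollmentDelegate and IntuneEnrollment are hypothetical app code.

```csharp
// Added example: driving Intune MAM enrollment in a Xamarin.iOS app and
// observing the result. DidSucceed, StatusCode and ErrorString are assumed
// names for the status object's properties; everything else named here is
// either shown in the guide above or hypothetical app code.
using System;
using Microsoft.Intune.MAM;

public class AppEnrollmentDelegate : IntuneMAMEnrollmentDelegate
{
    readonly Action<bool, string> _onEnrollmentChanged;

    public AppEnrollmentDelegate(Action<bool, string> onEnrollmentChanged)
    {
        _onEnrollmentChanged = onEnrollmentChanged;
    }

    // Invoked by the SDK when the enrollment request completes.
    public override void EnrollmentRequestWithStatus(IntuneMAMEnrollmentStatus status)
    {
        if (status.DidSucceed)
        {
            // The UPN may have been unknown when enrollment started (null was passed);
            // read back the account the SDK actually enrolled.
            string upn = IntuneMAMEnrollmentManager.Instance.EnrolledAccount;
            _onEnrollmentChanged(true, upn);
        }
        else
        {
            Console.WriteLine($"Enrollment failed: {status.StatusCode} {status.ErrorString}");
            _onEnrollmentChanged(false, null);
        }
    }
}

public static class IntuneEnrollment
{
    // Keep a strong reference: delegate properties on Apple-style APIs are
    // typically weak, and the object must outlive the enrollment request.
    static AppEnrollmentDelegate _delegate;

    // Path 1: the app does not use MSAL, so the SDK performs sign-in itself.
    // Pass null when the UPN is unknown; the SDK then prompts for e-mail and password.
    public static void EnrollWithSdkSignIn(string upnOrNull, Action<bool, string> onEnrollmentChanged)
    {
        _delegate = new AppEnrollmentDelegate(onEnrollmentChanged);
        IntuneMAMEnrollmentManager.Instance.Delegate = _delegate;
        IntuneMAMEnrollmentManager.Instance.LoginAndEnrollAccount(upnOrNull);
    }

    // Path 2: the app already authenticated the user with MSAL (and has set the
    // IntuneMAMSettings overrides for SSO), so only the account registration remains.
    public static void EnrollAfterMsalSignIn(string upn, Action<bool, string> onEnrollmentChanged)
    {
        if (string.IsNullOrEmpty(upn))
            throw new ArgumentException("A UPN is required after MSAL sign-in", nameof(upn));
        _delegate = new AppEnrollmentDelegate(onEnrollmentChanged);
        IntuneMAMEnrollmentManager.Instance.Delegate = _delegate;
        IntuneMAMEnrollmentManager.Instance.RegisterAndEnrollAccount(upn);
    }
}
```

Call EnrollWithSdkSignIn from app startup, or EnrollAfterMsalSignIn from the MSAL sign-in completion handler, and set the delegate before either call so that no status callback is missed.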

Sample Applications
Sample applications highlighting MAM functionality in Xamarin.iOS apps are available on GitHub.

NOTE
There is no remapper for iOS/iPadOS. Integrating into a Xamarin.Forms app should be the same as for a regular Xamarin.iOS
project.

Enabling Intune app protection policies in your Android mobile app


1. Add the Microsoft.Intune.MAM.Xamarin.Android NuGet package to your Xamarin.Android project.
a. For a Xamarin.Forms app, add the Microsoft.Intune.MAM.Remapper.Tasks NuGet package to your
Xamarin.Android project as well.
2. Follow the general steps required for integrating the Intune App SDK into an Android mobile app while
referring to this document for additional details.
Xamarin.Android integration
A complete overview for integrating the Intune App SDK can be found in the Microsoft Intune App SDK for
Android developer guide. As you read through the guide and integrate the Intune App SDK with your Xamarin app
the following sections are intended to highlight differences between the implementation for a native Android app
developed in Java and a Xamarin app developed in C#. These sections should be treated as supplemental and
cannot act as a substitute for reading the guide in its entirety.
Remapper
Beginning with the 1.4428.1 release, the Microsoft.Intune.MAM.Remapper package can be added to a
Xamarin.Android application as build tooling to perform the MAM class, method, and systems services
replacements. If the Remapper is included, the MAM equivalent replacement portions of the Renamed Methods
and MAM Application sections will be automatically performed when the application is built.
To exclude a class from MAM-ification by the Remapper the following property can be added in your projects
.csproj file.

<PropertyGroup>
  <ExcludeClasses>Semicolon-separated list of relative class paths to exclude from MAM-ification</ExcludeClasses>
</PropertyGroup>
NOTE
The Remapper currently prevents debugging in Xamarin.Android apps. Manual integration is recommended to debug your
application.

Renamed Methods
In many cases, a method available in the Android class has been marked as final in the MAM replacement class. In
this case, the MAM replacement class provides a similarly named method (suffixed with MAM ) that you should
override instead. For example, when deriving from MAMActivity , instead of overriding OnCreate() and calling
base.OnCreate() , Activity must override OnMAMCreate() and call base.OnMAMCreate() .

MAM Application
Your app must define an Android.App.Application class. If manually integrating MAM, it must inherit from
MAMApplication . Be sure that your subclass is properly decorated with the [Application] attribute and overrides
the (IntPtr, JniHandleOwnership) constructor.

[Application]
class TaskrApp : MAMApplication
{
    // The runtime constructs the Application object from a Java handle, so this
    // constructor must be provided and passed through to MAMApplication.
    public TaskrApp(IntPtr handle, JniHandleOwnership transfer)
        : base(handle, transfer) { }
}

NOTE
An issue with the MAM Xamarin bindings can cause the application to crash when deployed in Debug mode. As a
workaround, the Debuggable=false attribute must be added to the Application class and the
android:debuggable="true" flag must be removed from the manifest if it was manually set.

Enable features that require app participation


Example: Determine if PIN is required for the app

bool pinRequired = MAMPolicyManager.GetPolicy(currentActivity).IsPinRequired;

Example: Determine the primary Intune user

IMAMUserInfo info = MAMComponents.Get<IMAMUserInfo>();
return info?.PrimaryUser;

Example: Determine if saving to device or cloud storage is permitted

// service: the SaveLocation being written to; username: the identity performing the save
bool saveAllowed = MAMPolicyManager.GetPolicy(currentActivity).GetIsSaveToLocationAllowed(service, username);
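As an added example that is not code from the SDK or its samples, the helper below uses the GetPolicy and GetIsSaveToLocationAllowed calls shown above to drive a Save As flow, which is what the "Prevent save" test case in the testing guide earlier on this page exercises: with Prevent 'Save As' set to Yes, only the managed targets should survive the filter. The SaveLocation values are supplied by the caller rather than named here; SaveTarget, SaveAsGuard and WriteDocument are hypothetical app code.

```csharp
// Added example: gating Save As on the app protection policy for the identity
// doing the save. MAMPolicyManager.GetPolicy and GetIsSaveToLocationAllowed are
// the bindings' members shown above; SaveTarget and SaveAsGuard are hypothetical.
using System.Collections.Generic;
using System.IO;
using Android.Content;
using Microsoft.Intune.MAM;

public sealed class SaveTarget
{
    public string Label { get; }
    public SaveLocation Location { get; }
    public string FilePath { get; }

    public SaveTarget(string label, SaveLocation location, string filePath)
    {
        Label = label;
        Location = location;
        FilePath = filePath;
    }
}

public static class SaveAsGuard
{
    // Reduce the targets offered in the Save As dialog to those the policy allows
    // for this identity. Under "Prevent Save As", unmanaged targets drop out.
    public static IList<SaveTarget> AllowedTargets(Context context, string identity,
                                                   IEnumerable<SaveTarget> candidates)
    {
        var policy = MAMPolicyManager.GetPolicy(context);
        var allowed = new List<SaveTarget>();
        foreach (SaveTarget target in candidates)
        {
            if (policy.GetIsSaveToLocationAllowed(target.Location, identity))
                allowed.Add(target);
        }
        return allowed;
    }

    // Re-check at write time: the dialog may have been open while policy was refreshed.
    // Returns false, and writes nothing, when the location is not permitted.
    public static bool TrySave(Context context, string identity, SaveTarget target, byte[] content)
    {
        var policy = MAMPolicyManager.GetPolicy(context);
        if (!policy.GetIsSaveToLocationAllowed(target.Location, identity))
            return false;
        WriteDocument(target.FilePath, content);
        return true;
    }

    static void WriteDocument(string path, byte[] content)
    {
        Directory.CreateDirectory(Path.GetDirectoryName(path));
        File.WriteAllBytes(path, content);
    }
}
```

In a multi-identity app the identity passed here must be the one that owns the document being saved, not simply the primary user, otherwise a personal document can be blocked or a managed one allowed into an unmanaged location.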

Register for notifications from the SDK


Your app must register for notifications from the SDK by creating a MAMNotificationReceiver and registering it
with MAMNotificationReceiverRegistry . This is done by providing the receiver and the type of notification desired
in App.OnMAMCreate , as the example below illustrates:
public override void OnMAMCreate()
{
    // Register the notification receivers
    IMAMNotificationReceiverRegistry registry = MAMComponents.Get<IMAMNotificationReceiverRegistry>();
    foreach (MAMNotificationType notification in MAMNotificationType.Values())
    {
        registry.RegisterReceiver(new ToastNotificationReceiver(this), notification);
    }
    ...
}
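The receiver below is an added example, not code from the SDK or its samples. It shows what a MAMNotificationReceiver registered as above can do with the wipe notification that the "Wipe" test case in the testing guide earlier on this page exercises: WIPE_USER_DATA on that page corresponds to MAMNotificationType.WipeUserData in the bindings, and the auxiliary-data variant is handled the same way. The member names OnReceive, Type and UserIdentity are assumed from the Java SDK's onReceive, getType and getUserIdentity; WipeNotificationReceiver, RemoveManagedFiles and the files/managed/<identity> layout are hypothetical app code.

```csharp
// Added example: a notification receiver that performs a selective wipe of one
// identity's managed data. OnReceive, Type, UserIdentity and
// MAMNotificationType.WipeUserData are assumed binding names for the Java SDK's
// members; the per-identity directory layout is hypothetical app design.
using System;
using System.IO;
using Android.Content;
using Android.Util;
using Microsoft.Intune.MAM;

public class WipeNotificationReceiver : Java.Lang.Object, IMAMNotificationReceiver
{
    const string Tag = "WipeReceiver";
    readonly Context _context;

    public WipeNotificationReceiver(Context context)
    {
        _context = context;
    }

    // Return true only when the requested action really completed; false tells the
    // SDK the app could not honor the notification.
    public bool OnReceive(IMAMNotification notification)
    {
        if (!MAMNotificationType.WipeUserData.Equals(notification.Type))
            return true; // nothing to do for other notification types in this receiver

        // Wipe notifications carry the identity whose data must be removed.
        string identity = (notification as IMAMUserNotification)?.UserIdentity;
        if (string.IsNullOrEmpty(identity))
        {
            Log.Warn(Tag, "Wipe requested without an identity; refusing");
            return false;
        }
        return RemoveManagedFiles(identity);
    }

    // Hypothetical layout: files/managed/<identity>/... holds that identity's data.
    // Only that directory is removed; personal data elsewhere is left untouched,
    // which is what the multi-identity test expectations on this page require.
    bool RemoveManagedFiles(string identity)
    {
        try
        {
            string dir = Path.Combine(_context.FilesDir.AbsolutePath, "managed", DirectoryNameFor(identity));
            if (Directory.Exists(dir))
                Directory.Delete(dir, recursive: true);
            return !Directory.Exists(dir);
        }
        catch (Exception ex)
        {
            Log.Error(Tag, "Selective wipe failed for " + identity + ": " + ex.Message);
            return false;
        }
    }

    // Identities are UPNs; compare case-insensitively and keep them out of path syntax.
    static string DirectoryNameFor(string identity) =>
        identity.ToLowerInvariant().Replace('/', '_').Replace('\\', '_');

    // Call from MAMApplication.OnMAMCreate to subscribe to the wipe notification only.
    public static void Register(Context appContext)
    {
        var registry = MAMComponents.Get<IMAMNotificationReceiverRegistry>();
        registry.RegisterReceiver(new WipeNotificationReceiver(appContext), MAMNotificationType.WipeUserData);
    }
}
```

Registering for WipeUserData makes the app responsible for removing the managed content itself, so the "Wipe" test case should be re-run after any change to where the app stores identity-owned files.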

MAM Enrollment Manager

IMAMEnrollmentManager mgr = MAMComponents.Get<IMAMEnrollmentManager>();

Xamarin.Forms integration
For Xamarin.Forms applications the Microsoft.Intune.MAM.Remapper package performs MAM class replacement
automatically by injecting MAM classes into the class hierarchy of commonly used Xamarin.Forms classes.

NOTE
The Xamarin.Forms integration must be done in addition to the Xamarin.Android integration detailed above. The Remapper
behaves differently for Xamarin.Forms apps, so the manual MAM replacements must still be done.

Once the Remapper is added to your project you will need to perform the MAM equivalent replacements. For
example, FormsAppCompatActivity and FormsApplicationActivity can continue to be used in your application
provided overrides to OnCreate and OnResume are replaced with the MAM equivalents OnMAMCreate and
OnMAMResume respectively.

public class MainActivity : global::Xamarin.Forms.Platform.Android.FormsAppCompatActivity
{
    // OnCreate is sealed by the Remapper; override the MAM variant instead.
    protected override void OnMAMCreate(Bundle savedInstanceState)
    {
        base.OnMAMCreate(savedInstanceState);
        global::Xamarin.Forms.Forms.Init(this, savedInstanceState);
        LoadApplication(new App());
    }

    // Likewise OnResume is replaced by OnMAMResume.
    protected override void OnMAMResume()
    {
        base.OnMAMResume();
    }
}

If the replacements are not made, you may encounter the following compilation errors until you make them:
Compiler Error CS0239. This error is commonly seen in this form:
'MainActivity.OnCreate(Bundle)': cannot override inherited member 'MAMAppCompatActivityBase.OnCreate(Bundle)'
because it is sealed. This is expected: when the Remapper modifies the inheritance of Xamarin classes, certain
functions are made sealed and a new MAM variant is added to override instead.
Compiler Error CS0507. This error is commonly seen in this form:
'MyActivity.OnRequestPermissionsResult()' cannot change access modifiers when overriding 'public' inherited
member ... When the Remapper changes the inheritance of some of the Xamarin classes, certain member functions
are changed to public. If you override any of these functions, you will need to change the access modifiers of
those overrides to public as well.
NOTE
The Remapper re-writes a dependency that Visual Studio uses for IntelliSense auto-completion. Therefore, you may need to
reload and rebuild the project when the Remapper is added for IntelliSense to correctly recognize the changes.

Troubleshooting
If you encounter a blank, white screen in your application on launch, then you may need to force the navigation
calls to execute on the main thread.
The Intune SDK Xamarin Bindings do not support apps that are using a cross-platform framework such as
MvvmCross due to conflicts between MvvmCross and Intune MAM classes. While some customers may have
had success with integration after moving their apps to plain Xamarin.Forms, we do not provide explicit
guidance or plugins for app developers using MvvmCross.
Company Portal app
The Intune SDK Xamarin Bindings rely on the presence of the Company Portal Android app on the device to enable
app protection policies. The Company Portal retrieves app protection policies from the Intune service. When the
app initializes, it loads policy and code to enforce that policy from the Company Portal. The user does not need to
be signed in.

NOTE
When the Company Portal app is not on the Android device, an Intune-managed app behaves the same as a normal app
that does not support Intune app protection policies.

For app protection without device enrollment, the user is not required to enroll the device by using the Company
Portal app.
Sample Applications
Sample applications highlighting MAM functionality in Xamarin.Android and Xamarin.Forms apps are available on
GitHub.

Support
If your organization is an existing Intune customer, please work with your Microsoft support representative to
open a support ticket and create an issue on the GitHub issues page. We will help as soon as we can.
