
Demystifying iOS/iPadOS App Protection: Understanding IntuneMAMUPN, IntuneMAMOID and IntuneMAMDeviceID

Steffen Schwerdtfeger

Are you experiencing strange behaviors when applying App Protection policies? Never heard of “IntuneMAMDeviceID”? When securing iOS/iPadOS apps with Intune App Protection policies, several app configuration keys like “IntuneMAMUPN” and “IntuneMAMOID” play an important role. Let’s explore what’s behind these keys and why they are needed.


App Protection Policies

A common customer scenario is having two App Protection policies for iOS/iPadOS devices scoped via filters:


  • one for managed devices (via MDM)

  • and another for unmanaged devices (BYOD, with just App Protection applied, known as “MAM-WE”).


This lets you vary the restrictions by device usage model (for example, requiring an app PIN only on unmanaged devices).

Has an MDM-enrolled device received the policy meant for unmanaged devices? One possible cause is that the user installed the app from the App Store instead of through the Intune Company Portal, so it is not an Intune managed app and never receives the MDM-delivered app configuration. Another possible cause is a missing app configuration:


IntuneMAMUPN, IntuneMAMOID and IntuneMAMDeviceID

The app configuration key “IntuneMAMUPN” is what App Protection policies use to distinguish “Managed” from “Unmanaged” devices. If it is not set on an MDM-enrolled device, the apps on that device are treated as unmanaged and receive the App Protection policy for unmanaged devices. In our example, that means an app PIN is required. If you only have an App Protection policy for managed devices, the apps end up without any policy at all.


So, IntuneMAMUPN is effectively a flag that tells the App Protection policy an app is installed on an MDM device.

In addition, the UPN lets a policy managed app match the signed-in account to the device's enrolled user when it sends org data to an iOS managed app (an app installed via Intune). Example: when a file is shared from the OneDrive app (protected by an App Protection policy) to an Intune-installed app without App Protection support, the file is protected by iOS native “Open-in management”. Sharing that file again to an app installed from the App Store and not managed, such as WhatsApp, is blocked. This lets you control sharing of org data across all Intune managed apps, regardless of App Protection support. Two settings are required: in the App Protection policy, “Send org data to other apps” set to “Policy managed apps with OS sharing”, and in the MDM device restrictions, “allowOpenFromManagedToUnmanaged” turned off.


But wait, what is IntuneMAMOID? Essentially, it serves the same purpose. Identifying a user in an app by UPN is fragile in scenarios such as UPN changes, guest accounts, or migrating users between tenants, because the UPN can change while the user stays the same.

IntuneMAMOID uses the user's Entra ID object ID (OID) as the identifier instead.

If IntuneMAMOID is defined, it takes precedence over IntuneMAMUPN. Whether that holds in practice depends on the app and the version of the Intune App SDK it was built with, because IntuneMAMOID is a newer key.


Last but not least, there is a third key: “IntuneMAMDeviceID” which is set to the Intune device ID. It is required for third-party and line-of-business apps (e.g. Adobe Acrobat Reader).

In summary, configuring both IntuneMAMUPN and IntuneMAMOID is the way to go. For third-party and line-of-business apps, also add IntuneMAMDeviceID.

IntuneMAMAllowedAccountsOnly

This additional, optional key restricts the targeted apps to the account (UPN) defined by “IntuneMAMUPN”, so users cannot sign in with another account. Check Microsoft's documentation for the list of supported apps.


IntuneMAMRequireAccounts

Another, more specialized, setting forces the user to sign in with the account (UPN) defined by “IntuneMAMUPN”. Currently, this only applies when the App Protection policy's setting for receiving data from other apps is set to “All apps with incoming org data”.


Key takeaways

When using App Protection policies on MDM devices, add the following app configurations. I recommend assigning them to the apps licensed via Apple Business Manager (VPP), because those are the Intune managed installs that receive the configuration:


For Microsoft apps that support App Protection policies: IntuneMAMUPN and IntuneMAMOID.

For third-party and line-of-business apps that support App Protection policies: IntuneMAMUPN, IntuneMAMOID and IntuneMAMDeviceID.

Keys and values for copy-paste (key, value type, value):

IntuneMAMUPN			String		{{userprincipalname}}
IntuneMAMOID			String		{{userid}}
IntuneMAMDeviceID		String		{{DeviceId}}

And yes, this will require a lot of profiles… 😉 The good news is that this announcement already saves you some of that work:

Starting with Intune's September 2024 (2409) service release, these app configuration values are set automatically for Excel, Outlook, PowerPoint, Teams and Word.
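If you would rather script the remaining profiles than click them together, here is an added Python example (not the author's code) that builds the Microsoft Graph request body for an iOS app configuration policy carrying these keys, and checks a policy read back from Graph for keys that are missing or misspelled. It assumes the Graph resource `microsoft.graph.iosMobileAppConfiguration` (POST to `/deviceAppManagement/mobileAppConfigurations`) with `appConfigurationSettingItem` entries in `settings`; the app IDs and the sample policy are constructed placeholders, and `Enabled` as the value of the optional IntuneMAMAllowedAccountsOnly key is Microsoft's documented value, not something this page states. Sending the payload (HTTP plus an access token) is left out so the block runs offline.

```python
"""Build and validate Intune iOS app configuration policies that carry the
IntuneMAMUPN / IntuneMAMOID / IntuneMAMDeviceID keys.

Added example; not the blog author's code. Assumed Graph shape:
POST /deviceAppManagement/mobileAppConfigurations with a body of type
microsoft.graph.iosMobileAppConfiguration whose "settings" entries are
appConfigurationSettingItem objects. App IDs and the sample policy below
are constructed placeholders.
"""
import json

# Intune configuration tokens as listed in the copy-paste table above.
TOKEN_UPN = "{{userprincipalname}}"
TOKEN_OID = "{{userid}}"
TOKEN_DEVICE_ID = "{{DeviceId}}"

# Microsoft apps with App Protection support need these two keys ...
BASE_KEYS = {"IntuneMAMUPN": TOKEN_UPN, "IntuneMAMOID": TOKEN_OID}
# ... third-party and line-of-business apps additionally need the device ID.
THIRD_PARTY_KEYS = {**BASE_KEYS, "IntuneMAMDeviceID": TOKEN_DEVICE_ID}


def required_keys(third_party: bool) -> dict:
    """Key/value pairs an app on an MDM device must receive."""
    return dict(THIRD_PARTY_KEYS if third_party else BASE_KEYS)


def setting_items(keys: dict) -> list:
    """Translate key/value pairs into appConfigurationSettingItem entries
    (all three keys are of type String in the Intune portal)."""
    return [
        {"appConfigKey": key,
         "appConfigKeyType": "stringType",
         "appConfigKeyValue": value}
        for key, value in keys.items()
    ]


def build_policy(display_name: str, mobile_app_ids: list,
                 third_party: bool = False,
                 allowed_accounts_only: bool = False) -> dict:
    """Graph request body for one managed-devices app configuration policy."""
    keys = required_keys(third_party)
    if allowed_accounts_only:
        # Optional key; "Enabled" is Microsoft's documented value (assumption
        # relative to this page, which does not list the value).
        keys["IntuneMAMAllowedAccountsOnly"] = "Enabled"
    return {
        "@odata.type": "#microsoft.graph.iosMobileAppConfiguration",
        "displayName": display_name,
        "description": "Marks the app as installed on an MDM device for App Protection",
        "targetedMobileApps": list(mobile_app_ids),
        "settings": setting_items(keys),
    }


def missing_keys(policy: dict, third_party: bool = False) -> list:
    """Check a policy (as read back from Graph) for required keys that are
    absent or carry the wrong token. Managed app configuration dictionary
    keys are case-sensitive, so 'IntuneMAMDeviceId' does not count as
    'IntuneMAMDeviceID'. Token values are compared case-insensitively,
    since the page writes {{DeviceId}} and the Intune docs write {{deviceid}}."""
    present = {s["appConfigKey"]: s.get("appConfigKeyValue", "")
               for s in policy.get("settings", [])}
    problems = []
    for key, expected in required_keys(third_party).items():
        if key not in present:
            problems.append(f"{key}: missing")
        elif present[key].strip().lower() != expected.lower():
            problems.append(f"{key}: expected {expected}, found {present[key]!r}")
    return problems


# Constructed example of a policy read back from Graph: the OID key was
# never added and the device ID key was typed with the wrong case.
SAMPLE_EXISTING_POLICY = {
    "displayName": "Acrobat Reader - MAM keys",
    "settings": [
        {"appConfigKey": "IntuneMAMUPN", "appConfigKeyType": "stringType",
         "appConfigKeyValue": "{{userprincipalname}}"},
        {"appConfigKey": "IntuneMAMDeviceId", "appConfigKeyType": "stringType",
         "appConfigKeyValue": "{{deviceid}}"},
    ],
}

if __name__ == "__main__":
    # Placeholder mobile app IDs (in practice the Graph IDs of your VPP apps).
    print(json.dumps(build_policy("Outlook - MAM keys",
                                  ["00000000-0000-0000-0000-000000000001"]),
                     indent=2))
    print(json.dumps(build_policy("Acrobat Reader - MAM keys",
                                  ["00000000-0000-0000-0000-000000000002"],
                                  third_party=True), indent=2))
    for problem in missing_keys(SAMPLE_EXISTING_POLICY, third_party=True):
        print("problem:", problem)
```

Running `missing_keys` over the policies you already have (GET the same collection, then feed each item in) is the quickest way to find the profile that explains why an MDM device still receives the unmanaged policy: a key that is absent, or present under a slightly different spelling, is exactly the failure described above.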
