App Protection Policies (APP) are one of the more underused features in Intune. They sit within the Mobile Application Management (MAM) side of Intune and let you apply data protection rules to specific apps on personal or unmanaged devices, without requiring the device itself to be enrolled into MDM.
This matters a lot for BYOD scenarios. A staff member using their personal iPhone to check work email should not be able to copy data out of Outlook and paste it into WhatsApp, or save attachments to their personal iCloud. APP gives you that control without forcing full device enrolment, which most personal device owners push back on.
MAM vs MDM
MDM (Mobile Device Management) manages the whole device. MAM (Mobile Application Management) manages just the apps. App Protection Policies are a MAM control. You can use them alongside full device enrolment or entirely without it.
Create the Policy
Navigate to the Intune admin centre and create a new App Protection Policy:
intune.microsoft.com › Apps › App Protection Policies › Create Policy
You will need a separate policy for iOS/iPadOS and for Android. The configuration options are very similar, but each policy is platform-specific. Start with iOS.
Target Apps
Under the Apps tab, choose which apps the policy applies to. The most common choice is All Microsoft Apps, which covers Outlook, Teams, OneDrive, SharePoint, Word, Excel, PowerPoint, and Edge. You can also target only specific apps if you want tighter control.
Target All Microsoft Apps
Selecting "All Microsoft Apps" makes sure coverage stays current as Microsoft adds new apps to the portfolio. You don't need to manually add each app or update the policy when new ones appear.
Data Protection Settings
This is the core of the policy. These settings control what users can and cannot do with data inside the protected apps.
| Setting | What it controls | Recommended value |
|---|---|---|
| Send org data to other apps | Where can users send data from managed apps? | Policy managed apps only |
| Receive data from other apps | What can be pasted or opened into managed apps? | Policy managed apps only |
| Save copies of org data | Restrict saving to personal storage (iCloud, Google Drive, etc.) | Block |
| Restrict cut, copy, paste with other apps | Prevent copy/paste between managed and unmanaged apps | Policy managed apps |
| Send org data to unmanaged apps via share extension | iOS share sheet control | Block |
| PIN for access | Require a PIN to open managed apps | Require |
| PIN type | Numeric vs passcode | Numeric |
| Recheck access requirements after (minutes of inactivity) | How long before the PIN is required again | 30 |
| Biometrics instead of PIN | Allow Face ID or fingerprint in place of the PIN | Allow |
| Max PIN attempts | Wipe app data after too many failed PIN attempts | 5 attempts, then wipe |
| Jailbroken/rooted devices | Block access from compromised devices | Block access |
| Min OS version | Block outdated OS versions from accessing managed apps | iOS 16 / Android 11 |
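The same iOS settings expressed as a Microsoft Graph request body, with a drift check that flags a policy whose values have been relaxed below this baseline. This is an added example, not code from the original post; the property names are my mapping of the settings above onto the Graph beta `iosManagedAppProtection` resource and should be checked against the current Graph reference before use.

```python
# Added example (not from the original post). Assumption: property names and values
# follow the Graph beta iosManagedAppProtection resource as I understand it, used with
# POST /beta/deviceAppManagement/iosManagedAppProtections and GET on the same path.
import json

BASELINE = {
    "@odata.type": "#microsoft.graph.iosManagedAppProtection",
    "displayName": "BYOD - iOS App Protection",
    "appGroupType": "allMicrosoftApps",                        # Target: All Microsoft Apps
    "allowedOutboundDataTransferDestinations": "managedApps",  # Send org data to other apps
    "allowedInboundDataTransferSources": "managedApps",        # Receive data from other apps
    "saveAsBlocked": True,                                     # Save copies of org data: Block
    "allowedOutboundClipboardSharingLevel": "managedApps",     # Restrict cut, copy, paste
    "pinRequired": True,                                       # PIN for access: Require
    "pinCharacterSet": "numeric",                              # PIN type: Numeric
    "periodOnlineBeforeAccessCheck": "PT30M",                  # Recheck after 30 min inactivity
    "fingerprintBlocked": False,                               # Biometrics instead of PIN: Allow
    "faceIdBlocked": False,
    "maximumPinRetries": 5,                                    # 5 attempts, then wipe
    "deviceComplianceRequired": True,                          # Jailbroken devices: Block access
    "minimumRequiredOsVersion": "16.0",                        # Min OS version: iOS 16
}


def _version(v):
    """'16.0' -> (16, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def audit_policy(policy):
    """Compare one policy dict (e.g. a GET result) with BASELINE; return drift findings."""
    findings = []
    for key, expected in BASELINE.items():
        if key in ("@odata.type", "displayName"):
            continue
        actual = policy.get(key)
        if key == "maximumPinRetries":          # fewer allowed retries is stricter, so fine
            ok = actual is not None and actual <= expected
        elif key == "minimumRequiredOsVersion":  # a higher floor is stricter, so fine
            ok = actual is not None and _version(actual) >= _version(expected)
        else:                                    # everything else must match exactly
            ok = actual == expected
        if not ok:
            findings.append(f"{key}: expected {expected!r}, found {actual!r}")
    return findings


def audit_policy_json(text):
    """Same check over the raw JSON string returned by Graph."""
    return audit_policy(json.loads(text))
```

Run `audit_policy` over each policy returned by the Graph collection endpoint and alert on a non-empty result; a stricter value (fewer PIN retries, a higher OS floor) is accepted, anything looser is reported.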
Assignments
Assign the policy to a group containing your users. A few things worth noting:
- APP targets users, not devices. Every device that user signs into will be subject to the policy.
- You can use the same Entra ID security group you use for licensing assignments.
- The policy applies when the user signs into the managed app with their work account, whether or not the device is enrolled in Intune.
Create a separate policy for Android
The iOS and Android platforms need separate policies. The settings are almost identical but you cannot combine them. Go back to App Protection Policies, create a second policy, and select Android as the platform. Assign it to the same group.
Verify the Policy Is Applying
After a user signs into Outlook or another managed app on their personal device, check the policy status in Intune:
intune.microsoft.com › Apps › Monitor › App Protection Status
The report shows which users have checked in with an APP-protected app, which policies are applied, and whether there are any flagged devices. A status of Checked in means the policy is active on that device.
No licence required for MAM without enrolment
You do not need an Intune device licence to apply App Protection Policies to unmanaged personal devices. You only need an Intune App Protection licence, which is included in Microsoft 365 Business Premium and most E3/E5 plans. Check your licence assignment if the policy isn't showing up in the report.