5.4 App Protection, App Configuration, and Conditional Access
Key Takeaways
- App protection policies secure organizational data inside managed apps and can work on enrolled or unenrolled devices.
- MAM without enrollment is best for BYOD users who need Outlook, Teams, OneDrive, or other protected apps without full device management.
- Managed devices app configuration uses the MDM channel for apps deployed to enrolled devices; managed apps configuration uses the MAM channel for SDK-integrated or wrapped apps regardless of enrollment state.
- App configuration prepopulates app settings such as server URLs or allowed accounts; app protection controls data movement, access requirements, and selective wipe.
- Conditional Access can require an app protection policy or approved client app so only protected client apps can access Microsoft 365 resources.
Managed apps versus managed devices
A managed device is enrolled in Intune and managed through mobile device management. Intune can deploy profiles, compliance policy, certificates, apps, remote actions, and device-level settings. Managed devices are the right choice for corporate-owned devices, kiosks, shared devices, and scenarios that require device compliance.
A managed app is an app where Intune applies app protection policy or app configuration through the mobile application management channel. The device might be enrolled, enrolled in another MDM, or not enrolled at all. Management is centered on the user's work identity and the protected app data, not the whole device.
| Need | Use this control | Why |
|---|---|---|
| Require device encryption, OS version, or jailbreak/root state for access | Compliance policy plus Conditional Access | Device health is a device-level decision |
| Require PIN before opening Outlook work data | App protection policy | Controls access inside the managed app |
| Block copy from Outlook work account to personal apps | App protection policy | Controls data transfer between managed and unmanaged apps |
| Prepopulate an app with server URL or tenant ID | App configuration policy | Delivers app settings so users do not type them manually |
| Protect personal phones without enrollment | MAM without enrollment | Secures work data in supported apps without full MDM |
| Remove only corporate data from an app | Selective wipe / app protection | Leaves personal apps and personal data intact |
MAM without enrollment
Mobile Application Management (MAM) without enrollment is the usual model for personal or bring-your-own-device scenarios. Users install apps such as Outlook, Teams, Edge, Word, Excel, PowerPoint, or OneDrive from the public app store, sign in with their work account, and receive app-layer policy from Intune. On Android the Intune Company Portal app must be installed so the app can receive policy, but the device does not have to be enrolled; on iOS the Microsoft Authenticator app is needed as the broker when Conditional Access requires an app protection policy. The organization protects work data without managing the entire device.
MAM without enrollment is not the right primary model for organization-owned shared devices or kiosks. Corporate-owned endpoints usually need Intune enrollment so you can apply device configuration, compliance, inventory, remote actions, and full app deployment.
App protection policies
App protection policies define how work data behaves inside supported apps. Common settings include app PIN, biometric access, encryption, block copy and paste to unmanaged apps, prevent Save As to personal storage, restrict web links to Microsoft Edge, conditional launch rules, and selective wipe of organizational data.
A key exam phrase is managed app. In Intune, a managed app for app protection is a protected app that has app protection policy applied. Public Microsoft apps commonly support this through the Intune App SDK. Line-of-business apps can be prepared with the Intune App SDK or App Wrapping Tool.
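The following is an added example, not code from the page: it creates, targets, and assigns an iOS app protection policy for MAM without enrollment with the Microsoft Graph PowerShell SDK (`Invoke-MgGraphRequest` against the v1.0 `iosManagedAppProtections` resource). The settings map to the exam scenario of Outlook and Teams on personal iPhones with PIN, blocked copy-out to personal apps, blocked Save As, Edge for web links, and an offline wipe window. The group ID is a placeholder; the Microsoft.Graph module is assumed to be installed.

```powershell
# Added example: iOS app protection policy for MAM without enrollment.
# Assumes the Microsoft.Graph PowerShell module is installed; $byodGroupId is a placeholder.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All" -NoWelcome

$byodGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: group of BYOD users
$graph = "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections"

# Policy body uses the Graph iosManagedAppProtection properties.
$policy = @{
    "@odata.type"                           = "#microsoft.graph.iosManagedAppProtection"
    displayName                             = "iOS MAM-WE - Outlook and Teams"
    description                             = "Protect work data on unenrolled personal iPhones"
    # Access requirements: app PIN, biometrics allowed, encrypt org data when the device is locked.
    pinRequired                             = $true
    minimumPinLength                        = 6
    pinCharacterSet                         = "numeric"
    simplePinBlocked                        = $true
    fingerprintBlocked                      = $false
    appDataEncryptionType                   = "whenDeviceLocked"
    # Data movement: work data may only leave to other managed apps; paste into work
    # apps from anywhere is allowed, copying out to personal apps is blocked.
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedInboundDataTransferSources       = "allApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    saveAsBlocked                           = $true
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")
    managedBrowserToOpenLinksRequired       = $true     # web links open in Microsoft Edge
    dataBackupBlocked                       = $true
    # Conditional launch: re-check access after 12 h offline, selective wipe after 90 days offline.
    periodOfflineBeforeAccessCheck          = "PT12H"
    periodOfflineBeforeWipeIsEnforced       = "P90D"
    deviceComplianceRequired                = $false    # MAM-WE: no MDM compliance dependency
}
$created = Invoke-MgGraphRequest -Method POST -Uri $graph `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Target the public store apps the policy manages (iOS bundle IDs for Outlook and Teams).
$apps = @{
    apps = @(
        @{ "@odata.type" = "#microsoft.graph.managedMobileApp"
           mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                                    bundleId = "com.microsoft.Office.Outlook" } },
        @{ "@odata.type" = "#microsoft.graph.managedMobileApp"
           mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                                    bundleId = "com.microsoft.skype.teams" } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/$($created.id)/targetApps" `
    -Body ($apps | ConvertTo-Json -Depth 10) -ContentType "application/json"

# App protection policies are user-targeted: assign to the BYOD user group.
$assign = @{
    assignments = @(
        @{ "@odata.type" = "#microsoft.graph.targetedManagedAppPolicyAssignment"
           target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $byodGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/$($created.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created policy $($created.displayName) ($($created.id))"
```

Because `deviceComplianceRequired` is left off, the policy applies on unenrolled phones; set it to `$true` only where the design pairs app protection with enrolled, compliant devices. An Android policy is the same shape against `androidManagedAppProtections` with `androidMobileAppIdentifier`/`packageId` instead of bundle IDs.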
App configuration policies
App configuration is not the same as app protection. Configuration supplies settings to the app. Protection controls access and data movement.
Intune has two configuration channels:
| Configuration channel | Enrollment type in Intune | Use when |
|---|---|---|
| Managed devices | Device is enrolled in Intune and the app is deployed through MDM | You manage the device and want OS app configuration channels such as iOS managed app configuration or Android Enterprise app configuration |
| Managed apps | App supports Intune SDK or wrapping and is usually paired with app protection policy | You need configuration through the MAM channel, including on devices that are not enrolled |
For example, an enrolled iPhone can receive Outlook configuration through Managed devices. A personal iPhone that is not enrolled can receive supported Outlook configuration through Managed apps if the user is targeted and the app supports the MAM channel.
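As an added example (not from the page), the script below delivers Outlook configuration through both channels: a Managed apps policy over the MAM channel that reaches unenrolled phones, and a Managed devices policy over the iOS MDM channel for an enrolled iPhone. The Outlook configuration keys are the documented `com.microsoft.outlook.EmailProfile.*` keys; `IntuneMAMUPN` is the documented key that tells an MDM-deployed app which user it belongs to so app protection policy applies to the right identity. Group IDs and the Intune app object ID for Outlook are placeholders.

```powershell
# Added example: Outlook app configuration through the MAM (managed apps) and
# MDM (managed devices) channels. IDs below are placeholders, not real values.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All" -NoWelcome
$base = "https://graph.microsoft.com/v1.0/deviceAppManagement"

$byodGroupId      = "00000000-0000-0000-0000-000000000000"  # placeholder: BYOD users
$enrolledGroupId  = "11111111-1111-1111-1111-111111111111"  # placeholder: users with enrolled iPhones
$outlookIosAppId  = "22222222-2222-2222-2222-222222222222"  # placeholder: Intune app object ID of
                                                            # Outlook for iOS (see $base/mobileApps)

function Send-Graph([string]$Uri, [hashtable]$Body) {
    Invoke-MgGraphRequest -Method POST -Uri $Uri `
        -Body ($Body | ConvertTo-Json -Depth 10) -ContentType "application/json"
}

# 1. Managed apps channel: targetedManagedAppConfiguration, delivered by the Intune App SDK,
#    so it works whether or not the device is enrolled. Tokens are resolved per user.
$mam = Send-Graph "$base/targetedManagedAppConfigurations" @{
    displayName    = "Outlook - managed apps config (MAM)"
    customSettings = @(
        @{ name = "com.microsoft.outlook.EmailProfile.EmailAddress"; value = "{{userprincipalname}}" },
        @{ name = "com.microsoft.outlook.EmailProfile.EmailUPN";     value = "{{userprincipalname}}" },
        @{ name = "com.microsoft.outlook.EmailProfile.AccountType";  value = "ModernAuth" }
    )
}
Send-Graph "$base/targetedManagedAppConfigurations/$($mam.id)/targetApps" @{
    apps = @(
        @{ "@odata.type" = "#microsoft.graph.managedMobileApp"
           mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                                    bundleId = "com.microsoft.Office.Outlook" } },
        @{ "@odata.type" = "#microsoft.graph.managedMobileApp"
           mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.androidMobileAppIdentifier"
                                    packageId = "com.microsoft.office.outlook" } }
    )
}
Send-Graph "$base/targetedManagedAppConfigurations/$($mam.id)/assign" @{
    assignments = @(@{ "@odata.type" = "#microsoft.graph.targetedManagedAppPolicyAssignment"
                       target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                                   groupId = $byodGroupId } })
}

# 2. Managed devices channel: iosMobileAppConfiguration pushed by MDM to an enrolled device.
#    It requires the app to exist as an Intune-deployed app. IntuneMAMUPN links the MDM-installed
#    app to the signed-in user so the app protection policy can identify the work account.
$mdm = Send-Graph "$base/mobileAppConfigurations" @{
    "@odata.type"      = "#microsoft.graph.iosMobileAppConfiguration"
    displayName        = "Outlook - managed devices config (MDM)"
    targetedMobileApps = @($outlookIosAppId)
    settings           = @(
        @{ appConfigKey = "IntuneMAMUPN"; appConfigKeyType = "stringType"
           appConfigKeyValue = "{{userprincipalname}}" },
        @{ appConfigKey = "com.microsoft.outlook.EmailProfile.EmailAddress"; appConfigKeyType = "stringType"
           appConfigKeyValue = "{{userprincipalname}}" },
        @{ appConfigKey = "com.microsoft.outlook.EmailProfile.AccountType"; appConfigKeyType = "stringType"
           appConfigKeyValue = "ModernAuth" }
    )
}
Send-Graph "$base/mobileAppConfigurations/$($mdm.id)/assign" @{
    assignments = @(@{ "@odata.type" = "#microsoft.graph.managedDeviceMobileAppConfigurationAssignment"
                       target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                                   groupId = $enrolledGroupId } })
}

"MAM config $($mam.id); MDM config $($mdm.id)"
```

The two objects live under different Graph resources, which is the practical tell for the exam distinction: `targetedManagedAppConfigurations` is keyed by app bundle or package ID and needs no device record, while `mobileAppConfigurations` is keyed by an Intune app object and only lands on enrolled devices that received that app.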
Conditional Access for app protection
An app protection policy governs work data only inside apps that have received it; by itself it cannot stop an unprotected client (a third-party mail app, or a supported app with no policy targeted) from signing in to Exchange Online or SharePoint. Conditional Access closes that gap by enforcing access to cloud resources based on the client app and its policy state. Microsoft Entra Conditional Access can require approved client apps or require an app protection policy, commonly for iOS and Android access to Office 365 resources.
Use report-only mode and exclude break-glass accounts when testing Conditional Access. For new app protection designs, prefer the Require app protection policy grant where the platform supports it. The older Require approved client app grant is being retired, so policies that use it alone should be migrated to the app protection policy grant rather than carried into new designs.
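As an added example (not from the page), this script first audits existing Conditional Access policies for the retiring Require approved client app grant used without Require app protection policy, then creates a report-only policy that requires an app protection policy for iOS and Android clients reaching Office 365, with a break-glass account excluded. It uses the Graph `identity/conditionalAccess/policies` resource, where `approvedApplication` is the approved-client-app grant and `compliantApplication` is the app-protection-policy grant; the break-glass account ID is a placeholder.

```powershell
# Added example: audit the retiring "approved client app" grant, then stage the
# replacement policy in report-only mode. $breakGlassId is a placeholder, not a real ID.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All" -NoWelcome
$caUri = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# 1. Audit: policies whose grant controls include approvedApplication but not compliantApplication.
#    Invoke-MgGraphRequest returns hashtables; a missing grantControls just evaluates to $null.
$policies = (Invoke-MgGraphRequest -Method GET -Uri $caUri).value
$needsMigration = $policies | Where-Object {
    $grants = $_.grantControls.builtInControls
    ($grants -contains "approvedApplication") -and ($grants -notcontains "compliantApplication")
}
foreach ($p in $needsMigration) {
    "{0} [{1}] grants: {2}" -f $p.displayName, $p.state, ($p.grantControls.builtInControls -join ", ")
}

# 2. Replacement policy: require an app protection policy for mobile clients on iOS and Android.
#    state = enabledForReportingButNotEnforced is Conditional Access report-only mode.
$breakGlassId = "33333333-3333-3333-3333-333333333333"   # placeholder: emergency access account
$newPolicy = @{
    displayName = "CA - Require app protection policy for iOS and Android (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("Office365") }   # the Office 365 app group
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantApplication")   # Require app protection policy
    }
}
$createdPolicy = Invoke-MgGraphRequest -Method POST -Uri $caUri `
    -Body ($newPolicy | ConvertTo-Json -Depth 10) -ContentType "application/json"
"Created $($createdPolicy.displayName) in state $($createdPolicy.state)"
```

Review the sign-in logs under the report-only policy before switching `state` to `enabled`; the audit output is the list of policies to retire once the new one is enforced, so that no user is left covered only by the approved-client-app grant.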
Exam decision pattern
If the scenario says protect corporate data in Outlook on personal phones without enrollment, choose app protection policy and MAM without enrollment. If it says preconfigure Outlook with account or server settings, choose app configuration. If it says only compliant devices can access SharePoint, choose device compliance with Conditional Access. If it says only apps with Intune app protection can access Exchange Online from iOS and Android, choose Conditional Access with the Require app protection policy grant.
Practice questions
Users access Outlook and Teams from personally owned iOS and Android devices. The organization does not want to enroll the devices but must block copy/paste of work data into personal apps. What should you deploy?
You need to preconfigure Outlook mobile with the organization account settings on devices that are not enrolled in Intune. Which app configuration enrollment type should you choose?
Which Conditional Access grant control best enforces that a supported mobile app has an Intune app protection policy before accessing Microsoft 365 resources?