Mobile Management | Supporting MAM

Next: Enrollment Guide for iOS Devices

Supporting iOS and Android with MAM (Mobile Application Management)

When a device isn’t fully enrolled in Intune, organisations can still protect company data using Mobile Application Management (MAM). MAM applies app protection policies to corporate apps, such as Outlook, Teams, and OneDrive, without requiring full device management.

This article explains what IT can expect when supporting users under MAM and the most common issues they’ll face.

What to Expect

For end users:

No full device enrollment required.
Sign-in to Microsoft apps with work account triggers app protection policies.
App PIN or biometric may be required to open apps.
Restrictions apply inside corporate apps, such as blocking copy/paste to personal apps or requiring data to stay in OneDrive.
Company data can be wiped from apps if access is removed, but personal data is unaffected.

For IT:

No visibility or control of the device itself.
Policy applies only to apps tied to the user’s work account.
Conditional Access can enforce MAM — requiring apps to be protected before data is accessible.
Troubleshooting is focused on app behaviour, not device compliance.

Common Issues and How to Handle Them

1. App Asking for PIN or Biometric Setup

Symptom: User prompted repeatedly to set or reset an app PIN, or enable biometrics.
Likely cause: App protection policy requires PIN/biometric; resets happen after too many failed attempts or policy change.
What IT should do:
- Confirm this is expected behaviour from applied policy.
- Ask user to reset the PIN inside the app when prompted.
- Reassure user that personal device PIN is not affected — only app access.

2. Blocked Copy/Paste or Save Options

Symptom: User can’t copy text from Outlook to Notes or save files to local storage.
Likely cause: App protection policy prevents data transfer to personal apps or locations.
What IT should do:
- Confirm restriction is expected (protects company data).
- Explain policy to the user and advise approved alternatives (e.g. save to OneDrive).

3. User Signed Out of Apps

Symptom: User reports being signed out of Outlook, Teams, or OneDrive unexpectedly.
Likely cause: Token expiry, Conditional Access refresh, or selective wipe issued.
What IT should do:
- Ask user to sign back in with work credentials.
- Check if Conditional Access or a selective wipe was applied.
- Confirm user still has an active license and account.

4. Selective Wipe Confusion

Symptom: User thinks their personal data was wiped when only corporate apps were reset.
Likely cause: Selective wipe removed company data from protected apps, leaving personal apps untouched.
What IT should do:
- Reassure user that only corporate data was removed.
- Confirm if wipe was triggered intentionally (e.g. device lost, user offboarded).

5. Access Blocked to Company Apps

Symptom: User can’t sign into Outlook or Teams; sees a message about needing a protected app.
Likely cause: Conditional Access requires MAM; user is trying to use an unprotected app or hasn’t installed the official Microsoft app.
What IT should do:
- Confirm user is using supported Microsoft apps (e.g. Outlook, Teams from App Store/Play Store).
- Check if App Protection Policy is applied to their account.
- Ask user to reinstall the app and sign in again.

Key Platform Differences

iOS / iPadOS

Policies apply to Microsoft apps installed from the App Store.
App behaviour changes once user signs in with work account.
Selective wipe only affects corporate account data in apps.

Android

Protected apps may appear in the Work profile if the device has one.
If no work profile, app protection applies directly within the standard app.
Selective wipe clears only corporate data, not personal.

IT Support Focus

Help users understand why apps behave differently under MAM.
Confirm app protection policy is applied to the user.
Check if Conditional Access is blocking access.
Reassure users about data separation: corporate vs personal.