Intune MAM Policies: The Key to Protecting Data on Unmanaged Devices

Mobile Application Management (MAM) policies, called App protection policies in Intune, are rules that control how corporate data can be accessed and used inside the applications on a user's device.

MAM policies help protect corporate data from unauthorized access, leakage or loss, especially on unmanaged devices, i.e. devices that are not enrolled in a mobile device management (MDM) solution.

Because this is what it's all about: protecting corporate data, even on unmanaged devices that are not enrolled in our favorite MDM, aka Intune.

In this blog post, we'll see why a MAM policy protects your corporate data, how to target that policy at unmanaged devices only, and how to enforce it through a Conditional Access policy.

Design the MAM policy in Intune

Since the goal is to secure applications, go to Apps > App protection policies. Create a policy, pick the platform, then pick the applications you want to protect.

Once you've selected the applications, the fun part begins: the design.

A few examples of the data protection (DLP) settings available:

  • Block screenshots inside the applications (an Android setting; iOS offers no equivalent control)
  • Control which other applications your protected applications can send data to and receive data from (cut/copy/paste, Open-in, Save-as)
  • Encrypt org data at rest
  • Restrict web content to a managed browser such as Microsoft Edge

Once the DLP settings are in place, define how your users access the applications:

  • A PIN inside the applications? With which complexity (numeric or alphanumeric, minimum length)? How often should it be reset?
  • Is biometric authentication accepted? May it replace the PIN once set?
  • Do you still require an app PIN when the device itself is already protected by a device PIN?

Again, these settings apply on managed and/or unmanaged devices. Think about the end-user experience on personal devices and look for a compromise between solid security and an acceptable end-user experience.

Nobody wants to enter an 8-character alphanumeric PIN every 10 minutes while using Outlook.

And finally, Conditional Launch: conditions checked when the app launches and whenever access requirements are rechecked, each paired with an action (block access, wipe data or warn), such as:

  • Maximum PIN attempts before the PIN is reset or access is blocked
  • How many days offline before org data is wiped
  • The minimum OS version allowed to access the data

And then the assignment part which leads us to…

Target Users but for Unmanaged Devices

MAM policies are assigned to users (groups), not to devices. Keep in mind the consideration Microsoft states in its documentation: by default, a policy assigned to a user applies to that user's enrolled and unenrolled devices alike.

So how do you tell the two kinds of device apart when you target users? Answer: filters.

Intune Filters is a feature I loved at first sight. Filters let you add device-property rules on top of a user assignment.

Which in our case means: assign the MAM policy to every user, but only on unmanaged devices. My filter simply matches unmanaged devices.

Back to your MAM policy: assign it to your users and apply the filter you created.

Having a very strong MAM policy for unmanaged devices and a lighter one for managed devices, which are already secured by your baselines, seems to be a good compromise in my opinion. Leverage filters and you'll be able to separate the two.
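As an added example (not code from the original post), here is the strict unmanaged-device profile described in the two sections above built end to end with the Microsoft Graph PowerShell SDK: an Android app protection policy carrying the DLP, access-requirement and conditional-launch settings discussed, a filter for managed apps that keeps only unmanaged devices, and the assignment of the policy to a group through that filter. Assumptions: the Microsoft.Graph module is installed and the signed-in account holds the listed permissions; `$GroupId` is a placeholder; all calls go to the beta endpoint (assignment filters are only exposed there); the filter platform value `androidMobileApplicationManagement` and the rule `(app.deviceManagementType -eq "Unmanaged")` are taken from the managed-apps filter properties and should be confirmed against the rule builder in the Intune portal for your tenant.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All"
$Graph   = "https://graph.microsoft.com/beta"            # filters are beta-only
$GroupId = "00000000-0000-0000-0000-000000000000"        # placeholder: object ID of the users group

# Small wrapper: serialize the hashtable body and POST it to Graph
function Invoke-Graph($Method, $Path, $Body) {
    $json = $Body | ConvertTo-Json -Depth 10
    Invoke-MgGraphRequest -Method $Method -Uri "$Graph/$Path" -Body $json -ContentType "application/json"
}

# 1. Strict Android app protection policy for BYOD, following the three design steps above
$policy = Invoke-Graph POST "deviceAppManagement/androidManagedAppProtections" @{
    "@odata.type" = "#microsoft.graph.androidManagedAppProtection"
    displayName   = "APP - Android - Unmanaged - Strict"
    # Data protection (DLP)
    screenCaptureBlocked                    = $true                    # Android-only setting
    allowedOutboundDataTransferDestinations = "managedApps"            # send data to policy-managed apps only
    allowedInboundDataTransferSources       = "managedApps"            # receive data from policy-managed apps only
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn" # copy to managed apps, paste from anywhere
    saveAsBlocked                           = $true
    printBlocked                            = $true
    dataBackupBlocked                       = $true
    encryptAppData                          = $true                    # org data encrypted at rest
    managedBrowserToOpenLinksRequired       = $true                    # web content opens in Edge
    managedBrowser                          = "microsoftEdge"
    # Access requirements
    pinRequired                   = $true
    pinCharacterSet               = "numeric"
    minimumPinLength              = 6
    simplePinBlocked              = $true
    periodBeforePinReset          = "P90D"   # ISO 8601 duration: reset the PIN every 90 days
    fingerprintBlocked            = $false   # biometrics may replace the PIN
    disableAppPinIfDevicePinIsSet = $false   # keep the app PIN even when the device has one
    periodOnlineBeforeAccessCheck = "PT30M"  # re-prompt after 30 minutes of inactivity, not 10
    # Conditional launch
    maximumPinRetries                 = 5        # then the PIN is reset
    periodOfflineBeforeAccessCheck    = "PT12H"  # offline grace before access is blocked
    periodOfflineBeforeWipeIsEnforced = "P30D"   # 30 days offline: wipe org data
    minimumRequiredOsVersion          = "12.0"
}

# Target Outlook for Android by its public package ID
Invoke-Graph POST "deviceAppManagement/androidManagedAppProtections/$($policy.id)/targetApps" @{
    apps = @(@{ mobileAppIdentifier = @{
        "@odata.type" = "#microsoft.graph.androidMobileAppIdentifier"
        packageId     = "com.microsoft.office.outlook" } })
}

# 2. Filter for managed apps that matches only unmanaged (unenrolled) devices.
#    Assumption: platform value and rule property; confirm both in the portal's rule builder.
$filter = Invoke-Graph POST "deviceManagement/assignmentFilters" @{
    displayName                    = "Managed apps - Unmanaged devices"
    platform                       = "androidMobileApplicationManagement"
    assignmentFilterManagementType = "apps"
    rule                           = '(app.deviceManagementType -eq "Unmanaged")'
}

# 3. Assign the policy to the users group, included only where the filter matches
Invoke-Graph POST "deviceAppManagement/androidManagedAppProtections/$($policy.id)/assign" @{
    assignments = @(@{
        "@odata.type" = "#microsoft.graph.targetedManagedAppPolicyAssignment"
        target = @{
            "@odata.type"                              = "#microsoft.graph.groupAssignmentTarget"
            groupId                                    = $GroupId
            deviceAndAppManagementAssignmentFilterId   = $filter.id
            deviceAndAppManagementAssignmentFilterType = "include"
        }
    })
}
```

The lighter policy for managed devices is the same call with relaxed values and the same filter attached as `exclude` instead of `include`, which is what keeps the two populations apart. Durations use ISO 8601 (`P30D`, `PT30M`), and a value of `PT0S` on `periodBeforePinReset` means the PIN is never reset.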

Use Conditional Access to enforce the MAM policy

Nice, you have protected your corporate applications.

But how can you be sure users actually use the protected applications and not an unprotected one? Answer: Conditional Access.

Leverage Conditional Access to redirect users to a protected Outlook, for example.

Target the cloud app you want to protect and select the client app types (mobile apps and desktop clients, browser) the policy should apply to.

Now it's time to enforce the use of a protected application.

Organizations have typically implemented both grant controls: Require approved client app and Require app protection policy.

Microsoft is retiring the Require approved client app control in 2026; from then on, a protected application will be the only possibility. For new Conditional Access policies, only Require app protection policy is, and will remain, necessary.

If the application is not protected, access is denied. Here is the experience when I try to access my corporate mail from the iOS native Mail client, which is not a protected application.
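The Conditional Access side, as an added example that is not from the original post: a policy created through Microsoft Graph that requires an app protection policy for Office 365 on iOS and Android, deployed in report-only mode first. Assumptions: the Microsoft.Graph PowerShell SDK is installed, the account holds `Policy.ReadWrite.ConditionalAccess`, and the two group IDs (a pilot group and the emergency-access accounts to exclude) are placeholders.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$PilotGroupId      = "11111111-1111-1111-1111-111111111111"  # placeholder: pilot users
$BreakGlassGroupId = "22222222-2222-2222-2222-222222222222"  # placeholder: emergency-access accounts, always excluded

$caPolicy = @{
    displayName = "CA - Mobile - Require app protection policy"
    state       = "enabledForReportingButNotEnforced"   # report-only first; switch to "enabled" after review
    conditions  = @{
        applications   = @{ includeApplications = @("Office365") }     # the Office 365 app group
        users          = @{ includeGroups = @($PilotGroupId); excludeGroups = @($BreakGlassGroupId) }
        platforms      = @{ includePlatforms = @("iOS", "android") }   # the control only exists on mobile
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")   # Edge mobile can satisfy it too
    }
    grantControls = @{
        operator        = "OR"
        # "compliantApplication" is the Graph name of "Require app protection policy".
        # "approvedApplication" ("Require approved client app") is deliberately not added: it is being retired.
        builtInControls = @("compliantApplication")
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($caPolicy | ConvertTo-Json -Depth 10) -ContentType "application/json"
$created.id
```

While the policy is in report-only mode, the Conditional Access tab of the sign-in logs shows which sign-ins would have been denied; the native Mail client from the screenshot above shows up there as failing the grant because it cannot carry an app protection policy. Once the results look right, change `state` to `enabled`.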

Conclusion

MAM policies and Conditional Access are a wonderful duo.

Consider leveraging both features to secure your corporate data on managed devices, but also on unmanaged ones.

Give it a try with your work account on your personal device: get a Microsoft 365 app, sign in with your work account, and see whether you can reach your work data.

Ask yourself: is this the kind of access I want for my company? If it isn't, MAM policies and Conditional Access are your allies to keep your work data secure.
