Intune app protection policies

How MAM-WE protects corporate data inside specific apps on personal devices — without managing the device itself.

Intune app protection policies (APP) — sometimes called Mobile Application Management without enrolment (MAM-WE) — protect corporate data inside specific apps on personal mobile devices without managing the device itself. They're the right answer for the bring-your-own-device problem: keep work data safe, leave personal data alone.

The model

When a user opens Outlook, Teams, or another Intune-aware app on their personal phone and signs in with their work account, Intune evaluates the app protection policy for that user and that app. The policy then enforces controls inside the app:

  • Encrypt all data stored by the app.
  • Require a PIN or biometric on app launch.
  • Block copy/paste out to non-protected apps.
  • Block screenshots (Android only; iOS gives apps no API to block screen capture, so APP cannot enforce this on iPhones).
  • Force "open in" to managed apps — files open only in Word or Excel, not in third-party apps.
  • Block saving to local device storage or non-corporate cloud storage.
  • Selective wipe: remove corporate data inside the app on demand (or automatically after the device has been offline too long), leaving personal data untouched.
  • Require app version minimums (block sign-in on outdated apps).
  • Conditional launch — block sign-in if the device has root/jailbreak, doesn't meet OS minimums, or is offline too long.
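
As an added example (not code from the original page or from Microsoft), the following PowerShell creates such a policy for iOS through Microsoft Graph with the Microsoft.Graph SDK's Invoke-MgGraphRequest, targets it at Outlook and Teams, assigns it to a group, and reads the key settings back. The group ID and the minimum app version are placeholders to replace with your own; the bundle IDs are the Intune-listed ones for Outlook and Teams on iOS but should be checked against your tenant's app list. Each setting is commented with the bullet above it implements.

```powershell
# Added example: build an iOS app protection policy via Microsoft Graph.
# Requires the Microsoft.Graph PowerShell SDK and an account with Intune admin rights.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your BYOD users group

$policy = @{
    "@odata.type"                           = "#microsoft.graph.iosManagedAppProtection"
    displayName                             = "BYOD iOS - APP baseline"
    description                             = "MAM-WE baseline for personal iPhones"
    # Encrypt data at rest and control where it can move
    appDataEncryptionType                   = "whenDeviceLocked"          # encrypt app data whenever the device is locked
    allowedOutboundDataTransferDestinations = "managedApps"               # "open in" only to policy-managed apps
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"    # copy out only to managed apps
    saveAsBlocked                           = $true                       # no Save As to local or personal storage
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")
    dataBackupBlocked                       = $true                       # keep org data out of iCloud backup
    printBlocked                            = $true
    # Access requirements on app launch
    pinRequired                             = $true
    pinCharacterSet                         = "numeric"
    minimumPinLength                        = 6
    simplePinBlocked                        = $true
    maximumPinRetries                       = 5                           # selective wipe after 5 bad PINs
    fingerprintBlocked                      = $false                      # Touch ID / Face ID allowed in place of PIN
    faceIdBlocked                           = $false
    periodOnlineBeforeAccessCheck           = "PT30M"                     # re-evaluate policy every 30 min while online
    periodOfflineBeforeAccessCheck          = "PT12H"                     # require a check-in after 12 h offline
    periodOfflineBeforeWipeIsEnforced       = "P90D"                      # selective wipe after 90 days offline
    # Conditional launch
    deviceComplianceRequired                = $true                       # block jailbroken devices
    minimumRequiredOsVersion                = "16.0"
    minimumRequiredAppVersion               = "4.2300.0"                  # placeholder: choose your own version floor
}

$uri     = "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections"
$created = Invoke-MgGraphRequest -Method POST -Uri $uri `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"
$policyId = $created.id

# Target the policy at specific apps by iOS bundle ID (Outlook and Teams).
$targetApps = @{
    apps = @(
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.Office.Outlook" } },
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.skype.teams" } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$uri/$policyId/targetApps" `
    -Body ($targetApps | ConvertTo-Json -Depth 6) -ContentType "application/json"

# Assign the policy to the BYOD users group.
$assign = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$uri/$policyId/assign" `
    -Body ($assign | ConvertTo-Json -Depth 6) -ContentType "application/json"

# Read the policy back and confirm the settings that matter most actually landed.
$check = Invoke-MgGraphRequest -Method GET -Uri "$uri/$policyId"
[pscustomobject]$check | Select-Object displayName, pinRequired, saveAsBlocked,
    allowedOutboundDataTransferDestinations, deviceComplianceRequired
```

The read-back at the end is worth keeping in any deployment script: a policy that was created but never assigned, or assigned but not targeted at any app, protects nothing, and neither mistake produces an error.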

Apps that support it

Microsoft's main first-party mobile apps support APP: Outlook, Teams, Word, Excel, PowerPoint, OneDrive, OneNote, Edge for iOS/Android, Power BI, Authenticator, To Do, Planner, Yammer (now Viva Engage). A long list of third-party apps also support it via the Intune App SDK (or the App Wrapping Tool): Adobe Acrobat, Box, Cisco Webex, ServiceNow, and many others.

If an app supports APP, Intune can enforce policy inside it. If it doesn't, Intune cannot protect data in that app at all; the only way to keep the work account from signing in there is a Conditional Access policy that requires an app protection policy (the grant control described in the next section), which an app without APP support cannot satisfy.

Conditional Access integration

In Entra ID Conditional Access, the grant control Require app protection policy lets you require that mobile access to Microsoft 365 happens only through apps that have an Intune APP applied (the older Require approved client app control is deprecated and should not be used for new policies). The combination is the gold standard for personal-device access:

  • Conditional Access: target iOS and Android, client app type Mobile apps and desktop clients, grant Require app protection policy.
  • Result: a user on their personal iPhone can only access Microsoft 365 through Outlook, Teams, etc., with PIN/biometrics/encryption/etc. enforced. Native iOS Mail cannot satisfy the grant, so it is refused a token and simply won't authenticate.

Two things a pilot will surface: the grant needs the broker app on the device (Microsoft Authenticator on iOS, Company Portal on Android) to prove the calling app is policy-managed, so roll the broker out before enforcing; and the grant is designed for the Mobile apps and desktop clients client-app type, so test browser access separately rather than assuming it is covered.

MAM vs MDM

The choice isn't binary; it's per-device-population:

  • Corporate-owned devices: MDM (full Intune enrolment) gives you broad device control.
  • Personal devices: MAM (APP only, no enrolment) keeps user trust while protecting data.

Many organisations run both: MDM for company-issued phones, APP for employees' personal phones. A single Conditional Access policy can enforce whichever path applies by granting access on either a compliant (enrolled) device or an app with an app protection policy, so corporate devices pass on compliance and personal devices pass on APP.
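
The following PowerShell is an added example (not from the original page or from Microsoft) of the Conditional Access policy the two sections above describe: Microsoft 365 on iOS and Android is granted only to a compliant device or to an app with an app protection policy, so the MDM population and the APP population are each admitted on their own evidence. It uses the Microsoft.Graph SDK's Invoke-MgGraphRequest against the v1.0 Conditional Access endpoint; the group IDs are placeholders. The policy is created in report-only mode, which is how it should be deployed first.

```powershell
# Added example: create a Conditional Access policy that admits corporate devices on
# compliance and personal devices on app protection. Requires the Microsoft.Graph SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$mobileUsersGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: users allowed mobile access
$breakGlassGroupId  = "11111111-1111-1111-1111-111111111111"   # placeholder: emergency-access accounts

$caPolicy = @{
    displayName = "Mobile: compliant device OR app protection policy for Microsoft 365"
    # Report-only first: sign-in logs show what WOULD be blocked without blocking anyone.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($mobileUsersGroupId)
            excludeGroups = @($breakGlassGroupId)          # never lock out break-glass accounts
        }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        # The app protection grant is designed for this client app type, not browser.
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"                         # either control satisfies the policy
        builtInControls = @(
            "compliantDevice",                         # MDM path: enrolled and compliant
            "compliantApplication"                     # MAM path: Require app protection policy
        )
    }
}

$uri     = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
$created = Invoke-MgGraphRequest -Method POST -Uri $uri `
    -Body ($caPolicy | ConvertTo-Json -Depth 6) -ContentType "application/json"

# Confirm the grant and state before anyone relies on it.
$check = Invoke-MgGraphRequest -Method GET -Uri "$uri/$($created.id)"
[pscustomobject]@{
    id              = $check.id
    state           = $check.state
    operator        = $check.grantControls.operator
    builtInControls = ($check.grantControls.builtInControls -join ",")
}
```

When the report-only results look right, PATCH the policy with state "enabled". Keep the break-glass exclusion: an OR of two device-bound controls still blocks any account that has neither an enrolled device nor a broker-backed managed app, which is exactly the situation an emergency-access account is in.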

Licensing

App protection policies require an Intune licence — included in Microsoft 365 E3, E5, F3, F1, Business Premium, and the Intune standalone SKU.

For organisations that don't fully manage every device but still want corporate data protected on phones, APP is one of the highest-value controls in Microsoft 365.