Home » Clients » Mobile Devices » Securing Mobile Access with Intune MAM Conditional Access Policies

Securing Mobile Access with Intune MAM Conditional Access Policies

Embracing a BYOD strategy is usually a good thing for your users and your company, but it also creates some concerns about the devices and applications that are being used to access corporate data.

To demonstrate the type of issues that arise I've connected an iPad to a user's Exchange Online mailbox by setting up an account using the native email app on iOS. The user is able to make an ActiveSync connection to their mailbox, download email messages, and save any attachments to his personal Dropbox account that is also set up on the device.

Dropbox itself is not necessarily a problem. The concern for the organization is that users will save corporate data to untrusted or insecure external services that are owned by the individual user. There's multiple strategies that can be implemented to mitigate this risk, one of which is Intune conditional access policies in combination with Intune mobile application management (MAM) policies.

To begin, lets set up conditional access in Intune for Exchange Online and SharePoint Online. In the Azure portal navigate to Intune mobile application management, and then go to the two conditional access settings. For each of Exchange Online and SharePoint Online, configure the Allowed apps to “Allow apps that support Intune app policies.”

After saving the change, go to Restricted user groups and add the groups that contain the users you want the conditional access policies to apply to. For this example I'm using the same Azure AD group that is used to assign the EMS licenses to users, rather than create a separate group. For your own deployment you might choose to target MAM conditional access policies at a separate group that represents approved BYOD users.

Make sure you repeat the same steps for SharePoint Online.

After creating the conditional access policies it will take a short time before they take effect for users. When the policies take effect the users who are targeted by the policies will no longer be able to connect to Exchange Online and SharePoint Online with apps that don't support Intune policies. That will prevent the native mail app on iOS or Android from connecting, as well as a wide range of third party mail apps. An email notification is sent to the user to let them know that they need to use Outlook. This email notification will appear on the mobile device, but no other new emails will arrive on the device.

The user in this example will need to install the Outlook app for iOS. They'll also need to install the Microsoft Authenticator app to act as an authentication broker for the managed Outlook app (Android devices need the Company Portal app instead). However, the user does not need to enrol their device in Intune, which is ideal for employee owned devices (BYOD).

When I was working through this demonstration I ran into what seems to be a bug with Outlook for iOS at the moment. When the user sets up Outlook to connect to the Exchange Online mailbox, they are prompted to authenticate via the Microsoft Authenticator app.

This is the normal process, but right now instead of a successful authentication the Outlook app returns an “Oops, something went wrong” message.

When I repeat the login process with another app on the device, the Microsoft Teams app, the authentication process takes me to the correct step to register the device. Registering a device for MAM conditional access is not the same as full enrolment in Intune, but is required for the MAM policies to be able to be enforced.

Registration takes just a few seconds, after which the user can access Exchange Online and SharePoint Online with managed apps (e.g. Outlook starts working after the device is registered successfully via Teams).

At this stage we've solved part of the original problem. Users are prevented from accessing Exchange Online or SharePoint Online using unmanaged apps such as the native mail app on iOS, and instead are required to use managed apps like Outlook, OneDrive, Teams and so on. However, the user can still access Dropbox from within the Outlook app.

The solution to that problem is to configure an App policy in Intune App Protection. App policies are quite comprehensive and flexible. Among other things, you can use an app policy to restrict the transfer of data in or out of policy managed apps, including copy and paste of data. For this example I've configured:

  • Policy managed apps to transfer data only to other policy managed apps. So the user can transfer data from Outlook to OneDrive or Excel, but not Outlook to Dropbox.
  • Policy managed apps can receive data from all apps. So the user can copy data from Dropbox to Outlook if they need to.
  • Cut, copy and paste can only be performed between policy managed apps, or from other apps to policy managed apps. But the user will not be able to copy and paste from a policy managed app like Outlook to an unmanaged app like Dropbox or Safari.
  • For good measure I have also required a PIN for access to the policy managed apps. The user has not enrolled the device in Intune for MDM, so a device-level PIN isn't enforced. The app policy will enforce the PIN at the app level instead.

After creating the policy we then need to go into the policy settings and configure an assignment to target the policy to a security group. Again I am using the same security group that is used to assign my Intune licenses.

The policy assignment doesn't take effect until the device or application checks in. You can see the status of the app policy for a user in the App protection user report that is available in the Intune App Protection area of the Azure portal. In the example below, the user's Word app has picked up the app policy, but the other apps haven't yet applied it.

Word will now enforce the configured policy by preventing the user from saving corporate data to unmanaged apps. For example, a Word document opened from OneDrive for Business can't be saved to Dropbox.

As you can see it is possible to use Intune mobile application management to prevent corporate data from leaking when it is accessed by users on personal devices. These features do require an Intune license for the user, but do not require the user to enrol their personal device for full MDM, which is often more appealing to them as they don't need to allow total control over the device by corporate IT.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Mobile Devices


  1. Gurkirat Singh says:

    Hi Paul
    Can you please let me know if it is possible to configure Mobile Device Management Service for O365 from PowerShell? From configuration, I mean enabling MDM, changing device related settings, etc.

  2. Csaba Papp says:

    Hi Paul,
    When I go to Azure Portal ->Intune->Conditional access, I am getting
    We’re not quite ready for you.. We’re updating accounts to be able to take advantage of the public preview as fast as possible over the coming weeks.

    Is it a general issue?
    Thank you.

  3. Ian Wright says:

    Hi Paul,

    Another great article.

    I’m fairly new to Intune but ive put a couple of policies in place for BYOD (MAM policies) and COPE (MAM/MDM policies).

    I cant seem to find a way of stopping a BYOD user from just using their native safari browser to login to 365 and copy/paste data between that and personal apps as well as downloading attachments etc.

    How have you addressed this issue in the past?

    • Kris Cears says:

      Hi Ian,

      There is a new feature in Preview right now for SharePoint called App Enforced Restrictions that will block some of the behavior you’re talking about, at least for SharePoint currently.

      You can create a conditional access policy for SharePoint Online in Azure AD that only applies to iOS and Android, and only web browsers. Target it at any users/groups you want it to apply to. Within that conditional access policy you then go to the Sessions section and check the box to enable app enforced restrictions.

      Once that’s done, go to your SharePoint admin portal and click the Device Access option in the bottom left. Check the box in the middle of the screen to enabled limited SharePoint access, and then choose if documents unsupported by Office Online are allowed to be downloaded, or just blocked from access via mobile browsers. Click OK to save the settings.

      Now, users who are accessing SharePoint via a browser on a mobile device will be in a “limited” mode where they can’t download, print, or sync files. They can still view and edit files in Office Online. They will see a warning about this in a yellow notification bar across the top of the screen.

      Since this feature is in preview, it will only show up in your SharePoint admin console if you have “First Release for Everyone” set for your O365 Organization. You can check this by going to the O365 Admin Center – Settings – Organization Profile and looking at “Release preferences”. Also, I believe you need to turn on Preview Features in SharePoint, which is in the SharePoint admin portal under Settings – Preview Features.

      My understanding is that Microsoft will be rolling out these app based restrictions to all of the O365 products, but they are starting with SharePoint first.

      That won’t stop them from copying/pasting data out of documents into non-managed apps, but it would stop them from downloading files to non-managed locations. To stop the copy/paste behavior, you could create a more restrictive conditional access policy that is based on iOS and Android, again target it at web browsers only, and then choose Block Access under the Grant section of Access Controls. That should keep them from accessing SharePoint online, Exchange Online, or any other cloud app you add to the conditional access policy, and force them to use the managed app.

      I hope that helps!

  4. Tim says:

    Thanks great post.

    One thing that keeps coming up with almost every company I go to is the use by the same user of both personal BYOD devices and Corporate CYOD devices.

    The byod device only needs to register and nor enroll
    the CYOD device needs to enroll

    This scenario does not seem possible yet most companie I go to the user has 3-4 devices at least.

Leave a Reply

Your email address will not be published. Required fields are marked *