
Intune App Protection Policies for Small Businesses in Berlin


Your employee opens Outlook on a personal iPhone, taps a client contract attachment and shares it into their personal Gmail app. Without App Protection Policies, nothing on that device stops the data leaving the work account. MAM closes this gap without requiring you to enroll or control the employee's personal device.

BYOD reality in Berlin SMBs: Most small businesses cannot mandate corporate device enrollment for personal phones. App Protection Policies are the practical alternative — protecting company data inside apps like Outlook, Teams, and OneDrive without touching the employee’s personal data or device management.

MDM vs. MAM — Understanding the Difference

Mobile Device Management (MDM) via Intune enrolls the entire device. The organisation can wipe the device, enforce device-level policies, and deploy applications. This is appropriate for company-owned devices. For personally owned devices, MDM raises legitimate employee concerns about privacy — and creates legal complexity in Germany, where works councils and GDPR privacy rights apply.

Mobile Application Management (MAM) — delivered through App Protection Policies — controls only the application layer. The Microsoft 365 apps are built with the Intune App SDK and enforce the policy themselves, which effectively places work data in a managed container: data can't flow outside the container (no copy-paste to personal apps, no save-to-personal-storage, no sharing to unmanaged apps), but the employee's photos, WhatsApp messages, and personal email remain completely untouched by corporate management. This is the correct architecture for BYOD scenarios.

What App Protection Policies Actually Control

| Control | What It Prevents | Business Scenario |
|---|---|---|
| Restrict cut/copy/paste to managed apps | Copying contract text into a personal notes app | Legal, HR, Finance |
| Block Save As to personal storage | Saving SharePoint files to personal iCloud or Google Drive | Any department |
| Block sending org data to unmanaged apps | Sharing a work attachment into the personal Gmail app via the share sheet | Sales, Client Services |
| Require app PIN or biometric | Anyone with an unlocked phone reading work mail | All users |
| Selective wipe on departure | Leavers retaining M365 data on a personal device | Offboarding |
| Require minimum OS version (conditional launch) | Devices on vulnerable OS versions accessing company data | Security baseline |

Supported Apps and Platforms

App Protection Policies apply natively to Microsoft 365 apps: Outlook, Teams, OneDrive, SharePoint (mobile), Word, Excel, PowerPoint, and Edge. On iOS and Android, these apps support the Intune SDK and honour policy controls without device enrollment. Third-party apps can also be integrated if they include the Intune SDK — many enterprise applications (Slack, Zoom, ServiceNow) now support this.

Key platform nuance: on iOS, App Protection Policies work without the Company Portal app (Microsoft Authenticator is only needed if you additionally enforce the policy through Conditional Access). On Android, the Company Portal app must be installed (but not used to enroll the device) because it acts as the broker for MAM. This is a common setup friction point — communicate it clearly to users during rollout.

Licensing Requirements

App Protection Policies require Microsoft Intune licensing. The following M365 licences include Intune: Microsoft 365 Business Premium, Microsoft 365 E3/E5, and the standalone Intune plan. Microsoft 365 Business Basic and Standard do not include Intune — this is the most common licensing gap we encounter with Berlin SMBs who assume their M365 licence covers MAM. Verify your licence assignment before deploying.

Configuring Your First App Protection Policy

Navigate to Intune admin center → Apps → App protection policies → Create policy. Select the platform (iOS/iPadOS or Android). Under Apps, select the Microsoft 365 apps you want to protect — at minimum: Outlook, OneDrive, Teams. Under Data protection, configure: Send org data to other apps: Policy managed apps; Save copies of org data: Block (allow OneDrive for Business and SharePoint as the only save targets); Restrict cut, copy, and paste between other apps: Policy managed apps. Under Access requirements, set PIN for access: Require, minimum PIN length 6, and Biometrics instead of PIN for access: Allow. Under Conditional launch, set a minimum OS version and the offline grace period after which data is wiped.

Assign the policy to your All Users group (or a pilot group first). Users receive the policy the next time they open a protected app while signed in with their work account: the app shows a one-time notice that the organisation is now protecting its data, may ask to be restarted, and then prompts for the app PIN. No device enrollment prompt, no Company Portal wizard — the policy applies per app, not per device.

The Selective Wipe Workflow

When an employee leaves, the selective wipe removes all corporate data — Outlook email and calendar, Teams messages, OneDrive files, SharePoint cached content — from their personal device without touching personal photos, messages, or apps. Trigger it from Intune admin center → Apps → App selective wipe → Create wipe request, then select the user and the device (the Devices → Retire action is for MDM-enrolled devices, not for MAM-only apps). The wipe executes the next time a protected app on that device launches and checks in with the service, so block sign-in and revoke the user's sessions in Microsoft Entra ID at the same time — a device that is switched off or has no network will keep its cached data until that check-in happens. Document this in your offboarding SOP and include it in employment contracts as an agreed BYOD condition.
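The same two procedures — building and assigning the iOS policy described above, and the leaver workflow — can be scripted against Microsoft Graph so the configuration is reviewable and repeatable. The Python below is an added example written for this post; it is not Microsoft's code or a script from the original page. It assumes the Graph beta endpoints named in the comments (confirm them against the current Graph reference, especially the wipe action), an access token in the GRAPH_TOKEN environment variable with the DeviceManagementApps.ReadWrite.All and User.ReadWrite.All scopes, and placeholder group and user IDs. The builder and check functions are pure, so the policy body can be inspected before anything is sent.

```python
"""Create, target and assign an iOS App Protection Policy via Microsoft Graph,
then run the BYOD offboarding steps (revoke sessions, selective wipe).
Added example for this post, not Microsoft's code. Assumptions: Graph beta
endpoints, GRAPH_TOKEN env var, placeholder IDs in main()."""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/beta"

# Public iOS bundle IDs of the minimum app set recommended in the post.
M365_IOS_APPS = {
    "Outlook": "com.microsoft.Office.Outlook",
    "OneDrive": "com.microsoft.skydrive",
    "Teams": "com.microsoft.skype.teams",
}


def build_ios_policy(display_name="BYOD - iOS App Protection", min_pin_length=6, min_os="16.0"):
    """iosManagedAppProtection body for the settings described in the post."""
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": display_name,
        # Data protection: org data only moves between policy-managed apps.
        "allowedOutboundDataTransferDestinations": "managedApps",          # Send org data to other apps
        "allowedInboundDataTransferSources": "managedApps",
        "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",  # cut/copy/paste
        "saveAsBlocked": True,                                            # Save copies of org data: Block
        "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
        "dataBackupBlocked": True,                                        # keep org data out of iCloud backup
        "organizationalCredentialsRequired": True,
        # Access requirements: app PIN, biometrics allowed instead of PIN.
        "pinRequired": True,
        "minimumPinLength": min_pin_length,
        "pinCharacterSet": "numeric",
        "simplePinBlocked": True,
        "fingerprintBlocked": False,
        "faceIdBlocked": False,
        # Conditional launch: minimum OS, and wipe after 90 days offline.
        "minimumRequiredOsVersion": min_os,
        "periodOfflineBeforeWipeIsEnforced": "P90D",
        "appDataEncryptionType": "whenDeviceLocked",
    }


def build_target_apps(bundle_ids):
    """Body for the targetApps action: the iOS apps the policy applies to."""
    return {"apps": [{"mobileAppIdentifier": {
        "@odata.type": "#microsoft.graph.iosMobileAppIdentifier", "bundleId": b}}
        for b in bundle_ids]}


def build_assignment(group_id):
    """Body for the assign action: a pilot group first, then All Users."""
    return {"assignments": [{"target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": group_id}}]}


def check_policy(policy):
    """Settings a reviewer should reject before assignment; empty list means OK."""
    problems = []
    if not policy.get("pinRequired") or policy.get("minimumPinLength", 0) < 6:
        problems.append("PIN must be required with at least 6 digits")
    if policy.get("allowedOutboundDataTransferDestinations") != "managedApps":
        problems.append("org data may be shared to unmanaged apps")
    if policy.get("allowedOutboundClipboardSharingLevel") == "allApps":
        problems.append("clipboard may be pasted into personal apps")
    if not policy.get("saveAsBlocked"):
        problems.append("Save As to personal storage is allowed")
    return problems


def graph(token, method, path, body=None):
    """Minimal Graph call on the standard library; returns parsed JSON, {} for empty replies."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def deploy(token, group_id):
    """Create the policy, target the M365 apps, assign to the group; returns the policy id."""
    policy = build_ios_policy()
    if check_policy(policy):
        raise ValueError(check_policy(policy))
    pid = graph(token, "POST", "/deviceAppManagement/iosManagedAppProtections", policy)["id"]
    base = f"/deviceAppManagement/iosManagedAppProtections/{pid}"
    graph(token, "POST", base + "/targetApps", build_target_apps(M365_IOS_APPS.values()))
    graph(token, "POST", base + "/assign", build_assignment(group_id))
    return pid


def offboard(token, user_id):
    """Leaver workflow: revoke tokens first, then queue a selective wipe per registered device."""
    graph(token, "POST", f"/users/{user_id}/revokeSignInSessions")
    regs = graph(token, "GET", f"/users/{user_id}/managedAppRegistrations").get("value", [])
    tags = sorted({r["deviceTag"] for r in regs if r.get("deviceTag")})
    for tag in tags:  # beta action; confirm name in the current Graph reference
        graph(token, "POST", f"/users/{user_id}/wipeManagedAppRegistrationsByDeviceTag",
              {"deviceTag": tag})
    return tags


if __name__ == "__main__":
    tok = os.environ.get("GRAPH_TOKEN")  # nothing is sent without a token
    if tok:
        print("policy id:", deploy(tok, "00000000-0000-0000-0000-000000000000"))  # placeholder group
```

The wipe request is queued, not executed: as in the portal workflow, each device only discards its data when a protected app next launches and checks in, which is why revokeSignInSessions runs first so the cached refresh tokens stop working immediately.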

IT Experts Berlin — BYOD Security Without Friction

We configure App Protection Policies tailored to your BYOD environment — iOS, Android, or both — including user communication templates and offboarding procedures. Book a consultation.
