Microsoft Intune App Protection Policies (MAM) for Small Businesses in Berlin
Modern device management has a boundary problem. Intune MDM manages company-owned devices comprehensively: device configuration, compliance policies, app deployment, remote wipe. But employees also use personal phones and tablets to read work email, edit SharePoint documents, and participate in Teams meetings — and those personal devices are not enrolled in MDM, do not have Intune management profiles, and cannot be managed at the device level. The corporate email, OneDrive files, and Teams messages on those personal devices have no protection if the device is lost, the employee leaves, or the app is used to leak data. Microsoft Intune App Protection Policies (APP), also called Mobile Application Management (MAM), solve this by managing the application rather than the device — protecting corporate data inside Microsoft apps on unmanaged personal devices without requiring MDM enrolment or touching the personal portions of the device.
This guide explains how APP works, what data protection controls it provides, how it integrates with Conditional Access, and how Berlin businesses can deploy it to protect corporate data on employee-owned devices.
MDM vs MAM: The Distinction That Matters
The key architectural distinction:
| Dimension | MDM (Device Management) | MAM (App Management) |
|---|---|---|
| What is managed | The entire device | Specific applications on the device |
| Enrolment required | Yes — device must be enrolled in Intune | No — works on unmanaged devices |
| Personal data visibility | IT can see device inventory, apps, location | IT has no visibility into personal data or apps |
| Remote wipe scope | Can wipe the entire device | Can only wipe corporate app data (selective wipe) |
| Typical device type | Company-owned Windows PCs, phones, tablets | Employee-owned (BYOD) phones and tablets |
| User acceptance | Higher friction — users may resist personal device enrolment | Lower friction — personal data remains entirely private |
MAM without MDM enrolment (MAM-WE) is the correct model for personal devices: it protects the corporate data inside Outlook, Teams, OneDrive, and Edge without managing or monitoring anything else on the employee’s personal phone. This distinction is also important for GDPR: an employer managing a personal device through MDM creates data processing obligations related to the personal data on that device; MAM-WE avoids this by scoping management exclusively to corporate app data.
What App Protection Policies Control
An App Protection Policy is a set of rules applied to data within a managed application. The rules operate at the data boundary between managed apps and unmanaged apps on the same device. Key settings:
Data transfer controls: prevent corporate data from being copied out of managed apps into personal apps. Settings include restricting cut/copy/paste between managed and unmanaged apps, blocking Save As to personal storage locations (only OneDrive for Business, SharePoint, or other managed destinations are allowed), and blocking printing to non-work printers.
Access requirements: require PIN or biometric to open a managed app, require re-authentication after inactivity, require a minimum OS version (block apps on iOS below 16.x or Android below 12).
Conditional launch: block access or wipe data when certain conditions are met: the device is jailbroken/rooted, the device has an active threat reported through the Defender for Endpoint integration, the maximum allowed offline access period has been exceeded, or the app PIN has failed too many times.
Selective wipe: when an employee leaves or a device is reported lost, the IT admin initiates a selective wipe from the Intune admin centre. This removes all corporate app data (emails, attachments, OneDrive files, Teams chat history stored in the app) from the managed apps on that device — without touching personal photos, messages, or apps. The employee’s personal data is unaffected.
Supported Applications
App Protection Policies work with Microsoft apps that have the Intune SDK integrated. The primary apps for Berlin small businesses:
- Outlook (iOS and Android): email, calendar, contacts — the most important MAM target, as corporate email on personal phones is the highest-risk data exposure vector
- Microsoft Teams (iOS and Android): chat, meetings, files — prevents screenshots, restricts data export to personal apps
- OneDrive (iOS and Android): corporate file access — prevents saving to personal storage
- Edge for Business (iOS and Android): managed browser for internal web applications — data rendered in Edge is not accessible to other browsers or apps on the device
- Office Mobile apps (Word, Excel, PowerPoint on iOS and Android): document editing with data protection applied
Third-party apps can also participate through the Intune App Wrapping Tool (for line-of-business apps) or by integrating the Intune SDK directly. This allows custom business applications to receive the same MAM policy as Microsoft apps.
Conditional Access Integration
App Protection Policies integrate with Conditional Access through the “Require approved client app” and “Require app protection policy” grant controls. This allows a CA policy that says: to access Exchange Online from an iOS or Android device, the device must either be enrolled in Intune MDM (company-owned path) or the app must have an active APP applied (BYOD path). This is the recommended model for mobile access:
- Company-owned enrolled devices: MDM compliance + app protection (belt-and-suspenders)
- Personal BYOD devices: MAM app protection policy required (no MDM enrolment needed)
- Unmanaged devices with no protection: blocked from accessing corporate data
Deployment Steps for Berlin Small Businesses
- Microsoft Intune admin centre (intune.microsoft.com) → Apps → App protection policies → Create policy → select iOS/iPadOS or Android
- Name the policy (e.g., “BYOD-iOS-Outlook-Teams”) → select the targeted apps (Outlook, Teams, OneDrive, Edge)
- Configure Data protection settings: set “Restrict web content transfer with other apps” to Edge, set “Send org data to other apps” to Policy managed apps only, enable “Save copies of org data” restriction to OneDrive for Business only
- Configure Access requirements: require PIN for access, set PIN reset after 5 failed attempts, enable biometric override for PIN
- Configure Conditional launch: block access if device is jailbroken/rooted, set “Max allowed device threat level” to Low (requires Defender for Endpoint integration for mobile), set offline grace period to 720 hours
- Assign the policy to a user group (All Users, or a pilot group first) and set assignment to “Include”
- Create the Conditional Access policy: Entra admin centre → CA → New policy → assign to All Users → Target: Exchange Online and SharePoint Online → Conditions: device platforms = iOS, Android → Grant: Require app protection policy
- Communicate the change to employees: they will be prompted to sign in to Outlook and Teams with their work account; the app will enforce PIN after first sign-in with the policy applied
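As an added example that is not part of this guide or of Microsoft's own tooling: the settings from the steps above expressed as Microsoft Graph request bodies (the iosManagedAppProtection resource and a Conditional Access policy), with the CA grant implementing the either/or model from the Conditional Access section (compliant MDM device OR app protection policy) and created in report-only mode so the pilot group's sign-ins can be reviewed before enforcement. Property names follow the Graph beta schema, the application IDs and iOS bundle IDs are the published ones, and the bearer token is assumed to be obtained separately.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/beta"
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"   # well-known first-party app IDs
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"
IOS_BUNDLES = ("com.microsoft.Office.Outlook", "com.microsoft.skype.teams",   # Outlook, Teams,
               "com.microsoft.skydrive", "com.microsoft.msedge")              # OneDrive, Edge

def ios_app_protection_body(name, bundle_ids=IOS_BUNDLES, pin_retries=5, offline_grace="PT720H"):
    """iosManagedAppProtection body; offline_grace is an ISO 8601 duration (the guide uses 720 hours)."""
    if pin_retries < 1 or not bundle_ids: raise ValueError("need a PIN retry limit and at least one app")
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": name,
        # Data protection: org data only to policy-managed apps, web links open in Edge, Save As to OneDrive only
        "allowedOutboundDataTransferDestinations": "managedApps",
        "managedBrowserToOpenLinksRequired": True,
        "managedBrowser": "microsoftEdge",
        "saveAsBlocked": True,
        "allowedDataStorageLocations": ["oneDriveForBusiness"],
        # Access requirements: PIN with biometric override, PIN reset after pin_retries failed attempts
        "pinRequired": True,
        "maximumPinRetries": pin_retries,
        "fingerprintBlocked": False, "faceIdBlocked": False,
        # Conditional launch: block jailbroken/rooted devices, Defender threat level Low, offline grace period
        "deviceComplianceRequired": True,
        "maximumAllowedDeviceThreatLevel": "low",
        "periodOfflineBeforeAccessCheck": offline_grace,
        "apps": [{"mobileAppIdentifier": {"@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                                          "bundleId": b}} for b in bundle_ids],
    }

def mobile_access_ca_body(name, report_only=True):
    """CA policy: mobile access to Exchange/SharePoint needs a compliant MDM device OR an APP-protected app."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",  # review pilot sign-ins first
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": [EXCHANGE_ONLINE, SHAREPOINT_ONLINE]},
                       "platforms": {"includePlatforms": ["iOS", "android"]},
                       "clientAppTypes": ["mobileAppsAndDesktopClients"]},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "compliantApplication"]},
    }

def graph_post(path, body, token):
    """POST to Graph; the token needs DeviceManagementApps.ReadWrite.All and Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(GRAPH + path, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    return json.load(urllib.request.urlopen(req))
```

Submit with graph_post("/deviceAppManagement/iosManagedAppProtections", ios_app_protection_body("BYOD-iOS-Outlook-Teams"), token) and graph_post("/identity/conditionalAccess/policies", mobile_access_ca_body("BYOD-Require-APP"), token), then assign the APP to the pilot group as in the assignment step above.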
App Protection Policies complement Intune device compliance policies (which cover enrolled company-owned devices) to create a complete mobile data protection posture: enrolled devices are managed at the device level, personal devices are managed at the application level, and unmanaged devices without any policy are blocked from accessing corporate data through Conditional Access enforcement.
