Office 365 MAM Policy
Office 365 Mobile Application Management (MAM) policies allow organization's to secure the corporate data within any Office 365 application. MDM allows organization to enforce policies that manage how the data is accessed and transfered between apps. It also allows you to block access or wipe data when the apps don't comply with the organization's security standards.
Office 365 MAM policies are applied when the user downloads the apps on any Apple or Android devices and logs in using their corporate Azure AD credentials. This means that the MAM policies can be applied to add a layer of security in BYOD deployments.
- The organization must have an Azure AD account.
- The organization must purchase Microsoft Intune licenses for all the users to whom the MAM policies need to be applied to, as enforced by Microsoft. For more details, refer this.
Follow the steps given below to apply the MAM policies on Office 365 apps
- On the console, navigate to Device Mgmt -> Office 365 MAM policy under Conditional Access.
- Click on Start and integrate your corporate Azure AD account.
- Upon successful integration, click on Create Policy and select whether the policy is for Android or Apple devices.
- Provide a name to the policy and click on Next.
- Select the apps to which you would like to apply the MAM policies and click on Next.
- Configure data transfer, access requirements and conditional launch policies. Refer the table below for more details on the policies.
- Click on Create to create the policy and associate it to the required Azure AD groups by clicking on Associate Groups.
|Backup org data to Android backup services
|Specify whether the app can backup the corporate data to Android backup services.
|Backup org data to iTunes and iCloud backups
|Specify whether the app can backup the corporate data to iTunes and iCloud
|Send org data to other apps
|Specify whether the apps can transfer data to other apps. Restrict this option to ensure corporate data is not accessed by unauthorised apps.
|Receive data from other apps
|Specify whether the apps can receive data from other apps. Restrict this option to ensure no malicious content is accessed by these apps
|Cut, copy, paste
|Select whether the user can cut, copy or paste corporate content to or from these apps.
You can choose between the following settings:
Allow: Cut, copy, paste will be allowed between all apps
Restrict: Cut, copy, paste will be restricted between all apps
Allow between policy applied apps: Allow cut, copy, paste only between the apps to which policies have been applied to.
Allow paste-in from policy applied apps: Allow content to be pasted in the app from other apps to which policies are applied to.
|Screen capture and Google Assistant
|Specify whether screen capture and Google Assistant are permitted while using the app.
|Encrypt org data
|Specify whether the coporate data in the app should be encrypted.
|Snyc app with native contact app
|Specify whether the app can sync the data with the native Contacts app installed on devices. This is to ensure the Phone app can access corporate contacts available in these apps.
|Print org data
|Specify whether the app can print the corporate data.
|PIN for access
|Specify whether a PIN is required to access the apps
|Select the PIN type that the user must set on the device. You can select between a numeric PIN or an alphanumeric passcode
|Specify whether the users can set a simple PIN for accessing the apps.
|Minimum PIN length
|Specify the minimum PIN length to be configured by the user.
|Fingerprint instead of PIN
|Specify whether the user can access the apps using Fingerprint instead of the configured PIN.
|TouchID instead of PIN
|Specify whether the user can access the apps using TouchID instead of the configured PIN.
|FaceID instead of PIN
|Specify whether the user can access the apps using FaceID instead of the configured PIN.
|Reset PIN after
|Specify the number of days after which the user will be prompted to set a new PIN for accessing the apps.
|App PIN when device PIN is set
|Specify whether an app PIN is required to secure corporate data if the device already has a PIN. If Require is selected, then the user will have to configure both device PIN and app PIN.
|Work or school account
|Specify whether a work or school account needs to be specified for accessing corporate data. If Require is selected, the user must enter both App PIN and the work or school account.
|Recheck access requirements upon inactivity
|Specify the inactivity time after which the app must check the access requirements and conditional launch settings to grant access to the app.
|Maximum PIN attempts
|Specify the number of incorrect PIN attempts after which the corporate data must be wiped from the apps.
|Offline grace period
|Specify the duration of offline access, after which the corporate data should be wiped or access to the app be blocked.
|Minimum app version
|Specify the minimum app version that must be installed on the device to access corporate data. You can configure two app versions with different actions to be performed. You can choose between notifying the user or blocking access to the app till the app is updated.
|Minimum SDK version
|Specify the minimum Intune app protection SDK version to access the corporate data. You can configure two SDK versions with different actions to be performed. You can choose between notifying the user or blocking access till the SDK version is updated.
|Minimum OS version
|Specify the minimum OS version for accessing corporate data. You can configure two OS versions with different actions to be performed. You can choose between notifying the user or blocking access till the OS version is updated.
|Minimum patch version
|Specify the minimum patch version for accessing corporate data. You can configure two patch versions with different actions to be performed. You can choose between notifying the user or blocking access till the patch version is updated