Use Mobile App Management policies in Configuration Manager

Beginning with System Center 2012 Configuration Manager SP2, app management policies let you modify the functionality of apps that you deploy to help bring them into line with your company compliance and security policies. For example, you can restrict cut, copy and paste operations within a restricted app, or configure an app to open all web links inside a managed browser. App management policies support:

  • Devices that run Android 4 and later.
  • Devices that run iOS 7 and later.
Tip

In addition to managed devices, mobile app management (MAM) policies can be used to protect apps on devices that are not managed by Intune. Using this new capability, you can apply mobile app management policies for apps connecting to Office 365 services. This is not supported for apps connecting to on-premises Exchange or SharePoint. To use this new capability, you must use the Azure portal. The following topics can help you get started:

Unlike configuration items and baselines in Configuration Manager, you do not deploy an application management policy directly. Instead, you associate the policy with the app deployment type (DT) that you want to restrict. When the app DT is deployed and installed on devices, the settings you specify will take effect.

To apply restrictions to an app, the app must incorporate the Microsoft Intune App Software Development Kit (SDK). There are two methods of obtaining this type of app:

Create and deploy an app in Configuration Manager with a mobile app management policy

  • Step 1: Get the link to a policy managed app, or create a wrapped app.
  • Step 2: Create a Configuration Manager application that contains an app.
  • Step 3: Create a mobile app management policy.
  • Step 4: Associate the app management policy with a deployment type.
  • Step 5: Monitor the app deployment.

Step 2: Create a Configuration Manager application that contains an app.

The procedure to create the Configuration Manager application differs depending on whether you are using a policy managed app (external link), or an app that was created by using the Microsoft Intune App Wrapping Tool for iOS (App package for iOS).

See How to Control Apps Using Mobile Application Management Policies in Configuration Manager for the complete steps required to create a Configuration Manager application that contains an app.

After you have created the application, it is displayed in the Applications node of the Software Library workspace.

Step 3: Create a mobile application management policy.

Next, you will create an application management policy that you will associate with the application. You can create a general or managed browser policy.

After you have created the new policy, it is displayed in the Application Management Policies node of the Software Library workspace.

Step 4: Associate the app management policy with a deployment type.

When a deployment type is created for an app that requires an application management policy, Configuration Manager will recognize that an app management policy must be linked to this deployment type when the associated app gets deployed and prompt you to associate an app management policy. For the Managed Browser, you will be required to associate both a General and Managed Browser policy. For more information, see How to Create and Deploy Applications for Mobile Devices in Configuration Manager.

Tip

For devices that run operating systems earlier than iOS 7.1, associated policies will not be removed when the app is uninstalled.

If the device is unenrolled from Configuration Manager, polices are not removed from the apps. Apps that had policies applied will retain the policy settings even after the app is uninstalled and reinstalled.

Step 5: Monitor the app deployment.

Once you have created and deployed an app associated with a MAM policy, you can monitor the app and resolve any policy conflicts.

For general information about monitoring applications, see How to Monitor Applications in Configuration Manager.

Where to go from here

After you have created and deployed an app associated with a MAM policy, you can learn more about the end-user experience of MAM. This will help prepare you for any issues that might arise.