App configuration policies for Intune App SDK managed apps

The Intune App Software Development Kit (SDK) supports app configuration delivery through the mobile app management (MAM) channel. Within the Intune admin center, the MAM channel is referred to as a Managed Apps app configuration policy. The MAM channel is different than the mobile device management (MDM) OS platform channels that are offered when a device is enrolled.

To support app configuration through the MAM channel, the app must be integrated with Intune App SDK. Line-of-business apps can either integrate the Intune App SDK or use the Intune App Wrapping Tool. For a comparison between the Intune App SDK and the Intune App Wrapping Tool, see Prepare line-of-business apps for app protection policies.

By using the MAM channel, apps can receive app configuration policies regardless of the device enrollment state. For information on which apps support app configuration through the MAM channel, see Microsoft Intune protected apps. Documentation from the app vendor should be reviewed to see what configurations are available and how the configurations influence the behavior of the app.

For more information, see App configuration policies for Microsoft Intune.

Note

Intune requires Android 8.x or higher for device enrollment scenarios and app configuration delivered through Managed devices app configuration policies. This requirement does not apply to Microsoft Teams Android devices as these devices will continue to be supported.

For Intune app protection policies and app configuration delivered through Managed apps app configuration policies, Intune requires Android 9.0 or higher.

Add an app configuration policy for managed apps on iOS/iPadOS and Android devices

Use the following steps to create a Managed apps app configuration policy. After the configuration is created, you can assign its settings to groups of users.

  1. Sign in to the Microsoft Intune admin center.

  2. Choose the Apps > App configuration policies > Add > Managed apps.

  3. On the Basics page, set the following details:

    • Name: The name of the profile that will appear in the portal.
    • Description: The description of the profile that will appear in the portal.
    • Device enrollment type: Managed apps is selected.
  4. Choose either Select public apps or Select custom apps to choose the app that you are going to configure. Select the app from the list of apps that you've approved and synchronized with Intune.

  5. Click Next to display the Settings page.

  6. The Settings page provides options that are displayed based on the app that you're configuring:

    • General configuration settings - For each general configuration setting that the app supports, type the Name and Value.

      Intune App SDK-enabled apps support configurations in key/value pairs. To learn more about which key-value configurations are supported, consult the documentation for each app. Note that you can use tokens that will be dynamically populated with data generated by the application. To delete a general configuration setting, choose the ellipsis () and select Delete. For more information, see Configuration values for using tokens.

    Note

    Use the LocalDocsMLExempt configuration key to suppress managed apps from opening documents contained in local storage and personal cloud storage. Personal cloud storage includes personal OneDrive and iCloud. For related app configuration information, see App configuration policies for Microsoft Intune.

    For information about app configuration settings for specific Microsoft apps, see:

  7. Click Next to display the Assignments page.

  8. Click Select groups to include.

  9. Select a group in the Select groups to include pane and click Select.

  10. Click Select groups to exclude to display the related pane.

  11. Choose the groups you want to exclude and then click Select.

    Note

    When adding a group, if any other group has already been included for a given assignment type, it is pre-selected and unchangeable for other include assignment types. Therefore, that group that has been used, cannot be used as an excluded group.

  12. Click Next to display the Review + create page.

  13. Click Create to add the app configuration policy to Intune.

Add an app configuration policy for managed apps on Windows devices

Use the following steps to create a Managed apps app configuration policy. After the configuration is created, you can assign its settings to groups of users.

  1. Sign in to the Microsoft Intune admin center.

  2. Choose the Apps > App configuration policies > Add > Managed apps.

  3. On the Basics page, set the following details:

    • Name: The name of the profile that will appear in the portal.
    • Description: (Optional) The description of the profile that will appear in the portal.
    • Device enrollment type: Managed apps is selected.
  4. Choose either Select public apps or Select custom apps to choose the app that you are going to configure. Select the app from the list of apps that you've approved, added, and synchronized with Intune.

    Note

    At this time, the only supported app is Microsoft Edge for Windows. No other public or custom apps are currently supported.

  5. Click Next to display the Settings catalog page. The Settings catalog allows you to choose which settings you want to configure.

  6. Click Add settings to display the Settings picker pane.

  7. Search, filter, or browse the setting catalog to find the category settings to select. Click Search to find a specific settings or setting subcategory.

  8. Select all configuration settings that your organization requires.

  9. Once you have selected the settings to configure, the Settings catalog page will display the selected settings that you can configure.

  10. Configure each setting by adding required details. Click the information icon to find additional information for each setting.

  11. Click Next to display the Settings page.

  12. The Settings page provides options that are displayed based on the app that you're configuring:

    • General configuration settings - For each general configuration setting that the app supports, type the Name and Value.

      Intune App SDK-enabled apps support configurations in key/value pairs. To learn more about which key-value configurations are supported, consult the documentation for each app. Note that you can use tokens that will be dynamically populated with data generated by the application. To delete a general configuration setting, choose the ellipsis () and select Delete. For more information, see Configuration values for using tokens.

  13. Click Next to display the Assignments page.

  14. Click Select groups to include.

  15. Select a group in the Select groups to include pane and click Select.

  16. Click Select groups to exclude to display the related pane.

  17. Choose the groups you want to exclude and then click Select.

    Note

    When adding a group, if any other group has already been included for a given assignment type, it is pre-selected and unchangeable for other include assignment types. Therefore, that group that has been used, cannot be used as an excluded group.

  18. Click Next to display the Review + create page.

  19. Click Create to add the app configuration policy to Intune.

Configuration values for using tokens

Intune can generate certain tokens and send them to the managed application. For example, if your app configuration can use an email setting, you can add a dynamic email by using a token. Type the name expected by the app in the Name field, and then type {{mail}} in the Value field.

Intune supports the following token types in the configuration settings. Other custom key/value pairs aren't supported.

  • {{userprincipalname}}—for example, John@contoso.com
  • {{mail}}—for example, John@contoso.com
  • {{partialupn}}—for example, John
  • {{accountid}}—for example, fc0dc142-71d8-4b12-bbea-bae2a8514c81
  • {{userid}}—for example, 3ec2c00f-b125-4519-acf0-302ac3761822
  • {{username}}—for example, John Doe
  • {{PrimarySMTPAddress}}—for example, testuser@ad.domain.com

Note

The {{ and }} characters are used by token types only and must not be used for other purposes.

Next steps

Continue to assign and monitor the app as usual.