When using Microsoft Intune integrated with the newly released service packs for System Center 2012 and R2 Configuration Manager, hybrid customers can now leverage the Mobile Application Management (MAM) capabilities of Intune and deploy application management policies to MAM managed apps. These policies allow you to ensure company compliance and security policies are met. For example, you can restrict actions such as cut, copy and paste within a MAM managed app, or configure a MAM managed app to open all web links inside the Intune Managed Browser app (as this app is a MAM managed app).
App management policies support:
- Devices that run Android 4 and later.
- Devices that run iOS 7 and later.
When using System Center Configuration Manager (ConfigMgr) integrated with Intune, you can associate the app management policy with the ConfigMgr application’s deployment type (DT) that you want to restrict. When the application is deployed and the application’s DT is installed on devices, the settings you specify will take effect.
To apply policy to an app, the app must incorporate the Microsoft Intune App Software Development Kit (SDK). There are two methods of obtaining this type of app:
- Use a policy managed app (Android and iOS): Apps that have the Intune App SDK built-in. To add this type of app, you specify a link to the app from an app store such as iTunes or Google Play. No further processing is required for this type of app. See the list of Available policy managed apps on TechNet.
- Use a ‘wrapped’ app (iOS only): Apps that are repackaged using the Microsoft Intune App Wrapping Tool for iOS. This tool is typically used to process existing line-of-business apps. It cannot be used to process apps that were downloaded from a mobile device’s public store. See the TechNet article on Preparing apps for mobile application management with the Microsoft Intune App Wrapping Tool for iOS. The Intune App Wrapping Tool for Android is coming soon.
Step 1: Create an app management policy
To define an app management policy, navigate to Software Library -> Overview -> Application Management -> Application Management Policies. Click Create Application Management Policy from the ribbon.
In the Create Application Management Policy Wizard enter a name and description for the policy in the General page.
In the Policy Type page, choose the platform and policy type for this policy. There are currently two policy types available:
- The General policy type lets you modify the behavior of apps that you deploy to ensure company compliance and security requirements are met. For example, you can restrict actions such as cut, copy and paste within a corporate managed app.
- The Managed Browser policy type lets you modify the functionality of the Intune Managed Browser app. This app allows you to manage web browsing experience for users. This includes the sites they can visit and how links to content within the browser are opened. For more information on the Intune Managed Browser app, see here for iOS and here for Android.
Next you can configure the individual settings that are applicable to the platform and policy type selected. For more information on these settings, see here for the General policy type and here for the Managed Browser policy type.
After the wizard is complete, click Close to save the policy. You do not deploy the policy directly. Instead, you associate the policy with the ConfigMgr application’s deployment type (DT). The next section will walk you through how to do this.
Step 2: Associate the app management policy with a deployment type
When a ConfigMgr application is deployed, ConfigMgr will recognize that an application management policy must be linked to this deployment type (DT) based on that DT’s type.
If the application is not yet deployed, then this association can be made in the Deploy Software Wizard, on the Application Management page. ConfigMgr will recognize all deployment types that are associated with the application being deployed, and prompt you to associate an app management policy at this time. (In the case of the Managed Browser, you will be required to associate both a General and Managed Browser policy.)
If the software is already deployed, then the deployment of that application’s DT will fail until this association is made. For existing applications, the association can be made in the Properties page of the application deployment, under the Application Management tab.
Step 3: Monitor app management policies
Under Monitoring -> Overview -> Deployments, you can view the status of the app management policies for a particular deployment by selecting App Management in the details pane of that deployment, under Related Objects.
Monitoring a particular deployment with an app management policy is the same as monitoring any other deployment under Monitoring -> Overview -> Deployments. Remember that application deployments will fail if an app management policy has not been associated with Deployment Type that requires it (see step 2 to remedy this).
- Find technical resources for ConfigMgr in the TechNet library
- Find technical resources for Intune in the TechNet library
- Evaluate System Center 2012 R2 Configuration Manager SP1
- Sign up for a free trial of Microsoft Intune
I hope that you’ve found this blog post useful. Please bookmark this blog and Intune blog as we plan to post new content regularly!
– Joey Glocke, Program Manager
This posting is provided “AS IS” with no warranties and confers no rights.