How to create exceptions to the Intune Mobile Application Management (MAM) data transfer policy for iOS and Android

As an Intune administrator, you create Intune MAM (mobile application management) policies to protect company data at the application level. This is independent of any mobile-device management (MDM) solution. For more information about app protection policies, refer to https://docs.microsoft.com/en-us/intune/app-protection-policies.

Like many others, we created a MAM policy, applied it to all Microsoft and non-Microsoft (Intune SDK-wrapped) applications, and restricted data transfer to managed applications only. We have users who need to transfer data to, or open links from managed applications in, unmanaged applications, especially Webex and RSA Token. Since the Webex application is not a managed application (it is not wrapped with the Intune SDK), users cannot open Webex links in the Webex application. In such scenarios we have to look at exceptions (iOS/Android).

Microsoft recently introduced an exceptions feature for MAM policies on iOS and Android. An exception allows you to specifically choose which unmanaged apps can transfer data to and from managed apps. The unmanaged apps that you include in the exception list must be trusted by IT.

This feature applies when you create an Intune app protection policy with data transfer set to "Managed apps only", as shown below. If you have chosen "All apps" instead, you do not need to create an exception policy, because links can already be opened with unmanaged apps or any other app.

[Screenshot: app protection policy with data transfer set to Managed apps only]

In this blog post we will see how to create exceptions for some of the applications that IT requires on a day-to-day basis, such as Webex, GlobalMeet and RSA Token.

You are responsible for making changes to the data transfer exception policy. Additions to this policy allow unmanaged apps (apps that are not managed by Intune) to access data protected by managed apps. This access to protected data may result in data security leaks. Only add data transfer exceptions for apps that your organization must use, but that do not support Intune APP (Application Protection Policies). Additionally, only add exceptions for apps that you do not consider to be data leak risks.

Before we configure these exceptions, we need to find some information about the applications that we are exempting from the MAM policy.

iOS data transfer exceptions:

For iOS, we can configure data transfer exceptions by URL protocol. To add an exception, check the documentation provided by the developer of the app for information about the URL protocols it supports.

It is a little tricky to find the right URL protocol for every iOS application; for Webex, however, Microsoft has documented it on TechNet. The Webex URL protocol is wbx. For other applications, you can contact the vendor to find the protocol.
By adding the Webex URL protocol as an exception to the MAM data transfer policy, Webex links inside a managed Outlook email message are first opened in the Intune Managed Browser, and the browser then lets these exempted links open directly in the Webex application.

Android data transfer exceptions:

For Android, we can configure data transfer exceptions by app package name. It is easy to identify the package name of an Android application using the Google Play Store: the package ID is contained in the URL of the app's page.

If you want to find the package ID for Webex or RSA Token, go to the Google Play Store, search for Webex and copy the part of the URL after id= to get the package name.

[Screenshot: Google Play Store page for Webex, with the package ID in the URL]

In this case it is com.cisco.webex.meetings for Webex, and com.rsa.securidapp for RSA Token.

Once we have the necessary information, we go to the Intune MAM policy that was already configured with "Allow app to transfer data to other apps" set to "Policy managed apps" and make these changes.

If you have not set "Allow app to transfer data to other apps" to "Policy managed apps", you will not see the "Select apps to exempt" option.

Also make sure that the targeted apps of the MAM policy include "Managed Browser"; the redirection described below depends on it.

If you have already created the Intune MAM policy, click on the policy, go to policy settings, look for "Select apps to exempt" and click "Select".

iOS:

[Screenshot: iOS policy, Select apps to exempt]

Add a custom entry with the value: wbx;

[Screenshot: custom exemption entry with value wbx;]

Click OK to save the changes.

For Android:

For Android, click "Select" in the MAM policy and add the package names that we captured from the Google Play Store into the fields.

[Screenshot: Android policy, Select apps to exempt, with package names entered]
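The two lookups above (URL scheme for iOS, Play Store package ID for Android) and the precondition that the policy already restricts data transfer to managed apps can be scripted. The following is an added example, not code from the original post or from Microsoft: it extracts the package name from a Play Store URL, validates the values, and builds the request body you would PATCH onto the policy through Microsoft Graph. The Graph type and property names (iosManagedAppProtection, androidManagedAppProtection, exemptedAppProtocols, exemptedAppPackages, allowedOutboundDataTransferDestinations) are assumed from the Graph managedAppProtection resource types; verify them against the current API reference before use.

```python
import re
from urllib.parse import parse_qs, urlparse

# Android package names: dotted segments, each starting with a letter.
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")
# iOS URL scheme per RFC 3986: a letter followed by letters, digits, "+", "-" or ".".
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*$")

# Graph @odata.type values assumed for the two policy kinds (see lead-in).
IOS_TYPE = "#microsoft.graph.iosManagedAppProtection"
ANDROID_TYPE = "#microsoft.graph.androidManagedAppProtection"


def package_from_play_url(url: str) -> str:
    """Return the Android package name, i.e. the value after id= in a Play Store app URL."""
    parsed = urlparse(url)
    if parsed.hostname != "play.google.com":
        raise ValueError(f"not a Google Play URL: {url}")
    ids = parse_qs(parsed.query).get("id", [])
    if len(ids) != 1 or not PACKAGE_RE.match(ids[0]):
        raise ValueError(f"no single valid package id in URL: {url}")
    return ids[0]


def build_exemption_patch(policy: dict, exemptions: dict) -> dict:
    """Build the PATCH body that adds data-transfer exemptions to an existing MAM policy.

    policy: the policy object as read from Graph (assumed to carry @odata.type and
            allowedOutboundDataTransferDestinations).
    exemptions: display name -> URL scheme (iOS policy) or package name (Android policy).
    """
    # "Select apps to exempt" only exists when transfer is limited to policy-managed
    # apps; with "allApps" an exception list is meaningless, so refuse to build one.
    if policy.get("allowedOutboundDataTransferDestinations") != "managedApps":
        raise ValueError("policy must restrict data transfer to managed apps first")
    odata_type = policy.get("@odata.type")
    if odata_type == IOS_TYPE:
        prop, pattern, kind = "exemptedAppProtocols", SCHEME_RE, "URL scheme"
    elif odata_type == ANDROID_TYPE:
        prop, pattern, kind = "exemptedAppPackages", PACKAGE_RE, "package name"
    else:
        raise ValueError(f"unsupported policy type: {odata_type}")
    entries, seen = [], set()
    for name, value in exemptions.items():
        value = value.strip().rstrip(";")  # the portal shows schemes as "wbx;"; keep just "wbx"
        if not pattern.match(value):
            raise ValueError(f"{name!r}: {value!r} is not a valid {kind}")
        if value.lower() in seen:
            continue  # one entry per app; drop duplicates
        seen.add(value.lower())
        entries.append({"name": name, "value": value})
    return {prop: entries}
```

Each entry is a Graph keyValuePair, so the returned dict can be sent as the JSON body of a PATCH to the policy's resource URL; the ValueError on an "allApps" policy mirrors the portal hiding the exempt option.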

How does it work?

When you receive a link (for example a Webex link) in a managed application such as Teams, OneDrive or Outlook and click on it, it is opened in the Intune Managed Browser. The browser recognises that an exception exists for that URL and redirects it to open in Webex, or in whichever application matching the URL protocol or package ID is already installed on the device.

I tested this feature and it works perfectly fine.

For more information about creating exceptions to the Intune Mobile Application Management (MAM) data transfer policy, see https://docs.microsoft.com/en-us/intune/app-protection-policies-exception

Hope it helps!
