Microsoft Intune Mobile Application Management (MAM) policy changes not working

The following blog describes the solution to a scenario I encountered whereby changes to a Microsoft Intune mobile application management (MAM) policy would not take effect

Environment

In preparation for rolling out an MS Intune Mobile Application Management (MAM) policy to Outlook for iOS clients I created a test policy to enable pin protection and applied it to a test user account.  The steps used can be found here

In summary

  1. Create a test user and assign a Microsoft Intune license via portal.office.com
  2. SummaryStep1
  3. Create a user group to apply the app protection policy to, and assign the test user to the group, again via portal.office.com
  4. SummaryStep2
  5. Create an App protection policy via portal.azure.com
  6. SummaryStep3
  7. Configure the policy settings (e.g. Require PIN access)
  8. SummaryStep4
  9. Choose Apps to associate with policy (e.g. Outlook)
  10. SummaryStep5
  11. Deploy policy to test group
  12. SummaryStep6

This worked well.  After the policy applied, when I opened Outlook for iOS as the test user I was prompted to enter a pin

PinPrompt

Note:  It can take up to 8 hours for a newly deployed app protection policy to be applied.

Problem

The problem arose when I removed the test MAM policy (or more specifically, removed the test user from the group “Test – MAM Policy”). I expected that the pin protection settings would no longer apply.  However, the test user continued to be prompted to enter a pin, even after waiting sufficient time for the changes to take effect.

Solution

It was the “Common IT administrator issues” section of the Troubleshoot Mobile Application Management guide that pointed me in the right direction.  Specifically, this section which indicated that I may need to force a sync of the Outlook for iOS client for the changes to take effect

Guide1

I used the following steps to force a sync of the Outlook for iOS client:

  1. From the Outlook app, click on settings
  2. Settings
  3. Select the test Office 365 account and then choose “Reset Account”
  4. ResetAccount

This forced a sync of the Outlook client.  Next time I opened the Outlook app, the pin protection policy had been removed.

Leave a Reply

Your email address will not be published. Required fields are marked *