The following blog describes the solution to a scenario I encountered whereby changes to a Microsoft Intune mobile application management (MAM) policy would not take effect
In preparation for rolling out an MS Intune Mobile Application Management (MAM) policy to Outlook for iOS clients I created a test policy to enable pin protection and applied it to a test user account. The steps used can be found here
- Create a test user and assign a Microsoft Intune license via portal.office.com
- Create a user group to apply the app protection policy to, and assign the test user to the group, again via portal.office.com
- Create an App protection policy via portal.azure.com
- Configure the policy settings (e.g. Require PIN access)
- Choose Apps to associate with policy (e.g. Outlook)
- Deploy policy to test group
This worked well. After the policy applied, when I opened Outlook for iOS as the test user I was prompted to enter a pin
Note: It can take up to 8 hours for a newly deployed app protection policy to be applied.
The problem arose when I removed the test MAM policy (or more specifically, removed the test user from the group “Test – MAM Policy”). I expected that the pin protection settings would no longer apply. However, the test user continued to be prompted to enter a pin, even after waiting sufficient time for the changes to take effect.
It was the “Common IT administrator issues” section of the Troubleshoot Mobile Application Management guide that pointed me in the right direction. Specifically, this section which indicated that I may need to force a sync of the Outlook for iOS client for the changes to take effect
I used the following steps to force a sync of the Outlook for iOS client:
- From the Outlook app, click on settings
- Select the test Office 365 account and then choose “Reset Account”
This forced a sync of the Outlook client. Next time I opened the Outlook app, the pin protection policy had been removed.