
how does encryption work using Intune's Mobile Access Management (MAM) policy

SAM2023 31 Reputation points
2023-01-11T11:30:57.8166667+00:00

Hi

Just want to understand the concept of encryption using MAM v/s MDM

How does encryption work using Intune's Mobile Access Management (MAM) policy, and what is encrypted?

Is the space (internal memory) on your phone where the application gets installed encrypted?

or

Is there a virtual space created (a kind of folder) while the app is installed from the Company Portal (containerization technology), which does not encrypt the entire phone but uses a virtual-folder concept and encrypts only the portion where company apps are installed (e.g. using TrueCrypt)?

or

It's only the data inside the application (e.g. Outlook) that's encrypted, using some concept of the Android SDK etc. with some I/O topology; in that case, would it be DES/AES that is used for encrypting data at rest, or would it be considered data in transit (using TLS)? I just want the technical documentation link on how this actually works.

It's not about MDM but about MAM.

Thanks

SAM


2 answers

  1. Lasse Fletcher 0 Reputation points
    2026-06-18T08:31:25.9733333+00:00

    It's been quite a while since this post, but I didn't feel like it got answered fully.

    Data gets encrypted by MAM based on what type of data it is, "Corporate" or "Personal". This is further defined by where that data originates: if the data originates from SharePoint or OneDrive it gets classified as Corporate and then encrypted (I do believe this classification can be modified in different ways with the MAM policies).

    Android and iOS get encrypted in different ways; here they are from the docs:

    iOS
    "Intune APP SDK uses iOS/iPadOS cryptography methods to apply 256-bit AES encryption to app data."

    Android
    "Intune uses a wolfSSL, 256-bit AES encryption scheme along with the Android Keystore system to securely encrypt app data. Data is encrypted synchronously during file I/O tasks. Content on the device storage is always encrypted and can only be opened by apps that support Intune's app protection policies and have policy assigned. New files encrypt with 256-bit keys. Existing 128-bit encrypted files undergo a migration attempt to 256-bit keys, but the process isn't guaranteed. Files encrypted with 128-bit keys remain readable."

    Here is some more reading material:

    https://learn.microsoft.com/en-gb/intune/app-management/protection/overview#app-protection-features

    https://learn.microsoft.com/en-gb/intune/app-management/protection/ref-settings-android

    https://learn.microsoft.com/en-gb/intune/app-management/protection/ref-settings-ios

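The Android paragraph quoted above describes the shape of the scheme: each file is encrypted during I/O under a 256-bit AES key held in the Android Keystore, older files encrypted under 128-bit keys stay readable, and a migration to 256-bit keys is attempted but not guaranteed. The following Go program is an added illustration of that shape, not Intune's or Microsoft's code and not posted by anyone in this thread. The `Keystore` type (an in-memory map standing in for the platform keystore), the blob layout with a key-id header, and the choice of AES-GCM (the docs say only "256-bit AES") are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Keystore stands in for the Android Keystore (constructed for this example, not Intune's code): files name keys by id, raw key bytes stay here.
type Keystore map[string][]byte

// Generate stores a random AES key under id: size 16 = AES-128, 32 = AES-256.
func (ks Keystore) Generate(id string, size int) error {
	key := make([]byte, size)
	_, err := rand.Read(key)
	ks[id] = key
	return err
}

// aead returns AES-GCM for the named key (GCM is an assumption; the docs only
// say "256-bit AES"). An unknown id gives a nil key, which aes.NewCipher rejects.
func (ks Keystore) aead(id string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(ks[id])
	if err != nil {
		return nil, fmt.Errorf("key %q: %w", id, err)
	}
	return cipher.NewGCM(block)
}

// Header parses the blob prefix [1 byte id length][key id] without decrypting.
func Header(blob []byte) (keyID string, hdr []byte, err error) {
	if len(blob) < 1 || len(blob) < 1+int(blob[0]) {
		return "", nil, fmt.Errorf("blob too short")
	}
	n := 1 + int(blob[0])
	return string(blob[1:n]), blob[:n], nil
}

// Encrypt writes [header][nonce][ciphertext || GCM tag]. The header is passed as
// associated data, so editing the key id in a stored file fails the tag check.
// Key ids are assumed to be shorter than 256 bytes (one-byte length field).
func Encrypt(ks Keystore, keyID string, plaintext []byte) ([]byte, error) {
	aead, err := ks.aead(keyID)
	if err != nil {
		return nil, err
	}
	hdr := append([]byte{byte(len(keyID))}, keyID...)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, hdr...), nonce...)
	return aead.Seal(out, nonce, plaintext, hdr), nil
}

// Decrypt looks the key up by the id in the header and verifies the GCM tag.
func Decrypt(ks Keystore, blob []byte) ([]byte, error) {
	keyID, hdr, err := Header(blob)
	if err != nil {
		return nil, err
	}
	aead, err := ks.aead(keyID)
	if err != nil {
		return nil, err
	}
	body, ns := blob[len(hdr):], aead.NonceSize()
	if len(body) < ns {
		return nil, fmt.Errorf("blob too short")
	}
	return aead.Open(nil, body[:ns], body[ns:], hdr)
}

// Migrate re-encrypts a blob under newKeyID if it is still protected by a 16-byte
// (128-bit) key. On any failure the original blob comes back unchanged (ok=false),
// so a file that cannot be migrated stays readable under the key it already has.
func Migrate(ks Keystore, blob []byte, newKeyID string) ([]byte, bool) {
	keyID, _, err := Header(blob)
	if err != nil || len(ks[keyID]) != 16 {
		return blob, false
	}
	pt, err := Decrypt(ks, blob)
	if err != nil {
		return blob, false
	}
	if out, err := Encrypt(ks, newKeyID, pt); err == nil {
		return out, true
	}
	return blob, false
}

func main() {
	ks := Keystore{}
	ks.Generate("legacy-128", 16)
	ks.Generate("current-256", 32)
	old, _ := Encrypt(ks, "legacy-128", []byte("constructed sample: corporate mail body"))
	migrated, ok := Migrate(ks, old, "current-256")
	pt, err := Decrypt(ks, migrated)
	fmt.Printf("migrated=%v plaintext=%q err=%v\n", ok, pt, err)
}
```

`go run` on this file encrypts a constructed sample under the 128-bit key, migrates it to the 256-bit key and decrypts the result. The point to notice is in `Migrate`: a file whose key is missing or whose tag check fails is handed back untouched rather than rewritten, which is what lets "files encrypted with 128-bit keys remain readable" even when migration does not succeed. On a real device the map would be replaced by keys that never leave the platform keystore.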

  2. Lu Dai-MSFT 28,531 Reputation points
    2023-01-12T01:44:54.43+00:00

    @simon selvin Thanks for posting in our Q&A.

    MAM is about app management. We use app protection policies to protect apps. This protection is at the app level. For more details, please refer to the following article:

    https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy

    For example, if we create an app protection policy (with a setting like Restrict cut, copy, and paste), add Outlook as a managed app in this policy and deploy this policy to a user group, then when we sign in to Outlook with a user who is included in this user group, we can't copy data from Outlook to other apps. Outlook is a protected app.

    Hope it will clarify something.

