Update 10/16/25 – The script has been completely rewritten to call the Microsoft Graph REST endpoints directly through Invoke-MgGraphRequest, rather than relying on the Microsoft Graph PowerShell SDK cmdlets. It also downloads the policy and configuration profile JSON files from my GitHub instead of embedding them as objects inside the script. If you want to use your own app protection policy templates, simply change the URL in the script to point at your policy files.
MAM is becoming an increasingly popular Intune implementation, especially for smaller organizations that don’t provide corporate cell phones but still want to allow employees access to company email and data from their personal devices. Manually configuring MAM for an organization can be somewhat time-consuming, so I’ve created a script that creates and assigns everything needed for an Android/iOS MAM deployment. For more details on configuring MAM manually, see this blog post – Protect Company Data on Personal iOS/Android devices using Intune Mobile Application Management (MAM) – SMBtotheCloud.
I use the same baseline app protection policies for all my MAM deployments, and I always target MAM at a pilot group of employees before rolling it out to larger subsets of users. In most situations these app protection policies are sufficient, but you may need to adjust some settings based on organizational needs or on feedback from the pilot group.
The script is available on GitHub and does the following:
- Creates a security group named “MAM_PilotGroup”
- Creates two managed-app assignment filters, one for unmanaged Android devices and one for unmanaged iOS devices
- Creates app protection policies with common settings for the Android and iOS platforms and assigns them to the MAM_PilotGroup security group, using the matching filter so that only unmanaged devices are included
- Creates a Conditional Access policy targeting the MAM_PilotGroup security group that requires an app protection policy on iOS and Android devices. The policy is created in the “Off” state so it can be reviewed before enforcement.
Simply run the script. It will check for the required modules, install them if necessary, and then prompt you to authenticate to your tenant. A log is written to the c:\temp directory on the device where the script is run. All you need to do after the script finishes is add users to the MAM_PilotGroup security group and turn on the Conditional Access policy.
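To show what that sequence looks like as raw Graph calls, here is a condensed PowerShell sketch I’ve added for illustration. It is not the script from my GitHub; it mirrors the same four steps using Invoke-MgGraphRequest. Everything marked as an assumption in the comments is mine, not from the original script: the beta endpoint and the `app.deviceManagementType -eq "unmanaged"` rule syntax for managed-app filters, the placeholder template URLs (`example.invalid`), and the “Office365” cloud-app target for the Conditional Access policy.

```powershell
# Added illustration, not the script published with this post. Assumptions are marked inline.
# Requires the Microsoft.Graph.Authentication module (Connect-MgGraph / Invoke-MgGraphRequest).
Connect-MgGraph -Scopes "Group.ReadWrite.All",
                        "DeviceManagementApps.ReadWrite.All",
                        "DeviceManagementConfiguration.ReadWrite.All",
                        "Policy.ReadWrite.ConditionalAccess",
                        "Application.Read.All" -NoWelcome

$beta = "https://graph.microsoft.com/beta"
$v1   = "https://graph.microsoft.com/v1.0"

# 1. Pilot security group (reuse it if a previous run already created it, so re-runs are safe)
$groupName = "MAM_PilotGroup"
$existing  = Invoke-MgGraphRequest -Method GET -Uri "$v1/groups?`$filter=displayName eq '$groupName'"
if ($existing.value.Count -gt 0) {
    $groupId = $existing.value[0].id
} else {
    $group = Invoke-MgGraphRequest -Method POST -Uri "$v1/groups" -Body @{
        displayName     = $groupName
        mailEnabled     = $false
        mailNickname    = $groupName
        securityEnabled = $true
    }
    $groupId = $group.id
}

# 2. Managed-app assignment filters for unmanaged devices, one per platform.
#    Assumption: filters are created on the beta endpoint, and the managed-app
#    rule property is app.deviceManagementType with the value "unmanaged".
$filterIds = @{}
foreach ($platform in @("iOSMobileApplicationManagement", "androidMobileApplicationManagement")) {
    $filter = Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceManagement/assignmentFilters" -Body @{
        displayName                    = "Unmanaged $platform"
        platform                       = $platform
        rule                           = '(app.deviceManagementType -eq "unmanaged")'
        assignmentFilterManagementType = "apps"
    }
    $filterIds[$platform] = $filter.id
}

# 3. App protection policies from downloaded JSON templates, then assignment to the
#    pilot group with the matching "unmanaged" filter included.
#    Assumption: the template URLs are placeholders; point them at your own JSON files.
#    App targeting (the /targetApps action) is intentionally left out of this sketch.
$templates = @{
    "iOSMobileApplicationManagement"     = @{ Url = "https://example.invalid/ios-app-protection.json";     Resource = "iosManagedAppProtections" }
    "androidMobileApplicationManagement" = @{ Url = "https://example.invalid/android-app-protection.json"; Resource = "androidManagedAppProtections" }
}
foreach ($platform in $templates.Keys) {
    $resource = $templates[$platform].Resource
    $json     = (Invoke-WebRequest -Uri $templates[$platform].Url -UseBasicParsing).Content
    $policy   = Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceAppManagement/$resource" `
                                      -Body $json -ContentType "application/json"
    Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceAppManagement/$resource/$($policy.id)/assign" -Body @{
        assignments = @(
            @{
                target = @{
                    "@odata.type"                              = "#microsoft.graph.groupAssignmentTarget"
                    groupId                                    = $groupId
                    deviceAndAppManagementAssignmentFilterId   = $filterIds[$platform]
                    deviceAndAppManagementAssignmentFilterType = "include"
                }
            }
        )
    }
}

# 4. Conditional Access: require an app protection policy on iOS/Android for the pilot group.
#    Created in the disabled ("Off") state so it can be reviewed before enforcement.
#    Assumption: the "Office365" cloud-app set is the target; adjust to the apps in scope.
Invoke-MgGraphRequest -Method POST -Uri "$v1/identity/conditionalAccess/policies" -Body @{
    displayName = "MAM pilot - Require app protection policy (iOS/Android)"
    state       = "disabled"
    conditions  = @{
        users          = @{ includeGroups = @($groupId) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantApplication")
    }
}
```

Two things worth checking before you flip the Conditional Access policy on: confirm the managed-app filters show as “Managed apps” filters in the Intune portal and that the app protection policies list the pilot group with the filter in include mode, and consider switching the policy to report-only (`enabledForReportingButNotEnforced`) for a few days of pilot sign-ins before setting it to `enabled`, so that any users still on a Microsoft 365 app without Intune SDK support are visible in the sign-in logs rather than simply locked out.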
Here’s example output from PowerShell, along with a demo. The script takes less than 10 seconds to run.