DocumentationRelease Notes
Documentation

Mobile Application Management

Suggest Edits

Mobile Application Management (MAM) for Password Safe with Microsoft Intune

BeyondTrust supports management of the Password Safe application with Mobile Application Management (MAM) through Microsoft Intune. This enables the protection of corporate data within applications by enforcing device protection policies.

Prerequisites

To get started, you'll need:

  • The Microsoft Intune license
  • The Company Portal app installed on managed devices

Intune Capabilities

Using Intune, you can:

  • Protect corporate data within applications by enforcing device protection policies.
  • Prevent copying data from work apps to personal apps.
  • Control access to corporate applications.

ℹ️

For more information on Intune and how to configure it, see the following Microsoft resources:

Setup Microsoft Intune

The following instructions are based on the Microsoft documentation for using Intune to manage devices.

Configure application registration

To manage your mobile application using Microsoft Intune, the first step is registering your app in the Intune admin center.

  1. Access the Intune Admin Center: Sign in to the Microsoft Intune admin center. Make sure you have the required permissions to register your device and add policies in your Intune subscription.
  2. Working across multiple tenants: If you have access to multiple tenants, use the Settings icon located in the top menu to switch to the tenant where you want to register the application.

    ℹ️

    Once created, the application object cannot be moved between different tenants.

  3. Register the application: Go to Entra ID > App registrations and click New registration.
  4. Define the application identity: Enter a clear and descriptive name, for example identity-client-app. This name is visible to app users, and it can be changed at any time.
  5. Specify access scope: Under Supported account types, specify who can use the application. We recommend you select Accounts in this organizational directory only for most applications.
  6. Complete registration: Click Register to complete the app registration.
  7. Capture key integration details: On the app’s Overview page, note the Application (client) ID. This unique identifier is used later as part of validating the security tokens it receives from the Microsoft identity platform.

Your application is now registered in Intune, forming the foundation for applying mobile application management (MAM) policies securely.

Grant Intune Mobile App Management access to your registered application

To allow your application to interact with Intune’s Mobile Application Management (MAM) services, you must assign the appropriate API permissions. This enables your app to read and manage mobile application policies securely.

  1. Open your registered app: In App registrations, select the application you previously set up.
  2. Add the required permission: Click + Add a permission.
  3. Search for the required API: Click APIs my organization uses. In the search field, type Microsoft Mobile Application Management.
  4. Assign delegated access: Under Delegated Permissions, check DeviceManagementManagedApps.ReadWrite: Read and Write the User's App Management Data*.
  5. Finalize the setup: Click Add permissions to grant access.

Your app now has the necessary permissions to manage user-level app protection policies via Intune.

Create and Apply an App Protection Policy for Password Safe

To enforce security and data protection on the Password Safe mobile app, create a mobile application protection policy in Microsoft Intune.

  1. Create a new protection policy: In the Intune Portal, go to:
    Apps > App protection policies > Create policy, and select Android or iOS/PadOS.
Create new protection policy
  1. Define the policy basics: Fill in the policy Basics (name, description, platform), and then click Next.
  2. Assign the policy to the app: On the Apps page:
    • From the Target policy to dropdown, choose Selected Apps
    • Click Select custom apps
    • Under Select app to target, you can either enter the application bundle ID or choose Password Safe from the pre-added apps list
    • Click Select, and then click Next
Assign protection policy to app
  1. Set data protection controls: Under Data Protection , configure how users can interact with app data.
    • Use built-in Data Loss Prevention (DLP) options like restricting cut/copy/paste between apps and preventing save-as
    • Click Next
  2. Define access requirements: Configure the conditions users must meet to access the app. For example, set PIN for access to Require (recommended). For testing purposes leave the default settings.
  3. Set conditional launch rules: Set the sign-in security requirements for your access protection policy.
  4. Assign the policy to user groups: Select Assignments to choose who should have access to this policy and who is restricted from the policy. Once completed, click Next.

Manage user groups from the Groups menu item.

  1. Review and create the policy: After reviewing all settings, click Create. The policy is now active and applies when users launch the Password Safe app.

You can edit or update this policy anytime from the Intune portal to meet evolving security needs.

Updated about 22 hours ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.