Microsoft Intune Admins: Important Update on Intune MAM for Outlook iOS Add-Ins

Intune MAM Update: Outlook for iOS Add-Ins

Microsoft changed how Intune MAM policies interact with Outlook for iOS add-ins. The update affects data protection controls for any add-in that transfers data to third-party services. Intune admins must review and update app protection policies to avoid security gaps or blocked functionality. EPC Group explains what changed and what to do.

Key facts

• Affected feature: Intune MAM app protection policies for Outlook on iOS.
• Risk: Add-ins can transfer data outside MAM boundaries if policies are not updated.
• Action required: Review app protection policy "Send org data to other apps" setting.
• Recommended setting: "Policy managed apps with Open-In/Share filtering."
• EPC Group has 29 years of Microsoft endpoint management experience.
• Contact: (888) 381-9725 · contact@epcgroup.net

What Changed in Intune MAM for Outlook iOS

Outlook for iOS add-ins run inside the Outlook app. However, they can move data to third-party services. That movement may conflict with your MAM data protection policies.

Microsoft updated how Intune evaluates add-in behavior. Policies that previously allowed add-ins silently may now block them — or expose data gaps you did not know existed.

• Before the update — add-in data transfers were not fully evaluated against MAM policies.
• After the update — Intune enforces MAM controls on data flowing through add-ins.
• Impact — add-ins that transfer org data to unmanaged services will be blocked or flagged.

Which Intune Settings to Review

Open your app protection policies in the Intune admin center. Check these settings for Outlook on iOS:

• Send org data to other apps — set to "Policy managed apps with Open-In/Share filtering."
• Receive data from other apps — confirm only policy-managed apps are allowed.
• Save copies of org data — block unless explicitly required.
• Restrict cut, copy, paste — set to "Policy managed apps with paste in."
• Add-in allow list — review all active add-ins against your approved app list.

How to Configure App Protection Policies

Follow these steps to update your MAM policies in the Intune admin center:

1. Sign into intune.microsoft.com.
2. Go to Apps > App protection policies.
3. Select the iOS Outlook policy you want to review.
4. Open Data protection settings.
5. Set "Send org data to other apps" to "Policy managed apps with Open-In/Share filtering."
6. Review any add-in exceptions already in place.
7. Save and monitor the Intune App Protection report for blocked events.

BYOD vs. Corporate Device Considerations

MAM without enrollment (MAM-WE) applies to personal iOS devices. The add-in update affects both enrolled and unenrolled devices.

• Enrolled devices (MDM + MAM) — full device management plus app protection. Strictest control.
• BYOD with MAM-WE — app-level protection only. Add-in controls apply within Outlook.
• Unmanaged devices — no MAM protection. Block org email access via Conditional Access.

For BYOD fleets, verify that your Conditional Access policies require an approved app before granting Exchange Online access.

Compliance and Regulated Industry Impact

If your org operates under HIPAA, SOC 2, or CMMC, uncontrolled add-in data flows create audit risk. Intune MAM is your control layer. Keep it tight.

• HIPAA — PHI must not flow to unmanaged third-party apps via add-ins.
• SOC 2 Type II — auditors review app protection policy configurations.
• CMMC Level 2/3 — CUI controls extend to mobile app data handling.
• FERPA — student data must remain in approved, managed apps.

EPC Group Credentials

• 29 years of Microsoft consulting. 11,000+ enterprise engagements.
• Microsoft Solutions Partner — core designations (fewer than 50 firms globally hold all six).
• Microsoft Gold Partner (2016-2022) (oldest continuous in North America).
• Compliance-ready: HIPAA, SOC 2, FedRAMP, CMMC, FERPA, GDPR.
• Clients: NASA, FBI, Federal Reserve, Pentagon, United Airlines, PepsiCo, Nike, Northrop Grumman.

Frequently Asked Questions

What is Intune MAM?

Intune MAM (Mobile Application Management) controls how org data moves within and between apps on mobile devices. It works with or without full device enrollment. MAM policies set rules for copy/paste, save locations, and data transfers between apps.

Do Outlook for iOS add-ins bypass MAM policies?

They can — if your app protection policy does not explicitly restrict third-party data transfers. The Microsoft update closes a gap where add-in data transfers were not fully evaluated. Review your "Send org data to other apps" setting to confirm add-ins are covered.

What setting should I use for the data transfer policy?

Set "Send org data to other apps" to "Policy managed apps with Open-In/Share filtering." This gives the most control over outbound data while still allowing approved managed apps to receive data from Outlook.

Does this affect MDM-enrolled devices too?

Yes. Both MDM-enrolled and MAM-only (BYOD) devices running Outlook on iOS are affected. Update your app protection policies for all iOS Outlook configurations, not just BYOD profiles.

How do I find which add-ins are active in Outlook iOS?

Check the Exchange admin center under Add-ins for org-deployed add-ins. Also review the Intune App Protection report for any flagged data transfer events after the policy update takes effect.

Can EPC Group help us update our Intune policies?

Yes. EPC Group architects have configured Intune MAM policies across healthcare, financial services, and government clients. We can audit your current policies, recommend changes, and test the update before broad rollout. Call (888) 381-9725 to start.

Schedule an Intune Policy Review

Don't wait for an audit finding. Let an EPC Group Intune architect review your MAM configuration. Call (888) 381-9725 or request a 30-minute discovery call.