mobile security

Implementing Mobile Application Management

Implements Mobile Application Management (MAM) policies to protect enterprise data on managed and unmanaged mobile devices through app-level controls including data loss prevention, selective wipe, app configuration, and containerization. Use when securing corporate apps on BYOD devices, implementing Intune App Protection Policies, or enforcing data separation between personal and work apps. Activates for requests involving MAM deployment, app protection policies, mobile containerization, or BYOD security.

androidenterprise-securityiosmammobile-securityowasp-mobile
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

Use this skill when:

  • Deploying enterprise mobile app protection without full device management (MDM)
  • Implementing BYOD policies that protect corporate data while respecting personal privacy
  • Configuring Microsoft Intune App Protection Policies for iOS and Android
  • Enforcing data loss prevention controls on managed mobile applications

Do not use when full device management (MDM) is already deployed and sufficient -- MAM adds complexity when MDM already provides the needed controls.

Prerequisites

  • Microsoft Intune or equivalent MAM platform (VMware Workspace ONE, MobileIron)
  • Azure AD for identity and conditional access policies
  • Intune App SDK integrated into target applications (or Intune App Wrapping Tool)
  • Test devices (Android 10+ and iOS 15+)
  • Azure AD Premium P1 or P2 licenses for conditional access

Workflow

Step 1: Define App Protection Policy Requirements

Classify data sensitivity and define protection tiers:

Tier Data Type Controls
Tier 1 - Basic General corporate email Require PIN, block screenshots
Tier 2 - Enhanced Financial data, HR records Encrypt app data, restrict cut/copy/paste
Tier 3 - High PII, healthcare, legal Selective wipe, offline access limits, DLP

Step 2: Configure Intune App Protection Policies

Android App Protection Policy:

{
    "displayName": "Corporate App Protection - Tier 2",
    "platform": "android",
    "dataProtectionSettings": {
        "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
        "blockDataTransferToOtherApps": "managedApps",
        "blockDataTransferFromOtherApps": "managedApps",
        "saveAsBlocked": true,
        "clipboardSharingLevel": "managedAppsWithPasteIn",
        "screenCaptureBlocked": true,
        "encryptAppData": true,
        "backupBlocked": true
    },
    "accessSettings": {
        "pinRequired": true,
        "minimumPinLength": 6,
        "biometricEnabled": true,
        "offlineGracePeriod": 720,
        "offlineWipeInterval": 90
    },
    "conditionalLaunchSettings": {
        "maxOsVersion": "15.0",
        "minOsVersion": "12.0",
        "jailbreakBlocked": true,
        "maxPinRetries": 5
    }
}

Step 3: Implement App Configuration Policies

Deploy managed app configuration for automatic endpoint setup:

{
    "displayName": "Email App Configuration",
    "targetedManagedApps": ["com.microsoft.outlooklite"],
    "settings": [
        {"key": "com.microsoft.outlook.EmailProfile.AccountType", "value": "ModernAuth"},
        {"key": "com.microsoft.outlook.EmailProfile.ServerName", "value": "outlook.office365.com"},
        {"key": "com.microsoft.outlook.EmailProfile.AllowedDomains", "value": "corporate.com"}
    ]
}

Step 4: Deploy Conditional Access Integration

Azure AD > Conditional Access > New Policy:
- Users: All users with corporate apps
- Cloud apps: Office 365, custom LOB apps
- Conditions: All platforms
- Grant: Require app protection policy
- Session: App enforced restrictions

Step 5: Test and Validate MAM Controls

Test each policy control on both platforms:

# Verify data transfer restrictions
1. Open managed app (Outlook)
2. Copy text from email body
3. Attempt paste in unmanaged app (Notes) -- should be blocked
4. Attempt paste in managed app (Teams) -- should work
 
# Verify selective wipe
1. Enroll test device with MAM
2. Access corporate data in managed apps
3. Trigger selective wipe from Intune portal
4. Verify corporate data removed, personal data intact
 
# Verify offline grace period
1. Access managed app while connected
2. Disconnect from network
3. After grace period expires, verify app access blocked

Step 6: Monitor and Respond

Configure MAM monitoring dashboards:

  • App protection policy assignment status
  • Non-compliant device/user reports
  • Selective wipe execution logs
  • Jailbreak/root detection alerts
  • Failed PIN attempt tracking

Key Concepts

Term Definition
MAM Mobile Application Management - app-level policies without requiring full device enrollment
App Protection Policy Set of rules enforcing data protection at the app level (encryption, DLP, access controls)
Selective Wipe Removing only corporate data from managed apps while preserving personal data
App Wrapping Post-build process applying MAM SDK policies to apps without source code modification
Containerization Isolating corporate app data in an encrypted container separate from personal apps

Tools & Systems

  • Microsoft Intune: Cloud-based MAM/MDM platform with app protection policies
  • Intune App SDK: SDK for integrating MAM controls into custom iOS/Android apps
  • Intune App Wrapping Tool: Post-compilation tool for applying MAM policies without code changes
  • VMware Workspace ONE: Alternative MAM platform with app containerization
  • Azure AD Conditional Access: Policy engine for enforcing MAM enrollment as access condition

Common Pitfalls

  • SDK version mismatch: Intune App SDK version must match the policy version. Outdated SDK versions may silently fail to enforce newer policies.
  • iOS managed pasteboard: iOS enforces paste restrictions through managed pasteboard, which requires the app to opt-in via Intune SDK integration.
  • App wrapping limitations: Wrapped apps cannot use certain features (push notifications on some platforms). SDK integration is preferred for full functionality.
  • User experience friction: Overly restrictive policies cause user frustration and shadow IT. Start with Tier 1 and escalate based on data sensitivity.
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 3

api-reference.md1.3 KB

API Reference: Implementing Mobile Application Management

Microsoft Intune MAM API (Graph)

import requests
headers = {"Authorization": "Bearer <token>"}
# List MAM policies
policies = requests.get(
    "https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppPolicies",
    headers=headers).json()
# List managed apps
apps = requests.get(
    "https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppRegistrations",
    headers=headers).json()

MAM Policy Settings

Setting Recommended Description
pinRequired true Require app PIN
encryptAppData true Encrypt app data
dataBackupBlocked true Block iCloud/Google backup
screenCaptureBlocked true Block screenshots
managedBrowserRequired true Force managed browser
maxPinRetries 5 Wipe after failures

Conditional Launch Settings

Condition Action Value
Jailbreak/root Block true
Min OS version Warn/Block 16.0
Offline wipe Wipe 30 days
Max PIN retries Wipe 5

References

standards.md0.7 KB

Standards Reference: Mobile Application Management

NIST SP 800-124 Rev 2 - Mobile Device Security

  • Section 4: Enterprise mobile security technologies (MDM, MAM, MTD)
  • Section 5: App vetting and management requirements

OWASP Mobile Top 10 2024

ID Risk MAM Mitigation
M6 Inadequate Privacy Controls Data separation between personal and corporate
M8 Security Misconfiguration Enforced app configuration policies
M9 Insecure Data Storage App-level encryption and backup restrictions

CIS Controls v8

Control MAM Relevance
2.5 Allowlist authorized mobile software
3.6 Encrypt data on end-user devices
6.4 Require MFA for remote access
workflows.md0.8 KB

Workflows: Mobile Application Management

Workflow 1: MAM Deployment

[Define data classification] --> [Create protection tiers] --> [Configure policies]
       |                                                              |
[Identify managed apps]                                    [App protection policies]
[Integrate Intune SDK]                                     [App configuration policies]
                                                           [Conditional access]
                                                                      |
                                                           [Test on pilot devices]
                                                           [Validate DLP controls]
                                                           [Roll out to users]

Scripts 2

agent.py5.8 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Mobile Application Management Agent - audits MDM policies, app inventory, and compliance posture."""

import json
import argparse
import logging
import subprocess
from collections import defaultdict
from datetime import datetime

logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)


def mdm_api_request(base_url, token, endpoint, method="GET"):
    """Execute MDM API request via curl."""
    cmd = ["curl", "-s", "-X", method,
           "-H", f"Authorization: Bearer {token}",
           "-H", "Accept: application/json",
           f"{base_url}{endpoint}"]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
    return json.loads(result.stdout) if result.stdout else {}


def get_managed_devices(base_url, token):
    """Get all managed devices."""
    return mdm_api_request(base_url, token, "/api/v1/devices")


def get_managed_apps(base_url, token):
    """Get managed application inventory."""
    return mdm_api_request(base_url, token, "/api/v1/apps")


def get_compliance_policies(base_url, token):
    """Get device compliance policies."""
    return mdm_api_request(base_url, token, "/api/v1/compliance/policies")


def get_app_protection_policies(base_url, token):
    """Get MAM app protection policies."""
    return mdm_api_request(base_url, token, "/api/v1/app-protection-policies")


def audit_device_compliance(devices):
    """Audit device compliance status."""
    compliant = 0
    non_compliant = 0
    issues = defaultdict(int)
    for device in devices:
        if device.get("compliance_state") == "compliant":
            compliant += 1
        else:
            non_compliant += 1
            for issue in device.get("compliance_issues", []):
                issues[issue] += 1
    return {
        "total_devices": len(devices),
        "compliant": compliant,
        "non_compliant": non_compliant,
        "compliance_rate": round(compliant / max(len(devices), 1) * 100, 1),
        "top_issues": dict(sorted(issues.items(), key=lambda x: x[1], reverse=True)[:10]),
    }


def audit_app_security(apps):
    """Audit managed app security configuration."""
    findings = []
    for app in apps:
        app_name = app.get("name", "unknown")
        if not app.get("managed"):
            findings.append({"app": app_name, "issue": "unmanaged_app", "severity": "medium"})
        if app.get("data_sharing_allowed"):
            findings.append({"app": app_name, "issue": "data_sharing_enabled", "severity": "high"})
        if not app.get("encryption_required"):
            findings.append({"app": app_name, "issue": "encryption_not_required", "severity": "high"})
        if not app.get("pin_required"):
            findings.append({"app": app_name, "issue": "no_app_pin", "severity": "medium"})
        if app.get("allow_backup_to_cloud"):
            findings.append({"app": app_name, "issue": "cloud_backup_allowed", "severity": "medium"})
    return findings


def audit_protection_policies(policies):
    """Audit MAM protection policy configuration."""
    results = []
    for policy in policies:
        checks = {
            "data_transfer_restricted": policy.get("restrict_cut_copy_paste", False),
            "save_as_blocked": policy.get("block_save_as", False),
            "screen_capture_blocked": policy.get("block_screen_capture", False),
            "managed_browser_required": policy.get("require_managed_browser", False),
            "min_os_version_set": bool(policy.get("minimum_os_version")),
            "jailbreak_detection": policy.get("block_jailbroken", False),
            "offline_grace_period_set": bool(policy.get("offline_interval")),
        }
        passed = sum(1 for v in checks.values() if v)
        results.append({
            "policy_name": policy.get("name", "unknown"),
            "platform": policy.get("platform", "unknown"),
            "checks": checks,
            "score": round(passed / max(len(checks), 1) * 100, 1),
        })
    return results


def generate_report(devices, apps, policies, protection_policies):
    device_audit = audit_device_compliance(devices)
    app_findings = audit_app_security(apps)
    policy_audit = audit_protection_policies(protection_policies)
    report = {
        "timestamp": datetime.utcnow().isoformat(),
        "device_compliance": device_audit,
        "app_security_findings": len(app_findings),
        "high_severity_findings": len([f for f in app_findings if f["severity"] == "high"]),
        "app_findings_detail": app_findings[:20],
        "protection_policy_audit": policy_audit,
        "overall_mam_score": round(
            sum(p["score"] for p in policy_audit) / max(len(policy_audit), 1), 1),
    }
    return report


def main():
    parser = argparse.ArgumentParser(description="Mobile Application Management Audit Agent")
    parser.add_argument("--mdm-url", required=True, help="MDM/UEM API base URL")
    parser.add_argument("--token", required=True, help="API bearer token")
    parser.add_argument("--output", default="mam_audit_report.json")
    args = parser.parse_args()

    devices = get_managed_devices(args.mdm_url, args.token)
    apps = get_managed_apps(args.mdm_url, args.token)
    policies = get_compliance_policies(args.mdm_url, args.token)
    protection = get_app_protection_policies(args.mdm_url, args.token)
    report = generate_report(devices, apps, policies, protection)
    with open(args.output, "w") as f:
        json.dump(report, f, indent=2, default=str)
    logger.info("MAM audit: %d devices (%.1f%% compliant), %d app findings, MAM score %.1f%%",
                report["device_compliance"]["total_devices"],
                report["device_compliance"]["compliance_rate"],
                report["app_security_findings"], report["overall_mam_score"])
    print(json.dumps(report, indent=2, default=str))


if __name__ == "__main__":
    main()
process.py3.7 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
MAM Policy Compliance Checker

Validates Intune App Protection Policy configurations against security baselines.

Usage:
    python process.py --policy policy.json [--baseline tier2] [--output report.json]
"""

import argparse
import json
import sys
from datetime import datetime
from pathlib import Path

BASELINE_TIER2 = {
    "pin_required": True,
    "min_pin_length": 6,
    "biometric_enabled": True,
    "encrypt_app_data": True,
    "screen_capture_blocked": True,
    "backup_blocked": True,
    "clipboard_restriction": "managedApps",
    "jailbreak_blocked": True,
    "offline_grace_period_max_minutes": 1440,
    "max_pin_retries": 5,
}

BASELINE_TIER3 = {
    **BASELINE_TIER2,
    "min_pin_length": 8,
    "clipboard_restriction": "blocked",
    "offline_grace_period_max_minutes": 720,
    "save_as_blocked": True,
    "printing_blocked": True,
    "max_pin_retries": 3,
}


def check_compliance(policy: dict, baseline: dict) -> list:
    """Check policy against baseline requirements."""
    findings = []
    data = policy.get("dataProtectionSettings", {})
    access = policy.get("accessSettings", {})
    conditional = policy.get("conditionalLaunchSettings", {})

    checks = {
        "pin_required": access.get("pinRequired"),
        "min_pin_length": access.get("minimumPinLength", 0),
        "biometric_enabled": access.get("biometricEnabled"),
        "encrypt_app_data": data.get("encryptAppData"),
        "screen_capture_blocked": data.get("screenCaptureBlocked"),
        "backup_blocked": data.get("backupBlocked"),
        "jailbreak_blocked": conditional.get("jailbreakBlocked"),
    }

    for control, expected in baseline.items():
        actual = checks.get(control)
        if actual is None:
            findings.append({
                "control": control,
                "status": "MISSING",
                "expected": expected,
                "actual": None,
                "severity": "HIGH",
            })
        elif isinstance(expected, bool) and actual != expected:
            findings.append({
                "control": control,
                "status": "NON_COMPLIANT",
                "expected": expected,
                "actual": actual,
                "severity": "HIGH",
            })
        elif isinstance(expected, int) and isinstance(actual, int) and actual < expected:
            findings.append({
                "control": control,
                "status": "BELOW_MINIMUM",
                "expected": f">= {expected}",
                "actual": actual,
                "severity": "MEDIUM",
            })

    return findings


def main():
    parser = argparse.ArgumentParser(description="MAM Policy Compliance Checker")
    parser.add_argument("--policy", required=True, help="Policy JSON file")
    parser.add_argument("--baseline", choices=["tier2", "tier3"], default="tier2")
    parser.add_argument("--output", default="mam_compliance.json")
    args = parser.parse_args()

    with open(args.policy) as f:
        policy = json.load(f)

    baseline = BASELINE_TIER3 if args.baseline == "tier3" else BASELINE_TIER2
    findings = check_compliance(policy, baseline)

    compliant_count = len(baseline) - len(findings)
    report = {
        "check": {"policy": args.policy, "baseline": args.baseline, "date": datetime.now().isoformat()},
        "summary": {
            "total_controls": len(baseline),
            "compliant": compliant_count,
            "non_compliant": len(findings),
        },
        "findings": findings,
    }

    with open(args.output, "w") as f:
        json.dump(report, f, indent=2)
    print(f"[+] Compliance: {compliant_count}/{len(baseline)} controls pass")
    print(f"[+] Report saved: {args.output}")


if __name__ == "__main__":
    main()

Assets 1

template.mdtext/markdown · 0.6 KB
Keep exploring