App Protection Policies do not apply to managed iOS devices in Microsoft Intune

Issue:

When applying a specific App Protection Policy to only “Apps on Intune managed devices”, the policy is not applied.

The devices are managed and compliant under Intune.

Intune > Client apps > App protection status

The App Protection Report lists all managed iOS devices as unmanaged. The issue lies in the way APP detects and reports on devices, and it is therefore unable to assign the appropriate policy to the device.

App Reporting for an individual user shows “Not checked in. On next sync, this app will receive one or more of policies: <policy name> based on the management level” indicating the policy is targeting the correct management type and relates to the reported device state.

This issue has been identified on at least 2 production environments and 1 test environment. Microsoft support has now also acknowledged the issue and is looking into a fix.

Workaround:

Change the policy target to one of the following:

  • Target to all application types = Yes
  • Apps on unmanaged devices

For now you will have to manage all iOS devices with the same policy.

1 Like

Hi, in case you haven’t found out why this was occurring already, the reason it’s failing against “managed devices” is that there’s a missing “App Configuration Policy” which defines the type of device management the app protection policy is targeting.

Refer to the entry for “IntuneMAMUPN” in the following Microsoft article, “Create and deploy app protection policies - Microsoft Intune | Microsoft Learn”, to add the missing policy; then you can split out the protection policies based on device state as you were wanting.

1 Like
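
The check described in the reply above, as an added example that is not part of the original thread: it flags app protection policies scoped to managed devices whose apps have no app configuration policy supplying the IntuneMAMUPN key. The policy data is constructed, and the field names (`management_level`, `apps`, `settings`) are a simplified layout assumed for this example, not the Microsoft Graph schema.

```python
# Constructed sample data; field names are an assumed, simplified layout.
PROTECTION_POLICIES = [
    {"name": "iOS APP - managed", "management_level": "managed",
     "apps": ["com.microsoft.Office.Outlook", "com.microsoft.skydrive"]},
    {"name": "iOS APP - unmanaged", "management_level": "unmanaged",
     "apps": ["com.microsoft.Office.Outlook"]},
]
CONFIG_POLICIES = [  # app configuration policies for managed devices
    {"name": "Outlook UPN", "apps": ["com.microsoft.Office.Outlook"],
     "settings": {"IntuneMAMUPN": "{{userprincipalname}}"}},
    {"name": "OneDrive misc", "apps": ["com.microsoft.skydrive"],
     "settings": {"SomeOtherKey": "1"}},  # hypothetical unrelated key
]

REQUIRED_KEY = "IntuneMAMUPN"


def apps_with_upn(config_policies):
    """Return the set of app IDs that receive a non-empty IntuneMAMUPN value."""
    covered = set()
    for cfg in config_policies:
        value = str(cfg.get("settings", {}).get(REQUIRED_KEY, "")).strip()
        if value:
            covered.update(cfg.get("apps", []))
    return covered


def find_gaps(protection_policies, config_policies):
    """Map each managed-device protection policy to its apps lacking the key."""
    covered = apps_with_upn(config_policies)
    gaps = {}
    for pol in protection_policies:
        # Only policies scoped to managed devices depend on the key.
        if pol.get("management_level") != "managed":
            continue
        missing = sorted(a for a in pol.get("apps", []) if a not in covered)
        if missing:
            gaps[pol["name"]] = missing
    return gaps


if __name__ == "__main__":
    for policy, apps in find_gaps(PROTECTION_POLICIES, CONFIG_POLICIES).items():
        print(f"{policy}: no {REQUIRED_KEY} app configuration for {', '.join(apps)}")
```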