How to Exclude Apps from Intune Mobile Application Management (MAM)

When you work with Mobile Application Management (MAM) in Intune, there is no single “exclude this app” button. Instead, you control which apps and which users are covered by App Protection Policies (APP).

In practice, you “exclude” an app in three main ways:

  1. Don’t target that app in the App Protection Policy.
  2. Exclude some users or groups from the policy.
  3. Use exempt apps for specific data-sharing exceptions.

This post walks through each option with simple steps.


Before You Start: How MAM Targeting Works

MAM App Protection Policies in Intune apply to:

  • Certain platforms (mainly iOS/iPadOS and Android).
  • Certain apps (Microsoft apps and supported third-party apps).
  • Certain users or groups (via assignments).

So, to “exclude an app,” you change either:

  • The app list the policy targets, or
  • The assignments (included/excluded groups), or
  • The data transfer rules (exempt apps).

Option 1 – Exclude an App by Not Targeting It

This is the cleanest way if you just don’t want a specific app to be managed by MAM.

Step-by-step

  1. Go to Intune admin center:
    https://intune.microsoft.com
  2. In the left menu, go to:
    Apps > App protection policies.
  3. Select the iOS/iPadOS or Android policy you want to adjust.
  4. On the policy page, select Properties.
  5. Under Apps, click Edit.
  6. Look for Target policy to.
    If it is set to something broad like:
    • All apps
    • All public apps
    • Microsoft apps
    • Core Microsoft apps
    change it to Selected apps.
  7. Click Select public apps.
  8. Add only the apps you want this policy to manage (for example: Outlook, Teams, OneDrive, Word, Excel, etc.).
  9. Do not add the app you want to exclude.
  10. Click OK, then Review + save, and finally Save.

Result

  • The policy applies only to the apps you selected.
  • The app you left out will not get this MAM policy.
  • From a MAM perspective, that app is unmanaged (but Conditional Access may still block it; we’ll cover that later).

Option 2 – Exclude Users or Groups from the Policy

Sometimes you want the same app to be protected for most users but not for a specific set of users, such as:

  • Executives
  • Test/pilot users
  • A support team

In that case, use assignment exclusions.

Step-by-step

  1. Go to Intune admin center.
  2. Go to Apps > App protection policies.
  3. Select your policy.
  4. Open the Assignments tab.
  5. Under Included groups, make sure your main user groups are listed (e.g., “All M365 users”).
  6. Under Excluded groups, add a group that contains the users you want to exclude, for example:
    • MAM-Excluded-Users
  7. Save the assignments.

Result

  • Users in the excluded group will not get the MAM policy.
  • For those users, the apps targeted by the policy will behave as unmanaged apps.

You can combine this with Option 1:

  • Use Selected apps for app targeting.
  • Use Excluded groups to carve out users who should stay unmanaged.

Option 3 – Use Exempt Apps (Allow Data to Specific Unmanaged Apps)

This option is different. Here, the app is not excluded from MAM. Instead, you:

  • Keep MAM protection on your main apps (for example, Outlook, Teams).
  • Allow those protected apps to send data to a specific unmanaged app.

This is useful when you want things like:

  • Outlook to open links or calendar events in a specific third-party app.
  • A protected app to hand off to a maps, conferencing, or browser app.

Step-by-step (Android / iOS)

  1. Go to Intune admin center.
  2. Go to Apps > App protection policies.
  3. Open your iOS/iPadOS or Android policy.
  4. Go to Settings (or Data protection tab, depending on the view).
  5. Find Send org data to other apps (or similar wording).
  6. Set it to Policy managed apps (not “All apps”).
  7. You should now see an option like Select apps to exempt.
  8. Add the unmanaged app:
    • For iOS/iPadOS
      • You usually add the app by its URL scheme / protocol
        • Example: zoomus, gmeet, googlemaps
    • For Android
      • You usually add the app by its package name
        • Example: com.google.android.apps.meetings
  9. Save the policy.

Result

  • Your core apps remain MAM-protected.
  • They can still send data to the listed exempt app in a controlled way.
  • The exempt app itself is not protected by MAM.

This is helpful when you want integration without fully managing that secondary app.
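
Because every exempt entry is a path for org data to reach an unmanaged app, it is worth reviewing exported policies for them. The following is an added example, not part of the original post: it audits policy JSON for exemptions that are not on an approved list and for policies where transfer is open to all apps. The field names follow Microsoft Graph's managed app protection objects as an assumption to verify against your own export; the policies and the approved list are constructed.

```python
# Constructed sample: two policies shaped like Microsoft Graph managed app
# protection objects (field names are an assumption; check your own export).
POLICIES = [
    {"@odata.type": "#microsoft.graph.iosManagedAppProtection",
     "displayName": "iOS-Core",
     "allowedOutboundDataTransferDestinations": "managedApps",
     "exemptedAppProtocols": [{"name": "Zoom", "value": "zoomus"},
                              {"name": "Maps", "value": "googlemaps"}]},
    {"@odata.type": "#microsoft.graph.androidManagedAppProtection",
     "displayName": "Android-Core",
     "allowedOutboundDataTransferDestinations": "allApps",
     "exemptedAppPackages": [{"name": "Meet",
                              "value": "com.google.android.apps.meetings"}]},
]

# Hypothetical allow-list of exemptions the security team has signed off on.
APPROVED = {"zoomus", "com.google.android.apps.meetings"}

# iOS exemptions are URL schemes, Android exemptions are package names.
EXEMPT_FIELD = {
    "#microsoft.graph.iosManagedAppProtection": "exemptedAppProtocols",
    "#microsoft.graph.androidManagedAppProtection": "exemptedAppPackages",
}

def audit_exemptions(policies, approved):
    """Return (policy, finding, identifier) tuples for review."""
    findings = []
    for p in policies:
        field = EXEMPT_FIELD.get(p.get("@odata.type"))
        if field is None:
            continue  # not an iOS/Android app protection policy
        name = p.get("displayName", "<unnamed>")
        # "Send org data to other apps" should be restricted to managed apps;
        # with allApps the exempt list is moot because everything is allowed.
        if p.get("allowedOutboundDataTransferDestinations") == "allApps":
            findings.append((name, "OPEN_TRANSFER", None))
        for kv in p.get(field) or []:
            if kv["value"] not in approved:
                findings.append((name, "UNAPPROVED_EXEMPTION", kv["value"]))
    return findings

if __name__ == "__main__":
    for finding in audit_exemptions(POLICIES, APPROVED):
        print(finding)
```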


Important: How Conditional Access Affects “Excluding” Apps

If you are using Conditional Access (CA) with rules like:

  • Require app protection policy, or
  • Require approved client app,

then Intune and Entra ID work together like this:

  • CA decides whether the app can access the cloud resource (Exchange, SharePoint, Teams, etc.).
  • MAM decides how the app handles data (copy/paste, save, backup, etc.) once access is allowed.

This has a big impact:

  • If CA says “Require app protection policy for Exchange Online,” any app that tries to access Exchange must:
    • Be an approved client app, and
    • Have a MAM policy applied.

If you then “exclude” an app from MAM (by not targeting it), that app may simply get blocked by Conditional Access instead of working unmanaged.

So:

  • You can’t say “Require MAM for everyone, but let this one app access Exchange without MAM” using just MAM settings.
  • You’d need separate CA policies and groups to allow different access rules.

Common patterns

Pattern 1 – Only protected apps are allowed

  • CA: Require app protection policy for Exchange/SharePoint.
  • MAM: Policy targets the main Microsoft 365 apps (Outlook, Teams, OneDrive).
  • Any excluded app simply cannot access corporate data.

Pattern 2 – Allow one app to stay unmanaged

  • CA:
    • For most users/apps, require app protection policy.
    • For a specific group or scenario, do not require APP for that app or that group.
  • MAM: Do not target the app you want unmanaged, or exclude that user group.
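
The interaction between the two layers can be checked before rollout. The following is an added example, not part of the original post: a simplified model that takes one app protection policy and one Conditional Access policy and reports whether an app ends up protected, blocked, or unmanaged for a user. It assumes Microsoft Graph-style field names, uses placeholder group IDs and a constructed app `com.example.notes`, and ignores CA's cloud-app and platform conditions.

```python
# Constructed sample data; field names follow Microsoft Graph resource shapes
# as an assumption, and the group IDs are placeholders.
MAM_POLICY = {
    "displayName": "Android-Core",
    "apps": [{"mobileAppIdentifier": {"packageId": "com.microsoft.office.outlook"}},
             {"mobileAppIdentifier": {"packageId": "com.microsoft.teams"}}],
    "assignments": [
        {"target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                    "groupId": "grp-all-m365"}},
        {"target": {"@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
                    "groupId": "grp-mam-excluded"}}],
}
CA_POLICY = {
    "displayName": "Require APP for Exchange",
    "conditions": {"users": {"includeGroups": ["grp-all-m365"],
                             "excludeGroups": ["grp-ca-exempt"]}},
    "grantControls": {"builtInControls": ["compliantApplication"]},
}
EXCLUDE = "#microsoft.graph.exclusionGroupAssignmentTarget"

def mam_applies(policy, app_id, groups):
    """True if the app is targeted and the user is assigned and not excluded."""
    targeted = {a["mobileAppIdentifier"].get("packageId")
                or a["mobileAppIdentifier"].get("bundleId") for a in policy["apps"]}
    inc = {a["target"]["groupId"] for a in policy["assignments"]
           if a["target"]["@odata.type"] != EXCLUDE}
    exc = {a["target"]["groupId"] for a in policy["assignments"]
           if a["target"]["@odata.type"] == EXCLUDE}
    return app_id in targeted and bool(groups & inc) and not (groups & exc)

def ca_requires_app_protection(policy, groups):
    """True if the user is in CA scope and the grant requires app protection."""
    users = policy["conditions"]["users"]
    in_scope = (bool(groups & set(users.get("includeGroups", [])))
                and not (groups & set(users.get("excludeGroups", []))))
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    return in_scope and "compliantApplication" in controls

def outcome(app_id, groups, mam=MAM_POLICY, ca=CA_POLICY):
    groups = set(groups)
    if mam_applies(mam, app_id, groups):
        return "protected"
    if ca_requires_app_protection(ca, groups):
        return "blocked-by-ca"      # Pattern 1: excluded app cannot reach data
    return "unmanaged-access"       # Pattern 2: needs a CA carve-out as well
```

Note that a user placed only in the MAM exclusion group comes out as blocked, not unmanaged, until the CA policy excludes them too.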

Design Cheat Sheet

Here’s a quick summary you can use when planning:

  • Exclude app globally
    • In the App Protection Policy, set Target policy to = Selected apps.
    • Only add the apps you want protected.
    • Do not add the app you want to exclude.
  • Exclude for certain users only
    • Keep normal app targeting.
    • In Assignments, add a group in Excluded groups (for example, MAM-Excluded-Users).
  • Allow data to a specific unmanaged app
    • Keep MAM protection on main apps.
    • Use Select apps to exempt in the Data protection settings.
    • Add the app by URL scheme (iOS) or package name (Android).
  • Check Conditional Access
    • If an app you “excluded” cannot sign in or open data, review your CA policies.
    • Look for “Require app protection policy” or “Require approved client app.”

Final Thoughts

MAM in Intune is flexible, but that also means there isn’t a single “exclude app” checkbox. You get that behavior by:

  • Carefully choosing which apps a policy targets.
  • Controlling which user groups receive the policy.
  • Using exempt apps where you need controlled exceptions.
  • Aligning everything with your Conditional Access design.
