App Configuration: Managed Apps & Managed Devices

What are app configuration policies?

Two delivery channels

App Configuration: Managed Devices vs Managed Apps

Feature	Managed Devices	Managed Apps
Device enrollment required	Yes — MDM enrolled	No — works on unenrolled BYOD
Delivery mechanism	MDM channel (device-level)	MAM channel (app-level)
Supported platforms	iOS, Android, Windows (limited)	iOS, Android
Configuration format	XML or key-value pairs via MDM	Key-value pairs via Intune App SDK
Best for	Corporate-owned devices with full management	BYOD devices with app protection policies
Works with	Any MDM-managed app	Apps integrated with Intune App SDK/App Wrapping Tool

When to use which

Scenario	Channel
Corporate iPhone enrolled in Intune — configure Outlook email account	Managed Devices
Personal Android phone (not enrolled) — configure Outlook email account	Managed Apps
Corporate Windows laptop — configure Edge browser homepage	Managed Devices (or Intune config profile)
Any device — configure a LOB app with specific backend URL	Managed Apps (if app supports it)

Common app configuration scenarios

Outlook email configuration

The most common use case — auto-configure Outlook so users don’t manually enter server settings:

Key	Value	Purpose
com.microsoft.outlook.EmailProfile.EmailAccountName	User display name	Shows in account list
com.microsoft.outlook.EmailProfile.EmailAddress	User email (use token: {{mail}})	Pre-fills email address
com.microsoft.outlook.EmailProfile.EmailUPN	User UPN (use token: {{userprincipalname}})	Authentication identity
com.microsoft.outlook.EmailProfile.ServerAuthentication	ModernAuthentication	Use modern auth (not basic)

Token replacement

Intune supports dynamic tokens that are replaced with user-specific values:

Token	Replaced With
{{userprincipalname}}	User’s UPN (e.g., sam@tuisolutions.com)
{{mail}}	User’s email address
{{partialupn}}	UPN prefix (e.g., “sam” from sam@tuisolutions.com)
{{AccountId}}	Intune account ID
{{deviceid}}	Intune device ID
{{userid}}	Intune user ID

Sam uses tokens to create a single configuration policy that auto-configures Outlook for all 500 Tui Solutions users — each user gets their own email address populated automatically.

Edge browser configuration

Key	Value	Purpose
com.microsoft.intune.mam.managedbrowser.homepage	https://intranet.tuisolutions.com	Set default homepage
com.microsoft.intune.mam.managedbrowser.bookmarks	JSON array of bookmarks	Pre-load company bookmarks

💡 Exam tip: managed apps vs managed devices confusion

The exam tests whether you know which channel to use:

• If the device is enrolled → you can use either channel, but Managed Devices is preferred (more reliable delivery, supports XML)
• If the device is NOT enrolled (BYOD) → you MUST use Managed Apps channel (MDM channel requires enrollment)
• If both are configured for the same app → Managed Devices takes priority on enrolled devices

Common trap: “An admin configures an app configuration policy using the Managed Devices channel for a BYOD phone.” This won’t work — BYOD isn’t enrolled, so the MDM channel can’t deliver the config.

ℹ️ Deep dive: apps that support configuration

Not every app supports app configuration. The app must be built with one of:

• Intune App SDK — embedded in the app code (most Microsoft apps: Outlook, Teams, Edge, OneDrive)
• App Wrapping Tool — wraps an existing app with Intune management layer
• Android Enterprise managed configurations — standard Android feature, supported by many apps (Zoom, Chrome, etc.)
• iOS managed app configuration — Apple’s MDM standard for delivering key-value pairs

Check the app’s documentation to see which configuration keys are supported. Microsoft publishes configuration keys for all their apps.

🎬 Video walkthrough

Flashcards

Question

What's the difference between Managed Devices and Managed Apps app configuration?

Click or press Enter to reveal answer

Answer

Managed Devices: requires MDM enrollment, delivers config via device MDM channel, supports XML. Managed Apps: no enrollment needed, delivers config via app-level MAM channel, uses key-value pairs. Use Managed Devices for corporate devices, Managed Apps for BYOD.

Click to flip back

Question

What are Intune configuration tokens and what do they do?

Click or press Enter to reveal answer

Answer

Tokens like {{userprincipalname}}, {{mail}}, and {{deviceid}} are placeholders in app configuration policies. Intune replaces them with actual user/device values at delivery time. This lets you create one policy that auto-configures for every user.

Click to flip back

Show hint

Question

Which channel must you use for app configuration on unenrolled BYOD devices?

Click or press Enter to reveal answer

Answer

Managed Apps channel — the Managed Devices (MDM) channel requires device enrollment and won't work on unenrolled BYOD devices.

Click to flip back

Knowledge Check

Knowledge Check

Sam creates an app configuration policy to auto-configure Outlook email for all Tui Solutions employees. He uses the Managed Devices channel. It works on corporate laptops but not on a contractor's personal phone (Entra Registered, not MDM enrolled). Why?

AOutlook doesn't support app configuration on mobile devicesBThe Managed Devices channel requires MDM enrollment — the contractor's personal phone isn't enrolledCApp configuration policies only work on Windows devicesDThe contractor needs an Intune Suite licence for app configuration

Check Answer

Knowledge Check

Riko wants Outlook on all devices at Pixel & Co to automatically configure with each user's email address — without creating individual policies for each of the 80 users. What should she use?

ACreate 80 individual app configuration policies, one per userBUse a single policy with the {{mail}} token — Intune replaces it with each user's email addressCConfigure Outlook manually on each device during setupDUse a PowerShell script to set the email address on each device

Check Answer

---

Next up: Endpoint Security: Antivirus, Firewall & Encryption — the first line of defense for your managed devices.