Notability for Business — Intune MAM Guide

 

What is Intune MAM?

Microsoft Intune Mobile Application Management (MAM) lets IT admins apply data protection policies to apps with or without requiring full device enrollment (MDM). By integrating the Intune SDK, Notability becomes "managed" — meaning corporate data stays protected within the app's boundaries, even on personal devices (BYOD).

Key distinction from MDM: MAM applies policies at the app level, not the device level. IT controls what data can enter or leave Notability.

 

Availability

  • Platform: iOS only. macOS is not supported.
  • SKU eligibility: Available for all VPP devices with valid Business licenses, and all Business Pro subscriptions.

 

How Intune MAM Works in Notability

When enrolled, Notability enforces the organization's Intune App Protection Policy. The policy is configured by the IT admin in the Intune portal and pushed to enrolled devices. Key policy controls include:

  • Copy/paste restrictions — block copying Notability content to unmanaged apps
  • Export controls — restrict which destinations (Files, cloud services) notes can be sent to
  • Import controls — restrict which sources (OneDrive, Photos, Camera) can send data into Notability
  • Writing Tools — can be blocked via policy

Policy changes take a variable amount of time to reach devices (up to 30 minutes) after being saved in the Intune portal.

 

Setup / Enablement

Step 1 — Enable Intune MAM

Config A: MDM-enrolled + Company Portal

Step 1 — Add Notability to the approved apps list

  1. Sign in to the Microsoft Intune admin center.
  2. Go to Apps → App protection policies; open the relevant policy or create one for iOS/iPadOS (or Android).
  3. On the policy's Apps page, select Custom apps and enter bundle ID com.gingerlabs.notability.
  4. Add the app, click Next through the remaining settings, and Save.
  5. Confirm the policy is assigned to the correct user group(s) on the Assignments page.

Step 2 — Set the app configuration key/value pair

  1. Go to Apps → App configuration policies → Create (or edit the existing one).
  2. Choose Managed apps as the policy type (delivered through the MAM channel, not device enrollment).
  3. Name it (e.g. "Notability MAM Config") and select Notability as the Targeted app.
  4. On Settings, add: Configuration Key Intune MAM Required, Value Type Boolean, Value true.
    • Option A — XML plist format:
        <dict>
          <key>Intune MAM Required</key>
          <true/>
        </dict>
    • Option B — Key/value pair format:
        Configuration Key: Intune MAM Required
        Value Type: Boolean
        Configuration Value: true
  5. Assign to the same group(s) as the App Protection Policy in Step 1.
  6. Review and Create/Save.

Step 3 — Grant admin consent for Notability

  1. Go to the Microsoft Entra admin center.
  2. Identity → Applications → Enterprise applications, search for Notability.
  3. Open the app's Permissions page.
  4. Select Grant admin consent for [organization] and confirm. Each listed permission should update to show consent granted.

Config B: BYOD/MAM-ONLY

  1. Enable Intune MAM in Notability:
    • Open Notability and go to Settings
    • Navigate to Organization (owners only — members will not see this section)
    • Scroll to the Feature Controls section
    • Toggle On - Microsoft Intune
  2. Log into the Intune portal as an admin.
  3. Navigate to: Apps → Manage apps - Protection → [Your Notability Policy] → Manage - Properties
  4. Configure settings in the Data Protection section:
    • Send org data to other apps — controls export destinations
    • Receive data from other apps — controls import sources
    • Restrict cut, copy, and paste between other apps — copy/paste policy
  5. Go to the Microsoft Entra admin center.
    1. Identity → Applications → Enterprise applications, search for Notability.
    2. Open the app's Permissions page.
    3. Select Grant admin consent for [organization] and confirm. Each listed permission should update to show consent granted.

Step 2 — Confirm Enrollment

After the MDM profile is pushed to a device, the user launches Notability and logs in with their Microsoft/org credentials. Enrollment is confirmed when Intune policies begin enforcing.

 

Feature Behavior by Policy Setting

| Policy Setting | When Allowed | When Blocked |
|---|---|---|
| Export to Files | Works normally | Alert shown; action prevented |
| Export to cloud services (GDrive, etc.) | Works normally | Blocked (may require MDM config adjustment) |
| Import from OneDrive / Outlook | Works normally | Blocked with alert |
| Photos / Camera in media panel | Visible and usable | Hidden from media popover |
| Copy/paste to other apps | Pastes normally | Pastes as "Your organization's data cannot be pasted here." |
| Writing Tools | Available | Blocked; alert displayed |
| App share extension (from Outlook/OneDrive) | Import succeeds | Blocked per policy |

 

FAQs

Q: How does the SDK work with MDM?

  • Before the SDK: Notability wasn't a policy-managed app. On MDM-enrolled devices, Outlook's "Policy managed apps with OS sharing" setting handed files to Notability unencrypted, relying on the OS managed-open-in boundary. Imports "just worked" because nothing was encrypted in the first place.
  • After the SDK: Notability looks like a MAM-capable peer, so the sender routes the transfer over the encrypted MAM protected-sharing channel, expecting the receiving SDK to decrypt at the boundary.
  • The break: installing via Company Portal gives MDM management but does not complete MAM enrollment, so Notability has the SDK but no enrolled identity/keys. The encrypted payload arrives with nothing to decrypt it (raw MSMAM-headered bytes) and the import fails.
  • The fix: finish what the SDK started: make Notability a properly managed/enrolled MAM participant, so the SDK can decrypt.

Q: Are there workarounds for MDM?

Open the file in another unmanaged app first, then open it in Notability. Note this routes around the protected path, so set expectations accordingly.

Q: "We want it to work like it used to" without MAM applying

This is fundamentally incompatible with shipping the SDK — the supported answer is enrollment, not opting back out of the encrypted path. Escalate as a relationship/expectations conversation, not a config fix.

Q: App ID change: a new Azure AD enterprise app ID (7d23192f-46ca-41d7-8f82-ae00542a4172) replaced the older OneDrive-autobackup one (535d1baf-a26f-4c40-82af-ddf3e1aaebe2). Customers may see the new app ID in sign-in logs around the time issues started. 

Q: Does MAM require the device to be enrolled in MDM?

No. MAM operates at the app level. The device does not need to be MDM-enrolled.

Q: What happens if Feature Controls and Intune policies conflict?

Most restrictive wins. A setting in Notability's Business Feature Controls that restricts a capability will take precedence even if the Intune policy would allow it, and vice versa.

Q: Does Intune MAM work on Mac?

No. iOS only. macOS Catalyst is explicitly not supported.

Q: How long do policy changes take to propagate?

Typically 2–5 minutes from saving in the Intune portal to taking effect on device.

Q: Can users log out of the app while enrolled?

Some enterprise MDM configurations prevent users from logging out. This behavior is controlled by the MDM policy, not Notability.

Q: Will adding the Intune MAM Required key enroll Notability even if we don't have a Notability-specific MAM policy configured?

Yes. If no explicit Notability MAM policy exists in your Intune tenant, Microsoft will apply default app protection policy settings. Confirm the intended policy configuration with your IT admin before deploying the key.

 

Troubleshooting

Problem: Intune enrollment not triggering after MDM profile is pushed

  • Confirm the Intune MAM Required key is set to true (Boolean, not string) in the App Configuration profile
  • Confirm the profile is scoped to the correct device/user group
  • In debug builds only: use the MDM Configuration Debug screen to manually enable "Intune MAM Required"
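
A check for the first point above, as an added example (not Notability's or Microsoft's code): it parses the XML form of the app configuration and reports when the key is missing, misspelled, or carried as a string instead of a Boolean. The function names and sample inputs are constructed for illustration, and the requirement that the key match exactly is an assumption.

```python
import plistlib
from xml.parsers.expat import ExpatError

REQUIRED_KEY = "Intune MAM Required"  # key name as given in this guide


def _squash(name):
    """Lower-case and drop non-alphanumerics so near-miss spellings compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def check_mam_config(xml_text):
    """Return a list of problems; an empty list means the key is Boolean true."""
    body = xml_text.strip()
    # The guide's Option A is a bare <dict> fragment; plistlib needs a <plist> root.
    if not body.startswith(("<?xml", "<plist")):
        body = '<plist version="1.0">' + body + "</plist>"
    try:
        config = plistlib.loads(body.encode("utf-8"))
    except (ExpatError, ValueError) as exc:
        return [f"not a parseable plist: {exc}"]
    if not isinstance(config, dict):
        return ["top-level element is not a <dict>"]
    if REQUIRED_KEY not in config:
        # Assumption: the key must match exactly, so flag look-alike spellings.
        near = [k for k in config if _squash(k) == _squash(REQUIRED_KEY)]
        if near:
            return [f"key {near[0]!r} does not exactly match {REQUIRED_KEY!r}"]
        return [f"key {REQUIRED_KEY!r} is missing"]
    value = config[REQUIRED_KEY]
    if value is True:
        return []
    if value is False:
        return ["value is Boolean false, not true"]
    return [f"value is {type(value).__name__} {value!r}, not Boolean true"]


# Constructed sample inputs (not taken from a real tenant).
GOOD = "<dict>\n  <key>Intune MAM Required</key>\n  <true/>\n</dict>"
AS_STRING = "<dict><key>Intune MAM Required</key><string>true</string></dict>"
MISSPELLED = "<dict><key>IntuneMAMRequired</key><true/></dict>"

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("string", AS_STRING), ("misspelled", MISSPELLED)]:
        print(label, check_mam_config(sample) or "OK")
```
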

Problem: Import/export not being blocked even with a restrictive policy

  • Policy changes can take 2–5 minutes. Wait and retry.
  • Confirm the policy is saved and assigned to the correct user group in the Intune portal

Problem: Share extension from Outlook/OneDrive not working

  • Ensure the Intune policy allows sharing between "Policy Managed Apps"

Problem: Sharing from Outlook into Notability fails with NSItemProviderErrorDomain error -1000

  • Complete the setup steps above

 

 

 
