Following the announcement of Microsoft Intune support for Apple Intelligence, we recently introduced support to block screen capture for mobile application management (MAM) protected apps. This blog provides details of the default screen capture behavior to help you understand how it affects your users and the settings available to change the default behavior.
Background
Previously, for iOS/iPadOS, there were no controls to limit screen captures per application, per user or without device enrollment. This resulted in a gap for organizations with only MAM protection.
As part of our secure-by-default commitment, the new default behavior for your MAM-protected app may have changed. Now, based on your Intune app protection policy settings, when a user attempts to screen capture or share the screen from a managed account within a MAM-protected app, a blank screen will be captured instead of the actual screen image.
How the MAM block screen capture works
In Intune, screen capture is controlled using the existing "Send Org data to other apps" setting within the Data Protection section of the iOS app protection policy (APP) and is blocked if both of the following conditions are met:
- The app (Microsoft apps, third-party apps, or your line-of-business (LOB) app) is updated to use Intune App SDK v19.7.6 or later for Xcode 15 and v20.2.1 or later for Xcode 16.
- The app is targeted by APP and the setting Send Org data to other apps is set to “None” or any of the “Policy managed apps...” values.
If Send Org data to other apps is configured to “All Apps”, the screen capture for your MAM protected apps isn’t blocked.
Changing the default MAM screen capture block
For some scenarios, you may wish to allow screen capture while retaining the existing APP configuration, such as allowing screen capture and sharing to policy managed apps.
Therefore, we introduced a managed app configuration key, "com.microsoft.intune.mam.screencapturecontrol" = "Disabled", to override the default behavior. To allow screen capture on iOS devices targeted with an app protection policy, follow these steps:
- Navigate to the Microsoft Intune admin center.
- Select Apps > App configuration policies > Create > Managed apps.
- On the Basics page, select the apps you wish to target. For this example we’ve selected Outlook (iOS/iPadOS), Teams (iOS/iPadOS) and an LOB app.
- On the Settings page, within the "General configuration settings" section, add the key "com.microsoft.intune.mam.screencapturecontrol" with the value "Disabled".
- Assign the configuration policy to the users who you want to target with the override setting.
For more details, refer to Add an app configuration policy for managed apps on iOS/iPadOS and Android devices.
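As an added example (not Microsoft's code and not part of the original post), the following Python audit applies the two blocking conditions and the override key described above to an app inventory and flags apps where screen capture is not confirmed as blocked. The inventory records, app names and field names are hypothetical and constructed; matching the override value "Disabled" exactly (case-sensitive) is an assumption.

```python
OVERRIDE_KEY = "com.microsoft.intune.mam.screencapturecontrol"
# Minimum Intune App SDK version per Xcode major version, as stated in the post.
MIN_SDK = {15: (19, 7, 6), 16: (20, 2, 1)}


def parse_version(text):
    """Turn 'v19.7.6' or '20.2.1' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.lstrip("vV").split("."))


def screen_capture_state(app):
    """Return (blocked, reason) for one hypothetical inventory record."""
    minimum = MIN_SDK.get(app["xcode"])
    if minimum is None:
        return False, "Xcode version not covered by the post"
    if parse_version(app["sdk"]) < minimum:
        return False, "SDK older than " + ".".join(map(str, minimum))
    if not app["targeted"]:
        return False, "not targeted by an app protection policy"
    setting = app["send_org_data"]
    if setting == "All Apps":
        return False, "Send Org data to other apps is All Apps"
    if setting != "None" and not setting.startswith("Policy managed apps"):
        return False, "unrecognised Send Org data value"
    # Assumption: the override value is compared exactly as the post writes it.
    if app.get("config", {}).get(OVERRIDE_KEY) == "Disabled":
        return False, "override key set to Disabled"
    return True, "blocked by default"


# Constructed inventory for illustration only; names and versions are made up.
INVENTORY = [
    {"name": "app-a", "sdk": "20.2.1", "xcode": 16, "targeted": True,
     "send_org_data": "None", "config": {}},
    {"name": "app-b", "sdk": "v19.7.6", "xcode": 15, "targeted": True,
     "send_org_data": "Policy managed apps", "config": {OVERRIDE_KEY: "Disabled"}},
    {"name": "app-c", "sdk": "19.7.5", "xcode": 15, "targeted": True,
     "send_org_data": "None", "config": {}},
    {"name": "app-d", "sdk": "20.3.0", "xcode": 16, "targeted": True,
     "send_org_data": "All Apps", "config": {}},
]


def audit(inventory):
    """Map each app name to its (blocked, reason) result."""
    return {app["name"]: screen_capture_state(app) for app in inventory}


if __name__ == "__main__":
    for name, (blocked, reason) in audit(INVENTORY).items():
        print(f"{name}: {'BLOCKED' if blocked else 'NOT BLOCKED'} ({reason})")
```

Any app reported as not blocked is a candidate for review: either the app needs a newer SDK build, the policy setting allows all apps, or the override key has been assigned to its users.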
Conclusion
To keep your organizations secure, based on your policy, all screen capture attempts are blocked for MAM protected apps. The managed app configuration settings detailed in this blog allow you to override the default settings to meet any specific requirements within your organization.
Stay tuned to What's new in Microsoft Intune for future improvements to the blocking screen capture capabilities and more Apple Intelligence features.
Let us know if you have any questions by leaving a comment on this post or reaching out on X @IntuneSuppTeam.