Intune Customer Success
New block screen capture for iOS/iPadOS MAM protected apps

Intune_Support_Team
Jan 14, 2025

Following the announcement of Microsoft Intune support for Apple Intelligence, we recently introduced support to block screen capture for mobile application management (MAM) protected apps. This blog provides details of the default screen capture behavior to help you understand how it affects your users and the settings available to change the default behavior.

Background

Previously, for iOS/iPadOS, there were no controls to limit screen captures per application, per user or without device enrollment. This resulted in a gap for organizations with only MAM protection.

As part of our secure-by-default commitment, the new default behavior for your MAM-protected app may have changed. Now, based on your Intune app protection policy settings, when a user attempts to screen capture or share the screen from a managed account within a MAM-protected app, a blank screen will be captured instead of the actual screen image.

How the MAM block screen capture works

In Intune, screen capture is controlled using the existing Send Org data to other apps setting within the Data Protection section of the iOS app protection policy (APP) and is blocked if both of the following conditions are met:

  • The app (Microsoft apps, third-party apps, or your line-of-business (LOB) app) is updated to use Intune App SDK v19.7.6 or later for Xcode 15 and v20.2.1 or later for Xcode 16.
  • The app is targeted by APP and the setting Send Org data to other apps is set to “None” or any of the “Policy managed apps...” values.

If Send Org data to other apps is configured to “All Apps”, the screen capture for your MAM protected apps isn’t blocked.

 

Changing the default MAM screen capture block

For some scenarios, you may wish to allow screen capture while retaining the existing APP configuration, such as allowing screen capture and sharing to policy managed apps.

Therefore, we introduced a Managed app configuration key, "com.microsoft.intune.mam.screencapturecontrol = Disabled", to override the default behavior. To allow screen capture on iOS devices targeted with an app protection policy, follow these steps:

  1. Navigate to the Microsoft Intune admin center.
  2. Select Apps > App configuration policies > Create > Managed apps.

    Example of creating a new managed app configuration policy in the Microsoft Intune admin center.

     

  3. On the Basics page, select the apps you wish to target. For this example we’ve selected Outlook (iOS/iPadOS), Teams (iOS/iPadOS) and an LOB app.

    Example of creating a new managed app configuration policy in the Microsoft Intune admin center, including the blog recommended Settings catalog configurations assigned.

     

  4. On the Settings page, within the "General configuration settings" section, add the key "com.microsoft.intune.mam.screencapturecontrol" with the value "Disabled".

    Example of creating a new managed app configuration policy in the Microsoft Intune admin center, highlighting the "General configuration settings" section, with the key: "com.microsoft.intune.mam.screencapturecontrol" with the value "Disabled" configured.

     

  5. Assign the configuration policy to the users who you want to target with the override setting.

For more details, refer to Add an app configuration policy for managed apps on iOS/iPadOS and Android devices.
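
The two blocking conditions and the override key described above, written as a small audit over an app inventory. This is an added example, not Microsoft's code and not an Intune or Graph schema: the record fields, the sample inventory and the exact-match handling of the key's value are assumptions, and it does not query Intune.

```python
from dataclasses import dataclass

# Minimum Intune App SDK versions stated in the post, keyed by Xcode major version.
MIN_SDK = {15: (19, 7, 6), 16: (20, 2, 1)}
OVERRIDE_KEY = "com.microsoft.intune.mam.screencapturecontrol"

@dataclass
class ManagedApp:        # hypothetical inventory record (assumption)
    name: str
    xcode: int           # Xcode major version the app's SDK build targets
    sdk_version: str     # Intune App SDK version integrated in the app
    send_org_data: str   # "Send Org data to other apps" value from the APP
    app_config: dict     # managed app configuration keys assigned to the user

def parse_version(text):
    """Turn 'v19.7.6' or '19.8' into a comparable tuple; missing parts are 0."""
    parts = [int(p) for p in text.strip().lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def screen_capture_state(app):
    """Return (blocked, reason); blocked is None when the post gives no rule."""
    minimum = MIN_SDK.get(app.xcode)
    if minimum is None:
        return None, "no SDK minimum stated for this Xcode version"
    if parse_version(app.sdk_version) < minimum:
        return False, "SDK older than " + ".".join(map(str, minimum))
    if app.send_org_data.strip().lower() == "all apps":
        return False, "Send Org data to other apps is All apps"
    # Exact match on the value is an assumption; the post only shows "Disabled".
    if app.app_config.get(OVERRIDE_KEY) == "Disabled":
        return False, "override key set to Disabled"
    return True, "SDK and data transfer conditions met, no override"

# Constructed sample inventory for illustration only.
SAMPLE = [
    ManagedApp("mail-app", 16, "20.2.1", "None", {}),
    ManagedApp("chat-app", 16, "20.3.0", "None", {OVERRIDE_KEY: "Disabled"}),
    ManagedApp("lob-app", 15, "19.7.5", "None", {}),
    ManagedApp("docs-app", 15, "19.8", "All apps", {}),
]

def audit(apps):
    """Map each app name to its (blocked, reason) result."""
    return {a.name: screen_capture_state(a) for a in apps}

if __name__ == "__main__":
    for name, (blocked, reason) in audit(SAMPLE).items():
        print(f"{name:9} {'BLOCKED' if blocked else 'not blocked'}  {reason}")
```

An app reported as not blocked because of an old SDK still needs attention: the block starts applying once the app updates, unless the override key is assigned.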

 

Conclusion

To keep your organization secure, based on your policy, all screen capture attempts are blocked for MAM protected apps. The managed app configuration settings detailed in this blog allow you to override the default settings to meet any specific requirements within your organization.

Stay tuned to What's new in Microsoft Intune for future improvements to the blocking screen capture capabilities and more Apple Intelligence features.

Let us know if you have any questions by leaving a comment on this post or reaching out on X @IntuneSuppTeam.

Updated Feb 20, 2025
Version 4.0
  • rroehren
    Occasional Reader

    What about the differentiation between taking a screenshot and sharing the screen via Teams or via AirPlay? We want to disable screenshots and to enable sharing the screen via Teams or via AirPlay. How can this be done, when a protection policy covers all managed apps, mostly Office 365 apps?

    • midsommaria
      Microsoft

      Great question! I was actually testing this feature out today. It seems like you're still able to screen share from Teams as normal; however, when screen sharing, managed apps will display a black screen. I tested it in a live Teams meeting and it was showing a black screen since I was in Teams, but when I exited out and shared my main screen, it was visible, as well as other non-managed apps.

  • IntuneGuy5
    Copper Contributor

    Intune_Support_Team What if people are using managed device policies for their application configurations? How will this managed app policy conflict or work with a managed device policy? What do you recommend for those using managed device policies? Do we need to move to managed app policies now? Why is this not supported in managed device apps?

  • JSal
    Copper Contributor

    Greetings Intune_Support_Team 

    In a previous comment you asked for a DM for a situation in which we need to apply an exception policy (allow screenshots) to MDM devices, as opposed to named individuals/groups of individuals.

     

    Can you share the process to do this? I need to be able to support screenshots on managed devices, while not allowing it on (users) personal devices. 

     

    Thank you. 

    • Sanggaa_Honeywell
      Brass Contributor

      It's vice versa, JSal.

      Use Disabled as the value for allowing screenshots

      and use Enabled as the value for blocking screenshots, and based on your requirement assign the groups; it will be solved.

      • Amitv_V
        Copper Contributor

        I have added the value as Enabled; however, this setting is working for all other apps except MS Outlook. Any suggestion or reason for it? In App protection I have selected all Core Apps, and in Managed app config I have also selected MS Core apps.

  • CorMar810
    Copper Contributor

    Will there be an ability to force where those files are saved at any point? It's great to get screenshots, but from testing it just puts the image in the iOS user's personal photos apps.

  • cgolebiowski
    Copper Contributor

    Can it be assigned to only Intune enrolled or MDM enrolled devices as opposed to users?

    • Intune_Support_Team
      Microsoft

      Hi cgolebiowski 

      This feature applies to MAM protected apps in the context of screen capture or sharing the screen from a managed user account. Though if there's a scenario which you are trying to achieve relating to MDM devices, feel free to drop us a DM, and we'd be happy to help! 

      Thanks!

      • Sanggaa_Honeywell
        Brass Contributor

        There should be a feature to block the email tag as Confidential from Outlook app. 
        If we allow users to take screenshot but to restrict them from Confidential emails. 

  • Jchetan
    Copper Contributor

    Hello Everyone,

    Can someone please confirm, does this setting work for other MS applications like OneNote, MS List, MS To-Do, MS Word, Excel, PowerPoint, etc.?

     

    Thanks

    Chetan

    • MichaelG75
      Copper Contributor

      Same setting for all apps. You can set it to All Microsoft Apps if you don't want to keep track of when an app gets the new SDK.

  • Simon_Liu2165
    Copper Contributor

    Why is there no granularity to the control? This effectively makes remote support of devices impossible unless we allow screen capture for everyone in all apps. 

    • Intune_Support_Team
      Microsoft

      Hi Simon_Liu2165 

       

      Just checking in to see if the managed app configuration key setting detailed in the blog allows you to override the default settings to achieve the intended goal?

       

      Keep us posted!

      Thanks!

  • Hi casse1k & paddy_braun 

     

    We appreciate your feedback, and we're always listening to the community on how we can improve features and our docs. We'll definitely take this onboard and liaise with the team internally to see how we can better align this blog with our docs. Additionally, for feature improvements, we'd love to hear it in our Intune Feedback hub: aka.ms/IntuneFeedback where other customers can vote and comment on this suggestion 🙂

     

    Thanks again for the feedback!

    Intune Support Team

  • paddy_braun
    Copper Contributor

    Now it would be nice, if you added this kind of documentation to the Microsoft Learn articles. Currently the only thing you find there is this article:
    https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios#data-protection
    and there is a little info box: 
    "Important

    For apps that have updated to v19.7.6 or later for Xcode 15 and v20.2.1 or later for Xcode 16 of the SDK, screen capture block will be applied if you have configured Send Org data to other apps setting to a value other than "All apps". You can configure app configuration policy setting com.microsoft.intune.mam.screencapturecontrol = Disabled (Apps > App configuration policies > Create > Managed apps > under the Settings step, select General configuration settings) if you need to allow screen capture for your iOS devices."

    At least there should be a cross reference to this techcommunity post.

  • casse1k
    Copper Contributor

    Any plans to implement an option to disable the screen capture block within the App Protection policy? It would make much more sense to have it there than as an app config key.