This week is a short follow-up on a post of a few months ago about getting started with Mobile Application Management (MAM) for Windows. That post was really focused on getting started with MAM for Windows, while this post focuses on what comes after that. The concept and the basic configuration of MAM for Windows are pretty straightforward once you are familiar with the available configuration options. However, it gets more challenging when verifying the configuration and the behavior, especially when there is not that much information available. Neither the (location of the) log file nor the process to verify the applied configuration is well documented. This post will provide answers to those questions. It will describe where to find the log file and how to read it. Besides that, it will describe different methods to verify the configuration.
Verifying the applied configuration
At this moment, the only supported app with MAM for Windows is Microsoft Edge. After enrolling the work account in Microsoft Edge for MAM, there are actually two methods for verifying the applied configuration: the easy method, which gives a more general overview, and the more difficult method, which gives a bit more detail. Let’s start with the easy method. That’s by simply opening Microsoft Edge for the work account and navigating to edge://edge-dlp-internals/, as shown below in Figure 1 and Figure 2. That provides an overview of the enabled features and the applied policies. The Feature Flags for Data Loss Prevention table should contain msMamDlp as Enabled, the Status of Data Loss Prevention Providers table should contain Mam Intune Data Loss Prevention (Mam Dlp) as Available, and the MAM DLP Policy Settings table should contain an overview of the applied configuration.
Alternatively, the more difficult method is by looking at the MamCache.json file that is located at C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data. That file contains CloudEnvironment, Enrollment, Identity, Location, Policy, Preproduction, and TenantId properties per user. Together, those properties describe the configuration of MAM for the specific user. The Enrollment, Location and Policy properties are all Base64 encoded. So, for a better understanding of the applied configuration, both app protection and app configuration, simply copy the value of the Policy property (as shown below in Figure 3) to any Base64 decoder (as shown below in Figure 4). That provides an overview of the applied configurations: not just the app protection policy, but also the app configuration policy. The highlighted section shows in yellow the applied app protection policy and in blue the applied app configuration.
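Decoding the value locally keeps tenant and identity data away from third-party decoder sites. The PowerShell below is an added example, not code from the original post. It assumes the decoded payload is UTF-8 text and, because the layout of the file is not documented, it walks the whole JSON tree; the function names and the sample values are constructed for illustration.

```powershell
# Added example: decode the Base64 properties of MamCache.json locally.
# Assumptions: the file layout is undocumented, so the whole JSON tree is
# walked; the decoded payload is treated as UTF-8 text.
$Base64Properties = 'Enrollment', 'Location', 'Policy'

function ConvertFrom-MamBase64 {
    param([string]$Value)
    try {
        return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Value))
    } catch {
        return $null   # value is not valid Base64
    }
}

function Get-MamCacheDecoded {
    param($Node, [string]$Path = '$')
    if ($Node -is [System.Management.Automation.PSCustomObject]) {
        foreach ($prop in $Node.PSObject.Properties) {
            $childPath = "$Path.$($prop.Name)"
            if ($prop.Name -in $Base64Properties -and $prop.Value -is [string]) {
                [pscustomobject]@{ Path = $childPath; Decoded = ConvertFrom-MamBase64 $prop.Value }
            } else {
                Get-MamCacheDecoded -Node $prop.Value -Path $childPath
            }
        }
    } elseif ($Node -is [System.Collections.IEnumerable] -and $Node -isnot [string]) {
        $index = 0
        foreach ($item in $Node) {
            Get-MamCacheDecoded -Node $item -Path "${Path}[$index]"
            $index++
        }
    }
}

# Constructed sample, not real tenant data; the nesting shown is an assumption.
$encoded = [Convert]::ToBase64String(
    [Text.Encoding]::UTF8.GetBytes('{"constructedSetting":"constructedValue"}'))
$sample = @"
[{"Identity":"user@example.com","TenantId":"00000000-0000-0000-0000-000000000000","Policy":"$encoded"}]
"@ | ConvertFrom-Json
Get-MamCacheDecoded -Node $sample | Format-List

# Real file, at the path given in the post:
# $cache = Get-Content "$env:LOCALAPPDATA\Microsoft\Edge\User Data\MamCache.json" -Raw | ConvertFrom-Json
# Get-MamCacheDecoded -Node $cache | Format-List
```

A `Decoded` value that is empty or unreadable means the property was not valid Base64 or the payload is not UTF-8 text.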
Besides that, it’s of course also possible to open Microsoft Edge for the work account and navigate to edge://policy to view the applied app configuration. That’s basically the easy method for verifying the applied app configuration. This is the same procedure as in other situations in which Microsoft Edge is managed and the whole device is managed.
Locating and verifying the MAM log file
Like with any management solution, the best method to verify the behavior is by having a look at a log file. That is also applicable to MAM for Windows. Luckily, there is a log file available at C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data. That is the MamLog.txt file. That log file contains information about the enrollment process, the applied policies, and the check-ins with the MAM service. Below in Figure 5 and 6 are some examples of following that process. It starts with the initial enrollment and the requested policy, followed by an error on the MTD service. That can happen, for example, when the connector isn’t configured yet. After that, it shows the behavior of the offline timeout, followed by the restore of the user.
More information
For more general information about MAM for Microsoft Edge and Conditional Access, refer to the following docs.
- Microsoft Edge app protection policy settings for Windows MAM – Microsoft Intune | Microsoft Learn
- Conditional Access – Require app protection policy for Windows – Microsoft Entra | Microsoft Learn
- Enable the Mobile Threat Defense connector for unenrolled devices – Microsoft Intune | Microsoft Learn
Thanks, very useful.
Where did you find the documentation related to mamlog.txt and mamcache.json files?
Hi Alexandre,
I did not find the documentation around those files. That’s all based on personal research.
Regards, Peter
Do you know if there’s a way to display the user check-in data from the Intune portal? All I can find is the user count, and the Troubleshooting + support page doesn’t include Windows for app protection policy observation.
You can use the App Protection status report under Apps > Monitor.
Regards, Peter