We’ve waited for this one for a long time! Intune now offers the ability to block screenshots in MAM protected apps on iOS/iPadOS. A feature we’ve had on Android for quite some time.
However, unlike Android, where blocking screenshots involves a simple toggle in the app protection policy, iOS handles it differently with a secure-by-default approach. By default, screenshots and screen recordings stop working for all MAM-protected apps. To allow them, you must create a separate App Configuration Policy.
This feature uses the latest Intune App SDK and works alongside app protection policies. When you configure the Send Org data to other apps setting to anything other than All apps, the SDK automatically enforces screenshot blocking. Managed apps restrict screen capture attempts by intercepting them and replacing the screen content with a black overlay. For example, in Outlook, users see a black screen instead of sensitive content when trying to capture a screenshot. This ensures corporate data stays secure without requiring additional setup.
Microsoft announced this long-awaited update in their official blog post, and it’s a big step forward for enhancing security in BYOD (Bring Your Own Device) scenarios.
The app (Microsoft apps, third-party apps, or your line-of-business (LOB) app) must be updated and use the Intune App SDK v19.7.6 or later for Xcode 15 and v20.2.1 or later for Xcode 16.
How to Use or Adjust Screenshot Blocking
Blocking screenshots is enabled by default for all MAM-protected apps in iOS/iPadOS.
Here's how you can allow screenshots if needed:
- Open the Microsoft Intune Admin Center.
- Navigate to Apps > App configuration policies.
- Click on + Create > Managed apps to create a new policy.
- Give it a meaningful namen and an optional description.
- To target apps you can use the same options you have in your App Protesion policy (MAM) or add just specific applications like I have it in my example.
- In the Settings catalog blade you can't add anthing.
- In the Settings section, choose General configuration settings and add the key like this:
- Name:
com.microsoft.intune.mam.screencapturecontrol
- Value:
Disabled
- Name:
- Assign the policy to the required users or devices.
Here it's very important to use a User group, since devices are not managed via MAM. - Save and deploy the policy.
âšī¸ The deployment can take a while; in my test it took between 14 and 24 hours.
My Take
This feature is a long-overdue addition to Intune’s MAM capabilities and a critical step for protecting corporate data in BYOD scenarios. The secure-by-default approach makes it easy for organizations to enforce this security measure right out of the box, ensuring data protection without additional configuration.
That said, I really wish the implementation to block screenshots in iOS MAM was as intuitive as it is on Android, where a simple toggle in the App Protection Policy does the job. For comparison, I’ll add a screenshot of the Android policy below, highlighting the toggle for clarity.
While iOS requires a bit more effort, this update closes a significant gap and aligns Intune’s functionality across platforms.