Acquire a token that carries the DeviceManagementApps.ReadWrite.All permission, via either the client credentials flow or a delegated flow
POST to https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections with a JSON body specifying displayName, periodOfflineBeforeWipeIsEnforced, pinRequired, allowedDataStorageLocations, and other MAM settings
Note the id returned in the 201 response; use it to assign the policy
POST to https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections/{policyId}/assign with a body containing target group IDs in the assignments array
Verify assignment by calling GET https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections/{policyId}/assignments
Test enforcement on a test device that is not MDM-enrolled by launching an assigned app; the policy should apply through Company Portal MAM registration
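The create, assign and verify steps above as one script, added here as an example and not code from the page's source. It uses only the Python standard library; token acquisition is assumed to have happened already (the bearer token is passed in), and the policy values, group IDs and the sample assignments response are constructed placeholders. The verification check only counts explicit group targets: exclusion targets are skipped, and an 'All Users' assignment would not be detected by it.

```python
import json
import urllib.request

POLICIES_URL = "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections"

def build_policy_body(display_name, offline_wipe_days=90):
    # Body for the create POST; property names are Graph's, the values are example settings.
    return {"@odata.type": "#microsoft.graph.iosManagedAppProtection", "displayName": display_name,
            "pinRequired": True, "periodOfflineBeforeWipeIsEnforced": f"P{offline_wipe_days}D",  # ISO 8601
            "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"]}

def build_assign_body(group_ids):
    # Body for the /assign POST: one included-group target per group ID.
    return {"assignments": [{"@odata.type": "#microsoft.graph.targetedManagedAppPolicyAssignment",
                             "target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                                        "groupId": gid}} for gid in group_ids]}

def included_group_ids(assignments_response):
    # Groups explicitly targeted in a GET .../assignments response; exclusion targets are skipped.
    return {a["target"]["groupId"] for a in assignments_response.get("value", [])
            if a["target"].get("@odata.type") == "#microsoft.graph.groupAssignmentTarget"}

def missing_assignments(assignments_response, expected_group_ids):
    # Verification step: expected groups the tenant does not report as assigned.
    return sorted(set(expected_group_ids) - included_group_ids(assignments_response))

def graph_request(token, method, url, body=None):
    # Minimal authenticated Graph call; returns (HTTP status, parsed JSON or {}).
    req = urllib.request.Request(url, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read() or b"{}")

def create_and_assign(token, display_name, group_ids):
    # Create, assign, then verify; fail loudly if any expected group is missing.
    status, policy = graph_request(token, "POST", POLICIES_URL, build_policy_body(display_name))
    if status != 201:
        raise RuntimeError(f"create failed with HTTP {status}")
    pid = policy["id"]
    graph_request(token, "POST", f"{POLICIES_URL}/{pid}/assign", build_assign_body(group_ids))
    _, assignments = graph_request(token, "GET", f"{POLICIES_URL}/{pid}/assignments")
    if missing := missing_assignments(assignments, group_ids):
        raise RuntimeError(f"policy {pid} is not assigned to {missing}")
    return pid

# Constructed sample of a GET .../assignments response; group IDs are placeholders.
SAMPLE_ASSIGNMENTS = {"value": [
    {"target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": "GROUP-A"}},
    {"target": {"@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget", "groupId": "GROUP-B"}}]}
```

Running `missing_assignments(SAMPLE_ASSIGNMENTS, ["GROUP-A", "GROUP-C"])` returns `["GROUP-C"]`, since GROUP-B appears only as an exclusion target.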
Known gotchas
App protection policy endpoints for iOS and Android remain in the /beta namespace; if you use them in production code, be aware that beta APIs may change without notice
The policy only applies to apps that integrate the Intune App SDK or are wrapped with the Intune App Wrapping Tool; arbitrary apps are not protected
Assigning to 'All Users' versus a scoped group has different precedence rules; a targeted group assignment overrides the 'All Users' assignment for included users