Enable Microsoft Intune for Android Devices

The Emburse Enterprise mobile app supports Microsoft Intune Mobile Application Management (MAM) on Android devices to protect corporate data within the app.

After the user signs in, Intune determines how policies are applied based on device state, app capabilities, and organizational configuration.

What Intune Does

Your company’s Intune policies may automatically:

  • Prevent copying or pasting sensitive data outside the app.
  • Encrypt or securely store company data on your device.
  • Require company-managed authentication for access.

Policies vary by organization and are controlled by your company's IT team.

End User Experience

End users follow the same basic flow regardless of device type.

Sign In

1. Open the Emburse Enterprise mobile app and select Log In.

What happens next depends on your device’s configuration:

  • Managed Devices: Your work email address may be pre-filled on the sign-in screen. This occurs when an Intune app configuration policy passes the IntuneMAMUPN value.
  • BYOD (Unmanaged) Devices: You will be prompted to manually enter your work email address.

2. Complete sign-in using your Microsoft Entra ID credentials.

After authentication, Intune evaluates whether app protection policies apply.

Any enrollment or protection prompts are controlled by Intune and the operating system, not by the Emburse Enterprise app.

Company Portal Requirement

The Company Portal app must be installed on all devices. Requirements vary by device type:

  • Managed Devices: Installed and signed in.
  • BYOD (Unmanaged) Devices: Installed only. The app acts as a broker; do not sign in.

App Version Requirements

Support for different device scenarios depends on the version of the Emburse Enterprise Android app installed on the device.

| Capability | Minimum App Version |
|---|---|
| Phase 1: Managed devices (Intune MAM with device enrollment) | v2.4.2 – December 18, 2025 |
| Phase 2: Managed devices and BYOD devices (Intune MAM without device enrollment) | v2.5.0 |

What Changed in Phase 2: Simplified Microsoft Integration

Phase 1 used two separate Microsoft Entra ID enterprise applications:

  • One for user authentication (via federated sign-in)
  • One for Intune app protection

This meant users saw multiple Microsoft sign-in prompts, and IT administrators needed to manage permissions for two separate app registrations.

Emburse Enterprise app version 2.5.0 and later consolidates this into a single Microsoft Entra ID enterprise application.

| Setting | Value |
|---|---|
| Application (client) ID | de125cab-0189-4abc-9034-0ec98e554ccb |

Users now authenticate once with Microsoft, and that same authentication is used for both app access and Intune protection.

Additionally, Phase 2 uses Microsoft's native authentication library (MSAL). This means:

  • Users sign in through a native Microsoft login experience.
  • Conditional Access policies that require Microsoft Edge for web sign-in do not apply to this flow.

What This Means for IT Administrators

| Area | Phase 1 (v2.4.2+) | Phase 2 (v2.5.0+) |
|---|---|---|
| Entra ID App Registrations | Two enterprise apps | One enterprise app |
| User Sign-in Experience | May see multiple Microsoft prompts | Single Microsoft sign-on |

IT Administrator Setup

To enable Microsoft Intune MAM for the Emburse Enterprise Android app, complete the steps below.

1. Enable Microsoft Intune in Emburse

Before Intune policies can be applied, Intune must be enabled for your organization in Emburse.

  • This setting determines whether the Emburse Enterprise app attempts to register with Intune during sign-in.
  • If Intune is not enabled in Emburse, users will sign in without Intune app protection, even if Intune is configured in Microsoft Intune.

Contact Emburse Support to enable Intune for your organization.

Upgrade from Phase 1 to Phase 2

| Scenario | Action Required |
|---|---|
| Managed Devices | None; users will automatically get the Phase 2 flow on update to v2.5.0 |
| BYOD (Unmanaged) Devices | Contact Emburse Support to enable BYOD support |

2. Add the Emburse Enterprise App to Intune

  • Connect Intune to Managed Google Play.
  • Select the Emburse Enterprise app.
  • Sync the app into Intune.
    • You might need to do a hard refresh on the web page for the app to appear on Intune.
  • Assign the app to appropriate users or device groups.

3. Grant Required Microsoft Entra ID Permissions

The following Microsoft Entra ID permissions are required for Intune MAM:

  • User.Read
  • DeviceManagementManagedApps.ReadWrite.All

An administrator must grant tenant-wide admin consent for these permissions.

Use this link to automatically grant admin consent for the required permissions listed above.

If these permissions are not granted, sign-in fails: without User.Read, users see an “Admin approval required” error; without DeviceManagementManagedApps.ReadWrite.All, they see an “Authentication Required” error dialog.
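
One way to confirm that tenant-wide consent is in place before users hit those errors, as an added example using the Microsoft Graph PowerShell SDK (not Emburse's own tooling). It assumes both permissions are delegated scopes recorded as OAuth2 permission grants, and that the Phase 2 client ID given in this article is the app being consented.

```powershell
#Requires -Modules Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns
# Added example (not Emburse code). Assumes both permissions are delegated scopes,
# so tenant-wide admin consent shows up as an oauth2PermissionGrant.

$ClientId = 'de125cab-0189-4abc-9034-0ec98e554ccb'   # Application (client) ID from this article
# Required scope -> sign-in symptom this article describes when it is missing
$Required = [ordered]@{
    'User.Read'                                 = 'Admin approval required'
    'DeviceManagementManagedApps.ReadWrite.All' = 'Authentication Required'
}

Connect-MgGraph -Scopes 'Directory.Read.All' | Out-Null

$sp = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
if (-not $sp) {
    Write-Warning "No enterprise application with appId $ClientId exists in this tenant, so nothing has been consented."
    return
}

$grants     = @(Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All)
# 'AllPrincipals' = tenant-wide admin consent; 'Principal' = consent for one user only.
$tenantWide = @($grants | Where-Object { $_.ConsentType -eq 'AllPrincipals' })
# Scope is one space-separated string per resource API; flatten across grants.
$granted    = @($tenantWide | ForEach-Object { $_.Scope -split '\s+' } |
                Where-Object { $_ } | Sort-Object -Unique)

foreach ($scope in $Required.Keys) {
    if ($scope -notin $granted) {
        Write-Warning "$scope lacks tenant-wide consent; users will see '$($Required[$scope])' at sign-in."
    }
}

# Anything consented beyond what the article lists deserves a least-privilege review.
$extra = @($granted | Where-Object { $_ -notin $Required.Keys })

[pscustomobject]@{
    EnterpriseApp    = $sp.DisplayName
    TenantWideScopes = $granted -join ' '
    ExtraToReview    = $extra -join ' '
    PerUserGrants    = @($grants | Where-Object { $_.ConsentType -eq 'Principal' }).Count
}
```

A non-zero PerUserGrants with missing tenant-wide scopes usually means individual users consented themselves, which does not satisfy the admin consent requirement.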

4. Configure App Protection Policies

  • Create app protection policies for:
    • Managed devices
    • Unmanaged (BYOD) devices
  • Configure data protection settings according to organizational requirements.
  • Assign policies to the same user groups as the app.

The Emburse Enterprise app already enforces a passcode or biometric authentication requirement when the app is opened. If you configure a screen lock requirement in your Intune app protection policy, users will need to pass both prompts — first the Intune PIN, then the app's built-in passcode or biometric authentication.

5. Configure App Configuration (Managed Devices Only)

For managed Android devices, an app configuration policy improves the sign-in experience.

  • Platform: Android Enterprise
  • Target app: Emburse Enterprise
  • Required key/value pair:
    • Key: IntuneMAMUPN
    • Value: {{UserPrincipalName}}

When configured, this value pre-populates the user’s email address during sign-in.

6. Update Conditional Access Policies (If Applicable)

If your organization uses Microsoft Entra ID Conditional Access policies, you may need to include the Emburse Enterprise app in your policies.

The "Require app protection policy" grant control in Conditional Access is not supported for the Emburse Enterprise app. This is because the app is not currently on Microsoft's list of policy-managed client apps. However, this does not affect Intune protection — the Emburse Enterprise app automatically enrolls users in Intune MAM as soon as they sign in, ensuring app protection policies are applied without requiring this Conditional Access setting.

7. Verify Your Setup

After completing the configuration steps above, verify that Intune app protection is working correctly.

Option A: Check Enrollment Status in Intune

  1. Go to the Microsoft Intune admin center.
  2. Navigate to Apps > Monitor > App Protection Status.
  3. Confirm the Emburse Enterprise app (com.emburse.mobile) appears protected.

Option B: Test with a PIN Requirement

  1. In your app protection policy, under Access Requirements, enable Require PIN for Access.
  2. Have a user sign in to the Emburse Enterprise app.
  3. If the user sees an Intune PIN prompt after sign-in, the app protection policy is being applied correctly.

The PIN prompt is managed by Intune, not by the Emburse Enterprise app. If users do not see the prompt, verify that the app protection policy is assigned to the correct user groups and that the users' devices meet policy requirements.
