https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/MS-900/page_4_img_2.jpg
Statement 1: Yes. Microsoft Intune uses Mobile Application Management (MAM) policies to apply data protection at the application layer. These policies can be configured to protect corporate data within specific managed apps without managing the entire device. This allows for selective data protection, enabling administrators to control actions like copy/paste, "save as," and data sharing between managed and unmanaged apps.
Statement 2: Yes. Microsoft Intune can define where corporate data is stored. Through MAM policies, an administrator can specify which apps are approved to access and store corporate data. This prevents corporate data from being saved to unmanaged cloud storage services or personal applications on a device, enforcing data residency and security policies.
Statement 3: No. Microsoft Intune provides two primary types of device wipe: a full device wipe and a selective wipe. The selective wipe option is specifically designed to remove only corporate data (managed apps, corporate email, and associated data) from a device, leaving the user's personal data, apps, and settings intact. A full device wipe factory resets the device, which does remove personal data, but it is a distinct action from a selective wipe, which is typically used for BYOD (Bring Your Own Device) scenarios.