MAMStrictCheck

An Application context was used when an Activity context was expected.

The MAMServiceAuthenticationCallback was not registered in the Application's onCreate method.

Window.clearFlags() was called on FLAG_SECURE when app had a configured policy that restricts screenshots. This will allow users to bypass the MAM policy and take screenshots.

We expect config-only apps to call MAMComponents.initialize() via Application.onCreate(). However, initialize() was called from a different place.

The config-only app was improperly integrated with the MAM SDK. For example, its Application class may extend MAMApplication. Config-only apps should never leverage the build plugin or manually integrate wrappers.

Conditional Access is not supported for config-only mode apps, but the application tried to remediate compliance for a user.

An intent was started to transfer content to another app without an identity, while the foreground activity does have an identity set. This likely indicates a failure to plumb through the identity.

A multi-identity app used a ContentResolver without any identity set on the context the resolver was retrieved from or on the thread/process. This indicates likelihood that the app is performing app-to-app communication on a background thread without proper consideration of what account the operation is running under.

Call to an API which we have deprecated and which has the potential to result in an incorrect customer outcome.

Attempt to protect a file which does not exist.

An incoming activity identity switch was not handled properly. If your app uses the process identity, it must override MAMActivityIdentityRequirementListener.onMAMIdentitySwitchRequired in order to ensure that the incoming data is compatible with the already set process identity. Apps which use the process identity need to take even more care with incoming identity switches than most because these apps usually assume that only one identity (the process one) will be active. If data belonging to a different identity (e.g. a personal one) comes in, the app needs to either be able to handle that data properly (segregate it from the managed user) or refuse the identity switch.

Mismatch between the identity tag for an intent and a file transferred by that intent.

There was a mismatch between the user's passed in aadId and resourceId, and the decoded aadId and resourceId from the MAMService token returned by MAMServiceAuthenticationCallback.

An activity was launched which was not MAM-integrated and not explicitly excluded by build-plugin configuration.

A view was used which should have been MAM-integrated, but was not.

Use of getIsOpenFromLocationAllowedForOID for OneDrive for Business/SharePoint/an account document, but there was no OID provided for the account.

Use of getIsOpenFromLocationAllowed for OneDrive for Business/SharePoint/an account document, but there was no UPN provided for the account.

registerAccountForMAM was called on an account which is already in the WRONG_USER state. Apps should remove accounts in the WRONG_USER state (or at least block them).

Use of getIsSaveToLocationAllowedForOID for OneDrive for Business/Sharepoint/an account document, but there was no OID provided for the account.

Use of getIsSaveToLocationAllowed for OneDrive for Business/Sharepoint/an account document but no UPN provided.

No longer used. Replaced by SAVE_TO_LOCATION_MISSING_UPN

An internal error occurred which is not expected in the course of normal operation. More detail is available in the message.

Ensure the app is not using a newer target Android SDK than the current MAMSDK version supports.

MAM was unable to locate a Context that would allow for policy enforcement within the specified System Service/ContentResolver/ContentProviderClient. This indicates one of the following: 1. The SDK surface included by the plugin for your app may be incorrect. To remediate, please review your build plugin configuration for improperly excluded classes. For example, an improperly excluded `Activity` class may be passing its `Context` into a rewritten utility class, which would produce an unprotected System Service/ContentResolver/ContentProviderClient based on the passed in `Context`. 2. The MAM SDK is missing surface coverage required by your app. To remediate, please reach out to the MAM team.

The MAMEnrollmentManager's unregisterAccountForMAM() method was called from within the provided MAMServiceAuthenticationCallback's acquireToken() method. This could cause compliance remediation to fail.

The MAMEnrollmentManager's updateToken() method was called from within the provided MAMServiceAuthenticationCallback's acquireToken() method. This is not the intended purpose of updateToken(), and could cause a deadlock.

The app called a MAM SDK API method taking an identity by UPN instead of the corresponding OID-based method.