# Deployment iOS - MAM-WE - APP only

Implement SCA as [Mobile Application Management (MAM) App](https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-mamwe) within Microsoft Endpoint Manager.\
Our App can be downloaded from the App Store directly and installed on any device.\
As soon as a user signs in with their AAD account, access control via Azure AD Conditional Access requires that an App Protection Policy is applied to SCA.

### App Protection Policy

1. Log in to Endpoint Manager with your admin account
2. Go to Apps → App protection policies or follow this link:\
   [App protection policies - Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/#view/Microsoft_Intune_DeviceSettings/AppsMenu/~/appProtection)
3. Click on **Create policy** and select **iOS/iPadOS**
4. Enter a name for your policy, e.g. “Secure Contacts App Protection Policy”
5. Click **Next**
6. In the Apps pane, change *Target to apps on all device types* to **No**\
   Select the box **Unmanaged** for *Device types*<br>

   <figure><img src="https://3880789596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4v109br9tFl1Rxk2qP0x%2Fuploads%2FfksfQd0SN4v9qGLu5Hfx%2Fimage.png?alt=media&#x26;token=b9ee22a0-9dba-482f-b44c-85acdd62e0ea" alt=""><figcaption></figcaption></figure>
7. Click on **+ Select public apps** and search for “Secure Contacts”
8. Select the app and confirm with **Select**
9. Click **Next** on the Apps pane
10. Continue configuring the App Protection Policy settings as recommended by Microsoft
11. Finish the setup by clicking on **Create**

{% hint style="info" %}
You can use all policies in App Protection Policies as recommended by Microsoft.\
It is possible to add SCA to your existing App Protection Policy.
{% endhint %}

### Conditional Access Policy

A Conditional Access policy is mandatory for SCA. Either create a new one or add SCA to your existing Conditional Access policies.

1. Log in to Endpoint Manager with your admin account
2. Go to Endpoint security → Conditional access or follow this link:\
   [Conditional Access - Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/#view/Microsoft_AAD_IAM/ConditionalAccessBlade/~/Policies)
3. Click on **New policy** to create a new Conditional Access policy
4. Enter a name for the policy, e.g. “Secure Contacts Conditional Access Policy”
5. Go to ***Users or workload identities*** in *Assignments*
6. *Include* your SCA-Testgroup under **Users and Groups**\
   \
   ![](https://3880789596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4v109br9tFl1Rxk2qP0x%2Fuploads%2FR5NRmKuMiDeTqrXpRCKK%2Fimage.png?alt=media\&token=bc425609-1d12-4e6e-ba3e-e75b55539c29)<br>
7. Go to ***Cloud apps or actions*** in *Assignments*
8. Under *Include*, select the cloud apps **Office 365** and **Provectus - Secure Contacts**\
   \
   ![](https://3880789596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4v109br9tFl1Rxk2qP0x%2Fuploads%2FJpftEE7eJapg8jTIl5N7%2Fimage.png?alt=media\&token=cc6507e2-08a2-4a7c-ba31-12e2ffa7d74c)<br>
9. Set the Conditions that are mandatory for your environment
10. Go to *Grant* in the *Access controls* pane
11. Set **Require app protection policy**\
    \
    ![](https://3880789596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4v109br9tFl1Rxk2qP0x%2Fuploads%2FwFF6hL4BcCcyjyv9Zpyy%2Fimage.png?alt=media\&token=06310f8d-acd6-4ff2-93a4-b66fc4daedcf)<br>
12. Set *Enable Policy* to **On**
13. Click on **Create**

{% hint style="info" %}
According to Microsoft, it is **mandatory** to target **Office 365** and **Secure Contacts** as Cloud Apps in your Conditional Access Policy in order to correctly implement SCA.\
**Office 365** must be added as a Cloud App because our Enterprise Application\
(Provectus - Secure Contacts) uses these data sources.
{% endhint %}
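To verify the result of the steps above, the following added example (not part of the original guide or the vendor's tooling) audits a Conditional Access policy exported as JSON from Microsoft Graph (`/identity/conditionalAccess/policies`). It assumes the Graph `conditionalAccessPolicy` shape, where **Require app protection policy** appears as the built-in control `compliantApplication`; `SCA_APP_ID` is a placeholder and the sample policy is constructed.

```python
import json

# Placeholder: the page does not give the application (client) ID of the
# "Provectus - Secure Contacts" enterprise application; look it up in your tenant.
SCA_APP_ID = "00000000-0000-0000-0000-0000000000aa"

def audit_policy(policy, sca_app_id=SCA_APP_ID):
    """Return a list of findings; an empty list means the policy matches the steps."""
    findings = []
    cond = policy.get("conditions") or {}
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    users = cond.get("users") or {}
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    included = [u for u in (users.get("includeUsers") or []) if u != "None"]
    included += users.get("includeGroups") or []

    if "All" not in apps:
        for name, app in (("Office 365", "Office365"), ("Secure Contacts", sca_app_id)):
            if app not in apps:
                findings.append(f"cloud app not targeted: {name}")
    if not included:
        findings.append("no users or groups included")
    if "compliantApplication" not in controls:
        findings.append("grant does not require app protection policy")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        # With OR, any other listed control satisfies the grant on its own.
        findings.append("app protection policy is optional (OR with other controls)")
    if policy.get("state") != "enabled":
        # Report-only or disabled policies log results but enforce nothing.
        findings.append(f"policy not enforced (state={policy.get('state')})")
    return findings

# Constructed sample export (not from a real tenant).
SAMPLE = json.loads("""
{
  "displayName": "Secure Contacts Conditional Access Policy",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {"includeGroups": ["11111111-1111-1111-1111-111111111111"]},
    "applications": {"includeApplications": ["00000000-0000-0000-0000-0000000000aa"]}
  },
  "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantApplication"]}
}
""")

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE):
        print("FINDING:", finding)
```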
