Microsoft Intune for Vault CRM
Embedding the Microsoft Intune SDK in the Vault CRM iOS app provides granular Mobile Application Management (MAM) across both unmanaged and managed devices. Users with unmanaged devices can access Vault CRM from their own devices for a flexible and cost-effective bring-your-own-device (BYOD) model, while complying with corporate security requirements and protecting corporate data. For users with devices managed through Microsoft Intune Mobile Device Management (MDM), MAM can be used to layer additional app-level security protections.
Who can use this feature?
- iPad, iPhone Users
- Users do not require an additional Vault CRM license. A Microsoft Intune license is required.
- End Users
Configuring the Microsoft Intune Integration for

Microsoft Configuration
To configure this feature:
- Navigate to the Veeva-hosted webpage to grant Admin Consent to the Intune SDK Integration for Vault CRM app. This app is used by both the Vault CRM and Veeva CRM applications. Only Microsoft admins can grant consent.
If consent is already granted for the Veeva CRM application, Microsoft admins do not need to grant consent again for Vault CRM.
- Select the Consent button. Granting consent provides Admin Consent to the DeviceManagementManagedApps.ReadWrite API permission for Microsoft Mobile Application Management, enabling tenant-wide application permissions.
- Ensure User.Read permission is granted to the Microsoft Graph application, if not granted automatically when providing Admin Consent
- Navigate to the Microsoft Intune Admin Center.
- Ensure Microsoft’s App protection policies are configured for end users.
- Add the Vault CRM iOS app to an app protection policy as a custom app.
- Use the following bundle ID: com.veeva.vaultcrmapp
- Admins may create a new app protection policy or add Vault CRM to an existing policy. The Vault CRM iOS app must be added to an app protection policy for the policy to be enforced.
-
Add the value veeva to the Select apps to exempt list under Policy Managed Apps in the appropriate Microsoft Intune data transfer policies. This ensures the Vault CRM app is included in the data transfer policy, so users can successfully authenticate from the app.
For more on creating exceptions to an app protection policy, see How to create exceptions to the Intune App Protection Policy (APP) data transfer policy on the Microsoft help site.
Vault CRM Configuration
To configure this feature:
- Navigate to Business Admin > Objects > veeva_settings__v in Vault CRM.
- Select the Global Veeva Settings record.
- Select the enable_intune_mam_enrollment__v Veeva Setting check box to enable the setting.
User Enrollment with Microsoft Intune for

When users sync their devices after the enable_intune_mam_enrollment__v Veeva Setting is enabled, they are prompted to complete the MAM enrollment process by authenticating with their Microsoft work credentials.
Users must successfully authenticate and complete the Microsoft Intune enrollment dialog to continue using the Vault CRM app. After completing the Microsoft authentication dialog, users may be required to verify their identity, depending on their organization’s Microsoft sign-in policies. For example, Multi-Factor Authentication (MFA) may be required.
Once authentication is complete, users are prompted to restart the app.
After the app successfully relaunches, Microsoft Intune app protection policies are immediately enforced in Vault CRM.
Supported Microsoft Intune Functionality
The following Microsoft Intune functionality is supported for Vault CRM:
- Selective Wipe - When a Microsoft admin sends a wipe request for the user, the user is notified the next time they open the Vault CRM app. The app automatically closes and all Vault CRM data (downloaded and local) is removed from the device. Online data is not affected by the wipe. For information on executing a wipe request, see Selectively wipe apps on the Microsoft help site.
- Open Data from Selected Services - Through Microsoft Intune policies, users can be permitted to securely attach files–for example, OneDrive documents–to records in Vault CRM. For information on enforcing this policy, see Allow users to open data from selected services on the Microsoft help site.
To attach OneDrive documents to records in Vault CRM, users must first sign in to OneDrive from their device.
- Managed Browser Requirement - Microsoft admins can specify how web content is opened from policy-managed applications. For example, users can be required to open links from Vault CRM in a managed browser like Microsoft Edge. For information on enforcing this policy, see Restrict web content transfer with other apps on the Microsoft help site.
If your organization's Managed Browser policy requires users to open web content in the Edge browser, Veeva recommends users install the Edge browser and complete Microsoft Intune enrollment for the Edge app before using Veeva CRM features which rely on an external browser. Completing this step in advance provides a seamless user experience.
For example, the following features require an external browser and may trigger the Managed Browser policy:
Customers can implement additional Microsoft Intune functionality for Vault CRM, though Vault CRM's testing and documented support only cover the Microsoft Intune functionality listed here.