Microsoft Tunnel for Mobile Application Management
Note
This capability is available when you add Microsoft Intune Plan 2 or Microsoft Intune Suite as an add-on license. For more information, see Use Intune Suite add-on capabilities.
When you use the Microsoft Tunnel VPN Gateway, you can extend Tunnel support by adding Tunnel for Mobile Application Management (MAM). Tunnel for MAM extends the Microsoft Tunnel VPN gateway to support devices that run Android or iOS, and that aren't enrolled with Microsoft Intune. With this solution, your users can use a single device that isn't enrolled with Intune to gain secure access to the organization's on-premises apps and resources using modern authentication, single sign-on, and Conditional Access. With Tunnel for MAM, your users can use their own device (BYOD) for both work and personal use, without having to grant the organization's IT department control over that device.
Applies to:
- Android
- iOS/iPadOS
Platform requirements and feature overview
Before you begin, you must already have deployed the Microsoft Tunnel gateway. To learn more about Microsoft Tunnel gateway and how to install and configure it, see:
- Learn about the Microsoft Tunnel VPN solution for Microsoft Intune
- Identify the prerequisites to install and use the Microsoft Tunnel VPN solution for Microsoft Intune
- Install and configure Microsoft Tunnel VPN solution for Microsoft Intune
Microsoft Tunnel for MAM supports the following platforms:
- Android Enterprise version 10.0 or higher
- iOS version 14.0 or higher
The following table identifies key features for the supported platforms:
Requirements and Features | Tunnel for Android | Tunnel for iOS |
---|---|---|
Requirements: | - Company Portal app (sign-in not required) - Defender for Endpoint app | - No Company Portal app or Defender for Endpoint app requirement |
Features: | - VPN is provided via the Defender for Endpoint app (Per-App VPN, Device-wide VPN) - Auto-launch: VPN automatically starts on app launch | - VPN is provided via Tunnel for MAM SDK for iOS integration - Per-App VPN: Tunnel connection is restricted to each targeted app - Auto-launch: VPN automatically starts on app launch - No Device-wide VPN - Trusted root certificate support for on-premises CA trust |
Line of Business app requirements: | - Intune App SDK for Android - Microsoft Authentication Library (MSAL) integration | - Intune App SDK for iOS - Microsoft Authentication Library (MSAL) integration (Microsoft Entra App registration) - Tunnel for MAM SDK for iOS |
Microsoft Edge browser support: | - Strict Tunnel Mode: When users sign into Microsoft Edge with an organization account, if the VPN isn't connected, then Strict Tunnel Mode blocks internet traffic. When the VPN reconnects, internet browsing is available again. - Identity switch: VPN connects when using a work or school account and disconnects when switching to a personal account or InPrivate browsing. - Device-wide and Per-App VPN support | - Strict Tunnel Mode: When users sign into Microsoft Edge with an organization account, if the VPN isn't connected, then Strict Tunnel Mode blocks internet traffic. When the VPN reconnects, internet browsing is available again. - Identity switch: VPN connects when using a work or school account and disconnects when switching to a personal account or InPrivate browsing. |
Third-party browser support: | - Only with device-wide VPN enabled | - None |
Try the interactive demos
Try the following interactive demos to discover how Tunnel for MAM extends Microsoft Tunnel VPN Gateway to support Android and iOS devices that aren't enrolled with Intune.
- Microsoft Tunnel for Mobile Application Management for Android
- Microsoft Tunnel for Mobile Application Management for iOS/iPadOS