Microsoft Intune - Mobile Application Management (MAM) standalone
Have you ever been asked the question “…after I enroll my device, what happens to the personal data on my device if I leave the company?” Sound familiar? I’ve heard this many times when I speak with organizations, and in the past the answer was “we have the right to delete everything on your device, so you better back it up…” and so on. Not all employees are comfortable with this approach, because wiping a device means personal data such as photos, emails, text messages, and game data may be deleted, especially if company policies restrict devices from saving data to cloud storage services.
Some Mobile Device Management (MDM) vendors have gone as far as building their own applications to segregate email and data. However, not all of these MDM vendors specialize in developing and maintaining email and productivity apps, and as a consequence those apps may leave a security hole you didn’t anticipate. If you’ve standardized on, or your users prefer, productivity apps from Microsoft such as Outlook, OneNote, and OneDrive, 3rd party MDM vendors unfortunately cannot apply policies to, or control, Microsoft Office apps, whereas Microsoft can.
The good news is that managing the device and applying Mobile Application Management (MAM) policies to applications are both built into Microsoft Intune, so once devices are enrolled and the policies are deployed, MAM policies begin to flow to MAM-enabled applications such as the Microsoft Office apps.
Additionally, if organizations want to keep their current Mobile Device Management (MDM) solution and use Intune only to apply MAM policies to applications, the recently released Mobile Application Management (MAM) standalone service lets them do just that!
Scenarios to consider when planning your MDM and MAM strategy:
- Microsoft Intune MAM Only with no MDM at all = Yes
- 3rd party MDM + Microsoft Intune MAM Only = Yes
- Microsoft Intune for full MDM/MAM = Yes
For a list of Microsoft Intune MAM supported apps please visit: https://www.microsoft.com/en-us/cloud-platform/microsoft-intune-apps
Walk-Through of Microsoft Intune MAM standalone (w/o MDM)
The following demonstrates the new Microsoft Intune MAM standalone enrollment process without MDM:
Azure Portal experience
Log into https://portal.azure.com
Fill in the necessary information and select “Apps”. Select the apps you’d like to apply MAM policies to and then select “Select” at the bottom of the blade.
Note: not all MAM enabled apps are available yet for MAM standalone. If you need to apply MAM policies to additional applications that support MAM policies, consider enrolling devices with Microsoft Intune and rolling out MAM policies from there.
Next we need to configure the settings for the policy. Do this by selecting “Settings”. This is where we can configure MAM policies such as blocking data from being copied or stored outside of MAM managed applications (e.g. prevent cut, copy, and paste outside of Word). When finished, select “OK” at the bottom of the blade.
Select “Create” at the bottom of the “Add a policy” blade to create the policy. Once the policy is created, we’re ready to deploy it to users.
Note: Microsoft Intune MAM standalone is deployed to users, not devices.
Lastly, we need to target the users to deploy the policy to. Do this by selecting “User groups” from the policy blade. Find the group you’d like to add and press “Select” at the bottom of the User group blade (not shown in image).
That’s all that needs to be done to create and deploy Microsoft Intune MAM only policies.
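The three things configured above (apps, settings, user groups) can be checked after the fact. The following is an added example, not code from the original post or from Microsoft: it audits a policy exported as JSON for settings that let data leave managed apps. The property names are those of the Microsoft Graph iosManagedAppProtection resource, which the post itself does not show; the flattened "apps" and "assignments" lists and both sample policies are constructed for illustration.

```python
# Added example: audit an app protection (MAM) policy held as a dict.
# Setting names follow the Microsoft Graph iosManagedAppProtection resource
# (an assumption; the walk-through above only uses the portal).

# Setting -> values that keep corporate data inside managed apps.
SAFE_VALUES = {
    "allowedOutboundClipboardSharingLevel": {"managedApps", "managedAppsWithPasteIn", "blocked"},
    "allowedOutboundDataTransferDestinations": {"managedApps", "none"},
    "saveAsBlocked": {True},
    "dataBackupBlocked": {True},
}

def audit_policy(policy):
    """Return a list of findings for one policy; an empty list means no gaps."""
    findings = []
    for setting, safe in SAFE_VALUES.items():
        value = policy.get(setting)  # a missing key is reported, never assumed safe
        if value not in safe:
            findings.append(f"{setting}={value!r} lets data leave managed apps")
    if not policy.get("apps"):
        findings.append("no apps selected, so the policy protects nothing")
    if not policy.get("assignments"):
        findings.append("no user groups targeted, so the policy reaches nobody")
    return findings

# Constructed sample: permissive settings, backup setting missing, no group targeted.
WEAK = {
    "displayName": "Word - permissive (constructed)",
    "allowedOutboundClipboardSharingLevel": "allApps",
    "allowedOutboundDataTransferDestinations": "allApps",
    "saveAsBlocked": False,
    "apps": ["com.microsoft.Office.Word"],
    "assignments": [],
}

# Constructed sample: cut/copy/paste and save-as restricted, one placeholder group.
HARDENED = {
    "displayName": "Word - restricted (constructed)",
    "allowedOutboundClipboardSharingLevel": "managedApps",
    "allowedOutboundDataTransferDestinations": "managedApps",
    "saveAsBlocked": True,
    "dataBackupBlocked": True,
    "apps": ["com.microsoft.Office.Word"],
    "assignments": ["00000000-0000-0000-0000-000000000000"],  # placeholder group id
}

if __name__ == "__main__":
    for sample in (WEAK, HARDENED):
        print(sample["displayName"], audit_policy(sample) or "OK")
```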
Now that the MAM policies are created and deployed, let’s walk through how the policy is applied. For this demonstration, I’m using an iOS device and the Word app; however, the Android experience is similar.
Find and download Microsoft Word from the iTunes store (if you need to deploy the app, consider enrolling devices with Microsoft Intune). Once Word is downloaded, open the Word app and add the account of a user who is a member of the Azure AD group added to the MAM policy. Once the user is logged in, they’ll receive an alert similar to the image below. Select “OK” to close the app after 5 minutes or “Close” to close immediately. Behind the scenes, the Microsoft Intune standalone MAM policy is being applied and needs to restart the Word app.
This concludes the walk-through of Microsoft Intune Mobile Application Management standalone.
Stay tuned for additional updates via the Microsoft Intune Blog: https://blogs.technet.com/b/microsoftintune/