Microsoft Tunnel for Mobile Application Management
Note
This capability is available when you add Microsoft Intune Plan 2 or Microsoft Intune Suite as an add-on license. For more information, see Use Intune Suite add-on capabilities.
When you use the Microsoft Tunnel VPN Gateway, you can extend Tunnel support by adding Tunnel for Mobile Application Management (MAM). Tunnel for MAM extends the Microsoft Tunnel VPN gateway to support devices that run Android or iOS, and that aren't enrolled with Microsoft Intune. With this solution, your users can use a single device that isn't enrolled with Intune to gain secure access to the organization's on-premises apps and resources using modern authentication, single sign-on, and Conditional Access. With Tunnel for MAM, your users can use their own device (BYOD) for both work and personal use, without having to grant the organization's IT department control over that device.
Applies to:
Android
iOS/iPadOS
Platform requirements and feature overview
Before you begin, you must already have deployed the Microsoft Tunnel gateway. To learn more about Microsoft Tunnel gateway and how to install and configure it, see:
Microsoft Tunnel for MAM supports the following platforms:
Android Enterprise version 10.0 or higher
iOS version 14.0 or higher
The following table identifies key features for the supported platforms:
Requirements and Features (Tunnel for Android compared with Tunnel for iOS)

Requirements:
Tunnel for Android:
- Company Portal app (sign-in not required)
- Defender for Endpoint app
Tunnel for iOS:
- No Company Portal app or Defender for Endpoint app requirement

Features:
Tunnel for Android:
- VPN is provided via the Defender for Endpoint app:
  - Per App VPN
  - Device-wide VPN
- Auto-launch: VPN automatically starts on app launch
Tunnel for iOS:
- VPN is provided via Tunnel for MAM SDK for iOS integration
- Per-App VPN. Tunnel connection is restricted to each targeted app
- Auto-launch: VPN automatically starts on app launch
- No Device-wide VPN
- Trusted root certificate support for on-premises CA trust

Line of Business app requirements:
Tunnel for Android:
- Intune App SDK for Android
- Microsoft Authentication Library (MSAL) integration
Tunnel for iOS:
- Intune App SDK for iOS
- Microsoft Authentication Library (MSAL) integration
  - Microsoft Entra App registration
- Tunnel for MAM SDK for iOS

Microsoft Edge browser support:
Tunnel for Android:
- Strict Tunnel Mode: When users sign into Microsoft Edge with an organization account, if the VPN isn't connected, then Strict Tunnel Mode blocks internet traffic. When the VPN reconnects, internet browsing is available again.
- Identity switch: VPN connects when using a work or school account and disconnects when switching to a personal account or InPrivate browsing.
- Device-wide and Per-App VPN support
Tunnel for iOS:
- Strict Tunnel Mode: When users sign into Microsoft Edge with an organization account, if the VPN isn't connected, then Strict Tunnel Mode blocks internet traffic. When the VPN reconnects, internet browsing is available again.
- Identity switch: VPN connects when using a work or school account and disconnects when switching to a personal account or InPrivate browsing.

Third-party browser support:
Tunnel for Android:
- Only with device-wide VPN enabled
Tunnel for iOS:
- None
Try the interactive demos
Try the following interactive demos to discover how Tunnel for MAM extends Microsoft Tunnel VPN Gateway to support Android and iOS devices that aren't enrolled with Intune.