Extend support to MAM devices
Not every device your users bring to work is enrolled in Intune. Employees on personal Android or iOS devices may need access to corporate resources, but your organization may not want to enforce full mobile device management (MDM) on those devices. Microsoft Tunnel for Mobile Application Management (Tunnel for MAM) bridges this gap by extending the same VPN gateway to unenrolled devices — without requiring enrollment.
Note
Tunnel for MAM requires Microsoft Intune Plan 2 or the Microsoft Intune Suite as an add-on license.
What is Tunnel for MAM?
Tunnel for MAM lets unenrolled Android and iOS/iPadOS devices use Microsoft Tunnel VPN Gateway to securely access on-premises resources. Users can authenticate with Microsoft Entra ID, benefit from Conditional Access policies, and keep their personal data completely separate from corporate data - all from their own device.
This approach supports bring-your-own-device (BYOD) scenarios where users want to use a single phone for both work and personal use without granting IT control over the entire device. Corporate data remains protected through app protection policies, and the VPN connection is scoped to MAM-enabled apps rather than routing all device traffic.
Building on your existing Tunnel Gateway deployment, you don't need separate infrastructure for MAM. Your current server configurations and sites support both enrolled and unenrolled devices at the same time.
Platform support
Tunnel for MAM supports the following platforms:
| Platform | Minimum version | VPN scope |
|---|---|---|
| Android Enterprise | Android 10.0 or higher | Per-app VPN or device-wide VPN |
| iOS/iPadOS | iOS 17.0 or higher | Per-app VPN only |
Note
Microsoft Intune supports the latest iOS version and the two previous versions ("current + 2").
Always verify the latest requirements in the official documentation:
Supported operating systems and browsers in Intune
On Android, the VPN is delivered through the Microsoft Defender app. On iOS, it's provided through the Tunnel for MAM iOS SDK integrated into your line-of-business (LOB) apps.
Configure Tunnel for MAM on Android
For Android devices, you need three policies that work together. When all three are deployed to the same user groups, the VPN starts automatically when Microsoft Edge launches.
App configuration policy for Microsoft Defender
This policy configures the Microsoft Defender app as the tunnel client on unenrolled Android devices.
In the Microsoft Intune admin center, go to Apps > Configuration > Create > Managed Apps.
On the Basics tab, enter a name and an optional description, select Microsoft Defender Endpoint as the public app, then select Next.
Skip the Settings catalog tab by selecting Next.
On the Settings tab, under Microsoft Tunnel for Mobile Application Management settings, configure:
- Set Use Microsoft Tunnel for MAM to Yes.
- Enter a Base VPN Connection name visible to users.
- Select your Tunnel site.
- Optionally configure Per-App VPN to restrict tunnel usage to specific apps.
- If your app connects to resources protected by a private CA, select a Root Certificate.
On the Assignments tab, select the user groups that should receive this policy, then select Next.
On the Review + create tab, review the settings and select Create.
Important
Include Microsoft Edge in your Per-App VPN list to ensure correct identity switching and Tunnel notifications. MAM Tunnel for Android doesn't support Always-on VPN.
App configuration policy for Microsoft Edge
This policy enables identity switching in Edge — the VPN connects when users sign in with a work account and disconnects when they switch to a personal account.
Create another Managed Apps configuration policy, enter a name and an optional description, set Microsoft Edge (Android) as the public app, then select Next.
Skip the Settings catalog tab by selecting Next.
On the Settings tab, under General configuration settings, add the following key-value pairs:
| Key | Value | Purpose |
|---|---|---|
| com.microsoft.intune.mam.managedbrowser.StrictTunnelMode | True | Blocks internet traffic if VPN isn't connected when using a work account |
| com.microsoft.intune.mam.managedbrowser.TunnelAvailable.IntuneMAMOnly | True | Enables identity-switch support so VPN connects and disconnects with account changes |
On the Assignments tab, assign this policy to the same groups as the Microsoft Defender app configuration policy, then select Next.
On the Review + create tab, review the settings and select Create.
App protection policy for Microsoft Edge
This policy triggers the tunnel connection automatically when Edge launches.
Go to Apps > Protection > Create > Android.
On the Basics tab, enter a name and an optional description, then select Next.
On the Apps tab, select Microsoft Edge as the public app, then select Next.
On the Data protection tab, scroll to the bottom and set Start Microsoft Tunnel connection on app-launch to Yes.
Select Next until you are on the Assignments tab. Assign this policy to the same groups as the other two policies.
On the Review + create tab, review the settings and select Create.
Configure Tunnel for MAM on iOS
On iOS, the VPN is provided through the Tunnel for MAM iOS SDK, which your developers integrate into LOB apps. This is a per-app VPN only - there's no device-wide VPN option for iOS.
You need three policy types to configure Tunnel for MAM on iOS:
- App configuration policy - Configures the Tunnel Gateway site, proxy settings, and trusted certificates for Edge and LOB apps.
- App protection policy - Provides data protection settings and is required for the app configuration policy to deliver Tunnel settings to apps.
- Trusted certificate profile - Required if apps connect to on-premises resources protected by a private certificate authority (CA).
App configuration policy for iOS
Go to Apps > Configuration > Create > Managed Apps.
On the Basics tab, enter a name and an optional description. Add your LOB app under Custom apps with its Bundle or Package ID, or select Microsoft Edge (iOS/iPadOS) as a public app, then select Next.
Skip the Settings catalog tab by selecting Next.
On the Settings tab, expand Microsoft Tunnel for Mobile Application Management settings:
- Set Use Microsoft Tunnel for MAM to Yes.
- Enter a Base VPN Connection name.
- Select your Microsoft Tunnel site.
- If your app connects to resources protected by a private CA, select a Root Certificate.
- Optionally add settings to your Proxy if needed.
Select Next to get to the Assignments tab, assign the target user groups, then select Next.
On the Review + create tab, review the settings and select Create.
Note
For federated Microsoft Entra tenants, add a general configuration setting with key com.microsoft.tunnel.custom_configuration and a value that includes your federation STS URL as a bypassed URL. For example: {"bypassedUrls":["sts.contoso.com"]}.
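A small audit script for the Edge key-value pairs in the Android policy above and for the com.microsoft.tunnel.custom_configuration value in this note, added here as an example and not part of the original page or any Microsoft tool. It assumes the policy was exported as a Graph targetedManagedAppConfiguration object whose customSettings is a list of {"name", "value"} pairs, and it treats "bare hostname" entries in bypassedUrls as a heuristic based on the page's example rather than a documented rule.

```python
"""Audit an exported Intune managed-app configuration for Tunnel for MAM
settings. The input shape (a Graph 'targetedManagedAppConfiguration' whose
'customSettings' is a list of {"name": ..., "value": ...} pairs) is an
assumption, not taken from the page."""
import json

# Edge identity-switch keys, taken from the table on this page.
EDGE_REQUIRED = {
    "com.microsoft.intune.mam.managedbrowser.StrictTunnelMode": "True",
    "com.microsoft.intune.mam.managedbrowser.TunnelAvailable.IntuneMAMOnly": "True",
}
CUSTOM_CONFIG_KEY = "com.microsoft.tunnel.custom_configuration"


def _settings(policy):
    return {s["name"]: s["value"] for s in policy.get("customSettings", [])}


def audit_edge_settings(policy):
    """Return findings (empty list means both keys are present and True)."""
    found, findings = _settings(policy), []
    for key, expected in EDGE_REQUIRED.items():
        actual = found.get(key)
        if actual is None:
            findings.append(f"missing {key}")
        elif actual.strip().lower() != expected.lower():
            findings.append(f"{key} is {actual!r}, expected {expected!r}")
    return findings


def audit_bypassed_urls(policy):
    """Check the federated-tenant bypass list; entries are expected to be bare
    hostnames like the page's example (heuristic, not a documented rule)."""
    raw = _settings(policy).get(CUSTOM_CONFIG_KEY)
    if raw is None:
        return []  # only federated tenants need this key
    try:
        hosts = json.loads(raw).get("bypassedUrls")
    except (json.JSONDecodeError, AttributeError) as exc:
        return [f"custom_configuration is not a JSON object: {exc}"]
    if not isinstance(hosts, list) or not hosts:
        return ["bypassedUrls missing or empty"]
    return [f"not a bare hostname: {h!r}" for h in hosts if "/" in h or ":" in h]


# Constructed sample export with two misconfigured values (not a real policy).
SAMPLE_POLICY = {
    "displayName": "Edge - Tunnel for MAM (sample)",
    "customSettings": [
        {"name": "com.microsoft.intune.mam.managedbrowser.StrictTunnelMode", "value": "False"},
        {"name": CUSTOM_CONFIG_KEY, "value": '{"bypassedUrls":["https://sts.contoso.com/adfs"]}'},
    ],
}

if __name__ == "__main__":
    for finding in audit_edge_settings(SAMPLE_POLICY) + audit_bypassed_urls(SAMPLE_POLICY):
        print("FINDING:", finding)
```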
App protection policy for iOS
Go to Apps > Protection > Create > iOS/iPadOS.
On the Basics tab, enter a name and an optional description, then select Next.
On the Apps tab, add your LOB app under Custom apps with its Bundle ID, or select Microsoft Edge as a public app, then select Next.
On the Data protection, Access requirements and Conditional launch tabs, configure the settings your organization needs.
On the Assignments tab, assign this policy to the same groups as the app configuration policy.
On the Review + create tab, review the settings and select Create.
Use a trusted certificate profile
If your apps connect to internal resources that use SSL/TLS certificates from a private or on-premises CA, you need to add a trusted certificate profile to the app configuration policy. This profile establishes the chain of trust so the device can verify the server certificate.
For Android, the Intune App SDK supports trusted root certificates through the MAMTrustedRootCertsManager API. When you integrate the SDK into a line-of-business app, use a current SDK release and review the Intune App SDK changelog for the version that introduced this capability. For iOS, the Tunnel for MAM SDK supports trusted root certificates in DER-encoded binary X.509 or PEM format.
Tip
For Tunnel for MAM on iOS, a trusted certificate profile for any platform (Android, iOS, or Windows) can be used. You don't need to create a separate iOS-specific profile.
With Tunnel for MAM configured, users on unenrolled personal devices can securely access corporate resources using the same infrastructure that serves your enrolled devices without giving your organization control over their personal device.