Can MAM be used to manage Microsoft 365 apps?

An evaluation of Microsoft Intune led our global IT organization to decide to migrate from Accenture's legacy solution to Intune. One key factor was that in addition to traditional MDM features, Intune also offered MAM. MDM places an agent on a mobile phone and manages the phone, enforcing encryption and use of a PIN. MAM, on the other hand, provides secure use of mobile applications without requiring full device control.

Initially, MDM was more mature than MAM, so it was the first solution Accenture adopted, with enhancements. For MDM, our global IT organization collaborated with Microsoft to develop additional features Accenture needed before migrating approximately 110,000 registered devices at the time from the legacy MDM solution to Intune. Many employees, however, were reluctant to adopt the solution because of a number of misconceptions about what companies monitor with MDM solutions. Three years later, the adoption rate remained relatively low at 140,000 personal devices.

During this time, Microsoft continued to develop its MAM solution. Accenture, among other partners, collaborated on the features and functionalities that a large enterprise like Accenture needs. Our global IT team appreciated that Intune MAM offers seamless integration with Accenture's suite of Microsoft productivity tools; enables secure access to many Accenture mobile applications without requiring root-level access; and includes a separate mobile application catalog that does not require device enrollment to access it.

Our global IT team hoped that these advantages would also address a population of employees concerned about broad company access to personally owned devices. We knew we needed a new solution that removed the misunderstanding that Accenture could or would be looking at the daily activity of our workforce and that offered immediate mobile productivity benefits.

That solution was a combination of Intune MAM, which allows employees to access company applications without fully enrolling in mobile device management, and seamless, helpful mobile apps that enable our people to work from wherever they are. Mobile apps such as Microsoft Outlook, OneDrive, and Teams were a selling point for our people to adopt Intune MAM. Outlook and Teams work seamlessly with Microsoft 365, and MAM support is built into them out of the box.

Issue Description: Some users can’t access Microsoft Teams with Mobile Application Management (MAM) enrolled iOS devices

More info: Specifically, users may not have App Protection Policies applied when using Microsoft Teams. If conditional access is enabled, this may prevent some users from accessing Microsoft Teams on MAM enrolled iOS devices.

Affected users may see the following error: “The app could not be protected due to an issue with the Intune Service.”

Scope of impact: Your organization is affected and impact is limited to a subset of users with MAM enrolled iOS devices.

Final Update: 01/08/2022 14:26:00 PM – Microsoft determined that this issue is a duplicate of another event. Please look for further updates in MO406564.

Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) service for a wide range of devices, including mobile phones, tablets and laptops. Windows 10, Windows 11, macOS, Android and Apple iOS are all supported by Microsoft Intune – a cloud-based service that gives you control over how your organisation’s devices are used daily in the workplace. 

Intune is part of a Microsoft package – the Enterprise Mobility + Security (EMS) suite. It natively integrates with the full suite of Microsoft 365 products, including Azure Active Directory (Azure AD) for access control (who can access what, and from which devices) and Azure Information Protection (AIP) for data protection. 

What does Microsoft Intune do? 

Intune allows you to control applications using specific policies, such as blocking access to your Office 365 applications unless the request comes from a compliant, company-managed device (enforced through Conditional Access), or enforcing password policies on mobile phones. You can also deploy apps such as Office 365, Microsoft Teams and OneDrive to devices as customised app packages. 

One of the great features of Intune is controlling how users access company data on personal devices. This ensures that all company data stays protected and separate from personal data. 

There are endless opportunities and possibilities using Intune. A few key features are:  

  • Choose to be 100% cloud with Intune, or be co-managed with Configuration Manager and Intune together 
  • Secure your company information by controlling the way users access and share information 
  • Set policies and configure settings on personal and organization-owned devices to access data and networks 
  • Deploy and authenticate apps on devices 
  • Manage your devices making sure they are compliant with your security requirements 
  • Manage your apps ensuring that they comply with security requirements 

How does Microsoft Intune work? 

Microsoft Intune is a cloud-based service that allows you to remotely manage mobile devices and mobile applications. This supports an effective and productive mobile workforce without exposing your company’s data to compromise. 

At a high level, the Microsoft Intune architecture covers three main areas: configuring devices, protecting data, and managing apps. One thing to note is that even though Intune is a cloud-based product, it can also connect to Configuration Manager to control domain-joined devices that are already enrolled into Configuration Manager on premises. 


How to use Microsoft Intune 

The common practices of ways to use Microsoft Intune: 

  • Protecting your on-premises email and data so it can be accessed by devices safely 
  • Protecting your Microsoft 365 email and data so it can be accessed by devices safely 
  • Offering a ‘bring your own device’ (BYOD) programme to all employees 
  • Issue corporate-owned devices such as laptops, tablets and phones to employees 

MICROSOFT INTUNE FEATURES 

Device choice & customization 

With Intune, you aren’t restricted to corporate devices. Intune gives you the flexibility of issuing corporate devices or allowing employees to use their personal devices too – by registering, enrolling, and managing their devices and then installing corporate applications from the Company Portal. 

Mobile & PC device management 

Intune allows you to manage devices using an approach that’s right for the company. As touched upon previously, you may require full control over your organization-owned devices – covering settings, features and security. This requires the device and users to “enroll” into Intune. Enrollment can be an automatic or a manual process, which I expand on later in this blog. Essentially, once enrolled, devices receive settings and controls through policies configured in Intune for the organisation. This could include settings such as enforcing BitLocker encryption or a password policy. 

The alternative approach is for personal or bring-your-own devices (BYOD) where users may not want you to have full control of their devices. This is where you and the end-user have two options: 

  • Enroll the device so the user has full access to company resources 
  • Skip enrollment and use app protection policies (combined with Conditional Access, which can require MFA) to protect company data inside specific apps such as email, SharePoint, or Teams 

Access to corporate resources 

Devices that are enrolled into Intune give administrators the ability to view a list of devices and pull an inventory for them. From there, they can: 

  • Configure devices to ensure they meet the company’s security and health standards. For example, you may require devices to be encrypted 
  • Deploy certificates to allow devices to connect to Wi-Fi networks or VPNs  
  • Pull reports on device compliance and users 
  • Wipe devices or remove data from the device 

Data protection 

As mentioned earlier in this blog, Microsoft Intune integrates with several other Microsoft services allowing you to fully secure your corporate data. 

Intune integrates with Azure Active Directory for access control, with Azure Information Protection, and with the Microsoft Office suite of products. This enables you to remotely deploy apps such as Outlook to specific devices or specific users and, with app protection policies, control how those apps behave when users access company data on their personal devices. For example, you can prevent users from copying text from a company app and pasting it into a personal app on their personal device. There are many options here, and together they let you build a real governance plan.

Managed in the cloud 

One of the major benefits of using Intune to manage your devices is the fact it’s cloud-based, thus removing the need for any on-premises infrastructure. This eliminates the need to plan, purchase and maintain any on-premises equipment. This could be a huge cost-saving area benefit. 

Flexible pricing plans 

There are a few ways to add Intune licenses which I will cover later in this article, but what’s great is that you can license the user instead of the device! This avoids the endless task of counting devices, and the Microsoft Intune cost might be £0 if you already subscribe to another service. Like most of the other M365 products, you can also choose to license users monthly or yearly. 

DEVICE CONFIGURATION 

What is device enrollment? 

To use the mobile device management (MDM), your devices need to be enrolled into Intune. Once a device is enrolled, it’s issued an MDM certificate. This is used to communicate between the Intune service and the device. There are several methods to enroll devices and they are different depending on the type of device (Windows, macOS, iOS, Android), the device ownership (corporate or personal), and the management requirements (resets, locking).  

More information can be found here: https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment  

Automatic enrolment 

So, we know that to manage any device it needs to be enrolled into Intune. By default this is a manual process, but it can be automated depending on the current state of the device. 

Windows 10 devices that are Hybrid Azure AD-joined can be automatically enrolled into Intune by configuring a group policy object (GPO) on the on-premises domain (the “Enable automatic MDM enrollment using default Azure AD credentials” policy) that targets the OU containing the devices you want enrolled in Intune. 

Azure Active Directory can be configured so that any devices that are Azure AD-joined are auto-enrolled into Intune as well; this requires an Azure AD Premium licence. It is simply a setting within the Mobility (MDM and MAM) section of your Azure AD admin center. User groups can be targeted, or the scope can be set to All. I would recommend requiring multi-factor authentication for anyone who is registering a device.  

CNAME registration 

To simplify enrollment without an Azure AD Premium subscription you can create a DNS (domain name system) alias (CNAME record) that redirects enrollment requests to Microsoft’s Intune servers. Without it, users have to type the Intune server name manually during enrollment.  

Note – this needs to be configured for each domain that you have registered within your M365 tenant and use for Intune enrollment. Once the DNS records are in place you can verify them within the Intune admin center.  
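The two CNAME records Microsoft documents for Windows enrollment are EnterpriseEnrollment.<domain> pointing at EnterpriseEnrollment-s.manage.microsoft.com and EnterpriseRegistration.<domain> pointing at EnterpriseRegistration.windows.net. The following script is an added example, not code from the original post or from Microsoft; it checks those two records for every domain in a list and reports missing or mis-targeted aliases. The resolver is injectable so the example runs offline against a constructed answer table; the domain names contoso.com and fabrikam.com are placeholders.

```python
"""Verify the Intune enrollment CNAME records for each tenant domain (added example)."""
from __future__ import annotations
from typing import Callable, Dict, Optional

# Host label -> CNAME target that Microsoft documents for Intune/Azure AD enrollment.
EXPECTED_CNAMES = {
    "enterpriseenrollment": "enterpriseenrollment-s.manage.microsoft.com",
    "enterpriseregistration": "enterpriseregistration.windows.net",
}

# A resolver maps a FQDN to its CNAME target, or None when no CNAME exists.
Resolver = Callable[[str], Optional[str]]


def check_enrollment_cnames(domain: str, resolve: Resolver) -> Dict[str, str]:
    """Return {fqdn: 'ok' | 'missing' | 'wrong target: <observed>'} for one domain.

    Comparison is case-insensitive and ignores the trailing dot a DNS answer carries,
    since both are insignificant to DNS but trip up naive string checks.
    """
    results: Dict[str, str] = {}
    for host, expected in EXPECTED_CNAMES.items():
        fqdn = f"{host}.{domain}".lower()
        observed = resolve(fqdn)
        if observed is None:
            results[fqdn] = "missing"
        elif observed.rstrip(".").lower() == expected:
            results[fqdn] = "ok"
        else:
            results[fqdn] = f"wrong target: {observed}"
    return results


def check_all_domains(domains, resolve: Resolver) -> Dict[str, Dict[str, str]]:
    """Run the check across every domain registered in the tenant."""
    return {d: check_enrollment_cnames(d, resolve) for d in domains}


# Constructed DNS answers standing in for a live resolver (hypothetical domains).
FAKE_DNS = {
    "enterpriseenrollment.contoso.com": "EnterpriseEnrollment-s.manage.microsoft.com.",
    "enterpriseregistration.contoso.com": "enterpriseregistration.windows.net",
    "enterpriseenrollment.fabrikam.com": "manage.microsoft.com.",  # wrong target
    # enterpriseregistration.fabrikam.com deliberately absent -> 'missing'
}


def fake_resolve(fqdn: str) -> Optional[str]:
    """Offline stand-in for a DNS lookup."""
    return FAKE_DNS.get(fqdn)


if __name__ == "__main__":
    for domain, records in check_all_domains(["contoso.com", "fabrikam.com"], fake_resolve).items():
        for fqdn, status in records.items():
            print(f"{domain:14} {fqdn:45} {status}")
```

Against a live tenant, replace fake_resolve with a real lookup, for instance dnspython’s `dns.resolver.resolve(name, "CNAME")` wrapped to return `str(answer[0].target)` and None on NXDOMAIN; the comparison logic stays the same.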

Windows autopilot configuration 

Windows Autopilot can be used to deploy Windows PCs. It is a collection of technologies used to pre-configure new devices before production use. Autopilot can also reset, repurpose, and recover devices. This can all be achieved remotely, with little to no infrastructure, through a simple process. 

A troublesome device can be wiped, reconfigured and ready to go within an hour in the comfort of someone’s home without any physical support from the IT team, simplifying the device lifecycle for both IT and end users. 

When new devices are deployed, Windows Autopilot uses the OEM-optimised version of the Windows client. This is pre-installed on the device, so there is no need for custom images and the device can be shipped directly to the end user, where it is transformed into a business-ready state. 


Once deployed, you can manage the Windows device using Microsoft Intune. 

APPLICATION MANAGEMENT 

App configuration 

To avoid issues when an application is first installed, app configuration policies can be used. They attach configuration settings to a policy assigned to the end user before setup, and those settings are supplied automatically when the app is configured on the end user’s device – leaving no outstanding actions for end users. The settings can be specific to each user and to each app. 

Configuration policies can be created and deployed for both Android and iOS/iPadOS apps. Typically, the settings are applied when the app is run for the very first time (when the app checks for them). 

Typical app configuration settings include: 

  • Language settings 
  • Security settings 
  • Custom port 
  • Brand and company logo settings  

App configuration policies eliminate the potential for error if end users were to enter these settings themselves. They also provide consistency across your organisation and reduce helpdesk calls. By using app configuration policies, new app installations become easier and quicker. 

The configuration parameters that are available (and how they are implemented) are set by the app developers. Always check the application vendor’s documentation to confirm which configuration keys are supported and how they affect the application.  

For some applications, Intune will populate the available configuration settings. 

Assigning groups 

App configuration policies can be assigned to groups of end users and devices by using a combination of include and exclude assignments. Once an app configuration policy has been added, you can set the assignments for that policy. When setting assignments, you can include one or more groups of end users or devices, and exclude groups to which the policy should not apply. 

Protection policies 

App protection policies (APP) are rules that make sure your company’s data stays contained in a managed app and remains protected. A policy can be a set of actions that are restricted or monitored while the user is inside that app, or a rule that comes into effect when a user tries to move or access corporate data and prevents them from doing so.  


Mobile Application Management (MAM) app protection policies allow you to control your company data within your applications. Many Microsoft and third-party apps are supported and can be managed by Intune MAM. The official list can be found here: https://docs.microsoft.com/en-us/mem/intune/apps/apps-supported-intune-apps  
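A practitioner reviewing app protection policies wants a repeatable check that the settings actually restrict data movement (the copy/paste restriction described under Data protection above) and enforce a reasonable app PIN and check-in cadence. The script below is an added example, not code from the original post or from Microsoft: it audits a policy object in the shape returned by the Microsoft Graph endpoint `GET /deviceAppManagement/iosManagedAppProtections` against a baseline. The sample policy values and the baseline thresholds are this example’s own assumptions, not Microsoft defaults; Graph expresses the timing fields as ISO 8601 durations (PT30M, PT12H, P90D), which the helper converts to minutes.

```python
"""Audit an Intune iOS app protection policy against a minimum baseline (added example)."""
from __future__ import annotations
import re
from typing import Any, Dict, List

# Constructed sample in the Graph managedAppProtection shape, trimmed to the fields audited.
# Values are invented for the example; three of them are deliberately weak.
SAMPLE_POLICY: Dict[str, Any] = {
    "displayName": "iOS BYOD - Outlook/Teams/OneDrive",
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedInboundDataTransferSources": "managedApps",
    "allowedOutboundClipboardSharingLevel": "allApps",   # weak: paste into personal apps
    "saveAsBlocked": True,
    "dataBackupBlocked": True,
    "pinRequired": True,
    "minimumPinLength": 4,                               # weak
    "simplePinBlocked": False,                           # weak
    "maximumPinRetries": 5,
    "periodOnlineBeforeAccessCheck": "PT30M",
    "periodOfflineBeforeAccessCheck": "PT12H",
    "periodOfflineBeforeWipeIsEnforced": "P90D",
    "deviceComplianceRequired": True,
}

# Same policy with the three weak settings corrected.
HARDENED_POLICY: Dict[str, Any] = dict(
    SAMPLE_POLICY,
    allowedOutboundClipboardSharingLevel="managedAppsWithPasteIn",
    minimumPinLength=6,
    simplePinBlocked=True,
)

_ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_minutes(value: str) -> int:
    """Convert a Graph ISO 8601 duration such as PT30M, PT12H or P90D to whole minutes."""
    m = _ISO_DURATION.match(value)
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds // 60


def audit_app_protection_policy(policy: Dict[str, Any]) -> List[str]:
    """Return findings for settings below the (assumed) baseline; empty list means compliant."""
    findings: List[str] = []
    # Data transfer: corporate data may only move between policy-managed apps.
    if policy.get("allowedOutboundDataTransferDestinations") == "allApps":
        findings.append("outbound data transfer allowed to unmanaged apps")
    if policy.get("allowedInboundDataTransferSources") == "allApps":
        findings.append("inbound data transfer allowed from unmanaged apps")
    if policy.get("allowedOutboundClipboardSharingLevel") == "allApps":
        findings.append("clipboard copy to unmanaged apps allowed")
    if not policy.get("saveAsBlocked"):
        findings.append("Save As to unmanaged locations allowed")
    if not policy.get("dataBackupBlocked"):
        findings.append("corporate data may be included in device backups")
    # Access requirements: an app PIN that resists guessing on a lost device.
    if not policy.get("pinRequired"):
        findings.append("app PIN not required")
    else:
        if policy.get("minimumPinLength", 0) < 6:
            findings.append("app PIN shorter than 6 characters")
        if not policy.get("simplePinBlocked"):
            findings.append("simple PINs (1234, 1111) allowed")
        if policy.get("maximumPinRetries", 99) > 5:
            findings.append("more than 5 PIN retries before data is wiped")
    # Check-in cadence: how long the app may run before it must re-validate with Intune,
    # which bounds how quickly a selective wipe or revoked access takes effect.
    online = iso_duration_minutes(policy.get("periodOnlineBeforeAccessCheck", "PT30M"))
    offline = iso_duration_minutes(policy.get("periodOfflineBeforeAccessCheck", "PT12H"))
    wipe_after = iso_duration_minutes(policy.get("periodOfflineBeforeWipeIsEnforced", "P90D"))
    if online > 30:
        findings.append("online access check interval longer than 30 minutes")
    if offline > 12 * 60:
        findings.append("offline grace period longer than 12 hours")
    if wipe_after > 90 * 1440:
        findings.append("offline wipe threshold longer than 90 days")
    return findings


if __name__ == "__main__":
    for name, pol in (("sample", SAMPLE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_app_protection_policy(pol) or ["no findings"])
```

To run this against a tenant, fetch the policies with the Graph endpoint named above (Intune administrator permissions, DeviceManagementApps.Read.All) and feed each JSON object to audit_app_protection_policy; the thresholds are the point to tune for your own organisation’s baseline.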

Remote access 

The benefit of controlling and protecting your applications with Intune is that you retain remote control over your apps and data. There are 3 ways you can wipe app data from Intune: 

  • MAM selective wipe 
  • Full device wipe 
  • MDM selective wipe  

MAM selective wipe removes company data from the app. While a user is using a managed app, the app checks in with the Intune service every 30 minutes; a check is also carried out whenever the user launches the app and signs in with their work or school account. A pending selective wipe takes effect at the next such check-in. 

Full device wipe does what is says on the tin – removes all settings and user data from the device by resetting the device to factory defaults. The device is then removed from Intune. 

MDM selective wipe (retire) removes company data from the device. This is generally used for personally owned devices when retiring them from Intune, without needing to wipe the entire device because it also holds personal data. There are a lot of things to consider with this option, such as the type of device involved, so more information can be found here: https://docs.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe  

Intune also offers integration with TeamViewer, an exclusive partnership. This adds remote control and support capabilities across multiple platforms such as Windows, macOS, iOS and Android devices. You can even gain remote access to point of sale (POS) systems, kiosks, and digital signage. It is easy to configure, as there is a pre-built TeamViewer Connector within Intune ready for activation.  

By using TeamViewer, you can use real-time screen sharing to view issues and fix devices with minimal downtime or disruption. TeamViewer states that session data is end-to-end encrypted and cannot be read by TeamViewer itself. 

CLOUD-BASED SERVICE COMPARISONS 

Microsoft MDM vs Intune 

Microsoft offers two ways to handle mobile device management (MDM): MDM for Office 365 (since renamed Basic Mobility and Security) and Intune. MDM for Office 365 is a lightweight version of MDM that doesn’t include mobile application management (MAM). It does allow you to enforce MDM policies and settings that help control access to Office 365 data from supported devices, and to remotely wipe devices to remove company data. 

It is also included in most Office 365 subscriptions, whereas Intune may require a pricier subscription. Its configuration capabilities are limited, and there are no app deployment functions or abilities to wipe apps remotely. 

Endpoint manager vs Intune 

Microsoft Endpoint Configuration Manager, previously known as Microsoft System Center Configuration Manager (SCCM), is now part of Microsoft Endpoint Manager (MEM), as is Intune. Configuration Manager has been around for many years and is widely used in hundreds of thousands of companies. It is an on-premises solution that is fairly complex to set up and requires a lot of maintenance. Intune gives you the ability to move away from your on-premises infrastructure, or to co-manage your devices by using Configuration Manager in conjunction with Intune. 

I wouldn’t say that Intune is a direct replacement for Configuration Manager. Intune doesn’t allow you to deploy images, as it is designed around the modern workplace where images are being phased out and configuring devices out of the box with deployment profiles is becoming the new way of working. Why deploy a bulky image when you can configure the one already on your device and deploy the relevant apps?! 

Intune vs Workspace One 

Workspace ONE, previously known as AirWatch, was rebranded by VMware in 2018. Many organisations are migrating their devices from it to Intune because Intune is part of the Microsoft 365 ecosystem, reducing costs and simplifying management of devices and users.  

GPO vs Intune 

You may be familiar with Group Policy Objects (GPOs) if you’ve supported an on-premises infrastructure. GPOs don’t exist in Azure AD or Intune. Intune instead has Configuration Profiles, which do a very similar thing: they allow you to control devices or users using a set of policies. I have written another blog which goes into more detail around Group Policy analytics in Microsoft Endpoint Manager.  

CERTIFICATION 

There is no specific certification for Microsoft Intune, as Microsoft now aims for role-based certifications, although a few certifications cover Intune among their topics, such as: 

  • Microsoft 365 Certified: Modern Desktop Administrator Associate 
  • Microsoft 365 Certified: Enterprise Administrator Expert 

INTUNE PRICING & LICENSING 

Microsoft Intune is included in many subscriptions, so you may already be paying for it, but it is also available as a stand-alone subscription. 

Intune is included in the following M365 subscriptions: 

  • Microsoft 365 Business Premium 
  • Microsoft 365 E3 
  • Microsoft 365 E5 
  • Microsoft Enterprise Mobility + Security (EMS) 
  • Microsoft 365 Education A1 (Intune for Education) 
  • Microsoft 365 Education A3 (Intune for Education) 
  • Microsoft 365 Education A5 (Intune for Education) 

Microsoft also offer a device-only subscription service for Intune, that allows you to manage devices that aren’t affiliated to specific users, if this is needed.  

SUMMARY 

I hope this blog has been informative and answered any questions on Intune and explained the positive outcomes it can bring to your organisations. It is such a huge product, that is constantly evolving and growing. Remember, Insentra can help with all your Intune queries and more! Get in touch today with one of our friendly team.  

How do you get Intune? You can try Intune for free  

https://docs.microsoft.com/en-us/mem/intune/fundamentals/free-trial-sign-up


What is MAM in Microsoft?

MAM is an option for users who don't enroll their personal devices, but still need access to organization email, Teams meetings, and more. MAM is available on the following platforms: Android, iOS/iPadOS and Windows.

What is the difference between Intune MDM and MAM?

MDM is a way of securing mobile devices such as smartphones and tablets, whereas MAM secures the applications on those devices that are used to access organizational data, such as Outlook, SharePoint, and OneDrive. MDM software is typically designed to support one or more operating systems such as iOS and Android.

What are the features of MAM?

Core features of mobile application management systems include:

  • App configuration
  • App delivery (Enterprise App Store)
  • App performance monitoring
  • App updating
  • App version management
  • App wrapping
  • Crash log reporting
  • Event management

What MDM does Microsoft use?

Microsoft's own MDM service is Intune. Devices can be enrolled in device management, application management, or both: organization-owned devices are enrolled in Intune for mobile device management (MDM), while personal devices can use application management (MAM) without device enrollment.