Does MAM require Intune device enrollment?
Enterprise mobility management (EMM) includes Mobile Device Management (MDM) and Mobile Application Management (MAM). It includes:
Management types
Mobile Device Management
Key facts
Enrollment types
You can restrict OS platforms, their versions and ownership type for MDM enrollment on the Intune Enrollment device platform restrictions page.
Device compliance policies
To ensure MDM devices stay secure and compliant, you should consider Intune compliance policies. The requirements in these policies differ for each OS, but usually cover encryption, code integrity, OS versions, firewall, antivirus (version), real-time protection, device lock options or device threat levels. To expand on MDM, I recommend my full tutorial path about Microsoft Intune Endpoint Management.
Mobile Application Management
Key facts
App protection policies
App protection policies protect corporate data in managed apps and are part of Microsoft's MAM solution. They are available for iOS/iPadOS, Android and Windows 10 and later (more about Windows Information Protection). These policies are usually applied when the device is not corporate-managed and also holds personal data. The danger is that corporate data could be exfiltrated to other workloads on the device. App protection policies consist of three sections:
Data protection
Access requirements
Conditional launch
To implement this, I recommend Microsoft's Data protection framework using app protection policies, which is graded in three levels: Level 1 enterprise basic data protection, Level 2 enterprise enhanced data protection, Level 3 enterprise high data protection.
Conditional Access
To grant access for both MDM and MAM, you should implement a Conditional Access policy that validates that the access attempt to any Microsoft Office 365 service is coming from a managed device or app. Read more about Conditional Access.
Access grant options
From a technical perspective there are the following grant controls which ensure an access is secured by either MAM or MDM (some are only applicable to certain OS types). This is included in the grant option, and should be set to "require one of the selected controls".
Sample iOS and Android mobile policy
Sample Windows policy
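The two sample policies above, written out as Conditional Access policies created with the Microsoft Graph PowerShell SDK (New-MgIdentityConditionalAccessPolicy). This is an added example, not configuration from the original post; it assumes the Microsoft.Graph module is installed, the group and account ids are placeholders you replace, and both policies are created in report-only mode so sign-in logs can be reviewed before enforcement.

```powershell
# Added example (not from the original post): creates the two Conditional Access
# policies described above with the Microsoft Graph PowerShell SDK. Assumes the
# Microsoft.Graph module is installed and that the placeholder ids are replaced.
# Both policies start in report-only mode so sign-in logs can be reviewed first.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$pilotGroupId = "<pilot-group-object-id>"         # placeholder: object id of a test group
$breakGlassId = "<break-glass-account-object-id>" # placeholder: emergency access account

# iOS/iPadOS and Android: the app must be protected by an Intune app protection
# policy (MAM) OR the device must be marked compliant by Intune (MDM).
$mobilePolicy = @{
    displayName = "Office 365 - mobile - require MAM or compliant device"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"   # "require one of the selected controls"
        builtInControls = @("compliantApplication", "compliantDevice")
    }
}

# Windows: this example relies on device-based controls, an Intune-compliant
# device OR a hybrid Azure AD joined (domain-joined) device.
$windowsPolicy = @{
    displayName = "Office 365 - Windows - require compliant or hybrid joined device"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("windows") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $mobilePolicy
New-MgIdentityConditionalAccessPolicy -BodyParameter $windowsPolicy
```

Switch state to "enabled" only after the report-only results in the sign-in logs show no unexpected blocks for the pilot group.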
Protecting apps accessed from the browser
You may now ask how to protect Office 365 or other apps from browser access. The answer is: Conditional Access App Control (read my dedicated blog post about it) with Microsoft Defender for Cloud Apps to control the browser session on any device. This allows you to monitor or control app access and set granular policies through Defender for Cloud Apps, such as restricting cut/copy/paste, requiring elevated authentication (MFA), securing uploads and downloads, or controlling other activities. Read the Microsoft docs.
Further considerations
Does Intune MAM require Company Portal?
You don't need to enroll your device in Intune to use work or school apps, unless it's required by your organization, but you do need to have the Intune Company Portal app installed on your device.
Is MAM part of Intune?
Microsoft Endpoint Manager (Intune) can configure and protect apps on mobile devices by leveraging app protection policies. This Intune Mobile Application Management (MAM) feature secures corporate data at the app level for iOS and Android devices.
What is the difference between MDM and MAM in Intune?
MDM is a way of securing mobile devices such as smartphones and tablets, whereas MAM secures the applications on those devices that are used to access organizational data, such as Outlook, SharePoint, and OneDrive. MDM software is typically designed to support one or more operating systems such as iOS and Android.
How do you set up Intune MAM?
To configure the MAM provider:
1. Choose Mobility (MDM and MAM) in the Manage group.
2. Click Microsoft Intune.
3. Configure the settings in the Restore default MAM URLs group on the Configure pane.
4. Use MAM auto-enrollment to manage enterprise data on your employees' Windows devices.