In this video, Pete Zerger explains how Microsoft Intune mobile app management gives IT control over corporate data on users' personal mobile devices, without impacting user productivity or touching personal data, enabling app and data management in bring
- [Instructor] Today, preventing data loss on company-managed devices is only half the battle. Your employees use mobile devices for both personal and work tasks. While you're making sure your employees can be productive, you also want to prevent data loss, intentional and unintentional. And you want to protect company data that employees access, even when they're using devices that you don't manage, as in bring your own device, or BYOD, scenarios. We can address this with Intune mobile app management, or MAM.
With Intune MAM, we can prevent data loss on personal devices accessing corporate data, even when MDM, or mobile device management, is not an option. With Intune MAM configured to protect an application on a BYOD device, the user installs the app from the app store, they log in with their Office 365 credentials, Azure AD verifies the app and user are allowed to access Office 365, Intune applies MAM policies to managed apps, access to Office 365 is granted, and the user continues to use the app as they normally do.
Which devices are covered by Intune MAM? Devices enrolled in Microsoft Intune, devices enrolled in a third-party MDM solution. Both of these tend to be corporately-owned devices, but also covered are devices not enrolled in any MDM solution, typically personal devices. Which apps are covered by Intune MAM? You can create app protection policies for Office mobile apps that connect to Office 365 services. Bear in mind that app protection policies are not supported for apps that connect to on-premises Exchange, Skype for Business, or SharePoint services hosted in your data center.
Here's the current list of apps in my Intune tenant, and the list of managed apps is growing all the time. The value proposition of app protection policies is pretty simple. They protect company data at the app level, because device management isn't required, and they center on user identity. User productivity is not impacted and policies are not applied when the app is being used in a personal context. They're only applied in the work context, which gives you the ability to protect company data without touching personal data.
Which platforms support MAM? Currently, iOS 8.1 or later, Android 4 or later. You might be surprised to learn that Windows Mobile is not supported by MAM policies; however, you can use Windows Information Protection once these devices are enrolled in Intune, which offers similar functionality. When users can use apps without restrictions, they can intermingle work and personal data, and apps in storage outside IT control. Without MAM protection, they're moving that data around, potentially copying data to locations that you have no influence in managing.
With MAM protections, IT can restrict access and use, preventing Save As, restricting copy, cut, and paste, even requiring a PIN for access, as well as blocking managed apps running on jailbroken or rooted devices. App protection on managed devices gives us an additional layer; there's a complementary capability here. With MDM, we enroll the device, deploy apps to the device, and provide ongoing management, while MAM adds value by preventing data leakage to consumer apps and services, applying usage restrictions, and enabling us to wipe company data selectively from the app.
On unmanaged devices, as you'll see in the diagram here, we can protect corporate data, governing the app when used in the work context, but this does come with some limitations. We can't control device settings, we can't deploy apps, we can't deploy certificates, nor can we deploy VPN or Wi-Fi profiles to those unmanaged devices. Some managed apps, like the Outlook app for iOS and Android, support multi-identity.
This means that Intune applies management settings only to the corporate accounts or data in the app. Apps that support multi-identity, like the Outlook and OneDrive apps for iOS and Android, let you use different accounts, both work and personal, to access the same apps and data, while app protection policies are applied only when the apps are used in the work context. Do bear in mind that some apps, like Outlook, are multi-identity but support only a single work identity.
But in the end, Intune MAM gives us control over our corporate data, even without control of the mobile device.
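As an added example that is not from the course or from Microsoft: a PowerShell script against Microsoft Graph that builds one iOS app protection policy enforcing the restrictions Pete lists (PIN to open, Save As blocked, cut/copy/paste limited to managed apps, managed apps blocked on jailbroken devices) and targets it at the Outlook app, then reads the policy back so you can confirm the settings before assigning it to a user group. It requires the Microsoft.Graph PowerShell module; the Graph property names and enum values, the mapping of the jailbreak block to deviceComplianceRequired, the Outlook bundle ID, and the policy name are assumptions to verify against the Graph reference for your tenant's API version.

```powershell
# Added example (not the course's or Microsoft's code). Creates an iOS app
# protection policy implementing the MAM restrictions described in the video.
# Assumptions: property names follow the Graph managedAppProtection resource,
# the targetApps action exists on iosManagedAppProtection, and the bundle ID
# below is Outlook for iOS. Verify all three against the Graph reference.

Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$graph = "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections"

$policy = @{
    "@odata.type" = "#microsoft.graph.iosManagedAppProtection"
    displayName   = "BYOD iOS - Office apps"        # hypothetical policy name
    description   = "MAM policy for unmanaged (BYOD) iOS devices"

    # Require a PIN before the app opens in the work context
    pinRequired       = $true
    minimumPinLength  = 6
    simplePinBlocked  = $true
    maximumPinRetries = 5

    # Block Save As; allow cut/copy/paste only between managed apps
    saveAsBlocked                           = $true
    allowedOutboundClipboardSharingLevel    = "managedApps"
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundDataTransferDestinations = "managedApps"

    # Keep corporate data out of consumer storage, backups and print
    allowedDataStorageLocations = @("oneDriveForBusiness", "sharePoint")
    dataBackupBlocked           = $true
    printBlocked                = $true

    # Conditional launch: block managed apps on jailbroken devices
    # (assumed to map to the compliance requirement; confirm in your tenant)
    deviceComplianceRequired = $true

    # Re-check credentials online periodically; wipe app data if offline too long
    periodOnlineBeforeAccessCheck     = "PT30M"
    periodOfflineBeforeAccessCheck    = "PT12H"
    periodOfflineBeforeWipeIsEnforced = "P90D"
}

$created = Invoke-MgGraphRequest -Method POST -Uri $graph `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Target the policy at a managed app. The bundle ID is an assumption; confirm
# it from the app's listing in your Intune tenant before relying on it.
$targets = @{
    apps = @(
        @{
            mobileAppIdentifier = @{
                "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                bundleId      = "com.microsoft.Office.Outlook"
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/$($created.id)/targetApps" `
    -Body ($targets | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Read the policy back and show the settings that matter for data loss
# prevention, so a reviewer can confirm them before the policy is assigned.
Invoke-MgGraphRequest -Method GET -Uri "$graph/$($created.id)" -OutputType PSObject |
    Select-Object displayName, pinRequired, saveAsBlocked,
                  allowedOutboundClipboardSharingLevel, deviceComplianceRequired
```

The policy is deliberately created without any group assignment, so nothing takes effect until you review the read-back values and assign it; clipboard sharing is set to `managedApps` rather than `blocked` so users can still move data between Office apps in the work context, which is the productivity balance the video describes.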
In this course—the first in the series—Microsoft MVP Pete Zerger takes you through the basics of setting up endpoint protection. He begins by explaining how to set up Azure Active Directory Premium. Next, he goes into enabling multi-factor authentication, followed by setting conditions for secure access. To wrap up, Pete covers managing mobile devices with Intune, and publishing applications with Azure AD App Proxy.
- Setting up Azure Active Directory for an organization
- Enabling user-level and application-level multi-factor authentication
- Setting conditions for secure access
- Planning a mobile device management (MDM) strategy
- How Intune (standalone) MDM works
- How Intune mobile application management works
- Publishing applications with Azure AD App Proxy
- Assigning users and groups