Our Blog

where we write about the things we love



Mobile Application Management without device enrolment

­Device enrolment (Mobile Device Management or MDM) is an easy way for organisations to enforce policies on company owned devices; company device = company rules. But what if you’re not using a company device, e.g. you support the use of BYOD? How do organisations provision for a more mobile workforce when users don’t want the company to have full control on their personal device?

The answer is Mobile Application Management (MAM) without device enrolment. MAM enforces data protection policies at the application layer associated with the users organisational account and not the device itself. Without company control over their personal device, users are more willing to access corporate data and line of business applications where and when they need, thus encouraging a more mobile workforce.

Without device enrolment organisations no longer have the ability to deploy mobile apps directly to devices. This means users who require access to corporate data via a mobile app must install the application on their device from the appropriate app store.

Data protection policies at the application level without device enrolment
Data protection policies at the application level without device enrolment

To configure MAM policies, you will need the following: 

  • Microsoft Intune subscription
  • Office 365 subscription to utilise multi identity support within apps
  • Azure Active Directory (Azure AD) used to authenticate user’s corporate credentials
  • The application(s) must support Mobile Application Management policies

Setting MAM polices in the Azure Portal

The Azure Portal is the new administration console for creating MAM policies. MAM policies created in the Azure Portal take precedence over the same MAM policies created and deployed within the Intune Administration Console. Existing MAM policies configured in the Intune Administration Console need to be re-created in the Azure Portal.

Adding a MAM policy in the Azure Portal is simple!

MAM supported apps are listed in the Azure portal. This set of applications is ever increasing as vendors realise the benefits of partnering with Microsoft to offer mobile corporate data security.

Supported pre-provisioned mobile apps - Android

Supported pre-provisioned mobile apps - Apple iOS

The list of supported pre-provisioned mobile apps by platform (as at the 5th of August, 2016)

If the application you need is not on the pre-provisioned list, don’t panic! Organisations are able to offer MAM security for line of business apps by either using the Microsoft Intune App Wrapping tool or applying the Intune SDK to the source code of the app. For more information on this, read Protect line of business apps and data on devices not enrolled in Microsoft Intune.

MAM policy settings platform specific ie. iOS or Android, and offer Data relocation and Access guidelines.

Platform specific MAM Policy settings: Android Platform specific MAM Policy settings: Android
Platform specific MAM Policy settings: Android

Platform specific MAM Policy settings: Apple iOS Platform specific MAM Policy settings: Apple iOS
Platform specific MAM Policy settings: Apple iOS

Apply the policy to a set of users directly or to a security group from your Azure AD, and you’re done! Users have secure access to corporate data using applications which support MAM on a device they are comfortable with.

And what happens when those employees leave? Simple: if they don’t have an organisation account, they don’t have access to work resources anymore.

If you are interested in trying Microsoft Mobile Application Management, sign up for the 30-day free Enterprise Mobility trial. If you wish to discuss Microsoft Mobile Application Management or Mobile Device Management, please feel free to contact Intergen.

Posted by: Vanita Parbhu, Infrastructure Consultant | 15 August 2016

Tags: Mobile applications, mobility, MDM, Mobile Device Management, MAM, Mobile Application Management

Blog archive

Stay up to date with all insights from the Intergen blog