Microsoft Intune - Mobile Application Management (MAM) standalone


Have you ever been asked the question “…after I enroll my device, what happens to the personal data on my device if I leave the company?” Sound familiar? I’ve heard this many times when speaking with organizations, and in the past the answer was “we have the right to delete everything on your device, so you had better back it up.” Not all employees are comfortable with this approach, because wiping a device means personal data such as photos, emails, text messages and game data may be deleted, especially if company policies restrict devices from saving data to cloud storage services.

Some Mobile Device Management (MDM) vendors have gone as far as building their own applications to segregate email and data. However, not all of these vendors specialize in developing and maintaining email and productivity apps, and as a consequence those apps may leave a security hole you didn’t anticipate. If you’ve standardized on, or your users prefer, Microsoft productivity apps such as the Outlook app, OneNote and OneDrive, be aware that 3rd party MDM vendors cannot apply policies to, or control, the Microsoft Office apps, whereas Microsoft can.

The good news is that both managing the device and applying Mobile Application Management (MAM) policies to applications are built into Microsoft Intune: once devices are enrolled and the policies are deployed, MAM policies flow to MAM-enabled applications such as the Microsoft Office apps.

Additionally, organizations that want to keep their current Mobile Device Management (MDM) solution and use Intune only to apply MAM policies to applications can now do exactly that with the recently released Mobile Application Management (MAM) standalone service.

Scenarios to consider when planning your MDM and MAM strategy:

  • Microsoft Intune MAM Only with no MDM at all = Yes
  • 3rd party MDM + Microsoft Intune MAM Only = Yes
  • Microsoft Intune for full MDM/MAM = Yes

For a list of Microsoft Intune MAM supported apps please visit: https://www.microsoft.com/en-us/cloud-platform/microsoft-intune-apps

Walk-Through of Microsoft Intune MAM standalone (w/o MDM)

The following demonstrates the new Microsoft Intune MAM standalone setup process, in which devices are not enrolled in MDM at all:

Azure Portal experience

Log into http://portal.azure.com

Select “New” and search for Microsoft Intune

[screenshot]

Locate Microsoft Intune (Intune (preview)):

[screenshot]

Right click on Intune and select “Pin to dashboard”

[screenshot]

The Intune mobile application management tile will now be pinned to the Azure Portal dashboard:

[screenshot]

Select the Intune tile to be taken to the management blade (slide out pages are called blades in the new Azure Portal):

[screenshot]

The first thing we need to do is create a MAM policy, for either iOS or Android. Do this by selecting App Policy, then Add a Policy from the next blade:

[screenshot]

Fill in the necessary information and select “Apps”. Select the apps you’d like to apply MAM policies to, then select “Select” at the bottom of the blade.

Note: not all MAM-enabled apps are available yet for MAM standalone. If you need to apply MAM policies to additional applications that support them, consider enrolling devices with Microsoft Intune and rolling out MAM policies from there.

[screenshot]

Next we need to configure the settings for the policy. Do this by selecting “Settings”. This is where we configure MAM policy settings such as blocking data from being copied or stored outside of MAM-managed applications (e.g. preventing cut, copy and paste from Word into unmanaged apps). When finished, select “OK” at the bottom of the blade.

[screenshot]

Select “Create” at the bottom of the “Add a policy” blade to create the policy. Once the policy is created, we’re ready to deploy it to users.

Note: Microsoft Intune MAM standalone policies are deployed to users, not devices. The policy follows the user's corporate identity into every MAM-enabled app that identity signs in to, on any device.

Lastly, we need to target the users the policy will be deployed to. Do this by selecting “User groups” from the policy blade. Find the group you’d like to add and press “Select” at the bottom of the User group blade (not shown in image):

Note: at this time, only groups can be selected. Best practice is to place the users who need MAM policies applied into a dedicated MAM-only group.

[screenshot]

That’s all that needs to be done to create and deploy Microsoft Intune MAM-only policies.
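The portal steps above (create the policy, choose the apps, set the data-transfer and PIN settings, assign a user group) can also be expressed as a script, which makes it possible to audit an existing policy for the settings that let data leave managed apps. The following is an added example and not code from the original post or from Microsoft: it assumes the Microsoft Graph beta `iosManagedAppProtection` resource and its `targetApps` and `assign` actions, and the bundle IDs, group ID and access token are placeholders.

```python
"""Build, audit and (optionally) push an Intune iOS app protection (MAM) policy.

Added example, not part of the original post. Property names follow the
Microsoft Graph beta `iosManagedAppProtection` resource (an assumption of
this example); bundle IDs, group ID and token are placeholders.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections"

# Placeholder iOS bundle IDs for the apps used in the walk-through (constructed).
WORD_IOS = "com.microsoft.Office.Word"
OUTLOOK_IOS = "com.microsoft.Office.Outlook"


def build_ios_policy(name: str) -> dict:
    """Return the request body for a policy matching the walk-through's intent:
    corporate data stays inside MAM-managed apps and an app PIN is required."""
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": name,
        "description": "MAM standalone: Office apps, no device enrollment",
        # Cut/copy/paste and Open-In/share only between policy-managed apps.
        "allowedOutboundClipboardSharingLevel": "managedApps",
        "allowedOutboundDataTransferDestinations": "managedApps",
        "allowedInboundDataTransferSources": "managedApps",
        # Corporate data may only be saved to corporate storage.
        "saveAsBlocked": True,
        "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
        "dataBackupBlocked": True,
        # Access control: app PIN plus periodic re-authentication.
        "pinRequired": True,
        "minimumPinLength": 6,
        "simplePinBlocked": True,
        "maximumPinRetries": 5,
        "organizationalCredentialsRequired": False,
        "periodOnlineBeforeAccessCheck": "PT30M",
        "periodOfflineBeforeAccessCheck": "PT12H",
        # Selective wipe of corporate data if the app stays offline too long.
        "periodOfflineBeforeWipeIsEnforced": "P90D",
    }


# Settings an auditor should flag on an existing policy: property -> weak values.
WEAK_SETTINGS = {
    "allowedOutboundClipboardSharingLevel": {"allApps"},
    "allowedOutboundDataTransferDestinations": {"allApps"},
    "pinRequired": {False},
    "saveAsBlocked": {False},
    "dataBackupBlocked": {False},
}


def audit_policy(policy: dict) -> list:
    """Return findings for settings that let corporate data leak out of
    MAM-managed apps. A missing property is flagged too. Empty list = tight."""
    findings = []
    for prop, weak_values in WEAK_SETTINGS.items():
        value = policy.get(prop)
        if value is None or value in weak_values:
            findings.append(f"{prop}={value!r}")
    return findings


def push_policy(token: str, policy: dict, bundle_ids: list, group_id: str) -> str:
    """Create the policy, target the listed apps, then assign it to one Azure AD
    group (mirrors the portal's Apps and User groups blades). Network calls;
    not exercised offline. Returns the new policy id."""
    def call(url, body):
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()           # targetApps/assign return an empty 204
            return json.loads(raw) if raw else {}

    policy_id = call(GRAPH, policy)["id"]
    apps = [{"mobileAppIdentifier": {
                "@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                "bundleId": b}} for b in bundle_ids]
    call(f"{GRAPH}/{policy_id}/targetApps", {"apps": apps})
    call(f"{GRAPH}/{policy_id}/assign", {"assignments": [{
        "target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                   "groupId": group_id}}]})
    return policy_id


if __name__ == "__main__":
    policy = build_ios_policy("MAM standalone - Office iOS")
    print(json.dumps(policy, indent=2))
    print("findings (new policy):", audit_policy(policy))
    # Constructed example of a lax policy as returned by GET .../iosManagedAppProtections/{id}
    lax = {"displayName": "legacy", "allowedOutboundClipboardSharingLevel": "allApps",
           "pinRequired": False}
    print("findings (lax policy):", audit_policy(lax))
    # push_policy("<token>", policy, [WORD_IOS, OUTLOOK_IOS], "<mam-only-group-id>")
```

The `audit_policy` check is the part worth keeping around: run it over the policies your tenant already has before trusting that "data cannot leave managed apps" holds, since a policy that was created with the defaults still allows clipboard sharing to all apps.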

iOS/Android experience

Now that the MAM policies are created and deployed, let’s walk through how the policy is applied. For this demonstration, I’m using an iOS device and the Word app, however the Android experience is similar.

Find and download Microsoft Word from the App Store (if you need to deploy the app yourself, consider enrolling devices with Microsoft Intune). Once Word is downloaded, open the Word app and add the account of a user who is a member of the Azure AD group added to the MAM policy. Once the user is signed in, they’ll receive an alert similar to the image below. Select “OK” to close the app after 5 minutes or “Close” to close it immediately. Behind the scenes, the Microsoft Intune standalone MAM policy is being applied and the Word app needs to restart for it to take effect.

[screenshot]

Once users re-launch the Word app, they’ll see the following:

[screenshot]

To test the MAM policy, create a new Word document and save it to the corporate O365 account (mine is the top account, named cbazureintune.com):

[screenshot]

If the policy is set to require a PIN, your users will be asked to set an app PIN at this point:

[screenshot] [screenshot]

After the PIN is configured, name the document and save it to the corporate OneDrive account:

[screenshot]

This concludes the walk-through of Microsoft Intune Mobile Application Management standalone.

Stay tuned for additional updates via the Microsoft Intune Blog: http://blogs.technet.com/b/microsoftintune/

Comments (6)

  1. broonie27 says:

    But you still haven't answered the question “…after I enroll my device, what happens to the personal data on my device if I leave the company?”.

    For example, say I have a MAM policy in place for Word; I have personal word files and I have corporate word files. What happens when I leave the company? How does an IT admin even invoke the removal of the data?

    1. Hi, the data is removed from the device.

      1. Milandon says:

        Courtenay, you mean that the CORPORATE data is removed, NOT the personal data.

        To wit:

        "Remotely wipe corporate data

        IT administrators can remotely wipe corporate data from an Intune-managed app when the device is unenrolled from Microsoft Intune. This feature is identity-based and will delete only the files that relate to the corporate identity of the end user. To do that, the feature requires the app’s participation. The app can specify the identity for which the wipe should occur based on user settings. In the absence of these specified user settings from the app, the default behavior is to wipe the application directory and notify the end user that company resource access has been removed."

        https://docs.microsoft.com/en-us/intune/develop/intune-app-sdk

        Correct? Or is the answer "better backup your data as the company has the right to delete all info"?

        1. Hi, corporate identity and data will only be removed from MAM managed apps when a wipe is issued. Personal accounts/data will remain intact.

  2. Subodh Kumar says:

    Any plan to add the Windows platform to Intune MAM, for Windows Mobile?

    1. Yes, with Windows Information Protection, which is available with the Windows 10 Anniversary Update. The policies may be deployed with Intune or SCCM.
