Support Tip: Setting up communication between MAM-managed and MDM-managed apps


Updated 11/2/17 with the Office Message Center post details. Updated 11/17 with new section on corporate data. Updated 11/29 with APP section.

We hear occasionally from customers that they want apps managed by App Protection – better known as Mobile Application Management (MAM) – to allow communication with apps managed by Mobile Device Management (MDM) on iOS devices.

Let's say you configure MAM app protection policies for Outlook, and you also deploy a third-party PDF viewer using Intune MDM. This viewer app does not have the Intune Software Development Kit (SDK), so you can't assign MAM policies. If users try to open Outlook attachments in the viewer, they will get an error. If you want to allow data transfer between the MAM app and MDM-deployed app, see https://aka.ms/app_data_transfer for how to set up this scenario.

If you have already set this up in Intune, you'll want to set it up again after the backend migration that merges the MAM and MDM channels. More information and timing on the backend migration will be coming shortly through our targeted communication channel in the Office Message Center.

Remove Corporate Data Experience Through Channel Integration
When you (an IT admin) perform a “remove corporate data” action on a device, it used to result in a selective wipe in the Office apps. The apps would be left on the device, but the corporate data in them would be removed. Based on customer requests for corporate data improvements, the Office apps are now completely removed from the device. The apps no longer stay behind as part of “remove corporate data”. This removal could include personal data in the apps.

Multiple Application Protection policies (APP) post Intune MDM and MAM channel integration
Click here to learn about different app deployment scenarios where you may see duplicate App Protection policies.

Let us know if you have any questions!

BTW - this post was originally written to provide some support for the MDM and MAM channel integration. For those of you who found this post through search rather than through the link from the Office Message Center post, here's the original posting in the OMC:

MC120514: Upcoming Intune MDM and MAM channel integration

Now that most customers are using Intune on Azure for your Mobile Device Management (MDM), we are going to start doing some backend work to merge the Intune App Protection (also known as Mobile App Management, or MAM) and MDM policy channels. This will ultimately lead to all MAM capabilities being consolidated in one single blade within Intune on Azure, versus needing to go in multiple blades or in different Intune consoles. While we do not expect impact of this backend work for most customers, there are a few edge cases and workarounds we would like you to be aware of.

How will this affect me?
If you use both MDM and MAM in the Intune Silverlight (manage.microsoft.com) console, we are migrating your settings to the Intune on Azure portal. This is in the backend, so the policy migration itself will not be visible to you. However, after migration, you will not be able to use the Intune Silverlight console for any MAM policy changes, as this will become read-only. Instead, you’ll use the MAM console in the Azure portal (aka.ms/mamconsole) or the MAM blade in the Intune on Azure console (aka.ms/mam_intune).

What do I need to do to prepare for this change?
Please evaluate if you have either of the two scenarios described below set up, and take the appropriate actions if needed to ensure that everything works as expected post migration. It will take at least the next month for the team to migrate all customer MDM and MAM settings.

  • If you haven’t done so already, rewrap your iOS Line of Business (LOB) apps with the Intune App Wrapping tool for iOS (version 7.1.1) as was communicated in a prior post. This wrapping tool has the MAM—MDM policy channel switch coded into the wrapper. If you do not do this rewrap, your iOS LOB apps will not work as expected.
  • If you want to allow data transfer between MAM-managed and MDM-managed apps with Intune, please refer to our support tip blog post, accessible from the Additional Information link (and the additional information links point to this post!).
Comments (6)

  1. Xperteks says:

    Good comparative explanation between MAM-managed and MDM-managed apps gives a good start. It moves towards a more secure data protected future. Will keep an eye for more updates about the same from you.

  2. Russ138 says:

    “If you want to allow data transfer between MAM-managed and MDM-managed apps with Intune, please refer to our support tip blog post, accessible from the Additional Information link”

    There is no “Additional Information link” on this page.

    1. “If you want to allow data transfer between MAM-managed and MDM-managed apps with Intune, please refer to our support tip blog post, accessible from the Additional Information link” is actually the content from an Office Message Center post. The Additional Information link from the message was linked to this support blog post.

  3. Matt says:

    How does one check what has been configured where? I have had Conditional Access policies in the Silverlight console, which I migrated to Azure according to https://docs.microsoft.com/en-us/intune/conditional-access-intune-reassign. I have Intune cloud app protection policies (which I thought were MAM) configured, I also see I have “Intune App Protection” Exchange and SharePoint conditional access policies configured, and an Intune admin before me may have configured MAM policies in the classic portal. How do I go about evaluating my scenarios and managing the policies in one place? How do I remove the old policies which are read only? It’s all VERY confusing at the moment!

    1. Matt, we have another support tip on our blog that could help make things less confusing for you. You can read it here: https://blogs.technet.microsoft.com/intunesupport/2017/11/16/support-tip-conditional-access-policies-for-intune-will-now-be-available-in-azure-active-directory/
      Basically, you will find all your Conditional Access policies in Azure AD and all Intune related policies in Intune on Azure. Hope this helps!
