Microsoft Intune supports MAM without enrollment (MAM WE) and Conditional Access policies for Android devices. There are two types of management options for Android devices with Intune. First one is the traditional way of MDM management and the second way is the light management of apps which are installed on Android devices via Intune. We have discussed the Android MDM management options and end user experience in the previous post here.
Video – End-user experience of Android Device MAM WE – Here
Mobile Application Management (MAM) Without Enrollment (WE) is the light weight way of management option for Android devices. This option has some advantages over full MDM management options. For example, if a consultant’s device has already enrolled to a 3rd part EMM solution, but he wanted to have access to client’s corporate mail access on his mobile device for a very short period then, The “MAM WE” is the best option for that consultant. With MAM WE, Intune and Azure AD will ensure that corporate mail and other MAM enabled applications are protected with MAM policies.
Intune – Mobile Apps – Apps – Skype for Business – Properties: – In the following example, you can see that Skype for Business application for Android has deployed with a deployment type called “Available with or Without enrollment.” So without enrollment deployment type is for MAM WE management.
The Intune “MAM WE” comes with a separate set of Conditional Access policies. This conditional access policy is different from MDM conditional access policy. So, you need to take little extra care when you deploy both CA policies to same user groups. I would use avoid using same user group for both the policies or you could use the exclude groups options. I would avoid deploying MDM CA policy to user groups whenever possible rather I would deploy MDM CA policy to device groups. Otherwise, we should have different MDM CA user group and MAM WE CA user group with unique users in both the groups and that is going to be little tricky.
Each MAM enabled application comes with application protection policies (MAM app protection). We need to deploy these app protection policies to MAM WE user groups. Remember these types (MAM WE) of policies can’t be deployed to Device Groups. With app protection policy, you will get an option to restrict corporate data relocation and App data encryption options. It’s very critical that you should create app protection policies and deployed to MAM WE user groups.
End User Experience :-
The video here will provide you the Intune MAM WE real time end user experience.
- How to assign apps to groups with Microsoft Intune – here
- Protect app data using app protection policies with Microsoft Intune – here