Let’s check how to enable Intune App Protection Policies for Android and iOS devices. You can get more details and end-user experience from the video given below. The latest post is available for MAM policies are available – Step by Step procedure to create App Protection policies for iOS/iPadOS in Intune.
How to Enable Intune MAM without Enrollment and Azure AD Conditional Access | Endpoint Manager? Microsoft Intune supports MAM without enrollment (MAM WE) and Conditional Access policies for Android devices. There are two types of management options for Android devices with Intune.
The first one is the traditional way of MDM management, and the second way is the light management of apps installed on Android devices via Intune. The previous post discussed the Android MDM management options and end-user experience.
Video – End-user experience of Android Device MAM WE
Please check the video link
Mobile Application Management (MAM) Without Enrollment (WE) is a lightweight management option for Android devices. This option has some advantages over full MDM management options.
For example, if a consultant’s device has already enrolled in a 3rd part EMM solution, but he wants to have access to the client’s corporate mail access on his mobile device for a very short period, then, The “MAM WE” is the best option for that consultant. With MAM WE, Intune and Azure AD will ensure that corporate mail and other MAM-enabled applications are protected with MAM policies.
Intune – Mobile Apps – Apps – Skype for Business – Properties: – In the following example, you can see that Skype for Business application for Android has deployed with a deployment type called “Available with or Without enrollment.” So without enrollment deployment type is for MAM WE management.
The Intune “MAM WE” comes with a separate set of Conditional Access policies. This conditional access policy is different from MDM conditional access policy. So, you need to take little extra care when you deploy both CA policies to the same user groups. I would avoid using the same user group for both policies, or you could use the exclude groups options.
I would avoid deploying MDM CA policy to user groups whenever possible rather. I would deploy the MDM CA policy to device groups. Otherwise, we should have a different MDM CA user group and a MAM WE CA user group with unique users in both groups, which will be tricky.
Each MAM-enabled application comes with application protection policies (MAM app protection). We need to deploy these app protection policies to MAM WE user groups. Remember, these types (MAM WE) of policies can’t be deployed to Device Groups.
With an app protection policy, you will get an option to restrict corporate data relocation and App data encryption options. It’s very critical that you should create app protection policies and deploy them to MAM WE user groups.
End-User Experience – How to Enable Intune MAM without Enrollment
The video here will provide you with the Intune MAM WE real-time end-user experience. How to Enable Intune MAM without Enrollment and Azure AD Conditional Access | Endpoint Manager?
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…
Can you enforce MFA for MAM WE without also imposing it to MDM users? For example, if we want to enable MAM for specific apps such that users who are no enrolled with Intune can access these apps but require MFA for extra protection, where users that are enrolled are not required MFA – is this possible?
I think, this possible with different conditional access policies in new Azure Portal
Nice blog!
How can the applications be deployed on to the user device without enrollment? We are considering using Mobile Center Azure for this. For testing purpose can we side load the application as well? If so, do we still need to upload the app to Intune to assign the application with specific profile?
I this article – https://docs.microsoft.com/en-us/intune-classic/deploy-use/protect-app-data-using-mobile-app-management-policies-with-microsoft-intune
they mention “you can’t deploy apps to the device. The user has to get the apps from the store.” Can this be a private store?
How do you deploy MDM CA to device groups?
found it, but that is not applicable when using Intune hybrid. How can I use MAM CA and MDM CA when using Intune hybrid?
MAM CA or MDM CA – Are you looking for MAM CA and MDM CA for domain joined Windows 10 devices?
If so, we should have Domain Join option enabled in Azure CA. And also, Azure AD registration enabled (Write back) for domain joined devices. Also, there is a AAD connect dependency.
https://docs.microsoft.com/en-gb/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup
Hi,
Can I use CA for Users with Azure Ad Basic and Intune Direct license?
I think CA is available only for AAD Premium license
MAM-WE will be support to Windows mobile devices also??
As we are using MFA via conditional access.
I don’t whether it supports Windows mobile devices. MAM-WE for Windows is Windows Information Protection (WIP). I don’t whether WIP is supported for Windows mobile devices…I will try to check and post here
Do we need to set a MDM authority to use MAM-WE and conditional access.
If not, how will Intune know which user has installed an app that need to be managed.
Yes I think
You had said “I would avoid deploying MDM CA policy to user groups whenever possible rather. I would deploy the MDM CA policy to device groups. Otherwise, we should have a different MDM CA user group and a MAM WE CA user group with unique users in both groups, which will be tricky.”
I was told that we need to apply CA for user group only and you can use filter now for any device specific things. I have tried to apply for a dynamic device group but it did not work.