Let’s check how to enable Intune App Protection Policies for Android and iOS devices. You can get more details and end-user experience from the video given below.
How to Enable Intune MAM without Enrollment and Azure AD Conditional Access | Endpoint Manager? Microsoft Intune supports MAM without enrollment (MAM WE) and Conditional Access policies for Android devices. There are two types of management options for Android devices with Intune.
The first one is the traditional way of MDM management, and the second way is the light management of apps installed on Android devices via Intune. We discussed the Android MDM management options and end-user experience in the previous post.
List of Intune App protection enabled apps are available -> Supported Microsoft Intune apps | Microsoft Docs
Video – End-user experience of Android Device MAM WE
Please check the video link
Mobile Application Management (MAM) Without Enrollment (WE) is a lightweight management option for Android devices. This option has some advantages over full MDM management options.
For example, if a consultant’s device has already enrolled in a 3rd part EMM solution, but he wants to have access to the client’s corporate mail access on his mobile device for a very short period, then, The “MAM WE” is the best option for that consultant. With MAM WE, Intune and Azure AD will ensure that corporate mail and other MAM-enabled applications are protected with MAM policies.
Intune – Mobile Apps – Apps – Skype for Business – Properties: – In the following example, you can see that Skype for Business application for Android has deployed with a deployment type called “Available with or Without enrollment.” So without enrollment deployment type is for MAM WE management.
The Intune “MAM WE” comes with a separate set of Conditional Access policies. This conditional access policy is different from MDM conditional access policy. So, you need to take little extra care when you deploy both CA policies to the same user groups. I would avoid using the same user group for both policies, or you could use the exclude groups options.
I would avoid deploying MDM CA policy to user groups whenever possible rather. I would deploy the MDM CA policy to device groups. Otherwise, we should have a different MDM CA user group and a MAM WE CA user group with unique users in both groups, which will be tricky.
Each MAM-enabled application comes with application protection policies (MAM app protection). We need to deploy these app protection policies to MAM WE user groups. Remember, these types (MAM WE) of policies can’t be deployed to Device Groups.
With an app protection policy, you will get an option to restrict corporate data relocation and App data encryption options. It’s very critical that you should create app protection policies and deploy them to MAM WE user groups.
End-User Experience – How to Enable Intune MAM without Enrollment
The video here will provide you with the Intune MAM WE real-time end-user experience. How to Enable Intune MAM without Enrollment and Azure AD Conditional Access | Endpoint Manager?
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…