Enterprise mobility management (EMM) includes Mobile Device Management (MDM) and Mobile Application Management (MAM). It covers:

  • Protection of all Office 365 contents on any device
  • Intune Mobile Device Management and Mobile Application Management
  • Conditional Access to grant or block access
  • Session controls to protect corporate data in the browser

Management types

  • MAM just controls the corporate applications and data.
  • MDM controls the whole device.

(Image: comparison of what MDM and MAM control on a device)
Source: Microsoft


Mobile Device Management

Key facts

  • Fully manage a corporate-owned device for personal or shared use
  • Enrollment and configuration as well as installation of apps can be done by IT
  • More focus on security and compliance

Enrollment types

  • Windows: Autopilot
  • Apple: Apple Device Enrollment Program (DEP) - Apple Configurator
  • Android: Managed Google Play - token setup with work profiles, Android Open Source Project (AOSP), Android device administrator

You can restrict OS platforms, their versions and the ownership type allowed for MDM enrollment on the device platform restrictions page under Intune Enrollment.
(Image: Intune enrollment restrictions)

Device compliance policies

To ensure MDM devices stay secure and compliant, you should consider Intune compliance policies. The requirements in these policies differ per OS, but usually cover encryption, code integrity, OS versions, firewall, antivirus (and its version), real-time protection, device lock options or device threat levels. A device that fails these checks is marked non-compliant, which Conditional Access can then use to block access.

For more on MDM, I recommend my full tutorial path about Microsoft Intune Endpoint Management.


Mobile Application Management

Key facts

  • Protect the organizational data on a device (mostly personal BYOD), especially in Office 365 applications
  • More granular control options within corporate resources (apps)

App protection policies

App protection policies protect corporate data in managed apps and are part of Microsoft's MAM solution. They are available for iOS/iPadOS, Android and Windows 10 and later (more about Windows Information Protection). These policies are usually applied when the device is not corporate managed and also holds personal data. The danger is that corporate data could be exfiltrated to other workloads on the device. App protection policies consist of three sections:

  • Data protection - the protection, settings and functions in the corporate app or for sharing with other apps
  • Access requirements - defines the conditions under which the corporate app may be started
  • Conditional launch - sets the actions to take when certain requirements are not met

To adopt this service, I recommend Microsoft's Data protection framework using app protection policies, which is graded in three levels: Level 1 enterprise basic data protection, Level 2 enterprise enhanced data protection and Level 3 enterprise high data protection.

Data protection
(Image: app protection policy - data protection settings)

Access requirements
(Image: app protection policy - access requirements settings)

Conditional launch
(Image: app protection policy - conditional launch settings)
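As an added example (not code from the original post or from Microsoft), the following script checks an app protection policy body against the three sections just described. Property names follow the Microsoft Graph iosManagedAppProtection schema as I remember it, so verify them against the Graph reference before relying on them; both policy bodies are constructed samples and do not represent Microsoft's framework levels.

```python
"""Check an Intune app protection policy body against the three sections
described above: data protection, access requirements, conditional launch.

Property names follow the Microsoft Graph iosManagedAppProtection schema as
assumed here (verify against the Graph reference); both bodies are constructed
samples, not Microsoft's framework levels.
"""

# Constructed sample that keeps corporate data inside managed apps.
STRICT = {
    "@odata.type": "#microsoft.graph.iosManagedAppProtection",
    "displayName": "MAM iOS - corporate data",
    # Data protection: how data may leave the app
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedInboundDataTransferSources": "managedApps",
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "saveAsBlocked": True,
    "printBlocked": True,
    # Access requirements: how the app must be started
    "pinRequired": True,
    "minimumPinLength": 6,
    "simplePinBlocked": True,
    # Conditional launch: what happens when a check fails
    "maximumPinRetries": 5,
    "periodOfflineBeforeWipeIsEnforced": "P90D",
    "minimumRequiredOsVersion": "15.0",
    "deviceComplianceRequired": True,  # blocks jailbroken/rooted devices
}

# Constructed weak sample: every section has a gap, so data can leave the app.
LOOSE = {
    "@odata.type": "#microsoft.graph.iosManagedAppProtection",
    "displayName": "MAM iOS - defaults",
    "allowedOutboundDataTransferDestinations": "allApps",
    "allowedInboundDataTransferSources": "allApps",
    "allowedOutboundClipboardSharingLevel": "allApps",
    "saveAsBlocked": False,
    "pinRequired": False,
    "deviceComplianceRequired": False,
}

# Clipboard levels that do not let corporate text flow into unmanaged apps.
SAFE_CLIPBOARD = {"blocked", "managedApps", "managedAppsWithPasteIn"}


def check_data_protection(p):
    """Findings for the data protection section (sharing with other apps)."""
    f = []
    if p.get("allowedOutboundDataTransferDestinations") != "managedApps":
        f.append("outbound data transfer is not limited to managed apps")
    if p.get("allowedOutboundClipboardSharingLevel") not in SAFE_CLIPBOARD:
        f.append("clipboard can be pasted into unmanaged apps")
    if not p.get("saveAsBlocked"):
        f.append("Save As to local or other storage is allowed")
    return f


def check_access_requirements(p):
    """Findings for the access requirements section (how the app is started)."""
    f = []
    if not p.get("pinRequired"):
        f.append("no app PIN required")
    elif p.get("minimumPinLength", 0) < 6:
        f.append("app PIN shorter than 6 digits")
    return f


def check_conditional_launch(p):
    """Findings for the conditional launch section (actions when checks fail)."""
    f = []
    if not p.get("deviceComplianceRequired"):
        f.append("jailbroken/rooted devices are not blocked")
    if "minimumRequiredOsVersion" not in p:
        f.append("no minimum OS version enforced")
    if "periodOfflineBeforeWipeIsEnforced" not in p:
        f.append("data is never wiped after prolonged offline use")
    return f


def audit_app_protection(p):
    """Return {section: [findings]} containing only the sections with findings."""
    result = {
        "data protection": check_data_protection(p),
        "access requirements": check_access_requirements(p),
        "conditional launch": check_conditional_launch(p),
    }
    return {k: v for k, v in result.items() if v}


if __name__ == "__main__":
    for policy in (STRICT, LOOSE):
        print(policy["displayName"], "->", audit_app_protection(policy) or "OK")
```

Run it against a policy exported from Graph (GET /deviceAppManagement/iosManagedAppProtections) to see which of the three sections still leaves a data path open; the thresholds in the checks are my assumptions and should be aligned with the framework level you choose.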


Conditional Access

To grant access for both MDM and MAM, you should implement a Conditional Access policy that validates that the access attempt to any Microsoft Office 365 service comes from a managed device or a managed app. Read more about Conditional Access

(Image: MDM/MAM Conditional Access flow)

Access grant options

From a technical perspective, the following grant controls ensure that an access is secured by either MAM or MDM (some are only applicable to certain OS types). They are configured in the grant options of the policy and should be combined with "Require one of the selected controls", so that either a compliant device or a protected app is sufficient.
(Image: Conditional Access grant controls for MAM and MDM)

Sample iOS and Android mobile policy

  • Users or workload identities: include all users; exclude CA exclusion groups
  • Cloud apps or actions: include Office 365
  • Conditions: device platforms - include iOS, Android; client apps - include Mobile apps and desktop clients
  • Action: Grant access, require one of the selected controls: Require device to be marked as compliant (MDM), Require app protection policy (MAM)

Sample Windows policy

  • Users or workload identities: include all users; exclude CA exclusion groups
  • Cloud apps or actions: include Office 365
  • Conditions: device platforms - include Windows 10 and later; client apps - include Mobile apps and desktop clients
  • Action: Grant access, require one of the selected controls: Require device to be marked as compliant (MDM), Require Hybrid Azure AD joined device (MDM), Require app protection policy (MAM)
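As an added example (not code from the original post or from Microsoft), the following script builds both sample policies as Microsoft Graph request bodies and audits policy bodies for the "MDM or MAM" grant rule, so you can run it over exported policies and spot ones that let an unmanaged device through. Property names follow the Microsoft Graph conditionalAccessPolicy schema as I remember it (verify against the Graph reference); the exclusion group id is a placeholder and the "MFA only" policy is a constructed weak example.

```python
"""Build the two sample Conditional Access policies as Microsoft Graph request
bodies and audit policy bodies for the "MDM or MAM" grant rule.

Property names follow the Microsoft Graph conditionalAccessPolicy schema as
assumed here (verify against the Graph reference before use); the exclusion
group id is a constructed placeholder.
"""

CA_EXCLUSION_GROUP = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real group

# Built-in grant controls that prove the request came through MDM or MAM.
MDM_CONTROLS = {"compliantDevice", "domainJoinedDevice"}  # compliant / hybrid joined device
MAM_CONTROLS = {"compliantApplication"}                    # app protection policy applied

REPORT_ONLY = "enabledForReportingButNotEnforced"


def build_policy(name, platforms, controls, state=REPORT_ONLY):
    """Return a body for POST /identity/conditionalAccess/policies.

    Scope: all users minus the exclusion group, Office 365, the given platforms,
    mobile apps and desktop clients. operator "OR" implements "require one of
    the selected controls".
    """
    return {
        "displayName": name,
        "state": state,  # roll out in report-only first, then set "enabled"
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [CA_EXCLUSION_GROUP]},
            "applications": {"includeApplications": ["Office365"]},
            "platforms": {"includePlatforms": list(platforms)},
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": list(controls)},
    }


def mobile_policy(state=REPORT_ONLY):
    """Sample iOS and Android policy: compliant device (MDM) or app protection (MAM)."""
    return build_policy("Require MDM or MAM - iOS/Android", ["iOS", "android"],
                        ["compliantDevice", "compliantApplication"], state)


def windows_policy(state=REPORT_ONLY):
    """Sample Windows policy: compliant or hybrid joined device (MDM) or app protection (MAM)."""
    return build_policy("Require MDM or MAM - Windows", ["windows"],
                        ["compliantDevice", "domainJoinedDevice", "compliantApplication"], state)


def audit_policy(policy):
    """Return findings for one policy body; an empty list means it enforces MDM-or-MAM."""
    findings = []
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    has_mdm = bool(controls & MDM_CONTROLS)
    has_mam = bool(controls & MAM_CONTROLS)
    if not (has_mdm or has_mam):
        findings.append("grant has no MDM or MAM control: unmanaged devices and apps can pass")
    elif grant.get("operator") == "AND" and has_mdm and has_mam:
        findings.append('operator AND demands every control; use OR for "require one of"')
    if policy.get("state") != "enabled":
        findings.append("not enforced: state is %s" % policy.get("state"))
    client_apps = set((policy.get("conditions") or {}).get("clientAppTypes") or [])
    if "mobileAppsAndDesktopClients" not in client_apps and "all" not in client_apps:
        findings.append("mobile apps and desktop clients are not in scope")
    return findings


def audit_all(policies):
    """Map displayName -> findings for a list of exported policy bodies."""
    return {p.get("displayName", "?"): audit_policy(p) for p in policies}


# Constructed weak policy: MFA only, so an unmanaged phone with MFA still gets in.
MFA_ONLY = build_policy("MFA only - mobile", ["iOS", "android"], ["mfa"], state="enabled")

if __name__ == "__main__":
    import json
    print(json.dumps(mobile_policy(), indent=2))
    for name, found in audit_all([mobile_policy(state="enabled"), windows_policy(), MFA_ONLY]).items():
        print(name, "->", found or "OK")
```

The bodies can be posted with the Graph API or passed as -BodyParameter to New-MgIdentityConditionalAccessPolicy; the audit deliberately treats report-only as a finding, because a policy in that state logs the outcome but does not block anything.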

Protecting apps accessed from the browser

You may now ask how to protect Office 365 or other apps from browser access. The answer is Conditional Access App Control (read my dedicated blog post about it) with Microsoft Defender for Cloud Apps, which controls the browser session on any device.

This allows you to monitor or control app access and set granular session policies through Defender for Cloud Apps, such as restricting cut/copy/paste, requiring elevated authentication (MFA), securing uploads and downloads or controlling other activities. Read the Microsoft docs


Further considerations

  • Prepare a modern endpoint management solution such as Intune
  • Combine with a full security stack through Microsoft Defender
  • Think about different types of endpoints (physical, VM, BYOD) and their ownership types and user affinity
  • Define application lifecycle management
  • CASB/CA App Control integration to protect browser content on non-corporate devices
  • Integrate with Azure Information Protection with content classification and labeling (data classification, data loss prevention (DLP), data lifecycle management and information protection)