MDM & MAM at a glance with Intune
Enterprise mobility management (EMM) includes Mobile Device Management (MDM) and Mobile Application Management (MAM). It covers:
- Protection of all Office 365 contents on any device
- Intune Mobile Device Management and Mobile Application Management
- Conditional Access to grant or block access
- Session controls to protect corporate data in the browser
Management types
- MAM just controls the corporate applications and data.
- MDM controls the whole device.
Source: Microsoft
Mobile Device Management
Key facts
- Fully manage a corporate-owned device for personal or shared use
- Enrollment, configuration and installation of apps can be carried out by IT
- More focus on security and compliance
Enrollment types
- Windows: Autopilot
- Apple: Apple Enrollment Program (DEP) or Apple Configurator
- Android: Managed Google Play (token setup) with work profiles, Android Open Source Project (AOSP) or Android device administrator
You can restrict OS platforms, their versions and ownership type for MDM enrollment on the Intune Enrollment device platform restrictions page.
Device compliance policies
To ensure MDM devices stay secure and compliant, you should consider Intune compliance policies. The requirements in these policies differ per OS, but typically cover encryption, code integrity, minimum OS version, firewall, antivirus (and its version), real-time protection, device lock options and device threat levels.
For more on MDM, I recommend my full tutorial path about Microsoft Intune Endpoint Management.
Mobile Application Management
Key facts
- Protect the organizational data on a device (mostly personal BYOD), especially in Office 365 applications
- More granular control options within corporate resources (apps)
App protection policies
App protection policies protect corporate data in managed apps and are part of Microsoft's MAM solution. They are available for iOS/iPadOS, Android and Windows 10 and later (more about Windows Information Protection). These policies are usually applied when the device is not corporate managed and also holds personal data. The risk is that corporate data could be exfiltrated to other workloads on the device. App protection policies consist of three sections:
- Data protection - the protection settings and functions within the corporate app and for sharing data with other apps
- Access requirements - defines how the corporate app must be launched
- Conditional launch - sets the actions taken when certain conditions are not met
To adopt this service, I recommend Microsoft's Data protection framework using app protection policies, which is graded in three levels: Level 1 enterprise basic data protection, Level 2 enterprise enhanced data protection, Level 3 enterprise high data protection.
Data protection
Access requirements
Conditional launch
Conditional Access
To grant access for either MDM or MAM, you should implement a Conditional Access policy that validates that the access attempt to any Microsoft Office 365 service comes from a managed device or app. Read more about Conditional Access
Access grant options
From a technical perspective, the following grant controls ensure that access is secured by either MAM or MDM (some only apply to certain OS types). They are configured under the Grant option and should be set to "require one of the selected controls".
Sample iOS and Android mobile policy
| Setting | Value |
|---|---|
| Users or workload identities | include: all users; exclude: CA exclusion groups |
| Cloud apps or actions | include: Office 365 |
| Conditions | device platforms include: iOS, Android; client apps include: Mobile Apps and Desktop Clients |
| Action | Grant access, require one of the selected controls: Require device to be marked as compliant (MDM), Require app protection policy (MAM) |
Sample Windows policy
| Setting | Value |
|---|---|
| Users or workload identities | include: all users; exclude: CA exclusion groups |
| Cloud apps or actions | include: Office 365 |
| Conditions | device platforms include: Windows 10 and later; client apps include: Mobile Apps and Desktop Clients |
| Action | Grant access, require one of the selected controls: Require device to be marked as compliant (MDM), Require Hybrid Azure AD joined device (MDM), Require app protection policy (MAM) |
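The two sample policies above expressed as Microsoft Graph conditionalAccessPolicy bodies, plus a small evaluator that shows what "require one of the selected controls" (operator OR) means for a sign-in. This is an added example, not code from the original post or from Microsoft; the exclusion group id is a placeholder and the evaluator only models the platform, client app and grant-control parts of the policy.

```python
"""Added example, not code from the original post: model the two sample Conditional
Access policies as Microsoft Graph conditionalAccessPolicy bodies and evaluate sample
sign-ins against the 'require one of the selected controls' (OR) grant semantics."""

# Placeholder group id for the "CA exclusion groups" row; not a real object id.
CA_EXCLUSION_GROUP = "00000000-0000-0000-0000-000000000000"

def build_policy(name, platforms, controls):
    """Build a Graph-style policy body. 'Office365', the platform names and the
    builtInControls values are the documented Graph enum values."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",  # start in report-only mode
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [CA_EXCLUSION_GROUP]},
            "applications": {"includeApplications": ["Office365"]},
            "platforms": {"includePlatforms": platforms},
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
        },
        # OR = "require one of the selected controls": MDM or MAM satisfies the grant
        "grantControls": {"operator": "OR", "builtInControls": controls},
    }

# compliantDevice      = "Require device to be marked as compliant" (MDM)
# domainJoinedDevice   = "Require Hybrid Azure AD joined device"    (MDM)
# compliantApplication = "Require app protection policy"            (MAM)
MOBILE_POLICY = build_policy("Mobile: MDM or MAM", ["iOS", "android"],
                             ["compliantDevice", "compliantApplication"])
WINDOWS_POLICY = build_policy("Windows: MDM or MAM", ["windows"],
                              ["compliantDevice", "domainJoinedDevice", "compliantApplication"])

def evaluate(policy, signin):
    """Return 'not_in_scope', 'granted' or 'blocked' for a sign-in described by
    platform, client_app and the set of grant controls the session satisfies."""
    cond = policy["conditions"]
    if signin["platform"] not in cond["platforms"]["includePlatforms"]:
        return "not_in_scope"
    if signin["client_app"] not in cond["clientAppTypes"]:
        return "not_in_scope"  # e.g. browser sessions are not covered by these policies
    grant = policy["grantControls"]
    required = set(grant["builtInControls"])
    satisfied = required & set(signin["satisfied_controls"])
    if grant["operator"] == "OR":
        return "granted" if satisfied else "blocked"
    return "granted" if satisfied == required else "blocked"  # AND: all controls needed
```

A BYOD Android sign-in that only satisfies the app protection policy is granted under the OR operator, while a browser sign-in falls outside these policies entirely, which is why the next section covers browser access separately.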
Protecting apps accessed from the browser
You may now ask how to protect Office 365 or other apps when they are accessed from the browser. The answer is Conditional Access App Control (read my dedicated blog post about it) with Microsoft Defender for Cloud Apps, which controls the browser session on any device.
This allows you to monitor or control app access and set granular policies through Defender for Cloud Apps, such as restricting cut/copy/paste, requiring elevated authentication (MFA), securing uploads and downloads, or other activities. Read the Microsoft docs
Further considerations
- Prepare a modern endpoint management solution such as Intune
- Combine with a full security stack through Microsoft Defender
- Think about different types of endpoints (physical, VM, BYOD) and their ownership types and user affinity
- Define application lifecycle management
- CASB/CA App Control integration to protect browser content from non-corporate devices
- Integrate with Azure Information Protection with content classification and labeling (data classification, data loss prevention (DLP), data lifecycle management and information protection)