How to configure Mobile Application Management (MAM) with Microsoft 365 Business (and Intune)
With a traditional MDM solution, the goal is typically to impose management controls at the device level–enforcing policies like pass code with automatic screen lock, encryption, and remote device wipe. It can also be helpful in tracking inventory of mobile devices. All of these “MDM” features are important, especially when the end points are corporately owned.
But the vast majority of small businesses do not provide corporate-owned and managed mobile device hardware to their employees. Most often, the SMB employee is “bringing their own device” (BYOD), and using corporate email and other applications alongside personal apps and data.
Enter Mobile Application Management (MAM). This is a solution available with Microsoft Intune subscriptions, included with Microsoft 365 Business and Enterprise plans, or via the Enterprise Mobility + Security suites. MAM allows administrators to exercise similar controls at the application level, instead of managing the devices themselves, which is ideal for a BYOD situation.
Today I am going to demonstrate how to configure MAM using a Microsoft 365 Business subscription. Later, in a follow-up post, I will add Azure AD Premium into the mix (sold separately from Microsoft 365 Business). Using Conditional Access, we can steer users toward the corporate approved apps, and enforce other rules which can raise our confidence level in the access requests coming from unmanaged devices.
A quick bit of history–when Microsoft 365 Business first came out, the full version of Intune was NOT part of the subscription, but this MAM functionality was still exposed via the 365 Admin center. However, full Intune capability is now available with the subscription bundle, so MDM policies will also be possible for you (hoping to see more easy-to-use policies added when the recently announced admin center updates are complete). I’ll keep an eye on this and post updates as this develops.
When you first setup the subscription you will have the opportunity to turn these policies on:
And then later, you will find them accessible also through the Microsoft 365 Admin center. Note: we are expecting some updates to the Admin Center soon, so these screens could look a little different by the time you read this, in the future. But right now you can find it located under Devices > Policies.
If you try to Add a new policy, at this time, we have the option for Application management policies (MAM) on Windows 10, Android and iOS. But you only have device configuration policies for Windows 10. Now that the full version of Intune is available as part of the Microsoft 365 Business subscription, I hope that we will see additional device-level management (MDM) options added here. *Fingers crossed*
Update: You should NOT use the Windows 10 application policies from this wizard. If you decide to use them, configure via Intune instead. You have been warned. I have not found any issues with the iOS/Android policies.
You can also Edit one of the existing policies to see what options you had selected during the initial setup, and so that you can change your mind and tweak them down the road.
Note that you can furthermore apply these policies, targeted to specific groups of users (by default they apply to all users). So you can have more or less restrictive policies. Just know that if two policies conflict, and a user falls under the scope of both of them, the more restrictive setting will always win.
View the policies in Intune
To see what this looks like under the hood, hop over to Microsoft Intune from the Admin centers area, and find Client apps > App protection policies. They should all show up in here.
Selecting one of them, you can browse the various settings and options–you will notice it is possible to manage additional apps, also. Choose Targeted apps.
Under Properties, you may even find a few other settings to expose, which are not available via the 365 admin center (yet).
Another time, as I mentioned above, we will look at how to layer Azure AD Premium on top of this setup (sold separately from Microsoft 365 Business), to enable Conditional Access–after all, when you aren’t managing devices, you may want other ways of “raising your confidence” in the access requests made against the application.