For organizations already managing corporate devices with Microsoft Intune through Mobile Device Management (MDM), extending protection to personal devices calls for a different tool: Mobile Application Management (MAM). The goal is to protect corporate data inside the apps that hold it, without taking management control of the whole personal device, which users reasonably see as invasive.
MAM in Intune allows the organization to manage and secure corporate applications and data on personal devices without enrolling the devices themselves into the management framework. This is particularly advantageous for supporting BYOD (Bring Your Own Device) policies, offering a flexible work environment while maintaining rigorous data security standards.
Implementing MAM enables the organization to enforce security policies on corporate data in applications, irrespective of the device ownership. It provides controls over how data is accessed and shared within apps and safeguards against data leaks without impacting the personal data on the device. This method ensures that personal privacy is respected, and that corporate IT can still exert the necessary controls over corporate resources.
This approach not only extends the utility of Intune but also aligns with modern workplace practices where employees are increasingly likely to use their personal devices for work purposes. By integrating MAM with existing MDM capabilities, organizations can achieve a balanced, secure, and user-friendly management system for both corporate and personal devices.
If you have been using Intune for managing corporate devices but now wish to extend protections to personal devices while keeping them unenrolled, the following steps provide a structured approach:
Configure Enrollment Restrictions
Step 1: Access Enrollment Restrictions
- Navigate to Devices -> Enrollment -> Device platform restriction in the Microsoft Intune admin center (formerly the Microsoft Endpoint Manager admin center).
Step 2: Set Device Platform Restrictions
- In the Enrollment restrictions section, click All Users for the Default policy.
- In the Properties section, click Edit next to Platform settings and make sure Personally owned is set to Block for Android Enterprise (work profile), Android device administrator, iOS/iPadOS, macOS, and Windows (MDM). This is what stops a personal device from being MDM-enrolled when its owner signs in; devices Intune already recognizes as corporate (for example, registered through Autopilot, Apple Business Manager, or corporate device identifiers) still enroll. If your organization does not corporately manage a specific device type, like Android in the image below, that entire platform can be set to Block.
- NOTE: If you cannot edit the Platform settings of the default profile, it is likely a licensing issue.
Block Enrollment Through Company Portal
Step 1: Customize Company Portal Settings
- Go to Tenant Administration > Customization in Intune, and Edit the Settings.
- Scroll down to the Configuration section and set the Company Portal enrollment experience to Unavailable. Users on unenrolled devices can then sign in to Company Portal and view available corporate applications without being prompted to enroll the device.
Create App Protection Policies
Step 1: Create Unmanaged Device Filters
- Intune removed the Unmanaged device type option from App Protection Policies when it added Windows MAM support (available from Windows 11 23H2). Without that option, unmanaged devices must be targeted with a managed-app assignment filter.
- Click Apps -> Filters (it’s in the Other section) and create a new Managed Apps filter.
- Call it Unmanaged Android Devices, and select Android for the Platform.
- On the Rules page, choose deviceManagement for the Property, Equals for the Operator, and Unmanaged for the Value. The rule syntax this produces is (app.deviceManagement -eq "Unmanaged").
- Repeat this process, creating an Unmanaged filter for iOS/iPadOS.
Step 2: Define Policy Settings
- Under Apps > App protection policies, create new policies for Android, iOS/iPadOS, and Windows.
- Select apps to protect and configure data protection settings like Encryption, Data Transfer limits, and Conditional Launch based on your organizational requirements, or consider implementing the OpenIntune Baseline policies located here.
Step 3: Assign Policies to Test Group
- On the Assignments page of the policy we’re creating, assign it to your test group, then click the Edit filter button.
- Choose Include filtered devices in assignment, select the Unmanaged Android Devices filter below, and click Select.
- Repeat the process for iOS/iPadOS and Windows devices.
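The same three steps (filters, policy settings, filtered assignment) can be scripted against the Microsoft Graph endpoints the portal uses. The block below is an added example for this article, not Microsoft's or the author's code: it creates the two Unmanaged managed-app filters, a minimal Android app protection policy, and assigns it to a test group limited by the Android filter. The group ID is a placeholder, the data-protection values are an illustration rather than the OpenIntune Baseline, and the Graph beta endpoints are assumed; iOS and Windows follow the same pattern with iosManagedAppProtections and windowsManagedAppProtections.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example (not from the original post). Assumptions: placeholder group ID,
# illustrative policy values, Graph beta endpoints for filters and app protection.

$TestGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your MAM test group
$Graph       = 'https://graph.microsoft.com/beta'

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'DeviceManagementApps.ReadWrite.All'

function Invoke-Graph {
    # Thin wrapper so every call sends JSON and returns the parsed response (a hashtable)
    param([string] $Method, [string] $Uri, [hashtable] $Body)
    $json = if ($Body) { $Body | ConvertTo-Json -Depth 10 } else { $null }
    Invoke-MgGraphRequest -Method $Method -Uri $Uri -Body $json -ContentType 'application/json'
}

function New-UnmanagedAppFilter {
    # Equivalent of Apps > Filters > Managed apps with rule deviceManagement Equals Unmanaged
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)]
        [ValidateSet('androidMobileApplicationManagement',
                     'iOSMobileApplicationManagement',
                     'windowsMobileApplicationManagement')]
        [string] $Platform
    )
    Invoke-Graph -Method POST -Uri "$Graph/deviceManagement/assignmentFilters" -Body @{
        displayName                    = $DisplayName
        description                    = 'Devices registered for MAM without MDM enrollment'
        platform                       = $Platform
        rule                           = '(app.deviceManagement -eq "Unmanaged")'
        assignmentFilterManagementType = 'apps'
    }
}

# Step 1: one filter per platform
$androidFilter = New-UnmanagedAppFilter -DisplayName 'Unmanaged Android Devices' `
                                        -Platform androidMobileApplicationManagement
$iosFilter     = New-UnmanagedAppFilter -DisplayName 'Unmanaged iOS Devices' `
                                        -Platform iOSMobileApplicationManagement

# Step 2: a minimal Android app protection policy. Data may only move between
# policy-managed apps, the app is PIN-gated, and app data is wiped after 90 days offline.
$policy = Invoke-Graph -Method POST -Uri "$Graph/deviceAppManagement/androidManagedAppProtections" -Body @{
    '@odata.type'                           = '#microsoft.graph.androidManagedAppProtection'
    displayName                             = 'MAM - Android personal devices (test)'
    allowedInboundDataTransferSources       = 'managedApps'
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
    saveAsBlocked                           = $true
    encryptAppData                          = $true
    screenCaptureBlocked                    = $true
    pinRequired                             = $true
    minimumPinLength                        = 6
    periodOfflineBeforeAccessCheck          = 'PT12H'   # ISO 8601 durations
    periodOfflineBeforeWipeIsEnforced       = 'P90D'
}

# Select the apps to protect (real Android package IDs for Outlook and Teams)
Invoke-Graph -Method POST -Uri "$Graph/deviceAppManagement/androidManagedAppProtections/$($policy.id)/targetApps" -Body @{
    apps = @(
        @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.androidMobileAppIdentifier'; packageId = 'com.microsoft.office.outlook' } },
        @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.androidMobileAppIdentifier'; packageId = 'com.microsoft.teams' } }
    )
}

# Step 3: assign to the test group, restricted by the filter ("Include filtered devices in assignment")
Invoke-Graph -Method POST -Uri "$Graph/deviceAppManagement/androidManagedAppProtections/$($policy.id)/assign" -Body @{
    assignments = @(
        @{
            '@odata.type' = '#microsoft.graph.targetedManagedAppPolicyAssignment'
            target = @{
                '@odata.type'                              = '#microsoft.graph.groupAssignmentTarget'
                groupId                                    = $TestGroupId
                deviceAndAppManagementAssignmentFilterId   = $androidFilter.id
                deviceAndAppManagementAssignmentFilterType = 'include'
            }
        }
    )
}

"Filters: $($androidFilter.id), $($iosFilter.id); policy: $($policy.id)"
```

The filter rule string is exactly what the portal's Property/Operator/Value picker generates, so a scripted filter and a clicked one are interchangeable; the assignment target carries both the filter ID and the filter type, which is the part most often missed when people script assignments and then wonder why the policy reaches enrolled devices too.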
Create Conditional Access Policies
Step 1: Create the Conditional Access Policy
- In the Endpoint Security section, go to Conditional Access and create a new policy from templates.
- Under the Devices category, choose the Require approved client apps or app protection policies template. Check the grant controls on the review page: Microsoft has announced the retirement of the Require approved client app grant, so Require app protection policy is the grant to rely on going forward.
- Name the policy to reflect its purpose (e.g., “Enforce MAM for Personal Devices”).
- Create the policy, leaving it in the default “Report-Only” setting.
Step 2: Modify policy assignment and enforcement
- Edit the completed policy. Under Users, exclude your break-glass (emergency access) accounts and any other exclusion accounts first; a Conditional Access policy must never be able to lock out every administrator.
- Change the included users from All users to your test group.
- Only then change Enable policy from Report-only to On.
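What the template produces can be expressed directly as a Conditional Access policy object. The block below is an added example for this article, not Microsoft's or the author's code: it creates the policy the template builds (grant satisfied by an approved client app or an app protection policy), scoped to a test group with a break-glass group excluded and in report-only state, and then provides a helper that switches it on only if an exclusion is present. The group IDs are placeholders; targeting the Office 365 resource and the Android/iOS platforms is an assumption, chosen because those are the clients the MAM grant controls can evaluate.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example (not from the original post). Assumptions: placeholder group IDs,
# Office 365 resource and Android/iOS platforms as the policy scope.

$TestGroupId       = '00000000-0000-0000-0000-000000000001'   # placeholder: MAM test group
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000002'   # placeholder: emergency-access accounts

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
$CaPolicies = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'

function New-MamConditionalAccessPolicy {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string[]] $IncludeGroupIds,
        [Parameter(Mandatory)] [string[]] $ExcludeGroupIds   # mandatory: no policy without an exclusion path
    )
    $body = @{
        displayName = $DisplayName
        # Report-only first: sign-in logs show what would have happened without blocking anyone
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeGroups = $IncludeGroupIds; excludeGroups = $ExcludeGroupIds }
            applications   = @{ includeApplications = @('Office365') }
            platforms      = @{ includePlatforms = @('android', 'iOS') }
            clientAppTypes = @('all')
        }
        grantControls = @{
            # "Require approved client apps OR app protection policies", as in the template
            operator        = 'OR'
            builtInControls = @('approvedApplication', 'compliantApplication')
        }
    }
    Invoke-MgGraphRequest -Method POST -Uri $CaPolicies `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json'
}

function Enable-ConditionalAccessPolicy {
    # Step 2 of the article: flip Report-only to On, refusing if no exclusion is configured
    param([Parameter(Mandatory)] [string] $PolicyId)
    $p = Invoke-MgGraphRequest -Method GET -Uri "$CaPolicies/$PolicyId"
    if (-not $p.conditions.users.excludeGroups -and -not $p.conditions.users.excludeUsers) {
        throw "Refusing to enable '$($p.displayName)': no break-glass exclusion configured"
    }
    Invoke-MgGraphRequest -Method PATCH -Uri "$CaPolicies/$PolicyId" `
        -Body (@{ state = 'enabled' } | ConvertTo-Json) -ContentType 'application/json'
}

$policy = New-MamConditionalAccessPolicy -DisplayName 'Enforce MAM for Personal Devices' `
                                         -IncludeGroupIds @($TestGroupId) `
                                         -ExcludeGroupIds @($BreakGlassGroupId)
"Created $($policy.id) in report-only mode. Review the sign-in logs, then run:"
"Enable-ConditionalAccessPolicy -PolicyId $($policy.id)"
```

If your tenant no longer offers the approved client app grant, drop approvedApplication from builtInControls and keep compliantApplication (the app protection policy grant) on its own; the enable helper's exclusion check is deliberately a hard stop rather than a warning.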
Testing and Validation
Step 1: Conduct Integration Tests
- Use test user accounts and devices to confirm that the app protection and Conditional Access policies work together as expected: on an unenrolled device, a policy-managed app such as Outlook or Teams should get access after registering with Intune and accepting the app PIN, while the same account in a non-protected browser on that device should be blocked.
Step 2: Monitor Policy Application
- Check Apps > Monitor > App protection status in Intune for per-user and per-app check-in status, and the Entra ID sign-in logs for each sign-in's Conditional Access result (which policy applied, whether it succeeded or failed, and which grant satisfied it).
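The sign-in log check in Step 2 is worth scripting so it can be repeated after every change. The block below is an added example for this article, not Microsoft's or the author's code: it pulls recent sign-ins for a test user and lists, for each one the MAM policy evaluated, the result and the grant that satisfied it. The test UPN is a placeholder, and the policy name assumes the example name used earlier in the article.

```powershell
#Requires -Modules Microsoft.Graph.Reports
# Added example (not from the original post). Assumptions: placeholder UPN, and the
# policy display name matches the article's example "Enforce MAM for Personal Devices".

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

function Get-MamPolicyOutcomes {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [string] $PolicyName = 'Enforce MAM for Personal Devices',
        [int]    $Hours      = 24
    )
    $since  = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since"

    foreach ($signIn in Get-MgAuditLogSignIn -Filter $filter -All) {
        # Each sign-in carries the list of CA policies evaluated and their outcome
        $applied = $signIn.AppliedConditionalAccessPolicies | Where-Object DisplayName -eq $PolicyName
        if (-not $applied) { continue }    # policy not in scope for this sign-in
        [pscustomobject]@{
            Time   = $signIn.CreatedDateTime
            App    = $signIn.AppDisplayName
            Client = $signIn.ClientAppUsed
            OS     = $signIn.DeviceDetail.OperatingSystem
            # success / failure while On; reportOnlySuccess / reportOnlyFailure while in Report-only
            Result = $applied.Result
            Grants = ($applied.EnforcedGrantControls -join ', ')
        }
    }
}

# Expected pattern: Outlook/Teams registered with Intune -> success (app protection grant);
# a non-protected browser on the same unenrolled device -> failure (or reportOnlyFailure).
Get-MamPolicyOutcomes -UserPrincipalName 'mam.tester@contoso.com' |
    Sort-Object Time -Descending | Format-Table -AutoSize
```

A run that shows only notApplied results for the test user means the sign-in never matched the policy's conditions (wrong group, platform, or resource), which is a scoping bug to fix before the policy is ever switched from Report-only to On.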
Documentation
Step 1: Document Configuration Settings
- Keep detailed records of all configurations and settings for internal IT use and for compliance purposes.
- If you want to automatically document your entire Intune implementation, a great script has been developed by MVP Thomas Kurth, and is available here.
User Training and Rollout
Step 1: Develop Training Materials
- Create user guides and training sessions to educate users about how to access and use corporate apps safely on their personal devices.
Step 2: Provide Support Resources
- Set up a helpdesk or support channel for users to address issues related to accessing corporate applications on their personal devices.
Step 3: Production Implementation
- When all tests have passed and users have been adequately prepared for the use of personal devices in the enterprise, edit the App Protection Policy assignments and the associated Conditional Access Policy, changing the target from the test group to All users while keeping the break-glass exclusions in place, and keep watching the app protection status report and sign-in logs after the change.