A Helicopter Tour of Intune, MAM, MDM and Conditional Access
As an IT pro, you’re likely juggling conflicting interests, especially when it comes to end-user device management. How do you ensure that your users can work from anywhere while protecting your company’s data?
Even before the lockdown, this was a challenge. And as budgets tighten, the pressure is on to ‘do more with less’. As we transition to a return to the workplace, now is an ideal opportunity to modernise your approach. Because whatever the future looks like, you need tools that meet the needs of your users and organisation in an agile and secure way.
At a high level, here is an overview of Intune’s features and functionality:
- MAM – mobile application management
- MDM – mobile device management
- Conditional Access
- The Intune company portal app
How does Intune protect my company’s data on corporate and personal devices?
Intune helps to safeguard your organisation’s data in three fundamental ways:
1. Mobile Device Management (MDM) – you control the device settings to manage which device can access what data. You can also wipe data and retire devices.
2. Mobile Application Management (MAM) – instead of securing the devices, you secure the data on them – for example, company emails in the Outlook app.
3. Desktop Management (Windows PCs and Macs) – ensure that only secure and compliant desktops can access your organisation’s data. For example, maintain Windows updates and the correct configuration settings.
Does Intune protect employee-owned and third-party devices?
Yes, even on devices you don’t manage, Intune secures your data and applications. It applies across three scenarios:
1. Company-owned or company-managed devices – giving you total control over your organisation’s devices. Secure your data and manage what users can and can’t do – even down to changing the wallpaper.
2. Employee-owned or employee-managed devices – with the growth of BYOD, more employees are using personal devices to access company email and cloud services, like OneDrive for Business. Enable productivity, ensure their devices are in a fit state and keep on top of your data and security.
3. Third-party managed devices – a scenario we’ve seen a lot in lockdown. Devices or data that are secured by a third-party system or MDM. In this scenario, we can protect specific applications using MAM while the third-party system or MDM still controls the device settings.
What are Intune’s licensing options?
There are three Intune licensing options:
- A standalone licence within Office 365.
- As part of the EMS suite and your Microsoft 365 user licences. This also gives you Azure AD (Active Directory) Premium and conditional access functionality.
- Device-based licensing for devices that are not tied to a particular user. For example, a kiosk taking orders in a retail store, or a handheld device for servers in a restaurant.
What is Mobile Application Management (MAM)?
MAM enables you to control user access and quickly and easily secure your organisation’s data using Office 365 EMS (Enterprise Mobility and Security).
MAM is especially relevant to the COVID era, as you don’t need to touch the devices. Benefits include:
- Selective wipe, so you don’t inadvertently delete your users’ private data.
- Prevent data leakage via encryption, copy and paste restrictions and additional policies. For example, stop someone copying the content of an email from the Outlook app into their personal ActiveSync email account, or stop users downloading files from OneDrive onto their device, without having to control the device itself.
- Protect your corporate applications and line of business apps using Intune’s wrapping tool.
- Take a lower-level approach to document or data protection using Azure Rights Management. The key here is that you’re only protecting data that your company has an interest in.
- Encryption at rest. You can only apply MAM policies once the application is encrypted. It creates a partition in the storage of the device which protects the corporate data inside it.
- Apply access control to applications. For example, only permit access to the corporate Outlook app using a PIN.
- When a user leaves the business, or if they lose their device, you can safely remove corporate data without touching the device or deleting personal data.
You can apply mobile application management with or without mobile device management; you don’t need to control the whole device. And MAM doesn’t just protect corporate or Microsoft apps – it protects third-party applications too.
Do I need to enrol devices to use Mobile Application Management (MAM)?
No, your users just install the app and get the familiar Office experience without enrolling their devices.
The Mobile Application Management policies protect only the data stored in the corporate profile.
What are examples of applications that are protected using MAM policies?
These include popular ones for the COVID era, such as Microsoft Teams, the Outlook app and OneDrive. You can also protect your data in third-party applications such as Zoom, Citrix and ServiceNow.
And if you have any custom or line of business applications, you can use the Intune app SDK to wrap and protect your apps. Or you can build MAM capabilities into the app itself while you develop it. To access the full list of apps supported by MAM policies, visit this link:
How does Intune improve my users’ mobile browsing experience?
Give your users fast access to the information they need by setting a predefined homepage or bookmarks on their corporate devices. For example, direct people to your corporate intranet, or if you don’t have one, push useful links into the browser.
Similarly, you can control how your users access corporate web pages on personal devices. If you have URLs or web applications that must be protected, permit access via Microsoft Edge only. Apply the app protection policy, which is fully supported in the Edge browser, to keep the data in the web application safe.
What is MDM (Mobile Device Management)?
MDM is ideal for two common scenarios:
1. You want tighter control over what your users are doing on company-owned devices.
2. You want more jurisdiction over your users’ own devices when they enrol.
All the functionality in the above graphic can be defined at the user level. Depending on the type of device, there are different approaches to MDM.
For example, allow someone to remotely access their emails on their iPhone, or restrict a device to a limited set of applications. Fundamentally, MDM enables you to give your users no more and no less than what you want them to have, while giving you confidence in the security of your data.
What happens when I enforce or enrol devices with Intune?
When your users enrol their device, they log in with a corporate Office 365 or Azure AD credential, which pushes the applicable policies to the device. Policies can do things like automatically configure a user’s email profile, a VPN profile so that they can connect to corporate resources, or Wi-Fi profiles.
You can also deploy your corporate SSL certificates and apps. To apply more restrictions to apps, you can apply managed app configuration policies.
What are the typical use cases for Intune?
Use case one: User signs in with their corporate iPad to Microsoft Intune and enrols.
Intune automatically configures the email profile for the user, applying the server and account settings and any security and synchronisation restrictions you want. This service is supported across iOS, Android and Windows devices. Once the profile is deployed, it will connect to your email service and synchronise email in line with how you configured it.
Use case two: Locking down devices.
Ensure that people can only access the applications or the data that you want them to – for example, a cheap Windows device in a reception area displaying marketing information or employee surveys.
How does Intune give my users a self-service experience?
Across all device types, you can create an Intune company portal app to give your users a self-service experience.
Users log in to the portal and see the applications available to them. You might have 15 corporate apps, 5 of which all users need. Automatically push the five out, making the other ten visible. With one click, your users can select and securely download the other apps they want.
And if a user loses their personal iPhone, they can access the portal on their Windows device, select the app and decommission it themselves. They don’t need to contact their IT team to securely remove company data from their lost phone, although IT can do this too.
What is Conditional Access?
Conditional Access is part of the Azure AD Premium suite and encompasses the Microsoft 365 suite. It enables you to apply policies: the conditions under which your users can sign in and access company information.
For example, if a user attempts to sign in using an iPhone that is not identified as a corporate device, conditional access will permit this if, and only if, the application has Intune policies applied.
With conditional access, you can look at who is accessing your systems, where and how they’re accessing them, and have confidence that the appropriate policies are assigned.
You also have options for protecting specific datasets.
And you can have another layer of control on corporate devices.
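The iPhone scenario above, expressed as a Conditional Access policy. This is an added example, not code from the original article or from Microsoft: it uses the Microsoft Graph PowerShell SDK (assumed installed, with an admin account that can write Conditional Access policies) and creates the policy in report-only mode so you can see its effect before enforcing it. The display name, the excluded break-glass account placeholder and the scope list are assumptions.

```powershell
# Added example: Conditional Access policy for mobile sign-ins that grants
# access only from an Intune-compliant (corporate) device OR from an app that
# has an Intune app protection (MAM) policy applied. Assumes the
# Microsoft.Graph PowerShell module is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Mobile: require compliant device or app protection policy"
    # Report-only first: sign-in logs show what *would* be blocked, nothing
    # is enforced until state is changed to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            # Placeholder: always exclude an emergency-access account so a
            # mistake in this policy cannot lock every admin out.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        # OR: a corporate device that Intune reports as compliant satisfies
        # the policy; so does a personal device using an app protected by a
        # MAM policy. A personal device with an unprotected app is blocked.
        operator        = "OR"
        builtInControls = @("compliantDevice", "compliantApplication")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

Review the report-only results in the Azure AD sign-in logs for a few days before switching `state` to `enabled`.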
In summary, Intune deploys and monitors the condition and the compliance of your applications and your devices. And using conditional access, you can permit or deny access to your corporate data.