MDM and MAM
A key task of any administrator is to protect and secure the organization’s resources and data on user devices. This task is device management. Users receive and send email from personal accounts, browse websites from home and from restaurants, and install apps and games. These users are also employees and students. On their devices, they want to access work and school resources, such as email and OneNote, and access them quickly. As an administrator, your goal is to protect these resources and provide easy access for users across their many devices, all at the same time.
Device management enables organizations to protect and secure their resources and data across different devices.
Using a device management provider, organizations can make sure that only authorized people and devices get access to proprietary information. Similarly, device users can feel at ease accessing work data from their phone, because they know their device meets their organization’s security requirements. As an organization, you might ask – What should we use to protect our resources? The answer is Microsoft Intune.
Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). You control how your organization’s devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications. For example, you can prevent emails from being sent to people outside your organization. Intune also allows people in your organization to use their personal devices for school or work. On personal devices, Intune helps make sure your organization data stays protected, and can isolate organization data from personal data.
Some key tasks of any MDM or MAM solution are to:
- Choose to be 100% cloud with Intune, or be co-managed with Configuration Manager and Intune.
- Set rules and configure settings on personal and organization-owned devices to access data and networks.
- Deploy and authenticate apps on devices — on-premises and mobile.
- Protect your company information by controlling the way users access and share information.
- Be sure devices and apps are compliant with your security requirements.
Manage devices (MDM)
In Intune, you manage devices using an approach that’s right for you. For organization-owned devices, you may want full control over the devices, including settings, features, and security. In this approach, devices and users of these devices “enroll” in Intune. Once enrolled, they receive your rules and settings through policies configured in Intune. For example, you can set password and PIN requirements, create a VPN connection, set up threat protection, and more.
For personal devices, or bring-your-own devices (BYOD), users may not want their organization administrators to have full control. In this approach, give users options. For example, users enroll their devices if they want full access to your organization resources. Or, if these users only want access to email or Microsoft Teams, then use app protection policies that require multi-factor authentication (MFA) to use these apps.
Manage apps (MAM)
Mobile application management (MAM) in Intune is designed to protect organization data at the application level, including custom apps and store apps. App management can be used on organization-owned devices, and personal devices.
When apps are managed in Intune, administrators can:
- Add and assign mobile apps to user groups and devices, including users in specific groups, devices in specific groups, and more.
- Configure apps to start or run with specific settings enabled, and update existing apps already on the device.
- See reports on which apps are used, and track their usage.
- Do a selective wipe by removing only organization data from apps.
An integrated approach to protection
Intune is part of Microsoft’s Enterprise Mobility + Security (EMS) suite. Intune integrates with Azure Active Directory (Azure AD) to control who has access, and what they can access. It also integrates with Azure Information Protection for data protection. It can be used with the Microsoft 365 suite of products. For example, you can deploy Microsoft Teams, OneNote, and other Microsoft 365 apps to devices. This feature enables people in your organization to be productive on all of their devices, while keeping your organization’s information protected with policies you create.
Intune integrates with Azure AD to support a wide range of access control scenarios. For example, you can require mobile devices to meet organizational standards defined in Intune before they access online resources such as email or SharePoint. Likewise, you can block access to services so that they are only available to a specific set of mobile applications. For example, you can allow access to Exchange Online only from Outlook or Outlook Mobile.
Microsoft Intune Device – from $2.00 licenses/month
Microsoft Intune – from $6.00 licenses/month
Enterprise Mobility + Security E3 – from $8.80 licenses/month