
Enterprise Mobility + Security


There are many different ways that applications can be made available to your users today. Users can directly install apps from public stores or your mobile device management (MDM) solution can deploy them (either automatically or at the user’s request). For this post, we’ll consider the apps that are installed from a public store to be “unmanaged” and apps that are deployed via your MDM solution (like Microsoft Intune) to be “managed”.

For managed apps, IT has direct control over deployment, ongoing management (such as inventory or updates), and selective wipe of the apps and their associated data. Most mobile devices have OS level controls in place to limit (containerize) the movement of data.

Microsoft Intune supports an additional level of management for managed apps that are integrated with the Intune App SDK or Intune App Wrapping Tool. For these mobile application management (MAM) protected apps, additional controls such as per-app PIN, jailbreak detection, and granular control over data flow can be added.

Depending on the specific data loss prevention (DLP) requirements of your organization, you can choose the right mix of unmanaged, managed and MAM-protected applications for your users.

Unmanaged Apps

An unmanaged app is any app available on iOS, Android, Windows, and Windows Phone devices. Intune doesn’t have any control over the distribution, management, or selective wipe of these apps.

Managed Apps

A managed app is an app that an Intune admin publishes and deploys in the Intune admin console. All platforms discussed in this post offer some degree of OS level management of corporate apps and their data. By publishing an app in the Intune admin console, you can:

  • Deploy the app
    • This installs the app on the mobile device. The app can be made available to users to install themselves from the Intune Company Portal. Apps can also be automatically installed when supported by the platform. Apps installed by Intune can be uninstalled. The deployment can be targeted to any Intune user group.
  • Manage app updates
    • When a new version of a deployed app is released, Intune will allow you to update and deploy the newer version of the app.
  • Monitor app installation
    • You can monitor software deployment status and software adoption.
  • Configure “Open-In” management
    • On iOS, this allows you to limit operations on corporate data to only managed apps, such as the ability to enforce that corporate email attachments may only be opened in a managed app.
  • Selectively wipe the entire app
    • Apps that are managed by Intune are removed when a device is retired from management (selective wipe), including all app data.
    • See here for more detailed information on selective wipe, as well as platform differences.

MAM-Protected Apps

Intune MAM provides additional capabilities to protect managed apps by offering an additional layer of data protection. On Android and iOS, Intune allows you to configure MAM policy on managed apps that have incorporated either the Intune App SDK or the Intune App Wrapping Tool for iOS or Android. Apps that leverage the Intune App SDK or Intune App Wrapping Tool are considered MAM-protected apps, and you have the ability to:

  • Configure MAM policies
    • These policies include app settings to prevent data leakage such as blocking copy/paste, preventing data transfer from a MAM app to an app without MAM policy, preventing backup to cloud storage, preventing Save as, etc.
    • These policies help provide secure app access by requiring a PIN/passcode or corporate credentials on a MAM-protected app.
    • These policies allow app access to be blocked if a device is not compliant with company policies set by the administrator.
    • See here for a more detailed description of these settings.
  • Tightly integrate with cloud services
    • The Intune App SDK was designed to work with Office 365 and Azure Active Directory (AAD) without requiring any additional infrastructure setup for admins.
    • The experience for logging in and authenticating is seamless and consistent across all MAM-protected apps.
  • Selectively wipe only the app data
    • When a device is retired from management, a selective wipe is performed which will remove all corporate data from the apps protected by Intune MAM on the device, leaving only the app and personal app data behind.
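
To check that a MAM policy actually enforces the controls listed above, the following added example (not part of the original post and not Microsoft's code) audits a policy document and fails closed on missing settings. It assumes the policy is represented with the property names of the Microsoft Graph `iosManagedAppProtection` resource, which the post itself does not mention; both sample policies are constructed.

```python
"""Audit an app protection policy for the DLP controls listed in the post."""

# Enum-valued settings: property -> (control from the post, accepted values).
# Property names are assumed from Microsoft Graph iosManagedAppProtection.
ENUM_CHECKS = {
    "allowedOutboundClipboardSharingLevel": (
        "block copy/paste to unprotected apps",
        {"managedApps", "managedAppsWithPasteIn", "blocked"}),
    "allowedOutboundDataTransferDestinations": (
        "no data transfer to apps without MAM policy",
        {"managedApps", "none"}),
}
# Boolean settings that must be exactly True.
BOOL_CHECKS = {
    "dataBackupBlocked": "prevent backup to cloud storage",
    "saveAsBlocked": "prevent Save as",
    "deviceComplianceRequired": "block access from non-compliant devices",
}
# The post allows either a PIN/passcode or corporate credentials.
ACCESS_PROPS = ("pinRequired", "organizationalCredentialsRequired")


def audit_policy(policy):
    """Return [(control, property, value)] for each control not enforced.

    A missing property counts as a finding (fail closed).
    """
    findings = []
    for prop, (control, accepted) in ENUM_CHECKS.items():
        value = policy.get(prop)
        if value not in accepted:
            findings.append((control, prop, value))
    for prop, control in BOOL_CHECKS.items():
        value = policy.get(prop)
        if value is not True:
            findings.append((control, prop, value))
    if not any(policy.get(p) is True for p in ACCESS_PROPS):
        findings.append(("require PIN or corporate credentials",
                         "/".join(ACCESS_PROPS), False))
    return findings


# Constructed sample policies (not exported from a real tenant).
WEAK = {"displayName": "Mail - default",
        "allowedOutboundClipboardSharingLevel": "allApps",
        "allowedOutboundDataTransferDestinations": "allApps",
        "dataBackupBlocked": False, "saveAsBlocked": True,
        "pinRequired": False}
HARDENED = {"displayName": "Mail - DLP",
            "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
            "allowedOutboundDataTransferDestinations": "managedApps",
            "dataBackupBlocked": True, "saveAsBlocked": True,
            "deviceComplianceRequired": True, "pinRequired": True}
```

`audit_policy(WEAK)` reports five unenforced controls, including the device-compliance setting that is simply absent from the document, while `audit_policy(HARDENED)` returns an empty list.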

Example Scenario: Managed Email

In this scenario, an organization wishes to protect email attachments to make sure that this corporate content is only accessible in a secure manner where it cannot be leaked to a non-corporate app or location. There are three configuration types to understand in this scenario:

Using only unmanaged apps, you would have no control over these email attachments. They can be opened, saved, and manipulated with any application that supports the file type of the attachment.

Using managed apps, you can deploy applications that are deemed to be safe for corporate use to devices that you wish to protect. You can force the corporate attachments to only be opened in those managed apps. Once the attachment is open in a managed app, the user can freely move and manipulate the data in the attachment to all other apps and/or cloud services.

Using MAM-protected apps with policy, once the email attachment is opened you can configure policy such that the user cannot copy/paste or save the data from the attachment to a non-protected app or cloud service. You can force the corporate attachments to only be opened in a MAM-protected app. This level of protection helps secure data stored in your corporate cloud services, allowing it to only be accessed by this trusted set of protected apps.

This scenario demonstrates how each level of protection builds off of the last, and an organization can flexibly restrict corporate data as they see fit.

More Information

For more specific details about Intune MAM, see the TechNet documentation here. This documentation fully illustrates the capabilities of each platform. You can also find the list of apps that currently support Intune MAM here.

 

– Joey Glocke, Program Manager