In June, we released an update to the Microsoft Intune mobile application management (MAM) capabilities for iOS and Android that enables coexistence of policy-managed (corporate) and unmanaged (personal) accounts in a single app – this new feature is known as multi-identity. Here’s a high-level example of how this works:
Many users access both corporate and personal email accounts in the Outlook app for iOS and Android. When a user is accessing data in their corporate account, the IT pro needs to be confident that MAM policy management will be applied and help protect this corporate data. However, when a user is accessing a personal email account that data should be outside of IT’s control. Intune achieves this by targeting the management policy to only the corporate account in the application. The multi-identity feature helps solve the data protection problem that organizations are facing with devices and apps that support both personal and work accounts while maintaining the end user’s experience and the privacy of his/her personal data.
How this solution works in more detail
When a user installs and signs into an app that supports multi-identity on an Intune-managed device, Intune will check if the new account matches the enrolled, managed account on the device. If the account is managed, and there is also a MAM policy for the app and the user, then the MAM policy settings protect data in that account. When the user adds personal accounts to the app as well, those accounts will exist outside of Intune management and protection. This enables personal use of the application without compromising corporate protection.
Let’s look at an example with the OneDrive for iOS app:
The IT administrator for Contoso has deployed OneDrive with a MAM policy requiring encryption of app data, a user entered PIN for app launch, and that copied data can only be pasted to managed apps.
Now as an end user on my iPad, I install the OneDrive app from the Intune Company Portal website. I add both my personal OneDrive account as well my Contoso OneDrive for Business account. Because of the MAM policy:
|Contoso OneDrive for Business
|Documents in my OneDrive for Business account are encrypted on my iPad.
|Documents in my personal OneDrive account are not encrypted.
|When I attempt to open my OneDrive for Business account, I am prompted to enter my PIN before I can access the data within.
|When I open my personal OneDrive account, I am never prompted for a PIN.
|Data that I copy from files in my OneDrive for Business account can be pasted to my Contoso email account in my managed Outlook app, but this data cannot be pasted into my personal email account or my consumer cloud storage app.
|Data that I copy from files in my personal OneDrive account can be pasted to my personal email account or to my favorite social networking app.
Ultimately, I can be confident that the work I do with my OneDrive for Business account meets the protection standards that my IT administrator has put in place. Additionally, I am still able to use my personal OneDrive account for storing and sharing files with my friends and family, without encountering restrictions on the functionality I love or IT management of my personal data.
Read more about how this works in the Outlook app here.
See the full list of apps that support MAM and apps that also support multi-identity management on TechNet. You can also learn more about managed mobile productivity with EMS in this video. And don’t forget to submit product feedback and suggestions to the Intune engineering team on the Intune feedback site.
Arianna Schwartz Moshary, Program Manager