Nonprofit organizations are increasingly relying on mobile devices for remote work and expanding their capabilities beyond the office when working on the go. This shift presents challenges in managing and securing these devices, especially when they are personally owned (BYOD). Mobile Application Management (MAM) addresses these issues by providing a solution that secures applications without requiring full device enrollment (MDM). This approach is beneficial for nonprofits seeking to protect organizational data on personal devices used by staff for work purposes.
Understanding MAM as an Alternative to MDM
Both Mobile Device Management (MDM) and Mobile Application Management (MAM) serve important security purposes, with different approaches:
- Application vs. Device Focus: MAM secures specific work applications, while MDM provides a framework for managing enrolled devices.
- Enrollment Requirements: MAM can be implemented without requiring device enrollment, offering flexibility for personal device users.
- Security Scope: MAM applies security policies at the application level, focusing on protecting organizational data within those applications.
- Management Approach: MAM allows organizations to manage work-related applications independently from the device itself.
Why Nonprofits Benefit from MAM
Nonprofit work often happens beyond office walls, making MAM particularly valuable for these organizations:
Field Mobility and Accessibility
Your team needs secure access to information whether they're at community events, donor meetings, or working remotely. MAM enables this mobility with appropriate security controls.
Protecting Sensitive Information
When handling donor records, financial data, and beneficiary information, security is essential. MAM ensures this data remains protected within managed applications on personal devices.
Budget-Friendly Security
Resource constraints are real in the nonprofit sector. MAM provides effective security without requiring substantial infrastructure investments—especially when implemented through Microsoft's nonprofit program offering free Business Premium licenses.
Simplified Management
With MAM, IT teams can focus on securing specific applications and the organizational data within them, which can streamline security management for organizations with limited resources.
The Bottom Line
Mobile Application Management offers nonprofits a practical approach to securing organizational data on personal devices. Through Microsoft Intune and nonprofit licensing programs, organizations can implement this approach cost-effectively.
By adopting MAM, nonprofits create an environment where security and flexibility work together, supporting both organizational data protection needs and staff mobility in today's increasingly mobile work environment.
Step-by-Step Guide to Add MAM to Personal BYOD Devices without MDM
Overview
This guide provides steps to configure Microsoft Intune Mobile Application Management (MAM) for Bring Your Own Device (BYOD) scenarios, allowing organizations to protect corporate data at the app level without enrolling devices into Mobile Device Management (MDM). For this example, we will be configuring an iOS device.
Prerequisites
- Microsoft Intune subscription (Nonprofits have access to Intune through their 10 free Business Premium licenses offered by Microsoft’s nonprofit program).
- Microsoft Entra ID (formerly Azure AD).
- Supported apps (e.g., Microsoft 365 apps like Outlook, Teams, OneDrive) that integrate with Microsoft Intune App Protection Policies.
- Users must have the appropriate Intune license assigned.
Step 1: Access the Microsoft Intune Admin Center
- Go to Intune Admin Center.
- Sign in with your admin credentials.
Step 2: Configure App Protection Policies
- In the left navigation pane, select Apps > App protection policies.
- Click + Create policy.
Basics
- Select the platform (iOS/iPadOS or Android) for which you want to create the policy.
- Enter a Name (e.g., "BYOD MAM Policy – iOS").
- Enter an optional Description.
- Click Next.
Step 3: Define Policy Settings
Apps
- Target the policy to your choice (All Apps, All Microsoft Apps, Core Microsoft Apps). If you'd like to choose specific apps only, keep the selection as Selected apps and follow steps 2-4 below.
- Choose Public apps.
- Select Microsoft apps you want to protect (e.g., Outlook, OneDrive, Teams, etc.).
- Select Custom Apps (if applicable).
- Click Next.
Data Protection
- Set policies as desired, such as:
  - Block backing up org data to iTunes and iCloud backups.
  - Restrict sending org data to policy managed apps.
  - Restrict cut, copy, paste between apps (e.g., allow only with approved apps).
  - Encrypt app data.
  - Block third-party backup services.
  - etc.
- Configure additional settings based on your organization's security needs.
- Click Next.
Access Requirements
- Configure access requirements such as:
  - Blocking Simple PIN for access.
  - Fingerprint or Face ID.
  - Recheck access requirements after idle timeout.
  - etc.
- Click Next.
Conditional Launch
- Set conditions for app usage such as:
  - Minimum OS version.
  - Wipe data after consecutive failed PIN attempts.
- Click Next.
Step 4: Assign the Policy
- Under Assignments, choose:
  - All users or Specific groups (e.g., a BYOD security group).
- Click Next and Review + Create the policy.
Step 5: Exclude Devices from Device Management (Optional)
If you want to ensure this is for MAM-only devices (non-enrolled BYOD):
- Under Devices > Enrollment restrictions in Intune Admin Center:
  - Choose the device you want to restrict (Windows, Android, macOS, iOS).
  - Create or edit a Device Type Restriction.
  - Block personal device enrollment, if applicable.
- This ensures users can only use corporate apps with MAM policies and not enroll their personal devices into full MDM.
Step 6: Inform End Users
- Inform users they will access corporate data through approved apps that enforce app-level protections (e.g., Outlook for iOS with MAM policy applied).
- Users will not need to enroll their personal devices in Intune but will be prompted to sign into apps with corporate credentials and comply with MAM policies.
Step 7: Monitor & Review
- Go to Apps > Monitor > App protection status in Intune Admin Center.
- Review logs and reports to monitor:
  - Policy deployment status.
  - App protection compliance.
  - Any issues users may encounter with BYOD access.
Best Practices
- Regularly review and update your app protection policies based on evolving threats and business needs.
- Combine MAM with Conditional Access to ensure only compliant apps and users can access corporate data.
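The regular policy review recommended above can be partly automated. The following is an added example, not part of the original post: it checks an exported list of iOS app protection policies against the settings chosen in Steps 3 and 4. Property names are those of the Microsoft Graph `iosManagedAppProtection` resource; the retry ceiling, the reading of `useDeviceSettings` as "encryption not enforced", and the sample export are assumptions constructed for illustration.

```python
import json

MAX_PIN_RETRIES = 5  # assumed ceiling; the guide gives no number

# (Graph property, acceptance test, setting from Steps 3-4 it backs)
BASELINE = [
    ("dataBackupBlocked", lambda v: v is True, "block iTunes/iCloud backup"),
    ("allowedOutboundDataTransferDestinations",
     lambda v: v in ("managedApps", "none"), "send org data to managed apps only"),
    ("allowedOutboundClipboardSharingLevel",
     lambda v: v in ("managedApps", "managedAppsWithPasteIn", "blocked"),
     "restrict cut/copy/paste"),
    # Assumption: "useDeviceSettings" is how an unenforced encryption setting exports.
    ("appDataEncryptionType", lambda v: v not in (None, "useDeviceSettings"),
     "encrypt app data"),
    ("pinRequired", lambda v: v is True, "PIN for access"),
    ("simplePinBlocked", lambda v: v is True, "block simple PIN"),
    ("maximumPinRetries",
     lambda v: type(v) is int and 1 <= v <= MAX_PIN_RETRIES, "limit failed PIN attempts"),
    ("minimumRequiredOsVersion", lambda v: bool(v), "minimum OS version"),
    ("isAssigned", lambda v: v is True, "policy assigned to users/groups"),
]
LABELS = {prop: label for prop, _, label in BASELINE}

def audit_policy(policy):
    """Return the baseline properties this policy fails, in BASELINE order."""
    return [prop for prop, ok, _ in BASELINE if not ok(policy.get(prop))]

def audit_export(text):
    """Audit a Graph-style list response: {"value": [policy, ...]}."""
    policies = json.loads(text).get("value", [])
    return {p.get("displayName", "<unnamed>"): audit_policy(p) for p in policies}

# Constructed sample export: one policy matching the guide, one weak pilot policy.
SAMPLE = json.dumps({"value": [
    {"displayName": "BYOD MAM Policy - iOS", "dataBackupBlocked": True,
     "allowedOutboundDataTransferDestinations": "managedApps",
     "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
     "appDataEncryptionType": "whenDeviceLocked", "pinRequired": True,
     "simplePinBlocked": True, "maximumPinRetries": 5,
     "minimumRequiredOsVersion": "17.0", "isAssigned": True},
    {"displayName": "Pilot policy", "dataBackupBlocked": False,
     "allowedOutboundDataTransferDestinations": "allApps",
     "allowedOutboundClipboardSharingLevel": "allApps",
     "appDataEncryptionType": "whenDeviceLocked", "pinRequired": True,
     "simplePinBlocked": False, "maximumPinRetries": 10, "isAssigned": False},
]})

if __name__ == "__main__":
    for name, failed in audit_export(SAMPLE).items():
        print(name, "OK" if not failed else "FAILS: " + ", ".join(
            f"{p} ({LABELS[p]})" for p in failed))
```

A policy that passes every check but reports `isAssigned` as false protects nobody, which is why the assignment from Step 4 is audited alongside the data protection settings.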
Updated Mar 18, 2025
Version 1.0
KenelleMoore
Microsoft