Forum Discussion
MDM VS MAM
Hello Olivier,
Thanks for the answer.
But it is not clear to me.
My case is:
1. the user's phone is a personal device, so I have to put the user id in the MAM group
2. the laptop is an organisation device, so I have to put the user id in the MDM group.
So how does Intune react if I put the same user id in both the MDM and MAM groups?
How does it know in my case here that I want only MAM for the phone and not MDM?
What is confusing me with Intune is that in the security group it's always a reference to user id and not to a device id.
Eric.
Hi Eric-Labc,
We are talking here about various different things. First, MAM, also known as App Protection Policies, is totally independent of MDM; these policies are targeted at apps and user groups and are only available for iOS and Android. So have a look at Intune App Protection policies in combination with app-based Conditional Access, as mentioned earlier:
https://docs.microsoft.com/en-us/intune/app-protection-policy
MDM enrollment for Windows 10 can be done manually or via auto-enrollment, which needs to be configured. There you have an additional MAM configuration, but this is only for Windows 10 MAM, also known as WIP - Windows Information Protection.
I guess you are talking about iOS, Android and Windows 10 as a combination. Therefore you only have to configure the MDM User Scope and leave the MAM to None (remember this is MAM for Windows 10), otherwise it gets more confusing. See the original documentation here:
Configure MDM User scope. Specify which users’ devices should be managed by Microsoft Intune. These Windows 10 devices can automatically enroll for management with Microsoft Intune.
- None - MDM automatic enrollment disabled
- Some - Select the Groups that can automatically enroll their Windows 10 devices
- All - All users can automatically enroll their Windows 10 devices
Important
For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.