MDM VS MAM

Copper Contributor

Hello,

 

Many users in my company are using their private phone to connect to company e-mail etc ...

and they are also using a company laptop for everyday work.

So I want to have full control on their laptop (MDM and MAM) and only MAM on their phone.

How can I do this for a same user?

 

Thanks.

5 Replies

Well, at first there is no MAM capabilities for Windows. There are some things you can do with AIP/WIP, but it's not exactly MAM as it works with mobile devices.

 

Check out information about conditional access policies. You can create policies based on device types and requeire device to be managed for PCs and use of MAM enabled apps for mobiles.

Hi @Eric-Labc,

 

it's exactly what Alexander said you need to look for app-based conditional access for your mobile phones and device-based conditional access for your Windows 10 Laptops that require them to be compliant. See references here:

 

App-based conditional access with Intune
https://docs.microsoft.com/en-us/intune/app-based-conditional-access-intune

 

How To: Require managed devices for cloud app access with conditional access
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-managed-devices

 

best,

Oliver

@Oliver Kieselbach 

Hello Olivier,

Thanks for the answer.

 

But it is not clear for me.

My case is :

1. the user phone is a personal device, so I have to put user id in MAM group

2. the laptop device is a organistion device, so I have to put user id in MDM group.

 

So how does Intune react if I put the same user id in MDM and MAM group?

How does he know in my case here that I want only MAM for the phone and not MDM?

 

What is confusing me with Intune is that in the security group it's always a reference to user id and not to a device id.

 

Eric.

 

 

 

Hi @Eric-Labc,

 

we are talking here about various different things. First MAM also known an App Protection Policies are totally independent of MDM and they are targeted at apps and user groups and only available for iOS and Android. So have a look at Intune App Protection policies in combination with app-based Conditional Access as mentioned earlier:

 

https://docs.microsoft.com/en-us/intune/app-protection-policy

 

MDM enrollment for Windows 10 can be done manually or via auto-enrollment which needs to be configured. There you have an additional MAM configuration but this is only for Windows 10 MAM also known as WIP - Windows Information Protection.

 

I guess you are talking about iOS, Android and Windows 10 as a combination. Therefore you only have to configure the MDM User Scope and leave the MAM to None (remember this is MAM for Windows 10) otherwise it gets more confusing see here original documentation:

 

Configure MDM User scope. Specify which users’ devices should be managed by Microsoft Intune. These Windows 10 devices can automatically enroll for management with Microsoft Intune.

  • None - MDM automatic enrollment disabled

  • Some - Select the Groups that can automatically enroll their Windows 10 devices

  • All - All users can automatically enroll their Windows 10 devices

     Important

     

    For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.

    For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.

Hi Eric, you only need one group for the user as Intune sees if the phone is enrolled or not into MDM. Where you in the MAM policy can adapt the settings to fit both if the phone is enrolled or not.  @Eric-Labc