Home

MDM and MAM together for iOS and Android

%3CLINGO-SUB%20id%3D%22lingo-sub-744521%22%20slang%3D%22en-US%22%3EMDM%20and%20MAM%20together%20for%20iOS%20and%20Android%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-744521%22%20slang%3D%22en-US%22%3E%3CP%3EGood%20morning!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20hope%20I%20can%20relay%20what%20I%20am%20trying%20to%20understand%20well%20and%20thank%20you%20to%20anyone%20for%20going%20through%20my%20post.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20have%20searched%20and%20read%20numerous%20posts%20-%20but%20just%20trying%20to%20get%20a%20very%20clear%20understanding.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EScenario%3A%26nbsp%3B%3C%2FSTRONG%3E%3CBR%20%2F%3EA%20client%20of%20100%20or%20so%20users%20has%2050%25%20corporate%20mobile%20phones%20that%20are%20already%20in%20use%3C%2FP%3E%3CP%3Eand%2050%25%20BYOD%20users%20with%20mobile%20phones%3C%2FP%3E%3CP%3EThe%20client%20wants%20MDM%20for%20corp%20and%20MAM%20for%20BYOD%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CU%3ECorp%20Mobile%3A%3C%2FU%3EThe%20client%20wants%20MDM%20enabled%20for%20corp%20phones%20that%20forces%20the%20users%20to%3A%3C%2FP%3E%3COL%3E%3CLI%3EEnrol%20their%20phone%20into%20Intune%20MDM%20through%20company%20portal%3C%2FLI%3E%3CLI%3EForces%20them%20to%20use%20Outlook%20app%20for%20email%20(remove%20ActiveSync%20entirely)%3C%2FLI%3E%3C%2FOL%3E%3CP%3E%3CU%3EBYOD%3A%3C%2FU%3EThe%20client%20wants%20MAM%20to%20protect%20corp%20data%20and%20force%20anyone%20to%3A%3C%2FP%3E%3COL%3E%3CLI%3EUse%20Outlook%20only%20for%20mail%20and%20build%20a%20protection%20policy%20around%20that%3C%2FLI%3E%3C%2FOL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EQuestion%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EThey%20grey%20area%20for%20me%20is%20how%20we%20force%20enrolment%20of%20corporate%20mobiles%20%26amp%3B%20only%20prompt%20users%20with%20their%20own%20BYOD%20devices%20to%20use%20outlook%20app%20on%20their%20mobile%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3BTo%20achieve%20this%2C%20do%20we%20need%20to%20need%20to%20do%20the%20following%20so%20that%20we%20have%20have%20both%20MDM%20and%20MAM%20in%20co-existence%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3EUpload%20all%20the%20corporate%20owned%20devices%20IMEI%20or%20Serial%20Numbers%3A%3C%2FLI%3E%3CLI%3EBlock%20personal%20devices%20from%20enrolling%20so%20only%20devices%20with%20the%20IMEI%20or%20Serial%20numbers%20uploaded%20into%20Intune%20can%20enrol%20into%20MDM%3C%2FLI%3E%3CLI%3ESet%20APP%20Protection%20Policies%20%2B%20Conditional%20access%20Polices%26nbsp%3B%20for%20Outlook%20for%20BYOD%20devices%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%3CLI%3EEnsure%20corp%20devices%20HAVE%20to%20enroll%20and%20that%20BYOD%20devices%20don't%20but%20ensure%20BYOD%20have%20to%20have%20Protection%20on%20their%20outlook%20app.%3C%2FLI%3E%3C%2FOL%3E%3CP%3EIs%20there%20any%20conflict%20that%20will%20occur%20if%20a%20device%20in%20MDM%20enrolled%20and%20then%20wants%20to%20use%20outlook%20on%20their%20corp%20device%3F%26nbsp%3B%20Or%20do%20we%20have%20to%20set%20the%20user%20assignment%20very%20precise%20i.e.%20only%20apply%20MDM%20to%20users%20who%20have%20a%20corp%20device%3F%26nbsp%3B%20(After%20writing%20this%20I%20feel%20like%20the%20user%20assignment%20is%20going%20to%20be%20key%20here)%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3EAdam%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-744521%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConditional%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Application%20Management%20(MAM)%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-754318%22%20slang%3D%22en-US%22%3ERe%3A%20MDM%20and%20MAM%20together%20for%20iOS%20and%20Android%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-754318%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F41521%22%20target%3D%22_blank%22%3E%40Adam%20Weldon-Ming%3C%2FA%3E%26nbsp%3B%20overall%20there%20is%20no%20problem%20in%20coexistence%20in%20MDM%20and%20MAM.%20What%20won't%20cause%20any%20conflicts%20in%20iOS%2C%20however%20you%20need%20to%20check%20that%20with%20Android%20Enterprise%20(MAM%20policies%20and%20work%20profile%20is%20overlaping%20based%20on%20my%20understanding).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20are%20correct%2C%20about%20resticting%20personal%20devices%20enrollement%20and%20allowing%20only%20corp%20devices%20to%20be%20registered.%20With%20that%20only%20corproate%20devices%20will%20be%20enrolled.%3C%2FP%3E%3CP%3EHowever%20there%20is%20no%20way%20(at%20least%20i%20don't%20know%20that)%20to%20say%20%22%20these%20devices%20must%20be%20enrolled%2C%20but%20these%20don't%22.%20You%20can%20specify%20that%20through%20CA%20policy%20for%20specific%20users%2C%20but%20the%20same%20user%20can%20have%20both%20corp%20and%20byo%20device.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Adam Weldon-Ming
Occasional Contributor

Good morning!

 

I hope I can relay what I am trying to understand well and thank you to anyone for going through my post.

I have searched and read numerous posts - but just trying to get a very clear understanding.

 

Scenario: 
A client of 100 or so users has 50% corporate mobile phones that are already in use

and 50% BYOD users with mobile phones

The client wants MDM for corp and MAM for BYOD

 

Corp Mobile: The client wants MDM enabled for corp phones that forces the users to:

  1. Enrol their phone into Intune MDM through company portal
  2. Forces them to use Outlook app for email (remove ActiveSync entirely)

BYOD: The client wants MAM to protect corp data and force anyone to:

  1. Use Outlook only for mail and build a protection policy around that

 

Question

They grey area for me is how we force enrolment of corporate mobiles & only prompt users with their own BYOD devices to use outlook app on their mobile

 

 To achieve this, do we need to need to do the following so that we have have both MDM and MAM in co-existence:

 

  1. Upload all the corporate owned devices IMEI or Serial Numbers:
  2. Block personal devices from enrolling so only devices with the IMEI or Serial numbers uploaded into Intune can enrol into MDM
  3. Set APP Protection Policies + Conditional access Polices  for Outlook for BYOD devices

  4. Ensure corp devices HAVE to enroll and that BYOD devices don't but ensure BYOD have to have Protection on their outlook app.

Is there any conflict that will occur if a device in MDM enrolled and then wants to use outlook on their corp device?  Or do we have to set the user assignment very precise i.e. only apply MDM to users who have a corp device?  (After writing this I feel like the user assignment is going to be key here)

Thanks

Adam

1 Reply

@Adam Weldon-Ming  overall there is no problem in coexistence in MDM and MAM. What won't cause any conflicts in iOS, however you need to check that with Android Enterprise (MAM policies and work profile is overlaping based on my understanding).

 

You are correct, about resticting personal devices enrollement and allowing only corp devices to be registered. With that only corproate devices will be enrolled.

However there is no way (at least i don't know that) to say " these devices must be enrolled, but these don't". You can specify that through CA policy for specific users, but the same user can have both corp and byo device.

Related Conversations
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
35 Replies
Extentions Synchronization
ChirmyRam in Discussions on
3 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies