I hope I can relay what I am trying to understand well and thank you to anyone for going through my post.
I have searched and read numerous posts - but just trying to get a very clear understanding.
Scenario: A client of 100 or so users has 50% corporate mobile phones that are already in use
and 50% BYOD users with mobile phones
The client wants MDM for corp and MAM for BYOD
Corp Mobile: The client wants MDM enabled for corp phones that forces the users to:
Enrol their phone into Intune MDM through company portal
Forces them to use Outlook app for email (remove ActiveSync entirely)
BYOD: The client wants MAM to protect corp data and force anyone to:
Use Outlook only for mail and build a protection policy around that
They grey area for me is how we force enrolment of corporate mobiles & only prompt users with their own BYOD devices to use outlook app on their mobile
To achieve this, do we need to need to do the following so that we have have both MDM and MAM in co-existence:
Upload all the corporate owned devices IMEI or Serial Numbers:
Block personal devices from enrolling so only devices with the IMEI or Serial numbers uploaded into Intune can enrol into MDM
Set APP Protection Policies + Conditional access Polices for Outlook for BYOD devices
Ensure corp devices HAVE to enroll and that BYOD devices don't but ensure BYOD have to have Protection on their outlook app.
Is there any conflict that will occur if a device in MDM enrolled and then wants to use outlook on their corp device? Or do we have to set the user assignment very precise i.e. only apply MDM to users who have a corp device? (After writing this I feel like the user assignment is going to be key here)
@Adam Weldon-Ming overall there is no problem in coexistence in MDM and MAM. What won't cause any conflicts in iOS, however you need to check that with Android Enterprise (MAM policies and work profile is overlaping based on my understanding).
You are correct, about resticting personal devices enrollement and allowing only corp devices to be registered. With that only corproate devices will be enrolled.
However there is no way (at least i don't know that) to say " these devices must be enrolled, but these don't". You can specify that through CA policy for specific users, but the same user can have both corp and byo device.