MAM without enrollment.


Hi All,

In my environment, AirWatch is used as the MDM solution for corporate devices.

I understand that Intune MAM policies apply to the user identity, not the device identity. Assume a scenario where the same user in my organization has both a corporate and a BYOD device. If I apply a MAM policy to a user, will it apply to the managed apps on both the corporate and BYOD devices?

If yes, is there any way I can deploy separate MAM policies with different data protection settings to control the managed apps on both the corporate and BYOD devices used by the same user identity?

5 Replies

You can indeed separate MAM policies by targeting "Managed" and "Unmanaged" devices from within the app protection policy. Further, if you have two competing policies on the same user,

I ran into a similar request.

https://nathanblasac.com/how-to-enforce-a-particular-application-protection-mam-policy-managed-vs-un...

My blog about this topic (managed vs unmanaged) will show you what you will need to know and configure
https://call4cloud.nl/2021/03/the-chronicles-of-mam/

@Rudy_Ooms_MVP @Nathan Blasac

Thank you for your response. I have rephrased my question. Please provide your inputs.
Actually, the devices provided to users by my company are enrolled in AirWatch, not in Intune. My users' BYOD devices are also not enrolled in Intune.

In this case, how can we apply two separate app protection policies to the same user identity configured on the device provided by the company and on his own device?

As far as I understand, the "managed" vs. "unmanaged" distinction applies to Intune Managed Devices only. You can deploy the MAM policy to any users regardless of MDM. However, being a third-party MDM, your options to filter multiple MAM policies may be limited.

You can connect AirWatch as an MDM provider to Azure AD. I don't know if devices are created in Azure AD when you do that. But if that's the case, you might be able to create a group with all AirWatch managed devices to assign one app protection policy and create one app protection policy for all devices and exclude the AirWatch managed devices.