What BYOD deployment options do I have with Intune?


Hi all,

We are in the process of looking at allowing users to use their own laptops, mobile phones and/or tablets.


I am unsure what options in Intune I have to allow access to company data and/or apps. We do currently use Intune MDM for iOS devices and a small number of Android mobile phones (both are company-owned devices).


I am aware of MDM and MAM but unsure which one I want to use for personal devices. Those devices could be Windows 10 home laptops, Personal Android mobiles, Android tablets, iPhones or iPads.


Can I use MDM and MAM simultaneously or do we have to pick one or the other? 


MAM, as I understand it, allows me to protect apps/data on devices that are not managed via Intune in supported applications, where I can set rules such as do not allow saving or copying files from OneDrive to the local device.


MDM is mobile device management where they can either be corporately enrolled or a user can enroll his/her own device.


3 Replies


Can I use MDM and MAM simultaneously, or do we have to pick one or the other?


- You can use both. MDM will give you the option to enforce a PIN code on the devices, push configurations like WiFi settings, send out required apps, etc. MAM can be used in addition to this to make sure how company data is opened and handled.


MDM is mobile device management where they can either be corporately enrolled or a user can enroll his/her own device.


- This is correct, and you can also create Compliance Policies that these devices must meet. If they fail, you can restrict access to company data from these devices. I've done this with Conditional Access. 


There is also a very active community for anything Intune related over at Reddit.


Hi there,


I think I got a step closer to understanding it. I do have a slightly different question, perhaps you know the answer?


I get requests to allow apps with Azure AD such as Samsung Mail. I changed last week that we are blocking legacy protocols using Conditional Access. I also did a test of App Protection Policies in Intune, which is nice because I can protect company data.


But I am guessing Samsung Mail uses ActiveSync, so it should be blocked, but if it uses modern authentication but is not included in app protection policies in Intune, it seems we want to block that.


Do you know anything here? The goal is for me NOT to get the requests in the first place for random apps people want to use :) I want people to use apps we can protect.

Hi, we are working on the same thing as you, not allowing legacy protocols and applications not supporting App Protection Policies. I'm not sure what you're looking for with your question (sorry, I'm not a native English speaker), but you want the end-users to get some message of what application they must use?
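
The two Conditional Access rules discussed in this thread (blocking legacy protocols, and only admitting mobile apps that carry an Intune app protection policy) can be expressed as follows. This is an added example, not code posted by anyone in the thread; it assumes the Microsoft Graph PowerShell SDK is installed, and the display names are made up for illustration.

```powershell
# Added example. Assumes the signed-in admin is allowed to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Start in report-only mode: outcomes are recorded in the sign-in logs, nobody is blocked.
# Exclude emergency-access accounts before changing this to 'enabled'.
$state = 'enabledForReportingButNotEnforced'

# Policy 1: block clients that cannot do modern authentication
# (Exchange ActiveSync and other legacy protocols).
$blockLegacy = @{
    displayName   = 'BYOD - Block legacy authentication'   # hypothetical name
    state         = $state
    conditions    = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: on iOS and Android, grant access to Office 365 only from apps that
# have an Intune app protection policy applied. A mail client that supports
# modern authentication but not app protection fails this grant control.
$requireMam = @{
    displayName   = 'BYOD - Require app protection policy'  # hypothetical name
    state         = $state
    conditions    = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('Office365') }
        platforms      = @{ includePlatforms = @('android', 'iOS') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantApplication') }
}

foreach ($policy in $blockLegacy, $requireMam) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    '{0}  {1}  {2}' -f $created.Id, $created.State, $created.DisplayName
}
```

While the policies are in report-only mode, the Conditional Access tab of each sign-in log entry shows which client apps would have been blocked, which gives a list of the apps users are actually trying before anything is enforced.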