Protecting Corporate Data on Devices using Microsoft Intune MAM Policies (Part 1)
We live in a time where users within an organization expect to be able to access corporate data not only using their PC or laptop, but also using their mobile device(s) and/or tablet(s). For most organizations, this has only been possible for e-mail data. To access Word files, PowerPoint presentations, Excel spreadsheets, OneNote workbooks, Dynamics CRM data, you would usually need to establish a VPN connection to the corporate network.
There are organizations that have made this type of data available using third-party Mobile Device Management (MDM) solutions for years, but I have seen many organizations where the end users simply e-mailed the respective files to themselves to access them from a device.
For a quick walk down memory lane of MDM solutions, check out my Mobile Device Management Then and Now article.
End users within the respective organization expect to be able to access corporate data not only using their PC or laptop, but also using their mobile device and/or tablet. A good portion of the end users also expect it to be possible from any device. By that I mean they want access from their company-owned and/or managed device(s), but also from the private devices in their household. The challenge here is that most organizations that already have an MDM solution such as Microsoft Intune in place require the device(s) to be enrolled before corporate data can be accessed.
So how can we make corporate data available on any device in an easy fashion without requiring enrollment, while at the same time not compromising device, application and data security? Well, say hello to Mobile Application Management (MAM) policies, part of the Microsoft Intune service.
Let’s get going.
Fundamentals of Mobile Applications Management (MAM)
Let’s start with the fundamentals of Mobile Applications Management (MAM). So, what is MAM? In a nutshell, MAM is a set of policies that lives under the Microsoft Intune MDM service.
With MAM policies, we can secure corporate data at the app layer on devices, so that the apps adhere to the compliance and security policies within the organization. We can do things such as restrict cut, copy and paste operations within the apps managed by MAM, and we can even require a PIN for the apps. We can also force URLs contained in e-mails, files and the like to open in a managed browser.
The cool thing about this is that we get this control without requiring a given device to enroll in Intune, which means that end users can use almost any device to access corporate data. Because we can set a PIN at the app layer, the end user can, for instance, also use a device shared among the family members in the household without security being compromised. Some of you are probably thinking: what if I have a private (consumer) account and a corporate account configured in the OneDrive app? Wouldn’t this compromise the security of corporate data by making it accessible to other users of the device? Nope. MAM policies implement logic that can differentiate between, in this case, corporate OneDrive data and the private data in the consumer version of OneDrive. This basically means that you can apply the cut, copy and paste restrictions to the data under the corporate OneDrive account, while not changing the behavior for your consumer data and actions.
As mentioned, OneDrive was just an example. This of course applies to all apps managed via MAM. I will take you through the configuration steps and the end user experience in much more detail later.
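As an added illustration (not from the original article, which configures MAM through the Intune portal), this is what the controls described above look like when an iOS app protection policy is created through the Microsoft Graph API; the policy name, PIN settings, targeted apps and the `$accessToken` variable are assumed values.

```powershell
# Added example: an Intune iOS app protection (MAM) policy expressed as a
# Microsoft Graph request body. Assumptions: $accessToken holds a Graph token
# with the DeviceManagementApps.ReadWrite.All permission; the name, PIN values
# and app list are illustrative and not taken from the article.
$policy = @{
    "@odata.type" = "#microsoft.graph.iosManagedAppProtection"
    displayName   = "Corporate data - iOS (example policy)"
    description   = "Example MAM policy, not the article's own configuration"

    # App-layer PIN: protects corporate data in the app even on a device
    # that is shared in the household and never enrolled in Intune
    pinRequired       = $true
    minimumPinLength  = 6
    maximumPinRetries = 5

    # Cut/copy/paste: corporate data may only be pasted into other managed apps
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundDataTransferDestinations = "managedApps"

    # URLs in e-mails and files open in the managed browser
    managedBrowserToOpenLinksRequired = $true

    # Require the corporate account to be signed in before corporate data is
    # shown; the policy is scoped to that corporate identity, so a consumer
    # OneDrive account in the same app is left alone
    organizationalCredentialsRequired = $true

    # Targeted apps, identified by their public iOS bundle IDs (OneDrive, Outlook)
    apps = @(
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.skydrive" } }
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.Office.Outlook" } }
    )
}

$headers = @{ Authorization = "Bearer $accessToken"; "Content-Type" = "application/json" }
Invoke-RestMethod -Method Post `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections" `
    -Headers $headers `
    -Body ($policy | ConvertTo-Json -Depth 6)
```

The policy still has to be assigned to a user group before it takes effect; only users with an Intune license in the targeted group receive it.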
Mobile Application Management (MAM) Requirements
There are some important requirements you should be aware of to be able to use MAM policies. As some of you know, there is a free Office 365 MDM service that can be utilized for the users you have in an Office 365 tenant. Although this service has a rather comprehensive feature set (considering it is free), it does not include MAM.
Before you can use MAM policies, you need to have the proper licenses in place. When it comes to licensing, the organization needs to have an Intune license assigned to each user using the service. Intune comes with the Microsoft Enterprise Mobility + Security (EM+S) suite (both E3 and E5). You can find more information here. In addition, if you do not plan to get the EM+S for now, you can buy stand-alone licenses. More information on the stand-alone license option here.
Licensing is one thing; device models and types are another. Before you rush out and buy Intune licenses, you should ensure that MAM supports the devices used in your organization. For most, this should not be an issue, as both iOS (8.0 and later) and Android (Samsung KNOX Standard 4.0 and higher) devices are supported. However, in case you have Windows Phone users, bear in mind that these are not supported by MAM. Yes, they are supported by Microsoft Intune, just not by MAM.
More information about Microsoft Intune device requirements in general can be found here.
This concludes part 1 of this multi-part article series.