Protecting Corporate Data on Devices using Microsoft Intune MAM Policies (Part 2)
If you would like to read the first part in this article series please go to Protecting Corporate Data on Devices using Microsoft Intune MAM Policies (Part 1).
In part 1 of this multi-part article series, I provided you with an introduction to the fundamentals of Mobile Applications Management (MAM) policies, and we also touched on the MAM requirements in terms of the licenses needed to use the Microsoft Intune service.
In this part 2, we will continue right where we left off in part 1. That is, I will talk about the old Microsoft Intune Admin Console and give you an introduction to the next generation management interface used to manage MAM policies in Microsoft Intune.
Managing MAM Policies
Ever since Mobile Applications Management (MAM) policies were introduced in the Microsoft Intune service a few years ago, they have had to be managed from the, let’s be honest here, infamous Silverlight based Microsoft Intune Admin Console shown in Figure 1 below.
Figure 1: MAM Policies in the Intune Admin Console
We all know that most teams at Microsoft, as well as third party vendors, that decided to go with a Silverlight based management interface for their applications and/or services have since moved to another application framework, as Silverlight never became the next big thing in that space.
Microsoft has set the support end date for Silverlight 5 to October 2021, which means they will provide patches and bug fixes as needed; however, that doesn’t help much. Popular browsers such as Chrome (unless running an old build) and even the Microsoft Edge browser do not support Silverlight. More information on what browsers are supported can be found here. In my experience, Firefox is the most reliable browser when it comes to launching the Microsoft Intune Admin Console.
The Microsoft Intune service is one of very few services that still has a Silverlight based management interface. But fear not, the Microsoft Intune team has been busy working on the next generation management interface for their service. The project is known as project Ibiza inside Microsoft and it is at last in its final stages. From the very beginning, the plan has been to move everything under the Microsoft Intune service to the Microsoft Azure portal, which makes perfect sense given the tight integration with Azure Active Directory. In addition, the move to the Azure portal will allow powerful and integrated management of core EMS workflows on a modern service platform that’s extensible using Graph APIs.
The first subset of services in Microsoft Intune that has been moved to the Azure portal is Mobile Applications Management (MAM) policies and conditional access, which are available to all Azure Active Directory tenants. There’s also a public preview program allowing tenants that have signed up to experience the new Microsoft Intune Management Portal prior to general availability. For further details, see this blog post on the official Microsoft Enterprise Mobility and Security Blog.
If you create a new tenant for testing purposes, you will see additional Intune features as shown in Figure 2. If you have an old Intune tenant, you may not see all the blades yet. For a tenant I created back in December 2016, I did however see all the Intune blades. The thing is, Intune tenants are being “migrated” over as I’m writing this. This will occur over the next months.
Figure 2: The new Intune portal with additional blades
The New MAM Portal
To access the new MAM portal in Microsoft Azure, just launch the Azure Portal by going to http://portal.azure.com and once you have logged in, type “Intune” in the search field as shown in Figure 3. A good idea is to pin the Intune portal to the dashboard for easy access going forward.
Figure 3: Searching for Intune in the Microsoft Azure Portal
Since this article series is all about MAM policies, we will focus on the “Manage apps” tile.
Figure 4: Intune Manage apps tile in the new Intune Portal
When clicking on the “Manage apps” tile, the “Mobile apps” blade is launched. As you can see, this blade is divided into four sections:
MANAGE: This is the place where you can publish required apps from the respective app stores. This is also the place to handle licensed apps. In addition, we can create configuration as well as protection policies as necessary. Last but not least, this is also the place where we can initiate wipe requests for devices.
MONITOR: In this section, we can retrieve discovered apps, check install status for apps, and last but not least, check the app protection status for users.
SETUP: In this section, we can manage iOS VPP tokens, enable Windows Store for Business in order to access volume-purchased apps with Intune, and do the obligatory Company Portal branding.
HELP AND SUPPORT: The title of this section should be self-explanatory.
This concludes part 2 of this multi-part article series.