Introduction

iOS and Android are the most common platforms for mobile endpoints 📲. Of course, also those endpoints need corporate apps, security policies and need to fulfill compliance requirements and more. Management via Microsoft Intune is a common way for organizations to control and monitor their mobile devices easily from the cloud.

This post discovers foundational theoretical principles in the mobile endpoint management world and describes solution concepts and important considerations.

Motivation for mobile management

Why you should manage mobiles via Intune:

  • 🛣️ Standard setup and experience of iOS and Android smartphones and tablets
  • 🔐 Ensure security and protect data
  • 🔖 Deploy corporate apps needed for work
  • 🔭 Monitor your mobile devices on compliance, health and system status

 

Platforms

iOS and Android are foundational different operating systems, but they all run on mobile device factors like smartphones, tablets or within other appliances. Let's wrap up the key differences, because they also have an impact on how the management works:

iOS 🍎 Android 🪅
Vendor Proprietary mobile operating system developed by Apple, offering a consistent user experience across all Apple devices Open-source platform developed by Google, allowing for greater customization by manufacturers and developers
Ecosystem More unified hardware and software ecosystem More flexibility and diversity in the hard- and software
OS Offers a more streamlined and uniform user interface, with limited customization options Offers greater flexibility in terms of customization, allowing users to personalize their device's interface, install custom ROMs, and access system files.
Services iCloud Google Services (on most Android devices)
Apps App Store is the exclusive marketplace for iOS apps (except in the European Union) Play Store and sideloading of apks
Management Requires Apple Push Notification Certificates and Management Profile Requires Managed Google Play
💡
Multiple Android versions are supported by Intune. Android Enterprise is the go-to platform. Android Open Source Project (AOSP) is fully open source and does not include Google Mobile Services (GMS) or any other proprietary software.

 


Concepts

Let's jump into some concepts that are important to understand to define your mobile journey!

MDM & MAM

First, we need to understand the difference between:

  • Mobile Device Management (MDM)
  • Mobile Application Management (MAM)
MDM MAM
Management of the Device App only
Enrollment via Company Portal or from device setup like:

🍎 iOS = Apple Automated Device Enrollment
🪅 Android = Android Enterprise
Open the app, register the device to Entra, and install broker app:

🍎 iOS = Authenticator App
🪅 Android = Company Portal
End user effort User enrollment (no device reset) takes a few steps from
Company Portal to register device and install management profile
Just sign into the app, register the device and restart the app
Configuration options All options can be configured Not possible -> use app configuration profiles, that are app based
Security options Apply system security baselines or configurations Apply data protection, access requirements and conditional launch
Compliance options Apply Intune compliance policies Check access requirements
App deployment ✅ Supported 🚫 Not supported
Retirement Retire, wipe, delete the whole device Wipe app data only via Intune portal
Conditional Access ✅ Supported: Require compliant device (requires compliance policies) ✅ Supported: Require App Protection Policy

 

When to use what?

Reality shows, that MAM is sufficient for 90% of the use cases, as standard workers often just need access to the core Microsoft apps like Teams, Outlook and the whole office suite.

🗒️
Check the following page to see supported apps for MAM.

What are the reasons to manage with MDM?

  • Protecting the whole device and apps that are not supported by MAM
  • Device is corporate-owned any only for corporate purposes, or even a single use / Kiosk device type
  • Deploy apps
  • Configure more/all system aspects and security
  • Defender for Endpoint onboarding is needed
  • Certificate deployment, VPN or network connection configuration built-in

What are the reasons to manage with MAM?

  • Users with personally-owned devices want to access corporate data securely, no enrollment wanted
  • Simple & light management with less effort

 

Ownership

Ownership of the device is another important factor to decide which and to which extent the management of the device makes sense. A device can either be corporate or personal owned. Probably you don't want to manage these devices equally and apply more strict policies to corporate-owned devices. Also, a personal device is usually not intended to be fully managed, monitored and restricted, because it is not a corporate resource. The differences on the platforms for MDM are the following:

iOS 🍎

  • Corporate owned
    • Device Enrollment: More control over the whole the device
    • Automatic Device Enrollment: Supervision allows for additional over everything - control over the device and its configuration - learn more
  • Personally owned
    • User enrollment (Account driven): monitor and configure basic system

Android 🪅

  • Corporate owned with work profile or fully managed: full control over the device and its configuration, with optional separation between personal and work profile
  • Personally owned with work profile: a separate work profile is installed and all settings, apps and data will reside in just this work container

ℹ️
Check out this docs article to get an overview of what data you can (not) see on an enrolled devices.

 


Access control: Conditional Access

To control access for both MDM or MAM, you should implement a Conditional Access policy that validates the access requests to any Microsoft 365 service is coming from a managed device or app. Read more about Conditional Access

Access grant options

From a technical perspective there are the following grant controls which ensure an access is secured by either MAM or MDM. (some are only applicable to certain OS types) This is included in the grant option and should be set to "require one of the selected controls".

Policy design

This Conditional Access Policy require MAM or MDM would look like this:

Configuration
Users Include: All
Exclude: Break Glass admin
Target resources Office 365

+ any other app that should only be accessible from a managed mobile
Conditions Device platforms: Android, iOS

Client apps: Mobile apps and desktop clients
Grant -Require device to be marked as compliant
-Require app protection policy

>Require one of the selected controls

 

Additional: Protecting apps accessed from the browser

You may now ask how to protect Microsoft 365 or other apps from browser access. The answer is: Conditional Access App Control (read my dedicated blog post about it) with Microsoft Defender for Cloud Apps to control the browser session on any device.

This is allows you to monitor or control app access and set granular policies through Defender for Cloud Apps such as restricting cut/copy paste, require elevated authentication (MFA), secure up- and downloads or other activities. Read the Microsoft docs

 


Overview

Describe the management aspects

Disclaimer: MDM and MAM are not fulfilling all data protection requirements. Management of the device or app is only a security measurement and reinforcement. In terms of data protection, you should always strive for Azure Information Protection.

 

MDM 📱

Mobile Device Management includes to configure system aspects, apps and data on the device-level. In a nutshell MDM allows to:

  • Enroll the whole or user part device into Intune - corp data is isolated and separated from personal area (both platforms)
  • Apply system settings, policies and profiles, including security
  • Verify with compliance policies
  • Deploy apps

 

Enrollment

Enrollment is the process to connect your device with Intune and make it manageable. The enrollment includes a authentication part, which is backed by Entra ID. Before you can enroll, you should check out the MDM authority and enrollment restrictions.

iOS 🍎

Android 🪅

 

Configuration

Configuration includes settings in policies that define system behavior, look & fees and more. In Intune we mainly use the Settings Catalog or Templates for this.

 

Security

Security is first of all defined by the platform security - so which security features and measures the platform, including hardware and OS provide. Check out Apple Platform Security guide and Android Enterprise Security for more information.

To ensure security with Intune, you should focus on system security settings, provided through configuration. Select a security framework and apply the recommended policies. (More about Intune security)

 

Compliance

Compliance policies are essential to ensure that devices which access corporate resources meet security and system requirements. Compliance policies are audit only and should be combined with Conditional Access to define the access. They check device health and system security. Actions for noncompliance can be defined, such as send a push or email notification, lock or retire the device. Read my post on Intune compliance

 

App deployment

Apps are the reason why we want mobile devices. With Intune we can centrally deploy, install automatically silent or make available apps from different sources.

iOS 🍎

  • (Apple) Store app
  • Web clip
  • Web link
  • Built-In app
  • Line-of-business app
  • Apple Volume Purchase Program (VPP) - acquire Apps directly from Apple Business Manager and deploy to devices without needing an Apple ID

Android 🪅

  • Android store app
  • Managed Google Play app
  • Web link
  • Built-In app
  • Line-of-business app
  • Android Enterprise system app

 


MAM 📥

Mobile Application Management does only control configurations, look & feel within an app. It is important to mention, that MAM is independent of the underlying device. In short it includes:

  • Configure app settings
  • Protect data in the app
  • Define access and launch conditions of the app

 

App protection

App protection policies are here to protect corporate data in managed apps and is part of Microsoft's MAM solution. These are available for iOS/iPadOS, Android and Windows 10 and later. These policies are usually applied when the device is not corporate managed and also hold personal data. The danger is that corporate data could be exfiltrated to other workloads on the device. App protection policies consists of three sections:

  • Data protection - the protection, settings and functions in the corporate app or for sharing with other apps
  • Access requirements - defines how to corporate app must be started
  • Conditional launch - sets actions when certain requirements are not met

To adapt this service, I would recommend the Data protection framework using app protection policies from Microsoft, which is graded in three levels: Level 1 enterprise basic data protection, Level 2 enterprise enhanced data protection, Level 3 enterprise high data protection.

 

App configuration

App configuration policies have the capability to define settings and look in a corporate app that was deployed to an Intune managed device or has the Intune app SDK integrated or was wrapped. These can help to improve and streamline the user experience.

 


Getting started

If you want to start your mobile journey with Intune, I recommend you to get as much hands-on experience as possible. The technical part is not everything, don't forget about gathering requirements from your business to equip them with the right mobile setup. Ask these questions to identify which mobile device setup would be right:

General

  • Is the device corporate or personal owned?
  • Which OS is used?
  • Which corporate apps should be accessed? are the Intune MAM supported?

MDM

  • What device is desired? (low/medium/high-end) (form-factor)
  • Which OS is desired/needed?
  • For what is the device used? (corporate only/personal/kiosk)
  • Which security baselines should be used?

MAM

  • Which apps do you want to protect with MAM?
  • How much should security and usability be balanced?

 

Prerequisites

The Apple Push Notification system (APNs) certificate must be renewed anually. If it expires, you need to re-enroll all devices.

 

Start with Intune management

After you collected your use cases and requirements and know what's possible you can start with a proof-of-concept implementation of policies for mobiles. Please ensure you meet all the prerequisites and have your Intune tenant settings configured correctly. I would generally follow these steps:

  1. Define the use case
  2. Choose an enrollment option - get overview here
  3. Plan for configuration and compliance policies and app deployment
  4. Implement policies
  5. Pilot the proof-of-concept
  6. Feedback collection and prepare to roll out
  7. Roll out use case / provide to end users
ℹ️
End user guides are recommended to ensure the enrollment and operations are handled correctly and everything is understandable for employees.

 


powered by

Oceanleaf
Technology blog on Microsoft Cloud. Learn about cutting edge tech, explained simply & straightforward in quality focused blog posts.
You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Success! Your email is updated.
Your link has expired
Success! Check your email for magic link to sign-in.