BYOD at work: MDM and MAM with Microsoft Intune


Mobile device management and mobile application management are essential for securing your organization’s data and IoT devices.


According to recent research, the average household has 25 connected devices, up from 11 in 2019. This widespread adoption, coupled with a global pandemic, has changed the way we function and communicate, both personally and professionally.

Many industries are adapting to working remotely, with technology that enables remote patient consultation and monitoring, virtual classes, and food ordering and tracking via mobile devices. Additionally, many organizations have adapted to a bring-your-own-device (BYOD) environment as workers want to perform their home and office tasks seamlessly without switching devices. This shift towards a device-dependent workforce is forcing security teams to take a closer look at how they manage and secure the data they collect and the devices they use.

Whether it’s a personal or company-owned device, security teams must enforce corporate data access and productivity policies on mobile devices through mobile device management (MDM) and mobile application management (MAM).

The difference between MDM, MAM, EMM and UEM

MDM is a way to secure mobile devices such as smartphones and tablets, while MAM secures applications on devices used to access organizational data, such as Outlook, SharePoint and OneDrive. MDM software is typically designed to support one or more operating systems such as iOS and Android. It maintains a device profile, which allows companies to remotely track, lock, secure, encrypt and wipe devices as needed. The software also installs agents on devices to query and retrieve device status.

Enterprise mobility management (EMM) focuses on managing applications, content, and identities on devices, while MDM focuses solely on device security. Because EMM cannot support platforms like Windows and iOS, unified endpoint management (UEM) was created as a centralized management solution that provides cross-platform support, eliminating the need for multiple solutions. It is important to note that the security and confidentiality of the data accessible via any of these solutions depends on how they are implemented and configured.

MDM at work

Devices are enrolled in MDM software either through vendor-specific programs from the manufacturer or through manual enrollment using a token, QR code, email, or SMS. There are several MDM products on the market, such as VMware Workspace ONE, Microsoft Intune, Citrix Endpoint Management, MobileIron, and SimpleMDM. MDM software sends a set of commands to enrolled devices through APIs built into the operating systems. It collects details of enrolled devices, such as hardware and software inventory, installed and configured apps, security status, and location, and it manages the apps running on devices, authorizing, blocking, or deleting them according to preconfigured parameters.

Compliance restrictions from standards such as HIPAA, GDPR, and PCI are enforced through policies. Devices can be centrally managed and maintained, and policies are applied to devices in bulk. Automation makes it easier to track, encrypt, secure and wipe devices.

MAM at work

Devices are not required to enroll in MAM software. Corporate apps are pushed to corporate app stores, and employees can install and download them to their BYOD devices. Applications run in secure containers to separate personal and work data.

One of the main differences between MAM and MDM is that MAM does not need to control the device. MAM ensures that sensitive data is not sent or copied to other applications. Employees using their own devices feel more comfortable with MAM because it has less control over their entire device than MDM software.

Microsoft Intune for MDM and MAM

Microsoft Intune is a cloud service focused on MDM and MAM. It can enforce device policies to ensure that data does not cross organizational boundaries. It supports devices, including laptops, mobile devices, and tablets, and it enforces policies and provides data protection whether a device is enrolled or not. One of the main benefits of Microsoft Intune is its integration with Azure Active Directory and Office 365 applications. When integrated with Azure Active Directory, it controls who has access and what they have access to. Office 365 applications such as Outlook, OneDrive, SharePoint, Teams, etc. are used by many organizations, including mobile apps on personal devices, so corporate policies must be applied consistently on these devices as well.

Security control configurations required for Microsoft Intune enrollment

There are five important security controls to configure when using Microsoft Intune.

  • Role-based access control. It’s important to secure access to the Intune admin portal and delegate access to only authorized users, such as IT admins and SCCM admins. Unless necessary, do not delegate a global administrator role to users.
  • Enrollment restrictions. Intune limits the types of devices that can be enrolled and the number of devices allowed per user. The maximum number of devices allowed per user is 15, but this number can be lowered to reduce the risk of unwanted or malicious devices being enrolled.
  • Compliance Policies. Intune can enforce compliance policies such as detecting jailbroken devices, weak passwords, unwanted apps, and operating systems that haven’t been updated. It is recommended that you apply these policies to ensure that devices are compliant.
  • Application protection policies. Intune app protection policies ensure that all data accessed from managed apps is protected and not disclosed. They create a container in which applications access data securely and keep personal data separate from corporate data. Intune app protection policies apply to Android and iOS apps and are a practical way to implement security for MAM.
  • Conditional access. Conditional Access is a feature of Azure Active Directory, and it can be used to specify the conditions under which access to applications or services can be denied or granted. Conditional Access policies, when used in conjunction with device- and app-based compliance policies, ensure that insecure or non-compliant devices and apps are not allowed access to your domain.
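As an added illustration (not code from the original post or from Microsoft), the script below audits a constructed export of Intune managed devices against the compliance and enrollment-restriction controls listed above. The field names follow the Microsoft Graph managedDevice schema (userPrincipalName, operatingSystem, osVersion, complianceState, jailBroken); the device values, the OS baseline, and the per-user device limit are assumptions for the example.

```python
import json
from collections import Counter

# Constructed sample modelled on Microsoft Graph managedDevice objects.
# Field names match the Graph schema; the values are invented for this example.
MANAGED_DEVICES = json.loads("""[
 {"userPrincipalName": "alice@example.com", "operatingSystem": "iOS",
  "osVersion": "16.4", "complianceState": "compliant", "jailBroken": "False"},
 {"userPrincipalName": "alice@example.com", "operatingSystem": "iOS",
  "osVersion": "16.4", "complianceState": "compliant", "jailBroken": "False"},
 {"userPrincipalName": "alice@example.com", "operatingSystem": "Android",
  "osVersion": "13", "complianceState": "compliant", "jailBroken": "False"},
 {"userPrincipalName": "bob@example.com", "operatingSystem": "Android",
  "osVersion": "11", "complianceState": "noncompliant", "jailBroken": "True"},
 {"userPrincipalName": "carol@example.com", "operatingSystem": "iOS",
  "osVersion": "14.2", "complianceState": "unknown", "jailBroken": "Unknown"}
]""")

# Hypothetical organisational baselines: minimum OS per platform and a
# per-user enrollment limit lowered from Intune's default maximum of 15.
MIN_OS = {"iOS": (15, 0), "Android": (12, 0)}
DEVICE_LIMIT = 2


def parse_version(version: str) -> tuple:
    """Turn '16.4' into (16, 4) so versions compare numerically."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def audit_devices(devices, min_os=MIN_OS, device_limit=DEVICE_LIMIT):
    """Return (userPrincipalName, finding) pairs for every device that fails a
    compliance check, plus one finding per user over the enrollment limit."""
    findings = []
    for d in devices:
        upn = d["userPrincipalName"]
        # Compliance policy: anything other than 'compliant' blocks access under
        # a Conditional Access policy that requires a compliant device.
        if d["complianceState"] != "compliant":
            findings.append((upn, f"complianceState={d['complianceState']}"))
        # Jailbroken / rooted detection (Graph reports the string "True").
        if d["jailBroken"] == "True":
            findings.append((upn, "jailbroken or rooted device"))
        # Outdated operating system versus the organisational baseline.
        baseline = min_os.get(d["operatingSystem"])
        if baseline and parse_version(d["osVersion"]) < baseline:
            findings.append((upn, f"OS {d['osVersion']} below baseline"))
    # Enrollment restriction: too many devices registered to one user.
    for upn, count in Counter(d["userPrincipalName"] for d in devices).items():
        if count > device_limit:
            findings.append((upn, f"{count} devices exceeds limit of {device_limit}"))
    return findings
```

Running audit_devices(MANAGED_DEVICES) flags Bob three times (non-compliant, jailbroken, Android 11 below baseline), Carol twice (unknown compliance state, iOS 14.2 below baseline), and Alice once for exceeding the two-device limit.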


MDM and MAM are important security technologies for the remote workforce and BYOD. Microsoft Intune can be configured with the security controls above so that MDM and MAM coverage is complete.

Learn how to accelerate and scale your application security testing with Synopsys’ on-demand resources and expertise. Our cloud configuration services include identifying configuration errors around Microsoft Intune and other MS-related applications.
