Intune MAM: Managing Corporate Data on BYOD
In 2019 the use of bring-your-own-device (BYOD) is becoming more and more prevalent in the modern workplace. End users now expect to be able to use their own devices for both business and personal purposes, and they expect a seamless experience while doing so. The question this raises for system administrators is: “how do we effectively protect our sensitive corporate data on our users’ personal devices?”.
Ultimately, users do not want their organisation intruding on their personal data. IT administrators, for their part, need to keep all corporate data that is accessed secure at the application level, without directly managing the device. And if an employee leaves, ensuring that sensitive corporate data is wiped is critical to avoiding a data breach. So, how can you keep everyone happy?
For those looking to give staff the option to access corporate data securely on personal devices, Intune Mobile Application Management (MAM) is a viable solution.
What is Intune MAM?
Intune MAM allows users within any given organisation to access corporate data from their personal mobile devices (iOS, Android, Windows etc.) without having these devices directly managed by the organisation. On an organisational level, Intune MAM allows admins to control how data is protected within the applications installed on that mobile device. Controls and restrictions that can be set within Intune MAM include:
- Preventing data backups
- Preventing ‘Save-As’
- Preventing printing and screen capture (screen capture blocking is an Android control; iOS exposes no equivalent, so do not assume it is enforced there)
- Preventing copy, cut, paste functionality within the applications targeted
- Enforcing an application PIN
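To make the controls above concrete, the following added example (not Intune or Microsoft code) audits an app protection policy against them and prints a finding for every control the policy leaves permissive. The property names follow the Microsoft Graph managedAppProtection resource (dataBackupBlocked, saveAsBlocked, printBlocked, screenCaptureBlocked, allowedOutboundClipboardSharingLevel, pinRequired, minimumPinLength); the `platform` key, the six-digit PIN baseline and the two sample policies are constructed for the example, not exported from a tenant, so check them against the Graph reference for the platform-specific policy type you use.

```python
# Added example: audit an Intune app protection policy (Graph
# managedAppProtection shape) against the BYOD controls listed above.
# Property names are the Graph ones; "platform" and MIN_PIN_LENGTH are
# assumptions made for this example.

# Graph values for allowedOutboundClipboardSharingLevel. Only "allApps" lets
# corporate text be cut/copied into unmanaged apps; the other three confine
# outbound clipboard data to managed apps (managedAppsWithPasteIn still lets
# personal data be pasted *in*, which is a usability setting, not a leak).
CLIPBOARD_LEVELS = {"allApps", "managedApps", "managedAppsWithPasteIn", "blocked"}
MIN_PIN_LENGTH = 6  # assumed organisational baseline for the app PIN


def audit_policy(policy: dict) -> list:
    """Return one finding per control the policy leaves permissive.
    An empty list means every control above is enforced."""
    findings = []

    def require(key: str, expected, why: str) -> None:
        actual = policy.get(key)  # a missing key is the Graph default, i.e. not blocked
        if actual != expected:
            findings.append(f"{key}={actual!r}: {why}")

    require("dataBackupBlocked", True, "corporate app data can be backed up to iCloud/Google")
    require("saveAsBlocked", True, "Save-As to unmanaged locations is allowed")
    require("printBlocked", True, "printing of corporate documents is allowed")
    if policy.get("platform") == "android":  # iOS exposes no screen-capture control
        require("screenCaptureBlocked", True, "screen capture is allowed")

    level = policy.get("allowedOutboundClipboardSharingLevel", "allApps")
    if level not in CLIPBOARD_LEVELS:
        findings.append(f"allowedOutboundClipboardSharingLevel={level!r}: unrecognised value, check the export")
    elif level == "allApps":
        findings.append("allowedOutboundClipboardSharingLevel='allApps': cut/copy into unmanaged apps is allowed")

    if not policy.get("pinRequired"):
        findings.append("pinRequired=False: no application PIN enforced")
    elif policy.get("minimumPinLength", 0) < MIN_PIN_LENGTH:
        findings.append(f"minimumPinLength={policy.get('minimumPinLength')!r}: below the {MIN_PIN_LENGTH}-digit baseline")
    return findings


# Constructed sample policies for the example (not tenant exports).
PERMISSIVE_POLICY = {
    "displayName": "Android - defaults",
    "platform": "android",
    "dataBackupBlocked": False,
    "saveAsBlocked": False,
    "printBlocked": False,
    "screenCaptureBlocked": False,
    "allowedOutboundClipboardSharingLevel": "allApps",
    "pinRequired": False,
}

HARDENED_POLICY = {
    "displayName": "Android - BYOD baseline",
    "platform": "android",
    "dataBackupBlocked": True,
    "saveAsBlocked": True,
    "printBlocked": True,
    "screenCaptureBlocked": True,
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "pinRequired": True,
    "minimumPinLength": 6,
}

if __name__ == "__main__":
    for sample in (PERMISSIVE_POLICY, HARDENED_POLICY):
        found = audit_policy(sample)
        print(f"{sample['displayName']}: {len(found)} finding(s)")
        for finding in found:
            print("  -", finding)
```

Run it against a real policy by exporting the policy object from Graph as JSON and passing it in as the dictionary; the permissive sample produces one finding per control, the hardened sample produces none.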
Intune can manage a range of apps at a granular level
Through the Intune Mobile Application Management portal, administrators can specify which applications to protect. As you would expect, MAM has extensive controls to manage the Office 365 applications suite of tools.
Admins can now provide a seamless and secure Office experience without compromising end-user productivity. Granular data controls within the Office apps can be enabled, and enhanced Conditional Access policies for SharePoint, Skype and Exchange can be enforced with relative ease. Intune-managed apps also extend to third-party applications such as Citrix, SAP, Adobe and Box for organisations that use them.
All devices are registered in Azure
With Intune MAM, a device that runs a protected app (personal or otherwise) is recorded in Azure against the signed-in user account, without Mobile Device Management (MDM) enrolment; the device itself is not managed by the organisation. Because each registration is tied to a user, administrators can see which devices every user has registered and perform app protection audits on a regular basis.
It is also important to note that Intune MAM can work alongside MDM for the devices an organisation does manage. This protects corporate data within applications (MAM) as well as the devices themselves (MDM), so admins can remotely wipe, lock or reset the passcode of a managed device where needed.
When the time comes to remove sensitive data from specific applications, an App Selective Wipe request can be initiated directly from the Azure portal. What does App Selective Wipe do? It deletes all corporate data held by the protected apps on that device, leaves personal data untouched, and reports back success or failure. A single request covers every protected app the user is signed into on that device and attempts to wipe the corporate data from all of them in one go. The wipe is carried out the next time an affected app checks in with the Intune service, which can take up to 30 minutes; a device that is offline, or on which the app is never opened again, will not report success, so unfinished requests need to be followed up rather than assumed complete.
Why you should use Intune MAM
Dramatically decrease costs
By using Microsoft’s Intune MAM, you can significantly cut the cost of providing corporate devices to all staff members, because sensitive corporate data can be accessed securely from users’ personal devices through the Intune-protected apps.
Reduce the risk of lost or stolen data
Previously, if an employee lost a corporate device or had it stolen, there was a significant risk of sensitive data being compromised. These days, if a device is lost or stolen, or a staff member leaves the company, corporate data can be removed remotely from the device without touching personal data. Everyone is happy.
Reduce the red tape
Let’s face it, we all hate excessive red tape in the workplace. A MAM solution reduces the complexity of the terms and conditions between staff and the organisation by removing the need for devices to be fully managed.
Greater control over corporate data
As corporate data is accessed only through protected apps on user devices, admins have greater control over what can be done with that data. Intune also lets admins prevent data leaking out of the controlled applications.
Our tips for managing your security set-up within corporate applications:
To make sure your Intune MAM deployment is successful, here are a few tips to adhere to when rolling out a new set of policies to your user base.
Before undertaking a mass rollout of organisational application management policies, take the time to understand your user base and the technology. Make sure your policies are thoroughly tested with pilot users. Take the time to consider how different users need to access data on mobile devices. People work in different ways, and some users will need higher levels of access than others. Make sure that your MAM policies are correctly targeted to the desired applications and user groups.
MAM policies should always be applied together with the correct Conditional Access controls: require MFA when registering devices; block native and legacy clients that cannot honour app protection policies (such as built-in mail apps connecting over Exchange ActiveSync) so that only approved client apps reach the core services; and, for enrolled devices, admit only those that are compliant. Note that device compliance is evaluated only for MDM-enrolled devices; for unenrolled BYOD the equivalent grant control is to require an approved client app that carries an app protection policy. Take the time to ensure that your MAM policies are also paired with the right requirements on the device itself, such as a minimum iOS/Android version and any other criteria you define, before access to the corporate applications is granted.
Take an agile approach to managing your data, and make sure your teams provide reactive support. All App Selective Wipe requests should be actioned quickly by your service desk when a staff member leaves the company or loses a device. Hold weekly reviews of your MAM service. These reviews should include proactive checks of audit logs, checks of the users targeted for the service, and a review of any unsuccessful or still-pending App Selective Wipe requests. It seems simple, but you’d be surprised.
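The weekly review described above, as an added example that is not part of the original post or of Intune: it runs over a few constructed wipe-request records, flags failed requests and requests still pending beyond the 30-minute window, refuses to treat an unrecognised status as done, and lists targeted users who have no managed app registration yet (the policy cannot be protecting them). The record field names, the user list and the review time are assumptions made for the example; in practice the input would be your tenant's export.

```python
# Added example: weekly review of App Selective Wipe requests and policy targeting.
# Field names and sample data are constructed for the example, not the Intune/Graph schema.
from datetime import datetime, timedelta, timezone

# The 30-minute window quoted above: a request still pending past it usually
# means the app has not checked in (device offline or app not reopened).
WIPE_WINDOW = timedelta(minutes=30)
KNOWN_STATUSES = {"success", "failed", "pending"}


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2019-06-03T08:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_wipes(requests: list, targeted: set, registered: set, now: datetime) -> dict:
    """Return the devices whose wipes need chasing, grouped by reason, plus the
    targeted users who have no managed app registration at all."""
    report = {
        "failed": [],
        "overdue": [],
        "unknown": [],
        "unregistered": sorted(targeted - registered),
    }
    for req in requests:
        status = req["status"]
        if status not in KNOWN_STATUSES:
            report["unknown"].append(req["device"])  # never silently count this as done
        elif status == "failed":
            report["failed"].append(req["device"])
        elif status == "pending" and now - parse_utc(req["requested_at"]) > WIPE_WINDOW:
            report["overdue"].append(req["device"])
    return report


# Constructed sample data for the example.
WIPE_REQUESTS = [
    {"user": "alice@contoso.example", "device": "iPhone-A1",
     "requested_at": "2019-06-03T08:00:00Z", "status": "success"},
    {"user": "bob@contoso.example", "device": "Pixel-B2",
     "requested_at": "2019-06-03T08:05:00Z", "status": "failed"},
    {"user": "carol@contoso.example", "device": "iPad-C3",
     "requested_at": "2019-06-03T09:10:00Z", "status": "pending"},
    {"user": "dave@contoso.example", "device": "Galaxy-D4",
     "requested_at": "2019-06-03T09:40:00Z", "status": "pending"},
]
TARGETED_USERS = {"alice@contoso.example", "bob@contoso.example", "carol@contoso.example",
                  "dave@contoso.example", "erin@contoso.example"}
REGISTERED_USERS = {"alice@contoso.example", "bob@contoso.example",
                    "carol@contoso.example", "dave@contoso.example"}
REVIEW_TIME = parse_utc("2019-06-03T09:50:00Z")

if __name__ == "__main__":
    result = review_wipes(WIPE_REQUESTS, TARGETED_USERS, REGISTERED_USERS, REVIEW_TIME)
    for category, items in result.items():
        print(f"{category}: {items or 'none'}")
```

At the review time used here, Pixel-B2 is reported as failed, iPad-C3 is overdue (40 minutes pending), Galaxy-D4 is still within the window, and erin@contoso.example is targeted by the policy but has registered no protected app, so the service desk has three items to chase rather than a clean report.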