As Mobile Device Management platforms become more widely adopted, one of the rising challenges is management of data on unmanaged devices. 

There are a few scenarios in which you may choose not to enroll a device or may not be able to enroll a device in MDM:

  • Employees needing to access corporate applications but not willing to enroll into MDM for privacy concerns.
  • Lack of budget for Enterprise Mobility Management licenses for BYOD devices.
  • Joint ventures where employees / subcontractors devices may already be enrolled into another MDM.
  • Consultants / Contractors who may have devices already enrolled into another Mobile Device Management platform.

If you are facing one of these scenarios, then we have good news and great news. The good news is that Mobile Application Management (MAM) is a practical solution for these scenarios. With MAM, instead of placing the controls around the entire device, the controls are placed around the application and it’s data, ensuring that the corporate data is still protected and can be removed at any time. The great news is this can be achieved without enrolling the device in MDM and it can also be achieved even if the device is enrolled in a 3rd party MDM platform.

The most common example we see is where a doctor is working for a hospital that manages the doctor’s devices with Mobile Device Management and the doctor also works part-time in a surgery center or specialty clinic. If the clinic wants to provide the doctor with their proprietary app, that can be done using MAM controls to protect the patient data in the app.

Most Mobile Device Managment vendors have Mobile Application Management capability built into their solution, however, uptake is generally low due to complexity and lack of functionality. However, Microsoft Intune does MAM particularly well and can be overlaid on top of MDM platforms such as AirWatch, MobileIron, MaaS360 or XenMobile.

What is Microsoft Intune?

Intune is the component of Microsoft’s Enterprise Mobility + Security (EMS) solution that manages mobile devices and apps.  Intune integrates directly with Azure Active Directory (Azure AD) for identity and access control and Azure Information Protection for data protection. When it is used with Office 365, Intune enables your workforce to be productive on mobile devices while keeping corporate data protected.

Why is Microsoft Intune different?

Unlike other MDM vendors, Microsoft owns the largest and best collaboration suite in the world, Office 365.  Microsoft has built MAM capability directly into each of the mobile office apps (Outlook, Word, Excel, Teams etc) which means we can apply additional security controls to office applications with or without device enrolment in MDM.

Intune Mobile Application Management capability offers:

• Single Sign-on across applications
• Multifactor authentication
• Conditional Access
• Isolation of corporate data from personal data
• Protection of corporate data
• Ability to wipe corporate data from apps
• Digital Rights Management

Conditional Access

Microsoft Intune works side by side with Azure AD conditional access (available in AAD premium plans that are bundled with EM+S) to ensure that your corporate data is being accessed by the right person under safe conditions. Conditional access is enforced after the first-factor authentication has been completed as the authentication attempt is made after a number of user "conditions" are checked and validated. Then the session or request is either blocked, allowed or has additional controls are enforced (such as multi-factor authentication).

Protecting enterprise apps with Intune

The same MAM technology can be applied to internal / enterprise apps. In the example above the clinic would embed the Microsoft ADAL and Intune SDK Libraries in their app during development.

Microsoft Intune SDK

Intune SDK provides the capability to enforce DLP controls, checking device health compliance, ability to remotely wipe corporate data.
Full capability list is available here:

Microsoft ADAL

Microsoft Azure Active Directory Authentication Libraries (ADAL) can be used in your application to leverage Azure AD for authentication, this grants the application a token from Azure AD which can be used to access resources within Azure and enables the capability for conditional access for the application. Microsoft ADAL is also a requirement for proxying application HTTP traffic to the internal network if you are using Azure App Proxy for your intranet/internal network access.


Microsoft is the only vendor that has direct hooks into Office 365 suite of apps and of course there is tight integration with Azure AD. This enables us to apply policies that are linked to users and their apps, not their devices. The Intune SDK allows developers to apply the same polices to custom mobile apps which can then be deployed on any device, with or without MDM. Consequently end-users have a consistent experience and world-class collaboration apps on their personal device.