Enabling employees to access corporate resources securely from their personal devices is a top priority for most businesses. Tunnel for MAM (Mobile Application Management), part of the Intune Suite, extends the Microsoft Tunnel VPN gateway to Android and iOS devices without requiring those devices to be enrolled in Intune.

This innovative approach empowers users to use their own devices for both work and personal endeavors, ensuring secure access to on-premises resources while maintaining privacy and control over their personal devices.

Secure Access for Unenrolled Mobile Devices

A standout feature of Microsoft Tunnel for MAM is its ability to provide secure access for mobile users on devices that are not enrolled with Intune. This capability allows sysadmins to set up app configuration policies specifically for Microsoft Edge and Microsoft Defender.

For Microsoft Edge, an app configuration policy can be configured to support identity-switch. This enables the VPN Tunnel to automatically connect when the user signs in or switches to a Microsoft Work or School account and disconnects when switching to a personal account. Similarly, for Microsoft Defender, an app configuration policy is required to configure it as the tunnel client app on the device.

How It Enhances Endpoint Management

Integrating Tunnel for MAM into your endpoint management strategy can significantly bolster your business's security framework. It aligns with a Zero Trust framework by providing secure network access from unmanaged devices.

When combined with MAM, the Tunnel for MAM offers flexibility for end-users, allowing them to work securely and efficiently without enrolling their devices in a Mobile Device Management (MDM) system. This not only simplifies the adoption of Bring Your Own Device (BYOD) policies but also embraces hybrid work trends without compromising data security.

Key Benefits of Tunnel for MAM

  1. Secure Access to Corporate Data: Tunnel for MAM provides mobile access to corporate resources while applying security policies and protecting data through Intune. This ensures that sensitive information remains secure even when accessed from personal devices.
  2. Flexibility for End Users: Employees can work efficiently without the need to enroll their devices. This flexibility allows users to retain control over their personal devices while still accessing necessary work resources securely.
  3. Enable BYOD Policies: Businesses can embrace BYOD policies without compromising security. This reduces the need for purchasing company-owned devices, making it a cost-effective solution.
  4. Enabling Work from Anywhere:
    • End-users retain control of their personal devices.
    • No MDM device enrollment required, keeping company data protected.
    • Supports the adoption of a BYOD program, facilitating a more dynamic and flexible work environment.

Deployment of Tunnel for MAM

Deploying Tunnel for MAM involves several key steps:

  1. Activate or Deploy Trial Licenses: Begin by activating or deploying trial licenses for Tunnel for MAM.
  2. Configure Apps:
    • Microsoft Edge: Configure an app configuration policy to support identity-switch. This ensures the VPN Tunnel automatically connects when the user signs in or switches to a Microsoft Work or School account and disconnects when switching to a personal account.
    • Microsoft Defender: Set up an app configuration policy to configure Microsoft Defender for Endpoint as the tunnel client app on the device.

By following these steps, organizations can quickly and effectively deploy Tunnel for MAM, ensuring secure access to corporate resources for their mobile workforce.


Microsoft Tunnel for MAM in the Intune Suite represents a significant advancement in mobile security and flexibility. By enabling secure access to corporate data on unenrolled devices, it supports a robust BYOD strategy and enhances endpoint management.

Businesses can now confidently embrace hybrid work trends, providing employees with the tools they need to work from anywhere without compromising security. With Tunnel for MAM, both IT departments and end-users can experience the benefits of a secure, efficient, and flexible mobile work environment.

To learn more and jumpstart your journey with the Intune Suite, check out and apply to the Intune Suite Pilot Program here: https://www.mobile-mentor.com/intune-suite-pilot/

Andrew Reade