Mobile Application Management (MAM)

The biggest challenge for BYOD devices is data security and leakage, a common method to enforce data protection is through Exchange ActiveSync and/or Mobile Device Management (MDM) tools such as AirWatch, Intune and others.

Both ActiveSync and MDM comes with the option of device wipe and enforcing device PIN. If the device is lost or the employee is terminated, the company could remote wipe the device to protect its data. While device wipe is great from the company’s perspective, it is almost always met with resistance from the employees because everyone fears the company has the power to wipe their personal data such as photos and contacts from their own personal devices.

What are the options when users do not use MDM:

Option 1: block access if not using a managed device, which makes sense from a security perspective but not so good from a productivity perspective.

Option 2: allow user to access using a thin client, for example OWA for email where the user enters the OWA URL into their browser and then their credentials, the email is stored on the server rather than on the client. The risk with this approach is:

  1. on a personal device many users do not use PIN or encrypt the device, anyone may be able to access the device if stolen
  2. user often saves the credential on their personal device so they don’t have to enter the password each time, this will also allow unauthorised users to see the previously browsed sites such as OWA.
  3. while Multifactor Authentication (MFA) can be enabled, if the smart phone is the 2nd factor, effectively the phone factor is bypassed when the same device is compromised.

Option 3: utilise Mobile Application Management (MAM). The security policy is applied at the application level instead of the device level. Data wipe will now be performed at the application level (AKA selective wipe). This will remove the corporate data while leaving the personal data intact.

MAM with Microsoft Intune allows a company to control:

  • cut/copy/paste restrictions
  • prevent “save as”
  • prevent cloud backup
  • jailbroken or rooted devices
  • PIN requirement
  • selective wipe of the application data

The screenshot below illustrates some of the security options available:


Some of MAM supported apps are show below, for the complete list go to Microsoft Intune Partners page.



To deploy Intune MAM, users will need either Intune or EMS licenses.

It is also possible to deploy both Intune MDM and MAM at the same time. A scenario for this is to allow corporate devices to be managed by MDM, and offering BYOD users a choice between MDM and MAM.

Microsoft TechNet has further information on Intune MAM

How you can protect app data

Create and deploy mobile app management policies with Microsoft Intune

End user experience