More in control of mobile app management without enrollment

Earlier this year I did my first post about the ability to use mobile app management without enrollment. This week I want to continue on that specific subject. The main trigger for that is the app reporting ability that was added during the April update of Microsoft Intune. In this post I want to show how this new feature can help with being more in control of the usage of mobile app management policies for mobile app management without enrollment (also known as MDM-less MAM).

Wipe requests

Before showing the app reporting ability, which monitors the managed apps that are used by a user, I’ll start with a little information about wipe requests. Not only does that show the added value for managed apps, it also adds information to the app reporting overview.

The real added value of a wipe request is when a device is lost or stolen, or when an employee leaves the company. At that moment a wipe request can be used to make sure that company app data is removed from the device.

To selectively remove company app data, follow the next 9 steps. Once the request is completed, the next time the app runs on the device, company data is removed from the app.

  1. In the Azure portal navigate to Intune mobile application management > Settings to open the Settings blade;
  2. In the Settings blade, click Wipe requests to open the Wipe requests blade;
  3. In the Wipe requests blade, click New wipe request to open the New wipe request blade;
  4. In the New wipe request blade, click Select the user to open the Select user blade;
  5. In the Select user blade, select the specific user and click Select to return to the New wipe request blade. The users that are shown are all the available users in the Azure AD, not just licensed users or targeted users;
  6. Back in the New wipe request blade, click Select the device to open the Select device blade;
  7. In the Select device blade, select the specific device and click Select to return to the New wipe request blade. The devices that are shown are all the devices that the selected user has used to access managed apps;
  8. Back in the New wipe request blade, click OK to return to the Wipe requests blade. This immediately sends the new wipe request, without asking for additional verification;
  9. The Wipe requests blade now shows a status overview of all the wipe requests that have been sent to the selected users and their devices, including the status of those wipe requests. The status is either complete or pending, and is listed for every app that was used by the selected user on the selected device.

App reporting

After configuring mobile app management policies, or sending wipe requests, it’s possible to monitor the compliance status in the Azure portal. This includes information about the users affected by the policy, the compliance status, and any issues that end-users might be experiencing. Basically, it allows the administrator to look up the compliance status for a specific user.

It actually already starts with a User status tile in the Intune mobile application management blade. That tile shows a quick summary of the compliance status: the total number of users within the company that use apps associated with policies, the number of users that are using those apps in the company context (MANAGED BY POLICY), and the number of users that are using apps associated with policies but are not targeted by the company policies (NO POLICY).

To use app reporting for a specific user, follow the next 5 steps.

  1. In the Azure portal navigate to Intune mobile application management > Settings to open the Settings blade;
  2. In the Settings blade, click Users to open the App reporting blade;
  3. In the App reporting blade, click Select user to open the Select user blade;
  4. In the Select user blade, select the specific user and click Select to return to the App reporting blade. The users that are shown are all the available users in the Azure AD, not just licensed users or targeted users;
  5. The App reporting blade now shows a clear overview of the selected user and the status of every app that is targeted at the selected user. The next paragraph includes a couple of clear examples.

Administrator reporting experience

Now it’s time to have a look at the experience for the administrator. More importantly, let’s have a look at what the app reporting capability will bring to the administrator. I will show what the administrator will see before and after sending a wipe request. Basically, the administrator will see one of the following 3 statuses for every app and device combination for the specific user.

  1. Not checked in – This means that the policy was deployed to the user, but the app has not been used in the company context since then;
  2. Checked in – This means that the policy was deployed to the user and the app has been used in company context at least once;
  3. Wipe pending – This means that the app has been used in company context at least once, but the administrator has sent a wipe request after that.
[Screenshots: App reporting blade before the wipe request (MAM_AppReporting) and after the wipe request (MAM_WipeReporting)]
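To make the three statuses above, and the pending/complete state of a wipe request, concrete, here is a small model of how they follow from the events the page describes (policy deployed, app checked in, wipe request sent). This is an added example, not code from the original post or from Intune; the record layout and sample timestamps are constructed, and the status shown after a wipe has completed is an assumption, since the post does not state it.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class AppDeviceRecord:
    """One app/device pair for a single user (constructed model, not Intune data)."""
    app: str
    device: str
    policy_deployed: datetime
    check_ins: List[datetime] = field(default_factory=list)  # app ran in company context
    wipe_requested: Optional[datetime] = None  # wipe requests target a user+device, so
                                               # the same timestamp applies to every app on it


def wipe_status(rec: AppDeviceRecord) -> Optional[str]:
    """pending/complete as listed in the Wipe requests blade; only apps that were
    actually used on the device appear there, so unused apps yield None."""
    used_since_policy = [t for t in rec.check_ins if t >= rec.policy_deployed]
    if rec.wipe_requested is None or not used_since_policy:
        return None
    # Company data is removed the next time the app runs, which completes the request.
    ran_after_request = any(t >= rec.wipe_requested for t in rec.check_ins)
    return "complete" if ran_after_request else "pending"


def app_status(rec: AppDeviceRecord) -> str:
    """Status per app/device pair as shown in the App reporting blade."""
    if not any(t >= rec.policy_deployed for t in rec.check_ins):
        return "Not checked in"          # policy deployed, app never used in company context
    if wipe_status(rec) == "pending":
        return "Wipe pending"            # used at least once, wipe sent after that use
    return "Checked in"                  # assumption: a completed wipe shows as Checked in again


def report(records: List[AppDeviceRecord]) -> Dict[Tuple[str, str], str]:
    return {(r.app, r.device): app_status(r) for r in records}


# Constructed sample: one user, one iPhone, policy deployed 1 April, wipe sent 3 April.
T = datetime
SAMPLE = [
    AppDeviceRecord("Outlook", "iPhone", T(2016, 4, 1), [T(2016, 4, 2)], T(2016, 4, 3)),
    AppDeviceRecord("Word", "iPhone", T(2016, 4, 1), [], T(2016, 4, 3)),
    AppDeviceRecord("Excel", "iPhone", T(2016, 4, 1), [T(2016, 4, 2), T(2016, 4, 4)], T(2016, 4, 3)),
    AppDeviceRecord("OneDrive", "iPhone", T(2016, 4, 1), [T(2016, 4, 2), T(2016, 4, 5)]),
]

if __name__ == "__main__":
    for key, status in report(SAMPLE).items():
        print(key, status)
```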

More information

For more information about sending wipe requests and app reporting for mobile app management policies, please refer to the following articles:

Frequently asked questions about mobile application management without enrollment

Last update: 08-04-2016

After my blog post a couple of weeks ago, I got many questions related to mobile application management (MAM) without enrollment. That triggered me to create a quick frequently asked questions (FAQ) post. MAM without enrollment is online also referred to as MDM-less MAM, Azure MAM and sometimes even Intune MAM. As MDM-less MAM seems to be the most commonly used, and the shortest, I’ll use that in this FAQ.

I’ll try to keep this FAQ as complete and up-to-date as possible. Just to be sure, I’ve added a last update date at the top of this post. That is the date on which this content was last reviewed. Also, if I’m missing some obvious question, please don’t hesitate to contact me and I will add it.

What is MDM-less MAM?

MDM-less MAM can protect company data with or without enrolling devices in a device management solution. It does this by implementing app-level policies, which can restrict access to company resources and keep data within the purview of the company.

Which platforms are supported by MDM-less MAM?

MDM-less MAM supports the following platforms:

  • iOS 8.1 and later;
  • Android 4 and later.

Which apps are supported by MDM-less MAM?

MDM-less MAM supports the following apps:

  • Microsoft Word for iOS;
  • Microsoft Excel for iOS;
  • Microsoft OneDrive for iOS and Android;
  • Microsoft OneNote for iOS;
  • Microsoft Outlook for iOS and Android;
  • Microsoft PowerPoint for iOS;
  • Microsoft Remote Desktop for iOS and Android;
  • Microsoft Managed Browser for iOS and Android.

Which scenarios are supported by MDM-less MAM?

MDM-less MAM supports the following three scenarios:

  1. Devices that are managed and enrolled in Microsoft Intune;
  2. Devices that are managed and enrolled in a third-party solution;
  3. Devices that are not managed by any solution.

Which license do I need to have to use MDM-less MAM?

MDM-less MAM requires a Microsoft Intune license assigned to the end-user. A Microsoft Intune license is also included in an EMS license.

Where can I configure MDM-less MAM?

MDM-less MAM can be configured in the Azure portal.

Does MDM-less MAM affect personal accounts?

No. The restrictions of the MDM-less MAM policies only apply when the end-user signs into a supported app using a company account.

How can I disable the “Offline interval before app data is wiped (days)” MDM-less MAM policy setting?

This specific MDM-less MAM policy setting can be disabled by configuring a value of 0.

What happens when an end-user is targeted with MDM-less MAM policies and MDM MAM policies?

The end-user will be required to enroll the device. After enrollment the MDM-less MAM policies will take precedence in the supported apps.

Why do my end-users receive the message “Your company has required that you must first enable a device PIN to access this application”?

The end-user will receive this message when there is no device PIN configured and the MDM-less MAM policy requires encryption. Without a device PIN there is no use in encrypting the device.

Where can I find the TechNet documentation?

The TechNet documentation about MDM-less MAM is available here: https://technet.microsoft.com/en-us/library/mt627825.aspx