Getting started with Microsoft Tunnel for Mobile Application Management for Android

This week is a follow-up on the post of last week. While last week the focus was on iOS/iPadOS devices, this week the focus is on Android devices. Some parts might overlap with that post of last week, but those parts are definitely needed for the completeness of the story and the configuration. So, in general, the focus is still on Microsoft Tunnel for Mobile Application Management (Tunnel for MAM). As mentioned last week, Tunnel for MAM is one of the features that was released at the beginning of March as part of the Intune Suite add-ons. Tunnel for MAM itself, is available as part of the new Microsoft Intune Plan 2 license. The great thing about Tunnel for MAM is that it makes it possible to provide access to on-premises resources, on unmanaged devices. And often, those unmanaged devices are equal to personal-owned devices.

Tunnel for MAM provides IT with the flexibility to make an app, with on-premises interaction, available on personal-owned devices. And all of that without requiring the user to enroll that specific device, but still enforcing secure access and guaranteeing full privacy. It provides all the strong capabilities that were already available via Microsoft Tunnel, like modern authentication, single sign-on, and conditional access, to access on-premises apps and resources on unmanaged devices. This post will zoom-in on using Microsoft Edge for accessing an on-premises hosted website. Mainly focused on enabling that functionality, and not focused on using Tunnel for MAM versus using the Azure AD Application Proxy. This post will end by showing the user experience with Tunnel for MAM for Android devices.

Important: This post assumes that Microsoft Tunnel is already up-and-running. To get started, refer to this post.

To configure Tunnel for MAM for Android devices, and using Microsoft Edge for accessing on-premises resources, the following profiles and policies can be used, each with their own purpose (including a link to more details in this post):

Note: Tunnel for MAM on Android requires the Company Portal app and the Microsoft Defender for Endpoint app.

Configuring an app protection policy for Microsoft Edge

When looking at applying the different app configuration policies, it all starts with an app protection policy. That policy is used for providing the required data protection for any corporate data, but also, even more important in this scenario, it establishes a path for delivering the app configuration policy to an unmanaged device. It basically creates the MAM channel that can then also be used for applying app configuration policies. The following ten steps walk through the basics of creating an app protection policy for Microsoft Edge on unmanaged Android devices.

  1. Open the Microsoft Intune admin center portal and navigate to Apps > App protection policies
  2. On the Apps | App protection policies blade, click Create policy > Android
  3. On the Basics page, specify a valid name to distinguish the profile from other similar profiles and click Next
  4. On the Apps page, as shown below in Figure 1, provide at least the following information and click Next
  • Target to apps on all device types: Select No to enable targeting to specific device types
    • Device types: Select Unmanaged to target this policy only to unmanaged devices
  • Target policy to: Select Selected apps to make it possible to select a specific app
  • Public apps: Select Select public apps > Microsoft Edge as the app to protect
  5. On the Data protection page, configure the required data protection settings and click Next
  6. On the Access requirements page, configure the required access requirements and click Next
  7. On the Conditional launch page, configure the required app conditions and device conditions and click Next
  8. On the Scope tags page, configure the required scope tags and click Next
  9. On the Assignments page, configure the required assignment by selecting the applicable user group and click Next
  10. On the Review + create page, review the configuration and click Create

Configuring an app configuration policy for Microsoft Defender Endpoint

When looking at providing Tunnel for MAM functionality, it all starts with an app configuration policy for Microsoft Defender for Endpoint. The Microsoft Defender for Endpoint app is used on Android devices for providing the VPN functionality, and the app configuration policy is used for configuring that app to enable Tunnel for MAM. The configuration of that app configuration policy for Microsoft Defender for Endpoint is pretty straightforward. The following seven steps walk through the process of creating that policy, including the available configuration options.

  1. Open the Microsoft Intune admin center portal and navigate to Apps > App configuration policies
  2. On the Apps | App configuration policies blade, click Add > Managed apps
  3. On the Basics page, provide the following information and click Next
  • Name: Provide a valid name to distinguish the policy from other similar policies
  • Description: (Optional) Provide a valid description to further distinguish the policy from other similar policies
  • Device enrollment type: (Grayed out) Managed apps
  • Target policy to: Select Selected apps to make it possible to select a specific app
  • Public apps: Select Select public apps > Microsoft Edge as the app to configure
  4. On the Settings page, provide at least the following information and click Next
  • Skip the General configuration settings section
  • In the Microsoft Tunnel for Mobile Application Management settings section, as shown below in Figure 2, configure
    • Use Microsoft Tunnel for MAM: Select Yes to use Microsoft Tunnel for MAM
    • Connection name: Specify a valid name for the connection that will show on the device
    • Microsoft Tunnel site: Select Select a Site and select the Tunnel site that should be used
    • Root Certificate: (Optional) Select Root certificate and select the trusted certificate profile that should be used
    • Automatic configuration script: (Optional) Specify the URL of the proxy auto-config (PAC) file
    • Address: (Optional) Specify the address of a proxy that the traffic should be routed through
    • Port Number: (Optional) Specify the port number that relates to the proxy address
  5. On the Scope tags page, configure the applicable scope tags and click Next
  6. On the Assignments page, configure the required assignment by selecting the applicable user group and click Next
  7. On the Review + create page, review the configuration and click Create

Note: At the moment of writing, Tunnel for MAM for Android doesn’t support the use of trusted root certificates.

Configuring an app configuration policy for Microsoft Edge

When looking at providing Tunnel for MAM functionality, it’s also important to look at an app configuration policy for Microsoft Edge. That policy is used for configuring the identity switch functionality of Microsoft Edge, to ensure that the VPN functionality is not available in the personal profile. That configuration is achieved by using a new key-value pair.

  • key: com.microsoft.intune.mam.managedbrowser.TunnelAvailable.IntuneMAMOnly
  • value: True

The configuration of that app configuration policy for Microsoft Edge is pretty straightforward. The following seven steps walk through the process of creating that policy, including adding that new key-value pair.

  1. Open the Microsoft Intune admin center portal and navigate to Apps > App configuration policies
  2. On the Apps | App configuration policies blade, click Add > Managed apps
  3. On the Basics page, provide the following information and click Next
  • Name: Provide a valid name to distinguish the policy from other similar policies
  • Description: (Optional) Provide a valid description to further distinguish the policy from other similar policies
  • Device enrollment type: (Grayed out) Managed apps
  • Target policy to: Select Selected apps to make it possible to select a specific app
  • Public apps: Select Select public apps > Microsoft Edge as the app to configure
  4. On the Settings page, provide at least the following information and click Next
  • In the General configuration settings section, as shown below in Figure 3, configure
    • Specify com.microsoft.intune.mam.managedbrowser.TunnelAvailable.IntuneMAMOnly as Name and True as Value to enable the identity switch support in Microsoft Edge
  • In the Edge configuration settings section configure any Microsoft Edge specific configurations not related to Tunnel
  5. On the Scope tags page, configure the applicable scope tags and click Next
  6. On the Assignments page, configure the required assignment by selecting the applicable user group and click Next
  7. On the Review + create page, review the configuration and click Create
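The same policy can be expressed outside the portal. The script below is an added example (not code from the post or from Microsoft): it builds the request body that the Microsoft Graph representation of a managed-app configuration policy (a `targetedManagedAppConfiguration` with a `customSettings` list of name/value pairs, posted to `deviceAppManagement/targetedManagedAppConfigurations` on the beta endpoint) expects for the Edge policy above, and it audits a list of exported Edge policies for the one setting that matters here: the identity-switch key must be present and set to True, otherwise the Tunnel VPN is reachable from the personal profile. Nothing is sent to Graph; the sample policies are constructed, and the `NewTabPage.CustomURL` setting only stands in for "any Edge setting unrelated to Tunnel".

```python
"""Build and audit the Edge app configuration policy that enables the
Tunnel for MAM identity switch.

Added example, not the blog author's code. Assumptions: the Graph beta
shape of a targetedManagedAppConfiguration (customSettings = list of
{"name": ..., "value": ...}) and the targetApps action body; no request
is actually sent.
"""
import json
from typing import Dict, List, Optional

# The key-value pair from the post: keeps the Tunnel VPN out of the personal profile.
TUNNEL_IDENTITY_SWITCH_KEY = "com.microsoft.intune.mam.managedbrowser.TunnelAvailable.IntuneMAMOnly"
TUNNEL_IDENTITY_SWITCH_VALUE = "True"

# Android package id of Microsoft Edge, used when scoping the policy to the app.
EDGE_ANDROID_PACKAGE_ID = "com.microsoft.emmx"


def build_edge_policy_body(display_name: str, extra_settings: Optional[Dict[str, str]] = None) -> dict:
    """Return the JSON body for POST /beta/deviceAppManagement/targetedManagedAppConfigurations.

    extra_settings carries Edge settings unrelated to Tunnel (the "Edge configuration
    settings" section in the portal). The Tunnel key is always added and overrides a
    conflicting value supplied in extra_settings.
    """
    settings = dict(extra_settings or {})
    settings[TUNNEL_IDENTITY_SWITCH_KEY] = TUNNEL_IDENTITY_SWITCH_VALUE
    return {
        "@odata.type": "#microsoft.graph.targetedManagedAppConfiguration",
        "displayName": display_name,
        "description": "Edge: Tunnel for MAM only in the work identity",
        "customSettings": [{"name": k, "value": v} for k, v in settings.items()],
    }


def build_target_apps_body() -> dict:
    """Body for the targetApps action that scopes the policy to Edge on Android."""
    return {
        "apps": [
            {
                "mobileAppIdentifier": {
                    "@odata.type": "#microsoft.graph.androidMobileAppIdentifier",
                    "packageId": EDGE_ANDROID_PACKAGE_ID,
                }
            }
        ]
    }


def identity_switch_enabled(policy: dict) -> bool:
    """True only when the Tunnel key is present and its value is True (case-insensitive)."""
    for setting in policy.get("customSettings", []):
        if setting.get("name") == TUNNEL_IDENTITY_SWITCH_KEY:
            return str(setting.get("value", "")).strip().lower() == "true"
    return False


def audit_edge_policies(policies: List[dict]) -> List[str]:
    """Return display names of Edge policies where the identity switch is missing or off."""
    return [p.get("displayName", "<unnamed>") for p in policies if not identity_switch_enabled(p)]


# Constructed sample of what a GET on targetedManagedAppConfigurations could return.
SAMPLE_POLICIES = [
    build_edge_policy_body("Edge - Tunnel for MAM (Android)"),
    {
        "displayName": "Edge - legacy",
        "customSettings": [{"name": TUNNEL_IDENTITY_SWITCH_KEY, "value": "False"}],
    },
    {
        "displayName": "Edge - no tunnel key",
        "customSettings": [
            {"name": "com.microsoft.intune.mam.managedbrowser.NewTabPage.CustomURL",
             "value": "https://intranet.example"}
        ],
    },
]

if __name__ == "__main__":
    print(json.dumps(build_edge_policy_body("Edge - Tunnel for MAM (Android)"), indent=2))
    print("Policies without identity switch:", audit_edge_policies(SAMPLE_POLICIES))
```

Running the script prints the policy body and reports the two sample policies that would leave the VPN available in the personal profile; the audit is the part worth keeping in a periodic configuration check, because the key is easy to drop when a policy is recreated.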

Experiencing Microsoft Tunnel for Mobile Application Management with Microsoft Edge

After applying the different parts of the configuration, the behavior and the experience will change for the user in Microsoft Edge. For a functional experience, this does require the Company Portal app and the Microsoft Defender for Endpoint app to be available on the device. The Company Portal app only needs to be installed, but the Microsoft Defender for Endpoint app needs to be installed, signed in, and connected. Once that’s all in place, the rest of the change in user experience is all in the details.

Now let’s have a closer look at the user experience, which starts with the Company Portal app already installed on the device, as that was already required for using managed apps. The small details make it clear for the user when Tunnel for MAM is connected. At least, when knowing what to look for. When the user initially opens Microsoft Edge and signs in, Tunnel for MAM will not be connected and the internal resources will not be available (as shown below in Figure 4). The user will be notified that Microsoft Defender must be installed. Once the Microsoft Defender for Endpoint app is installed, the notification will change to Microsoft Tunnel not being connected (as shown below in Figure 5). That requires the user to open the Microsoft Defender for Endpoint app and sign in to that app by selecting their corporate credentials. After that the user will see a different notification. That notification will tell the user that Microsoft Edge is trying to get the information about Microsoft Tunnel (as shown below in Figure 6).

That requires the user to open the Microsoft Defender for Endpoint app and connect the configured VPN connection. Once Microsoft Tunnel is connected in the Microsoft Defender for Endpoint app, Microsoft Edge notifies the user about that connection and makes the shield with the user icon blue (as shown below in Figure 7). That enables the user to connect to internal apps and resources (as shown below in Figure 8). The grey shield with the cross indicates that it’s an HTTP site. The VPN connection is only available for the corporate profile of the user, when the identity switch is configured. As soon as the user switches to a personal profile, Tunnel for MAM will automatically disconnect and notify the user (as shown below in Figure 9).

More information

For more information about Tunnel for MAM for Android devices, refer to the following docs.
