More in control of mobile app management without enrollment

Earlier this year I did my first post about the ability to use mobile app management without enrollment. This week I want to continue on that specific subject. The main trigger for that is  the app reporting ability that was added during the April update of Microsoft Intune. In this post I want to show how this new feature can help with being more in control of the usage of mobile app management policies for mobile app management without enrollment (also known as MDM-less MAM).

Wipe requests

Before showing the app reporting ability, to monitor the managed apps that are used by a user, I’ll start with a little information about wipe requests. Not only will that show the added value for managed apps, it’s also useful for adding information to the app reporting overview.

The real added value of a wipe request is when a device is lost or stolen, or when an employee leaves the company. At that moment a wipe request can be used to make sure that company app data is removed from the device.

To selectively remove company app data, follow the next 9 steps. Once the request is completed, the next time the app runs on the device, company data is removed from the app.

1 In the Azure portal navigate to Intune mobile application management > Settings to open the Settings blade;
2 Wipe_RRIn the Settings blade, click Wipe requests to open the Wipe requests blade;
3 In the Wipe requests blade, click New wipe request to open the New wipe request blade;
4 In the New wipe request blade, click Select the user to open the Select user blade;
5 In the Select user blade, select the specific user and click Select to return to the New wipe request blade. The users that are shown, are all the available users in the Azure AD. Not just licensed users, or targeted users;
6 Back in the New wipe request blade, click Select the device to open the Select device blade;
7 In the Select device blade, select the specific device and click Select to return to the New wipe request blade. The devices that are shown, are all the devices that are used by the selected user to access managed apps.
8 Back in the New wipe request blade, click OK to return to the Wipe requests blade. This will immediately sent the new wipe request, without asking for an additional verification;
9 The Wipe requests blade will now show a status overview of all the wipe requests that have been sent to the selected users and their devices, including the status of those wipe requests. The status will be either complete, or pending, and will be listed for every app that was used by the selected user on the selected device.

App reporting

After configuring mobile app configuration policies, or sending wipe requests, it’s possible to monitor the compliance status in the Azure portal. This includes information about the users affected by the policy, the compliance status, and any issues that end-users might be experiencing. Basically it allows the administrator to search for the compliance status for a specific user.

MAM_UserStatusIt actually already starts with an User status tile in the Intune mobile application management blade. That tile already shows a quick summary of the compliance status. It shows the total number of users within the company that uses apps associated with policies, it shows the number of users that are using apps in the company context (MANAGED BY POLICY) and it shows the number of users that are using the apps associated with policies, but are not targeted by the company policies (NO POLICY).

To use app reporting for a specific user, follow the next 5 steps.

1 In the Azure portal navigate to Intune mobile application management > Settings to open the Settings blade;
2 Users_ARbUIn the Settings blade, click Users to open the App reporting blade;
3 In the App reporting blade, click Select user to open the Select user blade;
4 In the Select user blade, select the specific user and click Select to return to the App reporting blade. The users that are shown, are all the available users in the Azure AD. Not just licensed users, or targeted users;
5 The App reporting blade will now show a clear overview of the selected user and the status of every app that is targeted at the selected user. The next paragraph includes a couple of clear examples.

Administrator reporting experience

Now it’s time to have a look at the experience for the administrator. More importantly, let’s have a look at what the app reporting capability will bring to the administrator. I will show what the administrator will see before and after sending a wipe request. Basically, the administrator will see one of the following 3 statuses for every app and device combination for the specific user.

  1. Not checked in – This means that the policy was deployed to the user, but the app has not been used in the company context since then;
  2. Checked in – This means that the policy was deployed to the user and the app has been used in company context at least once;
  3. Wipe pending – This means that the app has been used in company context at least once, but the administrator has sent a wipe request after that.
Before wipe request After wipe request
MAM_AppReporting MAM_WipeReporting

More information

For more information about sending wipe request and app reporting for mobile app management policies, please refer to the following articles:

Share

Leave a Comment