Mobile Application Management with Microsoft Intune without MDM! Compiled Details.

The Basics

Intune mobile application management refers to the suite of Intune management features that lets you publish, push, configure, secure, monitor, and update mobile apps for your users.

MAM allows you to manage and protect your organization’s data within an application. With MAM without enrollment (MAM-WE), a work or school-related app that contains sensitive data can be managed on almost any device, including personal devices in bring-your-own-device (BYOD) scenarios. Many productivity apps, such as the Microsoft Office apps, can be managed by Intune MAM. See the official list of Microsoft Intune protected apps available for public use.

Intune MAM supports two configurations:

  • Intune MDM + MAM: IT administrators can only manage apps using MAM and app protection policies on devices that are enrolled with Intune mobile device management (MDM). To manage apps using MDM + MAM, use Intune in the Microsoft Endpoint Manager admin center.
  • MAM without device enrollment: MAM without device enrollment, or MAM-WE, lets IT administrators manage apps using MAM and app protection policies on devices that are not enrolled with Intune MDM. This means apps can be managed by Intune on devices enrolled with third-party Enterprise Mobility Management (EMM) providers, or on devices not enrolled with any MDM at all. To manage apps using MAM-WE, use Intune in the Microsoft Endpoint Manager admin center. For more information about BYOD and Microsoft’s EMS, see Technology decisions for enabling BYOD with Microsoft Enterprise Mobility + Security (EMS).

| App Management Capability | Android/Android Enterprise | iOS/iPadOS | macOS | Windows 10 |
|---|---|---|---|---|
| Add and assign apps to devices and users | Yes | Yes | Yes | Yes |
| Assign apps to devices not enrolled with Intune | Yes | Yes | No | No |
| Use app configuration policies to control the startup behavior of apps | Yes | Yes | No | No |
| Use mobile app provisioning policies to renew expired apps | No | Yes | No | No |
| Protect company data in apps with app protection policies | Yes | Yes | No | No ¹ |
| Remove only corporate data from an installed app (app selective wipe) | Yes | Yes | No | Yes |
| Monitor app assignments | Yes | Yes | Yes | Yes |
| Assign and track volume-purchased apps from an app store | No | No | No | Yes |
| Mandatory install of apps on devices (required) ² | Yes | Yes | Yes | Yes |
| Optional installation on devices from the Company Portal (available installation) | Yes ³ | Yes | Yes | Yes |
| Install shortcut to an app on the web (web link) | Yes ⁴ | Yes | Yes | Yes |
| In-house (line-of-business) apps | Yes ⁵ | Yes | Yes | Yes |
| Apps from a store | Yes | Yes | No | Yes |
| Update apps | Yes | Yes | No | Yes |

In Addition…

The following items within the admin console under apps are related functionality:

  • Microsoft Store for Business: Set up integration to the Microsoft Store for Business. Afterward, you can synchronize purchased applications to Intune, assign them, and track your license usage. For more information, see Microsoft Store for Business volume-purchased apps.
  • Windows enterprise certificate: Apply or view the status of a code-signing certificate that’s used to distribute line-of-business apps to your managed Windows devices.
  • Windows Symantec certificate: Apply or view the status of a Symantec code-signing certificate.
  • Windows side loading keys: Add a Windows side-loading key that can be used to install an app directly to devices rather than publishing and downloading the app from the Windows store. For more information, see Side-load a Windows app.
  • Microsoft Endpoint Configuration Manager: Displays information about the Configuration Manager connector, including the last successful synchronization time and the connection status. Select a Configuration Manager hierarchy running version 2006 or later to display additional information about it.
  • Apple Business Manager location tokens: Apply and view your iOS/iPadOS volume purchased licenses. For more information, see How to manage iOS and macOS apps purchased through Apple Business Manager with Microsoft Intune.
  • Managed Google Play: Managed Google Play is Google’s enterprise app store and sole source of applications for Android Enterprise. For more information, see Add Managed Google Play apps to Android Enterprise devices with Intune.
  • Customization: Customize the Company Portal to give it your company branding. For more information, see Company Portal configuration.

Adding Apps

Adding Apps is not that difficult at all. Intune supports a wide range of app types. The available options differ for each app type. Intune lets you add and assign the following app types:

| App types | Installation | Updates |
|---|---|---|
| Apps from the store (store apps) | Intune installs the app on the device. | App updates are automatic. |
| Apps written in-house or as a custom app (line-of-business) | Intune installs the app on the device (you supply the installation file). | You must update the app. |
| Apps that are built-in (built-in apps) | Intune installs the app on the device. | App updates are automatic. |
| Apps on the web (web link) | Intune creates a shortcut to the web app on the device home screen. | App updates are automatic. |
| Apps from other Microsoft services | Intune creates a shortcut to the app in the Company Portal. For more information, see App source setting options. | App updates are automatic. |

Hey! Here is a link to a list of the specific app types and how you can add them in the Intune Add app pane. I didn’t want to add that large list here.

Understanding licensed apps

In addition to understanding web apps, store apps, and LOB apps, you should also be aware of the destination of volume-purchase-program apps and licensed apps, such as:

  • Apple Volume Purchasing Program for Business (iOS): The iOS/iPadOS App Store lets you purchase multiple licenses for an app that you want to run in your company. Purchasing multiple copies helps you to efficiently manage apps in your company. For more information, see Manage iOS/iPadOS volume-purchased apps.
  • Android Enterprise fully managed work profile: How you assign apps to Android Enterprise fully managed work profile devices differs from how you assign them to standard Android devices. All apps you install for Android Enterprise fully managed work profiles come from the Managed Google Play store. You use Intune to browse for the apps you want and approve them. The app then appears in the Licensed apps node of the portal, and you can manage assignment of the app as you would any other app.
  • Microsoft Store for Business (Windows 10): Microsoft Store for Business gives you a place to find and purchase apps for your organization, individually or in volume. By connecting the store to Microsoft Intune, you can manage volume-purchased apps in the portal. For more information, see Manage apps from Microsoft Store for Business.

Before you add and assign apps

  • When you add and assign an app from a store, your users must have an account with that store to be able to install the app.
  • Some apps or items that you assign might depend on built-in iOS/iPadOS apps. For example, if you assign a book in the iOS/iPadOS store, the iBooks app must be present on the device. If you have removed the iBooks built-in app, you cannot use Intune to reinstate it.

Cloud storage space

All apps that you create by using the software installer installation type (for example, a line-of-business app) are packaged and uploaded to Intune cloud storage. A trial subscription of Intune includes 2 gigabytes (GB) of cloud-based storage that is used to store managed apps and updates. A full subscription does not limit the total amount of storage space.

Requirements for cloud storage space are as follows:

  • All app installation files must be in the same folder.
  • The maximum file size for any file that you upload is 8 GB.

Warning

Windows line-of-business (LOB) apps, including Win32, Windows Universal AppX, Windows Universal AppX bundle, Windows Universal MSIX, and Windows Universal MSIX bundle, have a maximum size limit of 8 GB per app. All other LOB apps, including iOS/iPadOS LOB apps, have a maximum size limit of 2 GB per app.

**Real Experience** I hit this issue before when trying to deploy a LOB Symantec app to macOS devices. Every time I tried to deploy the LOB Symantec app, it failed. It turns out that, because this was a LOB app, there is no icon set by default. So I decided to download an image from the web and create a .png file to use as an icon. However, the icon file I was using was 4 GB, which I didn’t pay attention to. After decreasing the icon file down to around 200 KB, the LOB Symantec app installed successfully on the Mac.

Apps that are added automatically by Intune

Previously, Intune contained a number of built-in apps that you could quickly assign. Based on Intune customer feedback, Microsoft removed this list, and the built-in apps are no longer displayed. However, if you have already assigned any built-in apps, the apps remain visible in the list of apps. You can continue to assign the apps as required.

Installing, updating, or removing required apps

Intune will automatically reinstall, update, or remove a required app within 24 hours, rather than waiting for the 7-day re-evaluation cycle.

Intune will automatically reinstall, update, or remove a required app based on the following conditions:

  • If an end user uninstalls an app that you have required to be installed on the end user’s device, Intune will automatically reinstall the app when this schedule elapses.
  • If a required app install fails or somehow the app is not present on the device, Intune evaluates compliance and reinstalls the app when this schedule elapses.
  • An admin targets an app as available to a user group and an end user installs the app from the company portal on the device. Later, the admin updates the app from v1 to v2. Intune will update the app when this schedule elapses, provided that any previous version of the app is still present on the device.
  • If the admin deploys uninstall intent and the app is present on the device and failed to uninstall, Intune evaluates compliance and uninstalls the app when this schedule elapses.

Note: Using the Windows Company Portal, end users can restart an app installation if the progress seems to have stalled or is frozen. This functionality is allowed if the app installation progress has not changed in two hours.

From the Installed apps page of the Windows Company Portal or the Company Portal website, end users can view the installation status and details for device-assigned required apps. This functionality is provided in addition to the installation status and details of user-assigned required apps.

Uninstall an app

When you need to uninstall an app from users’ devices, use the following steps.

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Apps > All apps > the app > Assignments > Add group.
  3. In the Add group pane, select Uninstall.
  4. Select Included Groups to select the groups of users that are affected by this app assignment.
  5. Select the groups to which you want to apply the uninstall assignment.
  6. Click Select on the Select groups pane.
  7. Click OK on the Assign pane to set the assignment.
  8. If you want to exclude any groups of users from being affected by this app assignment, select Exclude Groups.
  9. If you have chosen to exclude any groups, in Select groups, select Select.
  10. Select OK in the Add group pane.
  11. Select Save in the app Assignments pane.
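The same uninstall assignment, including the excluded group from steps 8 and 9, can be made through the Microsoft Graph API, which is useful when you need to script it across many apps. The following PowerShell is an added example, not code from the original post or from Microsoft's documentation; it assumes the Microsoft.Graph PowerShell SDK is installed and that the app id and group object ids shown as placeholders are supplied by you.

```powershell
# Added example: uninstall assignment via Microsoft Graph (not from the original post).
# Assumes the Microsoft.Graph PowerShell SDK is installed; the three ids are placeholders.

# Delegated scope that permits changing app assignments in Intune
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$AppId          = "<mobile app id from Apps > All apps>"          # placeholder
$IncludeGroupId = "<object id of the group that must uninstall>"  # placeholder
$ExcludeGroupId = "<object id of the group to leave untouched>"   # placeholder

# Intune assignment intents are: required, available,
# availableWithoutEnrollment and uninstall. An exclusion target keeps
# members of that group out of the assignment even if they are also in
# the included group.
$body = @{
    mobileAppAssignments = @(
        @{
            "@odata.type" = "#microsoft.graph.mobileAppAssignment"
            intent        = "uninstall"
            target        = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $IncludeGroupId
            }
        },
        @{
            "@odata.type" = "#microsoft.graph.mobileAppAssignment"
            intent        = "uninstall"
            target        = @{
                "@odata.type" = "#microsoft.graph.exclusionGroupAssignmentTarget"
                groupId       = $ExcludeGroupId
            }
        }
    )
}

# The assign action replaces the app's entire assignment set, so any
# existing required/available assignments you want to keep must be
# included in the array above as well.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/$AppId/assign" `
    -Body $body

# Read back what is now assigned, to confirm the intent and targets
$assignments = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/$AppId/assignments"
$assignments.value | ForEach-Object {
    "{0}`t{1}`t{2}" -f $_.intent, $_.target.'@odata.type', $_.target.groupId
}
```

Like the admin center, Graph applies the change on the next check-in, so the uninstall shows up on devices within the 24-hour window described above rather than immediately.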

Add apps for each platform technology in Intune

Policy:

  • App protection policies: Select this option to associate settings with an app and help protect the company data it uses. For example, you might restrict the capabilities of an app to communicate with other apps, or you might require the user to enter a PIN to access a company app. For more information, see App protection policies.
  • App configuration policies: Select this option to supply settings that might be required when a user runs an app. For more information, see App configuration policies, iOS app configuration policies, and Android app configuration policies.
  • iOS app provisioning profiles: iOS apps include a provisioning profile and code that is signed by a certificate. When the certificate expires, the app can no longer be run. Intune gives you the tools to proactively assign a new provisioning profile policy to devices that have apps that are nearing expiration. For more information, see iOS app provisioning profiles.
  • S mode supplemental policies: Select this option to authorize additional applications to run on your managed S mode devices. For more information, see S mode supplemental policies.
  • Policies for Office apps: Select this option to create mobile app management policies for Office mobile apps that connect to Microsoft 365 services. You can also protect access to Exchange on-premises mailboxes by creating Intune app protection policies for Outlook for iOS/iPadOS and Android enabled with hybrid Modern Authentication. You must meet the requirements to use policies for Office apps. For more information about requirements, see Requirements for using the Office cloud policy service. App protection policies are not supported for other apps that connect to on-premises Exchange or SharePoint services. For related information, see Overview of the Office cloud policy service for Microsoft 365 Apps for enterprise.
  • Policy sets: Select this option to create an assignable collection of apps, policies, and other management objects you’ve created. For more information, see Policy sets.

Other:

  • App selective wipe: Select this option to remove only corporate data from a selected user’s device. For more information, see App selective wipe.
  • App categories: Add, pin, and delete app category names.
  • E-books: Some app stores give you the ability to purchase multiple licenses for an app or books that you want to use in your company. For more information, see Manage volume-purchased apps and books with Microsoft Intune.

Additional Options:

** Note: The display of apps from other Microsoft services is only supported in the Windows Company Portal and the Company Portal website.

App Requirements

  • User groups (e.g. grouped by role or function)
  • Capabilities for each Group of users
  • Platforms required / device type
  • Configuration policies
  • App protection policies

** MAM without managing the device is useful when:

  • You want to allow users to use their own device (BYOD).
  • You want to provide a one-time pop-up message to let users know that MAM protections are in place, rather than continual device-level notification.
  • You want to comply with policies that require less management capability on personal devices.
    • For instance, you want to manage the corporate data for the apps, rather than manage the corporate data for the entire device.

Who should have access to apps:

  • Based on user groups.
  • Based on the sensitivity of the data the app contains.
  • Include or exclude certain types of roles within your organization?
    • For example, only certain LOB apps might be required for your sales group, whereas people focused on engineering, finance, HR, or legal might not need to use the LOB apps.
  • How will this user group connect to resources by using the app?
  • Will the data that the app accesses live in the cloud or on-premises?
  • Apps that require secure access to on-premises data?
    • Intune-managed certificates for access control?
    • Standard VPN gateway or proxy in the perimeter?
      • e.g. Azure Active Directory Application Proxy?

** Note: The Intune App Wrapping Tool and App SDK can help contain the accessed data within your line-of-business app, so that it can’t pass corporate data to consumer apps or services.

Objectives

  • Task 1: Determine your objectives
    1. Task: Capture list of apps to provision and deploy.
    2. Task: Determine how you want to secure your devices, and minimize the impact of malicious activity.
      1. Antivirus
      2. Conditional Access
      3. Authentication
        1. Certificates
        2. Multi-factor
    3. Distribution
      1. Group devices by groups and/or tags and scopes
  • Objective: Keep organization data inside the organization

Task: Create a plan to cover different scenarios that impact your organization. Some considerations: