Skill 4.2: Implement Mobile Application Management
Using Microsoft Intune, you can implement Mobile Application Management (MAM) to assign, configure, update, secure, and monitor your users’ apps. In addition to using MAM to manage app usage on your users’ devices, you can also implement a number of security features that can help secure corporate data on those devices. These features include Data Loss Prevention (DLP) policies and Windows Information Protection (WIP).
This skill covers how to:
- Plan and implement App Protection policies
- Plan and implement App Configuration policies
- Secure data in Microsoft 365
Plan and Implement App Protection policies
You can use managed apps to enforce the following behaviors in your users’ apps:
- Restrict Copy and Paste
- Restrict Save As
- Specify a managed browser for opening web links
- Define app-level conditional access
- Enable multi-identity use
- Apply data loss prevention (DLP) policies to devices that are enrolled or not enrolled
- Provide app protection both with and without device enrollment
The precise details of management options vary based on the type of device being managed. Table 4-5 identifies the key functions.
TABLE 4-5 Management options in Intune MAM
| Management function | Android | iOS/iPadOS | macOS | Windows 10 |
| --- | --- | --- | --- | --- |
| Add and assign apps to devices and users | Yes | Yes | Yes | Yes |
| Assign apps to devices not enrolled with Intune | Yes | Yes | No | No |
| Use app configuration policies to control the startup behavior of apps | No | Yes | No | No |
| Use mobile app provisioning policies to renew expired apps | No | Yes | No | No |
| Protect company data in apps with app protection policies | Yes | Yes | No | No |
| Remove only corporate data from an installed app (app selective wipe) | Yes | Yes | No | Yes |
| Monitor app assignments | Yes | Yes | Yes | Yes |
| Assign and track volume-purchased apps from an app store | No | No | No | Yes |
| Mandatory install of apps on devices (required) | Yes | Yes | Yes | Yes |
| Optional installation on devices from the Company Portal (available installation) | Yes | Yes | Yes | Yes |
| Install shortcut to an app on the web (web link) | Yes | Yes | Yes | Yes |
| In-house (line-of-business) apps | Yes | Yes | Yes | Yes |
| Apps from a store | Yes | Yes | No | Yes |
| Update apps | Yes | Yes | No | Yes |
To implement app protection policies, open the Microsoft Endpoint Manager admin center and sign in as a global admin. Navigate to the Apps node, as displayed in Figure 4-39. Under Policy, select the App Protection Policies node.
Figure 4-39 The Apps node in the Microsoft Endpoint Manager admin center
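Once policies exist under the App Protection Policies node, the first three behaviors in the list above (copy and paste, Save As, managed browser) can be verified from a JSON export of those policies. The following is an added example, not part of the original text: it assumes the export uses the property names of the Microsoft Graph v1.0 `managedAppProtection` resource, and the two sample policies are constructed for illustration.

```python
import json

# Constructed sample: two policies shaped like Microsoft Graph
# managedAppProtection resources (display names and values are made up).
SAMPLE_EXPORT = json.loads("""
[
  {"@odata.type": "#microsoft.graph.iosManagedAppProtection",
   "displayName": "iOS - Corp baseline",
   "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
   "saveAsBlocked": true,
   "managedBrowserToOpenLinksRequired": true},
  {"@odata.type": "#microsoft.graph.androidManagedAppProtection",
   "displayName": "Android - Pilot",
   "allowedOutboundClipboardSharingLevel": "allApps",
   "saveAsBlocked": false}
]
""")

# Clipboard levels that stop corporate data being pasted into unmanaged apps.
RESTRICTED_CLIPBOARD = {"managedApps", "managedAppsWithPasteIn", "blocked"}


def audit_policy(policy):
    """Return the behaviors from the list above that this policy does not enforce."""
    gaps = []
    # A missing property counts as not enforced (fail closed).
    if policy.get("allowedOutboundClipboardSharingLevel") not in RESTRICTED_CLIPBOARD:
        gaps.append("Restrict Copy and Paste")
    if policy.get("saveAsBlocked") is not True:
        gaps.append("Restrict Save As")
    if policy.get("managedBrowserToOpenLinksRequired") is not True:
        gaps.append("Specify a managed browser for opening web links")
    return gaps


def audit_export(policies):
    """Map each policy's display name to its list of unenforced behaviors."""
    return {p.get("displayName", "<unnamed>"): audit_policy(p) for p in policies}


if __name__ == "__main__":
    for name, gaps in audit_export(SAMPLE_EXPORT).items():
        status = "OK" if not gaps else "missing: " + ", ".join(gaps)
        print(name + " -> " + status)
```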