Microsoft Mobile Application Management (MAM): Protecting sensitive business data on mobile devices

In today's working world, mobile devices are indispensable. Employees use smartphones, tablets, and laptops to work productively from anywhere. But how can you organize this as an employer - especially in terms of security? How can you protect company data when employees use their own devices? Should employees carry around two smartphones? Or is it possible to implement "BYOD - Bring Your Own Device" without compromising security?

Every company and organization should answer these questions individually for themselves and their employees. But when it comes to security, there are no compromises to be made. Microsoft customers can rely on two proven concepts that we use at Baggenstos and which we will present in two articles: Today, we will be looking at Microsoft Mobile Application Management (MAM), i.e. the management of mobile applications. In the next blog post, we will be looking at Microsoft Mobile Device Management (MDM), i.e. the management of mobile devices.

Microsoft Intune

It’s one service that covers and manages both areas: Microsoft Intune is the cloud-based solution for managing and securing mobile devices and applications. It allows companies to manage both devices and apps to protect corporate data.

One of the key features of Intune is Microsoft Mobile Application Management (MAM). It enables the protection and management of corporate data at the app level without requiring full device management - as would be the case with Mobile Device Management (MDM).

As a rule of thumb: MAM is particularly suitable for BYOD devices (Bring Your Own Device) of employees, while MDM is intended for company-owned devices that are to be centrally managed. Both approaches allow companies to ensure that sensitive information remains protected within business-relevant apps, regardless of whether the devices are private or company-owned.

The benefits of Mobile Application Management (MAM) for companies

1. Protect corporate data without managing the device

Not all employees want to integrate their private devices into a Mobile Device Management (MDM) system. MAM allows companies to manage and protect specific apps without having access to the entire device. This also ensures the privacy of employees in all other applications.

2. Selective data control in app

With MAM, organizations can enforce policies for enterprise apps, such as:

• Preventing data leakage: Companies can control whether content from enterprise apps can be copied and pasted into personal apps.
• Encrypting enterprise data: Data in business apps remains encrypted.
• Wiping enterprise data: If an employee leaves the company, only the enterprise data can be removed from the app without wiping the entire device.

3. Unterstützung von BYOD («Bring Your Own Device»)

Many companies use BYOD strategies, where employees use their own devices for work. MAM allows for secure use of enterprise apps on these devices without compromising the privacy of employees.

How does MAM work in practice?

Microsoft Intune offers MAM policies that can be applied to Microsoft 365 apps (like Outlook, Teams, or OneDrive) and third-party apps. Administrators can centrally manage and customize these policies to meet the security requirements of the company.
Hier einige beispielhafte MAM-Richtlinien:

• Access control: Employees must log in to company apps using a PIN or biometric authentication.
• Data control: Company data can only be stored or shared in specific apps.
• Deletion on inactivity: Company data is automatically deleted if an app is not used for a certain period of time.

Baggenstos' experience with MAM

Of course, Windows laptops have always been easy to manage centrally in a Microsoft environment. However, smartphones and tablets running Android and iOS have been a challenge in the past. With the integration of Microsoft Intune, our customers can now manage and secure all endpoints, whether Windows, iOS/iPadOS, or Android (and to a limited extent, macOS) centrally. This allows them to implement security policies uniformly, manage devices and apps efficiently, and protect corporate data from unauthorized access. Our customers benefit from a comprehensive solution that offers flexible and secure device and app management.

Conclusion

Microsoft MAM is the ideal solution for companies that want to protect their data without having full control over their employees' devices. It offers the perfect balance between security and user-friendliness - a crucial factor for modern, flexible work environments.
Companies that already use Microsoft 365 or Microsoft Intune should include MAM as an important addition to their IT security strategy to effectively minimize data loss and security risks.

This is the first part of our two-part series on securely managing mobile devices and applications. The second part will focus on "Microsoft Mobile Device Management" (MDM) where the entire device is managed in the cloud.

Source and further links

• What is Microsoft Intune app management?
• Video «MDM vs MAM: What’s the Difference?» (3:56 min.) and associated Blog post about the same topic (both English) about the commonalities and the four crucial differences between MDM and MAM.