In this blog, we will focus on the device enrollment process in Intune, explain the differences between Mobile Device Management (MDM) and Mobile Application Management (MAM), and discuss the distinctions between managing corporate and personal devices.
1.Configuring MDM and MAM User Scope
let’s start with the significant prerequisite when managing our devices with Intune: the MDM scope!
Prerequisite for Windows 10 Intune Enrollment -AADJ and AADR
- Azure active directory & Intune subscription, setup, and configuration needs to be completed
- Admin User needs to be created, and appropriate License/access needs to be assigned for enrollment
- Configure MDM User scope for Auto-enrollment
As you have noticed in the prerequisites to enroll a device into Intune, the MDM scope has to be configured so that your devices can automatically enroll.
First, some background information about these scopes. When talking to customers, I sometimes feel there is some confusion about the MDM and MAM user scope. Many people think that these scopes also apply to iOS and Android devices, but that’s definitely not the case!
Please note: These scopes only apply to Windows Devices! NOT your IOS or Android devices.
So, if we need to manage our AADJ or AADR devices and enroll them into Intune, we need to configure these scopes!
1.1 MDM users scope
When you configure the MDM (Mobile Device Management) user scope, you ensure Windows AUTOMATIC Enrollment is enabled for device management with Microsoft Intune. There are three options to configure this MDM user scope.
None – MDM automatic enrollment disabled
Some – Select the Groups that can automatically enroll their Windows devices.
All – All users can automatically enroll their Windows devices
When the MDM scope is configured, Entra Joined or Entra Registered devices automatically enroll in MDM management with Microsoft Intune.
Please note: When you configure this scope to “none” it doesn’t mean you can’t enroll a device into Intune, you still can enroll the corporate device in Intune manually.
So putting all the pieces together, the MDM user scope can be used to automatically enroll devices into MDM enrollment with Microsoft Intune. You can define the scope to only a select group of users. This possibility will give you the option to perform phased Intune roll-outs.
1.2 MAM users scope
First some background information about MAM (Mobile Application Management). Intune MAM refers to a full set of features to help you to configure, secure, push/publish, monitor, and update mobile apps for your users.
When you configure the MAM Scope, users in this scope who add a Work or School Account to the device aren’t getting enrolled in Intune but will only be registered in Entra.
MAM allows you to manage and protect the corporate data within an application instead of managing the whole device. So when you configure MAM without (Intune Device) enrollment (MAM-WE), a corporate application that contains sensitive data can be managed on almost any device, including personal BYOD devices.
As an example: If you have configured Windows Information Protection (WIP), only WIP without Enrollment (MAM policy) is applied. To enable WIP without (Intune device) enrollment for Windows 10 devices, the MAM Discovery URL must be configured. If you don’t configure it, users can’t enroll into MAM management.
To be clear MAM Scope = WIP for Windows 10!
So are we going to choose MDM or MAM or maybe both? When making a choice, you will need to remember this important note below:
So, let’s transform the above text into a nice overview!
I am also mentioning if the device is corporate or not, here is why!
So, let’s take a closer look at the difference between corporate and personal devices.
2. Corporate vs Personal
Did you notice the sentence “For Corporate devices in the picture from the last part?
Let me explain what it would take to make a device corporate. The device needs to be:
- Enrolled with a Device Enrollment Manager
- Enrolled with Windows Autopilot
- The device is registered with Windows Autopilot but isn’t an MDM enrollment only option from Windows Setting
- Device IMEI number is listed in the Device Enrollment -> Corporate Device Identifiers
- Enrolled with a provisioning package
- The device enrolls through GPO or automatic enrollment from Configuration Manager for co-management.
So even when a device has performed an Entra Join and “marked” as corporate, it doesn’t mean it could enroll into Intune
Please Note: Only devices that were enrolled with a GPO, will show up as Corporate. If a user performs the enrolment manually at the device, then it will be marked as a Personal Device
And do you know what’s funny? When changing an AADR personal enrolled device to corporate, Intune would convert that device into an Autopilot device if you configured an Autopilot profile to “convert all targeted devices to autopilot “
For “Personal Devices“. So, what makes a device personal? The user adds a work or school account, becoming a workplace-joined device.
So, to be clear: You can add a user to both groups who are in the MDM AND MAM scope, but when doing so, a user with a personal BYOD will automatically be pushed to MAM, and the device will NOT be managed with Intune and will never be compliant! (Maybe that’s a good thing?)
I almost forgot to mention that you could also change the device category ourselves after enrollment.
Conclusion
In conclusion, managing devices with Intune hinges on appropriately configuring MDM and MAM user scopes. The MDM scope allows automatic enrollment of Windows devices into Intune for comprehensive management and can be configured for all users, specific groups, or disabled. Conversely, the MAM scope focuses on securing corporate data within applications, particularly useful for BYOD scenarios.
It’s essential to distinguish between corporate and personal devices. Corporate devices often require stricter controls and are typically enrolled through methods like Windows Autopilot. Personal devices are usually workplace-joined and managed at the application level via MAM.
By understanding and configuring these scopes, organizations can effectively manage devices and secure corporate data, providing both flexibility for users and robust protection for company assets.
Hey Rudy. Excellent post. I was always under the impression that the MAM scope should be set to NONE if you have MDM scope set to All Users, so that you can manage personal devices too (Auto enroll). Does anyone actually use WIP?
Anyway, I am currently facing a scenario where we want to block personal Windows devices from being enrolled into Intune (as you say it may be a good thing) using platform device type restriction in Intune that blocks Personally owned Windows (MDM) but according to Microsoft’s Documentation (https://learn.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set#blocking-personal-windows-devices), “Intune marks devices going through the following types of enrollments as corporate-owned, and blocks them from enrolling (unless registered with Autopilot) because these methods don’t offer the Intune administrator per-device control:
Automatic MDM enrollment with Microsoft Entra join during Windows setup. (So User driven OOBE)
Automatic MDM enrollment with Microsoft Entra join from Windows Settings. (user driven)”
Which means all our corporate machines, must be Autopilot machines (also not a bad thing).
What I am understanding from your post however, is that we don’t need to create this platform device type restriction, but rather switch the MAM scope to All users too so that BYOD devices do NOT MDM enroll. Is this correct?