
BYOD in the workforce: MDM and MAM with Microsoft Intune

Black Duck Editorial Staff

Mar 31, 2022 / 4 min read

According to recent research, the average household has 25 connected devices, an increase from 11 in 2019. This widespread adoption, along with a global pandemic, has changed the way we operate and communicate, both personally and professionally.

Many industries are adapting to remote work, enabled by technology that makes possible remote patient consultation and monitoring, virtual classes, and food ordering and tracking via mobile devices. Additionally, many organizations have adapted to a bring-your-own-device (BYOD) environment as workers want to perform their tasks at home and in the office seamlessly, without switching devices. This movement toward a device-dependent workforce requires security teams to take a closer look at how they’re managing and securing the data they collect and the devices they use.

Whether it’s a personal or corporate-owned device, security teams need to enforce corporate data access and productivity rules on mobile devices through mobile device management (MDM) and mobile application management (MAM).

The difference between MDM, MAM, EMM, and UEM

MDM is a way of securing mobile devices such as smartphones and tablets, whereas MAM secures the applications on those devices that are used to access organizational data, such as Outlook, SharePoint, and OneDrive. MDM software is typically designed to support one or more operating systems such as iOS and Android. It maintains a device profile, which allows companies to track, lock, secure, encrypt, and wipe the devices remotely as needed. The software also installs agents on the devices to query and fetch the device status.

Enterprise mobility management (EMM) focuses on application, content, and identity management on the devices, whereas MDM focuses solely on device security. But EMM cannot support platforms such as Windows and iOS, so unified endpoint management (UEM) was created as a centralized, multiplatform management solution that eliminates the need for multiple products. It’s important to note that the security and confidentiality of the data accessed through any of these solutions is only as good as their implementation.

MDM at work

MDM software is deployed to devices either through vendor-specific programs from the manufacturer or by manual enrollment using a token, QR code, email, or SMS. There are several MDM software options on the market, such as VMWare Workspace One, Microsoft Intune, Citrix Endpoint Management, MobileIron, and SimpleMDM. MDM software sends a set of commands to enrolled devices through APIs built into the operating systems. It collects information from enrolled devices such as hardware and software inventory, installed and configured applications, security status, and location, and it manages the applications running on the devices, allowing, blocking, or removing them depending on preconfigured settings.

Compliance restrictions from standards such as HIPAA, GDPR, and PCI are enforced through policies. Devices can be centrally managed and maintained, and policies are applied to devices in bulk. Automation makes it easier to track, encrypt, secure, and wipe the devices.

MAM at work

Devices are not required to enroll in MAM software. Corporate apps are pushed into enterprise app stores, and employees can install and download them on their BYOD devices. Apps are run in secure containers to keep personal and corporate data separate.

One significant way that MAM differs from MDM is that MAM does not need control over the device. MAM ensures that sensitive data is not sent or copied to other applications. Employees using their own devices feel more at ease with MAM, as it has less control over their entire device than MDM software does.

Microsoft Intune for MDM and MAM

Microsoft Intune is a cloud-based service focusing on MDM and MAM. It can enforce policies on devices to ensure that data does not cross organizational boundaries. It supports devices including laptops, mobile devices, and tablets, and it enforces policies and protects data whether or not a device is enrolled. One major advantage of Microsoft Intune is its integration with Azure Active Directory and Office 365 applications. When integrated with Azure Active Directory, it controls who has access and what they have access to. Office 365 applications such as Outlook, OneDrive, SharePoint, and Teams are used by many organizations, including as mobile apps on personal devices, so corporate policies must be applied consistently on those devices as well.

Security control configurations required for Microsoft Intune enrollment

There are five important security controls to configure when using Microsoft Intune.

  • Role-based access control. It is important to secure the access to the Intune admin portal and delegate access to only authorized users, such as IT admins and SCCM admins. Unless required, do not delegate a Global Admin role to users.
  • Enrollment restrictions. Intune restricts the device types that can be enrolled and the number of devices allowed per person. The maximum number of devices allowed per person is 15, but that number can be lowered to reduce the risk of enrolling unwanted or rogue devices.
  • Compliance policies. Intune can enforce compliance policies such as detection of jailbroken devices, weak passwords, unwanted applications, and operating systems that have not been updated. It is recommended to enforce these policies to make sure the devices are compliant.
  • App protection policies. Intune app protection policies make sure that any data accessed from applications is protected and not leaked. They create a container in which applications securely access the data, and they separate personal data from company data. Intune app protection policies apply to both Android and iOS apps and are a great way to implement security for MAM.
  • Conditional access. Conditional access is an Azure Active Directory feature, and it can be used to specify conditions under which access to apps or services is denied or granted. Conditional access policies, when used in conjunction with device-based and app-based compliance policies, ensure that insecure or noncompliant devices and apps are not granted access into your estate.
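As an added illustration of how the enrollment restriction, compliance policy, and conditional access controls above combine into one access decision, the following Python model is constructed for this article; it is not Intune's own code or the Microsoft Graph API, and every name, threshold, and sample device in it is an assumption.

```python
from dataclasses import dataclass

ALLOWED_PLATFORMS = {"ios", "android"}  # enrollment restriction: allowed device types
MAX_DEVICES_PER_USER = 5                # lowered from Intune's ceiling of 15

@dataclass(frozen=True)
class CompliancePolicy:
    min_os: tuple            # minimum OS version, e.g. (15, 0)
    min_password_len: int    # rejects weak passwords
    blocked_apps: frozenset  # unwanted applications

@dataclass(frozen=True)
class Device:
    user: str
    platform: str
    os_version: tuple
    password_len: int
    jailbroken: bool
    apps: frozenset

def enrollment_allowed(device, already_enrolled):
    """Enrollment restrictions: platform allow-list plus per-user device cap."""
    if device.platform not in ALLOWED_PLATFORMS:
        return False
    owned = sum(1 for d in already_enrolled if d.user == device.user)
    return owned < MAX_DEVICES_PER_USER

def compliance_findings(device, policy):
    """Compliance policy: every reason the device fails; empty means compliant."""
    findings = []
    if device.jailbroken:
        findings.append("jailbroken")
    if device.os_version < policy.min_os:
        findings.append("os-out-of-date")
    if device.password_len < policy.min_password_len:
        findings.append("weak-password")
    if device.apps & policy.blocked_apps:
        findings.append("unwanted-app")
    return findings

def access_decision(device, policy, app_protected):
    """Conditional access: grant only to compliant devices using a protected app."""
    if compliance_findings(device, policy) or not app_protected:
        return "block"
    return "grant"

# Constructed sample data (not real tenant data) so the module runs stand-alone
POLICY = CompliancePolicy((15, 0), 6, frozenset({"rogue-sync"}))
GOOD = Device("alice", "ios", (15, 4), 8, False, frozenset({"outlook"}))
BAD = Device("bob", "android", (11, 0), 4, True, frozenset({"rogue-sync"}))
```

A real deployment reads these values from the Intune and Azure AD policies rather than from constants, but the decision structure (block unless enrolled, compliant, and app-protected) is the same.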

Conclusion

MDM and MAM are important security technologies for both the remote and the BYOD workforce. Microsoft Intune can be configured to provide security controls that ensure MDM and MAM have complete coverage.

Learn how to accelerate and scale your application security testing with on-demand resources and expertise from Black Duck. Our cloud configuration services include identifying misconfigurations around Microsoft Intune and other MS-related applications.
