Intune MAM vs MDM: What's the Difference?

Hey, Matt Soseman here, and today we're going to talk about managing mobile devices and the data on mobile devices using MDM (mobile device management) and mobile application management with Microsoft Intune. But before we get started: you're watching Soseman Productive Cloud, the best source to help you stay up to date on Microsoft productivity and security tools and be a rockstar in your IT career. And also, please take a moment and subscribe to this channel and click that bell icon so you get notified whenever I upload a new video.

Well, hey, let's jump into Microsoft Intune and take a look at this. So what is Microsoft Intune anyway? Well, it allows you to manage mobile devices, and even Windows 10 computers and Mac computers as well, in addition to managing mobile applications on mobile devices. Now, it's part of Microsoft 365, and Microsoft Intune can do many different things, but for the scope of this video we're just going to talk about mobile device management and mobile application management. But before we get started, let's take a quick look at the documentation first. Now, as you see in some other videos, like the Autopilot videos for Windows, that uses Microsoft Intune, and Microsoft Intune does a lot of different things, and here you can see on this website some of the different things that it does do. But what I do want to do is call your attention to the technical documentation when it comes to deploying these products, especially Intune, and configuring it. I really don't want you to have to reinvent the wheel and try to go through this on your own. Please follow the documentation; it's actually quite good. It'll walk you through everything from what's new in Intune and all the new features, all the way down to how-to guides: so how to actually set this thing up, how to enroll devices, how to manage devices, how to manage those apps. We're going to talk through all this in this video, but please check out the documentation; it could really help you. I'll put a link down in the description so you can get easy access to this.

Okay, let's go ahead and jump into the Intune portal and talk about how to configure this. Okay, so here we are inside the Microsoft Azure portal, and we clicked on Intune and we're inside the Intune administration pane here, or blade, as we call it. And so for mobile application management, let's start there first. I'm going to click on Client apps. Now, to configure this, obviously I'm going to use the Intune portal here in Azure, and then once I click on Client apps, I'm going to then click on App protection policies, and here you can see I already have some policies built out. So let me show you a policy here I've already created for iOS apps. And if I go to General here, you can see whether or not I want to target this to all app types, and you can read more about what that means. Now if I click on Assignments, this is how I assign it to groups of users. So the protection policy does not actually go into effect until it's been assigned to a group of users, so if this is not working for you, make sure you have it assigned to that group. Here you can see I have it assigned to a security group for sales and marketing. Now I can drop this down here and choose excluded groups as well, so maybe VIPs in the company, but I'll let you play with that on your own. Targeted apps: this is where I target this policy to which apps. So here you can see, rather, I have it being applied to many different apps. Now what I want to show you here is Microsoft Outlook, and so we do have it being assigned there, and also to Microsoft Teams, so in the demo here in just a moment I'll show you what this looks like. When I go into Properties, this is where I go to configure the protection policy of the app. And so if I click on Data protection, we could start here by blocking backups to iTunes and iCloud. Now this is not for the device; this is just for the app. Again, this is perfect for personal devices, and it really simplifies the way you handle this. Now under "send org data" and "receive org data", this is where I could do things like being able to prevent data from leaving this app, so by clicking that share icon, and then "receive data" is where I can prevent other apps from sending data to this app, so again when you click that share icon from a third-party app and try to get it into something like Outlook. And so here you can see I have a policy, managed apps, set to "open in" and share filtering, and so I'll show you what that means here in just a moment, and there's many different options you can choose from here. I do have an exemption, so maybe if I email you an address to a restaurant and you want to copy that address out and paste it into your GPS application, we could do that here, although do that at your own risk, because that means I could copy any data out of Outlook and paste it into my GPS application, so be careful with that. Restrict cut, copy, paste: I could do that as well, and so we're gonna keep that as blocked here for now, and I could do a character limitation and all sorts of fun stuff: require encryption in the app, maybe disable contact sync here with the device itself, and then prevent printing from the app, and a few other things. Once I have my data protection policy configured, I'm going to come into Access requirements, and then from here I'm gonna configure how I want the user to actually access the app. Well, I can actually assign a PIN, so when they launch the app they have to unlock the app with a PIN. Now this is not for the device, only for the app. Here I could choose to do an alphanumeric PIN, a passcode, number of digits; I can even require their full credentials here to be entered to unlock it. But here I could also disable biometrics, which I think is pretty interesting as well. I can figure out some pretty interesting use cases here for disabling biometrics, but I love this because I can allow a passcode only for my app, because after all there might be sensitive data in my company app. So this is where I go to configure that.

Once I get done with that, I click on Conditional launch, and this is where I can specify how I want this app to be launched. So if they type in that passcode wrong, then I can have it reset, or I could have it wipe the data out of the app, not the device. I could have it also block access after a minute, or however a period of time, when it's been offline, or if it's been offline, let's say, for three days, next time they go to open that app, just wipe the data. And that way if it gets lost or stolen or what have you, we're protected there. Under Device conditions, this is pretty cool: I have it set to jailbroken and rooted devices, so if the device has been jailbroken or rooted, the app will check for that, and in this case it's gonna block access to the app. That's pretty cool. And then I can configure this here also on minimum OS versions, and I can even scope it down to a model of a device. So once I have my policy configured here and everything assigned to my end users, it's now time to test. So let's flip over there to that iOS device and I'll show you what this looks like.

Okay, let's take a look at the mobile application management protection policy in action here. So I'm going to tap on the Outlook app. Now this is my personal device; my company does not own it. And here you can see I have a personal email account tied to this, so just to prove to you here, this is a personal email account. Now if I come in here and tap on the home screen and choose... and I also have a Gmail account added here as well. If I choose to add a new email account, we're gonna add an email account and we're going to go ahead and log in here with our corporate credentials (whoops, if I can spell; there we go), and then we're gonna use Microsoft Authenticator here to authenticate my identity, and then now the account has been added. Now look what happens: it prompts me and says your organization is protecting data in this app, you've got to restart it to continue. And so that's the app protection policy in Intune kicking in. So we're gonna tap on OK, it kicks us out, and then we tap on Outlook again and now it's gonna let us in. Now when I do this there's that policy kicking in: there's a PIN that we required. So I already configured a PIN for Word, that's also installed on the device, so I'll just use that same PIN to unlock Outlook. That's super secret here, so don't tell anybody. And then once I'm in the app there's one more change we need to make here, so let's go ahead and tap on OK and then relaunch the app. Now once I'm in the app, you'll start to see my Office 365 account be pulled down, and there's my mailbox. So let's scroll down here, let's find an email with an attachment in it. So here's one from Alex, and let's go ahead and open up that email attachment, and of course it's in preview mode; I can work with it here. But let's take that data in this attachment in Outlook and let's try to exfiltrate it. So I'm going to tap on Copy here after I highlight it, and let's go into an app that my company does not control. Well, my company does not control the Reminders app, and so I'm gonna go ahead and tap on a new reminder here and then we're gonna paste that data into the Reminders app. So let's go ahead and paste: stopped in my tracks. Notice it says organization's data cannot be pasted here. I don't have a choice; I cannot cut or copy and paste that data out of Outlook or a managed app. It's stuck in the app. So let's take this a step further. Let's tap on the share icon up here and let's choose "share file via". Notice I can't send it to a third-party app; it's all blanked out here. If I tap on More, I can only send it to a managed app, so in this case Outlook. If I tap Open in, I can open in Word, that's a managed app; if I tap on More, I don't have any other options here except for Teams, that's a managed app. But any of those third-party apps that are personal, I can't put the data in that app. So there's no way to get the data out of Outlook; that's the point. So if I tap on Share again, let's choose "save to account" here. Let's try to exfiltrate this Word document, so I'm gonna try to put it into my personal Google account, my Google Drive, right? So let's go ahead and tap on Google: boom, stopped in my tracks. Save not allowed; your corporate policy does not allow you to save files to this location. I can't get it out, and notice local storage is also not listed, only OneDrive; that's the approved location. So as you can see, folks, there's no way for me to get the data out of this managed app. Now I can't stop you from taking a photo of it, right, but you can take a screenshot, but now we might want to talk about managing the entire device using mobile device management versus just mobile application management. Now on Android devices I can configure a policy with MAM to prevent it from allowing screenshots, but that's another story; we could talk about that more later, or you could read in the documentation. Okay, so that's a high-level overview of mobile application management. Now let's take a look at mobile device management.

Okay, so let's talk about mobile device management. But actually, you know what, before we do, I want to address one thing, because I'm sure some of you are wondering what it's like when I want to wipe only the corporate data out of that managed app and leave the personal data alone. Well, let me show you what I'm talking about here. So let's take a look at Microsoft Intune and go into the Client apps blade, and then from here I'm going to click on App selective wipe, and I'm gonna create a new wipe request and go ahead and choose my user here and choose Select. Then we're gonna choose the device; now she has multiple devices, so we're just gonna choose both and click on Select and then click on Create, and then it's going to create that request. So let's give this about fifteen to thirty minutes or so, and then we will check the device and we'll see if it's actually wiped the data or not off of the Outlook app or any other managed app. So let's give this a few moments and come back.

Okay, let's take a look at wiping the corporate data off of just the managed apps. So we're going to log into Outlook here and tap on it, and when it launches it's going to ask me for my passcode. But look what's happening: it's checking my organization's data requirements for the app, and this is where that selective wipe command was sent from Intune. So give this just a moment. There it is: your organization has removed its data associated with the app; to continue you must restart the app; to reconnect your organization, just sign back in. So at this point the data is actually removed from the app and the app's taken back to the factory defaults. And so if I tap on OK it exits, and let's launch Outlook again, and that's odd, yeah, you're not supposed to see that, but there you go. And so now there's my personal email account; it's still there, it's still intact. If I tap on the home icon here, there's my Gmail account as well; that's still there, my personal email is there, but yet my corporate data has been removed and that corporate account has been removed. I apologize, I don't know what that one message was; I think that was just kind of left over from the selective wipe there. But as you could see, the user impact for this is minimal. So if I was terminated from the company, or I just wanted to stop getting email on my phone, that wipe can be sent, and then it only wipes the data from my Azure Active Directory corporate credentials and nothing else. And so obviously Office 365 is Azure AD, and it would wipe that data; everything else stays. Yeah, same thing with Word or OneDrive or any of these other Microsoft apps. So that's what the selective wipe looks like inside mobile application management. Now let's take a look at mobile device management.

Okay, now let's talk about mobile device management. Now just a quick caution: I could literally spend all day talking about this, and maybe even a few days, because there's so much to it. So I'm just going to kind of breeze through this at a high level, give you an idea and kind of inspire you around the art of the possible, and then we'll take a look at a demo of what the experience is like enrolling a device into an MDM. So let's take a look at the admin portal here for a moment, and we're gonna go into Intune, we're gonna click on Device enrollment. And so in order to enroll my iOS or Android device into Intune, I have to configure enrollment. So let's go ahead and do this for Apple devices. And so the first thing I need to do is create a push certificate. Now this is really easy to do: I walk through this wizard here in the blade, and it will have me actually go out to Apple's website, generate that CSR, and then here I can download it and then go out and actually create the certificate and then upload that certificate here. Now once I upload the certificate, I'm now able to manage iOS devices and Apple devices. Now notice there are some bulk enrollment methods: I can use the Apple Device Enrollment Program or the Apple Configurator tool, and these are great for, like, educational institutions, or if I need to do multiple devices at the same time. But in this case we're talking just about personal devices that maybe employees want to enroll in MDM so they can get access to their corporate resources. So we're gonna ignore some of these bulk enrollment methods for now, but in another video we'll go through those. Now I could also go through and configure a compliance policy. So once it's enrolled, how do I make sure it stays enrolled and stays compliant? Well, I can create a policy here for my devices, and notice I have multiple OSes here I could choose from, and I can go ahead and create a policy that says require it to have a managed email profile, as an example. But my favorite ones are: block jailbroken devices; if I'm using a third-party threat protection provider, I can also configure that integration and then choose which level I want to have that set to, so that way if the device does get malware on it, it places it out of compliance and it automatically loses access to all their corporate applications and resources. If I go to Device properties here, I could specify the minimum OS version. I'm actually starting to see this used quite a bit, especially with Android devices and even with iOS devices, and some of the latest security patches out there, like Spectre and Meltdown; I'm starting to see companies starting to use this, and even with Android devices, prevent them from installing, you know, custom ROMs or anything like that. And if I go to System security, this is where I can require a passcode to actually unlock the device, and then I can choose which apps are actually going to be restricted, and then if any of these settings in here get changed, then it will automatically place the device out of compliance, and then as part of it going out of compliance, it loses access to corporate resources. I'll show you what that looks like here in just a few moments. But that's the compliance policy, and then once I create the compliance policy, now I need to go through and configure my actual configuration policy: how do I want these devices to behave? So I click on Profiles; here you can see I have a lot of profiles for Windows, but let's create a profile for iOS. Now this does require the question of what are you trying to accomplish by doing MDM. So maybe you want to push out a VPN client, maybe you want to configure an email profile, maybe you want to push out certificates, configure Wi-Fi on those devices, maybe I want to restrict how the device behaves, maybe disable screenshots, turn it into kiosk mode, disable some of the built-in apps. Whatever you want to do, to your heart's content, it's possible here with Intune and MDM. So if we go back a few blades, once we have those device configuration profiles configured, I can then go out and push applications to the device. So once it gets enrolled, I could push an application, and so here if I come in and choose either Add, add a new app from one of the app stores or a custom line-of-business app, or I can choose an existing app like Outlook. If I go to Assignments, this is where I can choose how I want that app to be assigned; this is where you go to push it out. And so if I click on Add group and choose Assignment type, this is where I could say Required, and then when the device gets enrolled it also pushes the app; when the device gets unenrolled it removes the app. Simple as that. And then you do have some other options here based on your flexibility. In a nutshell, folks, this is MDM inside Microsoft Intune. Now, I'm not doing it justice, okay, so there's a lot more to it, and in future videos I'll go through some more of this with you. But once we get the enrollment policy set up, we have a compliance policy set up, we have some configuration properties here set, then it's time to start testing. So let's take a few moments and look at the experience of an end user enrolling into MDM through Company Portal, and then from there I'll show you what the unenrollment experience looks like. So let's take a look.

Okay, let's take a look at mobile device management. So on my device here I've downloaded and installed the Company Portal app. Now this is just one way out of other ways to be able to enroll a device in MDM; this is common for end users where this might be their personal device and they want to get it enrolled. So I've installed the Company Portal app and I've logged in, and when I tap on Devices here, in just a moment it's gonna check to see if my device is managed, and it knows now that it's not managed, and so it's gonna walk me through the process of enrolling it. So when I tap on Begin, now this is really important, it's gonna tell the end user what their company can see and not see. There's not a way in Intune for me to look up call or web history and personal data, so it's really important that we surface this to the end user to help build that trust between them and IT. Now we can see model and serial number and apps that are installed and the OS details and that sort of thing, but not personal data. So if I tap on Continue here, it's now going to download the management profile that is required to manage the device within Intune. So give this just a moment here to download and we will start to install it after that. Okay, now that it's downloaded, let's go ahead and go into Settings and pull up Profile under General, and there's a management profile. So if we tap on it and choose to install, type in our super secret passcode here, and install that management profile, it's gonna go through and install it and it's going to enroll into a certificate so it can be managed by Intune. Now this is generic for the iOS SDK here that we use, so it does say that the administrator can collect personal data; Intune can't, so just to call that out there for you. But if I tap on Install, tap on Trust, now it's going to enroll the device into MDM. Now that it's enrolled in the certificate and the management profile has been installed, let's go back to Company Portal and tap on Continue, and what it's gonna do next is check the device against that compliance policy that I talked about, and then it's also going to ask me: is this my own device or is this a corporate-owned device? I'm just gonna choose Personal and choose Continue. And so here you can see the other devices that are being managed by Intune, and look at that, now it's pushing out an application. And so Word is already installed, so now it's just asking me to take control of Word; I'm gonna tap on Manage. It's gonna push out PowerPoint, so I tap on Install, and I think there's a couple other apps we may be pushing out here as well that it may ask for. But here's those other machines that Intune is also managing; now this is my lab, that's why you see a bunch of virtual machines here. Now that I'm enrolled into Intune, I have access to the Company Portal app; you can see support information is here, I do have kind of a company app store there to install line-of-business apps, I have some notifications here to let me know what's going on, and at that point my device is now being managed by Intune. Now if I wanted to restrict screenshots or turn off the camera or anything like that, of course I could do that with that MDM profile, that configuration profile. Now to unenroll the device, I could do one of two things: I can either go into General in Settings there and remove that profile, or I can go into Company Portal, tap on Devices, open up the device here (I can see it's in compliance), but if I tap on the ellipsis and I choose Remove device, it's now going to unenroll it, and then you'll see in just a moment that any apps that were installed are now deleted. So you can see there PowerPoint's now deleted, and Outlook stays because that was there to begin with, my personal email. And if I go to Settings here, notice the profile, it's gone. So now my device is unenrolled and then it's back to just being my personal device. So that's a little bit about MDM in Microsoft Intune.

Well, that's all the time we have for today. I hope you enjoyed this video on the differences between Intune mobile device management versus Intune mobile application management. Just remember: MDM is for controlling the entire device and pushing apps and VPN and Wi-Fi configurations, restrictions, and MAM is for controlling just the app and the data in your app and not the whole device. So we'll have some additional videos that we'll link to down in the description around what else you could do within Intune for mobile devices, such as conditional access, so stay tuned. If you have any questions or comments, let me know down below on the YouTube channel here, and we'll catch you all later. Thank you, have a great day.
Channel: Matt Soseman
Views: 18,656
Keywords: intune, microsoft, mdm, mam, mobile device management, app, app protection policy, enrollment, enroll, azure, active directory, ad, azure ad, azure active directory, outlook, teams, managing data, wipe, matt soseman, compliance, security, cyber, cyber security, protecting devices, iphone, ipad, ios, android, windows, mac, apple, office, office 365, o365, microsoft 365, m365, 365
Id: 8BvFqXM8J3o
Length: 23min 24sec (1404 seconds)
Published: Sat Jun 29 2019