MAM and Intune: Sandboxing Corporate Data

In line with the rest of Microsoft's products, Intune is designed to protect corporate data while keeping users productive. Here we focus specifically on mobile devices and their apps. Intune is the component of Microsoft's Enterprise Mobility + Security (EMS) suite that covers this area. Let's look at the difference between mobile device management (MDM) and mobile application management (MAM) with Intune, and in particular at how corporate and personal data are kept apart on the device. You can learn more about Intune and MAM on Microsoft's website as well.

Mobile Device Management (MDM) and Intune


Intune uses the protocols or APIs available in each mobile operating system for device-oriented tasks. These include:

  • Enrolling and creating an inventory of devices
  • Configuring devices to meet configuration standards and compliance policies
  • Providing certificates and Wi-Fi/VPN profiles for corporate access
  • Removing corporate data from devices

Mobile App Management (MAM) and Intune


App management, on the other hand, covers tasks at the level of the individual app rather than the device:

  • Assigning employees mobile apps
  • Configuring apps with standard settings
  • Controlling and sandboxing the use of corporate data
  • Removing corporate data from apps
  • Keeping apps updated
  • Tracking app usage and reporting on inventory

Isolation of Corporate and Personal Data

One of the things I want to point out here is the useful method of isolating, or "sandboxing", corporate data from personal data. This keeps a user's personal data out of IT's reach and protects the user's privacy: with Intune MAM policies, IT can wipe corporate data from a managed app but cannot see or delete your personal photos.


Screenshot of Intune MAM protection policies.


Likewise, app protection policies can restrict how corporate data is used (for example, by blocking cut/copy/paste into unmanaged apps, Save As to personal storage, or backup to a personal cloud) and can remove corporate data from the app when necessary (a selective wipe, also called a corporate wipe). The separation is done per identity rather than per device: the app, through the Intune App SDK built into it, applies the policy to data accessed under the Azure AD work account and leaves data under a personal account in the same app alone.
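The data-loss controls above map directly onto settings of an Intune app protection policy. The following PowerShell, added here as an example rather than code from the article or from Microsoft, builds a permissive policy next to a hardened one, checks each for the weak settings a reviewer would look for, and (only when asked to) creates the hardened policy through Microsoft Graph and targets it at Outlook and OneDrive. It assumes the Microsoft.Graph module is installed and the signed-in admin holds DeviceManagementApps.ReadWrite.All; the policy names, the 30-day offline wipe period and the choice of bundle IDs are illustrative assumptions.

```powershell
# Added example (not from the original article or from Microsoft's own samples).
# Assumptions: Microsoft.Graph module installed; admin consented to
# DeviceManagementApps.ReadWrite.All; policy names and periods are illustrative.

# A weak starting point: corporate data can leave the app via clipboard,
# Save As, backup, and without any work sign-in.
$weak = @{
    '@odata.type'                           = '#microsoft.graph.iosManagedAppProtection'
    displayName                             = 'iOS MAM - permissive (do not deploy)'
    allowedInboundDataTransferSources       = 'allApps'
    allowedOutboundDataTransferDestinations = 'allApps'
    allowedOutboundClipboardSharingLevel    = 'allApps'
    saveAsBlocked                           = $false
    dataBackupBlocked                       = $false
    organizationalCredentialsRequired       = $false
    pinRequired                             = $false
}

# The hardened policy the article describes: data moves only between
# policy-managed apps, Save As and backup are blocked, access requires the
# work account plus an app PIN, and data is wiped after 30 days offline.
$hardened = $weak.Clone()
$hardened.displayName                             = 'iOS MAM - baseline'
$hardened.allowedInboundDataTransferSources       = 'managedApps'
$hardened.allowedOutboundDataTransferDestinations = 'managedApps'
$hardened.allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
$hardened.saveAsBlocked                           = $true
$hardened.dataBackupBlocked                       = $true
$hardened.organizationalCredentialsRequired       = $true
$hardened.pinRequired                             = $true
$hardened.periodOfflineBeforeAccessCheck          = 'PT12H'   # ISO 8601 duration
$hardened.periodOfflineBeforeWipeIsEnforced       = 'P30D'

# Offline check: returns the list of weak settings found (empty = acceptable).
function Test-MamPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    $findings = @()
    if ($Policy.allowedOutboundDataTransferDestinations -eq 'allApps') {
        $findings += 'Corporate data can be sent to any app (Open In / Share)'
    }
    if ($Policy.allowedOutboundClipboardSharingLevel -eq 'allApps') {
        $findings += 'Clipboard copy into unmanaged apps is allowed'
    }
    if (-not $Policy.saveAsBlocked)  { $findings += 'Save As to unmanaged storage is allowed' }
    if (-not $Policy.dataBackupBlocked) { $findings += 'Backup of app data to personal cloud is allowed' }
    if (-not $Policy.organizationalCredentialsRequired) {
        $findings += 'Work account sign-in is not required before corporate data is shown'
    }
    if (-not $Policy.periodOfflineBeforeWipeIsEnforced) {
        $findings += 'No offline wipe period: data persists forever if the device never checks in'
    }
    return $findings
}

# Online step: create the policy and target it at the apps that must enforce it.
# Uses the Graph endpoints for iosManagedAppProtections and its targetApps action;
# bundle IDs are those of Outlook and OneDrive for iOS (assumed targets).
function Publish-MamPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All' | Out-Null
    $base = 'https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections'
    $created = Invoke-MgGraphRequest -Method POST -Uri $base `
        -Body ($Policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'
    $apps = @{
        apps = @(
            @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = 'com.microsoft.Office.Outlook' } },
            @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = 'com.microsoft.skydrive' } }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/targetApps" `
        -Body ($apps | ConvertTo-Json -Depth 5) -ContentType 'application/json'
    return $created.id
}

# Review both policies offline before anything touches the tenant.
"Weak policy findings:";     Test-MamPolicy -Policy $weak
"Hardened policy findings:"; Test-MamPolicy -Policy $hardened   # expected: none

# Uncomment to create the hardened policy in the tenant:
# $policyId = Publish-MamPolicy -Policy $hardened
```

The check runs entirely offline, so it can sit in a pipeline that reviews policy definitions before they are pushed. Note that the offline wipe period is the automatic form of selective wipe; an admin-initiated selective wipe of a specific user's app data is issued from the Intune admin center and is not shown here.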

Closing Thoughts on MAM with Intune


Diagram of services that integrate with Microsoft Intune for Mobile Device and Application management.


If you want to let users securely access corporate data on personal devices without enrolling those devices, then MAM with Intune is the solution you've been looking for. Users keep their personal identity on the device and sign in to managed apps with their work account, which creates a policy-protected area for corporate data.

MAM policies apply only to apps that support Intune app protection (apps built with the Intune App SDK or wrapped with the App Wrapping Tool) and that IT has targeted with a policy. Apps such as Outlook and OneDrive are multi-identity, so a work account and a personal account can coexist in the same app. When a selective wipe is sent from Intune, only the work account's data is removed. It's mobile management that makes sense and works well for personal devices.

For a different kind of data management—one where you want to consolidate rather than sandbox—see our article on streamlining and improving your view of your company’s customers.
