As mobile devices (which include laptops, Macs, iPads and Android devices) have become an increasing security risk, many companies have explored different ways of managing them. Mobile Device Management (MDM) has become a standard method of securing mobile endpoints -- but it has several failings, especially when it comes to modern security threats. Mobile Application Management (MAM) is a newer approach to securing mobile devices, and one that often yields far superior results.

MDM vs. MAM: How Are They Different?

An MDM (Mobile Device Management) solution secures the device itself. Often, an employee or contractor will have an "agent" or application that lives on their device, ensuring that it is updated with the most up-to-date security information. On the cloud or server-side, the company will be able to connect with these agents and ensure that they are working as they should. The organization's Azure Intune Tenant or security server will be notified if a device appears to have fallen out of date or been breached and will be able to revoke authorization to that device until the issue has been resolved.

A MAM (Mobile Application Management) solution secures the application that is used to access corporate data. Rather than installing something on the device itself, the cloud or server that provides company-related information and authenticates users is secured on the cloud or server-side. Users will need to go through an authentication process to even connect to data, and none of the data will ever be hosted on the device itself.

Why a MAM Solution is Better

When it comes to MDM vs. MAM, MAM solutions are more advanced in a few ways:

Better control over corporate data. When corporate data is downloaded to a native device -- such as through email inboxes or instant messaging services -- it automatically becomes as vulnerable as that device. MAM prevents corporate data from ever leaving the organizational boundaries.

The separation between personal and private data. For an employee, the ability to keep their data on their device while still safely accessing corporate data is essential. With an MDM solution, an employee could find their device bricked or wiped for security issues. This will not happen with MAM.

Adherence to regulatory standards. Many new regulatory standards -- especially in Asia, Europe, and North America -- require that employers not exert a substantial amount of control over an employee's device. Many MDM solutions will run afoul of this, while MAM solutions will not.

A reduced amount of IT work. IT professionals under an MDM solution need to manage and maintain not only their servers but also the status of the endpoint devices. With a MAM solution, IT professionals need only concern themselves with the security of their business data.

So how do you deploy MAM solution?

Microsoft Intune MAM supports two configurations:

• Intune MDM + MAM: IT administrators can only manage apps using MAM and app protection policies on devices that are enrolled with Intune mobile device management (MDM). To manage apps using MDM + MAM, customers should use the Intune console in the Azure portal at https://portal.azure.com.

• MAM without device enrollment: MAM without device enrollment, or MAM-WE, allows IT, administrators, to manage apps using MAM and app protection policies on devices not enrolled with Intune MDM. This means apps can be managed by Intune on devices enrolled with third-party EMM providers. To manage apps using MAM-WE, customers should use the Intune console in the Azure portal at https://portal.azure.com. Also, apps can be managed by Intune on devices enrolled with third-party Enterprise Mobility Management (EMM) providers or not enrolled with an MDM at all.

App protection policies

App protection policies are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data or a set of actions that are prohibited or monitored when the user is inside the app.

Examples of app protection policies? See the Android app protection policy settings and iOS app protection policy settings for detailed information on each app protection policy setting.

Is it possible to have both MDM and MAM policies applied to the same user at the same time, for different devices? For example, if a user could be able to access their work resources from their MAM-enabled machine, but also come to work and use an Intune MDM-managed device. Are there any caveats to this idea?

If you apply a MAM policy to the user without setting the device state, the user will get the MAM policy on both the BYOD device and the Intune-managed device.

You can also apply a MAM policy based on the managed state. So, when you create an app protection policy, next to Target to all app types, you'd select No. Then do any of the following:

• Apply a less strict MAM policy to Intune managed devices and apply a more restrictive MAM policy to non-MDM-enrolled devices.

• Apply a MAM policy to unenrolled devices only.

For more information, see How to monitor app protection policies

For additional details, see https://docs.microsoft.com/en-us/intune/apps/mam-faq