How to use Intune app protection without MDM enrollment

Intune app protection allows IT admins to control devices without enrolling them in an MDM or UEM platform. Here's what IT pros can do with the feature.

BYOD organizations don't always need to enroll their devices in a mobile device management or unified endpoint management platform. In those cases, Microsoft Intune app protection can fill the need.

When organizations force BYOD endpoints to enroll in mobile device management (MDM), the users may find other ways to be productive or just refrain from using their personal device for work purposes. Intune app protection secures the enterprise apps and data, while ensuring devices still have the capabilities end users need.

Intune app protection without MDM enrollment

App protection in Intune can manage apps that support the Intune SDK without the need for MDM on the device. Instead, IT can secure personal devices with app protection mobile application management policies.

IT pros, for example, can prohibit end users from sharing or copying corporate data to personal apps. IT can also lock down the app with a PIN, fingerprint or corporate identity and control how complex the PIN needs to be. IT can see a complete list of options for Apple iOS and Google Android.

App protection policies can control a number of Microsoft apps that natively support the Intune SDK. Most of these apps are available for both iOS and Android, but a few are currently available for only one OS.

Figure: Supported apps. Microsoft and third-party apps that IT can control with Intune app protection.

IT pros can use app protection policies to protect the corporate data in an app using an Intune feature called multi-identity. This enables multiple accounts -- such as a corporate policy-managed account and a personal account -- to coexist within one app. In Microsoft Outlook for Android and iOS, for example, IT can configure private email accounts and corporate email accounts. Microsoft Intune manages only the corporate email account.

A variety of third-party vendors are starting to adopt the Microsoft Intune SDK, as well. IT can integrate the Intune SDK into line-of-business (LOB) apps manually or through app wrapping. Wrapping the LOB app allows IT to manage an entire app without enrollment, but wrapping does not support multi-identity apps.

Conditional access

When using app protection without MDM enrollment, IT must use conditional access -- which is a feature of Azure Active Directory -- to make sure users are only using the Intune managed apps instead of, for example, the native mail app of Android or iOS. Rather than check whether a device is compliant, IT can use conditional access to check whether the client app is approved.

Figure: App protection policy. IT can require the app protection policy to be enabled.

IT can check against a list of approved Microsoft apps to make sure the app is trusted.

Intune recently added the ability for IT to require the app protection policy before users can access the app and its data, although this feature is still in preview and only available for the Microsoft OneDrive and Outlook apps. There could be multiple reasons that an app protection policy is not active, however, including a lack of Intune licenses, timeouts or a lack of app protection policy targeting.
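
As an added illustration (not taken from the original article), the two grant controls described above can be written as a conditional access policy body for the Microsoft Graph endpoint `POST /identity/conditionalAccess/policies`. The display name, the group ID placeholder, the Office 365 scope, the `OR` operator and the report-only state are assumptions chosen for this sketch; `approvedApplication` corresponds to the approved client app check and `compliantApplication` to the app protection policy requirement.

```json
{
  "displayName": "EXAMPLE - BYOD mobile: approved app or app protection policy",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeGroups": ["<placeholder-object-id-of-pilot-group>"]
    },
    "applications": {
      "includeApplications": ["Office365"]
    },
    "platforms": {
      "includePlatforms": ["android", "iOS"]
    },
    "clientAppTypes": ["mobileAppsAndDesktopClients"]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["approvedApplication", "compliantApplication"]
  }
}
```

Starting in report-only state lets IT review sign-in logs for users who would be blocked, for example because of a missing Intune license or policy assignment, before switching `state` to `enabled`.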
