Understanding MDM vs. MAM in Microsoft Intune

Microsoft Intune supports MDM and MAM, two distinct approaches to managing devices and protecting data across corporate-owned and BYOD environments.

Today, IT is expected to support users who work from anywhere, at any time and on any device. That flexibility, however, must be balanced with strong security measures to ensure corporate data is always protected.

To provide this balance, IT administrators rely on tools such as mobile device management (MDM) and mobile application management (MAM). MDM governs the entire device, while MAM controls only specific applications.

Using MDM and MAM in Microsoft Intune

Intune, Microsoft's unified endpoint management tool, supports both MDM and MAM and is often used by organizations invested in the Microsoft ecosystem, particularly those that use Windows devices and support BYOD. MDM provides comprehensive device management across Windows, macOS, iOS/iPadOS and Android, with limited support for Linux. MAM, by comparison, is primarily supported on iOS/iPadOS and Android, with limited functionality on Windows, primarily in Microsoft Edge. This difference in platform support highlights a core distinction between MDM and MAM: MDM provides broad device-level management, whereas MAM offers app-specific management, primarily on mobile platforms.

Using Intune for MDM

MDM is most commonly used for corporate-owned devices issued for business use, where the organization controls both the device and its data. Platform-specific provisioning tools such as Android Zero Touch, Apple Business Manager or Windows Autopilot can be used to automatically configure devices during initial setup.

During enrollment, IT applies the required security policies, installs corporate apps and enforces standard device configurations. Once enrollment is complete, the device is ready for use with full access to corporate resources. The device remains managed by Intune, and IT admins continue to update configurations, deploy apps and perform remote actions, such as locking or wiping the device if it is lost or stolen. For the user, setup typically involves signing in with their work account and following the on-screen prompts.

Using Intune for MAM

MAM is commonly used in BYOD scenarios, where organizations apply controls only to the specific apps that access corporate data, such as email clients, browsers and other applications, rather than managing the entire device.

Users can enable MAM by signing in to a supported app with their work account, which enrolls the app in Intune. IT can then enforce policies such as data protection, access controls and configuration settings within that app. These controls apply only to the user's work account and associated data; personal accounts and data within the same app remain unaffected.

Once configured, the app provides secure access to corporate data. IT admins can manage and update app policies and perform remote actions, including selectively removing corporate data from the app, if necessary. Setup is limited to the user signing in and following the on-screen instructions.

Differences between MDM and MAM in Microsoft Intune

Both MDM and MAM are designed to protect corporate data, but they differ significantly in how they are used and implemented within Intune.

The biggest difference between MDM and MAM is the management scope. MDM applies to the entire device, whereas MAM is limited to specific apps and the user's work account within those apps. Because of this, each approach applies security controls differently, resulting in distinct user experiences.

With MDM, IT provides the user with a fully managed device experience. Devices are configured with network settings, security policies and required apps, enabling users to quickly access the tools they need to work productively and securely.

With MAM, IT provides a managed application experience rather than full device control. Supported apps are configured to enable users to securely access corporate data while enforcing policies on data sharing and authentication. Although this limits how data can be used outside of the app, it creates a streamlined user experience.

Organizations can also combine MDM and MAM on the same device to provide layered protection of corporate data. Even on fully managed devices, certain apps can pose data-sharing risks. In this case, MAM can provide an additional data protection layer, controlling how corporate data is accessed, stored and shared within those applications.

Choosing between MDM and MAM in Intune

Deciding whether to use MDM or MAM in Intune depends on several factors, with device ownership often being the most important. For personal, employee-owned devices, organizations might not be able to manage users' devices due to privacy considerations or regulatory constraints. MDM can provide visibility into device activity and permit actions such as a full device wipe, which might include personal data. In these cases, MAM might be more appropriate, as it lets users remain productive while allowing the organization to control and protect corporate data without managing the entire device.

Corporate-owned devices, by contrast, are typically managed with MDM, which provides IT with full control over device configurations, security and lifecycle management. This also ensures devices can be reassigned after an employee leaves the organization.

Business requirements can also influence the decision between MDM and MAM. Some cases require secure connectivity to corporate networks or support for specific apps, which might necessitate full device management. In those cases, organizations typically prefer to issue corporate-owned devices. When that is not possible, some platforms support MDM-based separation between personal and work profiles.

Peter van der Woude works as a mobility consultant and knows the ins and outs of the ConfigMgr and Microsoft Intune tools. He is a Microsoft MVP and a Windows expert.