In this post I will discuss the difference between the MDM user scope and the MAM user scope. At first they look quite confusing, and they can conflict with the settings we want for personally owned devices (BYOD, Bring Your Own Device) versus corporate-owned devices.
To understand the seamless Intune enrollment process, we need to understand the difference between the MDM user scope and the MAM user scope.
In a nutshell: the MDM user scope (Mobile Device Management) is used for device enrollment, specifically for corporate devices that are Azure AD joined or hybrid Azure AD joined, while the MAM user scope (Mobile Application Management) is used for BYOD devices, to which it applies Windows Information Protection (WIP) policies. This doesn't mean that a BYOD device can't be enrolled; it certainly can, but we should not do it for personal devices because we don't want to manage personal devices. If you disable the MAM user scope while the MDM user scope is enabled, BYOD devices will also get enrolled, making them lightly managed. To be precise, we should enable both the MDM and MAM user scopes if we have a combination of corporate and personal devices.
Let's look at each setting individually first, and then combine them to see the impact on devices.
What is MDM user scope
Mobile Device Management (MDM) user scope is used to enroll the device in Intune, after which it can be fully managed. This setting defines which users are allowed to enroll devices into Intune and is responsible for automatic MDM enrollment.
Devices that are Azure AD joined or hybrid Azure AD joined are treated as corporate devices.
We can find this setting in the Microsoft Endpoint Manager admin center: go to Home > Windows > Windows enrollment and click Automatic Enrollment. The setting is also available in the Azure portal under Azure Active Directory > Mobility (MDM and MAM).
The MDM user scope has 3 options:
- None: disables the MDM user scope
- Some: applies the scope to specific groups
- All: enables the MDM user scope for all users
Once set to Some or All, the selected users (or all users) can automatically enroll devices into Intune.
With this we enable MDM auto-enrollment for Azure AD joined devices, hybrid Azure AD joined devices and Bring Your Own Devices (BYOD).
What is MAM user scope
The Mobile Application Management user scope is valid for the BYOD (Bring Your Own Device) scenario only. With the MAM user scope you can apply Windows Information Protection (WIP) policies to devices to restrict applications. This setting is not meant for enrolling the device. As the device is not enrolled, the organization has no visibility into your personal files and can't deploy apps, though it can control the corporate / work profile related applications and policies as part of the MAM user scope.
MAM is the option for users who don't want to enroll their personal devices but still want to use organization resources / apps such as Office 365, Teams etc.
Devices with workplace join (Azure AD registered) are treated as personal devices.
When MAM is used for application management without enrollment (also known as MAM-WE), we are just managing the apps in the work profile without enrolling the device in Intune MDM. This protects the organization's data within an application and prevents accidental copying of data from the work profile to the personal profile.
MAM is available for the following platforms:
However, the MAM user scope is only valid for Windows devices. We can still manage applications with MAM using App protection policies and App configuration policies.
The MAM user scope has the same 3 settings, i.e. None, Some and All.
Another point to note:
- For BYOD devices, the MAM user scope policy always takes precedence over the MDM user scope policy if both are enabled for the user. This means the device will not be enrolled in Intune.
- For corporate devices, the MDM user scope policy always takes precedence.
Note: Microsoft is deprecating Windows Information Protection (WIP). Microsoft will continue to support WIP on supported versions of Windows, but new versions of Windows won't include new capabilities for WIP. Check "Announcing sunset of Windows Information Protection" for more details. Microsoft recommends exploring Microsoft Purview Data Loss Prevention (DLP), which is deeply integrated with Microsoft Purview Information Protection to protect sensitive data.
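As an added example (not the post's own code), the PowerShell script below reads both scope settings from the Microsoft Graph beta endpoints (/policies/mobileDeviceManagementPolicies and /policies/mobileAppManagementPolicies) and encodes the precedence rules above to predict whether a given join type ends up enrolled. It assumes the Microsoft.Graph PowerShell SDK is installed and the caller can consent to Policy.Read.All; the function names are mine, and the portal's None / Some / All map to the API's none / selected / all.

```powershell
# Added example: audit the MDM and MAM user scope via Microsoft Graph (beta) and
# apply the precedence rules from the post. Assumes Microsoft.Graph SDK + Policy.Read.All.
Connect-MgGraph -Scopes 'Policy.Read.All' | Out-Null

function Get-MobilityPolicyScope {
    param([ValidateSet('mobileDeviceManagementPolicies','mobileAppManagementPolicies')][string]$Kind)
    $base = "https://graph.microsoft.com/beta/policies/$Kind"
    # A tenant normally has one policy per provider (Intune); report all of them.
    $policies = (Invoke-MgGraphRequest -Method GET -Uri $base).value
    foreach ($p in $policies) {
        $groups = @()
        if ($p.appliesTo -eq 'selected') {
            # includedGroups ("Some" in the portal) is a separate navigation property
            $groups = (Invoke-MgGraphRequest -Method GET -Uri "$base/$($p.id)/includedGroups").value |
                      ForEach-Object { $_.displayName }
        }
        [pscustomobject]@{
            Kind        = $Kind
            DisplayName = $p.displayName
            AppliesTo   = $p.appliesTo      # none / all / selected
            Groups      = $groups
        }
    }
}

function Get-ExpectedEnrollment {
    # Encodes the two precedence rules for a single user on a single device.
    param(
        [bool]$MdmInScope,   # the user is covered by the MDM user scope
        [bool]$MamInScope,   # the user is covered by the MAM user scope
        [ValidateSet('AzureADJoined','HybridAzureADJoined','AzureADRegistered')][string]$JoinType
    )
    if ($JoinType -ne 'AzureADRegistered') {
        # Corporate device: MDM scope wins regardless of the MAM scope
        if ($MdmInScope) { return 'Enrolled (fully managed)' } else { return 'Not enrolled' }
    }
    # Personal (workplace joined) device: MAM scope takes precedence over MDM scope
    if ($MamInScope) { return 'Not enrolled (MAM-WE / WIP only)' }
    if ($MdmInScope) { return 'Enrolled (lightly managed, ownership = Personal)' }
    return 'Not enrolled'
}

$mdm = Get-MobilityPolicyScope -Kind mobileDeviceManagementPolicies
$mam = Get-MobilityPolicyScope -Kind mobileAppManagementPolicies
$mdm, $mam | Format-Table -AutoSize
# Personal device, user in both scopes -> not enrolled (the post's recommended setup)
Get-ExpectedEnrollment -MdmInScope $true -MamInScope $true -JoinType AzureADRegistered
```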
Difference between MDM user scope and MAM user scope
What are the differences when the various combinations of MDM user scope and MAM user scope are applied? Let's discuss:
| MDM user scope | MAM user scope | Azure AD joined devices (Corporate) | Azure AD registered devices (Personal) |
| --- | --- | --- | --- |
The table above is for reference.
For Azure AD joined devices, the MDM user scope takes precedence because they are corporate devices, irrespective of the MAM user scope: the device will always get enrolled.
But for Azure AD registered devices the behaviour differs, as shown in the table. Let's cover 2 scenarios:
Scenario 1: Both MDM user scope and MAM user scope enabled.
Log in to Windows 10, navigate to Start > Settings > Accounts > Access work or school and click Connect.
As I want to reach the Azure AD registered state, I provide the email address.
Provide the username and wait for the device to get registered.
We can see the device got Azure AD registered, shown with the Windows sign.
Click on Info; the biggest difference you will see for MAM enrollment is "Managed by mddprov account" along with "Areas managed by mddprov account". This means the device is provisioned using Mobile Application Management. For more details on the mddprov account, check the link.
Open Event Viewer and navigate to Applications and Services Logs \ Microsoft \ Windows \ User Device Registration \ Admin. In the right pane, we can see the message:
The registration status has been successfully flushed to disk.
Join type: 5 (WORKPLACE)
Join type 5 is Azure AD registered, or workplace join.
You can verify the workplace join with MAM policies applied through the command dsregcmd /status:
When we log in to the Azure portal, the device shows as Azure AD registered.
When we log in to the MEM admin center, we can't find the device among the enrolled devices.
Scenario 2: MDM user scope enabled and MAM user scope disabled.
This time we made the following change:
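As an added example (not from the original post), a PowerShell check that classifies the local device the way the two scenarios in this post do: it parses dsregcmd /status for the join type and looks in HKLM:\SOFTWARE\Microsoft\Enrollments for an Intune MDM enrollment, which is what separates the mddprov (MAM-only) registration from the enrolled personal device of the next scenario. The function names and the registry interpretation (ProviderID 'MS DM Server' with EnrollmentState 1 meaning an active Intune enrollment) are assumptions.

```powershell
# Added example: determine join type and Intune MDM enrollment state of this device.
# Assumption: an Enrollments subkey with ProviderID 'MS DM Server' and EnrollmentState 1
# is an active Intune MDM enrollment; a MAM-only (mddprov) registration has no such entry.
function ConvertFrom-DsregcmdStatus {
    param([string[]]$Lines)   # output lines of `dsregcmd /status`
    $state = @{}
    foreach ($line in $Lines) {
        # Status lines look like "          AzureAdJoined : YES"; banner lines are skipped
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

function Get-JoinType {
    param([hashtable]$State)
    if ($State['AzureAdJoined'] -eq 'YES' -and $State['DomainJoined'] -eq 'YES') { return 'HybridAzureADJoined' }
    if ($State['AzureAdJoined'] -eq 'YES')   { return 'AzureADJoined' }
    if ($State['WorkplaceJoined'] -eq 'YES') { return 'AzureADRegistered' }   # Join type 5 (WORKPLACE) in the event log
    return 'NotJoined'
}

function Test-IntuneMdmEnrollment {
    # True when an Intune MDM enrollment exists, false for a MAM-only registration.
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (-not (Test-Path $root)) { return $false }
    foreach ($key in Get-ChildItem $root) {
        $p = Get-ItemProperty $key.PSPath
        if ($p.ProviderID -eq 'MS DM Server' -and $p.EnrollmentState -eq 1) { return $true }
    }
    return $false
}

# Live run on this machine
$state    = ConvertFrom-DsregcmdStatus -Lines (dsregcmd /status)
$joinType = Get-JoinType -State $state
$enrolled = Test-IntuneMdmEnrollment
$outcome  = if ($joinType -eq 'AzureADRegistered' -and -not $enrolled) { 'Personal device, MAM user scope applied (Scenario 1)' }
            elseif ($joinType -eq 'AzureADRegistered' -and $enrolled)  { 'Personal device, MDM enrolled / lightly managed (Scenario 2)' }
            elseif ($enrolled)                                           { 'Corporate device, MDM enrolled' }
            else                                                         { 'Not registered or not enrolled' }
[pscustomobject]@{ JoinType = $joinType; Enrolled = $enrolled; Outcome = $outcome }
```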
MDM user scope: All
MAM user scope: None
Note: As no MAM user scope is specified, we expect the MDM user scope to kick in and enroll the device even though it is a personally owned device.
Once again go to Access work or school, click Connect and perform the Azure AD registration by providing the email address.
Once registration completes, we again see the Windows sign (not the briefcase sign), which indicates Azure AD registration.
However, when we click on Info, we now see "Managed by <companyname>" along with "Areas managed by <companyname>".
Event Viewer still shows "Join type: 5 (WORKPLACE)".
In Azure portal > Azure Active Directory > Devices, we see some slight changes this time. Join Type still shows "Azure AD registered", but MDM authority now shows "Microsoft Intune" as well, which means the device got enrolled.
We can verify the enrollment by logging on to the MEM admin center.
The device is listed here and managed by Intune.
As we did an Azure AD registration (not an Azure AD join), the device shows Ownership as "Personal".
And for personal devices, the organization is not able to see the applications installed on them; the list is empty. This is the lightly managed device scenario.
See below how a corporate-owned, Azure AD joined (enrolled) device shows all discovered apps:
When to enable both, i.e. MDM user scope and MAM user scope
I would say this should be the ideal scenario, as in the current environment we have corporate-owned devices as well as personally owned devices with Office 365, Teams and apps installed.
When both are enabled, personally owned devices will not get enrolled in Intune. This means the organization is not able to touch your personal data and has no visibility into what you do or what you have, though it has full control over work profile related content, which can be wiped. The organization can control how you use work profile applications and can impose restrictions and policies on them, but this won't apply to the rest of your personal device.
The same applies to your Windows device if it is just Azure AD registered when both the MDM user scope and MAM user scope are enabled: it won't enroll in Intune.