MAM is becoming an increasingly popular Intune implementation. Especially for smaller organizations that don’t provide corporate cell phones but still want to allow employees access to company email and data from their personal devices. Manually configuring MAM for organizations can be slightly time consuming, so I’ve created a script that creates and assigns everything needed for an Android/iOS MAM deployment. For more details on manually configuring MAM, see this blog post – Protect Company Data on Personal iOS/Android devices using Intune Mobile Application Management (MAM) – SMBtotheCloud.
I use the same baseline App Protection policies for all my MAM deployments. I also always target MAM to a pilot group of employees before rolling it out to larger subsets of users. In most situations, these app protection policies are sufficient, but you may need to edit some settings based on the organizational needs or the experience of the pilot group.
The script is available on GitHub and does the following:
- Creates a security group named “MAM_PilotGroup”
- Creates two managed app device filters for Unmanaged Android and Unmanaged iOS devices
- Creates App Protection Policy with common settings for Android and iOS Platforms and assigns the policies to the MAM_PilotGroup security group along with the filter to only include unmanaged devices
- Creates a conditional access policy targeting the MAM_PilotGroup security group to require an app protection policy for unmanaged iOS and Android Devices. The policy is in the “Off” state upon creation.
Simply run the script. It will check for the require modules and install them, if necessary, then prompt for authentication to your tenant. A log will be placed in the c:\temp directory of the device where the script is run. All you’ll need to do after the script is executed is add users to the MAM_PilotGroup security group and turn on the Conditional Access policy.
Here’s the script in action: