Organizations that run a loose and decentralized environment and want to restrict organizational oversight on employee devices SHOULD implement Mobile Application Management (MAM) for company applications and data at a minimum.

In some business environments, there may be a desire to provide as much personal control over mobile devices as possible. This is common in environments that rely on a bring your own device (BYOD) strategy. Employees should be left to personally control their underlying operating system and personal resources, but they still need to use company applications and access company data. This creates a need for businesses to assert control over their resources without taking control over the computer account, as a Mobile Device Management (MDM) strategy would. An alternative management solution called Mobile Application Management (MAM) has arisen to address this need.

While an MDM strategy places central control of devices in the organization’s hands, an MAM strategy moves a layer up and places control of company applications in the organization's hands, while leaving overall control of the operating system and other applications to the employee personally. MAM allows employees to install and use company-specific apps while keeping their devices unenrolled from any sort of MDM profile. The apps that are installed under the company’s authority remain monitored and controlled by its administration.

One of the most straightforward Mobile Application Management solutions is Microsoft Intune App Management. Microsoft allows organizations to set up a “Company Portal” for employees to choose and install applications from a pre-selected catalog. Think of this as a company-owned and managed App Store. After the apps are installed, employees are directed to connect their work email address to the selected applications. Attaching their company accounts to the applications places them under the control and monitoring of the company's Intune solution, while the rest of the device remains under the control of the employee’s personal account.

A common scenario where MAM would be useful is an organization that wants to allow users to install Office 365 apps on any device they use to do their work on the go. The organization does not want the overhead of managing entire devices or taking control away from employees, so it simply uploads the Office 365 apps to the Company Portal for the employees to install and use for work purposes. Granular security and configuration settings can be set for the Office 365 Suite, but the controls will strictly be placed on those apps and not on other resources on the device. MAM is then often combined with security controls like Data Loss Prevention (DLP) and Conditional Access to prevent data leakage and the introduction of cyber threats stemming from other areas on the employee's device.