
Configuring Intune MDM User Scope and MAM User Scope for Windows 10

In a previous blog post I wrote about the basics of Windows Information Protection (WIP). If you did not read that post, I suggest you go back and read it for a complete understanding before continuing. If you’re here to learn more about the MDM user scope and MAM user scope, then I hope this post will add value for you too.

This post is part of a series, and in upcoming posts I’ll also write about Microsoft Cloud App Security, limiting access to Exchange Online or SharePoint on unmanaged devices, and Azure AD Conditional Access policies. Combining the power of these tools will give you the best possible solution to enable a bring-your-own-device scenario. This post will focus on configuring the Intune MDM user scope and MAM user scope.

  1. Introduction to Windows Information Protection
  2. Configuring Intune MDM user scope and MAM user scope for Windows 10 (this post)
  3. WIP without enrollment (WIP-WE / MAM)
  4. Windows Information Protection with Enrollment
  5. Windows Information Protection User Experience
  6. WIP-WE User Experience – WIP Without MDM enrollment
  7. Set up Azure Rights Management for WIP
  8. WIP Without Enrollment Selective Wipe
  9. Troubleshooting Windows Information Protection
  10. Monitoring and collecting WIP audit event logs
  11. WIP Learning mode
  12. Limiting Access to SharePoint Online on unmanaged devices
  13. Limiting Access to Exchange Online on unmanaged devices

Prerequisites

Make sure you have all the prerequisites in place:

  • Intune enabled as the MDM authority
  • Windows 10 1703 and above for testing
  • EMS E3 licenses (or at the very least Intune and Azure AD premium P1)

Configuring MDM User Scope and MAM User Scope

There seems to be a lot of confusion when it comes to configuring the MDM user scope or MAM user scope, what these scopes do, and which one to use. I hope to shed some light on these settings before we actually configure the WIP-WE (MAM) policy in another post. These settings/scopes only apply to Windows 10 devices; iOS and Android devices are NOT affected.

To configure your MDM and MAM user scope go to:

Microsoft Intune > Device enrollment > Windows enrollment > Automatic Enrollment

Note: if the MAM Discovery URL is missing, or you’re not sure if it’s correct, select “Restore default MAM URLs”.

[Screenshot: MDM User Scope and MAM User Scope settings]

In this example I’ve set both scopes to Some and selected a user group for the purpose of this blog post.

MDM user scope

The MDM user scope is configured to enable Windows 10 automatic enrollment for management with Microsoft Intune. When users in this scope Azure AD join a device or register a work or school account, the device will automatically enroll into MDM management with Microsoft Intune. When you don’t enable automatic MDM enrollment, you can still enroll the corporate device in Intune manually. In other words: the MDM user scope can be used to roll out automatic MDM enrollment with Microsoft Intune to only a select group of users, giving you the option to perform phased roll-outs of the feature.

The screenshot below shows a device that has been Azure AD joined and automatically MDM enrolled while going through the out-of-box experience (OOBE). The join type is Azure AD joined and MDM has been set to Microsoft Intune.

[Screenshot: MDM user scope, Microsoft Intune]

The same thing happens when this user adds a work or school account by going to Windows Settings > Accounts > Access work or school > Connect > Set up a work or school account. The join type will then be Azure AD registered and MDM will again be set to Microsoft Intune.

You can verify that MDM policies apply by going to Windows Settings > Accounts > Access work or school, then selecting your work account and clicking on the Info button.

[Screenshot: Windows Settings > Accounts > Access work or school]

Scroll down to the Connection info section and have a look at the configuration. The Management Server Address should look something like this:

[Screenshot: Intune Management Server Address]

Another way is to run the command dsregcmd /status from a command prompt. The Device State section will show AzureADJoined: YES. There will also be extra information about the device and the tenant.

[Screenshot: MDM vs MAM]

MAM user scope

When users in this scope add a work or school account, the device doesn’t get enrolled in Intune but it will be registered in Azure AD. If you have configured Windows Information Protection, only WIP without enrollment (the MAM policy) is applied. However, before creating your WIP-WE policy, you need to set up your MAM provider, i.e. the MAM URLs, in Azure AD. To enable WIP-WE for Windows 10 devices, the MAM Discovery URL must be configured. Without it, users cannot enroll into MAM management.

The screenshot below shows a device that has been registered in Azure AD but not MDM enrolled in Microsoft Intune. The join type is Azure AD registered and MDM has been set to None. The user registered the device by going to Windows Settings > Accounts > Access work or school > Connect > Set up a work or school account. This device also does not need to be compliant and therefore shows N/A.

[Screenshot: MAM user scope]

You can verify that only MAM policies apply by going to Windows Settings > Accounts > Access work or school, then selecting your work account and clicking on the Info button.

[Screenshot: Windows Settings > Accounts > Access work or school]

Scroll down to the Connection info section and have a look at the configuration. The Management Server Address should be http://wip.mam.manage.microsoft.com:444/checkin.

[Screenshot: Intune MAM Management Server Address]

Another way is to run the command dsregcmd /status from a command prompt. The User State section shows WorkplaceJoined: YES. Also note the WorkplaceMdmUrl: this is the MAM discovery URL from your MAM user scope settings.

[Screenshot: dsregcmd WorkplaceJoined]
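Both dsregcmd checks above (AzureAdJoined in Device State for the MDM path, WorkplaceJoined and WorkplaceMdmUrl in User State for the MAM path) can be scripted so a help desk does not have to read the raw output. The PowerShell below is an added example and is not code from the original post or from Microsoft: it parses the "Key : Value" rows that dsregcmd /status prints, then reports the join type and what to expect from the user scopes. The function names are my own, the sample output is constructed to resemble an Azure AD registered BYOD device, and the assumption that a WorkplaceMdmUrl pointing at wip.mam.manage.microsoft.com means "MAM only" is taken from the check-in address shown in the post.

```powershell
# Added example (not from the original post): summarise dsregcmd /status output
# to tell an Azure AD joined (MDM) device from an Azure AD registered (MAM-only) one.

function ConvertFrom-DsregcmdStatus {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Lines)

    # PowerShell hashtable literals are case-insensitive, so 'AzureAdJoined'
    # and 'AzureADJoined' resolve to the same entry.
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Key : Value" rows; section banners (| ... |) and
        # separators (+---+) start with other characters and are skipped.
        # The key class excludes ':' so URLs in the value keep their colons.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$') {
            $state[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $state
}

function Get-EnrollmentSummary {
    [CmdletBinding()]
    param([Parameter(Mandatory)][hashtable]$State)

    $aadJoined = $State['AzureAdJoined']   -eq 'YES'   # Device State section
    $wpJoined  = $State['WorkplaceJoined'] -eq 'YES'   # User State section
    $wpMdmUrl  = $State['WorkplaceMdmUrl']             # MAM discovery URL (User State)

    # Assumption from the post: the wip.mam check-in host identifies a
    # MAM-only (WIP without enrollment) registration, not an Intune MDM enrollment.
    $mamOnly = ($wpMdmUrl -like '*wip.mam.manage.microsoft.com*')

    $joinType = if ($aadJoined) { 'Azure AD joined' } elseif ($wpJoined) { 'Azure AD registered' } else { 'Not joined or registered' }

    $expectation = if ($aadJoined) {
        'Corporate device: automatic MDM enrollment expected when the user is in the MDM user scope'
    } elseif ($wpJoined -and $mamOnly) {
        'Personal device: only the MAM (WIP-WE) policy applies, no MDM enrollment'
    } elseif ($wpJoined) {
        'Azure AD registered but no MAM discovery URL: check the MAM user scope and MAM URLs'
    } else {
        'No work or school account present on this device'
    }

    [pscustomobject]@{
        DeviceName      = $State['Device Name']
        JoinType        = $joinType
        WorkplaceMdmUrl = $wpMdmUrl
        Expectation     = $expectation
    }
}

# Constructed sample resembling dsregcmd /status on an Azure AD registered
# device whose user sits in the MAM user scope (the post's second screenshot).
$sampleOutput = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : BYOD-LAPTOP-01

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : YES
         WorkplaceTenantId : 00000000-0000-0000-0000-000000000000
           WorkplaceMdmUrl : http://wip.mam.manage.microsoft.com:444/checkin
'@ -split "`r?`n"

# Parse the constructed sample. To inspect the machine the script runs on,
# replace $sampleOutput with: (dsregcmd /status)
$state = ConvertFrom-DsregcmdStatus -Lines $sampleOutput
Get-EnrollmentSummary -State $state | Format-List
```

For the constructed sample the summary reports JoinType "Azure AD registered" with the MAM expectation; on an Azure AD joined corporate device the Device State row AzureAdJoined : YES flips the result to the MDM expectation. When a registered device shows no WorkplaceMdmUrl at all, the third branch points you back to the MAM user scope and the "Restore default MAM URLs" step.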

Misconceptions about MDM and MAM user scope

Don’t confuse Azure AD join or registration with Intune MDM enrollment. They often go hand in hand but don’t need to. You need to figure out which users you need to automatically enroll into MDM, so you can control the devices and apps using MDM, and which users need to enroll only into MAM, so you can control the apps they use without requiring the device to enroll into MDM. The latter is obviously for BYOD scenarios.

What if you have users with corporate devices that need to be MDM enrolled, but at the same time these users need to use personal devices (BYOD) as well, without fully MDM enrolling their BYOD in Microsoft Intune? In other words: you want the same user or group of users to be in both the MDM user scope and the MAM user scope.

Here is a quote from the Microsoft website:

[Screenshot: quote from the Microsoft documentation on the MAM user scope]

Simply put: you can have the same user or group of users in both the MAM user scope and the MDM user scope. If you don’t have a specific use case for it, like a phased rollout or a pilot, you can set both of these scopes to All Users and be done with it. You will, however, need to understand the impact of this kind of setup.

Identifying devices as corporate-owned

The real question you should ask yourself is how and when a device is identified as corporate or personal. For a Windows 10 device to be identified as corporate it needs to be:

  • Azure AD Joined (OOBE / Windows AutoPilot / User driven)
  • Enrolled with a DEP account
  • Set as corporate in the device properties (in Intune, after enrollment)

Corporate device

If a user is in both the MAM user scope and MDM user scope and the device is Azure AD joined, it will be identified as corporate and the device will automatically enroll in Intune.

Personal device

If a user is in both the MAM user scope and MDM user scope and the user adds a work or school account, the device will be workplace joined (Azure AD registered) and NOT automatically enrolled in Intune.

Reasons to only manage the apps (MAM)

You might have a specific reason to only manage the apps with MAM. Obviously, MAM without MDM enrollment is very popular with organizations that support BYOD, and here are some of the reasons I come across when implementing information security and enabling a bring-your-own-device scenario.

Pilot:

Needless to say, you should start with a contained pilot user group.

Phased rollout:

You want to start with a subset of your users before deploying company wide. This way you can target specific departments or regions.

Compliance:

You need to comply with policies that require fewer management capabilities on BYOD.

User experience:

Less intrusive or alarming for users.

Different scenarios worked out

I’ve created a table where I also take Windows Information Protection (WIP) policies into account. There are 3 scenarios (setups) here, but feel free to play with your own scenarios. I think SETUP 1 is a good solution on many occasions: you will have full control over corporate devices, and users will have the option to add a work or school account on BYO devices and be managed by MAM (WIP-WE) on their personal devices.

If you or the users need more control on BYOD, then the users can also choose Enroll only in device management. In this case the user will have to enroll twice: first, adding a work or school account will Azure AD register the device, and then enrolling only in device management will also MDM enroll it with Microsoft Intune.

[Table image: MDM enroll Windows 10 devices, the three setups with their MDM user scope, MAM user scope and WIP policy combinations]

*Enroll only in device management will obviously MDM enroll the device in Microsoft Intune, so auto enrollment is not applicable here.

Final thoughts

I didn’t think I could come up with this much to write about the MDM user scope and MAM user scope, but I had fun writing it and hope it will be of value. If you have any thoughts you would like to share with me and other readers, then please leave a comment below. While I wrote this post to the best of my knowledge, I’m still human and make mistakes. If you happen to see an error, then please let us know.

Next steps

Go ahead and read about Windows Information Protection without enrollment.


Oktay Sari

CTO | Microsoft WI MVP | Likes to work on Creative #Cloud solutions | P-TSP | #Microsoft365 | #EMS | Father | #Diver | #RC Pilot & #Magician in spare time

Comments
FultonZ
1 year ago

Hi,

I just want to pass on my appreciation and thanks for creating these documents.
I have read a lot of guides, step-by-steps and documentation regarding Microsoft Intune.

Your explanation and application on both MDM and MAM is by far the clearest and easiest to follow.

Keep up the great work,

cheers,

FultonZ.

Ian
1 year ago

Thanks buddy – great explanation on the MDM and MAM scope.

Jesse Vaught
1 year ago

In your screenshot under MAM users scope I see a device that is Azure AD Joined but the MDM is none. This is the scenario I am running into. On these particular devices I selected “this device belongs to my organization” but for some reason they didn’t get enrolled. I’m thinking it’s because at the time, I did not have MDM enabled on the tenant yet. Can you address this third scenario – aad joined but mdm none. How can I get these joined devices to enroll in MDM? By the way, I love the article – it is very… Read more »

Ruben Reis
1 year ago

Hi,
Is there a reason my test BYOD user can download a file from OneDrive Online and copy and paste information to Twitter with no problem?
Another thing: on this same user and computer (BYOD) I have configured the OneDrive app with the company user. All files have the briefcase icon using OneDrive Desktop.

Downloading the same file from OneDrive Online does not give it the “Company Owner” icon.
Downloading the same file from the OneDrive Desktop client with the company user, the file does have the “Company Owner” icon…

Patrick
1 year ago

Thank you very much! That’s all what needs to be said.


Mahesh
7 months ago

Hi Oktay, thank you very much for such an article; it was clear about the MAM and MDM scope. Much appreciated.

FultonZ
2 months ago

Hi Oktay,

I have a query which I’m hoping you can help me with. Currently I have my Windows 10 computer joined to my personal Azure AD.

I now need to connect to my work’s data, which resides in SharePoint.

When I connect OneDrive to my work SharePoint, the files don’t have the application policy applied (i.e. the suitcase and file owner don’t display on the files).

Two questions.

Can I register my computer/account with my work, while being joined to my personal Azure AD?

How do I enforce that all connections to SharePoint/OneDrive have application protection applied?

thanks in advance,

Fulton.

hemant
2 months ago

This is super good! All that I have been trying to comprehend.

hemant
2 months ago
Reply to hemant

However, I do have a question. With the SETUP 1 indicated in the image, it’s not very clear what is meant by “Add work or school account” and “Enroll only in device management”. Should this be interpreted as two separate scenarios or as 2 steps of the same scenario?

extenue
1 month ago

Thank you very much, very nice article, simple but efficient, easy to understand.

Omar
1 month ago

Thanks a million for your posts. I have benefited a lot from them (thanks for all your efforts). One question: I have a user who is a member of both scopes (MDM and MAM). I have created a WIP policy without enrolment. The issue I am having is: the moment I joined my test VM to a work or school account (without joining the device to Azure AD), the device is automatically added to MDM (which I don’t want to happen). How can I avoid this? My main objective is to allow users to have the ability to use their… Read more »

Clive Foster
10 days ago

Only article that even comes close to explaining this topic in a way that makes sense.