In a previous blog I wrote about the basics on Windows Information Protection (WIP). If you did not read that post, I suggest you go back and read it for a complete understanding before continuing. If you’re here to learn more about MDM User scope and MAM user scope, then I hope this post will be of add value for you too.
This post is part of a series and in upcoming post I’ll also write about Microsoft Cloud App Security, Limiting Access to Exchange Online or Sharepoint on unmanaged devices, and Azure AD Conditional access policies. Combining the power of these tools, will give you the best possible solution to enable a bring-your-own-device scenario. This post will focus on configuring Intune MDM user scope and MAM user scope.
- Introduction to Windows Information Protection
- Configuring Intune MDM user scope and MAM user scope for Windows 10 (this post)
- Windows Information Protection without enrollment (WIP-WE / MAM)
- Windows Information Protection with Enrollment
- Windows Information Protection User Experience
- WIP Learning mode
- Set up Azure Rights Management with WIP
- Monitoring and collecting WIP audit event logs
- Troubleshooting Windows Information Protection
- Microsoft Cloud App Security and unmanaged devices
- Limiting Access to Sharepoint Online on unmanaged devices
- Limiting Access to Exchange Online on unmanaged devices
Make sure you have all the prerequisites in place;
- Intune enabled as the MDM authority
- Windows 10 1703 and above for testing
- EMS E3 licenses (or at the very least Intune and Azure AD premium P1)
Configuring MDM User Scope and MAM User Scope
There seems to be a lot of confusion when it comes to configuring the MDM users scope or MAM user scope and what these scopes do or which one to use. I hope to shed some light on these setting before we actually configure the WIP-WE (MAM) policy in another post. These settings/scopes only apply to Windows 10 devices. Therefore iOS and Android devices are NOT affected.
To configure your MDM and MAM user scope go to:
Microsoft Intune> Device enrollment> Windows enrollment> Automatic Enrollment
Note: if the MAM Discovery URL is missing,or you’re not sure if it’s correct select “Restore default MAM URLs”
In this example I’ve set both scopes to Some and selected a user group for the purpose of this blog post.
MDM users scope
The MDM user scope is configured to enable Windows 10 automatic enrollment for management with Microsoft Intune. When users in this scope Azure AD join a device or register a work or school account, the device will automatically enroll into MDM management with Microsoft Intune. When you don’t enable automatic MDM enrollment, you still can enroll the corporate device in Intune manually. In other words; The MDM user scope can be used to roll out automatic MDM enrollment with Microsoft Intune to only a select group of users, giving you the option to perform phased rollouts of the feature.
The screenshot below shows a device that has been Azure AD joined and automatically MDM enrolled while going through the OOB experience. The join type is Azure AD joined and MDM has been set to Microsoft Intune.
The same thing happens when this user adds a work or school account by going to Windows Setting> Accounts> Access work or school> Connect> Setup a work or school account. The join type will then be Azure AD registered and MDM will again be set to Microsoft Intune.
You can verify MDM policies apply by going to Windows Setting> Accounts> Access work or school> then select your work account and click on the Info button
Scroll down to the Connection info part and have a look at the configuration. The Management Server Address should be something like this:
Another way is to use the cmd command dsregcmd /status. The Device State section will show AzureADJoined: YES. There will also be extra information about the device and the tenant.
MAM users scope
When users in this scope add a Work or School Account the device doesn’t get enrolled in Intune but it will be registered in Azure AD. Therefore only WIP without Enrollment (MAM policy) is applied. However, before creating your WIP-WE policy, you need to set up your MAM provider or the MAM URLs in Azure AD. To enable WIP-WE for Windows 10 devices, the MAM Discovery URL must be configured. Without it the users cannot enroll into MAM management.
The screenshot below shows a device that has been registered in Azure AD but not MDM enrolled in Microsoft Intune. The join type is Azure AD registered and MDM has been set to None. The user registered the device by going to Windows Setting> Accounts> Access work or school> Connect> Setup a work or school account. This device also does not need to be compliant and therefore shows N/A.
You can verify only MAM policies apply by going to Windows Setting> Accounts> Access work or school> then select your work account and click on the Info button
Scroll down to the Connection info part and have a look at the configuration. The Management Server Address should be http://wip.mam.manage.microsoft.com:444/checkin
Another way is to use the cmd command dsregcmd /status. The User state shows WorkplaceJoined: YES. Also note the WorkplaceMdmUrl. This is the MAM discovery URL from your MAM user scope settings.
Misconceptions about MDM and MAM user scope
Don’t confuse Azure AD domain join or registration with Intune MDM enrollment. They often go hand in hand but don’t need to. You need to figure out, which user’s you need to automatically enroll to MDM so you can control the devices and apps using MDM and which user’s need to enroll only to MAM so you can control the apps they use, but don’t require the device to enroll to MDM. The latter one is obviously for BYOD scenario’s.
What if you have users with corporate devices that need to be MDM enrolled but at the same time, these users have the need to use personal devices (BYOD) as well, without fully MDM enrolling their BYOD in Microsoft Intune. In other words; you want the same user or group of users to be in both the MDM users scope as well as the MAM user scope.
Here is a quote from the Microsoft website:
Simply put; You can have the same user or group of users in both the MAM User scope and MDM user scope. If you don’t have a specific use case for it like a phased rollout or a pilot, you can set both these scopes to All Users and be done with it. You will however need to understand the impact of this kind of setup.
Identifying devices as corporate-owned
The real question you should ask yourself is how and when a device is identified as corporate or personal. For a Windows 10 device to be identified as corporate it needs to be;
- Azure AD Joined (OOBE / Windows AutoPilot / User driven)
- Enrolled with a DEP account
- Set as corporate in the device properties (in Intune, after enrollment)
If a user is in both the MAM user scope and MDM user scope and the device is Azure AD Joined it will be identified as corporate and the device will automatically enroll in Intune.
If a user is in both the MAM user scope and MDM user scope and the user adds a work or school account, the device will be workplace joined (Azure AD registered) and NOT automatically enrolled in Intune
Reasons to only manage the apps (MAM)
You might have a specific reason to only manage the apps with MAM. Obviously MAM without MDM enrollment is very popular for organizations that support BYOD and here are some of the reasons I come across when implementing Information Security and enabling a bring-your-own-device scenario.
Needless to say but you should start with a contained pilot user group.
You want to start with a subset of your users before deploying company wide. This way you can target specific departments or regions.
You need to comply with policies that require less management capabilities on BYOD.
Less intrusive or alarming for users.
Different scenarios worked out
I’ve created a table where I also take WIP policies into account. There are 3 scenario’s (setups) here but feel free to play with your own scenario’s. I’m thinking SETUP 1 is a good solution in many occasions. You will have full control over corporate devices and users will have the option to add a work or school account on a BYO devices and be managed by MAM (WIP-WE) on their personal devices.
If you or the users need more control on BYOD, then the users can also enroll only in device management. In this case the user will have to enroll twice. First Adding a work or school account will Azure AD register the device, and followed by enrolling only in device management will also MDM enroll with Microsoft Intune.
*enroll only in device management will obviously MDM enroll the device in MS Intune so auto enrollment is not applicable here.
I didn’t think I could come up with this much to write about the MDM user scope and MAM user scope but I had fun writing it and hope it will be of value. If you have any thought you would like to share with me and other readers then please leave a comment below. While I wrote this post to the best of my knowledge I’m still human and make mistakes. If you happen to see an error then please let us know.
Go ahead and read about Windows Information Protection without enrollment (I’m working on this post. Come back soon)
More reading material
- MDM enrollment of Windows-based devices
- Set up enrollment for Windows devices
- Identify devices as corporate-owned
- Configure the MAM provider