
Configuring Intune MDM User Scope and MAM User Scope for Windows 10

In a previous blog post I wrote about the basics of Windows Information Protection (WIP). If you did not read that post, I suggest you go back and read it first for a complete understanding before continuing. If you're here to learn more about the MDM user scope and the MAM user scope, I hope this post will add value for you too.

This post is part of a series; in upcoming posts I'll also write about Microsoft Cloud App Security, limiting access to Exchange Online or SharePoint Online on unmanaged devices, and Azure AD Conditional Access policies. Combining these tools gives you the best possible solution for enabling a bring-your-own-device scenario. This post focuses on configuring the Intune MDM user scope and MAM user scope.

  1. Introduction to Windows Information Protection
  2. Configuring Intune MDM user scope and MAM user scope for Windows 10 (this post)
  3. Windows Information Protection without enrollment (WIP-WE / MAM)
  4. Windows Information Protection with Enrollment
  5. Windows Information Protection User Experience
  6. WIP Learning mode
  7. Set up Azure Rights Management with WIP
  8. Monitoring and collecting WIP audit event logs
  9. Troubleshooting Windows Information Protection
  10. Microsoft Cloud App Security and unmanaged devices
  11. Limiting Access to SharePoint Online on unmanaged devices
  12. Limiting Access to Exchange Online on unmanaged devices

Prerequisites

Make sure you have all the prerequisites in place:

  • Intune enabled as the MDM authority
  • Windows 10 1703 and above for testing
  • EMS E3 licenses (or at the very least Intune and Azure AD premium P1)

Configuring MDM User Scope and MAM User Scope

There seems to be a lot of confusion about configuring the MDM user scope and the MAM user scope: what these scopes do and which one to use. I hope to shed some light on these settings before we actually configure the WIP-WE (MAM) policy in another post. These scopes only apply to Windows 10 devices; iOS and Android devices are NOT affected by them.

To configure your MDM and MAM user scope go to:

Microsoft Intune> Device enrollment> Windows enrollment> Automatic Enrollment

Note: if the MAM Discovery URL is missing, or you're not sure whether it's correct, select "Restore default MAM URLs".

[Screenshot: MDM user scope and MAM user scope settings in the Intune portal]

In this example I’ve set both scopes to Some and selected a user group for the purpose of this blog post.

MDM user scope

The MDM user scope enables Windows 10 automatic enrollment for management with Microsoft Intune. When a user in this scope Azure AD joins a device or adds a work or school account, the device automatically enrolls into MDM management with Microsoft Intune. When you don't enable automatic MDM enrollment, you can still enroll a corporate device in Intune manually. In other words, the MDM user scope lets you roll out automatic MDM enrollment with Microsoft Intune to a select group of users, giving you the option to perform a phased roll-out of the feature.

The screenshot below shows a device that has been Azure AD joined and automatically MDM enrolled while going through the out-of-box experience (OOBE). The join type is Azure AD joined and MDM is set to Microsoft Intune.

[Screenshot: Azure AD joined device with MDM set to Microsoft Intune]

The same thing happens when this user adds a work or school account by going to Windows Settings> Accounts> Access work or school> Connect> Set up a work or school account. The join type will then be Azure AD registered and MDM will again be set to Microsoft Intune.

You can verify that MDM policies apply by going to Windows Settings> Accounts> Access work or school>, selecting your work account and clicking the Info button.

[Screenshot: Windows Settings> Accounts> Access work or school]

Scroll down to the Connection info section and have a look at the configuration. The Management Server Address should look something like this:

[Screenshot: Intune Management Server Address]

Another way is to run dsregcmd /status from a command prompt. The Device State section will show AzureAdJoined : YES, along with extra information about the device and the tenant.

[Screenshot: MDM vs MAM]

MAM user scope

When users in this scope add a work or school account, the device doesn't get enrolled in Intune but is registered in Azure AD. If you have configured Windows Information Protection, only WIP without Enrollment (the MAM policy) is applied. Before creating your WIP-WE policy, however, you need to set up your MAM provider, i.e. the MAM URLs, in Azure AD. To enable WIP-WE for Windows 10 devices the MAM Discovery URL must be configured; without it users cannot enroll into MAM management.

The screenshot below shows a device that has been registered in Azure AD but not MDM enrolled in Microsoft Intune. The join type is Azure AD registered and MDM is set to None. The user registered the device by going to Windows Settings> Accounts> Access work or school> Connect> Set up a work or school account. This device also does not need to be compliant and therefore shows N/A.

[Screenshot: Azure AD registered device with MDM set to None]

You can verify that only MAM policies apply by going to Windows Settings> Accounts> Access work or school>, selecting your work account and clicking the Info button.

[Screenshot: Windows Settings> Accounts> Access work or school]

Scroll down to the Connection info section and have a look at the configuration. The Management Server Address should be http://wip.mam.manage.microsoft.com:444/checkin.

[Screenshot: Intune MAM Management Server Address]

Another way is to run dsregcmd /status from a command prompt. The User State section shows WorkplaceJoined : YES. Also note the WorkplaceMdmUrl: this is the MAM discovery URL from your MAM user scope settings.

[Screenshot: dsregcmd /status showing WorkplaceJoined : YES and the WorkplaceMdmUrl]

Misconceptions about MDM and MAM user scope

Don't confuse Azure AD join or Azure AD registration with Intune MDM enrollment. They often go hand in hand, but they don't have to. You need to work out which users should automatically enroll into MDM, so you can control their devices and apps, and which users should enroll only into MAM, so you can control the apps they use without requiring the device to enroll into MDM. The latter is obviously for BYOD scenarios.

What if you have users with corporate devices that need to be MDM enrolled, but at the same time these users need to use personal devices (BYOD) as well, without fully MDM enrolling those devices in Microsoft Intune? In other words, you want the same user or group of users to be in both the MDM user scope and the MAM user scope.

Here is a quote from the Microsoft website:

[Screenshot: quote from the Microsoft documentation on the MAM user scope]

Simply put: you can have the same user or group of users in both the MAM user scope and the MDM user scope. If you don't have a specific use case, like a phased rollout or a pilot, you can set both scopes to All and be done with it. You do, however, need to understand the impact of this kind of setup.

Identifying devices as corporate-owned

The real question you should ask yourself is how and when a device is identified as corporate or personal. A Windows 10 device is identified as corporate when it is one of the following:

  • Azure AD joined (OOBE / Windows Autopilot / user-driven)
  • Enrolled with a device enrollment manager (DEM) account
  • Set as corporate in the device properties (in Intune, after enrollment)

Corporate device

If a user is in both the MAM user scope and the MDM user scope and the device is Azure AD joined, it is identified as corporate and automatically enrolls in Intune.

Personal device

If a user is in both the MAM user scope and the MDM user scope and the user adds a work or school account, the device is workplace joined (Azure AD registered) and NOT automatically enrolled in Intune.
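To check which of these two outcomes a device actually ended up in, and to automate the dsregcmd /status checks from the MDM user scope and MAM user scope sections above, here is an added PowerShell example. It is not code from the original post or from Microsoft. It assumes the field names dsregcmd prints on Windows 10 1803 and later (AzureAdJoined in Device State, WorkplaceJoined and WorkplaceMdmUrl in User State, MdmUrl in Tenant Details) and uses the wip.mam.manage.microsoft.com host quoted above to recognise a MAM-only (WIP-WE) registration. The sample output at the bottom is constructed, not captured from a real device.

```powershell
# Added example for this post (not code from the original article or from Microsoft).
# Parses dsregcmd /status and classifies the device the way the post does:
# corporate (Azure AD joined) vs personal (Azure AD registered), and whether it is
# MDM enrolled, MAM-only (WIP-WE) or not managed at all.
# Assumptions: dsregcmd field names as printed on Windows 10 1803 and later
# (AzureAdJoined, WorkplaceJoined, MdmUrl, WorkplaceMdmUrl); the wip.mam host
# quoted in the post identifies a WIP-WE registration.

function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    # dsregcmd prints "  Name : Value" rows. Values can contain colons (URLs),
    # so only the first colon separates key and value. Section banners
    # ("| Device State |", "+----+") carry no key and are skipped.
    # PowerShell hashtables compare keys case-insensitively, which also covers
    # the AzureADJoined spelling used in the post.
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }
    return $fields
}

function Get-WorkAccountState {
    # Default: query the local device. Pass -StatusOutput to classify saved output.
    param([string[]]$StatusOutput = (& dsregcmd /status))
    $f = ConvertFrom-DsregcmdStatus -Lines $StatusOutput

    $aadJoined  = $f['AzureAdJoined']   -eq 'YES'   # Device State
    $registered = $f['WorkplaceJoined'] -eq 'YES'   # User State
    $deviceMdm  = [string]$f['MdmUrl']              # Tenant Details, set on MDM enrollment
    $userMdm    = [string]$f['WorkplaceMdmUrl']     # User State, MAM discovery or MDM URL

    # Ownership follows the join type: Azure AD joined is corporate;
    # "Set up a work or school account" only registers the device (personal).
    $ownership = if ($aadJoined) { 'Corporate (Azure AD joined)' }
                 elseif ($registered) { 'Personal (Azure AD registered)' }
                 else { 'No work account' }

    # Management follows which URL the device holds: a user in the MAM user scope
    # who registers a device gets only WIP-WE (WorkplaceMdmUrl on the wip.mam host);
    # any other non-empty MDM URL means a real Intune MDM enrollment, for example
    # after "Enroll only in device management".
    $management = if ($aadJoined -and $deviceMdm) { 'MDM (Intune)' }
                  elseif ($registered -and $userMdm -like '*wip.mam.manage.microsoft.com*') { 'MAM only (WIP-WE)' }
                  elseif ($registered -and $userMdm) { 'MDM (Intune)' }
                  else { 'None' }

    [pscustomobject]@{
        AzureAdJoined   = $aadJoined
        WorkplaceJoined = $registered
        MdmUrl          = $deviceMdm
        WorkplaceMdmUrl = $userMdm
        Ownership       = $ownership
        Management      = $management
    }
}

# Constructed sample (not captured from a real device): a personal device whose
# user is in the MAM user scope and added a work or school account.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : YES
           WorkplaceMdmUrl : https://wip.mam.manage.microsoft.com/Enroll
'@ -split "`r?`n"

Get-WorkAccountState -StatusOutput $sample | Format-List
```

Run Get-WorkAccountState without parameters on the device itself. On the constructed sample it reports a personal, Azure AD registered device that is managed by MAM only. An Azure AD joined device whose MdmUrl is empty comes out as corporate with Management set to None, which is the "joined but not enrolled" state you get when the user was not in the MDM user scope at join time.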

Reasons to only manage the apps (MAM)

You might have a specific reason to manage only the apps with MAM. MAM without MDM enrollment is obviously popular with organizations that support BYOD; here are some of the reasons I come across when implementing information security and enabling a bring-your-own-device scenario.

Pilot

Needless to say, you should start with a contained pilot user group.

Phased rollout

You want to start with a subset of your users before deploying company wide. This way you can target specific departments or regions.

Compliance

You need to comply with policies that require fewer management capabilities on BYOD.

User experience

Less intrusive or alarming for users.

Different scenarios worked out

I've created a table in which I also take Windows Information Protection (WIP) policies into account. There are three scenarios (setups) here, but feel free to work out your own. I think SETUP 1 is a good solution on many occasions: you have full control over corporate devices, and users have the option to add a work or school account on a BYO device and be managed by MAM (WIP-WE) on their personal devices.

If you or your users need more control over BYOD, users can also use Enroll only in device management. In this case the user enrolls twice: first adding a work or school account Azure AD registers the device, and then enrolling only in device management also MDM enrolls it with Microsoft Intune.


[Table: MDM and MAM enrollment scenarios (SETUP 1 to 3) for Windows 10 devices]

* Enroll only in device management will obviously MDM enroll the device in Microsoft Intune, so auto enrollment is not applicable here.

Final thoughts

I didn't think I could come up with this much to write about the MDM user scope and MAM user scope, but I had fun writing it and hope it will be of value. If you have any thoughts you would like to share with me and other readers, please leave a comment below. While I wrote this post to the best of my knowledge, I'm still human and make mistakes. If you happen to see an error, please let us know.

Next steps

Go ahead and read about Windows Information Protection without enrollment.


Comments

FultonZ

Hi,

I just want to pass on my appreciation and thanks for creating these documents.
I have read a lot of guides, step-by-steps and documentation regarding Microsoft Intune.

Your explanation and application on both MDM and MAM is by far the clearest and easiest to follow.

Keep up the great work,

cheers,

FultonZ.

Ian

thanks buddy – great explanation on the MDM and MAM scope.

Jesse Vaught

In your screenshot under MAM users scope I see a device that is Azure AD Joined but the MDM is none. This is the scenario I am running into. On these particular devices I selected “this device belongs to my organization” but for some reason they didn’t get enrolled. I’m thinking it’s because at the time, I did not have MDM enabled on the tenant yet.
Can you address this third scenario: Azure AD joined but MDM None. How can I get these joined devices to enroll in MDM?
By the way, I love the article – it is very clear!

Ruben Reis

Hi,
Is there a reason my test user's BYOD can download a file from OneDrive Online and copy and paste information to Twitter with no problem?
Another thing: on this same user and computer (BYOD) I have configured the OneDrive app with the company user. All files have the briefcase icon when using OneDrive Desktop.

Downloading the same file from OneDrive Online, it does not have the "Company Owner" icon.
Downloading the same file from the OneDrive desktop client with the company user, the file has the "Company Owner" icon...

Patrick

Thank you very much! That’s all what needs to be said.