Introducing Mobile Application Management (MAM) support for Microsoft Flow Mobile Application
We have recently shipped a new version of the Microsoft Flow mobile application for Apple iOS and Android that supports Mobile Application Management (MAM) without device enrollment. Using MAM allows IT administrators to create and enforce mobile data policies that safeguard company data.
Why is this important?
Whether a customer has adopted a Bring Your Own Device (BYOD) strategy or is providing employees with a corporate phone, they are looking for more control over the data that resides on a mobile device. Organizations may want to restrict how data moves on the device and ensure the data is removed, should the employee leave the organization.
What is MAM?
MAM allows organizations to create policies that govern how an application is used within a tenant. This can include enforcing app data encryption, restricting copy/extract of data to approved applications only, or enforcing a PIN when the application is used.
Does my device need to be enrolled?
Intune MAM without enrollment does not require a user to enroll their device in Intune MDM. However, the Company Portal application needs to be installed on the device to enforce policies. A user does not need to sign in to the Company Portal application for MAM to function. The Company Portal application can be downloaded from the Apple and Android app stores.
What version of the Microsoft Flow mobile app is required?
Version 2.31.0 of the app is required. Our deployments for iOS have reached 100% coverage to all regions. For Android, we are staging our rollout so there may be a delay in this version of the app being available.
How can I set up a MAM policy?
An administrator can create policies from the Azure portal. For the purpose of this blog post, we will create an App protection policy that requires a Flow user to enter a PIN when using the Microsoft Flow mobile application.
- Ensure the appropriate application is selected based upon the platform that you are trying to target. If you do not find it in the list of apps, search for it by typing the appropriate value into the Bundle ID field. Click the Add button to add this application as a required app and then click Select to complete this configuration.
- We now need to define the policy that will impose specific application behaviors by clicking on Configure required settings.
- Within the Configure required settings experience, there are 3 areas that we need to configure: Data relocation, Access requirements and Conditional launch.
- Let’s start with the Data relocation settings. Since the Flow app is not used to generate local data, we can use the default policy.
Note: This policy has been used as an example. Please modify to meet your organization’s needs.
- Next, we are going to focus on Access requirements and can establish a policy like the one below. Once we are done configuring our Access requirements we can click on the Ok button.
Note: When testing you can lower the Recheck the access requirements after (minutes) setting to reduce the amount of time you need to wait for a prompt.
To select one or more Azure AD groups, click on Select groups to include and then select the appropriate group. For this purpose, I have created an Azure AD group and included the members to whom I want these policies applied.
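The portal steps above (target the app by bundle ID, leave Data relocation at its defaults, require a PIN under Access requirements, shorten the recheck interval for testing, and assign to an Azure AD group) can also be expressed as a Microsoft Graph request body. The script below is an added example, not code from the original post or from Microsoft: it builds an iOS app protection policy body with the same settings, validates that the PIN requirement and recheck interval are what the post describes, and shows the three Graph calls needed to create, target and assign it. The property names and endpoint paths are assumed to be those of the Microsoft Graph beta `iosManagedAppProtection` resource; the bundle ID, group ID and access token are placeholders you must supply. Only the build and check functions run offline; the Graph calls need a token with app protection policy write permission.

```python
"""Build, validate and (optionally) deploy an Intune iOS app protection policy
that mirrors the PIN policy configured in the portal walkthrough.

Added example, not Microsoft's code. Graph endpoint paths and property names are
assumed from the beta iosManagedAppProtection resource; IDs below are placeholders.
"""
import json
import re
import urllib.request

GRAPH = "https://graph.microsoft.com/beta"
POLICY_PATH = "/deviceAppManagement/iosManagedAppProtections"

# Placeholders (constructed): replace with the real bundle ID shown in the portal
# and the object ID of the Azure AD group you created for the pilot users.
FLOW_IOS_BUNDLE_ID = "com.example.flow.placeholder"
PILOT_GROUP_ID = "00000000-0000-0000-0000-000000000000"

# ISO 8601 duration as Graph returns it, e.g. PT30M, PT12H, P90D
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")


def parse_minutes(duration):
    """Convert a Graph duration string to minutes; None if it is not parseable."""
    match = _DURATION.match(duration or "")
    if not match or duration in ("P", "PT"):
        return None
    days, hours, minutes = (int(g) if g else 0 for g in match.groups())
    return days * 1440 + hours * 60 + minutes


def build_pin_policy(display_name, recheck_minutes=30, min_pin_length=4):
    """Policy body equivalent to the post's Access requirements settings.

    Data relocation is left at defaults (the Flow app generates no local data),
    a numeric PIN is required, and the online recheck interval is configurable
    so it can be lowered while testing, as the post suggests.
    """
    if recheck_minutes < 1:
        raise ValueError("recheck interval must be at least 1 minute")
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": display_name,
        "pinRequired": True,
        "minimumPinLength": min_pin_length,
        "pinCharacterSet": "numeric",
        "simplePinBlocked": True,
        # "Recheck the access requirements after (minutes)" in the portal
        "periodOnlineBeforeAccessCheck": "PT%dM" % recheck_minutes,
        "periodOfflineBeforeAccessCheck": "PT12H",
        "periodOfflineBeforeWipeIsEnforced": "P90D",
    }


def check_policy(policy, max_recheck_minutes=30):
    """Return findings for the settings this post relies on; empty list means OK."""
    findings = []
    if not policy.get("pinRequired"):
        findings.append("pinRequired is false: users will never be prompted for a PIN")
    if policy.get("minimumPinLength", 0) < 4:
        findings.append("minimumPinLength is below 4")
    recheck = parse_minutes(policy.get("periodOnlineBeforeAccessCheck"))
    if recheck is None or recheck > max_recheck_minutes:
        findings.append("periodOnlineBeforeAccessCheck missing or longer than %d minutes"
                        % max_recheck_minutes)
    return findings


def graph_post(path, body, token):
    """POST a JSON body to Graph and return the decoded response (network call)."""
    req = urllib.request.Request(
        GRAPH + path, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def deploy_policy(policy, bundle_id, group_id, token):
    """Create the policy, target the Flow app by bundle ID, assign it to a group."""
    created = graph_post(POLICY_PATH, policy, token)
    policy_id = created["id"]
    graph_post(POLICY_PATH + "/%s/targetApps" % policy_id, {"apps": [{
        "mobileAppIdentifier": {"@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                                "bundleId": bundle_id}}]}, token)
    graph_post(POLICY_PATH + "/%s/assign" % policy_id, {"assignments": [{
        "target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                   "groupId": group_id}}]}, token)
    return policy_id


if __name__ == "__main__":
    # Offline dry run: print the body and confirm it matches the post's intent.
    body = build_pin_policy("Flow mobile PIN policy", recheck_minutes=5)
    print(json.dumps(body, indent=2))
    print("findings:", check_policy(body) or "none")
    # deploy_policy(body, FLOW_IOS_BUNDLE_ID, PILOT_GROUP_ID, "<access token>")
```

Run it as-is for a dry run; uncomment the last line once you have a token and the real bundle and group IDs. Keeping the recheck interval short only while testing, then raising it before assigning to the production group, avoids users being prompted for a PIN every few minutes.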