Mobile Application Management (MAM) & Mobile Threat Defense (MTD) Integration

This section is relevant if you use Microsoft Intune Mobile Application Management (MAM) to manage the use of mobile applications in your organization. For more information, see Microsoft Intune App Management.

When you integrate MAM with Harmony Mobile:

Applying the Mobile Application Management (MAM) Policy

00:00: Microsoft Intune Mobile Application Management, also known as MAM, allows organizations to force users to download the Harmony Mobile Protect App if they want to use other apps, for example, Microsoft Teams. This is the second part of a three-part video series that shows how to configure MAM policy for an iOS device in the Microsoft Intune Admin Center. As a prerequisite, make sure you watched part one in this three-part series.
00:27: Access the Microsoft Intune admin center. To enable the Mobile Threat Defense Connector for Harmony Mobile, go to Tenant administration and then click Connectors and tokens.
00:38: Go to Mobile Threat Defense and then click Add. From the list, select Check Point Harmony Mobile.
00:43: Set the values for policy and App protection policy evaluation as shown.
00:49: Now, to add a conditional policy for your device, go to Devices and then Conditional access.
00:55: Click Policies and then Create new policy.
00:58: Enter the policy name.
01:01: Under Users, click users and groups selected. Under Include, select Users and groups. Search and select your Security Group and then click Select.
01:10: Under Conditions, click Conditions selected. Under Device platforms, click Not configured. In the Device platforms window, select Android and iOS and click Done.
01:20: Under Client apps, click Not configured. In the Client apps window, enable the client apps as shown and click Done.
01:27: Under Grant, click controls selected. In the Grant window, select Require app protection policy and the options for multiple controls. Then, click Select.
01:36: Turn on Enable policy and then click Create.
01:39: To create an App protection policy, go to Apps and then App protection policies. Click Create policy and select the iOS/iPadOS option.
01:48: In the Basics tab, enter the policy name and click Next.
01:52: In the Apps tab, select the apps for which you want to enforce the MAM policy and click Next.
01:58: In the Data protection tab, enter the values as shown and click Next.
02:02: In the Access requirements tab, enter the values as shown and click Next.
02:07: In the Conditional launch tab, set the Max allowed mobile threat level and click Next.
02:12: In the Assignments tab, click Add Groups, select your Security Group and click Select. After that, click Next.
02:18: Review the policy details and click Create. MAM enforces the App protection policy on your device group.
02:25: This concludes the second part of this video series. Continue with the third part, integrating Microsoft Intune UEM on the Harmony Mobile Administrator Portal for a MAM user group. Thank you for watching the video.

Note - To manage the mobile applications, it is mandatory to enforce the MAM policy on the end-user device.

  1. Configure the MTD connector in Microsoft Intune. See Enabling the MTD Connector in Microsoft Intune Portal.

  2. Go to Connectors and tokens > Mobile Threat Defense.

  3. In the MTD Connector section, click Check Point Harmony Mobile.

  4. Set the Compliance policy evaluation and App protection policy evaluation sections for Android and iOS devices as shown in this screen.

  5. On the Microsoft Intune Admin Center, go to Devices > Conditional Access > Policies.

  6. Click Create new policy.

    1. Enter Name as Mobile Threat Defense policy.

    2. In the Users and groups section, search and assign the MTD policy to your group.

    3. In Conditions:

      • For Device platforms, click Not configured. In the Device platforms window, select Android and iOS and click Done.

      • For Client apps, click Not configured. In the Client apps window, enable the client apps as shown below and click Done.

    4. In the Grant section, click controls selected and select Require app protection policy and the option for multiple controls as shown.

    5. Turn on Enable policy and click Create.



  7. Go to Apps > App protection policies and create a new policy.

    1. In the Apps section, select the apps for which you want to enforce the MAM policy.

    2. In the Conditional launch section, set the Max allowed mobile threat level.

      The system blocks access to the selected apps if Harmony Mobile detects a device threat above the Max allowed mobile threat level.

    3. In the Assignments section, click Add Groups, select your security group and click Select.

    4. Click Next.

    5. Click Create.

      MAM enforces the App protection policy on your device group.
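As an added example (not part of the Check Point or Microsoft documentation), the following Python check audits a Conditional Access policy exported as JSON against the settings named in step 6. It assumes the export uses the Microsoft Graph conditionalAccessPolicy shape; the sample policy and the group ID placeholder are constructed, and audit_policy is a hypothetical helper name.

```python
import json

# Constructed sample in Microsoft Graph conditionalAccessPolicy shape.
# The group ID is a placeholder, not a value from this page.
SAMPLE_POLICY = json.loads("""
{
  "displayName": "Mobile Threat Defense policy",
  "state": "enabled",
  "conditions": {
    "users": {"includeGroups": ["<security-group-object-id>"]},
    "platforms": {"includePlatforms": ["android", "iOS"]}
  },
  "grantControls": {"operator": "OR", "builtInControls": ["compliantApplication"]}
}
""")


def audit_policy(policy, group_id):
    """Return a list of findings; an empty list means the policy matches step 6."""
    findings = []
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}
    # Step 6.5: a disabled or report-only policy does not block anything.
    if policy.get("state") != "enabled":
        findings.append(f"policy state is {policy.get('state')!r}, not 'enabled'")
    # Step 6.2: the policy must target the MAM security group.
    groups = (cond.get("users") or {}).get("includeGroups") or []
    if group_id not in groups:
        findings.append("security group is not in includeGroups")
    # Step 6.3: Android and iOS must both be in scope ('all' also covers them).
    included = (cond.get("platforms") or {}).get("includePlatforms") or []
    platforms = {p.lower() for p in included}
    if "all" not in platforms:
        for needed in ("android", "ios"):
            if needed not in platforms:
                findings.append(f"device platform {needed} is not included")
    # Step 6.4: Graph names "Require app protection policy" compliantApplication.
    if "compliantApplication" not in (grant.get("builtInControls") or []):
        findings.append("grant does not require an app protection policy")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY, "<security-group-object-id>") or ["OK"]:
        print(finding)
```

The check does not cover the client apps or the multiple-controls option, because the page shows those values only in a screenshot.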

Configuring the Harmony Mobile Administrator Portal

Prerequisite

Configure Microsoft Intune integration on Harmony Mobile Administrator Portal. See Configuring the Harmony Mobile Administrator Portal UEM Integration Settings.

To configure MAM integration:

  1. In the Harmony Mobile Administrator Portal, go to Settings > Integrations > Microsoft Intune > Edit.

  2. In the Synchronization section, add the MAM group in both Groups and MAM Groups.

    The MAM policy is enforced on these device groups.

    Best Practice - Use separate device groups for Microsoft Intune UEM managed devices and MAM devices.

    Note - Make sure not to sync the MAM group to the Android Enterprise Groups section.