Mobile Application Management (MAM) & Mobile Threat Defense (MTD) Integration

This section is relevant if you use Microsoft Intune Mobile Application Management (MAM) to manage the use of mobile applications in your organization. For more information, see Microsoft Intune App Management.

When you integrate MAM with Harmony Mobile:

Applying the Mobile Application Management (MAM) Policy

00:00: Microsoft Intune Mobile Application Management or MAM allows organizations to force users to install the Harmony Mobile Protect app before accessing corporate apps or resources, such as Microsoft Teams, on their mobile devices. This video demonstrates how to configure a MAM policy for an iOS device in the Microsoft Intune Admin Center. As a prerequisite, ensure users and devices are already configured in the Microsoft Intune Admin Center.

00:28: Access the Microsoft Intune admin center. To enable the Mobile Threat Defense Connector for Harmony Mobile, go to Tenant administration and then click Connectors and tokens.

00:39: Go to Mobile Threat Defense and click Create. From the list, select Check Point Harmony Mobile.

00:45: Set the values for Compliance policy evaluation and App protection policy evaluation as shown.

00:51: Now, to add a conditional policy for your device, go to Devices and then Conditional access.

00:57: Click Policies and then Create new policy.

01:00: Enter a name for your policy.

01:03: Under Users or agents, click users and agents selected. Under Include, select Users and groups. Search and select your Security Group and then click Select.

01:12: Under Conditions, click Conditions selected. Under Device platforms, click Not configured. In the Device platforms window, select Android and iOS and click Done.

01:22: Under Client apps, click Not configured. In the Client apps window, enable the client apps as shown and click Done.

01:29: Under Grant, click controls selected. In the Grant window, select Require app protection policy and the option for multiple controls. Then, click Select.

01:38: Turn on Enable policy and then click Create.

01:41: To create an App protection policy, go to Apps, Protection and click Create. Then, select the platform.

01:48: In the Basics tab, enter the policy name and click Next.

01:52: In the Apps tab, select the apps for which you want to enforce the MAM policy and click Next.

01:58: In the Data protection tab, enter the values as shown and click Next.

02:02: In the Access requirements tab, enter the values as shown and click Next.

02:07: In the Conditional launch tab, under Device conditions, set the Max allowed mobile threat level and click Next.

02:14: In the Assignments tab, click Add Groups, select your Security Group and click Select. After that, click Next.

02:20: Review the policy details and click Create. MAM enforces the App protection policy on your device group.

02:27: Thank you for watching the video.

Note - To manage the mobile applications, it is mandatory to enforce the MAM policy on the end-user device.

  1. Configure the MTD connector in Microsoft Intune. See Enabling the MTD Connector in Microsoft Intune Portal.

  2. In the Microsoft Intune Admin Center, go to Tenant administration > Connectors and tokens.

  3. Go to Mobile Threat Defense and click Create.

  4. In the MTD Connector section, click Check Point Harmony Mobile.

  5. Configure the Compliance policy evaluation and App protection policy evaluation settings for Android and iOS devices as shown in this screen.

  6. Go to Devices > Manage devices > Conditional access > Policies.

  7. Click New policy.

    1. Enter Name as Mobile Threat Defense policy.

    2. In the Users or agents section, search and assign the MTD policy to your group.

    3. In Conditions:

      1. For Device platforms, click Not configured.

        In the Device platforms window, select Android and iOS and click Done.

      2. For Client apps, click Not configured.

        In the Client apps window, enable the client apps as shown below and click Done.

    4. In the Grant section, click controls selected and select these:

      1. Require app protection policy

      2. For multiple controls - Require one of the selected controls

      3. Click Select.



    5. Turn on Enable policy and click Create.

  8. Go to Apps > Protection > Create and select the platform.

    1. In the Basics tab, enter a name for your app protection policy.

    2. Click Next.

    3. In the Apps tab, select the apps on which you want to enforce the MAM policy.

    4. Go to Conditional launch tab > Device conditions and add the Max allowed mobile threat level setting.

      The system blocks access to the selected apps if Harmony Mobile detects a device threat above the Max allowed mobile threat level.

    5. In the Assignments tab, under Included groups, click Add groups.

    6. Search and select your security group.

    7. Click Next.

    8. Review and create the policy.

      MAM enforces the App protection policy on your device group.
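
One way to verify the Conditional Access policy from step 7 after it is created, as an added example that is not Check Point or Microsoft code: it audits a policy exported as JSON in the Microsoft Graph conditionalAccessPolicy shape, where `compliantApplication` is the Require app protection policy control. The sample policy, the group ID and the `All` resource target are constructed placeholders.

```python
import json

# Constructed sample in the shape of a Microsoft Graph conditionalAccessPolicy.
# The group ID and the "All" resource target are placeholders, not values from this page.
SAMPLE_POLICY = json.loads("""{
  "displayName": "Mobile Threat Defense policy",
  "state": "enabled",
  "conditions": {
    "users": {"includeGroups": ["00000000-0000-0000-0000-000000000001"]},
    "applications": {"includeApplications": ["All"]},
    "platforms": {"includePlatforms": ["android", "iOS"]}
  },
  "grantControls": {"operator": "OR", "builtInControls": ["compliantApplication"]}
}""")
MAM_GROUP = "00000000-0000-0000-0000-000000000001"  # placeholder object ID


def audit_policy(policy, mam_group_id):
    """Return findings; an empty list means the policy matches step 7."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    grant = policy.get("grantControls") or {}
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}, so the policy is not enforced")
    plat = cond.get("platforms")  # absent/None: the policy applies to every platform
    if plat:
        included = {p.lower() for p in plat.get("includePlatforms") or []}
        excluded = {p.lower() for p in plat.get("excludePlatforms") or []}
        for needed in ("android", "ios"):
            if needed in excluded or not ({needed, "all"} & included):
                findings.append(f"device platform {needed} is not covered")
    in_scope = (mam_group_id in (users.get("includeGroups") or [])
                or "All" in (users.get("includeUsers") or []))
    if not in_scope:
        findings.append("MAM security group is not in scope")
    if mam_group_id in (users.get("excludeGroups") or []):
        findings.append("MAM security group is explicitly excluded")
    controls = grant.get("builtInControls") or []
    if "compliantApplication" not in controls:  # "Require app protection policy"
        findings.append("grant does not require an app protection policy")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        # With OR, any other selected control satisfies the grant on its own.
        others = sorted(c for c in controls if c != "compliantApplication")
        findings.append(f"OR operator lets {others} satisfy the grant without app protection")
    return findings

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY, MAM_GROUP) or "policy matches step 7")
```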

Configuring the Harmony Mobile Administrator Portal

Prerequisite

Configure Microsoft Intune integration on Harmony Mobile Administrator Portal. See Configuring the Harmony Mobile Administrator Portal UEM Integration Settings.

To configure MAM integration:

  1. In the Harmony Mobile Administrator Portal, go to Settings > Integrations > Microsoft Intune > Edit.

  2. In the Synchronization section, add the MAM group in both Groups and MAM Groups.

    The MAM policy is enforced on these device groups.

    Best Practice - Use separate device groups for Microsoft Intune UEM managed devices and MAM devices.

    Note - Make sure not to sync the MAM group to the Android Enterprise Groups section.