One of the promises of Mobile Device Management (MDM) and Mobile Application Management (MAM) is the ability to separate the user’s personal data from corporate data. This capability enhances BYOD scenarios: when a user leaves the organization or a device is retired from corporate use, a selective wipe can be performed on the device, removing only the corporate data and leaving the personal data intact.
In Intune this functionality works in conjunction with MAM. Managed mobile apps are “wrapped” so that any data that they use is stored in a secure container that can be remotely wiped by the management platform.
This month a new conditional access capability has been introduced into Windows Intune that helps achieve this segregation. Conditional access policies can now be enforced, preventing email client applications from connecting to Office 365’s Exchange Online service unless the application is a MAM-managed application. This will prevent users from accessing corporate email with an unmanaged email app.