Mobile Application Management (MAM) uses App protection policies that ensure an organization’s data remains safe or contained in a managed app, meaning that the University protects how users can access and store University data on their personal phones and tablets.

Mobile Application Management makes it possible to manage data in an application without managing your device. Enrollment requires adding your work account (user@ua.edu) to the policy associated with your device type (iOS/Android). Once enrolled, any protected applications that use your O365 ua.edu account, like Outlook and Teams, will be protected with specific policies that protect UA data.

These policies do NOT apply to any personal accounts in Microsoft Applications. For example, these policies do not touch your personal email in your Outlook application, only your ua.edu account.

The onboarding process looks different depending on whether you have an iOS or Android device.

Upon enrollment of an Android device, you will be prompted to install the Company Portal app. Then you will be asked to create a four-digit PIN for your protected application.

Upon enrollment of an iOS device, you will be asked to create a four-digit PIN for your protected application.

For both devices, you will see a notification prompt that says, “Your IT Administration is now helping you protect work or school data in this app.”

Both Android and iOS users will also need to download Microsoft’s mobile authenticator app. Using the app, a user can sign in to their personal or work/school Microsoft account without using a password. You’ll use a fingerprint, face recognition, or a PIN for security. Download and learn more about Microsoft Authenticator here: https://www.microsoft.com/en-us/security/mobile-authenticator-app

Frequently Asked Questions

What data can my company see?

UA can only see that you have a mobile device enrolled, the device type (iPhone/Android), and the names of protected applications (Outlook/Teams).

Why do we need MAM?

To protect user privacy while maintaining the security of UA data, UA has opted to use MAM to protect UA data. UA data could be exposed in the event of theft, loss, or unauthorized access to your device. Mobile Application Management lets UA control how UA data is accessed on mobile devices. For example, you must create a PIN, which protects the UA data in protected applications (many banking apps also take this approach). MAM also enforces policies that control the way UA data is stored, for example by restricting backup of data to a personal account (such as iCloud).

My job doesn’t require special protection of data?

Everyone has information in their email that could pose a risk to the university, for example vendor information, software we use, or FERPA or HIPAA data.

App Permissions for Android Users?
The Company Portal App is required on the device for Android users to receive App Protection Policies. The Company Portal requests app permissions to allow the application to access information on your device for workflow integration and to improve the user experience. However, the permissions can be denied, and the app will still work as intended to protect UA data. For a detailed explanation of permissions and what they do, see below.

During setup, the app will ask you to grant permissions to:

1. Allow Company Portal to make and manage phone calls
2. Allow Company Portal to access your contacts
3. Allow Company Portal to access photos, media, and files on your device

This can seem invasive, since the wording appears to contradict the goal of maintaining your privacy and sounds as though your employer or Microsoft does have access to those things. However, those messages are stock messages from Google (Android) and can’t be changed to reflect the actual permission requests.

Here are the actual permissions granted when you approve those messages:

1. Allow Company Portal to make and manage phone calls

This allows you to place a call to the helpdesk from within the Company Portal app. Your Employer/IT Company/Microsoft cannot make or manage phone calls. Google and Apple control the message text, and it cannot be changed.

2. Allow Company Portal to access your contacts

This allows you to add your work account to your phone and sync the contacts that reside in Outlook. Your Employer/IT Company/Microsoft cannot access your contacts. Google and Apple control the message text, and it cannot be changed.

3. Allow Company Portal to access photos, media, and files on your device

By accepting this prompt, users allow their device to write data logs to the device’s SD card. This also enables those logs to be moved using a USB cable.

Your Employer/IT Company/Microsoft cannot access users’ photos, media, and files. The message text is controlled by Google and Apple and cannot be changed.

None of those requests need to be approved to continue installing and using the Company Portal App. You may select deny on all of them, and it will continue to function as intended.

Can UA wipe my device?
Prior to MAM, the only option UA had available to remove data was to wipe your entire device. With MAM, UA can selectively wipe only UA data from your phone.

Helpful Links for more information about MAM.
https://learn.microsoft.com/en-us/mem/intune/apps/mam-faq
https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy