Intune Mobile Application Management Without Enrollment for BYOD Users
Microsoft Intune supports Mobile Application Management (MAM) for BYOD devices. By configuring Lookout as your Mobile Threat Defense (MTD) solution, you can control access to corporate resources without requiring users to enroll their devices in Intune MDM.
Deploying Mobile Application Management Without Enrollment enforces Lookout MTD on unmanaged personal devices without enrolling them in the Mobile Device Management platform or taking control of the device. Protected devices can access corporate applications as long as they are secure: free from malware and insecure networks, and in a posture that meets corporate and regulatory standards.
The following steps describe, at a high level, how Lookout and Intune enforce Mobile Application Management Without Enrollment:
- User attempts to access a protected application using their corporate credentials from an unmanaged device.
- User follows the prompt to download and install Microsoft Company Portal/Microsoft Authenticator as a broker app.
- User follows the prompt to register their device with Intune. This requires only a button click and does not install a management profile on the device.
- Intune identifies the device as non-compliant because Lookout is not installed.
- User follows the prompt to download and install Lookout. Lookout relies on the user’s corporate credentials to authenticate the Lookout client.
- When Lookout determines the device is secure, Lookout automatically notifies Intune, which grants the user access to the protected application.
- When Lookout detects a new threat on the device, Lookout notifies Intune, which temporarily revokes the user’s access to the protected application until the issue is resolved.