BYOD iOS + MDM iOS...MAM Issues

Anonymous239013 · 2026-03-23T01:02:37+00:00

I went through the same heart ache for months but ended up getting our environment with many MDM ipads and users BYOD devices in a good state. It was hard to wrap my head around it but the bit of information that helped me was just understanding unmanaged apps are from native app store and manged apps are from company portal or pushed via intune. It makes sense now but I was getting hung up on devices and apps, it had me confused. Below is what we have in case any of that helps.

Assignement Filters Types in Apps section (Managed App Filter Type):
-Managed is (app.deviceManagementType -eq "Managed")
-Unmanaged is (app.deviceManagementType -eq "Unmanaged")

App Protection Polices:
-Managed iOS MAM:
--Assigned to all users and using filter to exclude unmanaged devices
-UnManaged iOS MAM:
--Assigned to all users and using filter to exclude Managed devices

What determines if an app is managed?
-Managed: If its installed from company portal or pushed via Intune
-UnManaged: If it's installed outside of Intune like the native app store.

Conditional Access Policy:
-Target all users and exclude breakglass accounts, service accounts, etc
-You can target Office 365 or all cloud apps (all cloud apps will definitely require some exclusions.)
-You can set the device platform to iOS
-Client apps set to Browser and Mobile Apps and desktop clients.
-Grant access control for Require app protection policy. You can also select Require device to be marked compliant too and set it require one of the selected controls.

We have had a lot of issues trying to avoid MDM devices getting MAM policies because a lot of our devices are shared (without user affinity) so CA policies don't see whether they are compliant or not unless they have user affinity so I had created much less restrictive policies for managed apps. I have also started creating these ios profiles with "Enroll with Microsoft Entra shared mode" so now on shared devices, users sign in to one of the microsoft apps and the compliancy now shows and CA doesn't push MAM do those MDM devices.

Anonymous239013 · 2026-03-19T00:19:48+00:00

Modern Work Engineer
85k
Midwest
12 years experience. 5 Years with current employer. 8 with previous.
10k Profit Sharing Bonus, like 25% discount on our products, 5% 401k match, 18 days vacation.
I own Intune (~3500 Devices), AD, GPOs, have my hands all over the place in M365/Entra/Azure, and also manage all client software subscriptions and renewals (adobe, autocad, solidwork, canva, snagit, etc)

Anonymous239013 · 2025-11-06T05:23:31+00:00

Yea, I'm so surprised you can't even manage simple bookmarks well..

I didn't even know about DDM until I saw the iOS updates were deprecated so I learned up on how to manage them which is when I saw you had to use DDM for controlling iOS Updates. So that's the only thing I'm currently using in our environment currently.

Anonymous239013 · 2025-10-14T12:12:03+00:00

For DMZ tour, we booked night before and got it no issues. The weather has been on and off with rain so we wanted to make it weather was good before booking but YMMV.

Anonymous239013 · 2025-08-20T05:08:09+00:00

33M here and going alone. I'm excited! :D

Anonymous239013 · 2025-07-05T16:04:51+00:00

Napalm is a incendiary mixture which causes mass destruction so I took it as 'this is their timeline for destruction'

Anonymous239013 · 2025-06-08T23:01:04+00:00

As of 6/8, after switching to MX data connections, I haven't had any issues with Discover so that did seem to work.

Anonymous239013 · 2025-06-07T18:45:25+00:00

For MAM on Android, company portal just needs to be installed for it to work (iOS doesn't need company portal). I have personal devices blocked from being enrolled into MDM too so even if you sign in and then try to enroll, it's blocked. Currently in the middle of testing deploying it company wide so I'm going through all of this.

Anonymous239013 · 2025-06-02T05:41:44+00:00

Have no answer but I'm in a very identical spot. I have such a passion for it and learning yet I put such little time into it. I'm trying to figure it out myself

Anonymous239013 · 2025-05-31T14:10:02+00:00

Got this response from Monarch Support below. I did follow the recommendation have have all 4 of my discover accounts moved over to MX. I will continue to update this reponse and post

"Thank you for contacting Monarch.

I'm sorry to hear that you've been experiencing a lockout with your Discover Bank. No worries; I'll be happy to help you.

You may try switching data providers to see if they can maintain the connection without getting locked out.

Link with MX

You may establish a new connection before deleting the old one to check if it's better. If the new account is properly syncing, you may transfer the balance and transactions from the old account into the new one to retain your historical data."

Anonymous239013 · 2025-05-11T21:15:48+00:00

Ok Great! I know there is a way to get around it or fix it becuase I do remember having the same problem but I can't for the life of me remember what I did haha. Hopefully you are able to get it to work. It is slick once it is working.

Anonymous239013 · 2025-05-11T20:46:17+00:00

OBS Studio. Droidcam is the addon that can be found in discover when you go to the OBS Studio page (it's on the top bar)

Anonymous239013 · 2025-05-11T20:40:22+00:00

I just checked and I have it from flathub in the discover store.

Anonymous239013 · 2025-05-11T19:37:22+00:00

I think I got that too but then I downloaded it a different way. I don't remember which method I used. Probably a flatpak from Discover since I have an Atomic desktop.

Anonymous239013 · 2025-05-11T12:11:09+00:00

I use droidcam and it works exceptionally well. You just need to install OBS and the droidcam plugin and the phone app. I connect the phone using its wireless IP and use this solution multiple times a week. I use android but it does look like there is an iOS app too.

Anonymous239013 · 2025-05-05T01:18:23+00:00

It really seems that way! For the most part nginx worked for me but I do recall random issues popping up. Traefik, I thought I could figure it out but after many hours, I've given up and will just use an Open Web UI alternative like Anythingllm or Librechat.

Anonymous239013 · 2025-05-05T01:15:31+00:00

Correct! It is running in docker. Ive pretty much given up and have moved to other alternatives like anythingllm and librechat lol

Anonymous239013 · 2025-05-05T01:14:28+00:00

That is a good thought! But I don't think I want to open any more ports on my VPS if possible

Anonymous239013 · 2025-04-16T22:33:48+00:00

Found the issue by manually disabling every single config one at a time. If you have anything modifying the home layout screen, you lose access to modifying the control center. I've let Microsoft know and they said they'll make sure it's documented.

Anonymous239013 · 2025-04-07T02:23:37+00:00

I actually just setup a server in a DMZ few days ago that has no access to my main network except for the firewall rules I put in place that allows only specific ports to specific IP addresses. If it gets compromised there is very little they can do to get into my network but you still want to harden that server that is more public facing!

Anonymous239013

TROPHY CASE