This article is written to give you more information and resources to help you choose the right options for configuring the MDM and MAM user scopes to suit your business needs.
This is Part 7a of a 13 part series.
=====================================================================
Welcome to part 7a of my thirteen part series of tutorials taking you step by step on how to configure Microsoft Endpoint Manager / Intune, from initial DNS config up to Autopilot and application deployment. This series gives you all the knowledge you need for you to successfully deploy a basic Intune / Endpoint Manager environment.
Initial Tenant and Intune Configuration
1. Configure DNS and CNAME - Link
2. Company Branding - Self Service Password Reset (SSPR) - Enable Enterprise State Roaming - Link
3. Enable Conditional Access and MFA (Multi factor authentication) - Link
4. Configure Conditional Access Terms of Use - Link
5. Company Terms and Conditions - Link
6. User and Device Groups, and Device Categories - Link
7. Set-up Autopilot profile and configure MAM and MDM scope for automatic enrollment - Link
7a. More information regarding options for configuring the MDM and MAM user scopes - Link - This Tutorial
8. Enrollment Status Page - Link
9. Enrollment Restrictions - Link
10. Deploying Microsoft 365 apps (Office apps) - Link
11. Enable Microsoft Store for Business and publish the Company Portal app - Link
12. Assign Company Portal app - Link
13. Test autopilot via register online - Link
If you don't have a test environment for Intune / Endpoint Manager, just follow this guide on
How to get a Free Developer Tenant with 25 x E5 licenses and a free Top Level domain name - Link
==================================================================
Summary -
To ensure that both corporate devices and BYOD devices are protecting corporate data, configure the MAM and MDM user scopes to target either
All - All
or
Some - Some (ensuring the same groups are targeted)
BYOD and Windows Information Protection
The best option for implementing WIP is to configure as below -
The same user groups are targeted in BOTH the MDM scope and the MAM scope
The same user groups are targeted in BOTH WIP with Enrollment and WIP without Enrollment
More information is in this article
Configuring Intune MDM User Scope and MAM User Scope for Windows 10 - Link
BYOD management by MDM (not MAM)
If your intent is to enable automatic enrollment for Windows BYOD devices to an MDM: configure the MDM user scope to All (or Some, and specify a group) and configure the MAM user scope to None (or Some, and specify a group – ensuring that users are not members of a group targeted by both MDM and MAM user scopes).
=======================================================================
More information and resources -
MDM -
Use MDM auto-enrollment to manage enterprise data on your employees' Windows devices. MDM auto-enrollment will be configured for AAD joined devices and BYOD scenarios.
MAM - (Used only for BYOD)
Use MAM auto-enrollment to manage enterprise data on your employees' Windows devices. MAM auto-enrollment will be configured for BYOD scenarios only.
Restrictions -
You can restrict automatic enrollment to specific groups so that your rollout is controlled and staggered.
This would be ideal if you want to restrict enrollment to DEM - Device Enrollment Managers. - Link
MDM Scope - Link -
MDM scope must be set to an Azure AD group that contains user objects -
For corporate devices
The MDM user scope takes precedence if both the MDM and MAM user scopes are enabled. The device will get automatically enrolled in the configured MDM.
Windows BYOD devices -
For Windows BYOD devices, the MAM user scope takes precedence if both the MAM user scope and the MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will not be MDM enrolled, and Windows Information Protection (WIP) policies will be applied if you have configured them.
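The precedence rules above and the Summary's three configurations (All - All, Some - Some with matching groups, and MDM-only for BYOD with no MAM overlap) are easy to get wrong when the scopes are set to "Some" and the groups drift apart. The script below is an added example, not code from this article or from Microsoft: it models those rules so you can predict what a given user on a corporate or BYOD device will get, and flags scope configurations that do not match the intent. The two policy dictionaries are constructed and assumed to resemble the Microsoft Graph mobilityManagementPolicy shape (appliesTo of none / all / selected plus an includedGroups list); the group ids and display names are placeholders.

```python
"""Worked model of the Intune MDM / MAM user-scope precedence rules.

Added example, not the article's or Microsoft's code. The policy dictionaries
are constructed to resemble the Graph mobilityManagementPolicy resource
(appliesTo: "none" | "all" | "selected", includedGroups: list of groups);
every id and name below is a placeholder.
"""

# Constructed sample: both scopes set to "Some", targeting the same group
# (the "Some - Some" configuration recommended in the Summary).
MDM_POLICY = {
    "displayName": "Microsoft Intune",  # placeholder
    "appliesTo": "selected",
    "includedGroups": [{"id": "grp-corp-users"}],
}
MAM_POLICY = {
    "displayName": "Microsoft Intune",  # placeholder
    "appliesTo": "selected",
    "includedGroups": [{"id": "grp-corp-users"}],
}


def included_ids(policy):
    """Group ids the policy targets; empty unless appliesTo is 'selected'."""
    if policy["appliesTo"] != "selected":
        return set()
    return {g["id"] for g in policy["includedGroups"]}


def in_scope(policy, user_groups):
    """True if a user who belongs to user_groups falls within this scope."""
    mode = policy["appliesTo"]
    if mode == "all":
        return True
    if mode == "none":
        return False
    if mode == "selected":
        return bool(included_ids(policy) & set(user_groups))
    raise ValueError(f"unknown appliesTo value: {mode!r}")


def enrollment_outcome(mdm, mam, user_groups, device_type):
    """Apply the precedence rules from the article.

    device_type: "corporate" (Azure AD joined) or "byod" (Azure AD registered).
    Returns "mdm" (auto-enrolled in MDM), "mam-wip" (not MDM enrolled, WIP
    policies apply) or "none" (no automatic enrollment).
    """
    mdm_hit = in_scope(mdm, user_groups)
    mam_hit = in_scope(mam, user_groups)
    if device_type == "corporate":
        # Corporate devices: the MDM user scope takes precedence; the MAM
        # scope is used only for BYOD, so it never enrolls a corporate device.
        return "mdm" if mdm_hit else "none"
    if device_type == "byod":
        # BYOD: when both scopes apply, the MAM user scope wins and the
        # device is not MDM enrolled.
        if mam_hit:
            return "mam-wip"
        return "mdm" if mdm_hit else "none"
    raise ValueError(f"unknown device type: {device_type!r}")


def scope_findings(mdm, mam, intent):
    """Check a scope configuration against one of the article's intents.

    "wip":      protect BYOD with MAM/WIP -> All - All or matching Some - Some
    "byod-mdm": auto-enroll BYOD into MDM -> MAM scope must not overlap MDM
    Returns a list of findings; an empty list means the config matches.
    """
    findings = []
    mdm_mode, mam_mode = mdm["appliesTo"], mam["appliesTo"]
    mdm_groups, mam_groups = included_ids(mdm), included_ids(mam)
    if intent == "wip":
        if mdm_mode == "all" and mam_mode == "all":
            return findings
        if mdm_mode == "selected" and mam_mode == "selected":
            if mdm_groups != mam_groups:
                findings.append(
                    "Some - Some but groups differ: only in MDM "
                    f"{sorted(mdm_groups - mam_groups)}, only in MAM "
                    f"{sorted(mam_groups - mdm_groups)}")
            return findings
        findings.append(f"MDM scope {mdm_mode} / MAM scope {mam_mode}: "
                        "expected All - All or Some - Some")
    elif intent == "byod-mdm":
        if mdm_mode == "none":
            findings.append("MDM scope is None: BYOD devices will not auto-enroll")
        if mam_mode == "all":
            findings.append("MAM scope is All: MAM takes precedence for every BYOD user")
        elif mam_mode == "selected" and mdm_mode != "none":
            # With MDM = All every MAM group member overlaps; with MDM = Some
            # only members of groups present in both scopes do.
            overlap = mam_groups if mdm_mode == "all" else mam_groups & mdm_groups
            if overlap:
                findings.append(f"groups in both scopes {sorted(overlap)}: those "
                                "users get MAM/WIP instead of MDM enrollment")
    else:
        raise ValueError(f"unknown intent: {intent!r}")
    return findings


if __name__ == "__main__":
    for groups, dev in ((["grp-corp-users"], "corporate"),
                        (["grp-corp-users"], "byod"), (["grp-other"], "byod")):
        print(dev, groups, "->", enrollment_outcome(MDM_POLICY, MAM_POLICY, groups, dev))
    print("wip findings:", scope_findings(MDM_POLICY, MAM_POLICY, "wip"))
```

Run it as-is to see the sample user land in MDM on a corporate device and in MAM/WIP on a BYOD device; swap the constructed dictionaries for the values you read back from your own tenant to audit a real configuration before you roll the scopes out to a wider group.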
Enrollment Methods Explained - Link
Resources -
Configuring Intune MDM User Scope and MAM User Scope for Windows 10 - Link
Windows 10 enrollment methods - Link
Intune Guide Post 3 – Configure MDM Authority User Scope MAM User Scope - Link
Intune MAM vs MDM: What's the Difference? - YouTube - Link
Docs - Link
Intune.Training - Microsoft Intune and Autopilot Quick Start Guide - YouTube - Link -
===============================================================
Check out all my tutorials - Link
Highlights include -
13 part series on how to perform the initial Tenant and Intune Configuration - Link
1. Configure DNS and CNAME
2. Company Branding - Self Service Password Reset (SSPR) - Enable Enterprise State Roaming
3. Enable Conditional Access and MFA (Multi factor authentication)
4. Configure Conditional Access Terms of Use
5. Company Terms and Conditions
6. User and Device Groups, and Device Categories
7. Set-up Autopilot profile and configure MAM and MDM scope for automatic enrollment
7a. More information regarding options for configuring the MDM and MAM user scopes
8. Enrollment Status Page
9. Enrollment Restrictions
10. Deploying Microsoft 365 apps (Office apps)
11. Enable Microsoft Store for Business and publish the Company Portal app
12. Assign Company Portal app
13. Test autopilot via register online
===============================================================
About the author -
Terry Munro is an IT specialist based in Brisbane, Australia.
He draws upon over 20 years' experience designing and delivering technical solutions to a variety of enterprise clients in the private, government and education sectors, to revolutionise client businesses through collaboration and getting the most value from a variety of cloud solutions.
He is passionate about learning new technologies and is a firm believer in sharing knowledge to provide a better experience for all.
You can connect with Terry
LinkedIn - https://www.linkedin.com/in/terry-munro/
Facebook - @IntuneAdmin - https://www.facebook.com/IntuneAdmin/
Facebook Community Group - https://www.facebook.com/groups/intuneadmin/
GitHub Repository - https://github.com/TeamTerry