Microsoft MAM - FAQ
We just want to answer a few of the questions we've received from associates regarding our new Microsoft Mobile Application Management (MAM) and the results of enrolling your phone. These are reasonable questions, and we hope this more detailed information will help you understand and feel comfortable with this requirement.
Why do we need MAM?
As mentioned earlier, an I.T. audit by our parent company identified mobile devices as a point of weakness in protecting R.C. Willey company data, vendor data, and (most critically) personal, private information of associates and customers. If devices become lost or stolen, or if an associate simply leaves the company, we are at risk of sensitive data being pulled from those mobile devices.
We strongly encourage everyone to take full advantage of the Microsoft tools provided to you by the Company, including Teams for communication and collaboration. The audit mentioned above means that we can no longer provide you access to these applications without the added security of MAM.
What do I need to do to continue to access my email and documents on my phone?
Enrolling your phone involves installing Microsoft applications and using them to access Microsoft 365 email and documents. Microsoft Applications have the ability to check login conditions and protect RC Willey information. The process differs slightly depending on what type of phone you have. IT will send instructions.
Have we ever done this before at RC Willey?
Yes. We used MDM when we were on Google for our email. When you set up your account on your phone, you had to install the Google Device Management App as part of the process. It allowed us to do the same things that Microsoft MAM allows us to do. We feel that the Microsoft MAM solution is a much less intrusive solution than Google was, or than Sophos would have been.
What does Microsoft MAM allow RC Willey to do?
- See phone model and OS version information
- Prevent office login unless phone and account security is in place
- Limit Microsoft 365 logins to Microsoft Apps only
- Prevent access to RC Willey data from other applications
What does Microsoft MAM NOT allow RC Willey to do?
- Install, change, or remove any application
- Force you to set a device passcode
- Locate your phone
- Factory reset or wipe your phone
- See which apps you've installed on your phone
- View or record web history, Wi-Fi, or data traffic
- View data or activity for any apps, such as personal account information
- View or copy any photos or other files from your phone
- View or record any call audio, information, or history
- View or copy texts or other instant messages
Is this a permanent thing? Can I get control of my phone back?
Keep in mind, too, that enrollment is NOT permanent. You have the ability to unenroll your phone at any time, or request that we unenroll it for you. If you unenroll your phone, you will, however, lose access to your RC Willey Microsoft 365 email and documents on that phone.
Can RC Willey really not see my personal information? I've seen or used MDM before that could do anything on a phone.
There are two modes of deployment for any MDM solution (in Microsoft terms):
- Personal (AzureAD Registered, or Conditional Access)
- Corporate-owned (Intune Enrolled)
We are using the Personal (AzureAD Registered, or Conditional Access) model at RC Willey.
The Intune Enrolled deployment model would absolutely allow us to have complete control of the device. We could do all the things on the "NOT allow" list. It allows much deeper control because we are the original owner from the very beginning, and we get all the control of a device owner. Deploying this way would require that we wipe the device and enter or scan our Microsoft code during device setup.
The Personal deployment model cannot physically do any of the items on the "NOT allow" list. Think of our MAM (personal) as checks that are performed whenever you attempt to log into your RC Willey account. Microsoft 365 (AzureAD) checks at each login that certain conditions are met, and if they are, the login is allowed. If not, access is denied. All of this happens in Microsoft 365 in the cloud, and not on your device. This is why it's called "Conditional Access."
Can RC Willey convert my personal device to corporate-owned after I enroll, and see my personal data?
We cannot convert a device from the Conditional Access to the Intune Enrolled model without physically having and wiping the device (or without you installing and logging into the proper application).
Will RC Willey track my location and wipe my phone?
No. Conditional Access does not let us do either. If you lose your phone, let us know and we will tell AzureAD to not allow login from that device anymore.
We hope this additional information is helpful. We are happy to answer any questions you may have.