![Full Logo.png]](https://help.devicie.com/hs-fs/hubfs/Full%20Logo.png?height=30&name=Full%20Logo.png){kind=small}
Mobile Management | Enrollment Android
This guide explains the differences between MDM and MAM, what IT teams can expect when supporting them, and the types of issues end users are most likely to experience.
Next: Enrolling Android Devices with Intune
Enrolling Android Devices with Intune
Android devices can be managed through Microsoft Intune in two ways: Mobile Device Management (MDM) or Mobile Application Management (MAM). Both approaches protect company data, but they deliver very different user experiences.
This guide explains what users will see in each scenario and what IT should check to confirm the device is working as expected.
User Experience: MDM vs MAM
| MDM (Device Enrollment) | MAM (App Protection Policies) | |
|---|---|---|
| Scope | Whole device is enrolled and managed. | Only corporate apps are managed. |
| Setup | Requires installing Intune Company Portal and approving permissions. | No enrollment — protections apply once user signs into Microsoft apps. |
| Controls | Passcode, encryption, OS compliance, app deployment, work profile (on BYOD). | In-app restrictions like app PIN, copy/paste control, corporate data wipe. |
| What users notice | Prompts to grant device permissions, set passcode, enable encryption. Work apps may appear in a separate “Work” profile. | Microsoft apps ask for PIN/biometrics; data restricted inside apps; corporate data can be wiped without affecting personal apps. |
Enrollment Process – MDM
Steps users complete:
-
Install Intune Company Portal from Google Play.
-
Sign in with corporate account (MFA may be required).
-
Approve requested permissions (device admin, notifications, storage, etc.).
-
Device may create a Work profile (BYOD) or be fully managed (corporate-owned).
-
Set or update device passcode if prompted.
-
Enable encryption if required (usually automatic on modern devices).
-
Wait for corporate apps to appear in the Work profile or device home screen.
What users will see:
-
Intune app requesting multiple permissions.
-
A “Work” tab in the app drawer/Play Store for corporate apps (if using a work profile).
-
Security prompts for passcode or encryption setup.
-
Possible restrictions (blocked settings, required updates).
IT checkpoints:
-
Device shows in Intune under the user’s account.
-
Compliance status updates shortly after enrollment.
-
Corporate apps appear in Work profile (BYOD) or across device (corporate-owned).
Setup Process – MAM
Steps users complete:
-
Install required Microsoft apps (Outlook, Teams, OneDrive, etc.) from Google Play.
-
Sign in with corporate account.
-
Accept prompts for app PIN/biometric setup.
-
Use apps normally, with protections applied to corporate data.
What users will see:
-
App prompts to set a PIN or use device biometrics.
-
Work data is separated from personal data — e.g. Outlook cannot save attachments to personal storage.
-
Company data wiped from apps if access is removed, while personal data stays intact.
IT checkpoints:
-
Confirm App Protection Policy is assigned to the user.
-
Verify the user is signed into supported Microsoft apps.
-
Check Conditional Access rules if sign-in is blocked.
Common Failure Points
-
MDM:
-
User denies permissions during setup in the Company Portal.
-
Work profile creation fails due to device limitations or OS version.
-
Compliance not reporting quickly, blocking access to apps.
-
-
MAM:
-
Users confused about copy/paste or save restrictions.
-
Repeated PIN reset prompts inside apps.
-
Attempting to use native Mail/Calendar apps instead of Outlook.
-
IT Support Focus
-
For MDM, confirm device enrollment is complete, permissions are granted, and the Work profile (if BYOD) is functioning.
-
For MAM, confirm app protection policies are applied and the user is using the correct Microsoft apps.
-
Reassure users that personal apps and data are untouched — only corporate apps and data are managed or removed.