This chapter covers Mobile Device Management (MDM) and Mobile Application Management (MAM), two core technologies for securing mobile devices in enterprise environments. For the SY0-701 exam this material sits in Domain 4: Security Operations, under Objective 4.1 (given a scenario, apply common security techniques to computing resources), whose "mobile solutions" bullet names MDM together with the BYOD, COPE and CYOD deployment models; MAM is not named in the objectives but is the standard way those controls are applied on personal devices. Understanding the difference between MDM and MAM, the deployment models, and the common security policies is essential both for the exam and for day-to-day security operations. This chapter covers the mechanisms, components, and practical pitfalls of both.
Imagine a company that issues a uniform and a badge to every employee. With company-issued gear the company decides everything: what is worn, how it is maintained, and when it is taken back. That is Mobile Device Management (MDM) on a corporate-owned device: the organization controls the whole device, enforces settings, monitors it, and can wipe it outright. Now imagine employees wear their own clothes, but anyone on shift must put on a company vest that carries the logo and the access badge. The company can set rules for the vest (it must be worn, it cannot be altered, it is handed back when you leave) but has no say over the clothes underneath. That is Mobile Application Management (MAM) on a personal device: the organization manages only the corporate apps and the data inside them. The vest is the managed-app container, the clothes are the personal apps and data, and taking back the vest (a selective wipe) removes corporate data without touching the employee's own. Mechanically, MAM uses app wrapping or an SDK built into the app to create that container and enforce policies such as encryption, copy/paste restrictions, and app-level wipe, while MDM uses the operating system's management APIs to enforce passcode complexity, device encryption, feature restrictions, and a wipe of the entire device.
What is Mobile Device Management (MDM)?
Mobile Device Management (MDM) is a security solution that enables organizations to centrally manage, monitor, and secure mobile devices such as smartphones, tablets, and laptops. MDM is typically deployed in a corporate-owned, personally enabled (COPE) or company-owned (CO) model where the organization has full control over the device. The primary goal of MDM is to enforce security policies, manage device configurations, and protect corporate data.
MDM solutions work by installing a management profile (Apple platforms) or a management agent (Android, Windows) on the device. The device talks to the MDM server over HTTPS (TCP 443); the wire format is platform-specific (Apple's MDM protocol exchanges plist-encoded commands, Windows uses OMA DM/SyncML, and Android Enterprise policies reach the device through Google Play services), but in every case the server pushes policies such as passcode rules, encryption requirements, and application allow/block lists, and the device reports its compliance state back. Common MDM platforms include Microsoft Intune, Workspace ONE (originally VMware, now Omnissa), and Jamf Pro.
How MDM Works Mechanically
Enrollment: The device is enrolled into the MDM system. This can be done via a user self-service portal, a corporate provisioning process, or through Apple Business Manager (ABM) or Android Enterprise. During enrollment, a management profile is installed that grants the MDM server privileges to configure device settings.
Policy Push: The administrator defines policies on the MDM console. Policies are pushed to the device via the MDM agent. Examples include:
Requiring a passcode of at least 6 characters with alphanumeric complexity.
Enforcing full-disk encryption (e.g., FileVault on macOS, BitLocker on Windows).
Configuring VPN settings for corporate network access.
Whitelisting or blacklisting specific applications.
Disabling device features like camera, Bluetooth, or screen capture.
Compliance Monitoring: The device periodically checks in with the MDM server to report its status. If a device becomes non-compliant (e.g., passcode not set, jailbroken/rooted), the MDM can take actions such as blocking access to corporate resources, sending alerts, or remotely wiping the device.
Remote Actions: Administrators can perform remote actions such as:
Remote Lock: Locks the device to prevent unauthorized access.
Remote Wipe: Erases all data on the device, restoring it to factory settings. This is typically used for lost or stolen devices.
Selective Wipe: Removes only corporate data and applications, leaving personal data intact. This is more common in BYOD scenarios with MAM.
Key Components of MDM
MDM Server: The central management console where policies are defined. It communicates with devices via push notifications or scheduled check-ins.
Automated Device Enrollment (formerly the Device Enrollment Program, DEP): Apple's service, delivered through Apple Business Manager or Apple School Manager, for zero-touch enrollment of corporate-owned devices at first boot. Android Enterprise Zero-Touch and Windows Autopilot play the same role on their platforms.
Configuration Profile / Device Policy Controller: On Apple platforms, policies arrive as a signed XML property list (a .mobileconfig file) containing one or more payloads. Android Enterprise does not use profiles; a Device Policy Controller (DPC) app (Android Device Policy on current devices) holds device-owner or profile-owner privileges and applies the policies it receives from the MDM, which are expressed as JSON when the Android Management API is used.
Compliance Policies: Rules that define acceptable device state. For example, requiring a minimum OS version, disabling developer mode, or checking for root/jailbreak detection.
What is Mobile Application Management (MAM)?
Mobile Application Management (MAM) is a security approach that focuses on managing and securing individual applications on a mobile device, rather than the entire device. MAM is typically used in Bring Your Own Device (BYOD) environments where the organization does not have full control over the device but needs to protect corporate data within specific apps.
MAM works by creating a secure container or wrapping the application with security policies. This container isolates corporate apps and data from personal apps and data. The organization can enforce policies such as:
Requiring a PIN or biometric authentication to open the app.
Preventing copy/paste of data from corporate apps to personal apps.
Encrypting data stored by the app.
Remotely wiping corporate data from the app without affecting personal data.
How MAM Works Mechanically
App Wrapping: The organization takes a compiled line-of-business app and wraps it with a security layer. The wrapping tool repackages and re-signs the binary, injecting code that intercepts file, clipboard, and network operations and enforces policy at runtime. Commercial apps take the second route: Microsoft Outlook, for example, is not wrapped but ships with the Intune App SDK compiled in, which is the alternative of developers integrating a MAM SDK during development.
Policy Assignment: Policies are assigned to the wrapped app via an MDM or MAM server. For example, a policy might require the app to use a specific encryption algorithm (AES-256) for data at rest.
Containerization: The managed app keeps its data inside its own sandbox, encrypted with keys that the MAM layer controls, so it is logically separated from personal apps even though it lives on the same file system. Because the keys belong to the management layer, the container can be wiped (or rendered unreadable by destroying the keys) independently of the rest of the device.
Conditional Access: MAM integrates with identity providers (e.g., Microsoft Entra ID, formerly Azure AD) so that access to corporate resources depends on app and device state. For example, a conditional-launch check may require that the device is not jailbroken or rooted, that the app is at a minimum version, and that the user has completed multi-factor authentication (MFA) before corporate email is shown.
Key Components of MAM
App Wrapper: A tool that injects security code into an existing app without modifying its source code. Examples include Microsoft Intune App Wrapping Tool for iOS and Android.
MAM SDK: Software development kit that developers integrate into their apps to enable MAM features. The SDK provides APIs for policy enforcement, data encryption, and conditional launch.
Managed App Configuration: Allows administrators to configure app-specific settings (e.g., server URLs, email signatures) that are pushed to the app.
Multi-Identity Support: Some MAM solutions support multiple identities within a single app, allowing users to switch between personal and corporate accounts with different policies.
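To make the mechanics and components above concrete, here is an added Python example (not code from the page or from any MAM vendor) that models the MAM layer: a policy object whose field names loosely follow Intune's app protection policy (pinRequired, allowedOutboundDataTransferDestinations, the clipboard sharing level), a conditional-launch check, the data-transfer gate that separates managed from unmanaged apps, and a selective wipe that removes one identity's data from a multi-identity app. The apps, accounts and device state are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class AppProtectionPolicy:
    """Subset of an Intune-style app protection policy. Field names loosely follow
    the Graph resource (pinRequired, allowedOutboundDataTransferDestinations, ...)."""
    pin_required: bool = True
    outbound_transfer: str = "managedApps"   # allApps | managedApps | none
    inbound_transfer: str = "allApps"        # allApps | managedApps | none
    clipboard_sharing: str = "managedApps"   # allApps | managedApps | blocked
    block_rooted: bool = True
    min_os: tuple = (14, 0)


@dataclass
class DeviceSnapshot:
    os_version: tuple
    rooted: bool


@dataclass
class App:
    name: str
    managed: bool                            # True if wrapped or built with the MAM SDK
    pin_set: bool = False
    identities: dict = field(default_factory=dict)   # account -> list of stored items


def conditional_launch(policy, device, app):
    """Checks the MAM layer runs when a managed app opens. Returns (allowed, reasons)."""
    reasons = []
    if policy.pin_required and not app.pin_set:
        reasons.append("app PIN not set")
    if policy.block_rooted and device.rooted:
        reasons.append("device rooted/jailbroken")
    if device.os_version < policy.min_os:
        reasons.append("OS below minimum version")
    return (not reasons, reasons)


def transfer_allowed(policy, src, dst, via="share"):
    """Gate for data moving between apps: via='share' covers share sheet / open-in /
    save-as, via='clipboard' covers cut, copy and paste."""
    if not src.managed and not dst.managed:
        return True                          # personal-to-personal: outside MAM scope
    if not src.managed:                      # personal -> managed (inbound direction)
        return policy.inbound_transfer == "allApps"
    level = policy.clipboard_sharing if via == "clipboard" else policy.outbound_transfer
    if level == "allApps":
        return True
    if level == "managedApps":
        return dst.managed
    return False                             # none / blocked


def selective_wipe(app, identity):
    """Remove the corporate identity's data only; other identities in the same
    multi-identity app are left untouched. Returns the number of items removed."""
    return len(app.identities.pop(identity, []))


def demo():
    """Constructed walk-through: Outlook holding a work and a personal account."""
    policy = AppProtectionPolicy()
    device = DeviceSnapshot(os_version=(16, 2), rooted=False)
    outlook = App("Outlook", managed=True, pin_set=True, identities={
        "alice@corp.example": ["Q3-forecast.xlsx", "board-deck.pptx"],
        "alice@personal.example": ["recipes.txt"],
    })
    notes = App("Personal Notes", managed=False)
    teams = App("Teams", managed=True, pin_set=True)
    results = {
        "launch": conditional_launch(policy, device, outlook),
        "paste_to_personal": transfer_allowed(policy, outlook, notes, via="clipboard"),
        "share_to_managed": transfer_allowed(policy, outlook, teams),
        "personal_to_managed": transfer_allowed(policy, notes, outlook),
        "launch_rooted": conditional_launch(policy, DeviceSnapshot((16, 2), True), outlook),
        "wiped_items": selective_wipe(outlook, "alice@corp.example"),
    }
    results["identities_left"] = list(outlook.identities)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two things worth noticing are that the gate is asymmetric (data may flow into the container from a personal app while the reverse is blocked, which is exactly the Intune inbound/outbound split) and that the wipe is keyed on identity, not on the app, so the user's personal mailbox in the same Outlook instance survives.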
MDM vs. MAM: Deployment Models and Use Cases
Corporate-Owned Devices: MDM is the primary choice. The organization has full control, so it can enforce device-level policies like full encryption, remote wipe, and application blacklisting. MAM may be used in addition to manage specific corporate apps.
BYOD: MAM is preferred because it allows the organization to protect corporate data without invading the employee's personal space. MDM can be too intrusive for personal devices.
COPE: A hybrid approach where the organization owns the device but allows some personal use. MDM is used for device-level management, and MAM can be used for corporate apps to ensure data separation.
Security Threats Addressed by MDM/MAM
Data Leakage: MAM prevents data from being copied from corporate apps to personal apps or shared via unauthorized channels.
Lost or Stolen Devices: MDM enables remote lock and wipe to prevent unauthorized access to corporate data.
Malware: MDM can enforce an application allow list (and block list) so that only approved apps install on managed devices. MAM cannot prevent installation on a personal device, but it keeps corporate data out of unmanaged apps by restricting which apps may receive it.
Jailbreaking/Rooting: Both MDM and MAM can detect if a device has been jailbroken or rooted and take actions such as blocking access or wiping data.
Unencrypted Data: MDM can require device encryption (FileVault on macOS, BitLocker on Windows; iOS and current Android encrypt storage by default, Android with file-based encryption since version 10, so the MDM check there is that a passcode protects the keys). MAM can additionally encrypt data inside the managed app.
Real-World Examples and Commands
Microsoft Intune (MDM/MAM)
To create a device compliance policy in Intune, an administrator uses the Intune admin center or the Microsoft Graph PowerShell SDK (the older Microsoft.Graph.Intune module is deprecated, and the New-IntuneCompliancePolicy style cmdlets shown in some guides do not exist). The policy platform is selected by the @odata.type of the request body, and Graph requires at least one scheduled action for the non-compliance rule. The following creates an iOS policy that requires a six-character, non-simple passcode, locks after five minutes of inactivity, and marks jailbroken devices non-compliant:

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"
New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter @{
    "@odata.type" = "#microsoft.graph.iosCompliancePolicy"
    displayName = "iOS Passcode Policy"
    passcodeRequired = $true
    passcodeMinimumLength = 6
    passcodeBlockSimple = $true
    passcodeMinutesOfInactivityBeforeLock = 5
    securityBlockJailbrokenDevices = $true
    scheduledActionsForRule = @(@{
        ruleName = "PasswordRequired"
        scheduledActionConfigurations = @(@{ actionType = "block"; gracePeriodHours = 0 })
    })
}

To create a MAM app protection policy for Android (Graph path deviceAppManagement/androidManagedAppProtections) that blocks outbound data transfer and clipboard sharing to unmanaged apps, encrypts app data, and requires an app PIN:

Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections" -Body @{
    displayName = "Android App Protection"
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedOutboundClipboardSharingLevel = "managedApps"
    encryptAppData = $true
    pinRequired = $true
}

Jamf Pro (MDM for Apple devices)
Jamf Pro uses configuration profiles. A typical iOS configuration profile for passcode policy is a .mobileconfig file like:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadIdentifier</key>
    <string>com.jamf.passcode</string>
    <key>PayloadUUID</key>
    <string>...</string>
    <key>PayloadDisplayName</key>
    <string>Passcode Policy</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.mobiledevice.passwordpolicy</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadIdentifier</key>
            <string>com.jamf.passcode.1</string>
            <key>PayloadUUID</key>
            <string>...</string>
            <key>PayloadDisplayName</key>
            <string>Passcode Policy</string>
            <key>allowSimple</key>
            <false/>
            <key>forcePIN</key>
            <true/>
            <key>maxFailedAttempts</key>
            <integer>10</integer>
            <key>maxInactivity</key>
            <integer>5</integer>
            <key>minLength</key>
            <integer>6</integer>
        </dict>
    </array>
</dict>
</plist>

Note the two-level structure: the outer dictionary (PayloadType Configuration) is the profile envelope and each inner dictionary is one payload; both levels need their own PayloadIdentifier and PayloadUUID, and a profile missing the envelope keys is rejected at install time. On iOS, exceeding maxFailedAttempts erases the device, so the value should match the organization's lost-device policy.

Android Enterprise
Android Enterprise uses a Device Policy Controller (DPC) app that holds device-owner (fully managed device) or profile-owner (work profile) privileges. Policies are defined in the MDM console, or directly as a JSON Policy resource through the Android Management API, and the DPC applies them with the DevicePolicyManager API. Storage encryption is mandatory on Android Enterprise devices, so the typical controls are passcode quality, work-profile restrictions, and which apps are force-installed or blocked.
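The same passcode policy, generated and checked programmatically, as an added Python example (not from the page, Jamf, Apple or Google). build_ios_profile emits a profile like the one above using plistlib, build_android_policy expresses the equivalent rules as an Android Management API Policy document, and lint_ios_profile catches the common mistakes (missing envelope keys, allowSimple left at its permissive default, a short minLength, no failed-attempt limit) before a profile is uploaded. The iOS keys are Apple's documented com.apple.mobiledevice.passwordpolicy keys; the Android field names are taken from the Android Management API as I know it and should be checked against the current reference; the organization identifiers are placeholders.

```python
import json
import plistlib
import uuid

IOS_PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"


def build_ios_profile(min_length=6, max_failed=10, max_inactivity=5,
                      allow_simple=False, org="com.example.mdm"):
    """Return the profile as XML plist bytes: an envelope dict holding one payload dict.
    org is a placeholder reverse-DNS identifier; UUIDs are generated per profile."""
    payload = {
        "PayloadType": IOS_PASSCODE_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode Policy",
        "forcePIN": True,
        "allowSimple": allow_simple,            # False rejects 1111 / 1234 style codes
        "minLength": min_length,
        "maxFailedAttempts": max_failed,        # iOS erases the device when exceeded
        "maxInactivity": max_inactivity,        # minutes before auto-lock
    }
    envelope = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode Policy",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(envelope)


def build_android_policy(min_length=6, max_failed=10):
    """Equivalent settings as an Android Management API Policy (JSON-serialisable dict).
    Field names follow the passwordPolicies resource; verify against current docs."""
    return {
        "passwordPolicies": [{
            "passwordScope": "SCOPE_DEVICE",
            "passwordQuality": "ALPHANUMERIC",
            "passwordMinimumLength": min_length,
            "maximumFailedPasswordsForWipe": max_failed,
        }]
    }


def lint_ios_profile(profile_bytes, min_length=6):
    """Return a list of findings; an empty list means the profile meets the baseline."""
    findings = []
    prof = plistlib.loads(profile_bytes)
    if prof.get("PayloadType") != "Configuration":
        findings.append("envelope PayloadType must be Configuration")
    for key in ("PayloadIdentifier", "PayloadUUID"):
        if not prof.get(key):
            findings.append(f"envelope missing {key}")
    payloads = [p for p in prof.get("PayloadContent", [])
                if p.get("PayloadType") == IOS_PASSCODE_PAYLOAD]
    if not payloads:
        findings.append("no passcode payload")
        return findings
    pp = payloads[0]
    if not pp.get("forcePIN"):
        findings.append("forcePIN is not true")
    if pp.get("allowSimple", True):             # Apple's default for this key is true
        findings.append("allowSimple permits simple passcodes such as 1111")
    if pp.get("minLength", 0) < min_length:
        findings.append(f"minLength below {min_length}")
    if not pp.get("maxFailedAttempts"):
        findings.append("no wipe after repeated failed attempts")
    return findings


if __name__ == "__main__":
    profile = build_ios_profile()
    print(profile.decode())
    print("iOS findings:", lint_ios_profile(profile))
    print(json.dumps(build_android_policy(), indent=2))
```

Running the lint against profiles exported from the console (Jamf lets you download them) is a cheap way to catch a payload that someone edited by hand, which is how a six-digit requirement quietly becomes a four-digit one.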
Standards and Protocols
Apple Push Notification service (APNs): The MDM server does not push commands to the device directly. It sends a wake-up through APNs, authenticated with an MDM push certificate, and the device then connects to the MDM server over HTTPS to fetch its command queue. Devices hold a TLS connection to APNs on TCP 5223, falling back to 443 where 5223 is blocked; this is why a network that filters 5223 makes devices appear slow to receive commands.
Firebase Cloud Messaging (FCM): The Android equivalent; its predecessor, Google Cloud Messaging (GCM), was shut down in 2019. Devices managed through the Android Management API receive policy updates via Google Play services.
OMA DM (Open Mobile Alliance Device Management): A standard device-management protocol that carries SyncML (XML) messages over HTTPS. It is the protocol behind Windows MDM enrollment and management and was used by many earlier mobile MDM agents.
SCEP (Simple Certificate Enrollment Protocol): Used to issue device and user certificates during enrollment so the device can authenticate to the MDM server, Wi-Fi, and VPN with a certificate rather than a password. Its weak point is the enrollment challenge, a shared secret, so deployments should use one-time challenges issued per device.
Exam-Specific Details
For SY0-701, know that:
MDM manages the entire device; MAM manages only apps.
MDM is for corporate-owned; MAM is for BYOD.
Common MDM policies: passcode, encryption, remote wipe, application whitelist/blacklist.
Common MAM policies: app PIN, data encryption, copy/paste restrictions, selective wipe.
Key acronyms: BYOD, COPE, and CYOD (Choose Your Own Device) are the three deployment models named in the objectives; "CO" (corporate-owned, no personal use) appears in some study material but not in the objectives themselves.
Understand that MAM can be used without MDM, but often they are used together.
Know that containerization and app wrapping are MAM techniques.
Be aware that MDM can detect jailbroken/rooted devices and take action.
Enroll Device into MDM
The first step in implementing MDM is enrolling the device. For corporate-owned devices, enrollment can be automated using Apple Business Manager (ABM) or Android Enterprise Zero-Touch. For user-owned devices, the user typically installs a management profile or an MDM agent app. During enrollment, the device registers with the MDM server and receives a unique device ID. The server may also install a certificate for future authentication. The enrollment process should be logged in the MDM console, showing the device model, OS version, and enrollment date. A common mistake is not using automated enrollment, leading to manual errors and unmanaged devices.
Define and Push Policies
After enrollment, the administrator defines security policies based on organizational requirements. Policies are created in the MDM console and pushed to devices. For example, a passcode policy might require a 6-digit PIN and device lock after 5 minutes of inactivity. The policy is sent as a configuration profile (iOS) or via the DPC (Android). The device applies the policy and reports compliance. Logs show the policy assignment and any failures (e.g., device unable to enforce encryption due to hardware limitations). A common mistake is setting overly restrictive policies that reduce user productivity, leading to shadow IT.
Monitor Compliance
Devices periodically check in with the MDM server to report their compliance status. The server compares the device's state against the defined policies. For example, if a device has a jailbreak detected, it becomes non-compliant. The MDM can trigger automated actions like sending an alert to the admin, blocking access to corporate resources (via conditional access), or initiating a remote wipe. Compliance reports are generated, showing the status of all devices. A common mistake is not setting up compliance alerts, so violations go unnoticed until an incident occurs.
Perform Remote Actions
When a device is lost, stolen, or non-compliant, administrators can perform remote actions. For lost devices, remote lock prevents access, and remote wipe erases all data. For BYOD, selective wipe removes only corporate apps and data. The action is initiated from the MDM console and sent via push notification. The device executes the command and sends an acknowledgment. Logs record the action, including the time and the user who initiated it. A common mistake is performing a full wipe on a BYOD device, erasing the user's personal data, which may lead to legal issues.
Implement MAM for BYOD
For BYOD devices, MAM is implemented to manage corporate apps without controlling the entire device. The organization deploys wrapped versions of apps or uses MAM-enabled apps (e.g., Microsoft Outlook with Intune MAM). Policies are assigned to these apps, such as requiring a PIN to open the app, encrypting data, and preventing copy/paste to personal apps. The MAM server communicates with the apps to enforce policies. Logs show app usage and policy violations. A common mistake is assuming MAM alone provides device-level security, such as detecting jailbreaks, which requires MDM.
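The enrollment-to-response loop described in the five steps above (and in the earlier MDM mechanics section), as an added Python model that is not code from the page or from any MDM product: devices are enrolled with their ownership recorded, check-ins are evaluated against a policy, the automated response is derived from the violations, a scheduled sweep catches devices that stopped reporting, and the lost-device path locks first and only issues a full wipe to corporate-owned hardware. Device records, policy values and check-in payloads are all constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class DevicePolicy:
    min_passcode_length: int = 6
    require_encryption: bool = True
    min_os: dict = field(default_factory=lambda: {"ios": (16, 0), "android": (12, 0)})
    block_jailbroken: bool = True
    max_checkin_age_hours: int = 24          # a device that stops reporting is non-compliant


@dataclass
class Device:
    device_id: str
    platform: str                            # "ios" or "android"
    ownership: str                           # "corporate" or "byod"
    enrolled_at: datetime
    last_checkin: Optional[datetime] = None
    state: dict = field(default_factory=dict)


class MdmServer:
    def __init__(self, policy):
        self.policy = policy
        self.devices = {}
        self.audit = []                      # one record per event: what an analyst reviews later

    def _log(self, device_id, event, detail=""):
        self.audit.append({"device": device_id, "event": event, "detail": detail})

    def enroll(self, device):
        """Enrollment registers the device record; the policy applies from here on."""
        self.devices[device.device_id] = device
        self._log(device.device_id, "enrolled", f"{device.platform}/{device.ownership}")

    def checkin(self, device_id, state, now):
        """The device reports its state; the server evaluates it immediately."""
        d = self.devices[device_id]
        d.state, d.last_checkin = state, now
        self._log(device_id, "checkin")
        return self.evaluate(d, now)

    def evaluate(self, d, now):
        p, s, violations = self.policy, d.state, []
        if s.get("passcode_length", 0) < p.min_passcode_length:
            violations.append("passcode")
        if p.require_encryption and not s.get("encrypted", False):
            violations.append("encryption")
        if tuple(s.get("os_version", (0,))) < p.min_os[d.platform]:
            violations.append("os_version")
        if p.block_jailbroken and s.get("jailbroken", False):
            violations.append("jailbroken")
        if d.last_checkin and now - d.last_checkin > timedelta(hours=p.max_checkin_age_hours):
            violations.append("stale")
        actions = self.respond(d, violations)
        self._log(d.device_id, "compliance", f"{violations or 'ok'} -> {actions}")
        return violations, actions

    def respond(self, d, violations):
        """Automated response. A full wipe is never automated and never used on BYOD;
        corporate data on a BYOD device is removed with a selective wipe instead."""
        if not violations:
            return []
        actions = ["block"]                  # conditional access denies corporate resources
        if "jailbroken" in violations:
            actions.append("alert")
            actions.append("selective_wipe" if d.ownership == "byod" else "lock")
        return actions

    def sweep(self, now):
        """Scheduled pass over all devices to catch the ones that stopped checking in."""
        return {did: self.evaluate(d, now)[0] for did, d in self.devices.items()}

    def lost_device(self, device_id, initiated_by):
        """Manual lost/stolen handling: lock first, then wipe. A BYOD device gets a
        selective wipe because a full wipe would destroy the user's personal data."""
        d = self.devices[device_id]
        actions = ["lock", "wipe" if d.ownership == "corporate" else "selective_wipe"]
        for a in actions:
            self._log(device_id, a, f"initiated by {initiated_by}")
        return actions


def demo():
    """Constructed walk-through: one corporate iPad, one BYOD Android phone."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    srv = MdmServer(DevicePolicy())
    srv.enroll(Device("ipad-001", "ios", "corporate", t0))
    srv.enroll(Device("pixel-007", "android", "byod", t0))
    ipad = srv.checkin("ipad-001", {"passcode_length": 6, "encrypted": True,
                                    "os_version": (17, 4), "jailbroken": False}, t0)
    pixel = srv.checkin("pixel-007", {"passcode_length": 4, "encrypted": True,
                                      "os_version": (14, 0), "jailbroken": True}, t0)
    lost = srv.lost_device("ipad-001", "soc-analyst")
    stale = srv.sweep(t0 + timedelta(hours=30))
    return {"ipad": ipad, "pixel": pixel, "lost": lost, "stale": stale,
            "audit_events": len(srv.audit)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ownership field is the single most important piece of state here: every destructive action consults it, which is the control that prevents the "full wipe on a BYOD phone" mistake the steps above warn about. The audit list is deliberately append-only so that who initiated a wipe, and when, is always recoverable.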
Scenario 1: Lost Corporate Laptop with Sensitive Data
An employee reports their company-issued laptop lost. The SOC analyst immediately checks the MDM console (e.g., Microsoft Intune). The device last checked in 30 minutes ago from a location near the employee's last known location. The analyst initiates a remote lock and then a remote wipe. The MDM sends the wipe command via push notification. The device acknowledges the wipe and erases all data, including BitLocker-encrypted drives. The analyst confirms the wipe in the logs. A common mistake is not having a remote wipe capability enabled for all devices, or failing to test the wipe process beforehand. The correct response is to first lock the device to prevent access, then wipe after confirming it cannot be recovered.
Scenario 2: BYOD User with Compromised Personal Device
An employee uses their personal Android phone to access corporate email via Outlook. The MAM policy requires a PIN and detects that the device is rooted (via root detection). The MAM policy blocks access to corporate email and sends an alert to the SOC. The analyst reviews the alert and contacts the employee, instructing them to remove the root or use a compliant device. The analyst can also perform a selective wipe of corporate data from the Outlook app via the MAM console. A common mistake is wiping the entire device, which would delete personal data. The correct response is to use selective wipe to remove only corporate data.
Scenario 3: Insider Threat via Data Leakage
An employee attempts to copy sensitive financial data from a corporate app (e.g., Salesforce) to a personal note-taking app on their BYOD iPhone. The MAM policy has a data transfer restriction that prevents copy/paste from managed to unmanaged apps. The employee is unable to complete the action. The MAM logs record the attempted violation. The SOC receives an alert about the blocked copy attempt. The analyst investigates and finds a pattern of similar attempts, escalating to HR for insider threat investigation. A common mistake is not enabling data loss prevention (DLP) policies in MAM, allowing data leakage to go undetected.
What SY0-701 Tests on MDM/MAM
The exam focuses on understanding the differences between MDM and MAM, their use cases, and common policies. Key sub-objectives include:
Implementing MDM for corporate-owned devices.
Implementing MAM for BYOD.
Enforcing policies such as passcode, encryption, remote wipe, and application control.
Understanding containerization and app wrapping.
Knowing the acronyms: BYOD, COPE, CYOD, CO.
Common Wrong Answers and Why
MAM is a type of MDM: This is false. MAM is a separate technology that manages apps, not devices. Candidates confuse them because they often work together.
MDM cannot detect jailbroken devices: Actually, MDM can detect jailbreak/root via compliance policies. Some candidates think only MAM can do this.
Remote wipe in MAM wipes the entire device: No, MAM selective wipe removes only corporate data from managed apps.
App wrapping is only for Android: App wrapping is available for both iOS and Android.
Specific Terms and Values
BYOD: Bring Your Own Device
COPE: Corporate-Owned, Personally Enabled
CYOD: Choose Your Own Device
CO: Corporate-Owned
MDM: Mobile Device Management
MAM: Mobile Application Management
App wrapping: Injecting security code into an app
Containerization: Isolating corporate data in a secure container
Selective wipe: Removing only corporate data
Remote wipe: Erasing all data on the device
Common Trick Questions
Question: "Which technology should be used to enforce a passcode on a corporate-owned device?" Answer: MDM. But a trick might say MAM because it also enforces a PIN for apps. The key is corporate-owned implies device-level control.
Question: "An employee wants to use their personal device for work. Which technology minimizes privacy invasion?" Answer: MAM. A trick might suggest MDM with a selective wipe, but MDM still manages the device.
Question: "Which action removes only corporate data?" Answer: Selective wipe. Remote wipe removes everything.
Decision Rule for Eliminating Wrong Answers
On scenario questions, first determine if the device is corporate-owned or personal. If corporate-owned, MDM is the primary answer. If personal, MAM is preferred. For actions involving data removal, if the scenario mentions "corporate data only," choose selective wipe. If it says "all data," choose remote wipe. For policies like passcode, if it's for the device, it's MDM; if it's for an app, it's MAM.
MDM manages the entire device; MAM manages only apps.
MDM is for corporate-owned devices; MAM is for BYOD.
Common MDM policies: passcode, encryption, remote wipe, application whitelist/blacklist.
Common MAM policies: app PIN, data encryption, copy/paste restrictions, selective wipe.
App wrapping and containerization are MAM techniques.
Selective wipe removes only corporate data; remote wipe removes all data.
Key acronyms: BYOD, COPE, CYOD, CO.
MDM can detect jailbroken/rooted devices via compliance policies.
MAM can work independently of MDM.
Microsoft Intune, VMware Workspace ONE, Jamf Pro are common MDM platforms.
These come up on the exam all the time. Here's how to tell them apart.
MDM (Mobile Device Management)
Manages the entire device (OS, settings, apps).
Used for corporate-owned devices (COPE, CO).
Can enforce device-level policies like passcode, encryption, remote wipe.
Can detect jailbreak/root and block device access.
More intrusive; can view device location, installed apps, etc.
MAM (Mobile Application Management)
Manages only specific applications and their data.
Used for BYOD and personal devices.
Enforces app-level policies like app PIN, data encryption, copy/paste restrictions.
Can detect jailbreak/root within the app context.
Less intrusive; does not access personal apps or device settings.
Mistake
MAM is a subset of MDM and cannot work without MDM.
Correct
MAM can function independently without MDM. For example, Microsoft Intune MAM can be used without enrolling the device in MDM. MAM manages apps via app wrapping or SDK, whereas MDM manages the device. They can be used together but are not dependent.
Mistake
Remote wipe in MDM removes only corporate data on BYOD devices.
Correct
Remote wipe in MDM erases all data on the device, including personal data. For BYOD, selective wipe should be used to remove only corporate data. MAM also supports selective wipe at the app level.
Mistake
App wrapping modifies the source code of the application.
Correct
App wrapping does not modify source code; it injects a security layer around the app binary. This is done by repackaging the app with additional libraries. The app's functionality remains unchanged.
Mistake
MDM can enforce MAM policies.
Correct
MDM and MAM are distinct functions: MDM enforces device-level policies, MAM enforces app-level policies. Many products (Intune, Workspace ONE) ship both in one console, but the exam treats them as separate capabilities and expects you to pick the one that matches the scenario.
Mistake
Jailbreak detection is only possible with MAM.
Correct
Both MDM and MAM can detect jailbroken/rooted devices. MDM uses compliance policies to check for jailbreak indicators, while MAM uses SDK-based detection within the app. Both can block access or wipe data.
MDM (Mobile Device Management) manages the entire mobile device, enforcing policies like passcodes, encryption, and remote wipe at the device level. MAM (Mobile Application Management) manages only specific applications, enforcing policies within those apps, such as requiring a PIN to open the app or preventing copy/paste of corporate data. MDM is typically used for corporate-owned devices, while MAM is used for BYOD to minimize privacy intrusion.
Yes, MAM can function independently of MDM. For example, Microsoft Intune offers MAM without device enrollment. This allows organizations to protect corporate data in apps on personal devices without managing the entire device. However, combining MDM and MAM provides more comprehensive security.
Selective wipe removes only corporate data and applications from a device, leaving personal data intact. Remote wipe erases all data on the device, restoring it to factory settings. Selective wipe is used in BYOD scenarios to protect corporate data without affecting the user's personal information. Remote wipe is used for lost or stolen corporate-owned devices.
App wrapping is a process that injects a security layer into an existing mobile application without modifying its source code. The wrapped app can then enforce MAM policies such as requiring authentication, encrypting data, and restricting data sharing. This allows organizations to secure third-party apps or in-house apps quickly.
Common MDM policies include: requiring a device passcode (with length and complexity rules), enforcing device encryption (e.g., FileVault, BitLocker), configuring VPN settings, whitelisting or blacklisting applications, disabling device features (camera, Bluetooth), and setting maximum failed login attempts before wipe.
Containerization is a technique that isolates corporate apps and data from personal apps and data on the same device. The corporate data is stored in an encrypted container that can be managed separately. This ensures that if the device is compromised or the employee leaves, corporate data can be wiped without affecting personal data.
MDM uses compliance policies that check for indicators of jailbreaking or rooting: the presence of known files or apps (Cydia or Sileo on iOS; the su binary, Magisk or a Superuser app on Android), a writable system partition, or the ability to run unsigned code. On Android the supported source of truth is the verdict from Google's Play Integrity API (the successor to SafetyNet attestation), which agents usually combine with their own file-system checks. If a device fails, the MDM can block access to corporate resources, raise an alert, or trigger a remote wipe.
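The indicator checks described above, as an added Python example (not from the page or from any vendor's agent): a small scanner that takes a constructed device snapshot (paths that exist, mount options, installed packages and, on Android, the Play Integrity verdict labels) and returns which indicators fired. The indicator lists are well-known examples rather than a complete set; real agents use many more and obfuscate them, because jailbreak and root tools actively hide from exactly these checks.

```python
IOS_INDICATORS = {
    "/Applications/Cydia.app", "/Applications/Sileo.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/private/var/lib/apt", "/usr/sbin/sshd", "/bin/bash",
}
ANDROID_INDICATORS = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/app/Superuser.apk"}
ANDROID_ROOT_PACKAGES = {"com.topjohnwu.magisk", "eu.chainfire.supersu"}


def jailbreak_indicators(snapshot):
    """Return the list of indicators found. snapshot keys: platform, paths (existing
    paths), mounts (mountpoint -> option string), packages (installed package ids),
    integrity (Play Integrity deviceRecognitionVerdict labels, Android only)."""
    hits = []
    paths = set(snapshot.get("paths", ()))
    mounts = snapshot.get("mounts", {})
    if snapshot["platform"] == "ios":
        hits += sorted(f"file:{p}" for p in paths & IOS_INDICATORS)
        if "rw" in mounts.get("/", "").split(","):
            hits.append("mount:/ is writable")      # stock iOS keeps the system volume read-only
    else:
        hits += sorted(f"file:{p}" for p in paths & ANDROID_INDICATORS)
        hits += sorted(f"package:{p}" for p in set(snapshot.get("packages", ())) & ANDROID_ROOT_PACKAGES)
        if "rw" in mounts.get("/system", "").split(","):
            hits.append("mount:/system is writable")
        verdict = snapshot.get("integrity")
        if verdict is not None and "MEETS_DEVICE_INTEGRITY" not in verdict:
            hits.append("integrity:device verdict not met")
    return hits


def is_compromised(snapshot):
    return bool(jailbreak_indicators(snapshot))


# Constructed snapshots, not captured from real devices.
CLEAN_IPHONE = {"platform": "ios", "paths": {"/Applications/MobileSafari.app"},
                "mounts": {"/": "ro,nosuid"}}
JAILBROKEN_IPHONE = {"platform": "ios",
                     "paths": {"/Applications/Sileo.app", "/usr/sbin/sshd"},
                     "mounts": {"/": "rw,relatime"}}
CLEAN_PIXEL = {"platform": "android", "paths": {"/system/bin/sh"},
               "mounts": {"/system": "ro,relatime"}, "packages": {"com.android.chrome"},
               "integrity": ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"]}
ROOTED_PIXEL = {"platform": "android", "paths": {"/system/xbin/su"},
                "mounts": {"/system": "rw,relatime"}, "packages": {"com.topjohnwu.magisk"},
                "integrity": ["MEETS_BASIC_INTEGRITY"]}

if __name__ == "__main__":
    for name, snap in [("clean iPhone", CLEAN_IPHONE), ("jailbroken iPhone", JAILBROKEN_IPHONE),
                       ("clean Pixel", CLEAN_PIXEL), ("rooted Pixel", ROOTED_PIXEL)]:
        print(f"{name}: {jailbreak_indicators(snap)}")
```

Treat a non-empty result as a trigger for the compliance action the policy defines, not as proof: file-name checks produce both false negatives (tools that hide their paths) and occasional false positives, which is why the attestation-backed verdict is weighted more heavily than any single path hit.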