App protection experience with Intune MAM and SEP Mobile

After you have integrated Intune MAM with SEP Mobile, the devices used by the targeted group's members are evaluated for access to corporate data on targeted apps through Intune app protection.
App protection on iOS devices
Prerequisites
Download and install the following apps on your device:
  • SEP Mobile app
  • Microsoft Authenticator
  • A MAM-enabled app (Outlook)
End user experience
1. User has downloaded and installed SEP Mobile, MAM-enabled app (Outlook), and Microsoft Authenticator. Make sure user has installed SEP Mobile before opening Outlook.
2. User opens Outlook.
3. User is prompted to provide corporate credentials for Outlook.
4. User authenticates Outlook through Microsoft Authenticator.
5. User is directed to the Microsoft login page to register the device.
6. After user provides credentials, the device registration process is complete.
7. After the registration, user is redirected to Outlook.
8. User opens Outlook.
9. App protection policy is now enforced.
10. "Help us keep your device secure" page is displayed with a button to register the device. This is the device registration page. User must register the device to use SEP Mobile.
11. User clicks Open.
12. User successfully signs in to SEP Mobile app.
13. User selects the Azure AD account and proceeds with the SEP Mobile installation.
14. User completes the SEP Mobile enrollment steps.
15. User goes back to Outlook and opens the app again.
16. User can now access emails through Outlook.
Troubleshooting iOS devices
If an iOS device is evaluated as non-compliant by SEP Mobile, MAM-enabled app access will be blocked for that device.
To resolve this issue, users can use the Recheck Status button to quickly re-sync with Intune and make sure things are unblocked as soon as SEP Mobile marks the device as compliant.
The Recheck Status button is available on the screen below:
Known limitations
  • Intune checks every 30 minutes for a block request from the Intune MAM service; therefore, it can take up to 30 minutes to block a non-compliant device.
  • During this period, the MAM-enabled app will be accessible even if the device is marked as non-compliant in SEP Mobile.
  • If the MAM-enabled app access is blocked on the non-compliant iOS device and Intune has not synced yet, the user has no way to request a re-sync to unblock the app access before the regular sync schedule.
App protection on Android devices
Prerequisites
Download and install the following apps on your device:
  • SEP Mobile app
  • Company Portal
  • MAM-enabled app (Outlook)
End user experience
1. User has downloaded and installed SEP Mobile, Company Portal, and MAM-enabled app (Outlook). Make sure user has installed SEP Mobile before opening Outlook.
2. User opens Outlook and provides corporate credentials for the app.
3. User is directed to the Microsoft login page to register the device.
4. User completes the Outlook login flow.
5. Compliance is checked based on the entered credentials.
6. User provides credentials again to register the device.
7. Once user enters credentials, "Help us keep your device secure" page is displayed with a button to register the device. This is the device registration that is required to use SEP Mobile.
8. After the registration, user needs to open the app again.
9. User might have to switch back to Outlook and check for access.
10. User clicks Launch to proceed with the SEP Mobile login.
11. User completes the SEP Mobile activation flow.
12. User successfully signs in to SEP Mobile and can access emails through Outlook.
Troubleshooting Android devices
User launches Outlook, but access is blocked by policy based on the evaluated device threat level.
You can try the following:
  • Launch SEP Mobile.
  • Recheck Status
  • Remove Account
  • Close App
The Recheck option is available on the screen below.