iManage Work Mobility for Intune version 10.25.0 and later includes support for Microsoft Intune MAM (Managed App) Tunnel. This MAM Tunnel uses the MSAL SDK from Microsoft that, when enabled, intercepts all network traffic from a managed app and routes it through a secure tunnel, providing a Per-App VPN experience for iManage Work Mobility for Intune.
When configured, iManage Work Mobility for Intune automatically detects that MAM Tunnel is required based on the Intune Managed App configuration and transparently routes traffic through the tunnel. This allows organizations to:
Enforce secure, app‑level VPN access to iManage Work without requiring a full device VPN.
Dynamically switch to a tunnel‑enabled Entra App registration only for tenants that have configured MAM Tunnel.
How it works
When MAM Tunnel is configured for use with the iManage Work Mobility app:
All network traffic from iManage Work Mobility for Intune is intercepted and sent through the Microsoft Tunnel MAM gateway, providing Per‑App VPN for the app only.
The app uses Intune app configuration to detect whether MAM Tunnel is required. If the required MAM Tunnel keys are present, the app:
Computes an internal requireMAMTunnel flag as true.
Switches to a tunnel‑enabled Entra App Client ID during Intune enrollment.
Establishes the MAM Tunnel connection before the user signs in to iManage Work.
If MAM Tunnel is not configured (no Tunnel keys), the app:
Uses the existing Entra App Client ID.
Follows the current production sign-in flow without any change for users or administrators.
Does not require additional Intune or Entra configuration.
The login flow includes:
Baseline Intune sign‑in with the standard Entra App.
If MAM Tunnel is required, a one‑time re‑enrollment for the Tunnel Entra App occurs. After the tunnel is connected, the iManage Work sign‑in occurs.
Automatic re‑authentication when the MAM Tunnel token expires (approximately every 60 minutes), using Microsoft Authentication Library (MSAL) or Microsoft Authenticator.
Intune configuration requirements
MAM Tunnel support is available only when iManage Work Mobility for Intune is deployed as a Managed App (MAM). It isn't supported for Managed Device (MDM)‑only configurations.
The following standard Intune policy settings are required:
IntuneMAMUPN: {{userprincipalname}}
IntuneMAMOID: {{userid}}
web_authentication_mode:
0 (WKWebView): all authentication must occur within the app; external browsers or ASWebAuthenticationSession are not routed through the tunnel.
4 (Microsoft Edge browser): all authentication must occur within Microsoft Edge; requires Edge to be set up for a tunnel as well.
Tunnel settings in Intune app configuration:
Use Microsoft Tunnel for MAM: Yes
Connection Name: Any user‑facing string (displayed to users in the full release)
Tunnel Site: A configured Microsoft Tunnel site
When these Microsoft MAM Tunnel keys are present in Intune app configuration:
com.microsoft.tunnel.server_address
com.microsoft.tunnel.site_id
com.microsoft.tunnel.connection_name
com.microsoft.tunnel.connection_type
the app automatically treats MAM Tunnel as required and switches to the tunnel‑enabled Entra App registration. The app only enables MAM Tunnel and the tunnel‑enabled Entra App when the required Microsoft tunnel configuration keys are present in Intune.
If these keys aren't present, the app continues to use the standard sign-in flow with no change.
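The detection described above (the requireMAMTunnel flag derived from the tunnel keys, the choice of Entra App registration, and the web_authentication_mode constraint) can be checked against an app configuration policy before it is assigned. The following PowerShell is an added example for this article and is not iManage or Microsoft code; it takes the policy's settings as a hashtable (the sample below is constructed), reports which registration the app will enroll with, and flags a partially populated set of tunnel keys, which the app does not treat as a tunnel configuration. The standard Entra App Client ID is not given in this article and is left as a placeholder; the tunnel‑enabled Client ID is the one from the admin consent URL in the Entra setup section.

```powershell
# Added example, not part of the iManage or Microsoft documentation: audit the
# settings of an Intune app configuration policy for iManage Work Mobility for Intune.

$TunnelKeys = @(
    'com.microsoft.tunnel.server_address',
    'com.microsoft.tunnel.site_id',
    'com.microsoft.tunnel.connection_name',
    'com.microsoft.tunnel.connection_type'
)

# Client ID of the tunnel-enabled Entra App (taken from this article's admin consent URL).
$TunnelClientId = '16f735fd-5828-4b8f-8504-7f14659ed7a1'
# The standard Entra App Client ID is not stated in this article; placeholder only.
$StandardClientId = '<standard Entra App Client ID - PLACEHOLDER>'

function Test-WorkMobilityAppConfig {
    param([Parameter(Mandatory)][hashtable]$Settings)

    $findings = New-Object System.Collections.Generic.List[string]

    # The Intune MAM identity settings must carry the Intune tokens verbatim.
    if ($Settings['IntuneMAMUPN'] -ne '{{userprincipalname}}') {
        $findings.Add('IntuneMAMUPN must be {{userprincipalname}}')
    }
    if ($Settings['IntuneMAMOID'] -ne '{{userid}}') {
        $findings.Add('IntuneMAMOID must be {{userid}}')
    }

    # Only in-app (0, WKWebView) or Microsoft Edge (4) authentication is routed through the tunnel.
    $mode = [string]$Settings['web_authentication_mode']
    if ($mode -notin @('0', '4')) {
        $findings.Add("web_authentication_mode is '$mode'; expected 0 (WKWebView) or 4 (Microsoft Edge)")
    }

    # The app computes requireMAMTunnel from the presence of the Microsoft tunnel keys.
    $present = @($TunnelKeys | Where-Object {
        $Settings.ContainsKey($_) -and -not [string]::IsNullOrWhiteSpace([string]$Settings[$_])
    })
    $requireMAMTunnel = ($present.Count -eq $TunnelKeys.Count)

    # Some but not all tunnel keys set: the app falls back to the standard flow, which is
    # almost certainly not what the administrator intended.
    if ($present.Count -gt 0 -and -not $requireMAMTunnel) {
        $missing = $TunnelKeys | Where-Object { $_ -notin $present }
        $findings.Add("Partial tunnel configuration; missing: $($missing -join ', ')")
    }
    if ($requireMAMTunnel -and $mode -eq '4') {
        $findings.Add('Informational: mode 4 requires Microsoft Edge to be set up for the tunnel as well')
    }

    $clientId = if ($requireMAMTunnel) { $TunnelClientId } else { $StandardClientId }
    [pscustomobject]@{
        RequireMAMTunnel = $requireMAMTunnel
        EntraClientId    = $clientId
        Findings         = $findings.ToArray()
    }
}

# Constructed sample policy with placeholder values (not exported from a real tenant).
# com.microsoft.tunnel.connection_type is deliberately omitted to show the partial-config finding.
$sample = @{
    'IntuneMAMUPN'                         = '{{userprincipalname}}'
    'IntuneMAMOID'                         = '{{userid}}'
    'web_authentication_mode'              = 0
    'com.microsoft.tunnel.server_address'  = 'tunnel.example.com:443'
    'com.microsoft.tunnel.site_id'         = '00000000-0000-0000-0000-000000000000'
    'com.microsoft.tunnel.connection_name' = 'iManage Work Tunnel'
}
Test-WorkMobilityAppConfig -Settings $sample | Format-List
```

With the sample above the function reports RequireMAMTunnel as false and names the missing connection_type key; once all four keys are populated it switches the reported Client ID to the tunnel‑enabled registration, mirroring the app's behaviour.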
Entra / Microsoft Tunnel permission setup
To enable MAM Tunnel in your tenant, administrators must:
Install Microsoft Graph PowerShell.
See: https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0
Download and run the Microsoft‑provided PowerShell script for the Microsoft Tunnel Gateway service principal, as documented here:
https://learn.microsoft.com/en-us/intune/intune-service/protect/microsoft-tunnel-mam-ios#microsoft-tunnel-gateway-service-principal
(script link: https://learn.microsoft.com/en-us/intune/intune-service/protect/microsoft-tunnel-conditional-access#provision-your-tenant)
The script:
Adds the Microsoft Tunnel Gateway service principal to your tenant
App ID: 3678c9e9-9681-447a-974d-d19f668fcd88
Name: Microsoft Tunnel Gateway
Requires Graph permissions to manage app registrations and service principals. If the script fails to provision the service principal, run:
Connect-MgGraph -Scopes "Application.ReadWrite.All"
After the script completes successfully (it reports "Successfully provisioned the Service Principal for Microsoft Tunnel Gateway"), grant admin consent to the tunnel‑enabled Entra App used by iManage Work Mobility for Intune MAM Tunnel using:
https://login.microsoftonline.com/organizations/adminconsent?client_id=16f735fd-5828-4b8f-8504-7f14659ed7a1
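A post-setup check is useful here, because the two steps above (provisioning the gateway service principal, then granting admin consent) fail independently and the app gives no direct indication of which one is missing. The following PowerShell is an added example written for this article, not the Microsoft-provided script; it uses the two App IDs stated above and evaluates Graph results passed in as objects, so the function itself runs on the constructed sample at the bottom without a tenant connection. The Graph scopes in the live-usage comment are an assumption about the minimum needed for a read-only check, and the consent check assumes delegated permissions (recorded as oauth2PermissionGrant objects with ConsentType AllPrincipals).

```powershell
# Added example, not the Microsoft-provided provisioning script: verify that the
# Microsoft Tunnel Gateway service principal exists and that the tunnel-enabled
# Entra App has tenant-wide admin consent.

$TunnelGatewayAppId         = '3678c9e9-9681-447a-974d-d19f668fcd88'  # Microsoft Tunnel Gateway (from this article)
$WorkMobilityTunnelClientId = '16f735fd-5828-4b8f-8504-7f14659ed7a1'  # tunnel-enabled Entra App (from this article)

function Test-TunnelTenantSetup {
    param(
        # Service principals in the tenant (objects with AppId and Id), e.g. from Get-MgServicePrincipal.
        [Parameter(Mandatory)][object[]]$ServicePrincipals,
        # Delegated permission grants (objects with ClientId and ConsentType), e.g. from Get-MgOauth2PermissionGrant.
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Grants
    )

    $gateway = $ServicePrincipals | Where-Object AppId -eq $TunnelGatewayAppId | Select-Object -First 1
    $app     = $ServicePrincipals | Where-Object AppId -eq $WorkMobilityTunnelClientId | Select-Object -First 1

    # Tenant-wide admin consent for delegated permissions shows up as a grant whose
    # ClientId is the app's service principal object id and whose ConsentType is AllPrincipals.
    $consented = $false
    if ($app) {
        $consented = [bool]($Grants | Where-Object {
            $_.ClientId -eq $app.Id -and $_.ConsentType -eq 'AllPrincipals'
        })
    }

    [pscustomobject]@{
        TunnelGatewayProvisioned = [bool]$gateway
        TunnelAppPresent         = [bool]$app
        TunnelAppAdminConsented  = $consented
    }
}

# Live usage against a tenant (Microsoft Graph PowerShell required; the scopes are an
# assumption about the minimum needed for a read-only check):
#   Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All"
#   $sps    = @($TunnelGatewayAppId, $WorkMobilityTunnelClientId) |
#                 ForEach-Object { Get-MgServicePrincipal -Filter "appId eq '$_'" }
#   $grants = Get-MgOauth2PermissionGrant -All
#   Test-TunnelTenantSetup -ServicePrincipals $sps -Grants $grants

# Constructed stand-ins for Graph results (placeholder ids, not from a real tenant):
# the gateway is provisioned and the app's service principal exists, but admin
# consent has not been granted yet, so TunnelAppAdminConsented comes back False.
$sampleSps = @(
    [pscustomobject]@{ AppId = $TunnelGatewayAppId;         Id = 'sp-object-id-gateway-PLACEHOLDER' }
    [pscustomobject]@{ AppId = $WorkMobilityTunnelClientId; Id = 'sp-object-id-app-PLACEHOLDER' }
)
$sampleGrants = @()
Test-TunnelTenantSetup -ServicePrincipals $sampleSps -Grants $sampleGrants
```

If TunnelGatewayProvisioned is false, rerun the Microsoft script after Connect-MgGraph with Application.ReadWrite.All as described above; if only TunnelAppAdminConsented is false, the admin consent URL has not yet been completed for the tenant.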