Frequently asked questions about mobile application management without enrollment

Last update: 08-04-2016

After my blog post a couple of weeks ago, I got many questions related to mobile application management (MAM) without enrollment. That triggered me to create a quick frequently asked questions (FAQ) post. Online, MAM without enrollment is also referred to as MDM-less MAM, Azure MAM and sometimes even Intune MAM. As MDM-less MAM seems to be the most commonly used, and the shortest, I’ll use that term in this FAQ.

I’ll try to keep this FAQ as complete and up-to-date as possible. Just to be sure, I’ve added a last update date at the top of this post. That is the date on which this content was last reviewed. Also, if I’m missing an obvious question, please don’t hesitate to contact me and I will add it.

What is MDM-less MAM?

MDM-less MAM can protect company data with or without enrolling devices in a device management solution. It does this by implementing app-level policies, which can restrict access to company resources and keep data within the purview of the company.

Which platforms are supported by MDM-less MAM?

MDM-less MAM supports the following platforms:

  • iOS 8.1 and later;
  • Android 4 and later.

Which apps are supported by MDM-less MAM?

MDM-less MAM supports the following apps:

  • Microsoft Word for iOS;
  • Microsoft Excel for iOS;
  • Microsoft OneDrive for iOS and Android;
  • Microsoft OneNote for iOS;
  • Microsoft Outlook for iOS and Android;
  • Microsoft PowerPoint for iOS;
  • Microsoft Remote Desktop for iOS and Android;
  • Microsoft Managed Browser for iOS and Android.

Which scenarios are supported by MDM-less MAM?

MDM-less MAM supports the following three scenarios:

  1. Devices that are managed and enrolled in Microsoft Intune;
  2. Devices that are managed and enrolled in a third-party solution;
  3. Devices that are not managed by any solution.

Which license do I need to have to use MDM-less MAM?

MDM-less MAM requires a Microsoft Intune license assigned to the end-user. A Microsoft Intune license is also included in an EMS license.

Where can I configure MDM-less MAM?

MDM-less MAM can be configured in the Azure portal.

Does MDM-less MAM affect personal accounts?

No. The restrictions of the MDM-less MAM policies only apply when the end-user signs into a supported app using a company account.

How can I disable the “Offline interval before app data is wiped (days)” MDM-less MAM policy setting?

This specific MDM-less MAM policy setting can be disabled by configuring a value of 0.

What happens when an end-user is targeted with MDM-less MAM policies and MDM MAM policies?

The end-user will be required to enroll the device. After enrollment the MDM-less MAM policies will take precedence in the supported apps.

Why do my end-users receive the message “Your company has required that you must first enable a device PIN to access this application”?

The end-user will receive this message when there is no device PIN configured and the MDM-less MAM policy requires encryption. Without a device PIN there is no use in encrypting the device.

Where can I find the TechNet documentation?

The TechNet documentation about MDM-less MAM is available here: https://technet.microsoft.com/en-us/library/mt627825.aspx


14 thoughts on “Frequently asked questions about mobile application management without enrollment”

  1. Hi. Thanks. Nice write up! I believe you are missing Outlook from the supported apps section? Also, what would be your advice/runsheet for those wanting to move to Azure MAM, but with legacy Intune MAM (and Intune MDM) policies already deployed to users/devices?

    thanks
    John

  2. Hi John,

    Yes, you are correct. The Microsoft Outlook app for iOS and Android was just added recently. I’ve updated it now in the FAQ.

    The migration scenario depends on your exact requirements. A good thing to know is that when a user is targeted with MDM-less MAM policies and MDM MAM policies, the MDM-less MAM policies take precedence. However, when a user is targeted with both, the user will still be required to enroll its device.

    Regards,
    Peter

  3. Sadly, after going down this direction of depending on MAM in a pilot to replace our current EMM solution, we hear from support that MAM controls for apps used for on-premises Exchange, Skype, and SharePoint are “not supported”. Our prior testing shows that MAM controls with an MDM profile work fine in this configuration for iOS and Android pre-V4. Surprisingly, our testing with Android V6 shows they no longer work and that’s when we got the MS response that MAM is not supported for any apps if not used with O365. They reference the note labeled “Important” for their position that it’s not supported: https://docs.microsoft.com/en-us/intune/deploy-use/protect-app-data-using-mobile-app-management-policies-with-microsoft-intune

  4. Hi Peter

    I am having an issue where I have Outlook MAM policies configured in Azure specifically for non-enrolled BYOD devices. Every time the app is launched it prompts for the Company Portal app to be installed, which we do not want for our client. I thought that maybe some configuration policies in the Intune portal were conflicting, but any deployments of these have now been removed and the issue remains. Any ideas?

    Regards

    Iain

  5. Hi Peter

    Thanks so much for the reply and you were right. If only Microsoft knew the answers as quickly as you.

    Regards,

    Iain

  6. Also, Peter, do you know why I am able to deploy iOS managed apps to device groups from the Intune console but only to user groups when I try to deploy an app package for Android? Both are just links as far as I can see, yet device groups is not an option for Android apps. Am I missing something?

    Regards

    Iain

  7. Hi Peter

    Yes, specifically Android external links from the Play Store. It seems I can only deploy to user groups and not device groups, but for iOS device groups works. It must be the way with the Android apps.

    I have read about the Android for Work tab being added in the Intune console to give more control, but it has not appeared in my console yet.

    Regards,

    Iain

  8. Hi Peter

    I have a question specifically around the device PIN prompt referenced below

    Why do my end-users receive the message “Your company has required that you must first enable a device PIN to access this application”?

    The end-user will receive this message when there is no device PIN configured and the MDM-less MAM policy requires encryption. Without a device PIN there is no use in encrypting the device.

    My question is my test device for iOS does not have a device PIN requirement and is not enrolled either. The bit about MDM-less MAM policy requiring encryption, what do I change that to so that I am only required to set a PIN for the app (Outlook in this case)? At the moment it is set to when device is locked.

    Many Thanks

    Iain
