Mobile application management without enrollment

At the end of last year Microsoft introduced the very nice feature of mobile application management without the requirement of device enrollment. What makes it even better is that it can also be used in combination with third-party mobile device management and it can be used in combination with Microsoft Intune mobile device management. In this blog post I’ll go through the configuration options, I’ll go through the configuration steps and I’ll go through the end-user experience.

Configuration in the Azure portal

Now let’s start with the configuration of this type mobile application management policies. The first difference, with the normal mobile application management policies, is that the configuration is done through the Azure portal. The rest of the configuration experience is also completely different. However, the configuration options are pretty similar.

Different configuration options

The mobile application management policies in the Azure portal, contain four different configuration parts. These four parts together are the targeted mobile application management policy. Let’s go through these four parts and see how they fit together.

1 iOSMAMPolicy_GenThe first configuration part is General. The General part is pretty straight forward, it has a required field for the Name of the mobile application management policy and an optional field for the Description of the mobile application management policy. This is the same or iOS and Android.

iOSMAMPolicy_UserGroupsThe second configuration part is User groups. The User groups part is normally the part that’s configured the last. It simply can’t be done earlier, as it’s basically the deployment of the mobile application management policy to the users. Every group available in the Azure AD can be selected here. This is the same for iOS and Android.

3 iOSMAMPolicy_TargetedAppsThe third configuration part is Targeted apps. The Targeted apps part is used to select the mobile apps that will be managed by the mobile application management policy. At this moment, only OneDrive is available for Android and OneDrive, Excel, PowerPoint and Word are available for iOS. In the near future this list will grow.

iOSMAMPolicy_PolicySettingsThe fourth configuration part is Policy settings. The Policy settings part is used to define the behavior of the mobile applications. This is divided in two categories of settings, Data relocation settings and Access settings. Data relocation settings are applicable to data movement in and out of the apps and Access settings determine how the end-user accesses the apps.

At this moment there are a few differences between the settings on Android and iOS. These differences are caused by simple fact that these two are completely different platforms. On Android it’s possible to configure Prevent Android backups, while on iOS it’s possible to configure Prevent iTunes and iCloud backups. On Android it’s possible to configure Block screen capture and Android Assistant, while on iOS it’s possible to configure Allow fingerprint instead of PIN.

All of the other settings are the same, or at least similar, for Android and iOS. Also, most of the settings are the same as the normal mobile application management policy settings. However, there is one additional, and very nice, setting. That’s the setting Offline interval (days) before app data is wiped. This allows the administrator to specify a number of days that a device can be offline before the company data is wiped. When the value is set to 0, this setting will be disabled.

Important: Only users that are member of the selected group AND have a Microsoft Intune license assigned, are affected by the mobile application management policy.

Basic steps

After getting familiar with the different configuration options, it’s time to look at the creation and the deployment of a mobile application management policy. The following twelve straight forward steps will guide anyone through the configuration and deployment.

1 In the Azure portal navigate to Intune mobile application management > Settings to open the Settings blade;
2 In the Settings blade, click App policy to open the App policy blade;
3 In the App policy blade, click Add a policy to open the Add a policy blade;
4 In the Add a policy blade, provide a Name for the policy, select the Platform and click Apps to open the Apps blade.
5 In the Apps blade, select at least one app and click Select to return to the Add a policy blade;
6 Back in the Add a policy blade, click Settings to open the Settings blade;
7 In the Settings blade, configure the Data relocation settings and the Access settings and click OK to return to the Add a policy blade;
8 Back in the Add a policy blade, click Create to create the policy and to return to the App policy blade;
9 Back in the App policy blade, click the <NewPolicy> to open the <NewPolicy> blade;
10 In the <NewPolicy> blade, click User groups to open the User groups blade;
11 In the User groups blade, click Add user group to open the Add user group blade;
12 In the Add user group blade, select an user group and click Select to save the changes and to return to the User groups blade.

End-user experience

Now it’s time to have a look at the end-user experience. When an end-user is targeted with a mobile application management policy and wants to use one of the configured apps, the end-user will get the messages below after providing company credentials. The first message will show after the initial configuration and the second message will show after removing the configuration again.

Initial configuration Removal configuration
IMG_0007 IMG_0009

More information

For more information about mobile application management, the supported apps and even more, please refer to:

12 thoughts on “Mobile application management without enrollment”

  1. How does this apply to Intune hybrid and restricting access to all unmanaged devices? Would you have a MAM policy for the Intune Hybrid apps then another MAM policy via the Intune/Azure policy for all unmanaged devices targeting All Users?

  2. Hi Peter,

    Any idea if it is possible to restrict access to as an example email for unmanaged apps? I want to use MAM for BYOD`s so the users can access corporate data on the way, but I don`t them to use third-party/ build in apps which are unmanaged.

    Kind regards,


  3. Hello Peter,

    Can we use MAM-WE for Windows mobile phones as well?
    If yes than it will be only support to BYOD devices or else it can support to COD devices??
    Kindly update.

    Thank you!


  4. Peter

    So if we are currently using the Azure intune /sccm hybrid , i take it this article is our only option so we dont have to re-enroll our devices?


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.