Frequently asked questions about mobile application management without enrollment

Last update: 08-04-2016

After my blog post a couple of weeks ago, I got many question related to mobile application management (MAM) without enrollment. That triggered me to create a quick frequently asked questions (FAQ) post. MAM without enrollment is online also referred to as MDM-less MAM, Azure MAM and sometimes even Intune MAM. As MDM-less MAM seems to be the most common used, and the shortest, I’ll start using that in this FAQ.

I’ll try to keep this FAQ as complete and up-to-date as possible. Just to be sure, I’ve added a last update date at the top of this post. That is the date that this content was reviewed the last. Also, if I’m missing some obvious question, please don’t hesitate to contact me and I will add them.

What is MDM-less MAM?

MDM-less MAM can protect company data with or without enrolling devices in a device management solution. It does this by implementing app-level policies, which can restrict access to company resources and keep data within the purview of the company.

Which platforms are supported by MDM-less MAM?

MDM-less MAM supports the following platforms:

  • iOS 8.1 and later;
  • Android 4 and later.

Which apps are supported by MDM-less MAM?

MDM-less MAM supports the following apps:

  • Microsoft Word for iOS;
  • Microsoft Excel for iOS;
  • Microsoft OneDrive for iOS and Android;
  • Microsoft OneNote for iOS;
  • Microsoft Outlook for iOS and Android;
  • Microsoft PowerPoint for iOS;
  • Microsoft Remote Dekstop for iOS and Android;
  • Microsoft Managed Browser for iOS and Android.

Which scenarios are supported by MDM-less MAM?

MDM-less MAM supports the following three scenarios:

  1. Devices that are managed and enrolled in Microsoft Intune;
  2. Devices that are managed and enrolled in a third-party solution;
  3. Devices that are not managed by any solution.

Which license do I need to have to use MDM-less MAM?

MDM-less MAM requires a Microsoft Intune license assigned to the end-user. A Microsoft Intune license is also included in an EMS license.

Where can I configure MDM-less MAM?

MDM-less MAM can be configured in the Azure portal.

Does MDM-less MAM affect personal accounts?

No. The restrictions of the MDM-less MAM policies only apply when the end-user signs into a supported app using a company account.

How can I disable the “Offline interval before app data is wiped (days)” MDM-less MAM policy setting?

This specific MDM-less MAM policy setting can be disabled by configuring a value of 0.

What happens when an end-user is targeted with MDM-less MAM policies and MDM MAM policies?

The end-user will be required to enroll the device. After enrollment the MDM-less MAM policies will take precedence in the supported apps.

Why do my end-users receive the message “Your company has required that you must first enable a device PIN to access this application”?

The end-user will receive this message when there is no device PIN configured and the MDM-less MAM policy requires encryption. Without a device PIN there is no use in encrypting the device.

Where can I find the TechNet documentation?

The TechNet documentation about MDM-less MAM is available here: