Last update: 08-04-2016
After my blog post a couple of weeks ago, I got many questions related to mobile application management (MAM) without enrollment. That triggered me to create a quick frequently asked questions (FAQ) post. Online, MAM without enrollment is also referred to as MDM-less MAM, Azure MAM and sometimes even Intune MAM. As MDM-less MAM seems to be the most commonly used, and the shortest, I’ll start using that in this FAQ.
I’ll try to keep this FAQ as complete and up-to-date as possible. Just to be sure, I’ve added a last update date at the top of this post. That is the date on which this content was last reviewed. Also, if I’m missing some obvious questions, please don’t hesitate to contact me and I will add them.
What is MDM-less MAM?
MDM-less MAM can protect company data with or without enrolling devices in a device management solution. It does this by implementing app-level policies, which can restrict access to company resources and keep data within the purview of the company.
Which platforms are supported by MDM-less MAM?
MDM-less MAM supports the following platforms:
- iOS 8.1 and later;
- Android 4 and later.
Which apps are supported by MDM-less MAM?
MDM-less MAM supports the following apps:
- Microsoft Word for iOS;
- Microsoft Excel for iOS;
- Microsoft OneDrive for iOS and Android;
- Microsoft OneNote for iOS;
- Microsoft Outlook for iOS and Android;
- Microsoft PowerPoint for iOS;
- Microsoft Remote Desktop for iOS and Android;
- Microsoft Managed Browser for iOS and Android.
Which scenarios are supported by MDM-less MAM?
MDM-less MAM supports the following three scenarios:
- Devices that are managed and enrolled in Microsoft Intune;
- Devices that are managed and enrolled in a third-party solution;
- Devices that are not managed by any solution.
Which license do I need to have to use MDM-less MAM?
MDM-less MAM requires a Microsoft Intune license assigned to the end-user. A Microsoft Intune license is also included in an EMS license.
Where can I configure MDM-less MAM?
MDM-less MAM can be configured in the Azure portal.
Does MDM-less MAM affect personal accounts?
No. The restrictions of the MDM-less MAM policies only apply when the end-user signs into a supported app using a company account.
How can I disable the “Offline interval before app data is wiped (days)” MDM-less MAM policy setting?
This specific MDM-less MAM policy setting can be disabled by configuring a value of 0.
What happens when an end-user is targeted with MDM-less MAM policies and MDM MAM policies?
The end-user will be required to enroll the device. After enrollment the MDM-less MAM policies will take precedence in the supported apps.
Why do my end-users receive the message “Your company has required that you must first enable a device PIN to access this application”?
The end-user will receive this message when there is no device PIN configured and the MDM-less MAM policy requires encryption. Without a device PIN there is no use in encrypting the device.
Where can I find the TechNet documentation?
The TechNet documentation about MDM-less MAM is available here: https://technet.microsoft.com/en-us/library/mt627825.aspx
Hi. Thanks. Nice write up! I believe you are missing Outlook from the supported apps section? Also, what would be your advice/runsheet for those wanting to move to Azure MAM, but with legacy Intune MAM (and Intune MDM) policies already deployed to users/devices?
thanks
John
Hi John,
Yes, you are correct. The Microsoft Outlook app for iOS and Android was just added recently. I’ve updated it now in the FAQ.
The migration scenario depends on your exact requirements. A good thing to know is that when a user is targeted with MDM-less MAM policies and MDM MAM policies, the MDM-less MAM policies take precedence. However, when a user is targeted with both, the user will still be required to enroll their device.
Regards,
Peter
Sadly, after going down this direction of depending on MAM in a pilot to replace our current EMM solution, we hear from support that MAM controls for apps used for on-premises Exchange, Skype, and SharePoint are “not supported”. Our prior testing shows that MAM controls with an MDM profile work fine in this configuration for iOS and Android pre-V4. Surprisingly, our testing with Android V6 shows they no longer work, and that’s when we got the MS response that MAM is not supported for any apps if not used with O365. They reference the note labeled “Important” for their position that it’s not supported: https://docs.microsoft.com/en-us/intune/deploy-use/protect-app-data-using-mobile-app-management-policies-with-microsoft-intune
True, that’s indeed one of the down-sides of using app management in combination with on-premises services.
Hi Peter
I am having an issue where I have Outlook MAM policies configured in Azure specifically for non-enrolled BYOD devices. Every time the app is launched it prompts for the Company Portal app to be installed, which we do not want for our client. I thought that maybe some configuration policies in the Intune portal were conflicting, but any deployments of these have now been removed and the issue remains. Any ideas?
Regards
Iain
Hi Iain,
The Company Portal app is still required on Android devices to make it work. However, the user is not required to launch the app or sign in to the app.
Peter
Hi Peter
Thanks so much for the reply and you were right. If only Microsoft knew the answers as quickly as you.
Regards,
Iain
Also Peter, do you know why I am able to deploy iOS managed apps to device groups from the Intune console but only to user groups when I try to deploy an app package for Android? Both are just links as far as I can see, yet device groups is not an option for Android apps. Am I missing something?
Regards
Iain
Iain, are you referring to normal app deployments?
Hi Peter
Yes, specifically Android external links from the Play Store. It seems I can only deploy to user groups and not device groups, but for iOS device groups works. It must be the way with the Android apps.
I have read about the Android for Work tab being added in the Intune console to give more control, but it has not appeared in my console yet.
Regards,
Iain
It all depends on the type of app that you are trying to deploy. You can find the expected behavior here: https://docs.microsoft.com/en-us/intune/deploy-use/deploy-apps
Hi Peter
I have a question specifically around the device PIN prompt referenced below:
Why do my end-users receive the message “Your company has required that you must first enable a device PIN to access this application”?
The end-user will receive this message when there is no device PIN configured and the MDM-less MAM policy requires encryption. Without a device PIN there is no use in encrypting the device.
My question is: my test device for iOS does not have a device PIN requirement and is not enrolled either. The bit about the MDM-less MAM policy requiring encryption, what do I change that to so that I am only required to set a PIN for the app (Outlook in this case)? At the moment it is set to when device is locked.
Many Thanks
Iain
Hi Iain,
Apologies for the late reply. A device PIN is required to enable encryption.
Peter