Thursday 1 September 2016

Real world tips for implementing mobile application management without enrollment

MAM without enrollment is a really cool way of protecting corporate data on BYOD devices. Some users simply do not want to enrol their devices in Intune, so this gives us IT Pros an alternative management method.

MAM policies can be configured for apps in these scenarios:
  • On devices enrolled in Microsoft Intune: These devices are typically corporate owned devices.
  • On devices enrolled in a third-party mobile device management (MDM) solution: These devices are typically corporate owned devices.
  • On devices not enrolled in any mobile device management solution: These devices are typically employee owned devices that are not managed or enrolled in Intune or other MDM solutions.
I will walk through the solution and offer some real world tips along the way.

Tip #1: MAM policies should not be used in conjunction with third-party mobile app management or secure container solutions.

Administrator configuration

Configuration of this solution is carried out in the Azure Portal.


Select More Services.


Start to type Intune and select Intune.


The Intune mobile application management blade opens. Select App Policy.


Select Add a policy.


Give the policy a name and choose a platform. I'm choosing Android for now. Highlight Select Required Apps.


Choose the apps that you want to deploy a MAM policy to. Click Select to choose the apps.

Notice that only Microsoft apps are currently available. So how do I allow my users to securely open email attachments - PDFs for example?

Tip #2: No special considerations are required for iOS. Outlook for iOS has an in-app viewer built in.

Tip #3: The RMS Sharing App must be used for opening secure PDFs on Android devices.


Now highlight Configure required settings. There are a number of options to choose from. The default options are sufficient unless you specifically need to change a setting.


Tip #4: If you are familiar with Intune Mobile Application Management you will know that you must create a MAM policy and a Managed Browser policy. In MAM without enrolment they are integrated and there is no separate Managed Browser policy. Instead there is one setting, "Restrict web content to display in the Managed Browser".



Click OK to save your settings.


Click Create to create the policy.


Select App Policy again.


Highlight the policy that you have created.


Select User Groups.


Select Add Users Group to deploy the MAM policy.

User experience (Android)

Download and install the required apps from the Google Play store. Don't forget the RMS Sharing app as discussed above.


I got this error when I tried to open Outlook (now a protected MAM app).

"Before you can use your work account with this app, you must install the free Intune Company Portal app. Tap "Go to store" to continue".

Tip #5: You must install the Company Portal app on an Android device in order to use MAM without enrolment (even though you will not be enrolling the device). This is not the case with iOS.

Click Go to store and install the Company Portal app. No further action is required with this app.

Corporate data is now secured by MAM policy. Try it out.

I hope this information was useful. Until next time......
