Intune MAM

Manage BYOD with Intune MAM Without Enrollment

Last Updated on April 2, 2020 by Oktay Sari

In this topic we’ll have a look at how to manage BYOD with Intune MAM to enable a bring-your-own-device (BYOD) scenario for your organization without the need to fully enroll devices into MDM. BYOD will raise some concerns about devices and applications that are being used by employees to access corporate data.

Therefore we need to protect corporate data on iOS and Android devices using Microsoft Intune app protection policies while making sure employees can be productive on devices they prefer. App protection policies work independent of any MDM solution. If you want to manage Windows 10 BYOD scenario’s without enrollment to MDM read my blog  Windows Information Protection without enrollment.

Protecting company data with App Protection Policies

Microsoft Intune supports the following Mobile Application Management (MAM) scenarios manage BYOD:

  • Fully enrolled in Intune (company owned devices).
  • Managed by a third-party MDM solution (company owned devices).
  • Devices not managed by any MDM solution (BYOD).

App protection policies only work for Office mobile apps that connect to Office 365 services. Apps that connect to on-premises Exchange, Skype for Business,or SharePoint are not supported. Furthermore, Windows devices are not supported in the MAM without enrollment scenario’s but you can use Windows Information Protection (WIP) to do the same for Windows 10 devices.

The difference between MDM and MAM

While Intune MDM protects at the device level, Intune MAM and App Protection policies protect at the application level. For example, with MDM you can force a PIN to access the device or fully encrypt the device, and with MAM you can require a PIN before users can access their corporate e-mail. with MDM enrolled devices you can also manage Windows updates and push software like Office 365 ProPlus.

Configuring Intune MAM without enrollment

Let’s have a look at how to configure Intune MAM without enrollment and App Protection Policies. When all is in place, we’ll also have a look at the end user experience on a mobile device.

App Protection Policies

Configure Intune App Protection policies before using app-based conditional access policies. App Protection Policies can be accessed and configured from two places:

  • Intune>Mobile Apps>App Protection Policies
  • Intune App Protection>App Policy

Choose the blade you prefer and click on Add Policy:

Intune App Protection policy

Fill in the blanks, choose a platform and click on Apps; Select required apps and choose the apps you want to protect.

Intune Add Apps to App Protection Policy

Now click on Settings; Configure required settings. There are two sections with settings to configure. Data relocation and Access.

Data Relocation

When you use apps without restrictions, corporate data can accidentally or knowingly be saved on for example personal Dropbox accounts causing data loss. You can use app protection policies to restrict data relocation to untrusted resources that are owned by the individual users. In the example below, you can see the Data relocation settings.

Intune App Protection Policy

Info: The Allow app to transfer data to other apps will affect the the behavior of web content and only allow URL’s to open in the Intune Managed Browser. That is why I also set the Restrict web content to display in the Managed Browser setting to Yes. You can read more about this here.

Access settings

Then there are Access policies you can configure to enforce settings like PIN for access and Block screen captures. Configure the settings to your liking and click on OK and finally click on Create.

Back on the App Protection Policy blade, click on your newly created policy and assign it to the right user group.

Assign App Policy to User group

Now that you’ve created your first App Protection Policy, go ahead and create another one for iOS devices. The policies only take effect when users in assigned groups check in using protected applications.

Have a look at the status of the app policy for a user in the App protection user report that is available in the Intune App Protection area:

Intune App Protection user report

App Based Conditional Access Policies.

We can only protect company data on MAM enabled or MAM aware applications. Native apps on iOS and Android are not MAM aware and therefore need to be denied access to corporate e-mail and data.

Navigate to >Azure>Intune App Protection. Below the Conditional Access section click on Exchange Online>Allowed Apps. Select “Allow apps that support Intune app policies” and click on Save.

Intune App based conditional access

Continue and click on Restricted User Group>Select group, and select the user groups the policy applies to. If need be, you can even Exclude some of the users but personally I would go for all users.

Intune Exchange Online restricted users group

Back on the Intune App Protection Blade do the same for Sharepoint Online.

Remove company data without touching personal data

For the final part in this blog let’s have a look at selective wipe and BYOD. When you manage BYOD with Intune, you’ll have the option to selectively wipe corporate data. When a device has gone missing or when the user leaves the company and there is no need to access data anymore, you can remove corporate data from the mobile device, without ever touching personal data. Once initiated, the device begins the removal process and upon completion, all corporate data is deleted. When a device is MDM enrolled a full wipe is also possible.

Navigate to >Intune App Protection>Wipe requests and click on New wipe request.

Intune New selective wipe request

Click on User; Select the user and find the user. Click on Select.

Intune New Wipe request

Next click on Device; Select the device. A list of devices registered for the user will show. Select the device you want to wipe and click on Select.

Intune Selective Wipe

After selecting user and registered device, click OK to start the wipe process. The screen will show the apps and wipe status. Upon completion, the list will be empty again.

Intune wipe pending


Before you delete a user from Azure Active Directory, make sure you Remove corporate data or fully wipe all devices registered with that user. If you delete users with managed devices, you can no longer issue factory reset or remove corporate data.

When the wipe request has finished you can also delete the device from Azure AD. Go to >Intune>Devices>Azure AD Devices. Search the device and delete it.

This concludes the Administration part in the Azure portal. Now let’s have a look at the user experience from A to Z.

User Experience

Remember we setup App Based Conditional Access for Exchange online and Sharepoint? In this example we’ll have a look at how the native e-mail client responds after adding a corporate account. I’ll skip the part where you configure the account. Go ahead and configure an account on your mobile and try to login and read your e-mail.

User Experience; Native e-mail application

Intune Conditional Access Native app not allowedAs you can see, Conditional Access rules are very easy to setup and deploy to your organization. You have effectively restricted access to corporate e-mail using the native e-mail client. Conditional access can ensure that only authenticated users, and approved apps, have access to your corporate data. In this case users need to download the Microsoft Outlook App to read corporate e-mail.

User experience; Managed Apps

Go ahead and install Microsoft Outlook. Once the app is installed, configure your corporate e-mail account. You will be forwarded to the Office 365 portal to login. Once logged in, you will see the following message “Help us keep your device secure





Intune MAM works together with (and relies on) the Intune Company Portal App. You should be familiar with it because you also need this to MDM enroll devices to Intune. There is one difference though. Since we’ll be managing applications only and without enrollment, the user does not need to sign in within the Company Portal App. For MAM, the Company Portal app just needs to be installed on the device. The Microsoft FAQ provides a little more info.

    Intune Login to your account     Install Intune Company App


Click on Get the app and install the Intune Company Portal app. Once the app is installed you can continue with Microsoft Outlook. This time the app will request you to register your device to continue. Once registered, Outlook will open and you can access corporate e-mail.

Intune register your device      Intune Microsoft Outlook allowed

User Experience; App Protection Policies

In most cases Microsoft Outlook will show a message about IT protecting your corporate data. It might take a little longer but when you restart the app, your data is protected.

Intune protects your data

The app protection policies you configured are now enforced. One of the settings we configured was under the Data relocation section:

Setting: Restrict cut, copy, and paste with other apps

Value: Policy managed apps with paste in.

This setting restricts data from managed apps to be copied to unmanaged apps and prevents data relocation. Let’s see how this looks like for the end user.









Open any e-mail, select some text, right click and copy te text to your clipboard. For this example I’ll use the native Note app on Android and try to paste the data there:

Your organization’s data cannot be pasted here”. You are not allowed to do so. When you copy data between managed apps, it will allow you to continue without restrictions.

Intune Microsoft Outlook MAM      Intune MAM Microsoft Outlook protection

This applies to all managed apps. When a user tries to copy/paste a word document from Onedrive for Business to dropbox, he or she will receive a similar notification.

User Experience; Selective Wipe

In the final step we’ll have a look at the user experience when an administrator initiates a selective wipe for a device. In most cases, it will only take minutes for the device to start removing corporate data. Administrators can also disable logins to make sure the user can’t login, unless the account is re-enabled. The user can now continue to use the apps for personal data and e-mail.

Intune User Device selective wipe      Intune MAM User account lock


In this blog we have setup Intune app based conditional access and app protection policies to manage BYOD with Intune and prevent corporate data from leaking when it is accessed by users on personal devices. The users do not have to fully MDM enroll their devices, which is more appealing as they don’t need to allow 100% control over their own devices by corporate IT.

More about managing BYOD with Intune:



Conditional Access policies for Intune are now available in Azure AD. Read more about this change update.

4.4 7 votes
Article Rating

Oktay Sari

#Microsoft365 | #Intune |#MEM | #Security | Father | #Diver | #RC Pilot & #Magician in spare time | Microsoft MVP

Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Newest Most Voted
Inline Feedbacks
View all comments
Bill Neumann
Bill Neumann
6 years ago

I’m not sure you’re correct about needing to target MAM iOS and Android BYOD users in the Azure AD Configure (MDM and MAM) area. Once you create an application protection profile, you have to make an Assignment for the policy to take affect. That’s done on a policy by policy basis and would seem to be the better place to set MAM scope. Thoughts?

Robert Milner
Robert Milner
6 years ago

Hi Oktay, thanks for writing this article it was extremley useful. However, I am running into a small issue at the App Based Conditional Access Policies section. When I click on Exchange Online under conditional access, I get a message that says: “App based conditional access is now a capability of Azure Active directory (Azure AD) that enables you to control how authorized users access your cloud and client apps. While the purpose is still the same, the release of the new Azure AD portal has introduced significant improvements to how app based conditional access works. The conditional access policies… Read more »

Robert Milner
Robert Milner
6 years ago
Reply to  Oktay Sari

Hi Oktay,

Thanks for replying.

Something very strange is happening, as I have just tested it with our live tenancy and I get the screens as expected (as per your previous screenshots), but my new test O365 tenancy which I setup a month ago doesn’t allow me to configure this.

I tweeted about this, but the responses back haven’t helped but the screenshot of what I get is on there:

6 years ago

Just wondering if others experience “an error occurred” in Outlook after the Device Registration process takes place. This happens to me and it seems like a time-sensitive matter where retrying right away doesn’t help, but retrying in about 20 minutes the issue is resolved. Every time for me.


[…] when trying to open a URL? Then I hope this post helps a little. In a previous post I wrote about managing BYOD devices with Intune MAM policies and I suggest you read that if all this is new to […]

5 years ago

Hello – I’ve set up app protection policies and conditional access policies to only allow exchange 365 access through outlook on BYOD devices using MAM (not fully enrolled in MDM). But I’m not able to figure out how to remove or selectively wipe company data. I seem to only be able to do that for fully enrolled devices in MDM. Am i missing something?

John Fisher
John Fisher
5 years ago

Well written, managing corporate data is easy with BYOD solution like MobiLock Pro, which requires no IT knowledge!

5 years ago

Hello, First of all thanks for this very detailled and usefull article. I have a question about Windows 10. You write that MAM cannot be used for Windows 10 like on Android or IOS and you speak about WIP. Is always true at this time in January 2019 ? i can’t find any informations about how to managae BYOD Windows 10 device. We plan to allow BYOD device for remote work at home in my companiy and i want to use MAM instead of MDM that it too intrusive. Do i need to use WIP only ? Do you know… Read more »

4 years ago

hi Oktay,
how to enable different policies for the same user? depending on what he chooses.
for ex, if he choose personal ~~ i want the personal byo policies to get applied to him
if he chooses corporate, he must get the corporate device policies applied to him

Adam Idan
Adam Idan
3 years ago

Can this be done for Company Portal on windows devices? I am trying to run Company Portal on non-enrolled BYOD


[…] 5. Manage BYOD with Intune MAM Without Enrollment – […]

1 year ago

Can we get this process updated for the new Endpoint Manager? Some of these are a bit off and I am getting held up implementing this.

1 year ago

Thanks so much for this! it’s really helped me get started, only question I have is regarding assignments. Will it conflict if I use the same BYOD group for iOS, Android, AND WIP?