How to Enable Intune MAM without Enrollment along with Conditional Access

Microsoft Intune supports MAM without enrollment (MAM WE) and Conditional Access policies for Android devices. There are two types of management options for Android devices with Intune. First one is the traditional way of MDM management and the second way is the light management of apps which are installed on Android devices via Intune. We have discussed the Android MDM management options and end user experience in the previous post here.

Video – End-user experience of Android Device MAM WE – Here

Mobile Application Management (MAM) Without Enrollment (WE) is the light weight way of management option for Android devices. This option has some advantages over full MDM management options. For example, if a consultant’s device has already enrolled to a 3rd part EMM solution, but he wanted to have access to client’s corporate mail access on his mobile device for a very short period then, The “MAM WE” is the best option for that consultant. With MAM WE, Intune and Azure AD will ensure that corporate mail and other MAM enabled applications are protected with MAM policies.

Intune – Mobile Apps – Apps – Skype for Business – Properties: – In the following example, you can see that Skype for Business application for Android has deployed with a deployment type called “Available with or Without enrollment.” So without enrollment deployment type is for MAM WE management.

How to Enable Intune MAM without Enrollment along with Conditional Access 2

The Intune “MAM WE” comes with a separate set of Conditional Access policies. This conditional access policy is different from MDM conditional access policy. So, you need to take little extra care when you deploy both CA policies to same user groups. I would use avoid using same user group for both the policies or you could use the exclude groups options. I would avoid deploying MDM CA policy to user groups whenever possible rather I would deploy MDM CA policy to device groups. Otherwise, we should have different MDM CA user group and MAM WE CA user group with unique users in both the groups and that is going to be little tricky.

How to Enable Intune MAM without Enrollment along with Conditional Access 3

Each MAM enabled application comes with application protection policies (MAM app protection). We need to deploy these app protection policies to MAM WE user groups. Remember these types (MAM WE) of policies can’t be deployed to Device Groups. With app protection policy, you will get an option to restrict corporate data relocation and App data encryption options. It’s very critical that you should create app protection policies and deployed to MAM WE user groups.

How to Enable Intune MAM without Enrollment along with Conditional Access 4

 End User Experience :-

The video here will provide you the Intune MAM WE real time end user experience.

Reference :-

  • How to assign apps to groups with Microsoft Intune – here
  • Protect app data using app protection policies with Microsoft Intune – here

Sharing is caring!

13 thoughts on “How to Enable Intune MAM without Enrollment along with Conditional Access”

  1. Can you enforce MFA for MAM WE without also imposing it to MDM users? For example, if we want to enable MAM for specific apps such that users who are no enrolled with Intune can access these apps but require MFA for extra protection, where users that are enrolled are not required MFA – is this possible?

  2. Nice blog!

    How can the applications be deployed on to the user device without enrollment? We are considering using Mobile Center Azure for this. For testing purpose can we side load the application as well? If so, do we still need to upload the app to Intune to assign the application with specific profile?

    I this article –

    they mention “you can’t deploy apps to the device. The user has to get the apps from the store.” Can this be a private store?

    • I don’t whether it supports Windows mobile devices. MAM-WE for Windows is Windows Information Protection (WIP). I don’t whether WIP is supported for Windows mobile devices…I will try to check and post here

  3. Do we need to set a MDM authority to use MAM-WE and conditional access.
    If not, how will Intune know which user has installed an app that need to be managed.


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.