Managing Office mobile apps without MDM

Microsoft announces significant new capabilities in the November Microsoft Intune service update that will be rolled out globally over the next few weeks.

In this blog post I would like to show you how can you setup Mobile Application Management (MAM) without installed or enrolled Mobile Device Management (MDM).

This is particularly useful for BYO scenarios where end users don’t want to or can’t enroll their devices for IT management. This capability is also useful in cases where a device is already enrolled in another MDM solution. As part of this month’s service update, Microsoft Outlook, Word, Excel, PowerPoint, and OneDrive will support Intune MAM without enrollment. This new capability is an addition to the existing Intune MAM capabilities that require enrollment into Intune mobile device management (MDM).

Important: Only users that are member of the selected group AND have a Microsoft Intune license assigned, are affected by the mobile application management policy.

Step-by-step setup

This configuration hasn’t to be made in the Intune Admin Portal as usual. It can be configured through the Azure Portal (preview). Navigate in the portal to the Intune module and pin it to your start page:


At this moment, Azure supports to create (standalone) MAM policy for two different platforms:

  • iOS with the following apps:


  • Android supports only OneDrive and Outlook:


I am sure that in the near future these lists will grow.

Policy settings: at this moment there are a few differences between the settings on Android and iOS. These differences are normal because of two completely different platforms.

On Android it’s possible to configure “Prevent Android backups, while on iOS it’s possible to configure “Prevent iTunes and iCloud backups. On Android it’s possible to configure “Block screen capture and Android Assistant, while on iOS it’s possible to configure “Allow fingerprint instead of PIN“:


All of the other settings are the same or at least similar. Here is one additional and very nice setting: “Offline interval (days) before app data is wiped”. This allows the administrator to specify a several days that a device can be offline before the company data is wiped. When the value is set to 0, this setting will be disabled.


After choose the managed application with the defined settings, you have to select the users or groups whom this policy has to be applied for:



This feature does two huge things – First, it reduces the time to deploy Office for iOS with all the protections enterprises need (encryption, copy protections etc.). Second, it means your users don’t have to worry about what you can see on their device, since you aren’t managing the device, just the apps.

Leave a Reply

Your email address will not be published. Required fields are marked *