In this guide, part of the series on Intune standalone, I’m going to run through setting up MAM-WE, that’s Microsoft Application Management Without Enrollment. We’ll dispense with device management and enrolment into Intune and instead secure the company data within the applications the user runs, in this guide’s case Microsoft Outlook. We’ll achieve this using the Azure Conditional Access and Intune App Protection features.

Let’s set a few things up in the lab. I’ve written this guide to follow on from the previous one.

The key objectives for this guide are:

  • Target Users of iOS and Android devices with MAM-only policy with no MDM management or enrolment
  • Protect company data on the supported devices
  • Control targeting to specific users (our test user)

To get things going, let’s create an AAD group for our MAM-only test users so that we have control over who receives company data protection through MAM.

Azure Active Directory Group

In the previous guide we created a group called Intune_Managed_Mobile as a target for the MDM and MAM policies. Since we’re working towards the MAM-only scenario, we’ll create a new group and call it Intune_Unmanaged_Mobile.

  • Open the Azure Portal
  • Select Azure Active Directory, then Groups
  • Select New group
  • For Group type, keep as or select Security
  • For Group name enter Intune_Unmanaged_Mobile
  • For Membership type, keep as or select Assigned
  • Finally select Create

Go ahead and add the test user to this group, and make sure the test user is not a member of a group targeted for MDM+MAM.

Conditional Access Policies

We only really need a single Conditional Access policy to cover the MAM BYOD unmanaged device scenario for demo purposes. In this policy we need to make sure Require device to be marked as compliant is unticked, so that the device is not forced to enrol into MDM. Other policies could be added, such as blocking legacy authentication\ActiveSync so that non-MFA applications are blocked; refer to the previous guide for some examples.

We’ll call the policy:

  • CA – iOS & Android – Unmanaged

As I said above, there are additional policies you could create, such as enforcing MFA or blocking legacy authentication; you can find those in the previous guide here, and shortly I’ll go over creating a basic MFA Conditional Access policy.

CA – iOS & Android – Unmanaged

  • Open the Azure Portal
  • Visit Microsoft Intune > Conditional Access
  • Select New Policy
  • For Name Enter CA – iOS & Android – Unmanaged
  • Under Assignments Select Users and Groups
  • Select Select users and groups and tick Users and Groups
  • Select Select, find the Intune_Unmanaged_Mobile group and select Select, Select Done
  • Select Cloud apps or actions
  • Select Select apps
  • Select Select and then find and select Office 365 (preview) (the name will most likely change over time …), select Select, select Done
  • Select Conditions
  • Select Device platforms
  • Select Yes to Apply policy to selected device platforms
  • Select Select device platforms and tick Android and iOS and then select Done
  • Select Client apps (Preview) (the name will most likely change …), select Yes to Configure and then tick Browser, Mobile apps and desktop clients, Modern authentication clients and Other clients, select Done, select Done
  • Under Access Controls select Grant
  • Select Grant Access and then tick Require multi-factor authentication and Require approved client app, then select Select
  • Select On for Enable policy and then Select Create

For illustration purposes here’s what that new Conditional Access policy looks like:

Users and Groups

Cloud apps or actions

Conditions – Device platforms

Conditions – Cloud apps (Preview)

Access controls – Grant

That is the Conditional Access policy needed to get MAM-WE going. We won’t create Device Configuration or Compliance policies as we are not managing the device through MDM enrolment, instead we’ll go straight to the fun stuff, MAM and app protection.

And here’s an example Conditional Access policy for you to add to enforce MFA. I keep this separate from the other policies and apply it to the AAD group I use to license users for Intune.

CA – Require MFA

  • Open the Azure Portal
  • Visit Microsoft Intune > Conditional Access
  • Select New Policy
  • For Name Enter CA – Require MFA
  • Under Assignments Select Users and Groups
  • Select Select users and groups and tick Users and Groups
  • Select Select, find your Intune licensing group and select it, mine is called Intune_Users, once found select Select, Select Done
  • Select Cloud apps or actions
  • Select Select apps
  • Select Select and then find and select Office 365 (preview) (the name will most likely change over time …), select Select, select Done
  • Select Conditions
  • Select Device platforms
  • Select Yes to Apply policy to selected device platforms
  • Select Select device platforms and tick Android and iOS and optionally Windows then select Done
  • Select Client apps (Preview) (the name will most likely change …), select Yes to Configure and then tick Browser, Mobile apps and desktop clients, Modern authentication clients and Other clients, select Done, select Done
  • Under Access Controls select Grant
  • Select Grant Access and then tick Require multi-factor authentication then select Select
  • Select On for Enable policy and then Select Create

For illustration purposes here’s what that new Conditional Access policy looks like:

Users and Groups

Cloud apps or actions

Conditions – Device platforms

Conditions – Cloud apps (Preview)

Access controls – Grant
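The two Conditional Access policies above can also be expressed as Microsoft Graph request bodies (POST /identity/conditionalAccess/policies), which makes it easy to review what the portal clicks produce and to check that the MAM-WE policy never drifts into requiring a compliant (i.e. enrolled) device. The following is an added example written for this guide, not Microsoft’s code or part of the original post; the group object IDs are constructed placeholders, and the GRAPH_TOKEN environment variable is an assumption about how a bearer token would be supplied.

```python
"""Build the guide's two Conditional Access policies as Graph bodies and lint
the MAM-WE one. Example code for this guide; IDs below are placeholders."""
import json
import os
import urllib.request

# Constructed placeholder object IDs: replace with the real AAD group IDs.
UNMANAGED_GROUP_ID = "00000000-0000-0000-0000-00000000aaaa"  # Intune_Unmanaged_Mobile
LICENSING_GROUP_ID = "00000000-0000-0000-0000-00000000bbbb"  # Intune_Users

GRAPH_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def ca_policy(name, group_id, platforms, controls):
    """conditionalAccessPolicy body mirroring the portal steps in the guide."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            # "Office365" is Graph's identifier for the Office 365 app group.
            "applications": {"includeApplications": ["Office365"]},
            "platforms": {"includePlatforms": platforms},
            # Browser, Mobile apps and desktop clients, Other clients
            # (Exchange ActiveSync deliberately left out, as in the guide).
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients", "other"],
        },
        "grantControls": {"operator": "AND", "builtInControls": controls},
    }


def unmanaged_policy():
    """CA – iOS & Android – Unmanaged: MFA plus an approved client app."""
    return ca_policy("CA – iOS & Android – Unmanaged", UNMANAGED_GROUP_ID,
                     ["android", "iOS"], ["mfa", "approvedApplication"])


def mfa_policy(include_windows=False):
    """CA – Require MFA, applied to the licensing group; Windows is optional."""
    platforms = ["android", "iOS"] + (["windows"] if include_windows else [])
    return ca_policy("CA – Require MFA", LICENSING_GROUP_ID, platforms, ["mfa"])


def check_mam_we(policy):
    """Return findings; an empty list means the policy matches MAM-WE intent."""
    findings = []
    controls = set(policy["grantControls"]["builtInControls"])
    if "compliantDevice" in controls:
        findings.append("requires a compliant device, which forces MDM enrolment")
    if "approvedApplication" not in controls:
        findings.append("does not require an approved client app, so app data is unprotected")
    if "mfa" not in controls:
        findings.append("does not require multi-factor authentication")
    platforms = set(policy["conditions"]["platforms"]["includePlatforms"])
    if not {"android", "iOS"} <= platforms:
        findings.append("does not target both Android and iOS")
    if policy["state"] != "enabled":
        findings.append("policy is not enabled")
    return findings


def post_policy(policy, token):
    """Create the policy; the token needs Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(
        GRAPH_URL, data=json.dumps(policy).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for pol in (unmanaged_policy(), mfa_policy()):
        print(json.dumps(pol, indent=2, ensure_ascii=False))
    print("MAM-WE findings:", check_mam_we(unmanaged_policy()) or "none")
    token = os.environ.get("GRAPH_TOKEN")  # assumption: token supplied by the caller
    if token:
        for pol in (unmanaged_policy(), mfa_policy()):
            print("created", post_policy(pol, token)["id"])
```

Run it with no token to print and lint the bodies; the check function is the useful part, since adding Require device to be marked as compliant to the unmanaged policy is the one change that silently turns a MAM-WE rollout into forced MDM enrolment.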

App Configuration Policies

Although optional for now, we can set up a single App Configuration policy for Outlook. It isn’t configured in this guide; we are building it out so that it can be tweaked later on by those interested.

The App Configuration policy will be called:

  • Android – iOS – Unmanaged – BYOD – Outlook

Android – iOS – Unmanaged – BYOD – Outlook

  • Open the Azure Portal
  • Navigate to Microsoft Intune > Client apps > App configuration policies and Select Add and then Managed apps
  • For Name Enter Android – iOS – Unmanaged – BYOD – Outlook
  • For Public app Select Select public apps, from the list select Microsoft Outlook for both Android and iOS then Select Select
  • Select Next twice
  • Under Selected groups Select Select groups to include
  • Find the Intune_Unmanaged_Mobile group and Select Select
  • Select Next and finally Select Create

For illustration purposes here’s what that new App Configuration policy looks like:

Now the app protection policies need to be created.

App Protection Policies

We have two app protection policies, one for each platform.

  • Android – Unmanaged – BYOD
    • Protects applications on Android
  • iOS – Unmanaged – BYOD
    • Protects applications on iOS

Android – Unmanaged – BYOD

  • Open the Azure Portal
  • Navigate to Microsoft Intune > Client apps > App protection policies and Select Add
  • Select Create policy and Select Android
  • For name Enter Application policy for Android and Select Next
  • For Target to apps on all device types Select Yes
  • Under Public apps Select Select public apps
  • From the list Select Outlook and Select Select
  • Select Next
  • Under Data Transfer for Backup org data to Android backup services Select Block
  • For Send org data to other apps Select Policy managed apps
  • For Save copies of org data Select Block
  • For Allow user to save copies to selected services Select OneDrive for Business and SharePoint
  • For Receive data from other apps Select All apps
  • For Restrict cut, copy, and paste between other apps Select Policy managed apps with paste in
  • Under Encryption for Encrypt org data Select Require
  • For Encrypt org data on enrolled devices Select Require
  • Under Functionality for Sync app with native contacts app Select Block
  • Select Next
  • For PIN for access Select Require
  • For PIN type select Numeric
  • For Simple PIN either select Allow or Block depending on how easy you want the PIN to be
  • For Select minimum PIN length select 6
  • For App PIN when device PIN is set Select Require
  • And finally for Recheck the access requirements after (minutes of inactivity) set this high for production or keep as the default of 30 minutes
  • Select Next and Next again
  • Under Selected groups Select Select groups to include
  • Find the Intune_Managed_Mobile group and Select Select
  • Select Next and finally Select Create

For illustration purposes here’s what that new Application Protection policy looks like for Android:

And here’s the iOS equivalent.

iOS – Unmanaged – BYOD

  • Open the Azure Portal
  • Navigate to Microsoft Intune > Client apps > App configuration policies and Select Add
  • Select Create policy and Select iOS/iPadOS
  • For name Enter Application policy for iOS and Select Next
  • For Target to apps on all device types Select Yes
  • Under Public apps Select Select public apps
  • From the list Select Outlook and Select Select
  • Select Next
  • Under Data Transfer for Backup org data to iTunes and iCloud backups Select Block
  • For Send org data to other apps Select Policy managed apps
  • For Save copies of org data Select Block
  • For Receive data from other apps Select All apps
  • For Restrict cut, copy, and paste between other apps Select Policy managed apps with paste in

  • Under Encryption for Encrypt org data Select Require
  • Under Functionality for Sync app with native contacts app Select Block
  • Select Next
  • For PIN for access Select Require
  • For PIN type select Numeric
  • For Simple PIN either select Allow or Block depending on how easy you want the PIN to be
  • For Select minimum PIN length select 6
  • For App PIN when device PIN is set Select Require
  • And finally for Recheck the access requirements after (minutes of inactivity) set this high for production or align it with the same value used for Android of 30 minutes
  • Select Next and Next again
  • Under Selected groups Select Select groups to include
  • Find the Intune_Managed_Mobile group and Select Select
  • Select Next and finally Select Create

For illustration purposes here’s what that new App Protection policy looks like for iOS:
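The Android and iOS App Protection policies above map onto Graph’s androidManagedAppProtection and iosManagedAppProtection resources (POST /deviceAppManagement/androidManagedAppProtections and /iosManagedAppProtections, then the assign action). The following is an added example written for this guide, not Microsoft’s code or part of the original post: it builds both bodies from the settings listed in the steps, checks them against that BYOD baseline, and assigns them to Intune_Unmanaged_Mobile, the MAM-only group created earlier. The group ID is a constructed placeholder, Simple PIN is set to Block since the guide leaves it to taste, and the appDataEncryptionType value chosen for iOS is an assumption.

```python
"""Build the guide's Android and iOS App Protection policies as Graph bodies
and check them against the BYOD baseline. Example code for this guide."""
import json
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com/v1.0/deviceAppManagement"
UNMANAGED_GROUP_ID = "00000000-0000-0000-0000-00000000aaaa"  # placeholder: Intune_Unmanaged_Mobile

# Settings common to both platforms, keyed by their Graph property names.
COMMON = {
    "targetedAppManagementLevels": "unspecified",              # Target to apps on all device types: Yes
    "dataBackupBlocked": True,                                 # Backup org data: Block
    "allowedOutboundDataTransferDestinations": "managedApps",  # Send org data to other apps: Policy managed apps
    "saveAsBlocked": True,                                     # Save copies of org data: Block
    "allowedInboundDataTransferSources": "allApps",            # Receive data from other apps: All apps
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "contactSyncBlocked": True,                                # Sync app with native contacts app: Block
    "pinRequired": True,                                       # PIN for access: Require
    "pinCharacterSet": "numeric",                              # PIN type: Numeric
    "simplePinBlocked": True,                                  # Simple PIN: Block (guide leaves this to taste)
    "minimumPinLength": 6,
    "disableAppPinIfDevicePinIsSet": False,                    # App PIN when device PIN is set: Require
    "periodOnlineBeforeAccessCheck": "PT30M",                  # Recheck access requirements after 30 minutes
    "periodOfflineBeforeAccessCheck": "PT30M",
}


def android_policy():
    pol = dict(COMMON, displayName="Android – Unmanaged – BYOD")
    pol["@odata.type"] = "#microsoft.graph.androidManagedAppProtection"
    pol["encryptAppData"] = True                                      # Encrypt org data: Require
    pol["disableAppEncryptionIfDeviceEncryptionIsEnabled"] = False   # ...on enrolled devices: Require
    pol["allowedDataStorageLocations"] = ["oneDriveForBusiness", "sharePoint"]
    pol["apps"] = [{"mobileAppIdentifier": {
        "@odata.type": "#microsoft.graph.androidMobileAppIdentifier",
        "packageId": "com.microsoft.office.outlook"}}]
    return pol


def ios_policy():
    pol = dict(COMMON, displayName="iOS – Unmanaged – BYOD")
    pol["@odata.type"] = "#microsoft.graph.iosManagedAppProtection"
    # Assumption: "Encrypt org data: Require" expressed as encryption when the device is locked.
    pol["appDataEncryptionType"] = "whenDeviceLocked"
    pol["apps"] = [{"mobileAppIdentifier": {
        "@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
        "bundleId": "com.microsoft.Office.Outlook"}}]
    return pol


def check_byod(pol):
    """Findings against the BYOD baseline; an empty list means the policy matches."""
    want = {k: v for k, v in COMMON.items() if k != "simplePinBlocked"}
    findings = [f"{k} is {pol.get(k)!r}, expected {v!r}"
                for k, v in want.items() if pol.get(k) != v]
    kind = pol["@odata.type"]
    if kind.endswith("androidManagedAppProtection") and not pol.get("encryptAppData"):
        findings.append("encryptAppData should be True on Android")
    if kind.endswith("iosManagedAppProtection") and pol.get("appDataEncryptionType") in (None, "useDeviceSettings"):
        findings.append("appDataEncryptionType should not fall back to device settings on iOS")
    ids = [a["mobileAppIdentifier"] for a in pol.get("apps", [])]
    if not any("outlook" in (i.get("packageId") or i.get("bundleId") or "").lower() for i in ids):
        findings.append("Outlook is not among the targeted apps")
    return findings


def assignment_body(group_id):
    """Body for the assign action: include the MAM-only group."""
    return {"assignments": [{"target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": group_id}}]}


def _graph_post(url, body, token):
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp) if resp.status != 204 else {}


def create_and_assign(pol, token, group_id=UNMANAGED_GROUP_ID):
    """Create the policy then assign it; token needs DeviceManagementApps.ReadWrite.All."""
    collection = "androidManagedAppProtections" if "android" in pol["@odata.type"] else "iosManagedAppProtections"
    created = _graph_post(f"{GRAPH_BASE}/{collection}", pol, token)
    _graph_post(f"{GRAPH_BASE}/{collection}/{created['id']}/assign", assignment_body(group_id), token)
    return created["id"]


if __name__ == "__main__":
    for pol in (android_policy(), ios_policy()):
        print(pol["displayName"], "findings:", check_byod(pol) or "none")
```

The check function is what a practitioner would re-run after any portal change: each finding names the Graph property, its current value and the baseline value, so a policy that has quietly had Save copies of org data switched back to Allow, or has lost Outlook from its app list, shows up immediately.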

With all that done, let’s try to add the test user’s Office 365 mailbox to Outlook.

To carry on, check out Part 6 in the guide here: