MAM without enrollment and Outlook mobile app

It has been a long time since I posted a blog on my site, so it is time for a new blog post. The Outlook for iOS and Android app was confusing for me, and that's why I made this post to clarify it. Maybe you ran into a problem with Mobile Application Management (MAM) in Microsoft Intune for the Outlook for iOS and Android app. I was one of them and couldn't find the correct information on the Internet about what is supported in the Outlook app and in the native mail app on iOS, Android and Windows 10.

We have 2 different scenarios at this moment. The first is an Exchange 2016 environment which is running on-premises. The second is an Exchange Online environment which is running in the cloud. So how do you manage a BYOD device with MAM in these 2 different scenarios?

App protection policies for the Office mobile apps will only work if they are connected to Office 365 services. App protection policies will not work in the Office mobile apps if you are using an on-premises Exchange, Skype for Business or SharePoint.

With Exchange on-premises you get less functionality than with an Exchange Online environment. Within Microsoft Intune you have the option to choose Conditional Access (CA), App Protection policies (MAM) and Email Profiles.

Then you have 2 different apps to get your email on your mobile (BYOD) device: the Outlook app (which is available for iOS and Android) and the system app, called the native mail app. The functionality of the Outlook app and the native mail app is not the same 1-on-1. Of course this depends on which Exchange version you are using at the moment.

Microsoft Intune has an Exchange Connector to connect your on-premises Exchange with Microsoft Intune. This is required if you want to use Conditional Access (CA). I'm not going further into the configuration of the Exchange Connector in this blog post.

App Protection Policies

The Outlook app supports these policies. The native mail app doesn't support App Protection Policies; only managed apps which are compatible with Mobile Application Management (the Intune SDK has to be integrated in the app) do. With App Protection policies you can limit some functions within the app, like copy/paste to an unmanaged app, saving attachments to local storage and so on.

This works without enrolling the device into Microsoft Intune. The only thing required for this is that on iOS you have to install the Microsoft Authenticator app and on Android you have to install the Microsoft Intune Company app. You don't have to log in to that app.

Outlook for iOS and Android app: Only if you have Office 365/Exchange Online will the policies work on the BYOD device based on Mobile Application Management.

Native mail app: App Protection Policies don't support native mail apps. Mobile Application Management will not work for native mail apps.
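As an added example (not from the original post), this is how an App Protection Policy with the restrictions described above (no copy/paste to unmanaged apps, no saving attachments to local storage, no enrollment required) can be created for the Outlook for iOS app with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and the signed-in account has the DeviceManagementApps.ReadWrite.All permission; the property names follow the Graph iosManagedAppProtection resource, and the display name and description are constructed values.

```powershell
# Added example, not the post's own code. Creates an iOS App Protection Policy
# (MAM) for the Outlook app via Microsoft Graph. Assumes the Microsoft.Graph
# module and the DeviceManagementApps.ReadWrite.All permission.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$policy = @{
    "@odata.type" = "#microsoft.graph.iosManagedAppProtection"
    displayName   = "MAM-WE Outlook iOS (example)"          # constructed name
    description   = "Constructed example, not a production baseline"
    # Copy/paste from Outlook is only allowed into other policy-managed apps
    allowedOutboundClipboardSharingLevel    = "managedApps"
    # Work data (e.g. attachments) can only be shared with managed apps
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedInboundDataTransferSources       = "managedApps"
    # Blocks "Save as" of attachments to local storage
    saveAsBlocked                           = $true
    # Work data is protected by an app PIN and only for the work account
    pinRequired                             = $true
    organizationalCredentialsRequired       = $true
    # Keep work data out of iTunes/iCloud backups
    dataBackupBlocked                       = $true
    # MAM without enrollment: no device compliance (MDM) is required
    deviceComplianceRequired                = $false
    # Target the Outlook for iOS app by its bundle ID
    apps = @(
        @{
            mobileAppIdentifier = @{
                "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                bundleId      = "com.microsoft.Office.Outlook"
            }
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created policy $($created.id); it still has to be assigned to a user group."
```

The policy only applies once it is assigned to a group and the user signs in to Outlook with a work account; without the Authenticator app on iOS the policy will not be applied.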

Email profile auto-setup: 

Email profile auto-setup will not work in the Outlook app, but only in the native mail app, except on older versions of Android and depending on how the device is enrolled. On Android you have 2 different types of MDM: the traditional way and Android for Work. Email profiles will only work if your Android devices are managed with Android for Work and not the traditional way. The only way to use email profiles is to enroll your device in MDM. MAM will not work.

NOTE: Since January 2018 the Outlook for iOS and Android app supports email profile push from Microsoft Intune. Link:

Outlook for iOS and Android app: Email profile will work, but only if the device is enrolled in Microsoft Intune. This is MDM and not MAM (without enrollment). If you are using an Office 365 account, the push is not needed: the account information will be discovered automatically.

Native mail app: Only if the device is enrolled. Based on MAM it will not work.

Conditional Access: 

If you want to use CA you have to enroll your devices into Microsoft Intune, and Microsoft Intune must have a connection with your on-premises Exchange environment. Based on the condition of the device, CA can grant access to the resources. With Exchange Online you can force the user to use the Outlook app instead of the native mail app. If the user sets up his mail account in the native mail app, he will get a message that he must download and use the Outlook app to get his mail. This can be done with MAM without enrollment, but only for Exchange Online, and you have to use modern authentication (which is enabled by default).

Outlook for iOS and Android app: Only if you are using Office 365 can you use Conditional Access in MAM without enrollment. This is only available if Microsoft Intune is connected to the Exchange Online environment.

Native mail app: It will only work if the device is enrolled in Microsoft Intune. This will not work with MAM without enrollment.
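As an added example (not from the original post), this is the Conditional Access policy that forces the Outlook app for Exchange Online on iOS and Android, created with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module and the Policy.ReadWrite.ConditionalAccess permission; the break-glass account ID is a placeholder you have to replace, and the policy starts in report-only mode so you can check the sign-in logs before enforcing it.

```powershell
# Added example, not the post's own code. Creates a Conditional Access policy
# that requires an approved client app (Outlook) for Exchange Online on mobile.
# Assumes the Microsoft.Graph module and Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$caPolicy = @{
    displayName = "Require Outlook app for Exchange Online on mobile (example)"
    # Report-only first: sign-in logs show who would be blocked, nobody is
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Placeholder: object ID of your emergency access account
            excludeUsers = @("<break-glass-account-object-id>")
        }
        # Office 365 Exchange Online service principal (well-known app ID)
        applications = @{
            includeApplications = @("00000002-0000-0ff1-ce00-000000000000")
        }
        platforms = @{ includePlatforms = @("iOS", "android") }
        # Modern authentication clients; the post notes modern auth is required
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        # "Require approved client app": Outlook passes, the native mail app
        # is told to download Outlook instead
        builtInControls = @("approvedApplication")
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($caPolicy | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created CA policy $($created.id) in report-only mode; switch state to 'enabled' after review."
```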

Selective Wipe:

Within Microsoft Intune you have the option to do a (remote) wipe of a device. There are 2 different wipes: a selective wipe and a full wipe. Selective wipe means that Microsoft Intune will only remove corporate data from the device (the personal data stays intact), and full wipe means that Microsoft Intune will reset the device to its factory defaults. To use selective wipe you have to set up an email profile in Microsoft Intune; see the email profile section above. Selective wipe in MAM without enrollment will not work: you have to enroll the device into Microsoft Intune. This also means that you can't use the Outlook app, but only the native mail app.

I have read on Microsoft Docs that all managed apps support selective wipe based on MAM without enrollment. If you have sent the request to do a wipe, the data will be wiped when the user opens the app.

Outlook for iOS and Android app: Based on MAM without enrollment you can do a selective wipe of the app. The data will be wiped from that specific app. For Outlook only the corporate mail will be removed and the personal mailbox will stay intact on the device.

Native mail app: Only if the device is enrolled. Then you can do a selective wipe or a full wipe. The selective wipe will not only remove the mail: everything corporate-related will be removed from the device.

The best of both worlds is to use MDM with MAM policies if you are not using Exchange Online but only the on-premises version.
