Deployment guide: Mobile Application Management (MAM) for unenrolled devices in Microsoft Intune

MAM for unenrolled devices uses app configuration profiles to deploy or configure apps on devices without enrolling the device. When combined with app protection policies, you can protect data within an app.

MAM for unenrolled devices is commonly used for personal or bring your own devices (BYOD). Or, used for enrolled devices that need extra security. MAM is an option for users who don't enroll their personal devices, but still need access to organization email, Teams meetings, and more.

MAM is available on the following platforms:

This article provides recommendations on when to use MAM. It also includes an overview of the administrator and user tasks. For more specific information on MAM, go to:

Microsoft Intune app management
Data protection for Windows MAM

This guide is a living thing. So, be sure to add or update existing tips and guidance you've found helpful.

Before you begin

For an overview, including any Intune-specific prerequisites, see Deployment guidance: Enroll devices in Microsoft Intune.

MAM

Use for personal or bring your own devices (BYOD). Or, use on organization-owned devices that need specific app configuration, or extra app security.

Feature	Use this enrollment option when
You want to configure specific apps, and control access to these apps, such as Outlook or Microsoft Teams.	✅
Devices are personal or BYOD.	✅
You have new or existing devices.	✅
Need to manage a few devices, or a large number of devices (bulk enrollment).	✅
Devices are associated with a single user.	✅
Devices are managed by another MDM provider.	✅
You use the device enrollment manager (DEM) account.	✅
Devices are owned by the organization or school.	❌

MAM administrator tasks

This task list provides an overview. For more specific information, see Microsoft Intune app management.

Be sure your devices are supported.
In the Intune admin center, add your apps or configure your apps. When the apps are on the device, the apps are considered "managed" by Intune. After you add or configure the app, create an app protection policy. For example, create a policy that allows or blocks features within the app, such as copy and paste.
Tell users how to get different apps. For example, you can:
- Direct users to the Company Portal web site at portal.manage.microsoft.com . When they sign in with their organization credentials, they see a list of apps, including required apps. They can get apps from this site.
- Have users download and install the Company Portal app from the app store. Once authenticated, users can install apps, including required apps.
MAM end user tasks

The specific tasks depend on how you tell users to install the apps.
- To install the apps, users can:
  - Go to the app store, and download the Company Portal app. Open the Company Portal app, and sign in with their organization credentials ( user@contoso.com ). The Company Portal app authenticates the user. Users see a list of available apps, including required apps.
  - Go to the Company Portal web site at portal.manage.microsoft.com , and sign in with their organization credentials ( user@contoso.com ). After users sign in, they see a list of available apps, including required apps.
  - Go to the app store, and download the apps they need. This option is for users who don't want to use the Company Portal app or web site. End users might also have to buy the app.
  Related articles
  - Android enrollment guide
  - iOS/iPadOS enrollment guide
  - Linux enrollment guide
  - macOS enrollment guide
  - Windows enrollment guide

Deployment guide: Mobile Application Management (MAM) for unenrolled devices in Microsoft Intune

Before you begin

MAM

MAM administrator tasks

MAM end user tasks

Related articles