Intune: MAM Policies For On-Premises Exchange

Mobile application management (MAM) policies are an exciting way to manage devices. Microsoft Intune has offered this relatively new feature for a while now, even calling the process “no enrollment management.” That’s because the best part about MAM is that users do not have to enroll their device. Within the Microsoft ecosystem, when a user authenticates to a compatible MAM-enabled Microsoft mobile app, the MAM policies automatically kick in without the user having to do anything else. Mobile apps like Outlook can be protected to require a PIN and prevent copy-paste, and can even be completely wiped from a device without impacting any personal data.

Before this month, there was a huge catch with Intune MAM: it was only available to companies using Exchange Online. As of this month, however, Microsoft has made MAM policies available for on-premises Exchange mailboxes. Microsoft released a blog post this month outlining the next steps and how it expects this to work:


  1. Exchange on-premises setup. Exchange Server 2016 and 2013 are supported. All other versions of Exchange must be completely removed from the environment.
  2. Active Directory synchronization. Active Directory synchronization of the entire on-premises directory with Azure Active Directory, via Azure AD Connect.
  3. Exchange hybrid setup. Requires a full hybrid relationship between Exchange on-premises and Exchange Online.
  4. Intune setup. Both cloud-only and hybrid deployments of Intune are supported (MDM for Office 365 is not supported).
  5. Office 365 licensing.
  6. EMS licensing.
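
Requirement 1 is the one most likely to be missed, because a single leftover legacy server breaks it. The following PowerShell sketch is an added example, not code from Microsoft's blog post: it flags any server whose version is not Exchange 2013 (15.0) or 2016 (15.1). The function name, server names and inventory are constructed for illustration.

```powershell
# Added example: checks requirement 1 (only Exchange Server 2013 and 2016 may remain).
# Test-ExchangeMamVersion is a hypothetical helper name, not a built-in cmdlet.
function Test-ExchangeMamVersion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Server
    )
    process {
        # AdminDisplayVersion is a version object in the local Exchange Management Shell
        # and a string such as "Version 15.1 (Build 1531.3)" over remote PowerShell,
        # so work from its string form in both cases.
        $text = [string]$Server.AdminDisplayVersion
        if ($text -match '(\d+)\.(\d+)') {
            $major = [int]$Matches[1]
            $minor = [int]$Matches[2]
            # 15.0 = Exchange 2013, 15.1 = Exchange 2016; everything else fails the check.
            $supported = ($major -eq 15 -and $minor -in 0, 1)
            $reason = if ($supported) { 'Exchange 2013/2016' }
                      else { 'not a listed version; must be removed' }
        }
        else {
            # Fail closed: an unreadable version is treated as unsupported.
            $supported = $false
            $reason = 'version string could not be parsed'
        }
        [pscustomobject]@{
            Name      = $Server.Name
            Version   = $text
            Supported = $supported
            Reason    = $reason
        }
    }
}

# Constructed sample inventory (hypothetical server names and builds).
# Against a real organization, pipe the output of Get-ExchangeServer instead.
$inventory = @(
    [pscustomobject]@{ Name = 'EX16-01'; AdminDisplayVersion = 'Version 15.1 (Build 1531.3)' }
    [pscustomobject]@{ Name = 'EX13-01'; AdminDisplayVersion = 'Version 15.0 (Build 1395.4)' }
    [pscustomobject]@{ Name = 'EX10-01'; AdminDisplayVersion = 'Version 14.3 (Build 123.4)' }
)

$report = $inventory | Test-ExchangeMamVersion
$report | Format-Table -AutoSize
if ($report.Supported -contains $false) {
    Write-Warning 'At least one Exchange server must be removed before MAM for on-premises mailboxes can be used.'
}
```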