Intune: Deploy Apps To Unenrolled Mobile Devices

In case you missed it, last month Microsoft released a great new feature: You can now deploy apps to mobile devices without needing the device enrolled!

To make use of this feature, your Intune tenant must be migrated to the new Azure portal experience – If you don't see the intune bits in your Azure portal, check the office365 messaging centre because it's possible your migration is blocked due to a blocking configuration and it might need some work from you to complete.

To deploy an app to the Enterprise App Store simply select an existing app in the Azure Portal (Microsoft Intune > Mobile Apps – Apps) then assign the app to an Azure AD user group as Available with or without enrollment.

Now users in that assignment group can go to on any of their devices and install the application without needing the device to be enrolled in Intune.

User Experience

Update 19/10/2017 : Now (as of October 2017) you can optionally use the company portal app on Android to download and install your company LOB apps. The company portal app has been updated so that it wont prompt users to enroll if a LOB app is configured to not require enrollment.

User goes to and signs in with corporate credentials

User sees the curated list of work apps that have been published as Ávailable with or without enrolment

For apps linked to the public stores, users click "View in Store" option.

Line of business (LOB) apps that have been uploaded to the store can be installed directly.


If your testing this with a device that has been previously enrolled in MDM via the company portal app you might get an error when trying to install the app: "The device is no longer available."

All you have to do is clear the browser cookies or use in-private mode to get around this.

Comments (8)

  1. Mark RIley says:

    We’ve deployed an LOB app without enrollment, but it the installation is not reflected in the portal. We are trying to test the ability to selectively wipe the app. Is it correct that we should see they app in the portal with ability to selectively wipe from the unenrolled device

    1. Hi Mark,
      There currently isn’t any report showing downloads from unenrolled devices.
      Selective wipe for the app is only available if your app is integrated with the intune sdk . Similarly, if you integrate the sdk into your app, or wrap it with the intune app wrapping tool, you will be able to get usage
      (user check-in) reports in addition to the app protection benefits.

  2. Hi.

    I’ve assigned the app “pages” (apple Inc) to user groups in Intune. I’ve checked the Azure AD group and the members are all there. However, when a user logs on to the Company Portal app, there are no available apps there. What have I missed?

    1. Hey Daniel,

      “when a user logs on to the Company Portal app”. Please note that the option to download apps on unenrolled devices is limited to the web browser experience (Except in the case of Android where it is now possible to browse and download within the Company Portal mobile app.

  3. Hi,

    We have successfully deployed an iOS LOB app in the company portal but after downloading the app in the device and login in with valid user credentials we are getting the error “Account Not Set Up” – “This app has not been set up for you to use. Contact your IT administrator for help.”, and the applications closes after that.
    Any clue of what could be happening?

    Many thanks

    1. Hi Javier,
      That message sounds like the App has been wrapped with the Intune App Wrapping tool but you have not assigned any App Protection Policies to the user. If thats the case, you just need to go create an App protection policy for the LOB app and then assign it to your users.

      1. Hi Scott,

        Thanks for your answer, the application has been wrapped actually with Cordova Plugin and there is also already an App Protection Policy in place for the user. So I really don’t know what else could be checked.

        Best regards

Skip to main content