Add app configuration policies for managed apps without device enrollment

You can use app configuration policies with managed apps that support the Intune App SDK, even on devices that are not enrolled.

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Choose Apps > App configuration policies > Add > Managed apps.

  3. On the Basics page, set the following details:

    • Name: The name of the profile that will appear in the portal.
    • Description: The description of the profile that will appear in the portal.
    • Device enrollment type: Managed apps is selected.
  4. Choose either Select public apps or Select custom apps to choose the app that you are going to configure. Select the app from the list of apps that you have approved and synchronized with Intune.

  5. Click Next to display the Settings page.

  6. The Settings page provides options that are displayed based on the app that you're configuring:

    • General configuration settings - For each general configuration setting that the app supports, type the Name and Value.

      Intune App SDK-enabled apps support configurations in key/value pairs. To learn more about which key-value configurations are supported, consult the documentation for each app. Note that you can use tokens that will be dynamically populated with data generated by the application. To delete a general configuration setting, choose the ellipsis (...) and select Delete. For more information, see Configuration values for using tokens.

    • Outlook configuration settings - Outlook for iOS and Android offers administrators the ability to customize the default configuration for several in-app settings. For more information, see Outlook for iOS and Android - General app configuration scenarios.

    • S/MIME - Secure Multipurpose Internet Mail Extensions (S/MIME) is a specification that allows users to send and receive digitally signed and encrypted emails.

      • Enable S/MIME - Specify whether or not S/MIME controls are enabled when composing an email. Default value: Not configured.
      • Allow user to change setting - Specify if the user is allowed to change the setting. S/MIME must be enabled. Default value: Yes.

    For information about Outlook app configuration policy settings, see Deploying Outlook for iOS and Android app configuration settings.

  7. Click Next to display the Assignments page.

  8. Click Select groups to include.

  9. Select a group in the Select groups to include pane and click Select.

  10. Click Select groups to exclude to display the related pane.

  11. Choose the groups you want to exclude and then click Select.


    When adding a group, if any other group has already been included for a given assignment type, it is pre-selected and unchangeable for other include assignment types. Therefore, a group that has already been used cannot be used as an excluded group.

  12. Click Next to display the Review + create page.

  13. Click Create to add the app configuration policy to Intune.

Configuration values for using tokens

Intune can generate certain tokens and send them to the managed application. For example, if your app configuration can use an email setting, you can add a dynamic email by using a token. Type the name expected by the app in the Name field, and then type {{mail}} in the Value field.

Intune supports the following token types in the configuration settings. Other custom key/value pairs are not supported.

  • {{userprincipalname}}—for example,
  • {{mail}}—for example,
  • {{partialupn}}—for example, John
  • {{accountid}}—for example, fc0dc142-71d8-4b12-bbea-bae2a8514c81
  • {{userid}}—for example, 3ec2c00f-b125-4519-acf0-302ac3761822
  • {{username}}—for example, John Doe
  • {{PrimarySMTPAddress}}—for example,


The {{ and }} characters are used by token types only and must not be used for other purposes.
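
The following check is an added example, not part of the original documentation or of Intune itself: it lints a set of key/value settings before they are typed into the Settings page, flagging tokens that are not in the list above and any `{{` or `}}` used outside a token. It assumes token names must match the spelling shown on this page exactly; the setting names in the sample are hypothetical.

```python
import re

# Token names exactly as listed on this page (assumption: matching is exact).
SUPPORTED_TOKENS = {
    "userprincipalname", "mail", "partialupn", "accountid",
    "userid", "username", "PrimarySMTPAddress",
}

# A well-formed token is anything between a "{{" and the next "}}".
TOKEN_RE = re.compile(r"\{\{(.*?)\}\}")


def lint_value(value):
    """Return a list of problems found in one configuration value."""
    problems = []
    for name in TOKEN_RE.findall(value):
        if name not in SUPPORTED_TOKENS:
            problems.append(f"unsupported token {{{{{name}}}}}")
    # Replace well-formed tokens with a space so that removing one cannot
    # glue neighbouring braces together; any "{{" or "}}" left is stray.
    remainder = TOKEN_RE.sub(" ", value)
    if "{{" in remainder or "}}" in remainder:
        problems.append("stray '{{' or '}}' outside a token")
    return problems


def lint_settings(settings):
    """Map each setting name to its problems; clean settings are omitted."""
    report = {}
    for name, value in settings.items():
        problems = lint_value(value)
        if problems:
            report[name] = problems
    return report


# Constructed sample settings; the key names are hypothetical.
SAMPLE = {
    "com.example.email": "{{mail}}",
    "com.example.greeting": "Hello {{username}}",
    "com.example.dept": "{{department}}",   # not a token listed on this page
    "com.example.template": "{{mail",       # unterminated token
    "com.example.case": "{{Mail}}",         # spelling differs from the list
}

if __name__ == "__main__":
    for key, problems in lint_settings(SAMPLE).items():
        print(key, "->", "; ".join(problems))
```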

Next steps

Continue to assign and monitor the app as usual.