Yes, thats true, the device does not receive a policy.
But a user can easily manual create a mail account on the device to sync to eas.
He sees all the information in the mailaccount from the policy on a managed device (exchange server address, username, domain)
So he has all the information to create an acccount be himself. without knowing of mobile management the this other device sync the company mails
Is this a security leak? How do you solve this?