The strict answer to your question "can I apply no policy?" is no.
So next we have to look at what the user thinks the policy is. Does he not want to get the security pop-up when adding the account? Then don't enable any of the options that cause that pop-up.
The individual settings within ActiveSync policies fall into two categories: those that affect only the mail client, and those that affect the whole device. Only the ones that affect the whole device result in a security prompt.
To make your user happy, create another ActiveSync policy just for him and apply it. Provided that you don't configure anything that requires system-level security changes, such as password rules and remote wipe, then he won't get the security prompt when the account is set up on the tablet.
Update to make my answer closer to reality:
If the device supports remote wipe, there is no way to suppress the security prompt for remote wipe.
- During the initial ActiveSync setup, Exchange asks the client "do you support remote wipe?"
- If the device supports remote wipe, Exchange requires it.
- If the device does not support remote wipe, then the "Allow non-provisionable devices" option is consulted.
  - If checked, the device is allowed.
  - If not checked, the device is denied a partnership. The phone will either return an error or just show an empty inbox.
There is no way to stop Exchange from asking if it supports remote wipe.
Update after you posted the pic:
You are not going to be able to get rid of that security prompt.
My Android phone will only display the security prompt for capabilities requested by the assigned policy. If the policy changes, I'll get a new prompt.
My boss's phone will display the security prompt with all of the security features it supports. When the policy changes, she does not get a new prompt.
So you are fighting two problems, neither of which you will be able to change:
- There is no way to stop Exchange from asking a device if it supports remote wipe.
- It appears that your device prompts for all of the security capabilities it supports, regardless of what the Exchange server asks for.
Right-click the user mailbox in the EMC and choose Properties, then Mailbox Features, highlight Exchange ActiveSync and choose Properties.
Exchange PowerShell:
Get-CASMailbox -Identity <mailboxID> | fl name, active*
That will provide you "better" info, but if you want just the policy:
Get-CASMailbox -Identity <mailboxID> | fl name, ActiveSyncMailboxPolicy
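The per-user policy suggested in the first answer, verified with the Get-CASMailbox command from the answer above, as an added example that is not code from any of the posters. It assumes the Exchange 2010 Management Shell; the policy name, the mailbox identity and the choice of which settings count as device-level are assumptions.

```powershell
# Added example; run in the Exchange Management Shell.
# 'Tablet-NoDeviceLock' and 'jdoe' are placeholder names, not values from the thread.
$policyName = 'Tablet-NoDeviceLock'
$mailbox    = 'jdoe'

# Settings assumed here to be the device-level ones (password rules, encryption)
# that make the client show a security prompt.
$deviceLevel = 'DevicePasswordEnabled',
               'AlphanumericDevicePasswordRequired',
               'RequireDeviceEncryption',
               'RequireStorageCardEncryption'

# 1. Review which existing policies already enforce device-level settings.
Get-ActiveSyncMailboxPolicy |
    Format-Table -Property (@('Name') + $deviceLevel) -AutoSize

# 2. Create a separate policy with those settings turned off, if it does not exist yet.
#    AllowNonProvisionableDevices is left at its default on purpose.
if (-not (Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy -Name $policyName `
        -DevicePasswordEnabled $false `
        -AlphanumericDevicePasswordRequired $false `
        -RequireDeviceEncryption $false `
        -RequireStorageCardEncryption $false
}

# 3. Assign the policy to this one mailbox only; everyone else keeps their policy.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# 4. Confirm the assignment.
Get-CASMailbox -Identity $mailbox | Format-List Name, ActiveSyncMailboxPolicy
```

As the first answer's update notes, a device that supports remote wipe will still show that prompt regardless of this policy.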
Best Answer
Further research and trial-and-error troubleshooting have confirmed that if, as stated in my question, the solution must not result in using a non-stock e-mail app on the Galaxy S5 phone, it's not possible to use the fingerprint scanner without disabling the password requirement on the Exchange Server. So the answer is, "it can't be done" (without using a different e-mail app).