
Mobile Application Management for Windows: Complete Microsoft Intune Setup Guide

Every good organization manages its devices with Microsoft Intune and applies the necessary security, but what about data on unmanaged devices that you have no control over, the Bring Your Own Device (BYOD) case? How do you deal with this as an organization? Do you block access to data via Conditional Access policies, or do you simply ignore it? Many customers do not really consider this scenario and have no control over company data on unmanaged Windows devices. Mobile Application Management for Windows is the solution here. Take control of your data on unmanaged devices now!

In my blog post “Protect your corporate data on unmanaged devices with Mobile Application Management in Microsoft Intune”, I already showed you how to do this on Android Enterprise and iOS devices. In this blog post, I will show you how to do this for Windows using Microsoft Intune.

MDM Hardening

The first thing we need to do is block the enrollment of personal devices, so that no device gets enrolled during the MAM process.

Go to Microsoft Intune admin center | Devices | Enrollment | Device platform restrictions and make sure personally owned devices are blocked from enrollment into Microsoft Intune.

Windows Security Center

The Windows Security Center connection gives App Protection Policies a trusted, local device health signal on unmanaged devices. Microsoft Intune uses that signal in Conditional Access to decide whether to grant a protected session (e.g., in Microsoft Edge) and to enforce health-based policy actions, without requiring the device to be enrolled in Microsoft Intune.

Go to Microsoft Intune admin center | Tenant administration | Connectors and tokens | Mobile Threat Defense and choose Create. Under Select the Mobile Threat Defense connector to setup, choose Windows Security Center, and select Create.

You’ll notice that the Status will show Not set up; this will change to Enabled once the first MAM enrollment takes place.

Conditional Access

The first thing we need for our configuration is a Conditional Access policy. With this policy, we make it mandatory to use an App Protection Policy to access our data.

Go to Microsoft Entra admin center | Entra ID | Conditional Access and choose Create new policy.

Create a policy with the following settings, and choose Create.

  • Name: CA-USR-WIN-RequireAppProtectionPolicy
  • Assignment | Users or agents (preview): Include | All Users or Specific User Group; Exclude | Breakglass Accounts
  • Assignment | Target Resource: Select resources | Office 365
  • Assignment | Conditions: Device Platform | Windows; Client apps | Browser
  • Access Controls | Grant: Grant Access | Require app protection policy | Require all the selected controls
  • Enable Policy: On
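The policy above, expressed in the JSON shape that Microsoft Graph uses for a conditionalAccessPolicy, together with a small audit that checks whether a policy object actually forces an App Protection Policy for browser sessions on Windows. This is an added example, not code from the original post or from Microsoft; the Graph field names follow the public conditionalAccessPolicy schema (Require app protection policy is the built-in control compliantApplication, and Require all the selected controls is operator AND), and the break-glass group id is a placeholder to replace with your own. The audit goes slightly beyond the post by flagging two near-miss misconfigurations: a report-only policy and a grant with operator OR, either of which leaves the MAM requirement unenforced.

```python
import copy

# Placeholder: replace with the object id of your break-glass accounts group.
BREAKGLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"

# The policy from the post, in Graph's conditionalAccessPolicy JSON shape.
# "Require app protection policy" is the built-in control "compliantApplication";
# "Require all the selected controls" is grantControls.operator = "AND".
CA_REQUIRE_APP_PROTECTION = {
    "displayName": "CA-USR-WIN-RequireAppProtectionPolicy",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": [BREAKGLASS_GROUP_ID]},
        "applications": {"includeApplications": ["Office365"]},
        "platforms": {"includePlatforms": ["windows"], "excludePlatforms": []},
        "clientAppTypes": ["browser"],
    },
    "grantControls": {"operator": "AND", "builtInControls": ["compliantApplication"]},
}


def audit_windows_mam_policy(policy: dict) -> list[str]:
    """Check that a CA policy forces an App Protection Policy for Windows browser sessions.

    Returns a list of findings; an empty list means the policy matches the intended design.
    """
    findings = []
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}

    # Report-only and disabled policies evaluate but never block.
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}; report-only or disabled policies do not enforce")

    platforms = cond.get("platforms") or {}
    included = platforms.get("includePlatforms") or []
    if "windows" not in included and "all" not in included:
        findings.append("Windows is not an included device platform")
    if "windows" in (platforms.get("excludePlatforms") or []):
        findings.append("Windows is explicitly excluded")

    client_apps = cond.get("clientAppTypes") or []
    if "browser" not in client_apps and "all" not in client_apps:
        findings.append("browser sessions are not in scope, so Chrome/Edge access is not evaluated")

    apps = (cond.get("applications") or {}).get("includeApplications") or []
    if "Office365" not in apps and "All" not in apps:
        findings.append("Office 365 is not a targeted resource")

    users = cond.get("users") or {}
    if "All" not in (users.get("includeUsers") or []) and not users.get("includeGroups"):
        findings.append("no users or groups are in scope")

    controls = grant.get("builtInControls") or []
    if "compliantApplication" not in controls:
        findings.append("grant does not require an app protection policy (compliantApplication)")
    elif len(controls) > 1 and grant.get("operator") != "AND":
        # With OR, satisfying any one control (e.g. MFA) grants access without MAM.
        findings.append("operator is not AND, so another control can satisfy the grant without app protection")

    return findings


def weakened_variants() -> dict[str, dict]:
    """Two constructed misconfigurations that look close to the intended policy but do not enforce it."""
    report_only = copy.deepcopy(CA_REQUIRE_APP_PROTECTION)
    report_only["state"] = "enabledForReportingButNotEnforced"

    any_control = copy.deepcopy(CA_REQUIRE_APP_PROTECTION)
    any_control["grantControls"] = {
        "operator": "OR",
        "builtInControls": ["compliantApplication", "mfa"],
    }
    return {"report_only": report_only, "any_control": any_control}


if __name__ == "__main__":
    print("intended policy:", audit_windows_mam_policy(CA_REQUIRE_APP_PROTECTION) or "OK")
    for name, variant in weakened_variants().items():
        print(f"{name}:", audit_windows_mam_policy(variant))
```

The same audit can be run against policies retrieved from your tenant (for example the output of Get-MgIdentityConditionalAccessPolicy converted to JSON), which is a quick way to confirm that the policy created in the portal still has the grant and platform scope you intended after later edits.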

App Protection

Go to the Microsoft Intune admin center | Apps | Windows | Protection, choose Create, and then choose Windows.

Give the following settings, and choose Next.

  • Name: WIN – USR – App Protection Policy
  • Description: App Protection Policy for Mobile Application Management on unmanaged Windows Devices.

On the Apps screen, choose Select apps and go for Microsoft Edge (it’s the only option). Then choose Next.

In the Data Protection screen, choose the following settings, and choose Next.

For Health Checks, configure the following, and choose Next.

At the Assignment screen, choose the user group you want to assign the App Protection policy to. In my case, I chose the group with all my licensed users in it. Select your group and choose Next.

Review your settings in the next screen and choose Create.

Our App Protection policy is ready to use.

User Experience

When we open Google Chrome on an unmanaged device and go to https://www.microsoft365.com, we get the message below after signing in. Notice the Launch in Edge button.

If we now launch Microsoft Edge on the same device and sign in on https://www.microsoft365.com, we receive a different message saying we need to sign in to our Edge profile with our Work Account. Choose Switch Edge profile.

In the next screen, choose Sign in to sync data to get started.

On the next screen, choose Yes. In the Allow your organization to manage your device dialog, make sure to choose No to avoid your device being enrolled in Microsoft Intune. If you configured the platform restrictions, this enrollment will fail anyway.

Now let’s set up our profile. Do you notice the title and URL in the profile screen that opened up? This means your Mobile Application Management setup is active. Choose Continue to get started.

You just need to Turn on sync in the browser, and you are ready to go!

Admin Experience

What can you do as an administrator to follow up on this? If we now go to the overview of our App Protection policy, we see that one user has checked in on Microsoft Edge.

If we now check our Windows Security Center status, you’ll see that our status is set to Enabled.

By enabling Mobile Application Management for Windows, you restrict access to data via a managed browser such as Microsoft Edge and block this access from other browsers on unmanaged devices. In my honest opinion, this feature should be enabled by default once you start using Microsoft Intune.