With the release of Windows 10 Creators Update there have been many enhancements to Windows 10. For this post, I’ll focus on an expanded feature that is only available in version 1703 (i.e. Creators Update).
In Windows 10 version 1607 we released Windows Information Protection (WIP), where devices enrolled with Microsoft Intune (or SCCM) receive policies that protect corporate application content from data leaks. In Windows 10 1703 (i.e. Creators Update) a new feature called Mobile Application Management, or MAM, is available. If you are familiar with Intune MAM policies for iOS and Android, we have brought similar functionality to Windows 10 Creators Update for non-managed devices, often called MAM without enrollment (MAM-WE). This means that a non-managed device, such as a home user's PC running Creators Update, can access corporate data without risking data leakage, because the MAM policy prevents cutting and copying corporate data into unmanaged applications.
Prerequisites
- Intune licenses
- Global Admin for Azure Active Directory
- Windows 10 Creators Update (any edition)
Configuring Azure AD and Intune
- Navigate to portal.azure.com from a browser
- Select Azure Active Directory
- Select Mobility (MDM and MAM)
- Add or select Microsoft Intune
Verify that the settings look similar to those in the image below, and add a group under the MAM user scope so that the policies flow to the proper individuals:
Note: if the MAM Discovery URL is missing, select “Restore default MAM URLs”
From the Azure portal locate the Intune Mobile Application Management (MAM) service. It will look similar to the following:
Select “App Policy” and “Add a policy” at the top. Give the policy a name and select Windows 10 under Platform.
Now we need to configure what apps the MAM policy will apply to. Do this by selecting “Allowed apps” and then “Add app” at the top of the blade:
Fortunately, many Microsoft applications are already published to select from; for the purposes of this post I am going to select Microsoft Edge, Notepad, and IE11. The apps in this list are what we call "enlightened apps": apps that are aware of WIP/MAM policies and can tell corporate data from personal data. Refer to the links at the end of this post for how non-enlightened apps are supported.
Note: for custom apps, desktop apps, etc. that need to be added, the publisher, product name and file name that the policy requires are easily found using AppLocker via the Local Group Policy Editor on a device where the apps are installed. More details: https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/app-behavior-with-wip
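The same app identity information can be collected from a PowerShell prompt instead of the Local Group Policy Editor. The script below is an added example, not code from the original post: it uses the AppLocker cmdlets that ship with Windows to read the publisher, product name and binary name of signed desktop apps, and Get-AppxPackage for Store apps. The file paths and the package name are assumptions; substitute the apps you intend to protect.

```powershell
# Added example (not from the original post): gather the identity fields that an
# Intune WIP/MAM app entry needs, using the AppLocker cmdlets that ship with Windows.
# Desktop apps need Publisher, Product name and File name (binary name);
# Store (UWP) apps need Publisher and Product name (the package name).
# Paths and package names below are assumptions; adjust for the apps you protect.

Import-Module AppLocker

# Desktop (Win32) apps: identities come from the file's Authenticode signature.
$desktopApps = @(
    "$env:SystemRoot\System32\notepad.exe",
    "$env:ProgramFiles\Internet Explorer\iexplore.exe"
)

$desktopApps | ForEach-Object {
    $info = Get-AppLockerFileInformation -Path $_
    if (-not $info.Publisher) {
        # Unsigned binaries have no publisher identity and cannot be added this way.
        Write-Warning "$_ is not signed; it cannot be added as a publisher-based app entry."
        return
    }
    [pscustomobject]@{
        Type        = 'Desktop'
        Publisher   = $info.Publisher.PublisherName   # e.g. O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
        ProductName = $info.Publisher.ProductName     # e.g. MICROSOFT® WINDOWS® OPERATING SYSTEM
        FileName    = $info.Publisher.BinaryName      # e.g. NOTEPAD.EXE
        MinVersion  = $info.Publisher.BinaryVersion   # optional lower bound for the policy entry
    }
}

# Store apps: identity is the package publisher plus the package name.
Get-AppxPackage -Name 'Microsoft.MicrosoftEdge' | ForEach-Object {
    [pscustomobject]@{
        Type        = 'Store'
        Publisher   = $_.Publisher   # e.g. CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
        ProductName = $_.Name        # e.g. Microsoft.MicrosoftEdge
        FileName    = ''             # not used for Store apps
        MinVersion  = $_.Version
    }
}
```

Copy the Publisher, ProductName and FileName values exactly as reported (including case and the ® character) into the app entry in the Intune policy; a mismatch means the policy silently does not apply to that app.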
After selecting apps from the list (in my case Notepad, Edge, and IE11), we need to configure what happens when protected data is moved from those apps to non-protected environments (e.g. WordPad).
Select "Required settings" from the policy. The only change I made is to select "Allow Overrides", which means the user will be prompted when they attempt to move corporate data outside of a managed app and can choose to proceed (very similar to how MAM works with iOS and Android). The other modes are Block, Silent (allow and log without prompting) and Off:
Now move to "Advanced settings", where there are a number of options to further restrict and identify boundaries (network domains, IP ranges, proxies and cloud resources). For this post I will keep it simple by adding a cloud resource as a network boundary, in this case SharePoint Online, and turning on "Show the enterprise data protection icon" for the protected enlightened apps:
Note: once the service and client are configured you may encounter site access issues; to remediate, append the string |/*AppCompat*/ (without quotes) to the end of the cloud resource URL string. More details here: https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/app-behavior-with-wip
Once the boundaries are set and saved, we need to assign the policy to a group of users. Feel free to create any group you want in Azure AD; I created one called MAM-WE_Users:
Note: users may be dynamically assigned to Azure AD groups as well for auto assignment to apps, licenses, etc., more details here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-groups-with-advanced-rules
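The portal steps above can also be expressed as a single API call, which is useful when you need the same policy in several tenants or want it under version control. The script below is an added example and not code from the original post, which uses the portal: it builds the policy described here (Edge, Notepad and IE11 as protected apps, "Allow Overrides" as the mode, the icon enabled, SharePoint Online plus the /*AppCompat*/ entry as the cloud resource) and posts it to the Microsoft Graph beta endpoint for WIP-without-enrollment policies, then assigns it to a group. It assumes $token already holds a Graph access token with app-management rights, $groupId is the object ID of the Azure AD group (e.g. MAM-WE_Users), and that contoso.com / contoso.sharepoint.com stand in for your tenant. The property names follow the Graph beta windowsInformationProtectionPolicy resource as I know it; verify them against the current reference before relying on this in production.

```powershell
# Added example (not from the original post): create the WIP-WE policy through the
# Microsoft Graph beta endpoint and assign it to a user group.
# Assumptions: $token is a valid Graph access token, $groupId is the target group's
# object ID, and contoso.com / contoso.sharepoint.com are placeholders for the tenant.
# Property names follow the Graph beta windowsInformationProtectionPolicy resource;
# check them against the current reference before using this in production.

$graph   = 'https://graph.microsoft.com/beta'
$headers = @{ Authorization = "Bearer $token" }

$policy = @{
    '@odata.type'    = '#microsoft.graph.windowsInformationProtectionPolicy'
    displayName      = 'WIP-WE Creators Update'
    # "Allow Overrides" in the portal: the user is prompted and the choice is audited.
    enforcementLevel = 'encryptAuditAndPrompt'
    enterpriseDomain = 'contoso.com'          # "Corporate identity" in the portal
    iconsVisible     = $true                  # "Show the enterprise data protection icon"
    protectedApps    = @(
        @{ '@odata.type' = '#microsoft.graph.windowsInformationProtectionStoreApp'
           displayName   = 'Microsoft Edge'
           publisherName = 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
           productName   = 'Microsoft.MicrosoftEdge' },
        @{ '@odata.type' = '#microsoft.graph.windowsInformationProtectionDesktopApp'
           displayName   = 'Notepad'
           publisherName = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US'
           productName   = 'MICROSOFT® WINDOWS® OPERATING SYSTEM'
           binaryName    = 'NOTEPAD.EXE' },
        @{ '@odata.type' = '#microsoft.graph.windowsInformationProtectionDesktopApp'
           displayName   = 'Internet Explorer 11'
           publisherName = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US'
           productName   = 'INTERNET EXPLORER'
           binaryName    = 'IEXPLORE.EXE' }
    )
    # Cloud resource boundary, including the /*AppCompat*/ entry from the note above.
    enterpriseProxiedDomains = @(
        @{ displayName    = 'SharePoint Online'
           proxiedDomains = @(
               @{ ipAddressOrFQDN = 'contoso.sharepoint.com' },
               @{ ipAddressOrFQDN = '/*AppCompat*/' }
           ) }
    )
}

$created = Invoke-RestMethod -Method Post `
    -Uri "$graph/deviceAppManagement/windowsInformationProtectionPolicies" `
    -Headers $headers -ContentType 'application/json' `
    -Body ($policy | ConvertTo-Json -Depth 10)

# Assign the policy to the user group; WIP-WE policies target users, not devices.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId } }
    )
}
Invoke-RestMethod -Method Post `
    -Uri "$graph/deviceAppManagement/windowsInformationProtectionPolicies/$($created.id)/assign" `
    -Headers $headers -ContentType 'application/json' `
    -Body ($assignment | ConvertTo-Json -Depth 10)
```

Keeping the policy as a script like this also makes the "executives may override, contractors are blocked" split described later a matter of duplicating the object, changing enforcementLevel to encryptAuditAndBlock, and assigning it to a different group.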
The end user needs to attach their non-managed (e.g. personal) Windows device running Creators Update to their workplace by opening "Settings", then "Accounts", then "Access work or school", and selecting "Connect" as shown below.
Note: Non admin users may enroll in MAM.
The user is then prompted to sign in with their corporate account (i.e. O365, Azure AD, Intune, etc. as available) as shown below. Do not choose the options to join Azure AD or a local AD domain; those are typically used only for corporate-issued or corporate-owned devices.
To summarize, there are two steps: add your email address and select Next.
Once the account is verified and the device is registered, select the account and then "Info":
The "Info" button shows the last time the device successfully synced. Also make sure the Management Server Address is populated. Keep this in mind: it is the first place to check when a policy does not seem to reach the device.
End User Experience
Because I am protecting ".cbenterprisemobility.sharepoint.com" and selected both IE11 and Edge (both are enlightened apps), when I navigate to that site a little briefcase icon shows up. When I navigate away from the site, the briefcase goes away.
For example, when I download a file from SharePoint Online it carries a little briefcase on the file icon, and the "File ownership" column in Explorer shows who owns the file. Additionally, the MAM policy can specify either a custom EFS data recovery agent (DRA) certificate or an Azure Information Protection template (RMS) for protecting files.
When I open the file in a managed app (e.g. Notepad), because the file is protected by policy the app shows that it is managed by displaying a briefcase icon on the app itself:
Clicking on the briefcase icon we see the following:
When I attempt to cut or copy from the file, or even open it in an unmanaged app such as WordPad, I receive the following prompt. I can choose to give access, in which case the action is logged to Event Viewer, or cancel. This prompt can be hidden from the user entirely by changing the protection mode in the Intune policy (Block refuses the action, Silent allows it and only logs it). Separate policies can also be created and targeted at specific groups of users. For example, you might allow executives to override, as shown below, and block certain users such as contractors.
Closer look at the prompt:
If you need to change the file ownership, right-click the file and change the ownership to Personal:
That's all. We configured Mobile Application Management for a Windows 10 client that is neither MDM-enrolled nor domain-joined and successfully protected corporate content from leaking outside of corporate-sanctioned applications.
Troubleshooting
- The first place to look is to make sure the settings are correct and syncs are successful under Windows 10 Settings > Accounts > Access work or school.
- Next, look in Event Viewer under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin (the log name is Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin).
- MAM policies also land in the C:\Windows\System32\AppLocker folder, where you can open the policy files in Notepad.
- You will also find the MAM policy settings populated under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device.
- When adding apps to protect, the prepopulated apps should be adequate; however, if you are adding protected apps by hand, make sure the publisher, product name and file name are in the correct format (see the AppLocker note above) or the MAM policy will not take effect for that app.
- When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On the Home edition, we do not recommend pushing MDM policies to encourage users to upgrade. More details here: https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management
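The checks in the list above can be run in one pass from an elevated PowerShell prompt on the client. The script below is an added example, not from the original post: it reads the management event log, the AppLocker policy folder and the PolicyManager registry key named in the list, and adds two checks the list does not mention: the WIP audit channel where user overrides are recorded, and the Encrypted attribute that WIP-protected (EFS-encrypted) files carry. The Downloads folder as the place to look for protected files is an assumption.

```powershell
# Added example (not from the original post): client-side checks for a Windows 10
# device that should have received a MAM/WIP policy. Run elevated.
# The log name, folder and registry key come from the troubleshooting list above;
# the EDP audit log and the Downloads folder check are additions.

# 1. Most recent enrollment/sync events from the management channel.
$dmLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Write-Host "== Last 20 enrollment/sync events ($dmLog) =="
Get-WinEvent -LogName $dmLog -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize

# 2. AppLocker policy files dropped by the MAM/WIP policy.
$appLockerDir = Join-Path $env:SystemRoot 'System32\AppLocker'
Write-Host "== Policy files under $appLockerDir =="
Get-ChildItem -Path $appLockerDir -File -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize

# 3. Settings written by the PolicyManager CSP, one row per area/setting.
$pmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'
Write-Host "== PolicyManager settings under $pmKey =="
Get-ChildItem -Path $pmKey -ErrorAction SilentlyContinue | ForEach-Object {
    $area = $_.PSChildName
    Get-ItemProperty -Path $_.PSPath |
        Select-Object -Property * -ExcludeProperty PS* |
        ForEach-Object { $_.PSObject.Properties } |
        ForEach-Object { [pscustomobject]@{ Area = $area; Setting = $_.Name; Value = $_.Value } }
} | Format-Table -AutoSize

# 4. WIP audit events: each override the user confirms in the prompt is logged here.
$edpLog = 'Microsoft-Windows-EDP-Audit-TCB/Admin'
Write-Host "== WIP override/audit events ($edpLog) =="
Get-WinEvent -LogName $edpLog -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize -Wrap

# 5. WIP protects files with EFS, so enterprise-owned files carry the Encrypted attribute.
#    Downloads is an assumption; point this at wherever the protected files were saved.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
Write-Host "== Encrypted (WIP-protected) files in $downloads =="
Get-ChildItem -Path $downloads -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
    Select-Object Name, Length, LastWriteTime |
    Format-Table -AutoSize
```

If section 1 shows no events at all, the device never registered and the problem is on the "Access work or school" side; if section 2 and 3 are empty but section 1 shows successful syncs, the policy is assigned to a group the user is not in.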
With all the data theft that happens daily, it is better to have increased security for non-managed devices than simply to guess whether your data is safe on those devices. Whether your users have iOS, Android, or Windows devices, Intune MAM can protect all three.
Another option is to block unmanaged devices completely; Azure Active Directory Premium, with or without Intune, addresses this scenario via Conditional Access.
For additional details about MAM with and without MDM as well as supporting desktop and custom apps, please refer to: