Part 11 – Configure Microsoft Intune – Mobile Application Management Without Enrollment

This time I want to write a blog post about MAM on an unmanaged Windows 10 device. I saw some questions about this functionality on the World Wide Web, and most of them were about which Windows 10 editions are supported, like the Pro and Home editions. That was the trigger for me to try this feature with Microsoft Intune and Windows 10 Home edition.

What does Windows Information Protection do?

Since release 1607, Windows 10 has a feature called Windows Information Protection (WIP). WIP protects corporate data within a store app or desktop application, which prevents data loss on a BYOD device. WIP also works on a managed Windows 10 device, so it does not depend on a BYOD concept. What WIP does is create a container that is used for corporate data only, and because of this WIP separates the personal data from the corporate data. Within WIP you can, as IT admin, create a policy to prevent data loss. This can be done with Microsoft Intune, but also with Group Policy (GPO). In the policy you can allow or block copy/paste of corporate data to an unmanaged app or desktop application, so the user cannot accidentally paste sensitive corporate data into his or her personal email or a website: WIP blocks that action.

More information on https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip

Alrighty then, let’s begin!

Let’s begin with MAM w/o Enrollment. This is also called MAM-WE, which means Mobile Application Management Without Enrollment. To test WIP we have to download Office from portal.office.com on the unmanaged Windows 10 device.

Download Office from https://portal.office.com

Click on the Run button to start the download and installation.

Office is installing.

The installation is done. Click Close to close the setup. Microsoft Edge is still open, close this one also.

We now have an unmanaged Windows 10 device with Office 2016 installed, so we can test the MAM-WE functionality in MS Intune. Let’s continue in the MS Intune portal and go to Mobile Apps – App Protection policies.

Click Add a policy.

Enter a name for the policy. Platform is Windows 10 and Enrollment state is Without enrollment. Click on Protected apps.

Click on the button Add apps.

Select these apps. These apps will also work with corporate data. Click on the Ok button. From here click again on Add app.

Change the option from recommended apps to Desktop apps.

Enter the Office apps here, like Outlook and Word. Use this as PUBLISHER: “O=Microsoft Corporation, L=Redmond, S=Washington, C=US”

Click on the Ok button. Now do the same for Outlook.


These apps will be protected by MS Intune based on the protection policy. Click on the Ok button. We skip Exempt apps; they are not necessary for this.


Go to Required settings and click on the Block button. This blocks enterprise/corporate data from going outside the protected apps, which means you can’t copy text from a protected app to an unprotected app like Notepad. Click on the Ok button.


Go to Advanced settings and click on Cloud resources. We have to edit this property: add a | and after that add outlook.office365.com. Click on the Ok button (twice) and then on the Create button to create the policy.


Click on the policy you just created. Click on Assignments to assign the group.
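To make the pieces of the policy we just clicked together explicit, here is a small Python model of it. This is an added example and not code from the blog post or from Intune; the publisher string and the Block setting come from the walkthrough, the starting cloud-resources value is a constructed sample, and the matching semantics (publisher DN compared attribute by attribute, `*` as a wildcard, inclusive version range) are my reading of AppLocker-style publisher rules and therefore an assumption about how WIP evaluates desktop app entries.

```python
"""Model of the WIP app-protection policy built in the walkthrough above.

Added example, not code from the blog post or from Intune. The rule
matching below (publisher DN compared attribute by attribute, '*' as a
wildcard, inclusive version range) is an assumption based on
AppLocker-style publisher rules.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Publisher string from the walkthrough, exactly as entered in the Intune portal.
MS_OFFICE_PUBLISHER = "O=Microsoft Corporation, L=Redmond, S=Washington, C=US"


def parse_dn(dn: str) -> Dict[str, str]:
    """Split 'O=..., L=..., S=..., C=...' into {attribute: value}, upper-cased so
    that whitespace, letter case and attribute order do not matter.
    (Escaped commas inside values are not handled here.)"""
    parts: Dict[str, str] = {}
    for item in dn.split(","):
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"bad DN component: {item!r}")
        parts[key.strip().upper()] = value.strip().upper()
    return parts


def version_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in version.split("."))


@dataclass
class DesktopAppRule:
    """One entry under Protected apps -> Desktop apps; '*' means any.
    With product_name and binary_name left at '*', as in the walkthrough,
    the rule covers every binary signed under that publisher."""
    name: str
    publisher: str
    product_name: str = "*"
    binary_name: str = "*"
    min_version: str = "*"
    max_version: str = "*"

    def matches(self, publisher: str, product: str, binary: str, version: str) -> bool:
        if parse_dn(self.publisher) != parse_dn(publisher):
            return False
        if self.product_name != "*" and self.product_name.lower() != product.lower():
            return False
        if self.binary_name != "*" and self.binary_name.lower() != binary.lower():
            return False
        v = version_tuple(version)
        if self.min_version != "*" and v < version_tuple(self.min_version):
            return False
        if self.max_version != "*" and v > version_tuple(self.max_version):
            return False
        return True


@dataclass
class WipPolicy:
    name: str
    desktop_apps: List[DesktopAppRule] = field(default_factory=list)
    required_setting: str = "Block"  # Block / Allow overrides / Silent / Off
    cloud_resources: str = ""        # pipe-separated host names

    def is_protected(self, publisher: str, product: str, binary: str, version: str) -> bool:
        """True when some rule covers the binary, i.e. WIP treats it as an
        enterprise app that may work with corporate data."""
        return any(r.matches(publisher, product, binary, version) for r in self.desktop_apps)


# Bare host name: labels of letters, digits and hyphens joined by dots.
_HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def parse_cloud_resources(value: str) -> List[str]:
    return [h for h in (p.strip() for p in value.split("|")) if h]


def add_cloud_resource(value: str, host: str) -> str:
    """Append a host to the Cloud resources field the way the walkthrough does
    by hand ('|' followed by the host). Schemes and paths are rejected because
    the field expects bare host names; duplicates are ignored."""
    host = host.strip().lower()
    if not _HOST_RE.match(host):
        raise ValueError(f"not a bare host name: {host!r}")
    hosts = parse_cloud_resources(value)
    if host in (h.lower() for h in hosts):
        return "|".join(hosts)
    return "|".join(hosts + [host])


def build_policy() -> WipPolicy:
    """The walkthrough's policy: Word and Outlook by publisher, Required settings
    set to Block, outlook.office365.com appended to the cloud resources."""
    policy = WipPolicy(name="WIP MAM-WE Windows 10")
    policy.desktop_apps.append(DesktopAppRule("Word", MS_OFFICE_PUBLISHER))
    policy.desktop_apps.append(DesktopAppRule("Outlook", MS_OFFICE_PUBLISHER))
    # Constructed starting value; the real portal pre-fills this field itself.
    policy.cloud_resources = add_cloud_resource(
        "contoso.sharepoint.com|contoso-my.sharepoint.com", "outlook.office365.com")
    return policy
```

Running `build_policy()` and then `is_protected(MS_OFFICE_PUBLISHER, "Microsoft Office", "WINWORD.EXE", "16.0.0.0")` returns True, while a binary signed under a constructed publisher such as `O=Contoso Ltd, L=Redmond, S=Washington, C=US` returns False. The point worth taking from the model is that a publisher-only entry is broad: if you want the rule narrower than "everything from this publisher", fill in Product name or File in the portal as well.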

It’s time to test this policy on an unmanaged Windows 10 Device.


Go to your device and open Outlook. This is the first run of Outlook. You see this window; enter an email address here.


Click on Office 365.


Enter the password here. Click on Sign in.

The user may have to verify his login. Click Next.

Click Yes.

Click Create PIN.

Enter a PIN here; don’t use a simple PIN like 1234 or 8888.

Click Next.

Enter the password of the logged-in user here. Click on the OK button. You can also check in MS Intune -> Device > Azure AD device: the machine will be Azure AD registered.

Deselect Set up Outlook Mobile and click on the Ok button.

Outlook is configured and ready to use. Click on the button Accept and start Outlook.
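Besides the Azure AD device list in the Intune portal, you can confirm on the device itself that the sign-in left the machine Azure AD registered (workplace joined) rather than Azure AD joined, which is the state MAM-WE relies on. The script below is an added example and not part of the blog post: it parses the `Key : Value` lines that `dsregcmd /status` prints and classifies the device from the join flags. The sample output embedded in it is constructed from memory of that tool's layout, not captured from the author's device.

```python
"""Device-side check that the BYOD machine is Azure AD registered.

Added example, not from the blog post. Parses the 'Key : Value' lines of
`dsregcmd /status`; SAMPLE_STATUS is a constructed sample, not a capture.
"""
import subprocess
import sys
from typing import Dict

# Constructed sample of the relevant sections of `dsregcmd /status`.
SAMPLE_STATUS = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

           WorkplaceJoined : YES
"""


def parse_dsregcmd(text: str) -> Dict[str, str]:
    """Collect every 'Key : Value' line into a dict; section banners are skipped."""
    status: Dict[str, str] = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, _, value = line.partition(" : ")
        status[key.strip()] = value.strip()
    return status


def registration_state(status: Dict[str, str]) -> str:
    """Classify the device from the three join flags.
    MAM-WE expects 'azure-ad-registered': WorkplaceJoined YES, AzureAdJoined NO."""
    joined = status.get("AzureAdJoined") == "YES"
    domain = status.get("DomainJoined") == "YES"
    registered = status.get("WorkplaceJoined") == "YES"
    if joined and domain:
        return "hybrid-azure-ad-joined"
    if joined:
        return "azure-ad-joined"
    if registered:
        return "azure-ad-registered"
    return "not-registered"


def check_device() -> str:
    """Run dsregcmd on a Windows host; elsewhere fall back to the constructed sample."""
    if sys.platform == "win32":
        out = subprocess.run(["dsregcmd", "/status"], capture_output=True,
                             text=True, check=True).stdout
    else:
        out = SAMPLE_STATUS
    return registration_state(parse_dsregcmd(out))


if __name__ == "__main__":
    print(check_device())
```

Run it in the user's own session on the BYOD device (the WorkplaceJoined flag is per user, so an elevated prompt under a different account would not show it). If the result is `not-registered`, the sign-in in Outlook did not complete the workplace join and the WIP policy will not apply.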

Open Word. Type some text and go to the menu to save this document.

Save this document on a corporate storage, like OneDrive or SharePoint.

So, now your document is protected by Windows Information Protection. Let’s try to copy the text and paste it into Notepad. We didn’t add Notepad to the policy, which means that the app is not protected.

You see that Notepad is not a protected app and is not allowed to paste the text. Let’s try this in Outlook: copy the text in Word again and try to paste it into Outlook.

This action is allowed by WIP. It also works vice versa: create a new mail and type some text into it, then copy the text and paste it into Notepad. You will get the same message as before with Word.

You can also do this with Microsoft Edge and Internet Explorer; they are protected by WIP as well.

And if you go to your corporate (web)site, like SharePoint, you will see this briefcase icon in the menu. This website is protected by WIP. Losing corporate data is now prevented by the policy.

This is what WIP looks like in Internet Explorer.

If you delete the work/school account from the BYOD device and try to open the work-related document, you will get something like this:

This also works on Windows 10 Home edition (1803). I think most BYOD Windows 10 devices run Windows 10 Home edition, and I wanted to be sure that WIP also works on a Home edition device. So, I used the Home edition for this blog post.

Final

So, this is what we did. We made a protection policy to protect corporate data in an app and tested it on an unmanaged Windows 10 device with Office 2016. First we saved the document on a corporate space/storage, and later we copied the text from the document and pasted it into an unprotected application like Notepad. We did this also for Outlook, Microsoft Edge, and Internet Explorer. This is how Windows Information Protection works on a Windows 10 device.

This is it. Thanks for reading my blog post about MAM-WE in combination with Windows Information Protection. If you have any questions or comments about MAM-WE and WIP, or about Microsoft Intune in general, don’t hesitate to contact me by email or by posting a comment here below. I am also active on social media and some community forums, like the Technet forum, Yammer, and Techcommunity.

Good luck! Take care now, bye bye then…


8 thoughts on “Part 11 – Configure Microsoft Intune – Mobile Application Management Without Enrollment”

  1. Nathan

    Sir,
    I have some questions; I hope you can and will answer them.
    1) Does WIP only encrypt files/data on the user device?
    2) Can files also become encrypted on a file share by WIP?
    3) What happens when an app is not on the allow list and tries to open/save a file on a configured Cloud Resource?
    4) What happens when an unenlightened app tries to open/save a file from a configured Cloud Resource?
    5) Is it possible to add a file share to WIP? Is adding only the domain name sufficient?
    6) If user1 saves a WIP-protected document on a file share, can user2 open it?

    1. Hi Nathan,

      Thanks for the comment and questions. They are good questions 🙂
      Of course, I will answer your questions. That’s the reason why I have a blog 😉

      Let’s begin:
      1) WIP encrypts only corporate files. It does not depend on the user device.
      2) Yes, if you have specified the share location, like an IPv4 range or domain name. Read this article ( https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune#choose-where-apps-can-access-enterprise-data ). The article uses the old Intune Console screenshots, but the explanation is still the same.
      3) This file will not be protected/encrypted by WIP. The file will be protected when a user who has WIP enabled opens that file and saves it on the Cloud resource. At that moment, WIP will encrypt the file.
      4) The user cannot open the file. The user gets a message which says it cannot open the file.
      5) I’m not sure about that. There are many ways to add the share location as Cloud resource/Network perimeter, like IPv4/IPv6 ranges, Network domains, and Protected domains.
      6) Nope, if you implement WIP, you have to do it enterprise-wide. So, every user must have WIP enabled, otherwise user2 cannot open the file from a file share.

      There are some limitations with WIP: https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/limitations-with-wip
      And in this article, you can read some test scenarios about WIP: https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip

  2. Nathan

    Thank you Albert for the answers and reply, not every blogger gives a response to questions 🙂
    1) I thought WIP encrypted data only on the client PC of the user, so you are saying that what you configure in the Network Boundary (cloud resource/IPv4 etc.), the files there will be encrypted?
    2) Clear answer
    3) Maybe I was not totally clear. What happens when an app that is NOT added to the allow list in the policy tries to open/save a protected file on a configured Cloud Resource/Protected domain?
    4) Clear
    5) Clear
    6) Clear

    7) Exempt app means you can add an unenlightened app to allow access to the corp data/network boundary/cloud resource?

    1. Hi Nathan,

      No problem at all… 🙂 That is a shame for the blogger then… 🙂

      The answers:
      1) Yes and no, you are right about encryption. This will be done on the user’s device. But you have to set a “protected perimeter”. So, only the file which is saved in that perimeter will be encrypted by Windows.
      3) When an app is not added as an allowed app, then the app cannot open the protected file. If the app saves a new file on the Cloud resource, then the app will be automatically encrypted because of the perimeter (Cloud Resource).
      7) Yes, that’s correct. With the exempt app, you create an exclusion in the policy for that specific app. They are allowed to bypass the WIP restrictions and access your corporate data.

      If you have more questions, don’t hesitate to ask!

  3. Nathan

    A shame indeed, sharing is caring.
    1) So if I create a new file and save it on SharePoint Online, it will be encrypted (with suitcase icon)? And if I download a file from SharePoint Online, will it be encrypted on my hard disk?

    1. 1) That is correct.

      Not yet; after you have opened the file with an enlightened application and saved it, the file will be encrypted by WIP, if the file has not been protected by WIP already.

  4. Nathan

    Ok, totally clear. Thank you so much for your time and answers! And please keep on blogging, awesome content!

    1. That is great! Thanks a lot, I will do! Cheers 🙂
