Time for something different. I want to write about the MAM functionality on a Windows 10 bring your own device (BYOD). This device will not be enrolled in MS Intune; instead it is managed without enrollment, and the app or application gets its protection policies from MS Intune.
To protect corporate data and separate it from personal data, Windows 10 uses Windows Information Protection (WIP). WIP is supported in MS Intune, so with WIP you can protect and manage your corporate data on a Windows 10 BYOD device.
You need an unmanaged Windows 10 device for this practice.
Let’s begin with MAM w/o Enrollment. This is also called MAM-WE, which means Mobile Application Management Without Enrollment. To test WIP we have to download Office from portal.office.com on the unmanaged Windows 10 device.
Download Office from https://portal.office.com
Click on the Run button to start the download and installation.
Office is installing.
The installation is done. Click Close to close the setup. Microsoft Edge is still open, close this one also.
We now have an unmanaged Windows 10 device with Office 2016 installed, so we can test the MAM-WE functionality in MS Intune. Let’s continue in the MS Intune portal; from there you go to Mobile Apps – App Protection policies.
Click Add a policy.
Enter a name for the policy. Platform is Windows 10 and Enrollment state is Without enrollment. Click on Protected apps.
Click on the button Add apps.
Select these apps. These apps will also work with corporate data. Click on the Ok button. From here click again on Add app.
Change the option from recommended apps to Desktop apps.
Enter the Office desktop apps here, such as Word and Outlook. Use this value for PUBLISHER: “O=Microsoft Corporation, L=Redmond, S=Washington, C=US”. Click on the Ok button. Now do the same for Outlook.
These apps will be protected by MS Intune based on the protection policy. Click on the Ok button. We skip Exempt apps; they are not necessary for this.
Go to Required Settings and click on the Block button. This blocks enterprise/corporate data from going outside the protected apps. This means you can’t copy text from a protected app to an unprotected app, like Notepad. Click on the Ok button.
Go to Advanced settings and click on Cloud resources. We have to edit this property: the list is separated by |, so add a | followed by outlook.office365.com. Click on the Ok button (twice) and then on the Create button to create the policy.
Click on the policy you just created. Click on Assignments to assign the group.
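The PUBLISHER value used for the desktop apps above comes from the subject of the certificate that signed the executable. This added script (my example, not part of the original post or of Intune) reads that signature and the version resource with PowerShell so you can fill in Publisher, Product name and File for any desktop app without guessing. The Office paths are assumptions for a Click-to-Run Office 2016 install; adjust them to your installation.

```powershell
# Added example: derive the WIP desktop-app identity fields from a signed executable.
# Assumed install paths below; change them to match your Office installation.

function Get-WipDesktopAppIdentity {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature on $Path is '$($sig.Status)'; WIP needs a validly signed binary."
    }

    # The subject looks like:
    # "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
    # The WIP Publisher field is this subject without the CN component.
    # Format($true) gives one RDN per line, which is safer than splitting on commas
    # when a value such as O="Foo, Inc." itself contains a comma.
    $subject = $sig.SignerCertificate.Subject
    $rdns = $sig.SignerCertificate.SubjectName.Format($true) -split "`r?`n" |
        Where-Object { $_ -and $_ -notmatch '^CN=' }
    $publisher = $rdns -join ', '

    $version = (Get-Item -LiteralPath $Path).VersionInfo

    [pscustomobject]@{
        File        = Split-Path -Path $Path -Leaf      # WIP "File" field
        Publisher   = $publisher                        # WIP "Publisher" field
        ProductName = $version.ProductName              # WIP "Product name" field
        FileVersion = $version.FileVersion              # for Min/Max version, if you use them
        Subject     = $subject                          # full subject, for reference
    }
}

# Assumed Click-to-Run locations for Word and Outlook (Office 2016)
$apps = @(
    "$env:ProgramFiles\Microsoft Office\root\Office16\WINWORD.EXE",
    "$env:ProgramFiles\Microsoft Office\root\Office16\OUTLOOK.EXE"
)

foreach ($app in $apps) {
    if (Test-Path -LiteralPath $app) {
        Get-WipDesktopAppIdentity -Path $app | Format-List
    } else {
        Write-Warning "Not found: $app"
    }
}
```

Run it in a normal PowerShell window on the device where the app is installed. Compare the Publisher it prints with the value you type into the policy; a typo in that string silently means the app is not matched and therefore not protected.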
It’s time to test this policy on an unmanaged Windows 10 Device.
Go to your device and open Outlook. This is the first run for Outlook. You see this window and enter here an email address.
Click on Office 365.
Enter here the password. Click on Sign in.
The user may have to verify the sign-in. Click Next.
Click Create PIN.
Enter the PIN here; don’t use a simple PIN like 1234 or 8888.
Enter the password of the logged-in user here. Click on the OK button. You can also check this in MS Intune -> Devices > Azure AD devices: the machine will be Azure AD registered.
Deselect Set up Outlook Mobile and click on the Ok button.
Outlook is configured and ready to use. Click on the button Accept and start Outlook.
Open Word. Type some text and go to the menu to save this document.
Save this document on a corporate storage, like OneDrive or SharePoint.
Your document is now protected by Windows Information Protection. Let’s try to copy the text and paste it into Notepad. We didn’t add Notepad to the policy, which means that app is not protected.
You see that Notepad is not a protected app and pasting the text is not allowed. Let’s try this in Outlook. Copy the text in Word again and try to paste it into Outlook.
This action is allowed by WIP. It also works the other way around: make a new mail and type some text into it, then copy the text and paste it into Notepad. You will get the same message as before with Word.
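Two things the walkthrough says should now be true can be checked from the device itself: after the Outlook sign-in the machine is Azure AD registered (workplace joined, not Azure AD joined), and the document saved to corporate storage is WIP-protected, which on disk means it is EFS-encrypted and carries the Encrypted attribute. This added script (my example, not from the original post) checks both with built-in tools; the document path is an assumption.

```powershell
# Added example: verify the device registration state and the WIP protection of a saved file.
# The document path is an assumption; point it at the file you saved to OneDrive/SharePoint.

function Get-WorkplaceJoinState {
    # dsregcmd.exe ships with Windows 10; its /status output is "Key : Value" lines.
    $lines = & dsregcmd.exe /status
    $state = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*(AzureAdJoined|WorkplaceJoined|DomainJoined)\s*:\s*(\S+)') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined   = $state['AzureAdJoined']     # NO for MAM-WE
        WorkplaceJoined = $state['WorkplaceJoined']   # YES = Azure AD registered
        DomainJoined    = $state['DomainJoined']
    }
}

function Test-WipFileProtected {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )
    $item = Get-Item -LiteralPath $Path
    # WIP encrypts enterprise files with EFS, so the Encrypted attribute is set.
    [bool]($item.Attributes -band [IO.FileAttributes]::Encrypted)
}

Get-WorkplaceJoinState | Format-List

$doc = "$env:USERPROFILE\OneDrive - Contoso\Test.docx"   # assumed path and tenant name
if (Test-Path -LiteralPath $doc) {
    if (Test-WipFileProtected -Path $doc) {
        "Protected by WIP (EFS encrypted): $doc"
        # cipher /c shows which identities protect the file, including the enterprise one
        & cipher.exe /c $doc
    } else {
        "NOT protected: $doc"
    }
} else {
    Write-Warning "Document not found: $doc"
}
```

A document that was saved to a personal location (the Desktop, for example) should come back as NOT protected, which is the expected result: WIP decides by location and app, so a copy saved outside the corporate storage is exactly the case the Block setting and the cloud resource list are there to catch.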
You can do this also with Microsoft Edge and Internet Explorer. They are also protected by WIP.
And if you go to your corporate (web)site, such as SharePoint, you will see this briefcase icon in the menu. This website is protected by WIP. Losing corporate data is now prevented by the policy.
This is how WIP looks in Internet Explorer.
If you delete the work/school account from the BYOD device and then try to open the work-related document, you will get something like this:
This also works on Windows 10 Home Edition (1803). I think most BYOD Windows 10 devices run Windows 10 Home Edition, so I wanted to be sure that WIP also works on a Home Edition device.
So, this is what we did. We made a protection policy to protect corporate data in an app. We tested this on an unmanaged Windows 10 device with Office 2016. First, we saved the document on corporate storage, and later we copied the text from the document and pasted it into an unprotected application, like Notepad. We did the same for Outlook, Microsoft Edge and Internet Explorer.