Hi Community,
This will be the 3rd of 3 guides on how to set up MAM (Mobile Application Management) in Intune. In this 3rd part I will cover Windows.
We’ll explore how to protect company data on unmanaged Windows devices using Microsoft Intune. We’ll establish guardrails to ensure company information remains secure while still allowing personal devices access to organizational data for productivity.
We’ll use Mobile Application Management (MAM) for unmanaged devices, often referred to as personal or BYOD (Bring Your Own Device) devices. These are devices whose settings your IT staff does not control.
What Is MAM (Mobile Application Management)?
Mobile Application Management (MAM) is a type of security management focused on controlling and securing mobile applications used within an organization. It involves provisioning, configuring, and managing mobile apps on both company-provided and personal devices.
Key features of MAM include:
- App Configuration: Setting up app-specific policies and configurations.
- Data Protection: Ensuring that sensitive organizational data within apps is secure and not leaked.
- Access Control: Managing who can access specific apps and data.
- App Updates: Keeping apps up-to-date with the latest features and security patches.
MAM is particularly useful for organizations that need to secure data on personal devices without requiring full device management. This allows employees to use their own devices for work while ensuring that corporate data remains protected.
By combining App Protection policies with Conditional Access policies you can create a secured application environment for your users without needing to manage the complete device. With MAM configured you don’t need to “fully” enroll your device in Intune.
Implementing MAM has these benefits:
- Enhanced Data Security – Provides a layer of security for organization data on unmanaged devices by setting policies to control how company data is accessed and shared within apps.
- Increased Flexibility – Give your users access to company data in Outlook, Excel etc. without having to enroll their devices under management.
App Protection Policies
As in my 2 previous articles on iOS and Android, we use the 3 pre-defined levels of app protection; for Windows this is somewhat different. Windows conditional launch settings are labeled as Health Checks, for instance. However, we still have the 3 pre-defined levels.
- Level 1 enterprise basic data protection:
Level 1 is the minimum data protection configuration for an enterprise mobile device. This configuration replaces the need for basic Exchange Online device access policies by requiring a PIN to access work or school data, encrypting the work or school account data, and providing the capability to selectively wipe the school or work data. However, unlike Exchange Online device access policies, the below App Protection Policy settings apply to all the apps selected in the policy, thereby ensuring data access is protected beyond mobile messaging scenarios. The policies in level 1 enforce a reasonable data access level while minimizing the impact to users and mirror the default data protection and access requirements settings when creating an App Protection Policy within Microsoft Intune.
- Level 2 enterprise enhanced data protection:
Level 2 is the data protection configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. These recommendations don’t assume a large staff of highly skilled security practitioners, and therefore should be accessible to most enterprise organizations. This configuration expands upon the configuration in Level 1 by restricting data transfer scenarios and requiring a minimum operating system version.
- Level 3 enterprise high data protection:
Level 3 is the data protection configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described. This configuration expands upon the configuration in Level 2 by restricting additional data transfer scenarios, increasing the complexity of the PIN configuration, and adding mobile threat detection.
As the above table indicates, all changes to the App Protection Policies should be first performed in a preproduction environment to understand the policy setting implications. Once testing is complete, the changes can be moved into production and applied to a subset of production users, generally, the IT department and other applicable groups. And finally, the rollout can be completed to the rest of the mobile user community. Roll out to production may take a longer amount of time depending on the scale of impact regarding the change. If there’s no user impact, the change should roll out quickly, whereas, if the change results in user impact, rollout may need to go slower due to the need to communicate changes to the user population.
To ensure that only apps supporting App Protection Policies access work or school account data, Microsoft Entra Conditional Access policies are required.
I have already created the 3 levels of security in JSON files, you can download them here:
Just unzip the JSON files and you can import them in Intune.
The full Microsoft article is here.

How To Setup MAM
First we need to block BYOD (Bring Your Own Device) enrollment. This can be done by going to the Intune portal – Devices – Enrollment – Windows – Device platform restrictions.
Here click All users and, on the next screen, Properties.
Click Edit and set Personally owned Windows (MDM) to Block.
Set up Windows Security Center
To ensure that unmanaged devices accessing our company data are secure, we should set up the Windows Security Center.
Go to Tenant Administration – Connectors and Tokens – Mobile Threat Defense – Add – Windows Security Center
Setup the Conditional Access Policies
I will begin with the creation of the 2 Conditional Access Policies; after the Conditional Access Policies I will go further with the App Protection policy, and I will conclude with the user experience.
Require App protection CA Policy
Go to the Intune Portal – Endpoint Security – Conditional access – Policies – Create new Policy (Yes you can go via the Azure or Entra Portals but I will stick in the Intune Portal)
Microsoft has some guidelines for naming your Conditional Access policies, which you can find here. You can use them if you want; they are not mandatory.
Name your policy, according to the guidelines above, or just give it a name that is clear to you. E.g. MAM for Windows.
Select the group or user that best fits your needs.
Select Target resources such as “Cloud Apps” or specifically “Office 365.”
Set the Conditions targeting the Device Platform, as this tells us which platform the user is signing in from. In this case Windows.
Under Client apps, select Browser; in our app protection policy Edge is the protected app.
Now go to Access Controls and specify the requirements for getting access. I have chosen Grant access, requiring app protection policies to be in place.
Now go to Session, enable Use Conditional Access App Control and select Block downloads (Preview).

Switch the policy to on and click create. Now you have configured the Conditional Access policy. Let’s go to the next Conditional Access Policy.
Allow Web Access CA Policy
Now we are going to block non-corporate devices from accessing anything except the browser. We will do this by requiring compliance. Because MAM uses APIs to configure the browser, a plain Block does not work here, so we Grant access but require device compliance, which blocks BYOD devices.
Go to the Intune Portal – Endpoint Security – Conditional access – Policies – Create new Policy (Yes, you can go via the Azure or Entra Portals, but I will stick to the Intune Portal)
Microsoft has some guidelines for naming your Conditional Access policies, which you can find here. You can use them if you want; they are not mandatory.
Name your policy, according to the guidelines above, or just give it a name that is clear to you. E.g. MAM for Windows Block BYOD.
Select the group or user that best fits your needs.
Select Target resources such as “Cloud Apps” or specifically “Office 365.”

Set the Conditions targeting the Device Platform, as this tells us which platform the user is signing in from. In this case Windows.
Now we want to let the browser through.
Exclude corporate devices with a device filter.
Under Grant, select Require device to be marked as compliant.
Switch the policy to on and click create. Now you have configured the 2nd Conditional Access policy. Let’s go to the next App Protection Policy.
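The two Conditional Access policies above (Require App protection, and Allow Web Access / Block BYOD) expressed as Microsoft Graph objects, as an added example that is not part of the original post. It assumes the Microsoft.Graph PowerShell SDK, a placeholder pilot group ID, that "let the browser through" is implemented by targeting every client app type except Browser, and a constructed device filter rule that treats Entra joined and hybrid joined devices as corporate; both policies are created in report-only mode so they can be validated before enforcement.

```powershell
# Added example, not the post's own code. Creates the two CA policies via Graph.
# Assumptions: Microsoft.Graph SDK installed; $PilotGroupId is a placeholder you
# replace with the object ID of your pilot group.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All'

$PilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your pilot group
$uri = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'

# Policy 1: Windows + Browser -> grant only when an app protection policy is in
# place, and block downloads through Conditional Access App Control.
$requireApp = @{
    displayName = 'MAM for Windows'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after the pilot
    conditions  = @{
        users          = @{ includeGroups = @($PilotGroupId) }
        applications   = @{ includeApplications = @('Office365') }
        platforms      = @{ includePlatforms = @('windows') }
        clientAppTypes = @('browser')
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('compliantApplication') }
    sessionControls = @{ cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = 'blockDownloads' } }
}

# Policy 2: Windows, every client type except Browser -> require a compliant
# device. Corporate devices (Entra joined = AzureAD, hybrid joined = ServerAD)
# are excluded by the filter, so only BYOD devices end up blocked.
$blockByod = @{
    displayName = 'MAM for Windows Block BYOD'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($PilotGroupId) }
        applications   = @{ includeApplications = @('Office365') }
        platforms      = @{ includePlatforms = @('windows') }
        clientAppTypes = @('mobileAppsAndDesktopClients','exchangeActiveSync','other')
        devices        = @{ deviceFilter = @{
            mode = 'exclude'
            rule = 'device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD"'
        } }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}

foreach ($policy in @($requireApp, $blockByod)) {
    $created = Invoke-MgGraphRequest -Method POST -Uri $uri -ContentType 'application/json' `
        -Body ($policy | ConvertTo-Json -Depth 10)
    "Created '{0}' with id {1} (state: {2})" -f $created.displayName, $created.id, $created.state
}
```

Check the sign-in logs for report-only results on the pilot group before changing state to enabled.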
Configure the App Protection policy – MAM Policy
If you have imported the JSON files for the MAM policies into your Intune environment, the MAM policies are already there. You can always create your own MAM policies of course; I will continue this guide from the ones that I have configured according to the Microsoft framework.
I will use the Level 2 MAM policy in this guide.
In the Intune portal go to Apps – App protection, here the 3 app protection policies are in place.

The settings in this MAM policy correspond to the settings that Microsoft offers in the Data Framework.

For me these MAM settings are OK, you can always change them to your needs if you want. I consider this as Microsoft best practice. If you are happy with the MAM settings assign this policy to a group of your choice, in my case this is the pilot user group.
In this MAM policy you can see that the targeted public app is Edge. We don’t have any other choice while configuring the app protection policy. I’m hoping to get more apps here in the future.
User Experience
I will show you the “setup” for Edge and some copy/paste and download attempts, and I will also try to get to e.g. outlook.office.com with Chrome instead of Edge. Here we go.
Let’s try to access our company resources with Chrome – office.com. Immediately we get the message that this is not possible and that we need to use Edge.
Now let’s do the same in Edge. Now we get the message that we need to sign into Edge with our work account. Click Switch Edge profile.
Click sign in to sync data, now a new Edge profile with your company credentials will be created.
Sign in with your company credentials.
Now a VERY important thing. Uncheck the box Allow my organization to manage my device and click OK. DON’T click No, sign in to this app only.
After the sign in you will be presented with this screen, click Done.

Now we have to wait until Edge finishes. This can take a few minutes, so be patient and don’t click cancel.
When it’s done click continue.
And we are in!
If you click on the top left corner you can see your Work profile in Edge.
Now to the cool stuff: downloading and copy/pasting. I will test a few things in Outlook Web Access.
Let’s try to copy some text from a mail. As soon as you click copy you will be presented with this message:
Now let’s try to download one of the attachments. As soon as you click download you will be presented with this message:

Now let’s say that this user tries to install the Office apps from the corporate license onto his personal machine. I don’t think so 😉

Now let’s try to connect OneDrive. Now we get the message that says that our device needs to be compliant:
You can also check the App Protection status on the monitor page in Intune:
Retire the Device
Now let’s say my consultancy project with this customer is ending and they want to remove the company data from my device. Normally for an enrolled device you would go to the device in the Intune portal and do a retire.
However, because this is a personal device that is NOT enrolled in Intune, it will not show up in the Intune device list.
The device will show in the Office 365 portal under Devices – Active devices – App managed.
This concludes the last part of the MAM series.
I hope you find this article helpful, and as always, if you feel there is something in error or you want to add some stuff from your own experience, don’t hesitate to contact me!

Hi. Why did you choose not to include a device filter for the Require App protection CA Policy to target unmanaged devices?
e.g. Include: device.trustType -ne "AzureAD" -and device.trustType -ne "ServerAD"
Hi, just a choice, you can do that if you want to.
Hi, I want to apply this CA only to personal devices, but I get an error when I try to access from company devices.
You can filter via Hybrid Join rather than using company in the filter.
This would be best for BYOD (personal devices)
Hi,
Is there a way to allow copy/cut/paste between the Edge tabs when in session, rather than to all third-party apps or services/sites?