
One of the key features of Microsoft Intune is its MAM capabilities.
Intune MAM enables us to apply policies to supported corporate applications such as Outlook, Microsoft Teams, or other Office or third-party apps, to protect company data and prevent data leakage.
The key feature of Intune MAM is that it can also work on devices that are not MDM-managed by Intune. This feature, the support for the “without enrolment” scenario is especially useful in the Bring-Your-Own-Device landscape.
Intune MAM has been available for Android and iOS for ages. Previously, Intune MAM was also available for the Windows platform, in the form of Windows Information Protection (WIP). But then, Microsoft drew the curtains over it by announcing the deprecation of WIP.
Though WIP was far from a perfect solution, it at least allowed us to protect company apps and data even on Windows devices that weren’t enrolled, similar to what we can do on iOS and Android.
However, with the deprecation of WIP, MS did not announce any real replacement. Instead, they just recommended exploring Microsoft Purview Information Protection and Data Loss Prevention for data protection needs.
Post WIP, securing and protecting data in the BYOD Windows scenario meant either leveraging solutions such as Endpoint DLP and Sensitivity Labels, or making peace with Conditional Access session control using app-enforced restrictions, which gives limited, browser-only access from a BYOD Windows device.
Multiple options with different licensing requirements, but both lacked native Windows functionality as a solution. It is difficult to understand how Microsoft can pull off fantastic MAM features on Android and iOS, but then fail miserably to bring the same feature parity to their very own Windows.
To be honest, we haven’t seen any work from MS to improve the Windows BYOD management features and functionalities.
But then, MS announced the (re-)introduction of Intune MAM for Windows. Here in this blog post, let us explore what Intune MAM for Windows has to offer and what the user experience is like.
Intune MAM for Windows
With Intune MAM for Windows, you can enable protected MAM access to organization data via Microsoft Edge on personal Windows devices that are not enrolled or MDM-managed by Intune.
Intune MAM on Windows utilizes four main components:
- Microsoft Edge (The browser client which will be used to access org data)
- Intune App Protection Policy (To secure org data and ensure the client device is healthy)
- Windows Defender (Windows Security Center integration to detect local health threats on personal Windows devices)
- Conditional Access (To ensure MAM policy is enforced before granting access to protected service)
Prerequisites
As of writing this, Intune MAM for Windows requires
- Windows 10 build 19045.3636, KB5031445 or later, and Windows 11 build 10.0.22621.2506, KB5031455 (22H2) or later. This includes the supporting changes for Microsoft Intune (2309 release), and Windows Security Center (v 1.0.2310.2002 and later).
- A license that includes Microsoft Intune and at least Entra ID Premium P1
- Unmanaged Windows personal device (unlike MAM for Android and iOS which also supports managed devices)
- Only Microsoft Edge is supported. (Microsoft Edge v117 stable branch or later for Windows 10 and v118.0.2088.71 or later for Windows 11)
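As an added example (not from the original post), the following PowerShell snippet checks a candidate BYOD device against the Windows build and Edge version minimums listed above. It assumes PowerShell 5.1 or later on the device itself, and it does not check the Windows Security Center or Intune service versions.

```powershell
# Added example: compare this device's OS revision and Edge version with the
# Intune MAM for Windows prerequisites. Assumes a local PowerShell 5.1+ session.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber   # e.g. 19045 (Windows 10 22H2) or 22621 (Windows 11 22H2)
$ubr   = [int]$cv.UBR                  # cumulative update revision, e.g. 3636

# Minimum OS revision and Edge version per platform, taken from the prerequisites above.
if ($build -ge 22000) {
    # Windows 11: 22621.2506 (KB5031455) or later, Edge 118.0.2088.71 or later
    $osOk    = ($build -gt 22621) -or ($build -eq 22621 -and $ubr -ge 2506)
    $minEdge = [version]'118.0.2088.71'
} else {
    # Windows 10: 19045.3636 (KB5031445) or later, Edge v117 stable or later
    $osOk    = ($build -gt 19045) -or ($build -eq 19045 -and $ubr -ge 3636)
    $minEdge = [version]'117.0.0.0'
}

# Locate msedge.exe through its App Paths registration instead of a hard-coded install path.
$appPaths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe'
$edgeExe  = (Get-ItemProperty $appPaths).'(default)'
$edgeVer  = [version](Get-Item $edgeExe).VersionInfo.ProductVersion
$edgeOk   = $edgeVer -ge $minEdge

# Summary object; ReadyForMAM is true only when both checks pass.
[pscustomobject]@{
    OSBuild       = "$build.$ubr"
    OSSupported   = $osOk
    EdgeVersion   = $edgeVer.ToString()
    EdgeSupported = $edgeOk
    ReadyForMAM   = ($osOk -and $edgeOk)
}
```

The device must additionally be unmanaged (not MDM-enrolled), which this snippet does not verify.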
Configuring Intune MAM for Windows
The configuration of MAM for Windows consists of three actions, explained below.
Action 1: Configuring MTD Connector in Intune for Windows Security Center
Open the Microsoft Intune Admin portal and navigate to Tenant admin > Connectors and tokens > Mobile Threat Defense, and from there click on Add, select Windows Security Center, and click on Create.

Once the Windows Security Center connector is created, you will see 1 active connector under the MTD connectors list, but its status will show as Not set up. The status will remain the same until the first user uses MAM for Windows.

Action 2: Configuring App Protection Policy for Windows
Open the Microsoft Intune Admin portal and navigate to Apps > App protection policies, from there click on Create policy, and select Windows (not Windows Information Protection!).

On the Basics page, provide the basic policy information like Name and Description (optional) and click Next.

On the Apps page, select Microsoft Edge and click Next.

On the Data protection page, specify the required data protection settings and click Next.

On the Health Checks page, specify the required access requirements – that includes the option in the device conditions to configure the threat level of the device – and click Next.

On the Scope tags page, specify the required scope tags and click Next.

On the Assignments page, specify the required assignment and click Next.

On the Review + create page, click Create.

Action 3: Configuring Conditional Access for Intune MAM for Edge on Windows
We need to configure the following sections to meet the minimal required assignments.
- Users and groups: Select the Users that should be assigned with this policy
- Target resources: Select Cloud apps > Select apps > Office 365 as the service to be protected and assigned with this policy
- Conditions: Select at least the following conditions as additional filters for the assignment of this policy
  - Device platforms: Select Yes > Select device platforms > Windows for the applicable platform.
  - Client apps: Select Yes > Browser for the applicable client app.
Under the Access controls section, configure the following minimum required grant control.
- Grant: Select Grant access > Require app protection policy to require app protection with this policy
For Enable policy, turn it On to enable this policy, and then finally, select Create to create this policy.
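The same Conditional Access policy, created through Microsoft Graph PowerShell as an added example (not from the original post). It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the placeholder $pilotGroupId is replaced with the object id of the group being targeted.

```powershell
# Added example: create the Action 3 Conditional Access policy via Microsoft Graph.
# Assumes Microsoft.Graph.Identity.SignIns is installed and you hold the CA admin role.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: replace with the object id of the pilot user group (Users and groups step).
$pilotGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'BYOD Windows - Require Intune MAM for Edge (Office 365, browser)'
    # 'enabled' matches the Enable policy = On step; use
    # 'enabledForReportingButNotEnforced' to stage in report-only mode first.
    state       = 'enabled'
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        # 'Office365' is the built-in id of the Office 365 app group (Target resources step).
        applications   = @{ includeApplications = @('Office365') }
        # Device platforms: Windows only.
        platforms      = @{ includePlatforms = @('windows') }
        # Client apps: Browser only.
        clientAppTypes = @('browser')
    }
    grantControls = @{
        operator        = 'OR'
        # 'compliantApplication' is "Require app protection policy" in the portal.
        builtInControls = @('compliantApplication')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm the platform, client app and grant conditions landed.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
[pscustomobject]@{
    Id          = $check.Id
    State       = $check.State
    Platforms   = ($check.Conditions.Platforms.IncludePlatforms -join ',')
    ClientApps  = ($check.Conditions.ClientAppTypes -join ',')
    Grant       = ($check.GrantControls.BuiltInControls -join ',')
}
```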

Check End-User Experience
Unlike Android and iOS, MAM for Windows only works if the device is unmanaged. Thus, with the three main components configured, the final piece required to test Intune MAM for Edge on Windows is an unmanaged Windows device running a supported version of Windows and Edge.
Let’s assume a user has a personal Windows device that meets the software requirements to test Windows MAM. On that device, the user is running the Microsoft Edge browser with a personal profile configured and tries to access outlook.office365.com with their work account credentials.
Because of the CA policy we created earlier, the user will see the following.

The user needs to click on the Switch Edge mobile button and will then get the following prompt, where the user needs to click on the Sign in to sync data button.

A credential prompt will follow this.

The subsequent prompt will ask for device registration. Here, make sure the check box that says “Allow my organization to manage my device” is unchecked before clicking OK; leaving it checked would enrol the device into management, and MAM for Windows only works on unmanaged devices.

If all goes well, the device will get registered successfully.

Once the registration process is complete, Edge performs the MAM enrolment process.

Once the enrolment process completes, a Continue button appears.

Now, using the Edge profile associated with the work account, the user will be able to access protected services.
So let’s now check whether the MAM restrictions are enforced. As expected, the copy/paste action is blocked, as configured in the MAM policy.

Likewise, print functionality is blocked, as configured in the MAM policy.

Further, an attempt to download attachments is also prevented as configured in the MAM policy.

But because the MAM policy applies at the application level, the enforced protections are not limited to the CA-protected service when accessed from the work profile. The protection applies to any website you browse in Edge using the work profile targeted by the Intune MAM policy.
This means you cannot cut/copy/paste from a normal Google search if you are doing it from the Edge work profile that is protected with Intune MAM.

So while the CA policy ensures that protected services like O365 can be accessed from a browser on a Windows device only with MAM enforcement in place, the MAM policy itself, applied to the Microsoft Edge work profile, ensures that the actions we do within the work profile remain isolated, thereby preventing data leakage outside of the profile.
The user, though, can still use the personal profile on Microsoft Edge which by default has no restrictions enforced.
Troubleshooting Intune MAM for Edge on Windows
Open the Microsoft Edge browser, switch to the work profile to which the MAM policy is applied, and navigate to edge://edge-dlp-internals/ as shown below. You will see an overview of the enabled features and the applied MAM policy.


You also have the MamLog and MamCache.json files, located under C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data (i.e. %LOCALAPPDATA%\Microsoft\Edge\User Data), to help you troubleshoot Intune MAM for Edge on Windows.

Conclusion
For the time being, I cannot understand what is new, in the name of MAM for Windows, that Microsoft is offering in terms of user experience!
Intune MAM on Windows, in its current form, is limited to browser-only access, and this is not something new. This limited browser-only experience was already possible using Conditional Access session controls with app-enforced restrictions. Yes, we do get some added restrictions with this new policy in the form of profile-based isolation, but at the end of the day, it’s a web-only experience.
It’s always sad to see that Windows, despite being Microsoft’s own OS, has always been lacking in terms of MAM protection when compared to what Microsoft has to offer for Android and iOS.
However, with this new Intune MAM for Edge on Windows, MS at least made an effort to bring parity toward the BYOD solution for Windows. From here, expanding the application scope of client apps for the Windows MAM policy would be very useful and a much-needed addition.