With the end of Windows Information Protection (and with it App Protection for Windows devices), I wanted to take a look at the best way of securing data on a BYOD machine with the tools currently available (at the time of writing this article).
For the tests, I used a freshly imaged Win11 22H2 device logged in with a personal Microsoft account with a checkpoint applied prior to any Teams/Web logins. I also cleared any device details from Azure AD between tests.
I have also left my Intune tenant completely unlocked; in reality you would want to block personal devices from enrolling before doing anything else (screenshot at the bottom).
Before any tests, I looked at Endpoint DLP, but that was immediately ruled out as it requires devices to be onboarded to Defender for Endpoint, and I can’t see that sitting well on personal machines.
One other thing to note (thanks to David in the comments): tests 2 and 3 will both attempt to escrow BitLocker recovery keys to Azure AD, which isn’t ideal for personal devices!
Test 1: Sign in to this app only
The first test was logging into MS Teams with the “Sign in to this app only” option.
As expected, this didn’t create any AzureAD device objects:
Or anything in Intune
It also allowed me to do pretty much anything I liked: download files, copy and paste text, and so on. Not ideal!
As a test, I deployed a Conditional Access policy to block non-corporate devices:
This worked as expected, but it stops BYOD almost completely.
Test 2: Sign in to all apps, without device management
For this test, I unticked the “Allow my organisation to manage my device” box but still allowed sign-in to all apps.
This does create an Azure AD object, but not an Intune one
Even though the device is now Azure AD registered, that is all it is: it turns on SSO for the other M365 apps, but you’re still free to do as you please with the data.
Testing the CA policy gave a different error message, but access was still blocked (as expected).
Test 3: Allow my organisation to manage the device
For this test, I ticked the box to allow my organisation to manage the device.
My MDM/MAM user scopes are set to their defaults, so this enrols the device into the WIP service, which is great for Android and iOS but now useless for Windows.
On login I was prompted to use Windows Hello, as my policy is set globally.
The device was displayed in Azure AD but not in Intune, so there is no compliance policy and therefore no access with the CA policy applied (and a different error again):
Teams was, again, completely unlocked and I could do what I wanted.
So far, no good: the extra tick box is literally just forcing Windows Hello.
How to block
We’ve established that blocking access to data via the installed app doesn’t work, but what about the web apps?
For this I configured a Defender for Cloud Apps policy using Conditional Access App Control to block downloads when using the web applications.
I also configured two Conditional Access policies.
The first is set to Block Downloads on All Cloud Apps using App control:
The second blocks non-web based apps completely on unmanaged devices:
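The same two Conditional Access policies, written as an added example with Microsoft Graph PowerShell rather than the portal (this is not code from the post). It assumes the Microsoft.Graph.Identity.SignIns module, an admin with the Policy.ReadWrite.ConditionalAccess scope, and a break-glass account object ID in the placeholder; both policies are created in report-only state so the sign-in logs can be checked before enforcing.

```powershell
# Added example: create the two BYOD Conditional Access policies via Graph.
# Assumptions: Microsoft.Graph.Identity.SignIns installed, admin consent for
# Policy.ReadWrite.ConditionalAccess, break-glass object ID filled in below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

$BreakGlassId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"   # placeholder, replace

# Policy 1: browser sessions on any cloud app are routed through Defender for
# Cloud Apps with the built-in "block downloads" session control.
$blockDownloads = @{
    displayName = "BYOD - block downloads in browser (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser")
    }
    sessionControls = @{
        cloudAppSecurity = @{ cloudAppSecurityType = "blockDownloads"; isEnabled = $true }
    }
}

# Policy 2: desktop and mobile clients are blocked unless the device is
# compliant or hybrid joined. Assumption: with the filter in "include" mode,
# devices that are not registered at all also match (their properties are null).
$blockThickClients = @{
    displayName = "BYOD - block non-browser clients on unmanaged devices (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
        devices        = @{
            deviceFilter = @{
                mode = "include"
                rule = 'device.isCompliant -ne True -and device.trustType -ne "ServerAD"'
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($blockDownloads, $blockThickClients)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
}
```

Review the "Report-only" results in the Entra sign-in logs for a personal-device sign-in before switching `state` to `enabled`, otherwise a mistake in the device filter locks out managed devices too.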
When logging into Teams I am presented with:
And when using the web browser, if I try to download:
You’ll notice that the Teams message suggests adding the device via a work or school account; to block that, set your Intune enrollment restrictions to block personal devices.
Hopefully this has been of some use!