BYOD and MAM for Windows, protecting your data with Intune

With the release of MAM for Windows, I thought I would revisit securing your data on Windows BYOD devices (previous post here).

In this post we will cover how to fully protect your data so that your Windows users can only access corporate information via a protected browser, keeping the data contained.

To make things easier, I've also included everything in a PowerShell script here (note: the CA policies are created disabled so you can add exclusions as required and enable them manually).

Updated 15/02/204 with fixes

Device restrictions

The first thing we need to do is block BYOD enrollment via a Device platform restriction policy:

Enable MAM

Now we need to enable MAM by opting into the preview here:

https://aka.ms/mamforwindowspublic

After opting in you will get a new link to access the Intune console and enable the Windows MAM option.

In Tenant Administration, click on Connectors and Tokens and then Mobile Threat Defense.

Add a connector for Windows Security Center:

Don’t worry if it displays as unavailable, it will update when used.

Configure MAM

Next, click on Apps and then App Protection Policies.

Create a new Windows policy (not Windows Information Protection). Select Microsoft Edge and configure as required:

Now that the Intune side is complete, we need to add extra security in Conditional Access.

Block anything but web access

First we need to block non-corporate devices from accessing anything but the web app by requiring compliance. Because MAM uses APIs to configure the browser, a simple block control won't work here; instead we grant access but require a compliant device, which effectively blocks BYOD.

Target only Office 365 here; including all cloud apps would also block the API that MAM relies on.

Add some conditions:

We want to let the browser through on this one, we will protect that on the next policy:

As mentioned, we will exclude corporate devices:

Then require compliance which will automatically block non-corporate devices:

Restrict Web Access

Finally, we want to lock down browser access with a second CA policy.

Add some conditions:

This one is important or the policy will fail to create:

Most important of all, we need to require app protection in Grant controls. We will also add compliance here to let through any corporate devices:

As an extra layer of security, you can also Block downloads using Conditional Access App Control in the Session controls:
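The two policies above can also be created from PowerShell via Microsoft Graph. This is an added example, not the author's script: it assumes the Microsoft.Graph SDK is installed, creates both policies disabled so exclusions can be added before enabling, and uses an assumed device filter rule (`device.trustType -eq "AzureAD"`) to represent corporate devices.

```powershell
# Added example: create the two Conditional Access policies described above
# through Microsoft Graph. Both are left disabled so break-glass accounts and
# the corporate device exclusion can be reviewed before they take effect.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$uri = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Policy 1: everything except the browser (desktop/mobile apps and other
# clients) reaching Office 365 must come from a compliant device. Corporate
# devices are excluded by a device filter, so BYOD is effectively blocked from
# thick clients without breaking the API that MAM uses to configure Edge.
$blockApps = @{
    displayName   = "BYOD - Block non-browser access to Office 365"
    state         = "disabled"
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("mobileAppsAndDesktopClients", "other")
        devices        = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.trustType -eq "AzureAD"'   # assumed corporate-device rule
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}

# Policy 2: browser access to Office 365 from Windows requires an app
# protection policy (MAM) or a compliant device, and downloads are blocked
# via Conditional Access App Control in the session controls.
$restrictWeb = @{
    displayName     = "BYOD - Require app protection for browser access"
    state           = "disabled"
    conditions      = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser")
        platforms      = @{ includePlatforms = @("windows") }
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("compliantApplication", "compliantDevice") }
    sessionControls = @{ cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = "blockDownloads" } }
}

foreach ($policy in @($blockApps, $restrictWeb)) {
    $created = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $policy -ContentType "application/json"
    Write-Host "Created '$($created.displayName)' (id $($created.id), state $($created.state))"
}
```

Review each policy in the Entra portal (and run it through the What If tool against a test BYOD user) before switching its state to enabled.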

One thing to note when logging in from here:

https://learn.microsoft.com/en-us/entra/identity/conditional-access/how-to-app-protection-policy-windows

Hope this is of use!

43 thoughts on “BYOD and MAM for Windows, protecting your data with Intune”

  1. This is really good, thank you.
    When I try to do this manually and select app, I have no apps available to select from so I cannot select Edge.
  2. Hi all!

    Program Manager from Microsoft working on this project here 🙂

    We are very excited about this feature and would love your feedback. Yes, there is a sign up needed for Public Preview. Please see this document for more information: https://aka.ms/mamforwindowspublic.

    Please be mindful to not share information from the Public Preview Teams channel outside of that channel, as we are still working to make this the best possible feature we can.

    Thanks,
    Jordan
  3. Running into issues with the compliance part of this. All devices I try and join say they do not meet the organisation's compliance requirements, see the device management portal for why it's non-compliant. Maybe I'm looking in the wrong location, but I can't find anything that is saying why it's non-compliant?

    Thanks for the guide!
  4. Hi Andrew, just to understand.

    If a device is BYOD, so non-compliant, and using WINDOWS APPS, it will be blocked.
    If a device is BYOD, so non-compliant, and using the BROWSER, it will be granted, and protected by the App Protection Edge policy, right?

    Is that right?

    What about chrome/firefox ?

    Thanks
  5. I have the same issue. We have set up a CA policy requiring all devices to be compliant (onboarded in Intune), and we excluded the browser,
    then I set up your CA policy as above. What If shows it correctly.

    However, once I log into Edge on BYOD with the account, it always fires "you can't get there from here" afterwards.
    Could it be that Edge sync login uses desktop clients as the "client apps" and not browser?
  6. Awesome article, thank you!

    Been trying to get this set up in our tenant but keep running into issues with the CA policies. I was seeing it throwing a fit about my test BYOD device when using the device matching rule, whether including personal or trying to exclude company devices.
    So I took that out entirely to test further, and now it fails saying there isn't an app protection policy, when I've confirmed it's set up and targeting the user.

    Seems rather odd, and I'm noticing others having similar issues: https://www.reddit.com/r/Intune/comments/1aqpi8w/ca_issues_setting_up_mam_for_edge/
  7. No luck, I’m afraid.
    I have noticed that if I change the CA policy's grant to be either compliant or require APP (so it could also allow managed devices through), the failures are that the device isn't compliant. It seems the app protection policy isn't applying, despite confirming it's deployed and targeting the user.
    If the grant is set to only require APP, the failure is that required APP is not satisfied.
      • Yes. And I can even tell that the APP is actually working, since when I'm in that work profile in Edge and try to download a file (which I have restricted in the policy), I get a pop-up that the organization has blocked downloads.
  8. Thanks Andrew, really useful guide. I’ve found the feature to be a step in the right direction. Is there anything that you were able to do around restricting sites within the managed MAM profile? I know this feature is available for iOS and Android, but I couldn’t find anything for Windows app protection. In my testing, it still allowed me to copy data within the work container/profile to untrusted sites e.g., personal mail etc.