With the release of MAM for Windows I thought I would revisit securing your data on BYOD with Windows (previous post here)
In this post we will cover how to fully protect your data so that your Windows users can only access corporate information via a protected browser and keep the data contained.
To make things easier, I’ve also included everything in a PowerShell script here (note: CA policies are disabled for you to manually enable and add exclusions as required)
Device restrictions
The first thing we need to do is block BYOD enrollment via a Device platform restriction policy:
Enable MAM
Now we need to enable MAM by opting into the preview here:
https://aka.ms/mamforwindowspublic
After opting in you will get a new link to access the Intune console and enable the Windows MAM option
In Tenant Administration, click on Connectors and Tokens and then Mobile Threat Defense.
Add a connector for Windows Security Center:
Don’t worry if it displays as unavailable, it will update when used.
Configure MAM
Next, click on Apps and App Protection Policies
Create a new Windows policy (not Windows Information Protection). Select Microsoft Edge and configure as required:
Now we have completed the Intune side, we need to add extra security in Conditional Access
Block anything but web access
First we need to block non-corporate devices from accessing anything but the web app by requiring compliance. Whilst you should do this for all devices, this policy is only for BYOD so we will also use a device filter to exclude corporate owned machines:
Add some conditions:
We want to let the browser through on this one, we will protect that on the next policy:
As mentioned, we will exclude corporate devices:
Then require compliance which will automatically block non-corporate devices:
Restrict Web Access
Finally we want to lock down the browser access with a second CA policy
Add some conditions:
This one is important or the policy will fail to create:
Again, ignore corporate devices:
Most important of all, we need to require app protection in Grant controls:
As an extra layer of security, you can also Block downloads using Conditional Access App Control in the Session controls:
Hope this is of use!
This is really good, thank you.
When I try to do this manually and select app, I have no apps available to select from so I cannot select Edge.
I think as it’s still in preview the functionality is still rolling out. Might be worth an MS ticket within the portal
I had the same results and eventually found this sign up form for the public preview
https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR5Et9AHvwQBCvdYzt0-Gxb9UM1NFWVRUTlhMUEIwWEc2VTZKUjYwUVk2QS4u
Hi all!
Program Manager from Microsoft working on this project here 🙂
We are very excited about this feature and would love your feedback. Yes, there is a sign up needed for Public Preview. Please see this document for more information: https://aka.ms/mamforwindowspublic.
Please be mindful to not share information from the Public Preview Teams channel outside of that channel, as we are still working to make this the best possible feature we can.
Thanks,
Jordan
Thank you Jordan 🙂