BYOD and MAM for Windows, protecting your data with Intune

With the release of MAM for Windows I thought I would revisit securing your data on BYOD with Windows (previous post here)

In this post we will cover how to fully protect your data so that your Windows users can only access corporate information via a protected browser and keep the data contained.

To make things easier, I’ve also included everything in a PowerShell script here (note: CA policies are disabled for you to manually enable and add exclusions as required)

Device restrictions

The first thing we need to do is block BYOD enrollment via a Device platform restriction policy:

Enable MAM

Now we need to enable MAM by opting into the preview here:

After opting in you will get a new link to access the Intune console and enable the Windows MAM option

In Tenant Administration, click on Connectors and Tokens and then Mobile Threat Defense.

Add a connector for Windows Security Center:

Don’t worry if it displays as unavailable, it will update when used.

Configure MAM

Next, click on Apps and App Protection Policies

Create a new Windows policy (not Windows Information Protection). Select Microsoft Edge and configure as required:

Now we have completed the Intune side, we need to add extra security in Conditional Access

Block anything but web access

First we need to block non-corporate devices from accessing anything but the web app by requiring compliance. Whilst you should do this for all devices, this policy is only for BYOD so we will also use a device filter to exclude corporate owned machines:

Add some conditions:

We want to let the browser through on this one, we will protect that on the next policy:

As mentioned, we will exclude corporate devices:

Then require compliance which will automatically block non-corporate devices:

Restrict Web Access

Finally we want to lock down the browser access with a second CA policy

Add some conditions:

This one is important or the policy will fail to create:

Again, ignore corporate devices:

Most important of all, we need to require app protection in Grant controls:

As an extra layer of security, you can also Block downloads using Conditional Access App Control in the Session controls:

Hope this is of use!

5 thoughts on “BYOD and MAM for Windows, protecting your data with Intune”

  1. This is really good, thank you.
    When I try to do this manually and select app, I have no apps available to select from so I cannot select Edge.

  2. Hi all!

    Program Manager from Microsoft working on this project here 🙂

    We are very excited about this feature and would love your feedback. Yes, there is a sign up needed for Public Preview. Please see this document for more information:

    Please be mindful to not share information from the Public Preview Teams channel outside of that channel, as we are still working to make this the best possible feature we can.



Leave a Comment