With the release of MAM for Windows, I thought I would revisit securing your data on BYOD with Windows (previous post here).
In this post we will cover how to fully protect your data so that your Windows users can only access corporate information via a protected browser and keep the data contained.
To make things easier, I’ve also included everything in a PowerShell script here (note: the CA policies are created disabled so you can add exclusions and enable them manually as required).
Updated 15/02/204 with fixes
The first thing we need to do is block BYOD enrollment via a Device platform restriction policy:
Now we need to enable MAM by opting into the preview here:
After opting in, you will get a new link to access the Intune console and enable the Windows MAM option.
In Tenant Administration, click on Connectors and Tokens and then Mobile Threat Defense.
Add a connector for Windows Security Center:
Don’t worry if it displays as unavailable; it will update once it is used.
Next, click on Apps and then App Protection Policies.
Create a new Windows policy (not Windows Information Protection). Select Microsoft Edge and configure as required:
Now that we have completed the Intune side, we need to add extra security in Conditional Access.
Block anything but web access
First we need to stop non-corporate devices from accessing anything other than the web app, by requiring device compliance. Because MAM uses APIs to configure the browser, a simple Block control won’t work here; instead we Grant but require a compliant device, which effectively blocks BYOD.
Target only Office 365 here; a wider scope would also block the APIs that MAM depends on:
Add some conditions:
We want to let the browser through on this one; we will protect it with the next policy:
As mentioned, we will exclude corporate devices:
Then require compliance which will automatically block non-corporate devices:
Restrict Web Access
Finally, we want to lock down browser access with a second CA policy.
Add some conditions:
This one is important or the policy will fail to create:
Most important of all, we need to require app protection in Grant controls. We will also add compliance here to let through any corporate devices:
As an extra layer of security, you can also Block downloads using Conditional Access App Control in the Session controls:
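For reference, here is the second (Restrict Web Access) policy built with the Microsoft Graph PowerShell SDK, as an added example that is not the script linked above: it requires either a compliant device or an app protection policy for Windows browser access to Office 365 and blocks downloads in the session. The exclusion group ID is a placeholder, and the policy is created disabled as the post recommends.

```powershell
# Added example, not the author's script. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = 'BYOD Windows - Restrict Web Access (require app protection)'
    # Created disabled so exclusions can be added before enabling, as in the post.
    state       = 'disabled'
    conditions  = @{
        # Office 365 only: a wider scope would also catch the APIs MAM relies on.
        applications   = @{ includeApplications = @('Office365') }
        users          = @{
            includeUsers  = @('All')
            # Placeholder: object ID of your break-glass / exclusion group.
            excludeGroups = @('<exclusion-group-object-id>')
        }
        platforms      = @{ includePlatforms = @('windows') }
        # Browser traffic only; the first policy covers the other client types.
        clientAppTypes = @('browser')
    }
    grantControls = @{
        # Corporate (compliant) devices pass; BYOD must use Edge under app protection.
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'compliantApplication')
    }
    sessionControls = @{
        # Conditional Access App Control: block downloads in the BYOD browser session.
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = 'blockDownloads'
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and verify the app protection requirement actually landed.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.GrantControls.BuiltInControls -notcontains 'compliantApplication') {
    throw 'Policy was created without the Require app protection policy control'
}
"Created '$($check.DisplayName)' in state '$($check.State)'"
```

Review the policy in the Entra portal and use report-only mode or the What If tool before switching it from disabled to enabled.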
One thing to note when logging in from here:
Hope this is of use!