Mobile Application Management on Windows 11

Posted by AtilGurcan

Introduction




Intune is well known for its ability to manage both devices (Mobile Device Management, MDM) and applications (Mobile Application Management, MAM). The core difference between the two lies in the level of management that a company requires, or that its employees accept.

While MDM is seen as the appropriate way to manage company-owned devices or a full zero trust environment, MAM is useful when a company wants to let employees use their personal devices to run applications that access company data, while limiting what can be done with that data. From that perspective it also improves a company's zero trust posture: it ensures that the applications used to access company data comply with the criteria defined in the application protection policy.

MAM was already available for unmanaged third-party mobile platforms such as iOS and Android; however, unmanaged (unenrolled) device support for Windows Information Protection, which was the closest thing to MAM on Windows, was removed quite some time ago. Recent announcements tell us that MAM can now be used on the Windows platform as well, without much hassle and regardless of whether a device is managed or unmanaged. We will look at the details and what to expect in the following sections:



  • Creating Application Protection Policy for Microsoft Edge
  • Sign-in and Profile Creation
  • Application Configuration Policy
  • Seeing it in action
  • Wrap up
Creating Application Protection Policy for Microsoft Edge on Windows 11




Just like all the other MAM policies, this one is created from the App protection policies console under the Apps node in Microsoft Intune. When you click the "Create policy" button, you will see four options: iOS/iPadOS, Android, Windows, and Windows Information Protection. The first two obviously target third-party mobile platforms. The fourth, Windows Information Protection, applies to enrolled devices only and is no longer being developed. The third option is the long-awaited Mobile Application Management piece for the Windows platform. Make no mistake, it is available to both managed and unmanaged devices. The key is to have a managed browser, which we will see in a couple of minutes.



[Image 1: App Protection Policies Console from Apps node in Microsoft Intune]



In the first step of the new application protection policy wizard, we give the policy a name and a description.



[Image 2: New APP creation wizard – Name and Description]



In the next step we select the application this policy applies to. Clicking the "Select apps" task opens a new pane on the right.



[Image 3: New APP creation wizard – Application Selection]



When the available applications are listed for an Application Protection Policy on the Windows platform, the only application shown is Microsoft Edge. First thing to note: APP on Windows is available for Microsoft Edge only, at least for now. We will see how and whether other applications will be supported. You can check the list of MAM-enabled apps here.



[Image 4: New APP creation wizard – Application Selection]



[Image 5: New APP creation wizard – Application Selection]





In the next step of the wizard, options are presented to configure application capabilities such as inbound and outbound data transfers, cut/copy/paste, and the ability to print organizational data. For this document, I have configured the policy as follows:

  • Receive data from: All sources
  • Send org data to: No destinations
  • Allow cut, copy and paste for: No destination or source
  • Print org data: Block



[Image 6: New APP creation wizard – Data Protection]



The next step defines the application and device conditions (conditional launch). Application conditions include timeout values for offline work; device conditions include the device risk level reported by Microsoft Defender for Endpoint (MDE), which only applies to managed devices or personal devices that are onboarded to MDE. On a device with no Defender sensor there is no risk level to evaluate, so do not rely on that condition alone for BYOD.



[Image 7: New APP creation wizard – Health Checks]



After the health checks, the policy is assigned. Just like other policies, there are options to include and exclude groups from the policy scope.



[Image 8: New APP creation wizard – Assignment]



Once the policy is assigned to the groups, we review the policy options and create the policy with the configured settings.
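The same policy can be created, targeted and assigned without the wizard through Microsoft Graph, which is how you would version-control it or roll it out to several tenants. The following is an added example and not code from the original post or from Microsoft. It assumes the beta resource type windowsManagedAppProtection with the property names shown, the Windows app identifier "com.microsoft.edge" for Edge, and a placeholder group ID; verify the resource and property names against the current Graph beta reference before running it.

```powershell
# Added example (not from the original post): creates the Windows app protection policy from
# the wizard above via Microsoft Graph (beta), targets Edge, assigns it and reads it back.
# Assumptions (verify against the current Graph beta reference):
#   - resource type windowsManagedAppProtection and the property names used below
#   - the Windows MAM app identifier for Microsoft Edge is "com.microsoft.edge"
#   - $GroupId is a placeholder for the Entra ID group that gets the policy
# Requires the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All' -NoWelcome

$Beta    = 'https://graph.microsoft.com/beta'
$GroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with your pilot group

# 1. Data protection settings mirroring the wizard choices:
#    Receive data from: All sources / Send org data to: No destinations /
#    Cut, copy, paste: No destination or source / Print org data: Block
$policy = @{
    '@odata.type'                           = '#microsoft.graph.windowsManagedAppProtection'
    displayName                             = 'APP - Edge on Windows (BYOD)'
    description                             = 'MAM for Microsoft Edge on unmanaged Windows 11 devices'
    allowedInboundDataTransferSources       = 'allApps'
    allowedOutboundDataTransferDestinations = 'none'
    allowedOutboundClipboardSharingLevel    = 'none'
    printBlocked                            = $true
    # Conditional launch: re-check access after 12 h offline, wipe org data after 30 days offline
    periodOfflineBeforeAccessCheck          = 'PT12H'
    periodOfflineBeforeWipeIsEnforced       = 'P30D'
    # Device condition: only evaluated where Defender for Endpoint reports a risk level.
    maximumAllowedDeviceThreatLevel         = 'low'
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "$Beta/deviceAppManagement/windowsManagedAppProtections" `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'
$policyId = $created.id

# 2. Target Microsoft Edge, the only Windows app the portal offers today.
$targetApps = @{
    apps = @(
        @{
            mobileAppIdentifier = @{
                '@odata.type' = '#microsoft.graph.windowsAppIdentifier'
                windowsAppId  = 'com.microsoft.edge'
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$Beta/deviceAppManagement/windowsManagedAppProtections/$policyId/targetApps" `
    -Body ($targetApps | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# 3. Assign the policy to the pilot group.
$assign = @{
    assignments = @(
        @{
            '@odata.type' = '#microsoft.graph.targetedManagedAppPolicyAssignment'
            target        = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $GroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$Beta/deviceAppManagement/windowsManagedAppProtections/$policyId/assign" `
    -Body ($assign | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# 4. Read the policy back and fail loudly if the blocking settings did not land.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "$Beta/deviceAppManagement/windowsManagedAppProtections/${policyId}?`$expand=apps,assignments"
if ($check.allowedOutboundDataTransferDestinations -ne 'none' -or
    $check.allowedOutboundClipboardSharingLevel -ne 'none' -or
    -not $check.printBlocked) {
    throw "Policy $policyId does not block outbound data, clipboard and print as intended"
}
'Policy {0}: {1} targeted app(s), {2} assignment(s)' -f $check.displayName, $check.apps.Count, $check.assignments.Count
```

The read-back step is the part worth keeping even if you build the policy in the portal: a policy that exists but has zero targeted apps or zero assignments is exactly what a user on an unmanaged device will otherwise report as "Edge just blocks me", so confirm both counts before the pilot starts.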



Signing in and First Run – Profile Creation




I've used an unmanaged device to act as a "personal device" in this scenario, so we will see the perspective of an employee who is trying to use a BYOD device.

The initial screen of the browser is the sign-in screen.



[Image 9: Microsoft Edge Browser – First login]





Once the sign-in button is clicked, a login window is presented.





[Image 10: Work or School Account Login]



Once the user's username and password are entered, MFA is triggered if it is configured, and the login completes after the SSO selection. Since this is a BYOD device, users who do not want the company to manage their device can clear the checkbox that allows the organization to manage it and then complete the sign-in; the app protection policy still applies to the Edge work profile.



[Image 11: SSO to the Applications]



Once the sign-in is complete, Edge asks the user to create a profile to access the organizational resources.



[Image 12: Microsoft Edge Profile Creation Page]





This is done by clicking the Continue button. Once complete, the created profile is visible from the user icon in the upper-right corner of the Edge window, and we can see that the profile is managed through the linked organizational account.



[Image 13: Microsoft Edge Browser – Managed Account Information]



When the user tries to browse any website, they are presented with a pop-up stating that Edge must be managed by the organization before it can access the organizational resources associated with the signed-in identity.



[Image 14: Microsoft Edge Browser App Access Blocked Pop-up]



This highlights the other requirement for managing the application: an Application Configuration Policy.



Creating an Application Configuration Policy to Manage Microsoft Edge




Another piece of application management is the ability to create application configuration policies for unenrolled devices. These push baseline settings down to applications on unmanaged devices. Application configuration also supports other platforms such as iOS/iPadOS and Android. Let's look at how Application Configuration Policies work in this scenario.



[Image 15: Application Configuration Policy Creation]



Application configuration policies also live under the Apps node in Microsoft Intune. When you click Add to create a new application configuration policy, the first thing to decide is the policy scope: will the policy target managed devices or managed apps? This choice determines whether MDM or MAM is used for the policy. For the unmanaged BYOD scenario described here, choose managed apps.

Once selected, you will see options such as the policy name and description and the target of the policy. The target options include "Selected apps"; when you choose it, you can pick applications from the list of MAM-capable applications. Since the goal is to manage the Edge browser on Windows, we add Microsoft Edge on the Windows platform to the list.



[Image 16: Application Configuration Policy Creation]



Clicking Next reveals the settings catalog, from which we can add settings related to the application. For demonstration purposes, I've added simple settings related to the startup and homepage experience as well as immersive reader settings.



[Image 17: Application Configuration Policy – Settings Catalog]



Clicking Next walks us through the usual policy creation wizard. Assignments are group-based, and it is possible to include groups as well as exclude them. Once the policy is created and assigned, the application receives the policy and applies the settings the next time it checks in with the service.



Mobile Application Management for Microsoft Edge on Windows 11 in Action!




Once the policy is applied to the application, the browser shows as managed by the organization. Since the browser is now managed, users can browse as they normally would.



[Image 18: Microsoft Edge – Managed Browser Message]



Copy-Paste Behavior




Let's check the usual copy and paste behavior of the browser once the application protection policy is applied.



[Image 19: Copy Activity from Mailbox]



As you can see, the user is using the office.com portal in their work profile; when they select content and choose Copy from the right-click menu, they are presented with a message box stating that the organization limits this kind of activity for this website.



[Image 20: Message box from APP – Blocked copy]





Print the Content




When a user tries to print organizational data, they are presented with the usual printing interface.



[Image 21: Printing from Organizational Data]



However, when they select a printer and click Print, they get an error message because the organization blocks printing from organizational resources.



[Image 22: Regular Printing Interface]



[Image 23: Message Box from APP – Blocked Printing]



Wrap-up


Supporting the Windows platform for BYOD requires a mechanism to isolate company data and limit what can be done with it. Two policies targeted at the browser make this possible: one for protecting the application, another for configuring it.

The component that makes every other component work is the Conditional Access policy in the environment: without it, nothing forces a user on an unmanaged device to use the protected browser in the first place.



[Image 24: Conditional Access Policy – MAM Enforcement]



A Conditional Access policy scoped to the users, targeting Office 365 applications and the Windows device platform, that grants access if the device is either Hybrid Azure AD joined (HAADJ, for domain-joined scenarios), marked as compliant (for managed devices that are not domain joined), or has an application protection policy in place (the "Require app protection policy" grant control), with the three controls combined as "one of the selected controls", lets companies enforce Application Protection Policies on non-managed devices. Combining the same controls with "all of the selected controls" would lock out every unmanaged device, since such a device can never be HAADJ or compliant.
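The Conditional Access policy described above, expressed as a Microsoft Graph v1.0 call so it can be reviewed and deployed in report-only mode first. This is an added example, not the original post's own configuration export or a Microsoft sample; the pilot and break-glass group IDs are placeholders, and the built-in control names (domainJoinedDevice, compliantDevice, compliantApplication) are the Graph equivalents of the three grant options named in the text.

```powershell
# Added example (not from the original post): creates the Conditional Access policy from the
# wrap-up via Microsoft Graph v1.0, in report-only mode, and verifies the grant operator.
# Assumptions: $PilotGroupId and $BreakGlassGroupId are placeholders; the three built-in grant
# controls are combined with OR, matching the "either HAADJ, compliant, or APP" wording.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

$PilotGroupId      = '11111111-1111-1111-1111-111111111111'   # placeholder, users in the MAM pilot
$BreakGlassGroupId = '22222222-2222-2222-2222-222222222222'   # placeholder, emergency access accounts

$caPolicy = @{
    displayName   = 'CA - Windows: HAADJ, compliant device, or app protection policy (Office 365)'
    # Report-only first: review the sign-in log results, then switch to 'enabled'.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeGroups = @($PilotGroupId)
            excludeGroups = @($BreakGlassGroupId)   # never lock the break-glass accounts out
        }
        applications   = @{
            includeApplications = @('Office365')   # the Office 365 app group, as in the screenshot
        }
        platforms      = @{
            includePlatforms = @('windows')
        }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator        = 'OR'   # "Require one of the selected controls"
        builtInControls = @('domainJoinedDevice', 'compliantDevice', 'compliantApplication')
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($caPolicy | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# Sanity check before anyone enables it: with AND instead of OR, an unmanaged device could
# never satisfy the policy, because it is neither HAADJ nor compliant.
$readBack = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)"
if ($readBack.grantControls.operator -ne 'OR') {
    throw "Grant controls must be combined with OR for the BYOD path to work"
}
"Created '{0}' in state {1}" -f $readBack.displayName, $readBack.state
```

Leave the policy in report-only mode until the sign-in logs show unmanaged-device sign-ins from the Edge work profile evaluating to "success" under the app protection policy control and sign-ins from other browsers or the personal profile evaluating to "failure"; only then enable it.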



[Image 25: Non-Microsoft Edge Browser Warning]



This Conditional Access policy enforces the use of Microsoft Edge, because no other browser is managed by the Application Protection Policies in place, at least for now in our example.



[Image 26: Microsoft Edge Personal Profile Warning]



This CA policy also requires the use of work profiles in Edge, so a user cannot bypass the protection policies by signing in from a personal profile. This profile separation is also what keeps corporate data and personal data apart.
