Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community
Mobile Application Management on Windows 11
Published Oct 04 2023 11:00 PM 5,794 Views
Microsoft

Introduction

 

Intune is very well known for its ability to manage both devices (aka. MDM) and applications (aka.MAM). The core difference between these two options lies back to the level of management that companies require, or employees accept.

While MDM is seen an appropriate way to manage company-owned devices or a full zero trust environment; MAM is useful when a company wants to make sure employees can use their personal devices to run applications that access to company data, and limit what can be done with that data. From that perspective, it can improve zero trust posture of a company as well; making sure that applications used to access certain data such as the company data complies with certain criteria, that is defined in the application protection policy.

It was possible to leverage MAM for unmanaged third party mobile platforms such as iOS and Android however unmanaged – or unenrolled – device support for Windows Information Protection – which was the closest to MAM – was removed quite some time ago.  Recent announcements told us that now we can use MAM in Windows platform as well, without requiring too much of hustle and regardless of a device being managed or unmanaged. We will look at the details and what to expect in the following sections:

 

  • Creating Application Protection Policy for Microsoft Edge
  • Sign-in and Profile Creation
  • Application Configuration Policy
  • Seeing it in action
  • Wrap up

Creating Application Protection Policy for Microsoft Edge on Windows 11

 

Just like all the other MAM policies, this one is also created from App protection policies console under Apps node in Microsoft Intune. When clicking on “Create policy” button, you will see four different options as iOS/iPadOS, Android, Windows, and Windows Information Protection. The first two platforms are obviously targeting third party mobile platforms. Fourth one is the Windows Information Protection that is available to enrolled devices, which is discontinued from improvement. And the third option is the long-awaited Mobile Application Management piece for Windows platform. Make no mistake, this is available to both managed and unmanaged devices. Key here is to have a managed browser which we will see in a couple of minutes.

 

Image 1: App Protection Policies Console from Apps node in Microsoft IntuneImage 1: App Protection Policies Console from Apps node in Microsoft Intune

 

In the first step of new application protection policy creation wizard, we will give a name and enter a description about the policy.

 

Image 2: New APP creation wizard – Name and DescriptionImage 2: New APP creation wizard – Name and Description

 

In the next step we will select an application to be applied for this policy. Clicking on the “Select apps” task opens a new section from the right.

 

Image 3: New APP creation wizard – Application SelectionImage 3: New APP creation wizard – Application Selection

 

When available applications are listed for the Application Protection Policy for Windows platform, the only application that will be listed is Microsoft Edge. – First thing to note here; APP on Windows is available on Microsoft Edge only. At least for now. We will see how and if other applications will be supported with this feature. You can check the list of the MAM enabled apps from the list here.

 

Image 4: New APP creation wizard – Application SelectionImage 4: New APP creation wizard – Application Selection

 

Image 5: New APP creation wizard – Application SelectionImage 5: New APP creation wizard – Application Selection

 

 

In the next step of the wizard, options will be presented to configure application capabilities such as inbound and outbound data transfers, cut, copy and paste options and ability to print the organizational data. For this document, I have configured the policy as follows:

  • Receive data from: All sources
  • Send org data to: No destinations
  • Allow cut, copy and paste for: No destination or source
  • Print org data: Block

 

Image 6: New APP creation wizard – Data ProtectionImage 6: New APP creation wizard – Data Protection

 

Next step is about defining the application and device conditions. Application conditions include timeout values for offline working, device conditions include device risk level in MDE – which would be valid for managed devices or personal devices that are enrolled to MDE.

 

Image 7: New APP creation wizard – Health ChecksImage 7: New APP creation wizard – Health Checks

 

Following health checks, assignment of the policy is done. Just like other policies, there are options to include and exclude groups from this policy scope.

 

Image 8: New APP creation wizard – AssignmentImage 8: New APP creation wizard – Assignment

 

As the policy is assigned to the groups, we will review the policy options and create the policy with the configured settings.

 

Signing in and First Run – Profile Creation

 

I’ve used an unmanaged device to act as a “Personal Device” in this scenario. So, we will be seeing the perspective of an employee who is trying to use a BYOD.

Initial screen of the browser is the login screen.

 

Image 9: Microsoft Edge Browser – First loginImage 9: Microsoft Edge Browser – First login

 

 

Once the sign in button is clicked, a login window is presented.

 

 

Image 10: Work or School Account LoginImage 10: Work or School Account Login

 

Once username and password of the user is entered an MFA will be triggered if there is and the login will be completed after SSO selection. Considering this is a BYOD device, users might not wish their device to be managed by the company, they may clear the checkbox and perform the sign in.

 

Image 11: SSO to the ApplicationsImage 11: SSO to the Applications

 

Once the sign in is complete, Edge browser will ask the user to create a profile to access the organizational resources. 

 

Image 12: Microsoft Edge Profile Creation PageImage 12: Microsoft Edge Profile Creation Page

 

 

This will be done by clicking the Continue button. Once it is completed, we will be able to see the created profile from user icon on the right upper corner of the Edge browser window. We can see that the profile is managed by the organizational linked account.

 

Image 13: Microsoft Edge Browser – Managed Account InformationImage 13: Microsoft Edge Browser – Managed Account Information

 

We can check for MAM Policy application by browsing to edge://edge-dlp-internals/ page. 

 

Image - 14: Edge DLP Internals - Policy page - Personal ProfileImage - 14: Edge DLP Internals - Policy page - Personal Profile

 

When we browse to the policy page on a personal profile, we may see no policy is applied. However, when we browse to the same page via work profile, we will be able to see the Application Protection Policies that are affecting the profile.

 

Image - 15: Edge DLP Internals - Policy page - Work ProfileImage - 15: Edge DLP Internals - Policy page - Work Profile

 

 

We will take a look at the end user experience in a while, but before jumping to that experience, let's take a look at the second option on managing applications via Intune: Application Configuration Policies.

 

Creating an Application Configuration Policy to Manage Microsoft Edge

 

Another piece in the application management is the ability to create application configuration policies for unenrolled devices. This will help to manage applications on unmanaged devices so that baseline management is pushed down. Application configuration also supports different platforms such as iOS/iPadOS and Android.  Let’s look at how does Application Configuration Policies work in this scenario.

 

Image 16: Application Configuration Policy CreationImage 16: Application Configuration Policy Creation

 

 

Application configuration policies also reside on Apps node in Microsoft Intune. When you click on the Add button to create a new application configuration policy, the first thing to determine is the policy scope. Will the policy work with the managed devices or managed apps? This selection will define if MDM or MAM will be used for the created policy.

Once selected, you will see the options such as name and description of the policies and the target of the policy. Options for the target include “Selected apps” and when you choose this option, it will be possible to select applications from the available list of MAM capable applications. Since the goal is to manage Edge browser in Windows; we’re adding Microsoft Edge on Windows platform to the list.

 

Image 17: Application Configuration Policy Creation.Image 17: Application Configuration Policy Creation.

 

 

Clicking on the next button will reveal the settings catalog so that we can add settings related to the application. For demonstration purposes, I’ve added simple settings related to the startup and homepage experience as well as immersive reader settings.

 

Image 18: Application Configuration Policy – Settings CatalogImage 18: Application Configuration Policy – Settings Catalog

 

 

Clicking next button will walk us through the usual policy creation wizard. Assignments will be based on groups, and it is possible to include groups as well as excluding them. Once the policy is created and assigned, applications will get the policy and apply the settings once they check-in the service.

 

Image 19: Edge Policy View, Personal ProfileImage 19: Edge Policy View, Personal Profile

 

It is possible to review policies that are applied on the profile via browsing edge://policy page. When we browse via Personal profile, we can see that no setting is applied as expected.

 

Image 20: Edge Policy View, Work ProfileImage 20: Edge Policy View, Work Profile

 

However, when browsed the same page via Work Profile, it is possible to see the policies effecting the profile.

 

Mobile Application Management for Microsoft Edge on Windows 11 in Action!

 

As the policy is applied to the application, it is possible to see the browser managed by the organization. Now since the browser is managed by the organization users will be able to browse in the way they would want.

 

Image 21: Microsoft Edge – Managed Browser MessageImage 21: Microsoft Edge – Managed Browser Message

 

Copy-Paste Behavior

 

Let’s check the usual copy – paste behavior of the browser once the application protection policy is applied.

 

Image 22: Copy Activity from MailboxImage 22: Copy Activity from Mailbox

 

 

As you can see, user is using the office.com portal in their work profile, and once they select a content and right click & copy the content, they are presented with a message box, stating that the organization limits this kind of activity for this website.

 

Image 23: Message box from APP – Blocked copyImage 23: Message box from APP – Blocked copy

 

 

 

Print the Content

 

When a user tries to print the organizational data, they will be presented with the usual printing interface.

 

Image 24: Printing from Organizational DataImage 24: Printing from Organizational Data

 

 

However, when they select the printing device and click on the print button, they will get an error message as the organization blocks this activity from organizational resources.

 

Image 25: Regular Printing InterfaceImage 25: Regular Printing Interface

 

 

Image 26: Message Box from APP – Blocked PrintingImage 26: Message Box from APP – Blocked Printing

 

 

Wrap-up

Supporting Windows platform on BYOD would require a mechanism to isolate company data and limit activities to be performed on the corporate data. This would be possible by having two different policies targeted to the browser: one for protecting the applications, another for configuring the application.

One of the components of this solution that would make every other component work is the Conditional Access policies in the environment.

 

Image 27: Conditional Access Policy – MAM EnforcementImage 27: Conditional Access Policy – MAM Enforcement

 

 

A CA policy that is scoped to the users, targeted to Office 365 applications and Windows device platform that would grant the access if device were either HAADJ (for domain joined scenarios) or marked as compliant (for managed devices that are not domain joined) or have application protection policies in place would allow companies to enforce Application Protection Policies for non-managed devices.

 

Image 28: Non-Microsoft Edge Browser WarningImage 28: Non-Microsoft Edge Browser Warning

 

 

This Conditional Access policy would enforce use of Microsoft Edge browser as no other browser would be managed by Application Protection Policies in place – at least for now in our example.

 

Image 29: Microsoft Edge Personal Profile WarningImage 29: Microsoft Edge Personal Profile Warning

 

 

This CA policy would also require use of Work Profiles in Edge browser so that a user would not be able to work around those protection policies in place. This profile separation would also allow distinction between corporate data and personal data.

 

3 Comments
Co-Authors
Version history
Last update:
‎Oct 26 2023 07:47 AM
Updated by: