Intune is well known for its ability to manage both devices (MDM) and applications (MAM). The core difference between the two comes down to the level of management that companies require, or that employees accept.
While MDM is seen as the appropriate way to manage company-owned devices or a full zero trust environment, MAM is useful when a company wants to let employees use their personal devices to run applications that access company data, while limiting what can be done with that data. From that perspective, it can improve a company's zero trust posture as well, by making sure that the applications used to access company data comply with the criteria defined in the application protection policy.
It has long been possible to leverage MAM for unmanaged third-party mobile platforms such as iOS and Android; however, unmanaged (or unenrolled) device support for Windows Information Protection, which was the closest thing to MAM on Windows, was removed quite some time ago. Recent announcements tell us that MAM can now be used on the Windows platform as well, without much hassle and regardless of whether a device is managed or unmanaged. We will look at the details and what to expect in the following sections.
Just like all the other MAM policies, this one is created from the App protection policies console under the Apps node in Microsoft Intune. When you click the “Create policy” button, you will see four options: iOS/iPadOS, Android, Windows, and Windows Information Protection. The first two obviously target third-party mobile platforms. The fourth is Windows Information Protection, which is available to enrolled devices and is no longer being developed. The third option is the long-awaited Mobile Application Management piece for the Windows platform. Make no mistake, this is available to both managed and unmanaged devices. The key is to have a managed browser, which we will see in a couple of minutes.
In the first step of the new application protection policy wizard, we give the policy a name and enter a description.
In the next step we select the applications this policy will apply to. Clicking the “Select apps” option opens a new pane on the right.
When the available applications are listed for an Application Protection Policy on the Windows platform, the only application shown is Microsoft Edge. The first thing to note: APP on Windows is available for Microsoft Edge only, at least for now. We will see how and whether other applications will be supported with this feature. You can check the list of MAM-enabled apps here.
In the next step of the wizard, options are presented to configure application capabilities such as inbound and outbound data transfers, cut, copy and paste options, and the ability to print organizational data. For this document, I have configured the policy as follows:
The next step defines the application and device conditions. Application conditions include timeout values for offline work; device conditions include the device risk level in MDE, which applies to managed devices or personal devices that are enrolled in MDE.
After the health checks, the policy is assigned. Just like other policies, there are options to include and exclude groups from the policy scope.
After assigning the policy to the groups, we review the policy options and create the policy with the configured settings.
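The wizard steps above are what the Intune console turns into a Microsoft Graph request behind the scenes. As an added example that is not part of the original article, the Python below builds the same kind of Windows app protection policy for Edge as a Graph request body and audits it for permissive data-protection settings (data transfer, clipboard, print) before it would be created. The beta resource type, property names, app identifier type and endpoint are assumptions from my reading of the Graph beta schema, not anything stated on the page, and the Edge app identifier is a placeholder; verify them against the Graph reference for your tenant. The block makes no network calls.

```python
"""Constructed example: declare a Windows app protection policy for Microsoft Edge
as the Graph request body, then audit it for settings that let organizational
data leave the managed profile.

ASSUMPTIONS (not from the article): resource type, property names, endpoint and
app identifier type follow the Graph beta schema as understood by the author
of this example; the Edge app id is a placeholder.
"""
import json

# Graph beta endpoint the body would be POSTed to (assumed; reference only).
ENDPOINT = "https://graph.microsoft.com/beta/deviceAppManagement/windowsManagedAppProtections"

# Placeholder: look up the real MAM app identifier for Edge in your console.
EDGE_APP_ID = "PLACEHOLDER-edge-windows-app-id"

# Enum values for managedAppProtection-derived resources (assumed from schema).
TRANSFER_LEVELS = ("allApps", "managedApps", "none")
CLIPBOARD_LEVELS = ("allApps", "managedAppsWithPasteIn", "managedApps", "blocked")


def build_edge_app_protection(name, description, *,
                              inbound="managedApps",
                              outbound="managedApps",
                              clipboard="managedApps",
                              print_blocked=True,
                              offline_grace_minutes=720):
    """Return the Graph request body for a Windows APP scoped to Edge."""
    if inbound not in TRANSFER_LEVELS or outbound not in TRANSFER_LEVELS:
        raise ValueError("invalid data transfer level")
    if clipboard not in CLIPBOARD_LEVELS:
        raise ValueError("invalid clipboard sharing level")
    return {
        "@odata.type": "#microsoft.graph.windowsManagedAppProtection",
        "displayName": name,
        "description": description,
        # Data protection step of the wizard: transfers, clipboard, printing.
        "allowedInboundDataTransferSources": inbound,
        "allowedOutboundDataTransferDestinations": outbound,
        "allowedOutboundClipboardSharingLevel": clipboard,
        "printBlocked": print_blocked,
        # Conditions step: how long the app may work offline before re-checking
        # access, as an ISO 8601 duration.
        "periodOfflineBeforeAccessCheck": f"PT{offline_grace_minutes}M",
        # Targeted app: Edge is the only MAM-capable app on Windows today.
        "apps": [{
            "mobileAppIdentifier": {
                "@odata.type": "#microsoft.graph.windowsAppIdentifier",
                "windowsAppId": EDGE_APP_ID,
            }
        }],
    }


def audit_data_protection(policy):
    """Return findings for settings that allow organizational data to leave the
    managed Edge profile. An empty list means the policy meets the baseline."""
    findings = []
    if policy["allowedOutboundDataTransferDestinations"] == "allApps":
        findings.append("outbound data transfer allowed to any app")
    if policy["allowedInboundDataTransferSources"] == "allApps":
        findings.append("inbound data accepted from any app")
    if policy["allowedOutboundClipboardSharingLevel"] == "allApps":
        findings.append("clipboard sharing allowed to any app")
    if not policy["printBlocked"]:
        findings.append("printing of organizational data not blocked")
    return findings


if __name__ == "__main__":
    weak = build_edge_app_protection(
        "Edge APP - permissive", "constructed weak example",
        inbound="allApps", outbound="allApps", clipboard="allApps", print_blocked=False)
    hardened = build_edge_app_protection("Edge APP - BYOD", "constructed hardened example")
    print("weak policy findings:", audit_data_protection(weak))
    print("hardened policy findings:", audit_data_protection(hardened))
    print(json.dumps(hardened, indent=2))
```

The audit is the part worth keeping in a deployment pipeline: it turns the screenshot you would otherwise eyeball into a check that fails the build when someone relaxes clipboard or print restrictions.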
I’ve used an unmanaged device to act as a “Personal Device” in this scenario, so we will be seeing the perspective of an employee using a BYOD device.
Initial screen of the browser is the login screen.
Once the sign-in button is clicked, a login window is presented.
Once the user's username and password are entered, MFA is triggered if it is configured, and the login completes after the SSO selection. Considering this is a BYOD device, users who do not wish their device to be managed by the company can clear the checkbox and complete the sign-in.
Once the sign-in is complete, the Edge browser asks the user to create a profile to access organizational resources.
This is done by clicking the Continue button. Once it is completed, we can see the created profile from the user icon in the upper right corner of the Edge browser window. We can see that the profile is managed by the linked organizational account.
We can check for MAM Policy application by browsing to edge://edge-dlp-internals/ page.
When we browse to the policy page in a personal profile, we see that no policy is applied. However, when we browse to the same page in the work profile, we can see the Application Protection Policies affecting the profile.
We will take a look at the end user experience in a while, but before jumping to that experience, let's take a look at the second option on managing applications via Intune: Application Configuration Policies.
Another piece of application management is the ability to create application configuration policies for unenrolled devices. This helps manage applications on unmanaged devices so that a baseline configuration is pushed down. Application configuration also supports other platforms such as iOS/iPadOS and Android. Let’s look at how Application Configuration Policies work in this scenario.
Application configuration policies also reside under the Apps node in Microsoft Intune. When you click the Add button to create a new application configuration policy, the first thing to determine is the policy scope: will the policy target managed devices or managed apps? This selection defines whether MDM or MAM is used for the policy.
Once selected, you will see options such as the name and description of the policy and its target. The target options include “Selected apps”; when you choose this option, you can select applications from the list of MAM-capable applications. Since the goal is to manage the Edge browser on Windows, we add Microsoft Edge on the Windows platform to the list.
Clicking on the next button will reveal the settings catalog so that we can add settings related to the application. For demonstration purposes, I’ve added simple settings related to the startup and homepage experience as well as immersive reader settings.
Clicking the next button walks us through the usual policy creation wizard. Assignments are based on groups, and it is possible to include groups as well as exclude them. Once the policy is created and assigned, applications receive the policy and apply the settings once they check in with the service.
It is possible to review the policies applied to the profile by browsing to the edge://policy page. When we browse to it from the Personal profile, we see that no setting is applied, as expected.
However, when the same page is browsed from the Work profile, it is possible to see the policies affecting the profile.
As the policy is applied to the application, the browser is shown as managed by the organization. Now that the browser is managed by the organization, users can browse in the way they would want.
Let’s check the usual copy and paste behavior of the browser once the application protection policy is applied.
As you can see, the user is using the office.com portal in their work profile, and once they select some content, right click and copy it, they are presented with a message box stating that the organization limits this kind of activity for this website.
When a user tries to print the organizational data, they will be presented with the usual printing interface.
However, when they select the printing device and click the print button, they get an error message because the organization blocks this activity for organizational resources.
Supporting the Windows platform for BYOD requires a mechanism to isolate company data and limit the activities that can be performed on corporate data. This is possible with two different policies targeted at the browser: one protecting the application, another configuring it.
The component of this solution that makes every other component work is the Conditional Access policies in the environment.
A CA policy scoped to the users, targeting Office 365 applications and the Windows device platform, that grants access only if the device is either HAADJ (for domain-joined scenarios), marked as compliant (for managed devices that are not domain joined), or has an application protection policy in place allows companies to enforce Application Protection Policies on non-managed devices.
This Conditional Access policy enforces the use of the Microsoft Edge browser, since no other browser is managed by the Application Protection Policies in place, at least for now in our example.
This CA policy also requires the use of Work Profiles in the Edge browser, so that a user cannot work around the protection policies in place. This profile separation also allows a distinction between corporate data and personal data.
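As an added example that is not part of the original article, the Python below expresses the Conditional Access policy described above as a Microsoft Graph request body and pairs it with a small evaluator that shows which sign-in scenarios it grants. The evaluator models only the OR grant logic of this one policy; it is not the real Conditional Access engine. The group id and policy name are placeholders, and the mapping of the console's grant controls to the Graph enum values (`domainJoinedDevice` for hybrid Azure AD joined, `compliantDevice` for compliant, `compliantApplication` for "Require app protection policy") is my own, not stated on the page. No network calls are made.

```python
"""Constructed example: the BYOD Conditional Access policy from the article as a
Graph conditionalAccessPolicy body, plus an evaluator that shows why an
unmanaged Windows device only gets in through an Edge work profile with an
app protection policy applied.

ASSUMPTIONS (not from the article): placeholder group id and display name;
Graph enum names for the grant controls; the evaluator is a simplified model
of the OR grant logic, not the Conditional Access engine.
"""

TARGET_GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder group object id


def build_byod_edge_ca_policy(group_id=TARGET_GROUP_ID):
    """Return the request body for the policy described in the article."""
    return {
        "displayName": "Windows BYOD - require APP, compliant or HAADJ device",
        # Start in report-only mode and review sign-in logs before enforcing.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": ["Office365"]},
            "platforms": {"includePlatforms": ["windows"]},
        },
        "grantControls": {
            # Any one of the three controls satisfies the policy.
            "operator": "OR",
            "builtInControls": ["domainJoinedDevice", "compliantDevice", "compliantApplication"],
        },
    }


def evaluate(policy, signin):
    """Return 'grant', 'block' or 'not in scope' for a sign-in dict with keys
    group_ids, app, platform, hybrid_joined, compliant, app_protected."""
    cond = policy["conditions"]
    in_scope = (
        bool(set(signin["group_ids"]) & set(cond["users"]["includeGroups"]))
        and signin["app"] in cond["applications"]["includeApplications"]
        and signin["platform"] in cond["platforms"]["includePlatforms"]
    )
    if not in_scope:
        return "not in scope"
    # Which grant control each device/app state satisfies.
    satisfies = {
        "domainJoinedDevice": signin["hybrid_joined"],
        "compliantDevice": signin["compliant"],
        # Only an Edge work profile with APP applied satisfies this one.
        "compliantApplication": signin["app_protected"],
    }
    results = [satisfies[c] for c in policy["grantControls"]["builtInControls"]]
    if policy["grantControls"]["operator"] == "OR":
        return "grant" if any(results) else "block"
    return "grant" if all(results) else "block"


def _signin(**overrides):
    base = dict(group_ids=[TARGET_GROUP_ID], app="Office365", platform="windows",
                hybrid_joined=False, compliant=False, app_protected=False)
    base.update(overrides)
    return base


# Constructed scenarios covering the three grant paths and the two failure modes.
SCENARIOS = {
    "corporate HAADJ laptop": _signin(hybrid_joined=True),
    "Intune-managed compliant device": _signin(compliant=True),
    "BYOD, Edge work profile with APP": _signin(app_protected=True),
    "BYOD, personal profile or other browser": _signin(),
    "BYOD macOS device": _signin(platform="macOS"),
}


def run_scenarios(policy=None):
    policy = policy or build_byod_edge_ca_policy()
    return {name: evaluate(policy, s) for name, s in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:45} -> {result}")
```

The last two scenarios are the ones to watch in the sign-in logs: a personal Edge profile or a third-party browser on an unmanaged Windows device is blocked, while a macOS device is simply out of scope of this policy and needs its own.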