First published on TECHNET on May 31, 2017
We're excited to announce several improvements to the Work Folders clients for Windows 10 version 1703, Android and iOS:
For more details, please review the sections below.
Applies to: Windows 10 version 1703, Android and iOS
Work Folders supports using VPN, Web Application Proxy (WAP) or a third-party reverse proxy solution to give remote users access to their files on the Work Folders server. These remote access solutions require expensive hardware or additional on-premises servers that need to be managed.
Work Folders now supports using Azure AD Application Proxy to enable remote users to securely access their files on the Work Folders server.
Benefits of using Azure AD Application Proxy
To learn more about Azure AD Application Proxy, please see the following article: How to provide secure remote access to on-premises applications
How to enable remote access to Work Folders using Azure Active Directory Application Proxy
For more details on how to configure Work Folders access using Azure AD Application Proxy, please see the following blog: Enable remote access to Work Folders using Azure Active Directory Application Proxy
Applies to: Windows 10 version 1703, Android and iOS
A common complaint when using AD FS authentication is that the remote user is prompted for credentials every 8 hours if the device is not registered with the AD FS server. To reduce the frequency of credential prompts, you can enable the Keep Me Signed In (KMSI) feature, but the maximum single sign-on period for a non-registered device is 7 days. To register the device, the user needs to use the Workplace Join feature.
To improve the user experience when using Azure AD Application Proxy, Work Folders now supports Token Broker, an authentication broker that supports device registration. When using Token Broker with Azure AD Application Proxy for remote access, the client device can be registered in Azure AD when configuring the Work Folders client. Once the device is registered, device authentication will be used to access the Work Folders server.
Device registration provides the following benefits:
For more details on Azure Active Directory device registration, please see the following article on TechNet: Get started with Azure Active Directory device registration
How to enable Token Broker
To enable Token Broker on a Windows 10 version 1703 system, enable the "Enables the use of Token Broker for AD FS authentication" group policy setting, which is located under User Configuration\Administrative Templates\Windows Components\Work Folders.
For Android and iOS devices, Token Broker will be used automatically when using Azure AD Application Proxy.
Note: Token Broker is currently supported when using Azure AD Application Proxy for remote access. Using Token Broker with AD FS authentication may be supported in a future update.
How to register devices using the Work Folders client
When Token Broker is enabled on a Windows client, the user will be prompted to register their device in Azure AD when configuring the Work Folders client. If the Work Folders client is managed via group policy, the device is automatically registered in Azure AD.
On Android and iOS devices, the device is automatically registered when configuring the Work Folders client.
Applies to: Windows 10 version 1703
A common request when managing Work Folders clients via group policy is to configure the Work Folders client directory location.
How to configure the Work Folders client directory location using group policy
On Windows 10 version 1703, a group policy setting "Work Folders Local Path" has been added to configure the Work Folders client directory location. This group policy setting is located under User Configuration\Administrative Templates\Windows Components\Work Folders\Specify Work Folders settings.
Note: The Work Folders Local Path group policy setting applies to Windows 10 version 1607 and Windows 10 version 1703 systems. If the value is not defined, the client directory will be located under %userprofile%\Work Folders.
Additional Resources