MAM (preview) for Windows 365 and Azure Virtual Desktop
Published Jun 18 2024 01:16 PM 8,137 Views
Microsoft

Now in preview, Microsoft Intune Mobile Application Management (MAM) brings a number of benefits to iOS/iPadOS and Android clients. Have you ever wondered whether you could let users reach Azure Virtual Desktop or Windows 365 from their personal iOS/iPadOS and Android devices, apply more restrictive redirection policies to those devices than to managed ones, and only allow a connection when certain security criteria are met? Now you can, and you don't even have to manage the device.

Configure and apply redirection settings with Intune MAM

Administrators can now apply different redirections when end users connect to Azure Virtual Desktop and Windows 365 using the latest versions of the Remote Desktop client (iOS/iPadOS and Android) and the Windows App (iOS/iPadOS) that are integrated with Intune Mobile Application Management.

Previously, supporting bring your own device (BYOD) was a challenge because Azure Virtual Desktop and Windows 365 end users had the same redirections whether they connected from a corporate or personal device. For example, it wasn’t possible to allow drive and clipboard redirection on a corporate managed device without allowing the same redirections on a personal device. This posed data loss risk when corporate data was copied to the personal device.

With Intune MAM integration, customers can now apply different redirection settings based on user security group, operating system of the device, or whether the device is Intune managed or not. All this can be done without additional Azure Virtual Desktop host pools.

Without managing the personal device, Intune MAM allows you to:

  • Disable specific redirections on personal devices.
  • Require PIN access to app before connection.
  • Block third-party keyboards.
  • Specify a minimum device operating system version before connection.
  • Specify a minimum Windows App and/or Remote Desktop app version number before connection.
  • Block jailbroken/rooted devices from connection.
  • Require a mobile threat defense solution on devices, with no threats detected before connection.

Intune MAM allows you to manage and protect your organization's data within an application without enrolling in device management, while ensuring an employee’s personal data on the device is not accessed. Many productivity apps, such as the Microsoft 365 apps, can already be managed by Intune MAM. See the official list of Microsoft Intune protected apps available for public use and the Planning guide: Personal devices vs. Organization-owned devices for more information.

Manage apps using MAM whether devices are enrolled or unenrolled in Intune mobile device management

Intune MAM supports two configurations:

  • Intune mobile device management (MDM) + MAM: IT administrators can manage apps using MAM on devices that are enrolled with Intune MDM.
  • Unenrolled devices with MAM managed applications: IT administrators can manage apps using MAM on unenrolled devices, which typically are employees’ preferred personal devices.

For managed devices, it’s optional to use MDM + MAM. Many Azure Virtual Desktop or Windows 365 customers will only need to apply MAM on unenrolled devices because redirection policies usually have stricter settings on unenrolled devices to protect against data loss. Redirections can work as-is on managed devices without MAM.

Important: Configuring redirection settings on a client device isn't a substitute for correctly configuring your host pools and session hosts based on your requirements. Using Intune to configure Windows App and the Remote Desktop app might not be suitable for workloads requiring a higher level of security.

Workloads with higher security requirements should continue to set redirections at the host pool or session host, where every user of the host pool gets the same redirection configuration regardless of client. A data loss prevention (DLP) solution is recommended, and redirection should be disabled on session hosts whenever possible to minimize the opportunities for data loss.

There are four primary configurations to manage redirections using MAM:

  • Intune device filters allow app configuration and app protection policies to be targeted for specific devices, regardless of whether they are enrolled or unenrolled devices.
  • Intune app configuration policies manage redirection settings for Windows App and the Remote Desktop app on a client device.
  • Intune app protection policies specify security requirements that must be met by the application and the client device. Use filters to target users based on specific criteria.
  • Conditional Access policies control access to Azure Virtual Desktop and Windows 365 and ensure criteria set in app configuration policies and app protection policies are met.

The screenshots below illustrate the key steps to configure different redirections on personal devices. For this example, we will disable drive redirection on a personal iPad so corporate data cannot be copied to the local iPad storage.

    1. Create a filter for unmanaged devices.

      [Screenshot: MAM for AVD - Image 1, creating the unmanaged-devices filter]
    2. Create an app configuration policy to disable drive redirection using the Remote Desktop Protocol (RDP) property name of drivestoredirect as listed in Configure device redirection. Assign a value of 0.

      [Screenshot: MAM for AVD - Image 2, app configuration policy with drivestoredirect set to 0]
    3. Select the groups the Intune app configuration policy applies to (hence the groups the redirection settings apply to). Select Edit Filter and choose the unmanaged devices filter that was created earlier.

      [Screenshot: MAM for AVD - Image 3, policy assignment with the unmanaged-devices filter]
    4. From the iPad, connect to your Azure Virtual Desktop session host or Windows 365 Cloud PC and check which redirections are available.
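The four steps above as a script, added here as an example and not code from the original post: it creates the filter, the app configuration policy carrying the drivestoredirect RDP property, scopes the policy to the client app, assigns it to a group through the filter, and reads the result back. The Microsoft Graph beta request shapes, the MAM filter property `app.deviceManagementType`, the iOS bundle ID `com.microsoft.rdc.ios`, and the `$GroupId` parameter are assumptions of this example; verify them against the Graph reference for your tenant before relying on them.

```powershell
# Added example, not code from the original post. Creates the unmanaged-device
# filter, the app configuration policy (drivestoredirect = 0) and its filtered
# assignment through Microsoft Graph, then reads the stored policy back.
# Assumed (not stated in the post): Microsoft.Graph.Authentication is installed,
# the beta request shapes used below, the MAM filter property
# app.deviceManagementType, and the iOS bundle ID of Windows App / Remote Desktop.
param(
    [Parameter(Mandatory)] [string] $GroupId,        # Entra ID group the policy is assigned to
    [string] $BundleId = 'com.microsoft.rdc.ios'     # assumed iOS/iPadOS bundle ID of the client
)

Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All',
                        'DeviceManagementConfiguration.ReadWrite.All' | Out-Null
$base = 'https://graph.microsoft.com/beta'

# Step 1: filter that matches only devices that are not Intune managed (MAM-only).
$filter = Invoke-MgGraphRequest -Method POST -Uri "$base/deviceManagement/assignmentFilters" -Body @{
    displayName                    = 'MAM - unmanaged iOS/iPadOS devices'
    platform                       = 'iOSMobileApplicationManagement'
    assignmentFilterManagementType = 'apps'
    rule                           = '(app.deviceManagementType -eq "unmanaged")'  # assumed property name
}

# Step 2: app configuration policy carrying the RDP property. 0 disables drive
# redirection on the client; leaving the key out lets the host pool's RDP properties decide.
$config = Invoke-MgGraphRequest -Method POST `
    -Uri "$base/deviceAppManagement/targetedManagedAppConfigurations" -Body @{
    displayName    = 'AVD/W365 - no drive redirection on personal iPads'
    customSettings = @(@{ name = 'drivestoredirect'; value = '0' })
}

# Scope the policy to the client app (what the portal's "Select public apps" step writes).
Invoke-MgGraphRequest -Method POST `
    -Uri "$base/deviceAppManagement/targetedManagedAppConfigurations/$($config.id)/targetApps" -Body @{
    apps = @(@{ mobileAppIdentifier = @{
        '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'
        bundleId      = $BundleId } })
} | Out-Null

# Step 3: assign to the group, but only to devices that match the filter. A managed iPad
# in the same group does not match, so it keeps the host pool's redirection settings.
Invoke-MgGraphRequest -Method POST `
    -Uri "$base/deviceAppManagement/targetedManagedAppConfigurations/$($config.id)/assign" -Body @{
    assignments = @(@{ target = @{
        '@odata.type'                              = '#microsoft.graph.groupAssignmentTarget'
        groupId                                    = $GroupId
        deviceAndAppManagementAssignmentFilterId   = $filter.id
        deviceAndAppManagementAssignmentFilterType = 'include'
    } })
} | Out-Null

# Before testing from the iPad (step 4): read the policy back and check what was stored.
$stored = Invoke-MgGraphRequest -Method GET `
    -Uri "$base/deviceAppManagement/targetedManagedAppConfigurations/$($config.id)?`$expand=assignments"
$drive = $stored.customSettings | Where-Object { $_.name -eq 'drivestoredirect' }
if ($drive.value -ne '0') { throw "drivestoredirect is '$($drive.value)', expected '0'" }
$unfiltered = $stored.assignments |
    Where-Object { $_.target.deviceAndAppManagementAssignmentFilterId -ne $filter.id }
if ($unfiltered) { throw 'An assignment is not restricted by the unmanaged-device filter; it would also reach managed iPads' }
"Policy $($stored.id): drivestoredirect=0, assigned to group $GroupId, unmanaged devices only"
```

The read-back at the end is the check worth keeping: an assignment that lost its filter silently applies the restriction to managed iPads too, which is exactly the outcome the filter exists to prevent. Note that the client-side property only narrows what the host pool already allows; it cannot enable a redirection the session host has disabled.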

On a managed iPad, drive redirection is allowed, as shown here:

[Screenshot: MAM for AVD - Image 4a, managed iPad with drive redirection allowed]

On an unmanaged iPad, drive redirection is disallowed, as shown here:

[Screenshot: MAM for AVD - Image 4b, unmanaged iPad with drive redirection disallowed]

In addition to different redirections, you may also want to require a minimum OS version and a minimum Remote Desktop app version, so that older and possibly unsupported devices and clients that lack current security updates cannot connect. Configure an Intune app protection policy (see App protection policies overview) to do this. In the example below, you can require that the Android device be:

  • Android 14.0 or later.
  • Remote Desktop 10.0.19 or later.
  • Determined as Secured – no threats - by Microsoft Defender for Endpoint.

[Screenshot: MAM for AVD - Image 5, Android app protection policy with minimum OS, minimum app version and Defender threat level conditions]
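The Android app protection policy just described, added here as an example that is not code from the original post: it creates the policy with the minimum OS version, minimum app version and "Secured" device threat level conditions, scopes it to the Remote Desktop client, assigns it, and includes a small local pre-check that mirrors the two "Block by" outcomes shown in the next screenshots. The Graph beta request shapes, the Android package ID `com.microsoft.rdc.androidx`, the version-comparison semantics in the pre-check, and the `$GroupId` and `$FilterId` parameters are assumptions of this example.

```powershell
# Added example, not code from the original post. Creates the Android app protection
# policy with the conditional-launch checks the post lists and assigns it.
# Assumed: Microsoft.Graph.Authentication is installed, the beta request shapes below,
# the Android package ID of the Remote Desktop client, and that Intune compares
# versions the way [version] does (the pre-check is an illustration, not Intune's code).
param(
    [Parameter(Mandatory)] [string] $GroupId,                   # Entra ID group to assign to
    [string] $FilterId      = '',                               # optional Android MAM filter (e.g. unmanaged devices)
    [string] $PackageId     = 'com.microsoft.rdc.androidx',     # assumed Android package ID
    [string] $MinOsVersion  = '14.0',
    [string] $MinAppVersion = '10.0.19'
)

# Local pre-check: which of the policy's conditions would block a given client.
function Test-ClientPosture {
    param([string]$OsVersion, [string]$AppVersion, [string]$ThreatLevel)
    $reasons = @()
    if ([version]$OsVersion  -lt [version]$MinOsVersion)  { $reasons += "OS $OsVersion is below $MinOsVersion" }
    if ([version]$AppVersion -lt [version]$MinAppVersion) { $reasons += "app $AppVersion is below $MinAppVersion" }
    if ($ThreatLevel -ne 'secured')                       { $reasons += "device threat level is '$ThreatLevel', not 'secured'" }
    [pscustomobject]@{ Allowed = ($reasons.Count -eq 0); Reasons = $reasons }
}

# Constructed sample clients: the first matches the "Block by OS version" screenshot,
# the second "Block by app version", the third passes every condition.
foreach ($c in @(@{ Os = '13.0'; App = '10.0.19';      Threat = 'secured' },
                 @{ Os = '14.0'; App = '10.0.18.1258'; Threat = 'secured' },
                 @{ Os = '14.0'; App = '10.0.19';      Threat = 'secured' })) {
    $r = Test-ClientPosture -OsVersion $c.Os -AppVersion $c.App -ThreatLevel $c.Threat
    "Android $($c.Os), client $($c.App): " + $(if ($r.Allowed) { 'allowed' } else { 'blocked (' + ($r.Reasons -join '; ') + ')' })
}

Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All' | Out-Null
$base = 'https://graph.microsoft.com/beta'

$policy = Invoke-MgGraphRequest -Method POST -Uri "$base/deviceAppManagement/androidManagedAppProtections" -Body @{
    displayName                          = 'AVD/W365 - Android client posture'
    minimumRequiredOsVersion             = $MinOsVersion     # "Block by OS version"
    minimumRequiredAppVersion            = $MinAppVersion    # "Block by app version"
    maximumAllowedDeviceThreatLevel      = 'secured'         # any Defender for Endpoint threat fails the check
    mobileThreatDefenseRemediationAction = 'block'
    pinRequired                          = $true             # PIN before the app, hence before any connection
}

# Scope the policy to the Remote Desktop client for Android.
Invoke-MgGraphRequest -Method POST `
    -Uri "$base/deviceAppManagement/androidManagedAppProtections/$($policy.id)/targetApps" -Body @{
    apps = @(@{ mobileAppIdentifier = @{
        '@odata.type' = '#microsoft.graph.androidMobileAppIdentifier'
        packageId     = $PackageId } })
} | Out-Null

# Assign to the group; restrict to the filter (for example, unmanaged devices) when one is given.
$target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId }
if ($FilterId) {
    $target.deviceAndAppManagementAssignmentFilterId   = $FilterId
    $target.deviceAndAppManagementAssignmentFilterType = 'include'
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$base/deviceAppManagement/androidManagedAppProtections/$($policy.id)/assign" -Body @{
    assignments = @(@{ target = $target })
} | Out-Null
"App protection policy $($policy.id) created and assigned to group $GroupId"
```

The app protection policy decides what a policy-aware client may do; it does not by itself stop a client that ignores app protection. That is the job of the Conditional Access grant control "Require app protection policy", which is the third outcome the post shows.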

With the Intune app protection policy applied to Remote Desktop and Windows App, the following three scenarios are now possible even on personal devices that you don’t manage:
Block by OS version
Access is blocked as the operating system version of the device does not meet the requirements of Android version 14.0 or higher set by the IT admin.

[Screenshot: MAM for AVD - Image 6a, access blocked by OS version]

Block by app version
Access is blocked as the version of the Remote Desktop client does not meet the requirement of 10.0.18.1258 or higher as set by the IT admin.

[Screenshot: MAM for AVD - Image 6b, access blocked by app version]

Only allow approved clients
Access is blocked because the Microsoft Entra Conditional Access policy uses the "Require app protection policy" grant control, so only client versions that support app protection policies can satisfy the sign-in.

[Screenshot: MAM for AVD - Image 6c, access blocked because an approved client is required]

In the future, we will be extending these redirection and device posture checking capabilities on personal devices to Windows.

To learn more detail about these capabilities, see our documentation.
