Force Windows Information Protection with Conditional Access

Today I will show you how we can enforce a Windows Information Protection (WIP) Policy on unmanaged devices using a Conditional Access (CA) policy. WIP is a Mobile Application Management solution for Windows 10 devices to keep your company data safe, even on personal devices.
In the past we could setup a WIP policy for devices which are unmanaged (not enrolled and managed by Intune) to keep our company data save, but we had no option to enforce this policy on unmanaged devices. Since a short while we have the option to create a Terms of Use as part of the Conditional Access and use that as a control in a CA policy. Because a Terms of use can only be accepted on a Azure AD joined or registered device, this allows us to force the WIP policy on personal devices.

Setup Windows Information Protection

To start using Windows Information Protection we first need to make sure Mobile Application Management (MAM) is enabled in Intune. WIP is the MAM version for Windows 10 devices.

1. Open the Device Management portal and click Device enrollment – Windows Enrollment – Automatic Enrollment
2. Make sure the MAM User scope is set to Some (and select a security group which contains your MAM users) or to All.

1. Move to Client apps – App Protection Policies.
2. Click Click Create policy

1. Give you WIP policy a Name
2. Choose Windows 10 as Platform
3. Choose Without enrollment as Enrollment state

1. Click the Protected apps tab
2. Click Add apps

In this section we will add all the applications which are allowed to access our protected company data. There are two types of apps; enlightened and unenlightened apps. Enlightened apps are MAM (WIP) aware and unlightened apps are MAM unaware. Have a look it this Microsoft doc for more information.

1. Select Recommended apps in the drop-down list
2. Select all the required apps
3. Click OK

1. Click the Required settings tab
2. Select the Windows Information Protection mode of choice (Read this doc for explanation of the different WIP modes).
3. Enter you Corporate identity
4. Click OK

In the next section we add the network boundaries. With network boundaries we determine where protected apps can access our corporate data. Have a look at this doc for the recommended network boundaries.

1. Click the Advanced Settings tab and take a look at the notification about *AppCompat*.
   It`s a good idea to add /*AppCompat*/ to the list of cloud resources. If you do not add this to your list of cloud resources, you`re not able to use third-part browsers like Chrome to access corporate data, as stated in the message. But even on personal device, like in my example WIP without enrollment, you should add it as you`re not able to use third-party browsers to browse the internet at all with out this added to the cloud resources.
2. Click SharePoint

The SharePoint boundary is 9 out of 10 times predefined. If it is not, use below as an example.

Go back to the advanced settings tab and click Add network boundary to add the other boundaries like below example of Outlook (Exchange Online).

The end result is a list of network boundaries.

Still on the Advanced settings tab most default settings are fine, but change them to your needs. Consider using a Data Recovery Agent (DRA) Certificate which allows recovery of encrypted data. This is highly recommend by Microsoft.

At the bottom of the advanced settings tab you will find Windows Hello for Business (WHfB) settings. By default WHfB is turned on. It allows you to turn off WHfB. When you leave it turned on it allows you to configure some settings like the minimum PIN length.

1. When all settings are set, click OK and click Create.
2. Click the Assignments tab
3. Search the required security group with WIP users and select the group
4. Click Save

Setup Terms of Use

The next step in our configuration is setting up our Terms of Use under Conditional Access. As written in the introduction, the Terms of use can only be accepted on devices which are Azure AD joined or registered. If we set this as a control as part of a Conditional Access policy, it forces our users to register their personal devices to gain access to company data. And we can enforce a Windows information Policy on those devices when the device is registered.

1. Click Intune – Conditional Access – Terms of use
2. Click New terms

1. Give your Terms of use a Name
2. Provide the Display name
3. Upload a Terms of use document (PDF)
4. Set Require users to expand the terms of use to ON (this is optional)
5. Set Require to consent on every device to ON (This option is the most important requirement in this ToU setup, it forces your users to register their personal device)
6. Under Conditional Access choose Create conditional access policy later
7. Click Create

Setup Conditional Access policy

We need to setup a Conditional Access policy to set the Terms of use as requirement to allow access to corporate data.

1. Click Intune – Conditional Access – New policy
2. Give your CA Policy a Name
3. Click the Users and groups tab
4. Click All users to assign the policy to all users or click Select users and groups to assign it to a security group
5. Click Done

1. Click the Cloud apps tab
2. Select All cloud apps
3. Click Done
4. Click the Conditions tab
5. Click the Device platforms tab
6. Click under Configure YES
7. Click Select device platforms
8. Mark Windows
9. Click Done

1. Click the Grant tab under Access controls
2. Click Grant access
3. Mark your Terms of Use
4. Click Done
5. Under Enable Policy click On
6. Click Create

End-user experience

Everything is setup to protect our company data on personal devices. Let`s have a look at the end-user experience. On a personal (unmanaged) Windows 10 device open a browser and logon to the Office 365 portal. The user is presented a message like below with explanation why access to company data is prevented. The message also provides information on how to register the device.

When we follow the provided instructions, the users company account is added under Access work and school and the device is Azure AD registered. It looks almost the same as an Azure AD joined device, but if we click Info we can see the Management Server Address.

After clicking Info scroll down to Connection info to see the Management Server Address: wip.mam.management.microsoft.com. The Management Server Address when using Azure AD join/ Intune enrolled is r.manage.microsoft.com

After completing the device registration, open a browser and logon to the Office 365 portal. We are presented a screen with the Terms of Use which we need to accept. If the option Require users to expand the terms of use is set to ON, the user first needs to open the Terms before he is able to Accept the Terms.

When we now open, for example, SharePoint Online we see an icon of a briefcase in the right topcorner. When we hover over the briefcase with the mouse, a message shows the website is manage by the company.

SharePoint and OneDrive files are managed by Windows Information Protection when synced to the local device.
When we save a document with one of the applications of the Office ProPlus suite, it saves the document as a Work (WIP managed) document even if the location is not in de OneDrive synced folder. As an user, you still have the option to save a document as personal document, which is not managed by WIP (and is not removed during a wipe action).

Depending on the WIP Mode set, on the Required settings tab of the WIP policy, we have the option to change a Work document to a personal document.

Perform a App selective wipe

Let`s also have a look at a selective wipe request. When we perform a selective wipe, access to the documents which are managed by Windows Information Protection, is revoked. Personal documents can still be accessed after a wipe.

1. Open the Device Management Portal
2. Click Client apps – App selective wipe – Create wipe request

1. Click the User tab
2. Search for the user and select the user
3. Click the Device tab
4. All WIP managed devices are shown, select the device which need to be wiped
5. Click create

Back at the Selective Wipe tab we can see the status of the wipe request. If the device is connected to the internet, the wipe is started soon after creating the request.

Back on the WIP managed device, when we try to open a Work document after the wipe request is complete, this will fail because access is revoked. Personal documents are untouched and can still be openen.

I hope this post is informative to you and reach out to me if you have any question.