Today I will show you how we can enforce a Windows Information Protection (WIP) Policy on unmanaged devices using a Conditional Access (CA) policy. WIP is a Mobile Application Management solution for Windows 10 devices to keep your company data safe, even on personal devices.
Setup Windows Information Protection
To start using Windows Information Protection we first need to make sure Mobile Application Management (MAM) is enabled in Intune. WIP is the MAM version for Windows 10 devices.
- Open the Device Management portal and click Device enrollment – Windows Enrollment – Automatic Enrollment
- Make sure the MAM User scope is set to Some (and select a security group which contains your MAM users) or to All.
- Move to Client apps – App Protection Policies.
- Click Create policy
- Give your WIP policy a Name
- Choose Windows 10 as Platform
- Choose Without enrollment as Enrollment state
- Click the Protected apps tab
- Click Add apps
In this section we add all the applications that are allowed to access our protected company data. There are two types of apps: enlightened and unenlightened apps. Enlightened apps are MAM (WIP) aware and unenlightened apps are MAM unaware. Have a look at this Microsoft doc for more information.
- Select Recommended apps in the drop-down list
- Select all the required apps
- Click OK
- Click the Required settings tab
- Select the Windows Information Protection mode of choice (Read this doc for explanation of the different WIP modes).
- Enter your Corporate identity
- Click OK
In the next section we add the network boundaries. With network boundaries we determine where protected apps can access our corporate data. Have a look at this doc for the recommended network boundaries.
- Click the Advanced Settings tab and take a look at the notification about *AppCompat*.
It's a good idea to add /*AppCompat*/ to the list of cloud resources. If you do not add it, you are not able to use third-party browsers like Chrome to access corporate data, as stated in the message. But even on personal devices, like WIP without enrollment in my example, you should add it, because without it in the cloud resources you are not able to use third-party browsers to browse the internet at all.
- Click SharePoint
The SharePoint boundary is 9 out of 10 times predefined. If it is not, use below as an example.
Go back to the Advanced settings tab and click Add network boundary to add the other boundaries, like the example below for Outlook (Exchange Online).
The end result is a list of network boundaries.
Still on the Advanced settings tab, most default settings are fine, but change them to your needs. Consider using a Data Recovery Agent (DRA) certificate, which allows recovery of encrypted data. This is highly recommended by Microsoft.
At the bottom of the Advanced settings tab you will find the Windows Hello for Business (WHfB) settings. By default WHfB is turned on; here you can turn it off. When you leave it turned on, you can configure some settings like the minimum PIN length.
- When all settings are set, click OK and click Create.
- Click the Assignments tab
- Search the required security group with WIP users and select the group
- Click Save
- Click New terms
- Provide the Display name
- Set Require to consent on every device to ON (this option is the most important requirement in this ToU setup, as it forces your users to register their personal device)
- Under Conditional Access choose Create conditional access policy later
- Click Create
Setup Conditional Access policy
- Click Intune – Conditional Access – New policy
- Give your CA Policy a Name
- Click the Users and groups tab
- Click All users to assign the policy to all users or click Select users and groups to assign it to a security group
- Click Done
- Click the Cloud apps tab
- Select All cloud apps
- Click Done
- Click the Conditions tab
- Click the Device platforms tab
- Under Configure, click Yes
- Click Select device platforms
- Mark Windows
- Click Done
- Click the Grant tab under Access controls
- Click Grant access
- Click Done
- Under Enable Policy click On
- Click Create
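The same Conditional Access policy, created with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original post. It assumes the Microsoft.Graph module is installed, the signed-in account holds the Policy.ReadWrite.ConditionalAccess scope, and that the Terms of Use created earlier is selected as the grant control (which is how Azure AD enforces a ToU); the ToU id and the emergency-access account exclusion are placeholders, and the exclusion itself is a practitioner addition the post does not mention. The policy is created in report-only mode first; switch the state to "enabled" to match the post once the sign-in logs look right.

```powershell
# Added example (not from the original post): create the Conditional Access policy
# from the steps above via Microsoft Graph.
# Assumptions: Microsoft.Graph module installed, Policy.ReadWrite.ConditionalAccess scope,
# $touId is the object id of the Terms of Use created earlier (placeholder below).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$touId        = "<TERMS-OF-USE-ID-PLACEHOLDER>"          # placeholder: your ToU object id
$breakGlassId = "<EMERGENCY-ACCESS-ACCOUNT-ID-PLACEHOLDER>" # placeholder: never lock this one out

$policy = @{
    displayName = "WIP - require device registration on Windows"   # name is an assumption
    # Report-only first; set to "enabled" to match "Enable Policy: On" in the post.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{                                    # Users and groups: All users
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)                  # addition: emergency-access exclusion
        }
        applications = @{ includeApplications = @("All") }   # Cloud apps: All cloud apps
        platforms    = @{ includePlatforms = @("windows") }  # Device platforms: Windows only
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @()          # Grant access without a built-in control
        termsOfUse      = @($touId)    # the ToU that forces device registration
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State

# Read it back and confirm the platform condition really is limited to Windows,
# so the policy cannot accidentally block every other platform.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
"Platforms in scope: {0}" -f ($check.Conditions.Platforms.IncludePlatforms -join ", ")
```

Keep the exclusion for an emergency-access account on any "All users / All cloud apps" policy; a mistake in a tenant-wide policy otherwise locks out the administrators who need to fix it.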
Everything is set up to protect our company data on personal devices. Let's have a look at the end-user experience. On a personal (unmanaged) Windows 10 device, open a browser and log on to the Office 365 portal. The user is presented with a message like the one below explaining why access to company data is blocked. The message also provides information on how to register the device.
When we follow the provided instructions, the user's company account is added under Access work and school and the device is Azure AD registered. It looks almost the same as an Azure AD joined device, but if we click Info we can see the Management Server Address.
After clicking Info, scroll down to Connection info to see the Management Server Address: wip.mam.management.microsoft.com. The Management Server Address of an Azure AD joined / Intune enrolled device is r.manage.microsoft.com.
When we now open, for example, SharePoint Online, we see a briefcase icon in the top right corner. When we hover over the briefcase with the mouse, a message shows that the website is managed by the company.
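A check from the device side that it ended up Azure AD registered (workplace joined, the WIP without enrollment case) and not Azure AD joined. This is an added example, not code from the original post; it uses the built-in dsregcmd tool and assumes it is run on the Windows 10 device as the signed-in user, since the WorkplaceJoined value is reported per user.

```powershell
# Added example (not from the original post): read the join state from dsregcmd /status
# and classify the device the way the post distinguishes registered vs joined devices.
# Assumption: run on the Windows 10 device as the user who added the work account.
function Get-DeviceJoinState {
    $state = @{}
    # dsregcmd prints "Key : Value" lines; keep only the three join flags we need.
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    [pscustomobject]@{
        AzureAdJoined   = [bool]$state['AzureAdJoined']
        DomainJoined    = [bool]$state['DomainJoined']
        WorkplaceJoined = [bool]$state['WorkplaceJoined']
        # WIP without enrollment expects: registered (workplace joined) but not joined
        IsAzureAdRegisteredOnly = ([bool]$state['WorkplaceJoined'] -and -not [bool]$state['AzureAdJoined'])
    }
}

$join = Get-DeviceJoinState
$join | Format-List

if ($join.IsAzureAdRegisteredOnly) {
    "Azure AD registered: the WIP without enrollment scenario; confirm the Management Server Address under Info."
} elseif ($join.AzureAdJoined) {
    "Azure AD joined: this is a managed device, not the personal-device scenario of this post."
} else {
    "Not registered: the user has not completed the registration the Conditional Access message asked for."
}
```

The regex tolerates the leading spaces dsregcmd puts in front of every key, and a flag that is absent from the output is treated as NO rather than throwing, so the function also works on a machine that has never been registered.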
SharePoint and OneDrive files are managed by Windows Information Protection when synced to the local device.
When we save a document with one of the applications of the Office ProPlus suite, it is saved as a Work (WIP managed) document, even if the location is not in the OneDrive synced folder. As a user, you still have the option to save a document as a personal document, which is not managed by WIP (and is not removed during a wipe action).
Depending on the WIP Mode set, on the Required settings tab of the WIP policy, we have the option to change a Work document to a personal document.
Perform an App selective wipe
Let's also have a look at a selective wipe request. When we perform a selective wipe, access to the documents that are managed by Windows Information Protection is revoked. Personal documents can still be accessed after a wipe.
- Open the Device Management Portal
- Click Client apps – App selective wipe – Create wipe request
- Click the User tab
- Search for the user and select the user
- Click the Device tab
- All WIP managed devices are shown; select the device which needs to be wiped
- Click Create
Back on the Selective Wipe tab we can see the status of the wipe request. If the device is connected to the internet, the wipe starts soon after creating the request.
Back on the WIP managed device, when we try to open a Work document after the wipe request is complete, this fails because access is revoked. Personal documents are untouched and can still be opened.
I hope this post is informative to you; reach out to me if you have any questions.