Intune – Windows Information Protection without enrollment

This post will show how you can use the Office 365 suite of apps deployed to a Windows 10 Pro 1709 device (with an EMS E3 license assigned), to enroll the device into MAM. This involves deploying a Windows Information Protection policy in Intune using the “without enrollment” setting, which means the device is not enrolled into Intune.

Suggested reading:
Protect your enterprise data using Windows Information Protection (WIP)
Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune

Make sure the MAM groups are configured, in the Intune portal in https://portal.azure.com go to Azure Active Directory > Mobility (MDM and MAM) then Microsoft Intune.

wipmam01

I have an Azure AD group called Intune and an Azure AD group called MAM enrollment. The user I will be using in this demonstration is a member of the MAM enrollment group.

A caution from Microsoft “If both MAM user scope and automatic MDM enrollment (MDM user scope) are enabled for a group, only MAM is enabled. Only MAM is added for users in that group when they workplace join personal device. Devices are not automatically MDM enrolled.”

wipmam02

Now i’ll create the MAM/Windows Information Protection policy. In Intune > Mobileapps > App protection policies, select Add a policy

wipmam03

Give the policy a name and description, select Windows 10 for the platform, and select without enrollment for the enrollment state. Click on Add apps.

wipmam04

I’ll be adding some apps to allow them to access my corporate data.

wipmam05

After clicking OK on the section above, I will add some more apps such as Outlook and Word. For the publisher, make sure you specify “O=Microsoft Corporation, L=Redmond, S=Washington, C=US”

wipmam06

For now, I will skip the Exempt apps. On the required settings, in this demonstration I will select the Block setting, which will prevent users from moving data from an allowed app into a non-allowed app.

wipmam07

In the advanced settings, I will rename the Cloud resources section to Office 365, and also add OneDrive to the list and Office 365 email. In the example I have added “<domain>-my.sharepoint.com for OneDrive, and outlook.office365.com for Exchange Online. Seperate these by a “|”. So my full list is <domain>-my.sharepoint.com|<domain>.sharepoint.com|outlook.office365.com

wipmam08

Click on Create, then assign the policy to a group.

wipmam10

Once the policy has been assigned to a group, on a Windows 10 1709 Pro machine, with Office 365 installed, when adding an account to Microsoft Office product such as Word, it will ask you to sign in. This is where you can register the device in Azure AD and enroll the device into MAM.

Click Sign in

wipmam11

Type in the account that is a member of the group that has the MAM enrollment enabled, and also a member of the group which had the WIP policy assigned

wipmam12

Enter in the password and click Sign in

wipmam13

Make sure you say Yes here. This is where it will register the device in Azure AD, and also enroll it into MAM.

wipmam14wipmam15wipmam16

From the above steps, in the Azure portal, we can see the device now in Azure AD as Azure AD Registered.

wipmam17

Also on the Windows 10 device you can go to Settings > Accounts > Access work or school, and you should see your Azure AD account there. Select it and click Info. You can see the Management Server Address shows its enrolled into MAM now.

wipmam20

Earlier in the policy I set Microsoft Word to be a protected app to access enterprise data. In this demonstration I will save some corporate data, and click the drop down near File name and select Work.

wipmam18

Now if I try and copy and paste text out of the protected document into a non protected app such as Notepad running in personal context, I get the message “Can’t use content here. Your organization doesn’t allow you to use work content here”. This is because I set the Windows Information Protection Mode to Block in the WIP policy above.

wipmam19

What happens if the device is unenrolled from MAM? The encryption key has been revoked and you will get this message when opening a Work protected document

wipmam21

Advertisements

2 thoughts on “Intune – Windows Information Protection without enrollment

  1. Peter Klapwijk (@inthecloud_247)

    Nice overview of setting up and using WIP.
    One thing I`m still missing in this solution, it still doesn`t block access to corporate data when I don`t enroll my Windows (BYO) device in WIP/ MAM. As far as I know you can,t force this WIP policy.

    Regards,

    Peter

    Like

    Reply
    1. nhogarth Post author

      That’s correct. Hopefully in the future Microsoft will add a setting to a conditional access policy that requires the Windows 19 machine to either be MAM enrolled or Intune MDM enrolled.

      Like

      Reply

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s