In this topic we’ll have a look at how to manage BYO devices with Intune MAM to enable a bring-your-own-device (BYOD) scenario for your organization without the need to fully enroll devices into MDM. BYOD will raise some concerns about devices and applications that are being used by employees to access corporate data.
Therefore we need to protect corporate data on iOS and Android devices using Microsoft Intune app protection policies while making sure employees can be productive on the devices they prefer. App protection policies work independently of any MDM solution. If you want to manage Windows 10 BYOD scenarios without enrollment to MDM, read my blog Windows Information Protection without enrollment.
Protecting company data with App Protection Policies
Microsoft Intune supports the following Mobile Application Management (MAM) scenarios to manage BYOD devices:
- Fully enrolled in Intune (company owned devices).
- Managed by a third-party MDM solution (company owned devices).
- Devices not managed by any MDM solution (BYOD devices).
App protection policies only work for Office mobile apps that connect to Office 365 services. Apps that connect to on-premises Exchange, Skype for Business, or SharePoint are not supported. Furthermore, Windows devices are not supported in the MAM without enrollment scenario, but you can use Windows Information Protection (WIP) to do the same for Windows 10 devices.
The difference between MDM and MAM
While Intune MDM protects at the device level, Intune MAM and App Protection policies protect at the application level. For example, with MDM you can force a PIN to access the device or fully encrypt the device, and with MAM you can require a PIN before users can access their corporate e-mail. With MDM-enrolled devices you can also manage Windows updates and push software like Office 365 ProPlus.
Configuring Intune MAM without enrollment
Let’s have a look at how to configure App Protection Policies within the Azure Portal. When all is in place, we’ll also have a look at the end user experience on a mobile device.
App Protection Policies
Configure Intune app protection policies before using app-based conditional access policies. App Protection Policies can be accessed and configured from two places:
- Intune>Mobile Apps>App Protection Policies
- Intune App Protection>App Policy
Choose the blade you prefer and click on Add Policy:
Fill in the blanks, choose a platform and click on Apps; Select required apps and choose the apps you want to protect.
Now click on Settings; Configure required settings. There are two sections with settings to configure: Data relocation and Access.
When you use apps without restrictions, corporate data can accidentally or knowingly be saved to, for example, personal Dropbox accounts, causing data loss. You can use app protection policies to restrict data relocation to untrusted resources that are owned by the individual users. In the example below, you can see the Data relocation settings.
Info: The Allow app to transfer data to other apps setting will affect the behavior of web content and only allow URLs to open in the Intune Managed Browser. That is why I also set the Restrict web content to display in the Managed Browser setting to Yes. You can read more about this here.
Then there are Access policies you can configure to enforce settings like PIN for access and Block screen captures. Configure the settings to your liking and click on OK and finally click on Create.
Back on the App Protection Policy blade, click on your newly created policy and assign it to the right user group.
Now that you’ve created your first App Protection Policy, go ahead and create another one for iOS devices. The policies only take effect when users in assigned groups check in using protected applications.
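To verify that the Android and iOS policies ended up with the settings discussed above, you can audit an export of the policies offline. This is an added example, not part of the original post or of Intune itself: it assumes the export is shaped like a Microsoft Graph list response for managed app protection policies, and the baseline values and sample data are constructed for illustration.

```python
import json

# Baseline for the settings this walkthrough names. Keys are Microsoft Graph
# managed app protection property names; the accepted values are assumptions
# where the post does not state the value it chose.
BASELINE = {
    "allowedOutboundClipboardSharingLevel":
        {"managedAppsWithPasteIn", "managedApps", "blocked"},
    "managedBrowserToOpenLinksRequired": {True},
    "pinRequired": {True},
}
# Screen capture blocking is only exposed on the Android policy type.
ANDROID_ONLY = {"screenCaptureBlocked": {True}}

def audit_policy(policy):
    """Return a sorted list of findings for one exported policy object."""
    checks = dict(BASELINE)
    if "android" in policy.get("@odata.type", "").lower():
        checks.update(ANDROID_ONLY)
    findings = []
    for key, accepted in checks.items():
        if key not in policy:
            findings.append(f"{key}: missing from export")
        elif policy[key] not in accepted:
            findings.append(f"{key}: {policy[key]!r} not in baseline")
    # An unassigned policy never reaches a user, so report it as well.
    if not policy.get("isAssigned", False):
        findings.append("isAssigned: policy is not assigned to any group")
    return sorted(findings)

def audit_export(raw_json):
    """Map each policy displayName to its findings for a list response."""
    return {p.get("displayName", "<unnamed>"): audit_policy(p)
            for p in json.loads(raw_json).get("value", [])}

# Constructed sample export (not real tenant data).
SAMPLE = json.dumps({"value": [
    {"@odata.type": "#microsoft.graph.androidManagedAppProtection",
     "displayName": "Android BYOD", "isAssigned": True, "pinRequired": True,
     "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
     "managedBrowserToOpenLinksRequired": True, "screenCaptureBlocked": False},
    {"@odata.type": "#microsoft.graph.iosManagedAppProtection",
     "displayName": "iOS BYOD", "isAssigned": False, "pinRequired": True,
     "allowedOutboundClipboardSharingLevel": "allApps",
     "managedBrowserToOpenLinksRequired": True},
]})

if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

An empty findings list means the policy matches the baseline; the unassigned-policy finding matters because policies only take effect for users in assigned groups.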
Have a look at the status of the app policy for a user in the App protection user report that is available in the Intune App Protection area:
App Based Conditional Access Policies
We can only protect company data on MAM enabled or MAM aware applications. Native apps on iOS and Android are not MAM aware and therefore need to be denied access to corporate e-mail and data.
Navigate to Azure>Intune App Protection. Below the Conditional Access section click on Exchange Online>Allowed Apps. Select “Allow apps that support Intune app policies” and click on Save.
Continue and click on Restricted User Group>Select group, and select the user groups the policy applies to. If need be, you can even Exclude some of the users, but personally I would go for all users.
Back on the Intune App Protection blade, do the same for SharePoint Online.
Remove company data without touching personal data
For the final part of this blog, let’s have a look at selective wipe and BYOD devices. When a device has gone missing, or when the user leaves the company and there is no need to access data anymore, you can remove corporate data from the mobile device without ever touching personal data. Once initiated, the device begins the removal process and upon completion, all corporate data is deleted. When a device is fully MDM enrolled, a full wipe is also possible.
Navigate to Intune App Protection>Wipe requests and click on New wipe request.
Click on User; Select the user and find the user. Click on Select.
Next click on Device; Select the device. A list of devices registered for the user will show. Select the device you want to wipe and click on Select.
After selecting user and registered device, click OK to start the wipe process. The screen will show the apps and wipe status. Upon completion, the list will be empty again.
Before you delete a user from Azure Active Directory, make sure you Remove corporate data or fully wipe all devices registered with that user. If you delete users with managed devices, you can no longer issue factory reset or remove corporate data.
When the wipe request has finished you can also delete the device from Azure AD. Go to Intune>Devices>Azure AD Devices. Search for the device and delete it.
This concludes the Administration part in the Azure portal. Now let’s have a look at the user experience from A to Z.
Remember we set up App Based Conditional Access for Exchange Online and SharePoint? In this example we’ll have a look at how the native e-mail client responds after adding a corporate account. I’ll skip the part where you configure the account. Go ahead and configure an account on your mobile and try to log in and read your e-mail.
User Experience; Native e-mail application
As you can see, Conditional Access rules are very easy to set up and deploy to your organization. You have effectively restricted access to corporate e-mail using the native e-mail client. Conditional access can ensure that only authenticated users, and approved apps, have access to your corporate data. In this case users need to download the Microsoft Outlook App to read corporate e-mail.
User experience; Managed Apps
Go ahead and install Microsoft Outlook. Once the app is installed, configure your corporate e-mail account. You will be forwarded to the Office 365 portal to log in. Once logged in, you will see the following message: “Help us keep your device secure”.
Intune MAM works together with (and relies on) the Intune Company Portal App. You should be familiar with it as you also need this to fully MDM enroll devices to Intune. There is one difference though. Since we’ll be managing applications only and without enrollment, the user does not need to sign in within the Company Portal App. For MAM, the Company Portal app just needs to be installed on the device. The Microsoft FAQ provides a little more info.
Click on Get the app and install the Intune Company Portal app. Once the app is installed you can continue with Microsoft Outlook. This time the app will request you to register your device to continue. Once registered, Outlook will open and you can access corporate e-mail.
User Experience; App Protection Policies
In most cases Microsoft Outlook will show a message about IT protecting your corporate data. It might take a little longer but when you restart the app, your data is protected.
The app protection policies you configured are now enforced. One of the settings we configured was under the Data relocation section:
Setting: Restrict cut, copy, and paste with other apps
Value: Policy managed apps with paste in.
This setting prevents data in managed apps from being copied to unmanaged apps, which prevents data relocation. Let’s see what this looks like for the end user.
Open any e-mail, select some text, right click and copy the text to your clipboard. For this example I’ll use the native Note app on Android and try to paste the data there:
“Your organization’s data cannot be pasted here”. You are not allowed to do so. When you copy data between managed apps, it will allow you to continue without restrictions.
This applies to all managed apps. When a user tries to copy/paste a Word document from OneDrive for Business to Dropbox, he or she will receive a similar notification.
User Experience; Selective Wipe
In the final step we’ll have a look at the user experience when an administrator initiates a selective wipe for a device. In most cases, it will only take minutes for the device to start removing corporate data. Administrators can also disable logins to make sure the user can’t log in unless the account is re-enabled. The user can now continue to use the apps for personal data and e-mail.
In this blog we have set up Intune app based conditional access and app protection policies to manage BYOD mobile devices with Intune and prevent corporate data from leaking when it is accessed by users on personal devices. The users do not have to fully MDM enroll their devices, which is more appealing as they don’t need to give corporate IT 100% control over their own devices.
More about managing BYOD devices with Intune:
- What are app protection policies
- Protect app data using app protection policies with Microsoft Intune
- Understanding the capabilities of unmanaged apps, managed apps, and MAM-protected apps
- Get started with Intune device compliance policies
- Enable BYOD with Intune
- Set up app-based conditional access policies
- Block apps that do not use modern authentication (ADAL)
- Manage BYO Windows 10 devices with Windows Information Protection without enrollment
Conditional Access policies for Intune are now available in Azure AD. Read more about this change.