Graphical user interface, text, application Description automatically generated

Support Windows 10 BYOD with Microsoft Endpoint Manager and WIP-WE

If you’ve read my previous post about Windows Information Protection Without Enrollment (WIP-WE), than you probably figured out it’s a great solution but also comes with some limitations. However, I’m a fan of WIP and in this post I want to talk a little more about how to support Windows 10 BYOD with Microsoft Endpoint Manager and WIP-WE. If you are new to WIP and want to learn more, then feel free to start with the series I wrote about Windows Information Protection.

Require device to be marked as compliant

Consider the following scenario: You have a Conditional Access policy that requires (corporate) devices to be marked compliant, before accessing Office 365 using anything else than a browser.

Support Windows 10 BYOD-Conditional access policy - Mobile apps and desktop clients

Support Windows 10 BYOD-Conditional access policy - require device to be marked as compliant

This means, a device has to be marked as compliant by Intune. Intune in turn forwards the device compliance status to Azure AD where Conditional Access can make decisions to grant or block access to selected resources. So devices need to be enrolled in MDM with Intune.

Block personal devices with enrollment restrictions

Now, also consider that you have a device enrollment restriction that blocks personally owned Windows 10 devices from enrolling into Intune for device management.

Windows 10 BYOD- Device enrollment restrictions

This setup makes sure personal devices cannot MDM enroll a Windows 10 device to Intune. Please read the official Microsoft documentation for more info and pay attention to the following:

enrollment restrictions are not security features

When you block personally owned Windows devices from enrollment, Intune checks to make sure that devices are marked as corporate. Anything else (personal) will be blocked from enrolling into Intune.

Support Windows 10 BYOD with Microsoft Endpoint Manager and WIP-WE

You have also configured Windows Information Protection Without enrollment (WIP-WE) to support a BYOD scenario, but users cannot use their personal devices and the Office applications or the OneDrive client because the previous conditional access policy requires a compliant device.

In this scenario, the only way to access corporate data, would be to use the browser. A very good alternative if you don’t want to go for WIP-WE. However, if you still want to go for WIP-WE, then read along.

Conditional Access: Filters for devices (preview)

When creating Conditional Access policies, you have the ability to target (include) or exclude specific devices. We are going to use this preview functionality to target specific conditional access policies to personal devices. Please note that conditional access Filters for devices is currently in public preview and Microsoft does not recommended it for production workloads. However, it is a very powerful tool and I think (hope) this one is here to stay but don’t take my work for it yet. It is something to keep an eye on.

I have configured 2 conditional access policies that will work together to support Windows 10 BYOD with Microsoft Endpoint Manager and WIP-WE, while also making sure you have compliant corporate devices.

  • CA1: DEV – W10 – COPE – Require compliant devices for apps – Exclude AAD Registered
  • CA2: DEV – W10 – BYOD – Require AAD Registered devices for apps – Exclude corporate devices

DEV – W10 – COPE – Require compliant devices for apps – Exclude AAD Registered

Here’s the configuration for this policy. Pay attention to the Filters for devices (Preview) setting

Setting Value
Assignment
Users and groups All Users (Exclude break glass)
Cloud apps or actions Office 365
Conditions
Device platforms Windows 10
Locations Any location
Client apps Mobile apps and desktop clients
Filters for devices (preview) Exclude filtered devices from policy
Rule syntax device.trustType -eq “Workplace”
Access Controls
Grant Require device to be marked as compliant

Here is the Filters for devices (Preview) configuration in the portal

Windows 10 BYOD WIP-WE conditional access - Filters for devices (Preview)

This conditional access policy will apply to all users on every Windows 10 device, except when the device is Azure AD registered. When you have a BYOD, that is not Azure AD registered, you cannot use the OneDrive sync desktop client to sync your files. However, you can use the browser to access OneDrive for Business.

DEV – W10 – BYOD – Require AAD Registered devices for apps – Exclude corporate devices

Here’s the conditional access policy that will support Windows 10 BYOD with Microsoft Endpoint Manager and WIP-WE.

Setting Value
Assignment
Users and groups All Users (exclude break glass accounts)
Cloud apps or actions Office 365
Conditions
Device platforms Windows 10
Client apps Mobile apps and desktop clients
Filters for devices (preview) Exclude filtered devices from policy
Rule syntax device.trustType -eq “AzureAD” -and device.deviceOwnership -eq “Company”
Access Controls
Grant MemSec Terms of Use

This conditional access policy will apply to all users on every Windows 10 device, except when the device is Azure AD joined and marked as a corporate device. For example, all Windows 10 devices enrolled via Windows Autopilot are marked as corporate automatically.

To summarise, this policy uses the terms of use (TOU) feature in Azure AD, combined with conditional access policies and requires users to accept Terms of use and Azure AD Register their devices, before using desktop clients. You should know by now that WIP-WE only works, on devices that are Azure AD registered.

My Terms of Use setup

Require users to expand the terms of use On
Require users to consent on every device On
Expire consents Off

Update 13-10-2021:

You can use the What if tool to see which conditional access policies apply under selected conditions. While I was testing this on different VM’s the setup/configuration was exactly as written. But when I used the What if tool and selected more than one attribute for Filter for devices. It showed that users would have to accept the TOU on corporate devices. Not that it’s a big deal, but I was playing around and wanted this to work as I configured.

So I changed the above CA (DEV – W10 – BYOD – Require AAD Registered devices for apps – Exclude corporate devices) Filters for devices Rule syntax to device.trustType -eq “AzureAD” (this is the CA that requires users to accept the TOU). I did another run with the What if tool and this time, it showed that the policy did not apply on Azure AD joined devices. The only thing I can think of, is that it needs a little more work here and I guess that’s perhaps one of the reasons it’s still in preview.

Thx for the feedback Jan Bakker!

Conditional Access What If Tool

==================== end update ==================== 

Conditional access flow Windows 10 BYOD WIP-WE

Normally I would create a flow for just one conditional access policy but this time I tried to combine the two policies in one flow for a change. It’s a simple flow but I hope it helps clarify the decision tree and the if-then statements of conditional access assignments and access controls.

Conditional access flow

Final thoughts

By default all conditional access assignments would be ANDed. And in the examples above, one police requires a compliant device, and another requires users to accept Terms of Use and azure ad registration. The filters for devices functionality adds another dimension to conditional access policies. Above all, this feature gives you more control and freedom to work with.

When users try to access Office 365 in this example, using desktop client apps, the devices need to be marked compliant. And in case of a BYOD, the user needs to accept TOU and Azure AD register the device. As a result we can use WIP-WE to protect corporate data on these personal devices. Best of both worlds if you ask me. Below is a video showing how this all works in 10 minutes.

 

Things to think about

  • If you target all users and have AAD Connect. Exclude the Sync user account.
  • Exclude your breakglass admin accounts
  • If you use VDI, you might want to use trusted locations
  • Test with Windows Autopilot enrollment. All AP devices are marked as corporate once enrolled to Intune. Think about your filters

What do you think? Let me know below.

 

0 0 votes
Article Rating

Oktay Sari

#Microsoft365 | #EMS |#MEM | #Intune | Father | #Diver | #RC Pilot & #Magician in spare time | former Microsoft WI MVP

Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

1 Comment
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Sebastian
2 days ago

Excellent post!