Mobile Application Management on Windows 11

Introduction

Intune is well known for its ability to manage both devices (MDM, mobile device management) and applications (MAM, mobile application management). The core difference between the two lies in the level of management a company requires, or its employees accept.

While MDM is the appropriate way to manage company-owned devices or to build a full zero trust environment, MAM is useful when a company wants to let employees run applications that access company data on their personal devices, while limiting what can be done with that data. From that perspective MAM also improves a company's zero trust posture: it ensures that an application used to access company data complies with the criteria defined in the application protection policy.

MAM has long been available for unmanaged third-party mobile platforms such as iOS and Android. On Windows, however, unmanaged (unenrolled) device support for Windows Information Protection, the closest equivalent to MAM, was removed quite some time ago. Recent announcements brought MAM to the Windows platform as well, without much hassle and regardless of whether the device is managed or unmanaged. We will look at the details and what to expect in the following sections:

  • Creating Application Protection Policy for Microsoft Edge
  • Sign-in and Profile Creation
  • Application Configuration Policy
  • Seeing it in action
  • Wrap up

Creating Application Protection Policy for Microsoft Edge on Windows 11

Just like all other MAM policies, this one is created from the App protection policies console under the Apps node in Microsoft Intune. When you click the “Create policy” button, you will see four options: iOS/iPadOS, Android, Windows, and Windows Information Protection. The first two target third-party mobile platforms. The fourth, Windows Information Protection, is available only to enrolled devices and is no longer being developed. The third option is the long-awaited Mobile Application Management piece for the Windows platform. Note that it is available to both managed and unmanaged devices; the key requirement is a managed browser, which we will see in a couple of minutes.

Image 1: App Protection Policies Console from Apps node in Microsoft Intune

In the first step of the new application protection policy creation wizard, we give the policy a name and a description.

Image 2: New APP creation wizard – Name and Description

In the next step we select the application the policy applies to. Clicking “Select apps” opens a new section on the right.

Image 3: New APP creation wizard – Application Selection

When the available applications are listed for an Application Protection Policy on the Windows platform, the only application listed is Microsoft Edge. This is the first thing to note: APP on Windows is available for Microsoft Edge only, at least for now. We will see how and whether other applications gain support for this feature. You can check Microsoft's list of MAM-enabled apps for the current state.

Image 4: New APP creation wizard – Application Selection

Image 5: New APP creation wizard – Application Selection

In the next step of the wizard, options are presented to configure application capabilities such as inbound and outbound data transfers, cut, copy and paste, and the ability to print organizational data. For this document, I have configured the policy as follows:

  • Receive data from: All sources
  • Send org data to: No destinations
  • Allow cut, copy and paste for: No destination or source
  • Print org data: Block

Image 6: New APP creation wizard – Data Protection

The next step defines the application and device conditions (health checks). Application conditions include timeout values for offline work, such as how long the app may stay offline before it must check in again with the service; device conditions include the device risk level reported by Microsoft Defender for Endpoint (MDE), which is meaningful for managed devices or personal devices that are onboarded to MDE.

Image 7: New APP creation wizard – Health Checks

After the health checks, the policy is assigned. Just like other policies, there are options to include and exclude groups from the policy scope.

Image 8: New APP creation wizard – Assignment

Once the policy is assigned to the groups, we review the policy options and create the policy with the configured settings.
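The wizard steps above can also be driven through Microsoft Graph, which is useful for scripting a pilot or keeping the policy definition in source control. The following PowerShell is an added example, not code from the original article or from Microsoft: it creates the same Edge policy with the Microsoft Graph PowerShell SDK. The beta resource windowsManagedAppProtections and its property and enum names follow the Graph beta schema as recalled here and should be checked against a portal-created policy before use; $groupId is a placeholder, and the Windows app identifier for Edge is read from an existing policy because its exact value is not stated on this page.

```powershell
# Added example (not from the original article or Microsoft): create the
# Windows app protection policy for Microsoft Edge through Microsoft Graph.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# ASSUMPTIONS: the beta resource 'windowsManagedAppProtections' and the
# property/enum names follow the Graph beta schema as recalled here and should
# be checked against a portal-created policy; $groupId is a placeholder.

Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$graph   = "https://graph.microsoft.com/beta/deviceAppManagement/windowsManagedAppProtections"
$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: pilot group object id

# The Windows app identifier Intune uses for Edge is not stated in the article,
# so read it from an existing (portal-created) policy instead of guessing it.
$existing  = Invoke-MgGraphRequest -Method GET -Uri ($graph + '?$expand=apps') -OutputType PSObject
$edgeAppId = ($existing.value | ForEach-Object { $_.apps } |
    Where-Object { $_.mobileAppIdentifier.windowsAppId -like "*edge*" } |
    Select-Object -First 1).mobileAppIdentifier.windowsAppId
if (-not $edgeAppId) { throw "No existing Windows APP targeting Edge found; create one in the portal first." }

$policy = @{
    "@odata.type" = "#microsoft.graph.windowsManagedAppProtection"
    displayName   = "APP - Microsoft Edge on Windows (BYOD)"
    description   = "Blocks org data leaving Edge via sharing, clipboard and print"
    # Data protection, mirroring the wizard choices above
    allowedInboundDataTransferSources       = "allApps"   # Receive data from: All sources
    allowedOutboundDataTransferDestinations = "none"      # Send org data to: No destinations
    allowedOutboundClipboardSharingLevel    = "blocked"   # Cut/copy/paste: No destination or source
    printBlocked                            = $true       # Print org data: Block
    # Health checks: offline grace periods as ISO 8601 durations
    periodOfflineBeforeAccessCheck    = "PT12H"   # re-check with the service after 12 h offline
    periodOfflineBeforeWipeIsEnforced = "P90D"    # wipe org data after 90 days offline
    # Device condition: block when the Defender for Endpoint risk level is above 'low'
    maximumAllowedDeviceThreatLevel      = "low"
    mobileThreatDefenseRemediationAction = "block"
    appGroupType = "selectedPublicApps"
    apps = @(
        @{
            mobileAppIdentifier = @{
                "@odata.type" = "#microsoft.graph.windowsAppIdentifier"
                windowsAppId  = $edgeAppId
            }
        }
    )
    # Assignment to the pilot group (inline assignment on create is assumed here)
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }
    )
}

$created = Invoke-MgGraphRequest -Method POST -Uri $graph -ContentType "application/json" `
    -Body ($policy | ConvertTo-Json -Depth 10) -OutputType PSObject

# Read the policy back and confirm the restrictive settings actually landed
$check = Invoke-MgGraphRequest -Method GET -Uri "$graph/$($created.id)" -OutputType PSObject
$check | Select-Object displayName, allowedOutboundDataTransferDestinations,
                       allowedOutboundClipboardSharingLevel, printBlocked
```

The read-back at the end is the step worth keeping: a policy that posts successfully but silently drops an unknown property name would otherwise look fine in the portal while protecting nothing.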

Signing in and First Run – Profile Creation

I've used an unmanaged device to act as a “personal device” in this scenario, so we will see the perspective of an employee trying to use a BYOD device.

The initial screen of the browser is the sign-in screen.

Image 9: Microsoft Edge Browser – First login

Once the sign-in button is clicked, a login window is presented.

Image 10: Work or School Account Login

Once the user's username and password are entered, any additional sign-in step the account requires is triggered, and login completes after the SSO selection. Since this is a BYOD device and users may not want it managed by the company, they can clear the “Allow my organization to manage my device” checkbox and complete the sign-in.

Image 11: SSO to the Applications

Once sign-in is complete, the Edge browser asks the user to create a profile in order to access organizational resources.

Image 12: Microsoft Edge Profile Creation Page

This is done by clicking the Continue button. Once completed, the new profile is visible from the user icon in the upper-right corner of the Edge window, showing that the profile is managed by the linked organizational account.

Image 13: Microsoft Edge Browser – Managed Account Information

When the user tries to browse to any website, they are presented with a pop-up window stating that the Edge browser must be managed by the organization before it can access the organizational resources associated with the signed-in identity.

Image 14: Microsoft Edge Browser App Access Blocked Pop-up

This highlights the other requirement for managing the application: an Application Configuration Policy.

Creating an Application Configuration Policy to Manage Microsoft Edge

Another piece of application management is the ability to create application configuration policies for unenrolled devices. This is how a baseline configuration is pushed down to applications on unmanaged devices. Application configuration also supports other platforms such as iOS/iPadOS and Android. Let's look at how Application Configuration Policies work in this scenario.

Image 15: Application Configuration Policy Creation

Application configuration policies also reside under the Apps node in Microsoft Intune. When you click the Add button to create a new application configuration policy, the first thing to determine is the policy scope: will the policy target managed devices or managed apps? This selection decides whether MDM or MAM is used to deliver the policy; for an unenrolled device, only the managed apps option can reach the browser.

Once selected, you will see options such as the name and description of the policy and its target. The target options include “Selected apps”; when you choose it, you can pick applications from the list of MAM-capable applications. Since the goal is to manage the Edge browser on Windows, we add Microsoft Edge on the Windows platform to the list.

Image 16: Application Configuration Policy Creation.

Clicking Next reveals the settings catalog, from which we can add settings related to the application. For demonstration purposes, I've added simple settings for the startup and home page experience as well as Immersive Reader settings.

Image 17: Application Configuration Policy – Settings Catalog

Clicking Next walks us through the usual policy creation wizard. Assignments are group-based, and it is possible to include groups as well as exclude them. Once the policy is created and assigned, the application receives the policy and applies the settings the next time it checks in with the service.

Mobile Application Management for Microsoft Edge on Windows 11 in Action!

Once the policy is applied, the browser shows that it is managed by the organization. Since the browser is now managed, users can browse as they normally would, within the limits set by the protection policy.

Image 18: Microsoft Edge – Managed Browser Message

Copy-Paste Behavior

Let's check the usual copy and paste behavior of the browser once the application protection policy is applied. With cut, copy and paste set to “No destination or source”, copying content from the organizational mailbox is blocked by the APP.

Image 19: Copy Activity from Mailbox

Image 20: Message box from APP – Blocked copy

Print the Content

When a user tries to print organizational data, they are presented with the usual printing interface.

Image 21: Printing from Organizational Data

However, when they select a printer and click Print, they get an error message because the organization blocks this activity on organizational resources.

Image 22: Regular Printing Interface

Image 23: Message Box from APP – Blocked Printing

Wrap-up

Supporting the Windows platform for BYOD requires a mechanism to isolate company data and limit what can be done with it. This is achieved with two different policies targeted at the browser: one to protect the application (the app protection policy) and another to configure it (the app configuration policy).

The component that makes every other component work is Conditional Access: without it, nothing forces a user to go through the protected, managed browser in the first place.

Image 24: Conditional Access Policy – MAM Enforcement

A CA policy scoped to the users, targeting Office 365 applications and the Windows device platform, that grants access if the device is either hybrid Azure AD joined (HAADJ, for domain-joined scenarios), marked as compliant (for managed devices that are not domain joined), or has an application protection policy in place (“Require app protection policy”), with the three controls combined as “Require one of the selected controls”, lets companies enforce Application Protection Policies for non-managed devices.
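The same policy can be created with Microsoft Graph. The following PowerShell is an added example, not code from the original article or from Microsoft; it uses the v1.0 Conditional Access API through the Microsoft Graph PowerShell SDK and creates the policy in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced. The pilot and break-glass group ids are placeholders.

```powershell
# Added example (not from the original article or Microsoft): create the
# Conditional Access policy described above with the Microsoft Graph
# PowerShell SDK, in report-only mode first.
# ASSUMPTIONS: $pilotGroupId and $breakGlassGroupId are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$pilotGroupId      = "00000000-0000-0000-0000-000000000001"   # placeholder: users in scope
$breakGlassGroupId = "00000000-0000-0000-0000-000000000002"   # placeholder: emergency access accounts
$caUri = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

$caPolicy = @{
    displayName = "CA - Office 365 on Windows: require MAM, compliant or hybrid-joined device"
    # Report-only: evaluated and logged, but never blocks. Switch to "enabled" after review.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            # Always exclude break-glass accounts so a mistake here cannot lock out admins
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("Office365") }   # the Office 365 app group
        platforms      = @{ includePlatforms = @("windows") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"   # 'Require one of the selected controls'
        builtInControls = @(
            "domainJoinedDevice",    # Hybrid Azure AD joined
            "compliantDevice",       # marked compliant by Intune (MDM-managed)
            "compliantApplication"   # Require app protection policy (MAM)
        )
    }
}

$created = Invoke-MgGraphRequest -Method POST -Uri $caUri -ContentType "application/json" `
    -Body ($caPolicy | ConvertTo-Json -Depth 10) -OutputType PSObject

# Read the policy back and confirm the grant controls are combined with OR;
# an accidental "AND" would require all three at once and block every BYOD user.
$check = Invoke-MgGraphRequest -Method GET -Uri "$caUri/$($created.id)" -OutputType PSObject
"{0}: state={1}, operator={2}, controls={3}" -f $check.displayName, $check.state,
    $check.grantControls.operator, ($check.grantControls.builtInControls -join ",")
```

Leave the policy in report-only mode until the sign-in logs show that the users you expect are satisfying the app protection control from the Edge work profile and nobody else is being caught; only then change state to enabled.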

Image 25: Non-Microsoft Edge Browser Warning

This Conditional Access policy enforces the use of the Microsoft Edge browser, because no other browser is managed by the Application Protection Policies in place, at least for now in our example.

Image 26: Microsoft Edge Personal Profile Warning

The CA policy also requires the use of the work profile in Edge, so a user cannot work around the protection policies by signing in from a personal profile. This profile separation also keeps corporate data distinct from personal data.


This article was originally published by Microsoft's Azure Blog. You can find the original article here.