Imagine an employee losing their laptop and needing immediate access to company resources. Waiting days for a replacement hinders productivity, while allowing access from an unmanaged device could expose your organization to significant security risk. Striking a balance between accessibility and security is crucial, especially at a time when remote work is increasingly common.
Fortunately, Microsoft Intune has introduced Mobile Application Management (MAM) for Windows, enabling organizations to provide access to company resources on unmanaged devices while safeguarding sensitive data. This functionality, launched in September 2023, allows employees to access company data through Microsoft Edge without needing a company-owned device, giving admins a powerful tool to secure data.
Understanding MAM with Intune: How it works
Intune’s Mobile Application Management employs several strategies to ensure organizational data remains protected:
- Applying App Protection Policies: These are essential for controlling how organizational data is accessed or shared within specific apps, ensuring sensitive information remains secure.
- Verifying Device Integrity: Before granting access, Intune assesses a device’s security status via the Windows Security Center. This integration prevents compromised devices from accessing sensitive information.
- Enforcing Conditional Access: Access to organizational data is contingent on compliance with app protection policies, ensuring that only secure devices can retrieve company information.
- Customizing User Experience: Administrators can deploy Application Configuration Policies, allowing for a personalized yet secure interaction with organizational apps.
With a solid understanding of how Intune’s MAM functions, let’s explore the prerequisites for implementing this essential tool.
Requirements
To use MAM effectively, ensure your setup meets the following requirements:
Devices:
- Windows 10, build 19045.3636, KB5031445 or later
- Windows 11, build 10.0.22621.2506, KB5031455 (22H2) or later
- Microsoft Edge (v117 stable branch or later for Windows 11 and v118.0.2088.71 or later for Windows 10)
Licenses:
- Microsoft Intune License
- Entra ID P1 License
Step 1: Create a Conditional Access Policy
- 1. Access the Intune Admin Center, navigate to the Endpoint Security section, and select Conditional access under the Manage column.
- 2. Click on + Create new policy.
- 3. Choose your assignments. For example, target a group named “App Protection Pilot Group.”
- 4. Set the resources to protect with MAM, targeting Cloud Apps and selecting Office 365.
- 5. Specify the conditions for Windows devices and client apps (set to Browser).
- 6. Enable the policy by moving the slider to On.
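The same Step 1 policy expressed as a Microsoft Graph request through the Microsoft.Graph PowerShell SDK, as an added example that is not part of the original post or Microsoft's documentation. The group object ID is a placeholder, and starting in report-only state (switching to "enabled" only after the Time to Test phase) is an assumption of this example rather than a step from the post.

```powershell
# Added example (not from the original post): create the Step 1 Conditional Access
# policy via Microsoft Graph. Requires the Microsoft.Graph.Authentication module.
# $PilotGroupId is a placeholder: replace it with the object ID of your
# "App Protection Pilot Group".
param(
    [string]$PilotGroupId = "00000000-0000-0000-0000-000000000000",  # placeholder
    [ValidateSet("enabled", "enabledForReportingButNotEnforced")]
    [string]$State = "enabledForReportingButNotEnforced"  # report-only first; "enabled" = step 6
)

# Policy.ReadWrite.ConditionalAccess creates the policy; Application.Read.All is
# needed because the policy references a cloud app (Office 365).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$policy = @{
    displayName = "MAM - Require app protection policy for Edge on unmanaged Windows"
    state       = $State
    conditions  = @{
        users          = @{ includeGroups = @($PilotGroupId) }      # step 3: assignment
        applications   = @{ includeApplications = @("Office365") }  # step 4: Office 365
        platforms      = @{ includePlatforms = @("windows") }       # step 5: Windows devices
        clientAppTypes = @("browser")                               # step 5: browser only
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantApplication")  # "Require app protection policy"
    }
}

$body = $policy | ConvertTo-Json -Depth 10
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body $body -ContentType "application/json"

Write-Host "Created policy $($created.id) in state '$($created.state)'"
```

Review the sign-in logs for the pilot group while the policy is in report-only state, then rerun with -State enabled to enforce it.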
Step 2: Set Up Windows Security Center
To ensure that unmanaged devices accessing company data are secure, set up the Windows Security Center. Go to Tenant administration in Microsoft Intune Admin Center, then Connectors and tokens > Mobile Threat Defense. Select the Windows Security Center as the mobile threat defense connector and create it.
Step 3: Create an App Protection Policy for Windows
- 1. Navigate to Intune Admin Center > Apps > App protection policies > + Create policy > Windows App Protection Policy.
- 2. Name your policy and provide a description.
- 3. Target Microsoft Edge for the app selection.
- 4. In the Data Protection Settings, establish rules for data transfer, specify allowed destinations for organizational data, and set permissions for cut, copy, and paste functionality.
- 5. Review and create the policy.
Time to Test
After setting up the policies, test them by attempting to access Office resources from an unmanaged device using a browser. If prompted, switch to Microsoft Edge and make sure the default option to let your organization manage the device is unchecked, so the device registers with Entra ID without being enrolled in management.
Once successful, users can access organizational applications securely while preventing data leaks by restricting copy-paste actions.
Conclusion
Implementing Mobile Application Management (MAM) for Windows through Intune empowers organizations to enhance security without sacrificing flexibility. By following the outlined steps, administrators can ensure secure access to company resources from unmanaged devices, thereby addressing the needs of a modern workforce while reinforcing cybersecurity. AVASOFT stands ready to support organizations in implementing these solutions to protect their data effectively.