Windows 10 and MAM-WE – Part 1: Configuration

This week another blog post about Windows 10. This time in combination with mobile app management without enrollment (MAM-WE). Due to the size of the blog post, I’ve decided to divide this post in 2 parts. This weeks post will provide a short introduction, followed by the required configurations. Next weeks blog post will be about the end-user experience.

Introduction

MAM-WE, for Windows 10, relies on Windows Information Protection (WIP) in combination with a new enrollment flow in Windows 10, version 1703. That new enrollment flow enables users to enroll their personal device for receiving only MAM policies. Those MAM policies are only applicable to activities performed by the work account and do not apply to the personal account. The part that makes it a bit funny is that it’s named MAM-WE and it’s still required to do an enrollment. However, that enrollment is only for MAM. It’s correct that it’s without MDM enrollment. In other words, no policies are applied to the personal device of the user. This is a very powerful combination with conditional access. 

Configuration

Now let’s have a look at the configuration of the MAM-WE enrollment, the configuration options of the MAM-WE app policy and the assignment of the MAM-WE app policy. I’ll show the locations of the configuration options and the available configuration options. In addition I’ll provide additional information about settings, to clarify the available configuration options.

Enable MAM-WE enrollment

Let’s start with the first step, which is enabling MAM-WE enrollment. The following steps will go through the steps to enable MAM-WE enrollment in the Azure portal.

1 Open the Azure portal and navigate to Azure Active Directory > Mobility (MDM and MAM);
2 Select Microsoft Intune to open the Configure blade;
3

Configure_MAMOn the Configure blade, configure a MAM User scope. To enable MAM-WE for Windows 10 devices this should be configured to either Some or All. Also, make sure that the MAM Discovery URL is correct. To be absolutely sure simply select Restore default MAM URLs. The other URLs are optional. Click Save to enable the functionality.

Create MAM-WE app policy

Let’s continue with the second step, which is creating the MAM-WE policy. The following steps will go through the steps to create the MAM-WE app policy in the Azure portal. The first 4 steps are required actions, the last 4 steps are mainly used for providing information about the available settings.

1 Open the Azure portal and navigate to Intune mobile application management;
2 Select App policy to open the App policy blade;
3 On the App policy blade, click Add a policy to open the Add a policy blade;
4

MAM-WE_Policy1On the Add a policy blade, provide an unique name for the MAM-WE app policy and select Windows 10 as the Platform. This will enable the required configuration options. At this moment the Enrollment state will be automatically configured to Without enrollment. It will also show an informational message about configuring the MAM-WE enrollment.

Now let’s go through the remaining configurations. Allowed apps in step 5, Exempt apps in step 6, Required settings in step 7 and Advanced settings in step 8. After going through these steps simply click Create to create MAM-WE policy;

5

MAM-WE_Policy2On the Allowed apps blade, click Add apps to open the Add apps blade. On the Add apps blade, it’s possible to configure Recommended apps, Store apps and Desktop apps.

  • The Recommended apps selection contains apps that are preconfigured and guaranteed enlightened for WIP;
  • The Store apps selection contains empty lines for manually adding store apps. To get the required information, simply use the Windows Store for Business website;
  • The Desktop apps selection contains empty lines for manually adding desktop apps. To get the required information, simply use the Get-AppLockerFileInformation cmdlet.

Note: Make sure that every configured app is enlightened for WIP. Without that confirmation the app can behave different than expected. For a lot more information see this article.

6 MAM-WE_Policy3On the Exempted apps blade, click Add apps to open the Add apps blade. On the Add apps blade, the configuration options are the same as with the Allowed apps. The only difference is that there are no Recommended apps preconfigured;
7

MAM-WE_Policy4On the Required settings blade, the Corporate identity and the MDM discovery URL are preconfigured. Only the Windows Information Protection mode must be configured. Choose between:

  • Hide overrides: WIP blocks inappropriate data sharing;
  • Allow overrides: WIP prompts the end-user for inappropriate data sharing;
  • Silent: WIP runs silently. It only logs and doesn’t block or prompt;
  • Off: WIP is turned off.

Note: Make sure to start with Silent or Allow overrides for a pilot group. This enables the administrator to add the used apps to the allowed apps list.

8

MAM-WE_Policy5On the Advanced settings blade, configures additional settings in the categories Network perimeter, Data protection and Access. A few important setting that should be considered are:

  • The Add network boundary setting in the Network perimeter category. This settings should be used to define a boundary of the work resources. Use this as a good starting point for defining cloud resources. Also, when using that as a starting point, make sure to also configure conditional access for those resources. This will complete the circle and will make sure that the end-user must do a MDM enrollment or MAM-WE enrollment before using work data;
  • The Revoke encryption keys on unenroll setting, in the Data protection category. This setting should be used to prevent the end-user from accessing locally stored encrypted work data after unenrolling;
  • The Show the enterprise data protection icon setting in the Data protection category. This setting should be used to make sure that the end-user is aware when working with work data.

Note: Make sure to be aware of the remaining available settings related to subjects like RMS and Windows Hello for Business, before finalizing the configuration.

Assign the MAM-WE app policy

The third and last step is assigning the MAM-WE app policy. The following steps will go through the steps to assign the MAM-WE pp policy to an Azure AD user group in the Azure portal.

1 Open the Azure portal and navigate to Intune mobile application management;
2 Select App policy to open the App policy blade;
3 On the App policy blade, select the just created policy to open the {policyname} blade;
3 MAM-WE_Policy_AssignmentOn the {policyname} blade, select User groups to open the User groups blade. On the User groups blade, select Add user group to open the Add user group blade. On the Add user group blade, select an AAD user group and click Select.

More information

For more information about app policies and WIP, please refer to:

Share

6 thoughts on “Windows 10 and MAM-WE – Part 1: Configuration

  1. After configuring a MAM-WE policy using the recommended network boundaries from https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip, and the recommended apps for the Allowed Apps list, I’m getting some odd behaviour.

    In Chrome and Firefox, I am suddenly blocked from visiting a lot of websites (non-microsoft domains). They work fine in Edge and IE, however. Am I missing something in regards to the network boundaries and the use of non-enlightened apps?

Leave a Comment