Working with personal Windows devices

This week is kind of a follow up on my post of a couple of weeks ago about why enrolling personal Windows devices might be a really bad idea. That post was focussed on advising against allowing enrolling personal Windows devices into Microsoft Intune (or any other MDM provider). The logic follow up question would be: what are the alternatives? And that’s of course a fair question. This post will be about answering that specific question. And to be quite honest, the answer might come very close to a blog post of about four years around supporting unsupported platforms. The main difference will be what Microsoft has provided over the years. And that’s a lot, especially for the Windows platform. This post will focus on the different options for providing access to corporate data on personal Windows, without losing control over that data.

The different options for personal Windows devices

When looking at the different options for providing access to corporate data on personal Windows, it’s important to start at the beginning. The starting point. Within a Microsoft solution, that starting point is Conditional Access. The front door to the corporate data. The place were to configure what access is allowed from personal Windows devices. Well, to be completely fair, not just personal Windows devices, but basically any unmanaged Windows device. When talking about personal Windows devices, this post is referring to a Windows device that is bought by the user, owned by the user, and configured with a personal account of that user. The user actually uses that device for personal activities and for storing personal data and apps.

So, when starting were that previous post ended, it’s technically possible to enroll personal Windows devices. That does, however, not mean that it’s actually a good idea to do that. Because of the many reason of that previous post, enrolling a personal Windows devices is not considered as an option for providing access to corporate data on personal Windows devices. Not in a secure way. Something similar is applicable for just requiring MFA for access on personal Windows devices. That is only an access control and in no way protects the corporate data. It protects the access to the data, but after having access, basically anything can happen. With that in mind, that leaves the following options as alternatives on the table:

  1. Provide limited access to personal Windows devices
  2. Provide access via managed apps on personal Windows devices
  3. Provide access via a virtual desktop on personal Windows devices

Note: The idea behind these options is to provide secure access to corporate data, on personal Windows devices.

Option 1: Provide limited access to personal Windows devices

The first option is about the longest existing capabilities and related to providing limited access to corporate data on personal Windows devices. The limited access is focused on the browser of the user. In this case the organization is allowing users to access corporate data on personal Windows devices via the browser, by protecting the session of the user. To achieve this, there are actually two different methods available that can help the IT administrators to achieve their goal.

  1. The most accessible option – also from a licensing perspective – is using app enforced restrictions. That option enables the IT administrator to enforce additional restrictions directly via the app that the user is trying to access. Supported apps for this functionality are Exchange Online and SharePoint Online. Within those apps, the IT administrator can configure a limited experience for the user when accessing those apps via an unmanaged device. That limited experience will allow the user to work via the browser, without being able to take the data out of the session. For more flexibility this functionality can nowadays also be used in combination with labels. That enables the IT administrator to differentiate the behavior between different SharePoint sites, based on the label that is assigned to the that specific site. Below in Figure 1 is an overview of that limited user experience that will also reflect in documents in that environment.
  1. The more advanced option – also from a licensing perspective – is using app control. That option enables the IT administrator to enforce additional restrictions via Microsoft Defender for Cloud Apps. Defender for Cloud Apps is the cloud access security broker of Microsoft that can be used to control the session of the user to the attached apps. That provides the IT administrator with a lot more flexibility and granularity, as it will be possible to control the access to data based on it’s sensitivity. With that, IT gains a lot more flexibility to differentiate the access to corporate data on personal Windows devices. Below in Figure 2 is an overview of the user experience when blocking actions based on the type of data (in this example copy the email address of corporate data is blocked on personal Windows devices).

Option 2: Provide access via managed apps on personal Windows devices

The second option is about the latest capabilities and related to providing access via managed apps on personal Windows devices. That option enables the IT administrator to enforce the use of a managed app. Since recently Windows MAM provides the user with managed and protected local apps on personal Windows devices. Currently, that functionality is only available for Microsoft Edge. However, it does provide the user with a locally protected app that can be used to access corporate data. No matter which app or data the user is accessing. The main difference with the previous option is that this protects the data locally in the app and doesn’t protect the session. The only thing that the user has to do, is to sign in to the browser. Below in Figure 3 is an overview of the user experience when the browser is managed.

Option 3: Provide access via a virtual desktop on personal Windows devices

The third option is related to providing access via a virtual desktop on personal Windows devices. That option enables the IT administrator to enforce the use of a managed device for accessing any form of corporate data. To still provide the user access to that data, the IT administrator provides the user with a virtual desktop. That virtual desktop can be either a Windows 365 Cloud PC, or an Azure Virtual Desktop. Those different solutions come with different costs (subscription versus usage). No matter which solution is used, the solution will be more expensive as the other options. Besides that, this does provide the user with full access to corporate data and apps for working with that data. Below in Figure 4 is an overview of the user experience on a Cloud PC.

Brief summary

When it’s required to provide full access to corporate data, the only secure option is to provide the user with a full desktop. Besides that, when it’s just needed to provide secure access to corporate data, it could be sufficient to protect the session, or the app. Or maybe even a combination. Eventually, it all comes down the requirements, the available options and the costs of those options. Personally, when looking at the different options for protecting the data, I would look into using a combination of protecting the data in the session with protecting the data in the app itself. The first to provide some flexibility and granularity, and the latter to have a method to always wipe any locally cached information. For the sake of simplicity, I’ve created the table below. That allows a really straight forward comparison on some basic differences.

App enforced restrictionsApp controlApp control
EnrollmentN/aApp enrollmentN/a
ManagementN/aApp managementN/a
Data protectionSession controlledApp levelSession controlled
Supported appsSharePoint, OneDrive and ExchangeAll Cloud appsAll Cloud apps when connected
Supported browserMicrosoft Edge, Google Chrome, Mozilla FirefoxMicrosoft EdgeMicrosoft Edge, Google Chrome, Mozilla Firefox
Required licenseMicrosoft 365 E3Microsoft 365 E3Microsoft 365 E5
Admin experienceStraight forwardStraight forwardMore complex
User experienceStraight forwardMore complexStraight forward

Note: For the simplicity, I deliberately only mentioned the Microsoft 365 licenses, to show the main difference. Of course most functionalities are also available via separate, Entra, Intune, and Defender licenses.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.