Working with personal Windows devices

This week is a follow-up on my post of a couple of weeks ago about why enrolling personal Windows devices might be a really bad idea. That post focused on advising against allowing personal Windows devices to be enrolled into Microsoft Intune (or any other MDM provider). The logical follow-up question is: what are the alternatives? That is of course a fair question, and this post is about answering it. To be honest, the answer comes very close to a blog post of about four years ago on supporting unsupported platforms. The main difference is what Microsoft has provided since then, and that is a lot, especially for the Windows platform. This post focuses on the different options for providing access to corporate data on personal Windows devices, without losing control over that data.

The different options for personal Windows devices

When looking at the different options for providing access to corporate data on personal Windows devices, it’s important to start at the beginning: the starting point. Within a Microsoft solution, that starting point is Conditional Access, the front door to the corporate data and the place where to configure what access is allowed from personal Windows devices. Well, to be completely fair, not just personal Windows devices, but basically any unmanaged Windows device. When talking about personal Windows devices, this post refers to a Windows device that is bought by the user, owned by the user, and configured with a personal account of that user. The user actually uses that device for personal activities and for storing personal data and apps.

So, starting where that previous post ended: it’s technically possible to enroll personal Windows devices. That does, however, not mean that it’s actually a good idea to do that. Because of the many reasons in that previous post, enrolling personal Windows devices is not considered an option for providing access to corporate data on personal Windows devices. Not in a secure way. Something similar applies to just requiring MFA for access from personal Windows devices. MFA is only an access control and in no way protects the corporate data: it protects the access to the data, but once the user is in, nothing stops that data from being downloaded, copied, or synced to the personal device. With that in mind, that leaves the following options as alternatives on the table:

  1. Provide limited access to personal Windows devices
  2. Provide access via managed apps on personal Windows devices
  3. Provide access via a virtual desktop on personal Windows devices

Note: The idea behind these options is to provide secure access to corporate data on personal Windows devices.

Option 1: Provide limited access to personal Windows devices

The first option uses the longest-existing capabilities and is about providing limited access to corporate data on personal Windows devices. The limited access is focused on the browser of the user. In this case the organization allows users to access corporate data on personal Windows devices via the browser, by protecting the session of the user. To achieve this, there are two different methods available that can help IT administrators achieve that goal.

  1. The most accessible option – also from a licensing perspective – is using app enforced restrictions. That option enables the IT administrator to enforce additional restrictions directly via the app that the user is trying to access. Supported apps for this functionality are Exchange Online and SharePoint Online (including OneDrive). Within those apps, the IT administrator can configure a limited experience for the user when accessing those apps via an unmanaged device. That limited experience allows the user to work via the browser, without being able to take the data out of the session. Note that the Conditional Access session control alone only signals to the app that the device is unmanaged; the limited experience itself is configured in the app (the unmanaged devices setting in the SharePoint admin center, and the Outlook on the web mailbox policy for Exchange Online). For more flexibility, this functionality can nowadays also be used in combination with sensitivity labels. That enables the IT administrator to differentiate the behavior between different SharePoint sites, based on the label that is assigned to that specific site. Below in Figure 1 is an overview of that limited user experience, which is also reflected in documents in that environment.
  2. The more advanced option – also from a licensing perspective – is using app control. That option enables the IT administrator to enforce additional restrictions via Microsoft Defender for Cloud Apps. Defender for Cloud Apps is the cloud access security broker of Microsoft that can be used to control the session of the user to the connected apps, by proxying that session. That provides the IT administrator with a lot more flexibility and granularity, as it becomes possible to control the access to data based on its sensitivity. With that, IT gains a lot more flexibility to differentiate the access to corporate data on personal Windows devices. Below in Figure 2 is an overview of the user experience when blocking actions based on the type of data (in this example, copying an email address from corporate data is blocked on personal Windows devices).

Option 2: Provide access via managed apps on personal Windows devices

The second option uses the newest capabilities and is about providing access via managed apps on personal Windows devices. That option enables the IT administrator to require the use of a managed app. Since recently, Windows MAM (app protection policies for Windows) provides the user with a managed and protected local app on personal Windows devices. Currently, that functionality is only available for Microsoft Edge. It does, however, provide the user with a locally protected app that can be used to access corporate data, no matter which app or data the user is accessing. The main difference with the previous option is that this protects the data locally in the app and does not protect the session; in return, the locally cached data can be wiped from Intune. The only thing the user has to do is sign in to the browser with the work account. Below in Figure 3 is an overview of the user experience when the browser is managed.
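
As an added example (not code from the original post), here is how the two browser-based options above, Option 1 with both of its methods and Option 2, translate into Conditional Access policies and the supporting workload settings, using the Microsoft Graph PowerShell SDK together with the SharePoint Online and Exchange Online modules. The tenant name, the two group ids, the policy names and the Windows MAM resource and property names (Graph beta) are assumptions, not taken from the post.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Online.SharePoint.PowerShell, ExchangeOnlineManagement
# Added example, not code from the original post. Tenant name, group ids and the
# Windows MAM resource/property names below are assumptions; verify them before use.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'DeviceManagementApps.ReadWrite.All'

$BreakGlassGroupId = '00000000-0000-0000-0000-000000000001'   # assumed: emergency-access accounts
$PilotGroupId      = '00000000-0000-0000-0000-000000000002'   # assumed: pilot users for Windows MAM

# All three policies target the same slice: every user except break-glass, the Office 365
# workloads, the Windows platform, browser sessions only, and devices that are neither
# Intune-compliant nor hybrid-joined. An unregistered personal device has no device object,
# so it matches nothing in the exclude filter and the policy applies to it.
function New-UnmanagedWindowsBrowserPolicy {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [hashtable] $SessionControls,
        [hashtable] $GrantControls,
        [string] $State = 'enabledForReportingButNotEnforced'   # report-only first, then 'enabled'
    )
    $body = @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
            applications   = @{ includeApplications = @('Office365') }
            platforms      = @{ includePlatforms = @('windows') }
            clientAppTypes = @('browser')
            devices        = @{
                deviceFilter = @{
                    mode = 'exclude'
                    rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
                }
            }
        }
    }
    if ($SessionControls) { $body.sessionControls = $SessionControls }
    if ($GrantControls)   { $body.grantControls   = $GrantControls }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Option 1a: app enforced restrictions. The session control only tells SharePoint/Exchange
# that the device is unmanaged; the workloads decide what a limited session may do.
New-UnmanagedWindowsBrowserPolicy -DisplayName 'BYOD Windows - browser - app enforced restrictions' `
    -SessionControls @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }

# Option 1b: app control. The session is proxied through Defender for Cloud Apps and its
# session policies (block download, block copy, label on download) decide per data type.
New-UnmanagedWindowsBrowserPolicy -DisplayName 'BYOD Windows - browser - app control' `
    -SessionControls @{ cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = 'mcasConfigured' } }

# Option 2: require an app protection policy, so only a managed Edge work profile gets in.
# Without a Windows MAM policy assigned to the user (below), this grant simply blocks.
New-UnmanagedWindowsBrowserPolicy -DisplayName 'BYOD Windows - browser - require app protection policy' `
    -GrantControls @{ operator = 'OR'; builtInControls = @('compliantApplication') }

# Option 1a is a no-op until the workloads are told to honour the signal.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'          # assumed tenant
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess                # web-only: no download, print or sync
Connect-ExchangeOnline
Set-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' -ConditionalAccessPolicy ReadOnly

# Option 2: Windows MAM policy for Edge (Graph beta). Type and property names as I know them
# from the beta reference; the Edge app identifier in particular is an assumption.
$edgeMam = @{
    '@odata.type'                           = '#microsoft.graph.windowsManagedAppProtection'
    displayName                             = 'BYOD Windows - Edge app protection'
    periodOfflineBeforeWipeIsEnforced       = 'P7D'     # wipe the work profile after 7 days offline
    allowedOutboundDataTransferDestinations = 'none'    # no saving corporate data outside the profile
    allowedOutboundClipboardSharingLevel    = 'none'    # no copy/paste out of the work profile
    printBlocked                            = $true
    appActionIfUnableToAuthenticateUser     = 'wipe'
    apps = @(@{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.windowsAppIdentifier'; windowsAppId = 'com.microsoft.edge' } })
}
$created = Invoke-MgGraphRequest -Method POST -Body $edgeMam -ContentType 'application/json' `
    -Uri 'https://graph.microsoft.com/beta/deviceAppManagement/windowsManagedAppProtections'
Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
    -Uri "https://graph.microsoft.com/beta/deviceAppManagement/windowsManagedAppProtections/$($created.id)/assign" `
    -Body @{ assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $PilotGroupId } }) }
```

Two things to check before switching the policies from report-only to enabled. First, these policies only target browser sessions, so the Outlook and Office desktop apps on a personal device are not covered by them; pair them with a policy for the mobile apps and desktop clients that requires a compliant or hybrid-joined device (with AllowLimitedAccess set, SharePoint refuses those rich clients from unmanaged devices anyway, but the Conditional Access policy gives the user a clear message instead of a sync error). Second, the exclude filter depends on the device object: a personal device that someone has registered and made compliant in Intune is, by definition, no longer unmanaged, which is exactly the scenario the previous post argued against.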

Option 3: Provide access via a virtual desktop on personal Windows devices

The third option is related to providing access via a virtual desktop on personal Windows devices. That option enables the IT administrator to require a managed device for accessing any form of corporate data. To still provide the user access to that data, the IT administrator provides the user with a virtual desktop. That virtual desktop can be either a Windows 365 Cloud PC or an Azure Virtual Desktop. Those solutions come with different cost models (subscription versus usage). No matter which solution is used, it will be more expensive than the other options. In return, this option does provide the user with full access to corporate data and the apps for working with that data, while that data stays on a managed device. Below in Figure 4 is an overview of the user experience on a Cloud PC.

Brief summary

When it’s required to provide full access to corporate data, the only secure option is to provide the user with a full (virtual) desktop. When it’s just needed to provide secure access to corporate data, it could be sufficient to protect the session, or the app, or maybe even a combination. Eventually, it all comes down to the requirements, the available options and the costs of those options. Personally, when looking at the different options for protecting the data, I would look into combining protecting the data in the session with protecting the data in the app itself: the first to provide some flexibility and granularity, and the latter to have a method to always wipe any locally cached information. For the sake of simplicity, I’ve created the table below. That allows a really straightforward comparison on some basic differences.

                  | App enforced restrictions                      | App protection (Windows MAM) | App control (Defender for Cloud Apps)
------------------|------------------------------------------------|------------------------------|-----------------------------------------------
Enrollment        | N/a                                            | App enrollment               | N/a
Management        | N/a                                            | App management               | N/a
Data protection   | Session controlled                             | App level                    | Session controlled
Supported apps    | SharePoint, OneDrive and Exchange              | All cloud apps               | All cloud apps when connected
Supported browser | Microsoft Edge, Google Chrome, Mozilla Firefox | Microsoft Edge               | Microsoft Edge, Google Chrome, Mozilla Firefox
Required license  | Microsoft 365 E3                               | Microsoft 365 E3             | Microsoft 365 E5
Admin experience  | Straightforward                                | Straightforward              | More complex
User experience   | Straightforward                                | More complex                 | Straightforward

Note: For simplicity, I deliberately only mentioned the Microsoft 365 licenses, to show the main difference. Of course most functionalities are also available via separate Entra, Intune, and Defender licenses.

10 thoughts on “Working with personal Windows devices”

  1. Thank you for posting this. I am currently wrestling with this. We have a BYOD environment, and unlike iOS / Android, where Intune can have simple & effective App Protection Policies, there is NO WAY to control access / behavior for MS Office apps from within Windows / macOS, despite the fact that the apps are “enlightened”.

    My Microsoft counterpart in the modern desktop team said MCAS can apply a sensitivity label when an unmanaged device downloads a file from SPO, but I have yet to be able to get to that place.

    Thanks,
    Steven

    • Hi Steven,
      Nearly all options to really stay in control of the data are focused on access via the browser. In general, the Office apps provide too much access to the data to stay in control. Windows Information Protection, which you’re probably referring to, is deprecated and will become unavailable.
      Regards, Peter

  2. Hi Peter, thank you so much for this very interesting article! I totally agree on the importance of the subject. I agree as well with the observation of the need to find the balance between what you want to achieve and the restrictions which the business side is enforcing, especially regarding the subject of personal devices. I am having a lot of thoughts about that and I have one question: as you named the required licenses – Microsoft 365 E3 – do you know if it might work as well for Microsoft 365 A3 licenses?

  3. Hi Peter,
    Great Article.
    We are currently also investigating your mentioned Option 2 “Windows MAM” to protect the Edge browser via App Protection Policies.
    Do you have any idea how the locally stored data from the Edge profile is protected -> C:\Users\[USER]\AppData\Local\Microsoft\Edge\User Data\[Profile]?
    There, for example, the bookmarks can be easily accessed.
    Cheers, Kevin

  4. Hi Peter,

    Thanks for the insights in your article.
    We also strive for protection using “Option 2: Provide access via managed apps on personal Windows devices”.

    Do you know if the local data of the work profile, residing in “C:\Users\[USER]\AppData\Local\Microsoft\Edge\User Data\Profile”, is protected in any way?
    As it seems, at least there is easy access to it without any protection, and you can even get some information easily in clear text, like bookmarks.

    Another question would be: do you know of any way from the IT side to remove the work profile from the Windows settings?
    In Intune you have the chance to perform an app selective wipe, which removes the Edge profile but not the work account.

    Regards, Kevin
