Force WIP-Without Enrollment Windows 10
When creating WIP-WE (MAM for Windows 10) policies you may have noticed that the end user is required to manually add their work or school account in Settings on the device to enroll in MAM before the policy takes effect. This is a blocker for a lot of organisations because the end user could simply not follow the instructions and carry on accessing corporate data without WIP applying (there is no Conditional Access option to force device registration).
Until now there was no way around this! You can now leverage a feature within Azure AD Terms of Use along with Conditional Access to force device registration before end users are able to access corporate data. Effectively you can use this as a way of forcing WIP (MAM) on Windows 10 BYOD devices and ensuring that corporate data is protected.
The process
I am making the assumption that you already have created and deployed a WIP-WE Policy and have enabled MAM Autoenrollment in Azure Active Directory. If you have not done this then please take a look at the following links.
- https://docs.microsoft.com/en-us/intune/app-protection-policies-configure-windows-10
- https://docs.microsoft.com/en-us/intune/windows-information-protection-policy-create
- Navigate to Azure Active Directory > Conditional Access > Terms of Use
- Create a new terms of use policy and enter the following information:
  - Name
  - Display Name
  - Upload a PDF containing the Terms of Use
  - Turn ON "Require users to consent on every device" (this is the key setting for device registration)
  - Under "Enforce with conditional access policy templates" choose "Create conditional access policy later"
- Create the policy
- Now create a new Conditional Access policy. The policy can be targeted at whichever cloud apps you want; under device platforms select the platforms you need (in our case Windows). Under Access Controls > Grant you will see that the new Terms of Use policy you created is available to be selected.
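The same two objects can be created through Microsoft Graph, which is handy when you want the configuration repeatable across tenants. The script below is an added example, not the author's code, and uses the Microsoft Graph PowerShell SDK (`New-MgAgreement`, `New-MgIdentityConditionalAccessPolicy`). The PDF path, pilot group id and policy names are placeholders you replace; the Exchange Online application id is the well-known Office 365 Exchange Online app id. The policy is created in report-only state so you can confirm the sign-in log impact before it blocks anyone.

```powershell
# Added example (not from the original post): Terms of Use with per-device acceptance
# plus a Conditional Access policy that grants access only after the ToU is accepted.
# Assumptions: Microsoft.Graph modules installed; the signed-in admin can consent to the scopes;
# $pdfPath and $pilotGroupId are placeholders to replace.
#Requires -Modules Microsoft.Graph.Identity.Governance, Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Agreement.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$pdfPath      = '.\WIP-TermsOfUse.pdf'                    # placeholder: your Terms of Use PDF
$pilotGroupId = '00000000-0000-0000-0000-000000000000'    # placeholder: object id of the pilot user group
$exchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'   # well-known Office 365 Exchange Online app id

# 1. Terms of Use. "Require users to consent on every device" in the portal is
#    isPerDeviceAcceptanceRequired in Graph; this is what forces Azure AD device registration.
$agreement = New-MgAgreement -BodyParameter @{
    displayName                       = 'WIP-WE Device Registration'
    isViewingBeforeAcceptanceRequired = $true
    isPerDeviceAcceptanceRequired     = $true
    files = @(
        @{
            fileName  = 'WIP-TermsOfUse.pdf'
            language  = 'en-US'
            isDefault = $true
            fileData  = @{ data = [Convert]::ToBase64String([IO.File]::ReadAllBytes($pdfPath)) }
        }
    )
}

# 2. Conditional Access: pilot group, Windows only, Exchange Online, grant control = the ToU above.
#    Report-only first; flip state to 'enabled' once the sign-in logs look right.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Force WIP-WE enrollment via Terms of Use'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        platforms      = @{ includePlatforms = @('windows') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @()
        termsOfUse      = @($agreement.Id)
    }
}

# 3. Read both objects back and confirm the two settings that make the trick work.
$readBack  = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
$touLinked = $readBack.GrantControls.TermsOfUse -contains $agreement.Id
$perDevice = (Get-MgAgreement -AgreementId $agreement.Id).IsPerDeviceAcceptanceRequired
"Policy '$($readBack.DisplayName)' ($($readBack.State)): ToU grant linked = $touLinked; per-device acceptance = $perDevice"
```

If either value reads back as False, users will be able to accept the terms without registering the device and WIP will never reach them, which is exactly the gap the portal walkthrough closes.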
Once you target the CA policy at your users and they go to access a corporate cloud app, they will be prompted to accept the terms and conditions. They won't be able to accept the terms and conditions until they have registered their device in Azure AD. Once they register in Azure AD the device will start receiving any Windows Information Protection policies (provided MAM is turned on in AAD auto-enrollment).
End User Experience
As you can see in the screenshot below, when trying to access a cloud app specified in the CA policy (in this case Exchange Online) from a device which is not registered in Azure AD, I am prompted with the following message:
- After adding my work or school account I can check that my device has auto-enrolled into MAM by clicking the info button on my work or school account.
- If you then scroll down to the connection info you should see that the address is https://wip.mam.manage.microsoft.com:444/checkin
- Now I can go back to my cloud app and try logging in again; now that the device registration is complete I can accept the terms and conditions and access my cloud app.
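When troubleshooting a user who is stuck at the terms-of-use prompt, the first thing to establish is whether the work or school account actually registered the device in Azure AD, since that is the state the prompt waits for. The function below is an added example, not part of the original post; it parses the text output of `dsregcmd /status`, which ships with Windows 10. The sample output is constructed so the function can be exercised without a real device.

```powershell
# Added example (not from the original post): report the device registration state that
# the "consent on every device" terms of use depend on, parsed from dsregcmd /status.
# Assumption: the YES/NO lines for AzureAdJoined, WorkplaceJoined and WamDefaultSet are present,
# as they are on Windows 10 builds that support WIP-WE.
function Test-WorkplaceJoined {
    param(
        # Defaults to the live output; pass captured text to analyse a remote or saved report.
        [string[]]$StatusOutput = (dsregcmd /status)
    )

    $state = @{}
    foreach ($line in $StatusOutput) {
        if ($line -match '^\s*(AzureAdJoined|WorkplaceJoined|WamDefaultSet)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }

    [pscustomobject]@{
        AzureAdJoined   = [bool]$state['AzureAdJoined']     # corporate-owned, fully joined
        WorkplaceJoined = [bool]$state['WorkplaceJoined']   # BYOD "Add work or school account" completed
        # Either registration type satisfies the per-device terms of use check.
        CanAcceptToU    = [bool]$state['AzureAdJoined'] -or [bool]$state['WorkplaceJoined']
    }
}

# Constructed sample: a personal device after the user added their work or school account.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : YES
             WamDefaultSet : YES
'@ -split "`r?`n"

Test-WorkplaceJoined -StatusOutput $sample   # CanAcceptToU should be True here
```

A result of `WorkplaceJoined = False` on a BYOD device means the registration step has not happened yet, so the user will keep looping at the prompt no matter how many times they try to sign in; the MAM check-in address shown in Settings only appears after this step succeeds.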
To summarise, I have used the Terms of Use feature in Azure AD and combined it with Conditional Access to force device registration, which in turn lets me force users to enroll personal Windows devices into MAM and receive WIP-WE policies if they try to access their corporate data.
Thanks for reading; please feel free to reach out to me on Twitter or LinkedIn for clarification on any of the above.