Force WIP-Without Enrollment Windows 10

When creating WIP-WE (MAM for Windows 10) policies you may have noticed that the end user is required to manually add their work or school account in Settings on the device to enroll into MAM before the policy will take effect. This is a blocker for a lot of organisations because the end user could simply not follow the instructions and carry on accessing corporate data without WIP applying (there is no Conditional Access option to force device registration).

Until now there was no way around this! You can now leverage a feature within Azure AD Terms of Use, along with Conditional Access, to force device registration before end users are able to access corporate data. Effectively, you can use this as a way of forcing WIP (MAM) on Windows 10 BYOD devices and ensuring that corporate data is protected.

The process

I am making the assumption that you have already created and deployed a WIP-WE policy and have enabled MAM auto-enrollment in Azure Active Directory. If you have not done this, please take a look at the following links.

image

  • Now go and create a new Conditional Access policy. Target it to whichever cloud apps you want and select the device platforms (in our case Windows). Under Access Controls > Grant you will see that the new Terms of Use policy you created is available to be selected.

image

Once you target the CA policy to your users and they go to access a corporate cloud app, they will be prompted to accept the terms and conditions. They won't be able to accept the terms and conditions until they have registered their device in Azure AD. Once they register in Azure AD, the device will start receiving any Windows Information Protection policies (provided MAM is turned on in AAD auto-enrollment).
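As an added example (not part of the original post), the same Conditional Access policy built through Microsoft Graph with PowerShell. It first checks that the Terms of Use agreement is set to require consent on every device, which is the setting that makes device registration mandatory, and creates the policy in report-only mode. The agreement display name and pilot group ID are placeholders.

```powershell
# Added example, not from the original post. Builds the Conditional Access policy
# described above via Microsoft Graph. Placeholders: $touDisplayName, $targetGroupId.
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess","Application.Read.All","Agreement.Read.All"

$touDisplayName = "BYOD Terms of Use"                        # placeholder: your ToU agreement name
$targetGroupId  = "00000000-0000-0000-0000-000000000000"     # placeholder: pilot group object ID

# 1. Look up the agreement and insist on per-device acceptance. Without it a user
#    could accept the terms once in the browser and never register the device.
$agreements = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/termsOfUse/agreements").value
$tou = $agreements | Where-Object { $_.displayName -eq $touDisplayName }
if (-not $tou) { throw "Terms of Use agreement '$touDisplayName' not found" }
if (-not $tou.isPerDeviceAcceptanceRequired) {
    throw "'$touDisplayName' does not require consent on every device; enable that option first"
}

# 2. CA policy: Windows platform, selected cloud apps, grant control = the ToU agreement.
#    Report-only state lets you review sign-in logs before users are actually blocked.
$policy = @{
    displayName   = "Require per-device ToU (WIP-WE) - Windows"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($targetGroupId) }
        applications = @{ includeApplications = @("Office365") }   # or specific app IDs
        platforms    = @{ includePlatforms = @("windows"); excludePlatforms = @() }
    }
    grantControls = @{
        operator   = "OR"
        termsOfUse = @($tou.id)
    }
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"
Write-Host "Created CA policy $($created.id) in state $($created.state)"
```

Once you switch the policy state to "enabled", a quick check on a test device is `dsregcmd /status`, where `WorkplaceJoined : YES` under User State confirms the Azure AD registration that the ToU prompt was waiting for.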

End User Experience

As you can see in the screenshot below, when trying to access a cloud app specified in the CA policy (in this case Exchange Online) from a device which is not registered in Azure AD, I am prompted with the following message:

image

  • After adding my work or school account, I can check that my device has auto-enrolled into MAM by clicking the info button on my work or school account.

image

image

  • Now I can go back to my cloud app and try logging in again. With device registration complete, I can accept the terms and conditions and access my cloud app.

image

To summarise: I have used the Terms of Use feature in Azure AD, combined with Conditional Access, to force device registration, which in turn forces users to enroll personal Windows devices into MAM and receive WIP-WE policies if they try to access their corporate data.

Thanks for reading, please feel free to reach out to me on Twitter or LinkedIn for clarification on any of the above.