When creating WIP-WE (MAM for Windows 10) policies you may have noticed that the end user is required to manually add their work or school account under Settings on the device to enrol into MAM before the policy will take effect. This is a blocker for a lot of organisations because the end user could simply not follow the instructions and carry on accessing corporate data without WIP applying (there is no conditional access option to force device registration).
I am making the assumption that you have already created and deployed a WIP-WE policy and have enabled MAM auto-enrolment in Azure Active Directory. If you have not done this then please take a look at the following links.
- Display Name
- Turn ON require users to consent on every device (This is the key setting for device registration)
- Under “Enforce with conditional access policy templates” choose “Create conditional access policy later”
- Create the Policy
Once you target the CA policy at your users and they go to access a corporate cloud app, they will be prompted to accept the terms and conditions. They won't be able to accept the terms and conditions until they have registered their device in Azure AD. Once they register in Azure AD the device will then start receiving any Windows Information Protection policies (provided MAM is turned on in AAD auto-enrolment).
End User Experience
As you can see in the screenshot below, when trying to access a cloud app specified in the CA policy (in this case Exchange Online) from a device which is not registered in Azure AD, I am prompted with the following message:
- After adding my work or school account I can check that my device has auto-enrolled into MAM by clicking the info button on my work or school account.
- If you then scroll down to the connection info you should see that the address is https://wip.mam.manage.microsoft.com:444/checkin
- Now I can go back to my cloud app and try logging in again; now that the device registration is complete I can accept the terms and conditions and access my cloud app.
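The check above is done by hand in Settings. For an administrator who wants to confirm the same state from a script (for example in a helpdesk or compliance check), the following is an added example that is not part of the original post. It parses the output of the built-in `dsregcmd /status` command, whose `AzureAdJoined` and `WorkplaceJoined` fields report whether the device is Azure AD joined or Azure AD registered, which is the state the Terms of Use policy forces before WIP policies are delivered. The sample output embedded below is constructed and trimmed; the function names `Get-DsregState` and `Test-AzureAdRegistered` are my own.

```powershell
# Added example, not from the original post.
# Parse "Key : Value" lines from `dsregcmd /status` into a hashtable.
function Get-DsregState {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints fields as right-aligned "Name : Value"; skip the box-drawing lines.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

# Device registration is satisfied by either Azure AD join or Azure AD registration
# (the latter shows as WorkplaceJoined : YES under "User State").
function Test-AzureAdRegistered {
    param([hashtable]$State)
    return ($State['AzureAdJoined'] -eq 'YES') -or ($State['WorkplaceJoined'] -eq 'YES')
}

# Constructed sample output for offline testing; real output contains many more fields.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : YES
             WamDefaultSet : YES
'@ -split "`r?`n"

$sampleState = Get-DsregState -Lines $sample
Write-Host ("Sample device registered: {0}" -f (Test-AzureAdRegistered -State $sampleState))

# Live check on the current Windows 10 device (run in the user's session,
# since WorkplaceJoined is a per-user state).
if (Get-Command dsregcmd -ErrorAction SilentlyContinue) {
    $liveState = Get-DsregState -Lines (dsregcmd /status)
    if (Test-AzureAdRegistered -State $liveState) {
        Write-Host "This device is registered in Azure AD; WIP policy can be delivered after MAM enrolment."
    } else {
        Write-Host "This device is NOT registered in Azure AD; the user has not yet added a work or school account."
    }
}
```

Run it in the signed-in user's context rather than an elevated SYSTEM session, because the `WorkplaceJoined` field reflects the current user's registration. A `YES` here confirms the registration half of the flow; the MAM enrolment itself is still confirmed from the account's connection info in Settings, as shown above.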
Thanks for reading, please feel free to reach out to me on Twitter or LinkedIn for clarification on any of the above.