This week part 2 of my blog post about Windows 10 and MAM-WE. Last week it was about the configuration, this week it’s about the end-user experience. I’ll start this post with a short introduction about the settings that are configured for the end-user experience in this post. After that I’ll show the end-user experience with the enrollment, with accessing data and after enrollment.
Introduction
As I explained last week, there are a few important settings that should be considered. The end-user experience shown throughout this post is based on the following configuration:
- Allowed apps: Microsoft Edge, PowerPoint Mobile, Excel Mobile, Word Mobile, IE11, Microsoft Remote Desktop, Microsoft Paint, Microsoft OneDrive, Notepad;
- Required settings:
  - Windows Information Protection mode: Allow Overrides;
- Advanced settings:
  - Network boundary: All Microsoft cloud services;
  - Revoke encryption keys on unenroll: On;
  - Show the enterprise data protection icon: On.
Enroll device
Now let’s start with the end-user experience for enrolling the Windows 10 device. Keep in mind that the end-user must be Microsoft Intune licensed and must be using at least Windows 10, version 1703. The end-user can now navigate to Settings > Accounts > Access work or school and click Connect (see below on the left). This will start an enrollment experience that is similar to a normal MDM enrollment. The difference is in the background process: once MAM enrollment is enabled, Windows 10, version 1703, will enroll the device for MAM. After enrollment this can be verified by selecting the work or school account and clicking Info. This will show the Management Server Address, which points to the MAM check-in URL (see below on the right).
Note: After enrolling the device, an administrative user can find an additional device for the end-user in Azure AD. That device has the Trust Type attribute set to Workplace and the Managed By attribute set to None.
Access cloud work data
After enrolling the device it’s possible to connect to the configured Microsoft cloud services, like SharePoint Online, with and without conditional access configured. Browsing to SharePoint Online will show the enterprise data protection icon, the briefcase, next to the URL (see below on the top). When clicking on the enterprise data protection icon, a message will show indicating that the website is managed (see below on the bottom).
Access local work data
When connecting to the configured Microsoft cloud services, like SharePoint Online, it’s also possible to download data, like documents. The downloaded documents will be marked as work data. The fact that it’s work data ensures that the documents are encrypted. The work data can be recognized by the enterprise data protection icon, the briefcase, and by the File ownership. The File ownership will be set to the company (see below on the left). Work data can only be opened with managed apps. A clear example shows when using Open with > Choose another app: that lists the programs that can be used to open the document, including information about whether each program can open work or personal files (see below on the right).
Copy work data
Now that it’s possible to open work data, it’s good to have a look at the behavior with copying content. In this case, opening work data, like a document, in Word Online (as shown below on the left) and Word Mobile (as shown below on the right).
When copying content to an unmanaged app, like WordPad, the end-user will be prompted to give temporary access to use work content (as shown below). After clicking Give access, the content will be copied and the action will be logged.
Note: Keep in mind that every activity related to accessing work data is logged in Event Viewer, in the EDP-Audit-Regular log.
Switch owner
After enrolling the device it’s possible to switch the owner of local data. It’s even possible to switch the owner of the data when downloading it. That enables the end-user to switch personal data to company data and company data to personal data (as shown below). When marked as work data, the data will be encrypted. When marked as personal data, the data will be unencrypted and freely accessible.
Note: Keep in mind that every activity related to switching the owner of work data is logged in Event Viewer, in the EDP-Audit-Regular log.
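The two checks an administrator will most want after reading the sections above are: which downloaded files are actually marked as work data (the encryption described in the local work data section), and what the EDP-Audit-Regular log recorded (the access and owner-switch entries mentioned in the notes). The following PowerShell script is an added example and not code from the original post; it runs on the enrolled device. The channel name `Microsoft-Windows-EDP-Audit-Regular/Admin` is my assumption for how the Event Viewer log named in the post is exposed to Get-WinEvent, and the function names and the Downloads folder are chosen for illustration.

```powershell
# Added example (not from the original post): inspect WIP-marked files and the
# WIP audit log on an enrolled Windows 10 device. Assumptions are marked inline.

function Get-WorkFileStatus {
    <#
    .SYNOPSIS
      Lists files under a folder and reports whether each carries the EFS
      'Encrypted' attribute, which is set on data marked as work data.
    #>
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                FullName  = $_.FullName
                Encrypted = [bool]($_.Attributes -band [System.IO.FileAttributes]::Encrypted)
            }
        }
}

function Get-WipAuditEvents {
    <#
    .SYNOPSIS
      Returns recent entries from the WIP audit log with a one-line summary.
    #>
    param(
        [int] $Hours = 24,
        # Assumption: the log shown in Event Viewer as EDP-Audit-Regular is
        # exposed to Get-WinEvent under this channel name.
        [string] $LogName = 'Microsoft-Windows-EDP-Audit-Regular/Admin'
    )
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: show which downloaded files are encrypted work data ...
Get-WorkFileStatus -Path "$env:USERPROFILE\Downloads" |
    Where-Object Encrypted | Format-Table -AutoSize

# ... and how many audit entries of each event ID were written in the last two days.
Get-WipAuditEvents -Hours 48 | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Name, Count
```

Run it in the context of the enrolled user; an empty result from Get-WipAuditEvents after copying work content to an unmanaged app or switching a file's owner usually means the channel name differs on that build, so compare it against the log path shown in Event Viewer. For a single file, the built-in `cipher /c <file>` command also shows whether the file is encrypted and which identity can decrypt it, which is a quick way to confirm that the owner switch described above took effect.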
Unenroll device
Another important end-user action is unenrolling the device. With the current configuration this will revoke the encryption keys, which revokes the end-user’s access to downloaded work data (as shown below on the left). It’s also really important to know that setting Revoke encryption keys on unenroll to Off will not revoke the end-user’s access to downloaded work data (as shown below on the right). The indication that it’s work data is still available, but the end-user has full access.
Note: Keep in mind that setting Revoke encryption keys on unenroll to Off should only be used in specific scenarios. Using it in a normal production configuration will create major data leakage.
Great series, thanks Peter.
I wondered if you could elaborate on this line a little bit?
“After enrolling the device it’s possible to connect to the configured Microsoft cloud services, like SharePoint Online. With and without conditional access configured”
My take is this:
If you are using a W10 Pro (or up SKU) then this statement is true
If you are using a W10 Home SKU this statement is not true as W10 Home cannot be AAD joined…and cannot then be evaluated against Conditional Access policies.
Just wondered if you also agree with this? WIP seems very useful in the BYOC space but there is this caveat above (if true 🙂 )
Thanks again
Carl
Hi Carl,
Correct, Windows 10 Home will not work with AAD join. However, that doesn’t mean that it can’t be enrolled (workplace).
Minor detail, to my knowledge WIP is also not available on Windows 10 Home. In other words, the picture on Windows 10 Home will not be as great.
Peter
Windows MAM-WE is supported on Home edition
Thank you for that confirmation, Anna!
Hi Peter, it appears that MAM/WIP registration using the “Connect to work or school” button is voluntary — how can registration be “triggered” so the user has to register? Such that the registration sequence fires up in front of the user? Can that be done with a conditional access policy that works for a device that is unknown to AAD and Intune?
Thanks, Anthony
Hi Anthony,
Yes and no. Conditional access is one of the methods to require an enrolled device or a specific (managed) app to access company data.
Regards, Peter