Secure and configure unmanaged devices (MAM-WE) 1/3

Using Intune you can secure and configure applications on unmanaged devices. This is called “Mobile application management without enrollment” (MAM-WE). In this blog I will show how to configure and secure email on an unmanaged Android/iOS device using the Outlook app for iOS and Android. To secure email I will configure Conditional Access policies and an App Protection policy, and to configure it I will use an App Configuration policy.

 

Separate data layers using an App Protection policy

In the following picture you can see that corporate data is secured on an unmanaged device and can only be opened with applications that are allowed to open corporate data. Other apps, like Twitter or Facebook, are not allowed to open the corporate data.

Advantages:

  • Can be used when a device is already enrolled with a different Intune tenant
  • Outlook widgets can be used. (optional)
  • Outlook address book can be synced with personal contacts. (This is important if you use WhatsApp)
  • Company data protected at app level

Disadvantages:

  • Every application needs to be configured before it will be protected.
  • Not all apps support App Protection policies; support can be added by using the Intune App Wrapping Tool.
  • Software needs to be installed manually by the user
  • Company Portal is required for MAM-WE.
  • Only a single managed account is allowed on a device.

 

Requirements:

Before we start with the configuration you will need the following:

  • Testuser with an Azure AD account and the following licences
  • Azure AD group containing the testuser to apply the policies

I’ve created a group “Secure Mobile Outlook” and a testuser “Cynthia Carey” who is a member of this group.

 

Conditional Access policies

To secure the company data on unmanaged Android and iOS devices we only want users to connect to Exchange Online using the mobile app “Outlook for iOS and Android”. To prevent users from connecting with a different mail client we need to configure Conditional Access policies. Depending on your situation you will need one or two Conditional Access policies. If you only allow Modern Authentication you will have to configure one policy, but if you still allow basic authentication an additional policy has to be created for that protocol. In this blog I will configure both Conditional Access policies. I will be using the MEM admin center, but you can also configure this in the Azure Portal.

 

Conditional access for Exchange ActiveSync

Let’s start with the Conditional Access policy for Exchange ActiveSync clients. This policy will prevent users from using clients other than “Outlook for iOS and Android” when they connect to Exchange Online using Exchange ActiveSync.

1. Go to “Endpoint Security” -> “Conditional access” or press here. Press “+New policy” to create a new Conditional Access policy.

 

2. Enter a name, I will call this policy “CA – iOS & Android – Outlook – EAS clients”. Assign the policy to the group “Secure Mobile Outlook” that contains the testuser.

 

3. Select “Cloud apps or actions” go to “Include” -> “Select apps” and select “Office 365 Exchange Online”

 

4. Select “Conditions” -> “Device platforms” -> set “Configure” to Yes, select the device platforms “Android” and “iOS” and press “Done”

 

5. Select “Conditions” -> “Client apps” -> set “Configure” to Yes, under Legacy authentication clients select “Exchange ActiveSync clients” and press “Done”

 

6. Select “Access Controls” -> “Grant” and select “Grant access” -> “Require approved client app” and press “Select”

 

7. The final step is to enable the policy and press “Create” to finish.

 

Conditional access for Modern Authentication

Now we will create the Conditional Access policy for Modern Authentication clients. This policy will prevent users from using clients other than “Outlook for iOS and Android” when they connect to Exchange Online using Modern Authentication, and it also requires MFA.

 

8. Go to “Endpoint Security” -> “Conditional access” or press here. Press “+New policy” to create a new Conditional Access policy.

 

9. Enter a name, I will call this policy “CA – iOS & Android – Outlook – Modern authentication clients”. Assign the policy to the group “Secure Mobile Outlook” that contains the testuser.

 

10. Select “Cloud apps or actions” go to “Include” -> “Select apps” and select “Office 365 Exchange Online”

 

11. Select “Conditions” -> “Device platforms” -> set “Configure” to Yes, select the device platforms “Android” and “iOS” and press “Done”

 

12. Select “Conditions” -> “Client apps” -> set “Configure” to Yes, under Modern authentication clients select “Mobile apps and desktop clients” and press “Done”

 

13. Select “Access Controls” -> “Grant” and select “Grant access” -> select “Require multi-factor authentication” and “Require approved client app”. Press “Select” to continue.

 

14. The final step is to enable the policy and press “Create” to finish.

 

With the Conditional Access policies configured it should no longer be possible to connect with a mail client other than Outlook on an iOS or Android device. Let’s see what happens when the testuser Cynthia tries to add an email account in a mail client that is not in the approved client apps list, for example the native Samsung mail app. The following message will appear; notice the line “It looks like you’re trying to open this resource with an app that hasn’t been approved by your IT department”.
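The same two policies can be created through Microsoft Graph, which is handy for repeating the setup in another tenant or for checking afterwards that nobody has weakened them. The following PowerShell is an added example and not code from the original post. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin may write Conditional Access policies, and that the placeholder `$GroupId` is replaced with the object id of the “Secure Mobile Outlook” group; the app id for “Office 365 Exchange Online” is the well-known service principal id.

```powershell
# Added example, not code from the original post: creates the two Conditional
# Access policies of steps 1-14 through Microsoft Graph instead of the portal.
# Assumptions: Microsoft.Graph PowerShell SDK installed, admin may write CA
# policies, $GroupId replaced with the object id of "Secure Mobile Outlook".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$GroupId          = "<object-id-of-Secure-Mobile-Outlook>"   # placeholder, not from the post
$ExchangeOnlineId = "00000002-0000-0ff1-ce00-000000000000"   # well-known app id of "Office 365 Exchange Online"
$PoliciesUri      = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

function Invoke-GraphPost { param([string]$Uri, [hashtable]$Body)
    Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($Body | ConvertTo-Json -Depth 10) -ContentType "application/json"
}

# Both policies share the same scope: the test group, Exchange Online, Android and iOS.
# Only the client app type (steps 5 / 12) and the grant controls (steps 6 / 13) differ.
function New-OutlookCaPolicy {
    param([string]$DisplayName, [string[]]$ClientAppTypes, [string[]]$BuiltInControls)
    Invoke-GraphPost -Uri $PoliciesUri -Body @{
        displayName   = $DisplayName
        state         = "enabled"                                              # step 7 / 14
        conditions    = @{
            users          = @{ includeGroups = @($GroupId) }                  # step 2 / 9
            applications   = @{ includeApplications = @($ExchangeOnlineId) }   # step 3 / 10
            platforms      = @{ includePlatforms = @("android", "iOS") }       # step 4 / 11
            clientAppTypes = $ClientAppTypes
        }
        grantControls = @{ operator = "AND"; builtInControls = $BuiltInControls }  # "Require all the selected controls"
    }
}

# Steps 1-7: Exchange ActiveSync clients must be an approved client app.
$eas = New-OutlookCaPolicy -DisplayName "CA – iOS & Android – Outlook – EAS clients" `
    -ClientAppTypes @("exchangeActiveSync") -BuiltInControls @("approvedApplication")

# Steps 8-14: Modern Authentication clients need MFA and an approved client app.
$modern = New-OutlookCaPolicy -DisplayName "CA – iOS & Android – Outlook – Modern authentication clients" `
    -ClientAppTypes @("mobileAppsAndDesktopClients") -BuiltInControls @("mfa", "approvedApplication")

# Read both back and confirm they are enabled and still require an approved client app;
# a policy left in report-only mode or without this control lets other mail clients through.
foreach ($id in @($eas.id, $modern.id)) {
    $p  = Invoke-MgGraphRequest -Method GET -Uri "$PoliciesUri/$id"
    $ok = ($p.state -eq "enabled") -and ($p.grantControls.builtInControls -contains "approvedApplication")
    "{0}: {1}" -f $p.displayName, $(if ($ok) { "OK" } else { "check configuration" })
}
```

The final loop is the part worth keeping around: run it against all policies that include Exchange Online and it tells you at a glance whether the “Require approved client app” control is still present and enforced, which is exactly what the Samsung mail test above verifies by hand.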

 

App protection policies

The CA policies have been configured. The testuser will only be able to connect to their mail account with Outlook. The next step is to secure the corporate data; this can be accomplished using an App protection policy. Using these policies you can protect corporate data on managed and unmanaged devices. App protection policies can prevent data relocation, e.g. restrict printing, saving copies, cut, copy and paste. Additional access security can also be set, like requiring a PIN code and preventing the app from opening on a jailbroken device.

 

App protection policy for Outlook

The app protection policies need to be created separately for each OS type. I will only create the App protection policy for Android, but the policy for iOS is almost similar, so the same steps can be used to create the App protection policy for iOS.

 

15. Go to “Apps” -> “App protection policies” or press here. Press “+Create policy” and select “Android” to create a new App protection policy.

 

16. Enter a name and press “Next”

 

17. Because this protection policy will only be used for unmanaged devices I will select only “Unmanaged”, but you can also target other device types if you want to use the same policy. Press “+ Select public apps” to add “Microsoft Outlook”. Press “Next” to continue.

 

18. Select the Data protection settings you want to apply. These settings will protect the corporate data in Outlook. For this demo I will set “Screen capture and Google Assistant” to “Block” and restrict “cut, copy, and paste between other apps”. Press “Next” to continue.

 

19. Select the Access requirements you want to apply to Outlook to prevent unwanted access. By default a 4-digit PIN code must be entered after a reboot or after 30 minutes of inactivity. For this demo I will change it to 6 digits. Press “Next” to continue.

 

20. In the Conditional launch tab you can set how long an application can run offline and after how many days offline a selective wipe will be performed. Device conditions can also be set, for example whether a jailbroken device can be used. I will use the default settings and press “Next” to continue.

 

21. Apply any additional Scope tags (optional) and press “Next” to continue.

 

22. Assign the policy to the testgroup “Secure Mobile Outlook” and press “Next” to continue.

 

23. Press “Create” to create and assign the App Protection policy to the testuser.

 

After the app protection policy has been applied, it’s no longer possible to take screenshots of your mailbox; you will see the error “Couldn’t save screenshot” (screenshot left). When you copy data from Outlook and paste it outside the Outlook profile, the message “Your organization’s data cannot be pasted here” is pasted instead of the copied data (screenshot right).

 

App Configuration Policies

App Configuration policies can be used to preconfigure settings for users. Using an App Configuration policy, settings are supplied automatically when the app is configured on the end user’s device. This way users don’t have to configure (global) settings themselves and application configuration is more consistent across users. App configuration policies can be used on managed applications and devices. The policies are available for Android, iOS and iPadOS.

 

App Configuration policy for Outlook

In this blog we will create an App Configuration policy for Outlook. Because the configuration policy will be applied to unmanaged devices, it will be a managed apps policy.

 

24. Go to “Apps” -> “App configuration policies” or press here. Press “+Add” and select “Managed apps” to create a new App configuration policy.

 

25. Enter a name for the policy and press “+ Select public apps” to add the public apps “Outlook for Android and iOS/iPadOS”. Press “Next” to continue.

 

26. On the Settings page you can configure the settings you want to preconfigure for users. In this demo I will disable the “Focused inbox” and disable “organize mail by thread”. Press “Next” to continue.

 

27. Apply any additional Scope tags (optional) and press “Next” to continue.

 

28. Assign the policy to the testgroup “Secure Mobile Outlook” and press “Next” to continue.

 

29. Press “Create” to create and assign the App Configuration policy to the testuser.

 

After the app configuration policy has been applied, “Focused inbox” and “Organize email by thread” will be disabled by default. Users can still change the setting if they would like to enable the Focused inbox or organize email by thread.
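Both the Android App protection policy (steps 15-23) and the managed-apps App configuration policy (steps 24-29) can also be created through Microsoft Graph, and the two policy types are targeted and assigned with the same pair of actions, so one script covers both. This PowerShell is an added example, not code from the original post or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK is installed and that `$GroupId` is replaced with the object id of the “Secure Mobile Outlook” group. The post does not say which option was picked for “Restrict cut, copy, and paste between other apps”; the value `managedApps` (policy-managed apps only) is my choice, and the Outlook package and bundle ids plus the two Outlook configuration keys are the documented public identifiers.

```powershell
# Added example, not code from the original post: creates the Android App
# protection policy (steps 15-23) and the App configuration policy (steps 24-29)
# through Microsoft Graph. Assumptions: Microsoft.Graph PowerShell SDK installed,
# $GroupId replaced with the object id of "Secure Mobile Outlook"; the clipboard
# value "managedApps" is my choice, the post does not name the option selected.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$GroupId = "<object-id-of-Secure-Mobile-Outlook>"   # placeholder, not from the post
$Graph   = "https://graph.microsoft.com/v1.0/deviceAppManagement"

function Invoke-GraphPost { param([string]$Uri, [hashtable]$Body)
    Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($Body | ConvertTo-Json -Depth 10) -ContentType "application/json"
}

# Outlook public-app identifiers used by both policies (steps 17 and 25).
$OutlookAndroid = @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.androidMobileAppIdentifier"; packageId = "com.microsoft.office.outlook" } }
$OutlookIos     = @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier";     bundleId  = "com.microsoft.Office.Outlook" } }

# Target the public apps and assign the test group; both policy types expose these two actions.
function Set-PolicyTargets { param([string]$PolicyUri, [hashtable[]]$Apps)
    Invoke-GraphPost -Uri "$PolicyUri/targetApps" -Body @{ apps = $Apps }
    Invoke-GraphPost -Uri "$PolicyUri/assign" -Body @{
        assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $GroupId } })
    }
}

# --- App protection policy, Android only (steps 15-23) ---
$protection = @{
    "@odata.type"                        = "#microsoft.graph.androidManagedAppProtection"
    displayName                          = "APP – Android – Outlook – Unmanaged"
    targetedAppManagementLevels          = "unmanaged"     # step 17: unmanaged devices only
    screenCaptureBlocked                 = $true           # step 18: "Screen capture and Google Assistant" = Block
    allowedOutboundClipboardSharingLevel = "managedApps"   # step 18: cut/copy/paste only into policy-managed apps (my choice)
    pinRequired                          = $true           # step 19
    pinCharacterSet                      = "numeric"
    minimumPinLength                     = 6               # step 19: 6 digits instead of the default 4
    periodOnlineBeforeAccessCheck        = "PT30M"         # recheck after 30 minutes of inactivity
    # step 20: conditional launch is left at its defaults, so nothing is set here
}
$app = Invoke-GraphPost -Uri "$Graph/androidManagedAppProtections" -Body $protection
Set-PolicyTargets -PolicyUri "$Graph/androidManagedAppProtections/$($app.id)" -Apps @($OutlookAndroid)

# --- App configuration policy for managed apps, Android and iOS/iPadOS (steps 24-29) ---
$configuration = @{
    displayName    = "ACP – Outlook – Managed apps"
    customSettings = @(                                        # step 26: values are strings in Graph
        @{ name = "com.microsoft.outlook.Mail.FocusedInbox";     value = "false" }
        @{ name = "com.microsoft.outlook.Mail.OrganizeByThread"; value = "false" }
    )
}
$cfg = Invoke-GraphPost -Uri "$Graph/targetedManagedAppConfigurations" -Body $configuration
Set-PolicyTargets -PolicyUri "$Graph/targetedManagedAppConfigurations/$($cfg.id)" -Apps @($OutlookAndroid, $OutlookIos)

# Read both back and print the settings the post checks on the device.
$p = Invoke-MgGraphRequest -Method GET -Uri "$Graph/androidManagedAppProtections/$($app.id)"
$c = Invoke-MgGraphRequest -Method GET -Uri "$Graph/targetedManagedAppConfigurations/$($cfg.id)"
"Protection: screenCaptureBlocked={0}, clipboard={1}, pinLength={2}" -f $p.screenCaptureBlocked, $p.allowedOutboundClipboardSharingLevel, $p.minimumPinLength
"Configuration: " + (($c.customSettings | ForEach-Object { "$($_.name)=$($_.value)" }) -join ", ")
```

Creating the policy, targeting the apps and assigning the group are three separate calls in Graph, which mirrors what the portal wizard does behind the scenes: a policy that exists but has no targeted apps or no assignment protects nothing, so the read-back at the end is worth running after any change.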

 

Result

For the Conditional Access and App protection policies to work the user needs to have the Company Portal installed on Android. If the Company Portal was not installed before setup, it needs to be installed during the configuration of the email account. I’ve created two GIFs to show the difference in setup. The left GIF shows adding the mail account with the Company Portal installed and the right one without the Company Portal installed.

For the App Protection policy to work the Company Portal is required, but the user does not have to launch or sign in to the Company Portal. It’s important to instruct your users not to sign in to the Company Portal, because doing so will enroll their device in Intune. As you can see in the screenshot below, there is only a “Sign In” button and not a “Close” button to close the Company Portal and continue setup.

 

Conclusion

By combining Conditional Access, an App protection policy and an App configuration policy you can use Intune to secure corporate data and pre-configure settings. Because of the requirement for the Company Portal the installation can be a real hassle. Therefore it’s important to create instructions for users on what to do with the Company Portal, to prevent unwanted Intune enrollments if you allow personal enrollment of Android devices for all users.

 

In my next blog I will show how you can monitor policies on unmanaged devices.
