Windows 10 - WIP without enrollment

Resources -
WIP Limitations - Link - WIP is designed for use by a single user per device.


BYOD limitations -
Unable to access online apps
- SharePoint Online
- OneDrive for Business Online

OneDrive Online


Teams Online -

Workaround for Online apps that are blocked - Link


MAM and MDM user scope updated to include all users in MAM


Apps - App protection policies

Create policy - Windows 10

Name - Windows Information Protection Policy - Windows 10 without enrollment
Description - This WIP policy is assigned to BYOD Windows 10 devices and users
Enrollment state - Without enrollment

Targeted apps - Protected apps - Add
Recommended Apps -
Select - Name (This will select all recommended apps)
Select - OK

Select - Next -

Select the mode you would like to apply

Hover over the information icon to see an explanation of the options

As I would like to test the 'Allow overrides' option, select - Allows Overrides.

Advanced settings -
If you don't select and create a network boundary, nothing happens.

Under Network boundaries - select - Add

Boundary type - Cloud resources
Name - Cloud resources
Value -      update the text below with the tenant name -
(copy to notepad and use find - replace)
(make sure there are no new lines and use the pipe character to separate entries)

Replace <tenant> with your tenant name -

Updated details||||||||||/*AppCompat*/

Update the Add network boundary sections - New screenshot

Update other options as needed.
I choose Yes to - Show the enterprise data protection icon -
Click - Next

Options continued.
Configure Access as needed (Windows Hello for Business protected).
Recommend to match the settings in Compliance Policy / Security Baseline.

Click - Next - to continue

Assignments -
Add groups -

Browse and select the groups you want the policy assigned to.
I have assigned the MFA group to ensure this is assigned to all users.

Click - Select

The Assignments will update with the groups assigned

Click - Next

Review and Create -


End user testing

Troubleshooting tips -
Remove the business account in Settings - Accounts -
Reboot -
Add to the Azure AD account - Settings - Accounts
Log into Office 365 portal - OneDrive - Get OneDrive Apps - Start OneDrive
- Sign-in

Register the BYOD device with Azure AD -
Settings - Accounts - Access work or school -
Add the user account

Log into the Office 365 portal -

Online apps blocked - Link
OWA blocked
OneDrive online blocked

Troubleshooting OneDrive for Business app -
Google - OneDrive for Business download - Click - Start OneDrive -
Sign in with corporate credentials - Use this folder

Protected documents - Icon changes with briefcase
OneDrive is protected as Corporate owned files
New column shows File Ownership

Files in OneDrive have no option to change File Ownership

Copying the file to another file location gives you the option to change File Ownership

Here the file has been copied to C:\Files
I can select - Personal - to change the file ownership

Open the file via WordPad

Warning as it is a non-corporate app - needs Microsoft Word which is a corporate app

Trying to email the document from OneDrive via Gmail
Warning as it is not allowed - Use Outlook



About the author -

Terry Munro is an IT specialist based in Brisbane, Australia.
He draws upon over 20 years experience designing and delivering technical solutions to a variety of enterprise clients in the private, Government and Education sectors, to revolutionise client businesses through collaboration and getting the most value from a variety of cloud solutions.
He is passionate about learning new technologies and is a firm believer in sharing knowledge to provide a better experience for all.
You can connect with Terry on LinkedIn -

No comments:

Post a Comment