Windows 10 - WIP without enrollment

Resources -
WIP Limitations - Link - WIP is designed for use by a single user per device.

======================================================================

BYOD limitations -
Unable to access online apps
- OWA
- SharePoint Online
- OneDrive for Business Online

OneDrive Online


OWA -


Teams Online -


Workaround for Online apps that are blocked - Link


======================================================================



MAM and MDM user scope updated to include all users in MAM



======================================================================


Apps - App protection policies


Create policy - Windows 10


Name - Windows Information Protection Policy - Windows 10 without enrollment
Description - This WIP policy is assigned to BYOD Windows 10 devices and users
Enrollment state - Without enrollment


Targeted apps - Protected apps - Add
Recommended Apps -
Select - Name (This will select all recommended apps)
Select - OK



Select - Next -

Select the mode you would like to apply

Hover over the information icon to see an explanation of the options


As I would like to test the 'Allow Overrides' option, select - Allow Overrides.
Next


Advanced settings -
If you don't select and create a network boundary, nothing happens.

Under Network boundaries - select - Add


Boundary type - Cloud resources
Name - Cloud resources
Value - update the text below with the tenant name -
(copy to Notepad and use find and replace)
(make sure there are no line breaks, and use the pipe character to separate entries)

Replace <tenant> with your tenant name -
<tenant>.sharepoint.com|<tenant>-my.sharepoint.com|<tenant>-files.sharepoint.com|tasks.office.com|protection.office.com|meet.lync.com|teams.microsoft.com|outlook.office365.com|outlook.office.com|attachments.office.net

Updated details - the value filled in for the intuneadmin tenant, with /*AppCompat*/ appended -
intuneadmin.sharepoint.com|intuneadmin-my.sharepoint.com|intuneadmin-files.sharepoint.com|tasks.office.com|protection.office.com|meet.lync.com|teams.microsoft.com|outlook.office365.com|outlook.office.com|attachments.office.net|/*AppCompat*/
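
The find-and-replace step above can be scripted so that a stray line break, doubled pipe or leftover placeholder is caught before the value is pasted into the portal. This is an added example, not part of the original post; the function names are hypothetical, and the template and the /*AppCompat*/ token are copied from the values shown above.

```python
import re

# Template from the page; <tenant> is the placeholder to substitute.
TEMPLATE = ("<tenant>.sharepoint.com|<tenant>-my.sharepoint.com|"
            "<tenant>-files.sharepoint.com|tasks.office.com|protection.office.com|"
            "meet.lync.com|teams.microsoft.com|outlook.office365.com|"
            "outlook.office.com|attachments.office.net")
APPCOMPAT = "/*AppCompat*/"  # literal token that appears in the page's updated value
HOST_RE = re.compile(r"([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}", re.I)


def check_boundary(value):
    """Return a list of problems found in a Cloud resources boundary value."""
    problems = []
    if re.search(r"\s", value):
        problems.append("contains whitespace or a line break")
    if "<" in value or ">" in value:
        problems.append("placeholder not replaced")
    seen = set()
    for entry in value.split("|"):
        if entry == "":
            problems.append("empty entry")  # leading, trailing or doubled pipe
        elif entry != APPCOMPAT and not HOST_RE.fullmatch(entry):
            problems.append(f"not a host name: {entry!r}")
        if entry and entry.lower() in seen:
            problems.append(f"duplicate entry: {entry!r}")
        seen.add(entry.lower())
    return problems


def build_boundary(tenant, appcompat=False):
    """Substitute the tenant name into the template and validate the result."""
    if not re.fullmatch(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?", tenant):
        raise ValueError(f"unexpected tenant name: {tenant!r}")
    value = TEMPLATE.replace("<tenant>", tenant)
    if appcompat:
        value += "|" + APPCOMPAT
    problems = check_boundary(value)
    if problems:
        raise ValueError("; ".join(problems))
    return value


if __name__ == "__main__":
    print(build_boundary("intuneadmin", appcompat=True))
    # Constructed bad input: a line break left in by the text editor.
    print(check_boundary("contoso.sharepoint.com|\ncontoso-my.sharepoint.com"))
```
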

Update the Add network boundary sections - New screenshot


Update other options as needed.
I choose Yes to - Show the enterprise data protection icon -
Click - Next


Options continued.
Configure Access as needed (Windows Hello for Business protected).
It is recommended to match the settings in the Compliance Policy / Security Baseline.


Click - Next - to continue

Assignments -
Add groups -


Browse and select the groups you want the policy assigned to.
I have assigned the MFA group to ensure this is assigned to all users.


Click - Select

The Assignments will update with the groups assigned


Click - Next

Review and Create -
Create

=======================================================================

End user testing

Troubleshooting tips -
Remove the business account in Settings - Accounts -
Reboot -
Add to the Azure AD account - Settings - Accounts
Log into Office 365 portal - OneDrive - Get OneDrive Apps - Start OneDrive
- Sign-in

Register the BYOD device with Azure AD -
Settings - Accounts - Access work or school -
Add the user account


Log into the Office 365 portal -

Online apps blocked - Link
OWA blocked
OneDrive online blocked

Troubleshooting OneDrive for Business app -
Google - OneDrive for Business download - Click - Start OneDrive -
Sign in with corporate credentials - Use this folder


Protected documents - Icon changes with briefcase
OneDrive is protected as Corporate owned files
New column shows File Ownership



Files in OneDrive have no option to change File Ownership



Copying the file to another file location gives you the option to change File Ownership

Here the file has been copied to C:\Files
I can select - Personal - to change the file ownership


Open the file via WordPad

Warning as it is a non-corporate app - needs Microsoft Word which is a corporate app



Trying to email the document from OneDrive via Gmail
Warning as it is not allowed - Use Outlook


=========================================================================


 

About the author -

Terry Munro is an IT specialist based in Brisbane, Australia.
He draws upon over 20 years' experience designing and delivering technical solutions to a variety of enterprise clients in the private, Government and Education sectors, to revolutionise client businesses through collaboration and getting the most value from a variety of cloud solutions.
He is passionate about learning new technologies and is a firm believer in sharing knowledge to provide a better experience for all.
You can connect with Terry on LinkedIn - https://www.linkedin.com/in/terry-munro/
