First Look at Mobile Application Management (MAM) for Windows

Update: Microsoft has moved this feature from Public Preview to General Availability. I’ll update this post once new features or changes are introduced.

Recently, on July 7th, 2023, Microsoft announced the long-awaited Mobile Application Management (MAM) for Windows. Now that it has entered Public Preview, it allows us to play around with its capabilities.

Mobile Application Management enables us to apply policies to corporate applications such as Outlook, Microsoft Teams, or other Office or third-party apps. These policies allow us to protect company data and prevent leakage to personal devices. This feature is especially useful in Bring Your Own Device scenarios as you will not need to manage the device fully with Microsoft Intune.

MAM has been available on Android and iOS for some time. However, its introduction to Windows is a welcome surprise, especially as its predecessor, Windows Information Protection (WIP), will be discontinued in future Windows versions.

Until now, when it came to personal devices, our closest solution was to enforce limited web-only access with conditional access or session policies, which offers comparable features to WIP, but its experience, in my opinion, is lacking.

In this blog post, we will take a first look at the configuration and user experience of MAM for Windows.

Please remember that this post was written during the public preview experience; some things might have changed slightly.

Prerequisites

To configure Mobile Application Management for Windows, you will need to meet a few requirements. 

  • Up-to-date versions of Windows 11 22H2 and Microsoft Edge
  • Users must have a Microsoft Intune license assigned
  • MAM for Windows only supports unmanaged devices, unlike MAM for Android and iOS.

However, keep in mind that these requirements may change as new features become available. 

Mobile Threat Defense connector

First, we will need to go to the tenant administration section of Microsoft Intune and add the Mobile Threat Defense (MTD) connector. This connector will seamlessly integrate with Microsoft Intune to help us detect local health threats, so we can block access from compromised or vulnerable devices. Once the device is enrolled in MAM, the connector should be automatically enabled in both the portal and the device.

Configure Application Protection policy

Next, let’s go through the Application Protection policy configuration together.

Unfortunately, we will notice right away that we can only manage the Microsoft Edge app. I already knew this, but I hope we’ll see other Microsoft apps soon.

On the second page, we can configure the data protection restrictions, which allow us to:

  • Specify whether the managed app can receive data from all sources or no sources.
  • Specify whether organizational data can be sent to all destinations or no destinations.
  • Allow cut, copy, and paste actions to any destination or no destination.
  • Allow or block the printing of organizational data.

The available options are currently minimal but will most likely be improved upon soon.

Lastly, we can set specific health check conditions and define actions based on whether those conditions are met or not. For instance, you can configure conditions such as a disabled account, maximum offline grace period, or minimum OS versions. Depending on these conditions, you can issue a warning, block access, or wipe the organizational data.

As an example, we have configured the policy to block access when the medium device threat level is reached. We will see how this action plays out later on.
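The following is an added illustration, not code from the post or from Microsoft: a small Python model of how the health-check conditions above combine. It encodes the four condition types the post mentions (disabled account, offline grace period, minimum OS version, device threat level), assigns each an action, and returns the most severe action that fires. The particular actions chosen per condition, the "block at medium" threshold and the sample device states are this example's own assumptions; the MAM client's real evaluation order and timing are not documented here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Ordering of the device threat levels reported by the MTD connector
# (label names as they appear in the Intune portal).
THREAT_LEVELS: Dict[str, int] = {"secured": 0, "low": 1, "medium": 2, "high": 3}
# "wipe" outranks "block", which outranks "warn"; the most severe action wins.
ACTION_SEVERITY: Dict[str, int] = {"warn": 1, "block": 2, "wipe": 3}


@dataclass
class DeviceState:
    """What the MAM client can observe at check time (constructed sample data)."""
    account_enabled: bool
    last_online_check: datetime   # last successful policy/health check-in
    os_version: Tuple[int, ...]   # e.g. (10, 0, 22621) for Windows 11 22H2
    threat_level: str             # as reported by the MTD connector


@dataclass
class HealthCondition:
    name: str
    action: str                                      # "warn", "block" or "wipe"
    violated: Callable[[DeviceState, datetime], bool]


def version_tuple(text: str) -> Tuple[int, ...]:
    """Turn '10.0.22621' into (10, 0, 22621) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def build_conditions(offline_grace: timedelta, min_os: str,
                     block_at_threat: str) -> List[HealthCondition]:
    """The four condition types mentioned in the post, each with an action.
    The action per condition is this example's assumption, not a recommendation."""
    return [
        HealthCondition("account disabled", "block",
                        lambda s, now: not s.account_enabled),
        HealthCondition("offline grace period exceeded", "block",
                        lambda s, now: now - s.last_online_check > offline_grace),
        HealthCondition("OS version below minimum", "warn",
                        lambda s, now: s.os_version < version_tuple(min_os)),
        # Matches the post's setup: block once the threat level reaches "medium".
        HealthCondition("device threat level too high", "block",
                        lambda s, now: THREAT_LEVELS[s.threat_level]
                        >= THREAT_LEVELS[block_at_threat]),
    ]


def evaluate(conditions: List[HealthCondition], state: DeviceState,
             now: datetime) -> Tuple[Optional[str], List[str]]:
    """Return (most severe action or None, names of every condition that fired)."""
    fired = [c for c in conditions if c.violated(state, now)]
    if not fired:
        return None, []
    worst = max(fired, key=lambda c: ACTION_SEVERITY[c.action])
    return worst.action, [c.name for c in fired]


def run_scenarios() -> Dict[str, Tuple[Optional[str], List[str]]]:
    """Constructed scenarios, including the 'real-time protection disabled,
    then re-enabled and rechecked' sequence described later in the post."""
    now = datetime(2023, 7, 20, 12, 0, tzinfo=timezone.utc)
    conditions = build_conditions(timedelta(days=7), "10.0.22621", "medium")
    fresh = now - timedelta(hours=1)
    win11_22h2 = (10, 0, 22621)
    scenarios = {
        "healthy": DeviceState(True, fresh, win11_22h2, "secured"),
        "protection disabled": DeviceState(True, fresh, win11_22h2, "medium"),
        "protection re-enabled": DeviceState(True, fresh, win11_22h2, "secured"),
        "stale and outdated": DeviceState(True, now - timedelta(days=8),
                                          (10, 0, 19045), "secured"),
        "account disabled": DeviceState(False, fresh, win11_22h2, "low"),
    }
    return {name: evaluate(conditions, state, now)
            for name, state in scenarios.items()}


if __name__ == "__main__":
    for name, (action, reasons) in run_scenarios().items():
        print(f"{name:22s} -> {action or 'allow':5s} {reasons}")
```

The point of the model is the "most severe action wins" rule: when an outdated OS (warn) and an expired offline grace period (block) are both true, the user is blocked, not merely warned, and the reasons list shows everything that contributed, which is what you want surfaced in a support ticket.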

Enforce MAM for Windows with Conditional Access

Finally, we need to configure the following conditional access policy as the last step. This policy will enforce the app protection policy we created earlier, ensuring that users cannot access the resources without being protected by Mobile Application Management (MAM).
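As an added example (not the post's own policy, whose screenshot is not reproduced here), the Python below builds a Conditional Access policy body in the shape the Microsoft Graph `conditionalAccess/policies` API accepts, using the built-in grant control `compliantApplication` ("Require app protection policy"), scoped to Windows browser sessions. It then reviews a policy for the usual ways such a rule ends up not enforcing MAM. The group id is a placeholder, the policy is only built and reviewed, never sent, and the choice to target platform `windows` with client app type `browser` is this example's assumption based on the post's note that only Microsoft Edge is supported.

```python
import copy
import json
from typing import Dict, List, Sequence

# Grant control that means "Require app protection policy" in Microsoft Graph
# (conditionalAccessPolicy.grantControls.builtInControls).
REQUIRE_APP_PROTECTION = "compliantApplication"


def build_mam_policy(display_name: str, group_ids: Sequence[str],
                     report_only: bool = True) -> Dict:
    """Build the body you would POST to /identity/conditionalAccess/policies."""
    return {
        "displayName": display_name,
        # Start in report-only so sign-in logs show the impact before enforcing.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeGroups": list(group_ids)},
            "applications": {"includeApplications": ["All"]},
            # MAM for Windows only covers Edge, so target Windows browser sessions.
            "platforms": {"includePlatforms": ["windows"]},
            "clientAppTypes": ["browser"],
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [REQUIRE_APP_PROTECTION],
        },
    }


def review_policy(policy: Dict) -> List[str]:
    """Return findings that would let a Windows browser session reach the
    resource without MAM. An empty list means the policy enforces it."""
    findings: List[str] = []
    cond = policy.get("conditions", {})
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    platforms = cond.get("platforms", {}).get("includePlatforms", [])

    if policy.get("state") != "enabled":
        findings.append("policy is not enforced (state is %r)" % policy.get("state"))
    if "windows" not in platforms and "all" not in platforms:
        findings.append("Windows is not an included platform")
    if not {"browser", "all"} & set(cond.get("clientAppTypes", [])):
        findings.append("browser sessions are not in scope")
    if REQUIRE_APP_PROTECTION not in controls:
        findings.append("grant controls do not require an app protection policy")
    elif grant.get("operator") == "OR":
        # With "Require one of the selected controls", any other control also
        # satisfies the grant. A compliant (managed) device is an accepted
        # alternative here by design; anything else (e.g. mfa) is a bypass.
        alternatives = [c for c in controls
                        if c not in (REQUIRE_APP_PROTECTION, "compliantDevice")]
        if alternatives:
            findings.append("operator OR lets %s satisfy the grant without app "
                            "protection" % ", ".join(alternatives))
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed comparison: the intended policy next to two weakened variants."""
    good = build_mam_policy("BYOD Windows - require MAM",
                            ["<group-id-placeholder>"], report_only=False)
    mfa_alt = copy.deepcopy(good)
    mfa_alt["grantControls"]["builtInControls"].append("mfa")
    no_win = copy.deepcopy(good)
    no_win["conditions"]["platforms"]["includePlatforms"] = ["iOS", "android"]
    return {
        "intended": review_policy(good),
        "mfa alternative": review_policy(mfa_alt),
        "mobile only": review_policy(no_win),
    }


if __name__ == "__main__":
    print(json.dumps(build_mam_policy("BYOD Windows - require MAM",
                                      ["<group-id-placeholder>"]), indent=2))
    for name, findings in demo().items():
        print(f"{name}: {findings or ['OK']}")
```

The `mfa alternative` case is the one that bites in practice: adding MFA to the same policy with the operator left at OR means a user who completes MFA is granted access with no app protection at all, so the check reports it as a finding rather than a second layer of defence.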

User Experience

Let’s sign into our personal Windows device that is not joined to Azure AD or managed by Microsoft Intune and does not have an active Azure AD registration yet.

Next, we’ll proceed by signing into the Microsoft 365 portal.

Okay, let’s create a new Microsoft Edge profile and sign in with our corporate account.

After registering the device with Entra ID and enabling Mobile Application Management (MAM), we can now sign in to the Microsoft 365 portal. Let’s test if the MAM policies are being enforced.

Alright, we’ve seen how it can protect data in Microsoft 365. But since MAM’s primary purpose is to protect data on the application level, let’s see what it can do outside of the Microsoft 365 environment.

That was great stuff. Our corporate Microsoft Edge profile ensures that our actions are isolated and data is not leaked outside the profile.

Keep in mind that users can still use their personal Microsoft Edge profiles without any restrictions.

Alright, to wrap things up, let’s do something we shouldn’t try at home.

Once we re-enable the real-time protection and click the recheck button, we immediately regain access to the corporate app data.

Conclusion

Currently, the features of MAM for Windows are very similar to what we can already do with session policies in Microsoft Defender for Cloud Apps. However, I am looking forward to the future of MAM for Windows. It has so much potential because we can not only prevent data leakage but, more importantly, provide secure access for BYOD devices without actually managing them. 

I am looking forward to the introduction of new features, particularly the support for other apps besides Microsoft Edge, such as the MS Office suite. Additionally, it would be great to have the ability to enable copy/pasting between corporate apps and prevent screenshots.

If any significant features or changes are introduced to Mobile Application Management, I’ll update this post.

This post is part of the unmanaged devices blog series; find more posts here.
View previous part: Block access for unmanaged devices with Conditional Access
View next part: Mobile Application Management (MAM) for personal Android and iOS devices

About the author

Myron Helgering

7 Comments

  1. Chad

    September 24, 2024

    Are there any posted dates when Microsoft will support the full M365 suite instead of just Edge?

  2. Chad

    September 24, 2024

    What is the roadmap date for MSFT to support the full M365 suite via app protection in windows?

    • Myron Helgering

      October 2, 2024

      Sadly, no roadmap date has been communicated publicly yet. Sorry!

  3. Aditya

    November 29, 2024

    Hi Myron, when we open any OneDrive document like Excel and Word and click on edit in desktop app, it will open the app and then we are able to copy the data from the offline app. Is there any way to stop this?

    • Myron Helgering

      November 29, 2024

      Sadly, Office apps are not supported yet, so this is not possible.
      If possible, I would advise you to block desktop app access for unmanaged devices until MAM for (desktop) office apps is supported.

  4. Bilal Khan

    May 15, 2025

    Hello Myron,

    What if the contractor device is already managed by Intune? I am getting an option to switch to the Edge profile; however, when I try to sign in, it signs in with my company account and I cannot access the contractor account.

    • Hi Bilal, I'm sorry this is not possible (yet). At the moment this solution only works with unmanaged devices.
