# Enhancing Security With Intune MAM (preview) for Windows 365

## BEFORE YOU BEGIN

{% hint style="warning" %}
**Disclaimer:** All information and content in this blog post is provided without any warranty whatsoever. The entire risk of using this information or executing the provided content remains with you. Under no circumstances should the mentioned persons or vendors, the author, or anyone else involved in creating these blog posts be held liable for any damage or data loss.
{% endhint %}

Hey, folks! - It’s been a while since I last wrote a blog post. A lot has happened in my personal life over the past six months that is beyond my control, which has forced me to prioritize my family above everything else.

But now I'm back with a backpack full of topics for upcoming blog posts - so stay tuned!

In this blog post, we'll look at **Microsoft Intune Mobile Application Management (MAM)** for **Windows 365** and **Azure Virtual Desktop (AVD)**, which is now in public preview.

## What is Intune MAM?

Intune MAM allows us to manage and protect our organization's data within an application. Many productivity apps, such as the **Microsoft 365 Apps**, can be managed by Intune MAM.

{% hint style="info" %}
See the official list of [**Microsoft Intune protected apps**](https://learn.microsoft.com/mem/intune/apps/apps-supported-intune-apps) available for public use.
{% endhint %}

Intune MAM supports two configurations:

* **Intune Mobile Device Management (MDM) + MAM:** IT admins can manage apps using MAM on devices enrolled with Intune MDM.
* **Unenrolled devices with MAM managed applications:** IT admins can manage apps using MAM on unenrolled devices, which typically are employees’ preferred personal devices.

<figure><img src="/files/8UILZTnsmmzLU7hraxsP" alt="" width="470"><figcaption></figcaption></figure>

Intune MAM for unenrolled devices is commonly used to protect against data loss on personal devices or in **bring-your-own-device (BYOD)** scenarios. To protect against data loss, Intune MAM for unenrolled devices uses app configuration policies combined with app protection policies and conditional access.

**For unenrolled devices, Intune MAM allows IT admins to:**

* Disable specific redirections on personal devices.
* Require PIN access to app.
* Block third-party keyboards.
* Specify a minimum device operating system version.
* Specify a minimum app version.
* Block jailbroken/rooted devices.
* Require a mobile threat defense (MTD) solution on devices, with no threats detected.

So, buckle up and join me as I explore Intune MAM for **Windows 365** and **Azure Virtual Desktop**. In this post, I will configure the **Windows App (iOS/iPadOS)** and the **Remote Desktop (iOS/iPadOS)** app on unenrolled iOS devices to block drive redirection and restrict cut, copy, and paste between other apps.

**In this post, I'll cover the following topics.**

* [**Prerequisites and Requirements**](#prereq)
* [**Managed App Filter**](#managedappfilter)
* [**App Configuration Policy for Managed Apps**](#appconfigpolicy)
* [**App Protection Policy**](#appprotectpolicy)
* [**App-based Conditional Access Policy**](#capolicy)
* [**Test and Verification**](#testverification)
* [**Summary**](#summary)

## Prerequisites and Requirements <a href="#prereq" id="prereq"></a>

* A valid and working Microsoft Entra and Intune tenant.
* **Azure Virtual Desktop** host pool with session hosts or **Windows 365** Cloud PCs.
* At least one security group containing users to which the policies apply.
* Client devices running one of the following versions of the **Windows App** or the **Remote Desktop** app:
  * **Windows App:**
    * iOS and iPadOS: 10.5.2 or later.
  * **Remote Desktop:**
    * iOS and iPadOS: 10.5.8 or later.
    * Android: 10.0.0.19.1279 or later.
* Before you create an app-based Conditional Access policy, you must have:
  * An **Enterprise Mobility + Security (EMS)** or **Microsoft Entra ID P1 or P2** subscription.
  * Users licensed for EMS or Microsoft Entra ID.
* Conditional Access Administrator and Microsoft Intune Administrator rights.

## Managed App Filter <a href="#managedappfilter" id="managedappfilter"></a>

First, we must create a managed app filter in Intune, which narrows the assignment scope of the app configuration and app protection policies to unenrolled devices.

{% hint style="warning" %}
**Important:** Managed app filters apply to app configuration and app protection policies. They don't apply to other policies, like compliance or device configuration profiles.
{% endhint %}

Go to [**https://intune.microsoft.com**](https://intune.microsoft.com)\
In the left pane, select **Tenant administration** | **Filters** to create a managed app filter for unenrolled devices.

<div data-full-width="false"><figure><img src="/files/GHeQ1ZsBryCeBTMFIORt" alt="Managed app filter"><figcaption></figcaption></figure></div>

On the **Basics** tab, fill in the required **Filter name** field and select the **Platform** to which this filter applies.

Your platform options:

* Android
* iOS/iPadOS
* Windows

Click **Next.**

{% hint style="info" %}
**Tip:** Although the **Description** field is optional, I recommend filling it out. Leaving some breadcrumbs is always a great idea, so others know precisely why someone created the filter(s).
{% endhint %}

<figure><img src="/files/mM1kyqJBwPtLeUALViZG" alt="Managed app filter"><figcaption></figcaption></figure>

There are two ways to create a filter rule: Either by using the **Rule builder** or the **Rule syntax.**

* **Rule builder:** Select the following options for the rule expression.
  * Property: <mark style="background-color:blue;">deviceManagementType (Device Management Type)</mark>
  * Operator: <mark style="background-color:blue;">Equals</mark>
  * Value: <mark style="background-color:blue;">Unmanaged</mark>
* **Rule syntax:** Select **Edit** and paste in this rule expression: <mark style="background-color:blue;">(app.deviceManagementType -eq "Unmanaged")</mark>

Click **Next.**

<figure><img src="/files/7uXwbZ53ZTDFWohMy0hZ" alt="Managed app filter"><figcaption></figcaption></figure>

Review that everything is correct and click **Create.**

<figure><img src="/files/wHQKBEuLH2g70m7iL0xd" alt="Managed app filter"><figcaption></figcaption></figure>

## App Configuration Policy for Managed Apps <a href="#appconfigpolicy" id="appconfigpolicy"></a>

Next, we must create an app configuration policy for managed apps targeting the **Windows App** and the **Remote Desktop** app, which enables us to deliver configuration settings to those apps on unenrolled devices.

Go to [**https://intune.microsoft.com**](https://intune.microsoft.com)\
In the left pane, select **Apps** | **App configuration policies** (under **Policy**), choose **Add**, and select **Managed apps.**

<figure><img src="/files/IIQsIJpoRwiRCtSaa19X" alt="Enhancing security with Intune MAM"><figcaption></figcaption></figure>

On the **Basics** tab, fill in the required **Name** field and target the policy to **Selected apps.**\
Next, do the following to target both apps.

* For the **Windows App**, choose **Select custom apps**, then for **Bundle or Package ID**, enter <mark style="background-color:blue;">com.microsoft.rdc.apple</mark>, and for **Platform**, select **iOS/iPadOS.**
* For the **Remote Desktop** app, choose **Select public apps**, then search for and select **Remote Desktop** for **iOS/iPadOS.**

Click **Next.**

<figure><img src="/files/Fd5WOXZuBEQRXOJ2iWgg" alt="Enhancing security with Intune MAM"><figcaption></figcaption></figure>

On the **Settings catalog** tab, click **Next.**

<figure><img src="/files/7UDInZXM0mF7PiSWxGjz" alt="Enhancing security with Intune MAM"><figcaption></figcaption></figure>

On the **Settings** tab, expand **General configuration settings** and enter the name and value below.

* Name: <mark style="background-color:blue;">drivestoredirect</mark>
* Value: <mark style="background-color:blue;">0</mark>

{% hint style="info" %}
**Note:** The above configuration setting corresponds to the RDP properties listed on [**Supported RDP properties**](https://learn.microsoft.com/en-us/azure/virtual-desktop/rdp-properties#device-redirection), but the syntax is slightly different.
{% endhint %}

Click **Next.**

<figure><img src="/files/4X3bssMazYPGWejjcaSa" alt="Enhancing security with Intune MAM"><figcaption></figcaption></figure>

On the **Assignments** tab, assign the policy to a security group containing the users to which it applies. Next, select the filter we created earlier to narrow the policy's assignment scope to unenrolled devices.

Click **Next.**

<figure><img src="/files/MaH6KNJ0MXPVo0MDt3Zm" alt="Enhancing security with Intune MAM"><figcaption></figcaption></figure>

Review that everything is correct and click **Create.**

<figure><img src="/files/u2HEDU7cQZsZ33wy0akY" alt="Enhancing security with Intune MAM"><figcaption></figcaption></figure>

### **Beware of the check-in interval**

{% hint style="warning" %}
**Important:** Intune managed apps will check in with an interval of 30 minutes for app configuration policy status, when deployed in conjunction with an app protection policy. If an app protection policy isn't assigned to the user, then the app configuration policy check-in interval is set to 720 minutes.\
\
Source: [**App configuration policies for Microsoft Intune**](https://learn.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-overview#managed-apps)
{% endhint %}

If blocking local drive redirection satisfies your needs, you could stop here and wait 12 hours (720 minutes) for the policy to apply on unenrolled devices. However, I wanted to take it one step further by configuring an app protection policy and two Conditional Access policies. These policies give us greater control over our security, allowing us to require a minimum app and OS version, restrict cut, copy, and paste between other apps, limit access to the remote session, etc. - and, because an app protection policy is then assigned to the user, the app configuration check-in interval drops to 30 minutes.

## App Protection Policy <a href="#appprotectpolicy" id="appprotectpolicy"></a>

First, we must create an app protection policy for the **Windows App** and the **Remote Desktop** app, which will enable us to control how data is accessed and shared by apps on unenrolled devices.

Go to [**https://intune.microsoft.com**](https://intune.microsoft.com)\
In the left pane, select **Apps** | **App protection policies** (under **Policy**), choose **Create policy**, and select the **Platform** to which this policy applies.

<figure><img src="/files/URhbclLpNbXOdilqlEyp" alt="Enhancing security with Intune MAM"><figcaption></figcaption></figure>

On the **Basics** tab, fill in the required **Name** field.

Click **Next.**

<figure><img src="/files/fzvEg46B5ZgqbkkAS2P4" alt="Enhancing security with Intune MAM"><figcaption></figcaption></figure>

On the **Apps** tab, target the policy to **Selected apps** and do the following to target both apps.

* For the **Windows App**, choose **Select custom apps**, then for **Bundle ID**, enter <mark style="background-color:blue;">com.microsoft.rdc.apple</mark> and click **Select.**
* For the **Remote Desktop** app, choose **Select public apps**, then search for and select **Remote Desktop.**

Click **Next.**

<figure><img src="/files/MBrr0vjIUvTFZa4PXQ6z" alt="Enhancing security with Intune MAM"><figcaption></figcaption></figure>

On the **Data protection** tab, only the following settings are relevant to the **Windows App** and the **Remote Desktop** app. The other settings don't apply as the **Windows App** and the **Remote Desktop** app interact with the Cloud PC or session host and not with data in the app.

* For **iOS/iPadOS**, you can configure the following settings:
  * Restrict cut, copy, and paste between other apps
  * Third-party keyboards
* For **Android**, you can configure the following settings:
  * Restrict cut, copy, and paste between other apps
  * Screen capture and Google Assistant
  * Approved keyboards

{% hint style="info" %}
**Tip:** If you disable clipboard redirection in an app configuration policy, you should set **Restrict cut, copy, and paste between other apps** in the app protection policy to **Blocked**.
{% endhint %}

{% hint style="info" %}
**Tip:** To allow users to copy phone numbers and/or credit card numbers, you should set the **Cut and copy character limit for any app** in the app protection policy to **19**.
{% endhint %}

Click **Next.**

<figure><img src="/files/s1iHNwFIsMdJgN4z88fI" alt="Enhancing security with Intune MAM"><figcaption></figcaption></figure>

On the **Access requirements** tab, configure the PIN and credential requirements to fit your organization's needs and click **Next.**

<figure><img src="/files/ukKGYKKUvgymNdsEfdEn" alt="Enhancing security with Intune MAM"><figcaption></figcaption></figure>

On the **Conditional launch** tab, I recommend the following conditions:

### **App conditions:**

| Setting              | Value                  | Action       |
| -------------------- | ---------------------- | ------------ |
| Max PIN attempts     | 5 (default)            | Reset PIN    |
| Offline grace period | 1440 minutes (default) | Block access |
| Offline grace period | 90 days (default)      | Wipe data    |
| Min app version      | 10.5 (1)               | Block access |

*(1) This will allow Windows App v10.5.2 and Remote Desktop v10.5.9.*

{% hint style="info" %}
**Note:** If you add MTD conditions under **Conditional launch**, you must set up an MTD connector in MS Intune. For **Microsoft Defender for Endpoint**, see [**Configure Microsoft Defender for Endpoint in Intune**](https://learn.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection-configure)
{% endhint %}

### **Device conditions:**

| Setting                         | Value                               | Action       |
| ------------------------------- | ----------------------------------- | ------------ |
| Jailbroken/rooted devices       | N/A                                 | Block access |
| Min OS version                  | 17.5 (1)                            | Block access |
| Max allowed device threat level | Secured (2)                         | Block access |
| Primary MTD service             | Microsoft Defender for Endpoint (3) | N/A          |

*(1) This will allow iOS v17.5.1.*\
*(2) This level is the most secure. - For more information, see* [***Create Mobile Threat Defense app protection policy with Intune***](https://learn.microsoft.com/en-us/mem/intune/protect/mtd-app-protection-policy)\
*(3) I'm using MDE as my Mobile Threat Defense partner. - However, this configuration should be based on your requirements.*

<figure><img src="/files/AJxb52Vx0uwBgXekKVCA" alt="Enhancing security with Intune MAM"><figcaption></figcaption></figure>

On the **Assignments** tab, assign the policy to a security group containing the users to which it applies. Next, select the filter we created earlier to narrow the policy's assignment scope to unenrolled devices.

Click **Next.**

<figure><img src="/files/50bb9wVuEiCSPsMP81oD" alt="Enhancing security with Intune MAM"><figcaption></figcaption></figure>

Review that everything is correct and click **Create.**

<figure><img src="/files/u5ZdHoP9aFnko0TvlXCS" alt="Enhancing security with Intune MAM"><figcaption></figcaption></figure>

## App-based Conditional Access Policy <a href="#capolicy" id="capolicy"></a>

Lastly, I will create two **Conditional Access** policies: the first grants access to a remote session only when an app protection policy is applied to the **Windows App** or the **Remote Desktop** app, and the second blocks access to **Windows 365** and **Azure Virtual Desktop** from a web browser.

Go to [**https://intune.microsoft.com**](https://intune.microsoft.com) or [**https://entra.microsoft.com**](https://entra.microsoft.com)

* For **Microsoft Intune admin center**: In the left pane, select **Endpoint security** and **Conditional access** (under **Manage**).

<figure><img src="/files/rodR74Cx4D9DQnIFU1qR" alt="Enhancing security with Conditional Access"><figcaption></figcaption></figure>

* For **Microsoft Entra admin center**: In the left pane, expand **Protection** and select **Conditional Access.**

<figure><img src="/files/NMlnjeoVPaKFlZV98oYY" alt="Enhancing security with Conditional Access"><figcaption></figcaption></figure>

Choose **Create new policy.**

<figure><img src="/files/NTulDrVFohIdzr5kvirZ" alt="Enhancing security with Conditional Access"><figcaption></figcaption></figure>

### **Conditional Access policy: Require app protection policy for Windows 365 and AVD**

For the first policy, we will grant access to **Windows 365** and **Azure Virtual Desktop** only when an app protection policy is applied with the **Windows App** and the **Remote Desktop** app.

{% hint style="warning" %}
**Important:** When you target **Cloud apps** under **Target resources** in **Conditional Access** policies, you will only find **Azure Virtual Desktop** in the list if you registered the **Microsoft.DesktopVirtualization** resource provider on a subscription in your **Microsoft Entra** tenant.
{% endhint %}

Fill in the required **Name** field.\
Under **Assignments**, include a security group containing the users to which the policy applies.

<figure><img src="/files/ZJnVHrCxiiTul0Qn764s" alt="Enhancing security with Conditional Access"><figcaption></figcaption></figure>

For **Target resources**, choose **Cloud apps**, then for **Include**, select **Select apps**. Search for and select **Azure Virtual Desktop** and **Windows 365**.

<figure><img src="/files/P34a9Nfh7cebD23gIQd7" alt="Enhancing security with Conditional Access"><figcaption></figcaption></figure>

For **Conditions**:

* Choose **Device platforms**, then select **iOS** and/or **Android**.

<figure><img src="/files/akgLcqvGYquriEweCKEN" alt="Enhancing security with Conditional Access"><figcaption></figcaption></figure>

* Choose **Client apps**, then select **Mobile apps and desktop clients.**

<figure><img src="/files/9Sl3DqeFWKyb5oj1Be0J" alt="Enhancing security with Conditional Access"><figcaption></figcaption></figure>

Under **Access controls**, select **Grant access**, then check the box for **Require app protection policy** and select the radio button for **Require all the selected controls**. - For **Enable policy**, set it to **On** and click **Create.**

<figure><img src="/files/yFG4VrYmOzP3TWypBLpL" alt="Enhancing security with Conditional Access"><figcaption></figcaption></figure>

### **Conditional Access policy: Block access to Windows 365 and AVD via web browsers**

For the second policy, we will block access to **Windows 365** and **Azure Virtual Desktop** via web browsers.

Fill in the required **Name** field.\
Under **Assignments**, include a security group containing the users to which the policy applies.

<figure><img src="/files/UndsLY30wIoSiCAvIiVB" alt="Enhancing security with Conditional Access"><figcaption></figcaption></figure>

For **Target resources**, choose **Cloud apps**, then for **Include**, select **Select apps**. Search for and select **Azure Virtual Desktop** and **Windows 365**.

<figure><img src="/files/F9uC36HpKxSq9ozEx0iu" alt="Enhancing security with Conditional Access"><figcaption></figcaption></figure>

For **Conditions**:

* Choose **Device platforms**, then select **iOS** and/or **Android**.

<figure><img src="/files/wl3yCgnMnpVcflL6jEOC" alt="Enhancing security with Conditional Access"><figcaption></figcaption></figure>

* Choose **Client apps**, then select **Browser.**

<figure><img src="/files/OgIxko3Te6iWm91jhgOL" alt="Enhancing security with Conditional Access"><figcaption></figcaption></figure>

Under **Access controls**, select **Block access**, then select the radio button for **Require all the selected controls**.\
For **Enable policy**, set it to **On** and click **Create.**

<figure><img src="/files/iraqZzUiLhcVt8h49kJt" alt="Enhancing security with Conditional Access"><figcaption></figcaption></figure>
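As an added example (my own code, not from the original post or from Microsoft), here is a small Python audit that checks exported copies of the four objects configured above: the managed app filter, the app configuration policy, the app protection policy, and the two Conditional Access policies. It assumes the Microsoft Graph property names for those objects (targetedManagedAppConfiguration, iosManagedAppProtection, conditionalAccessPolicy), uses placeholder app IDs for Windows 365 and Azure Virtual Desktop, and runs against constructed sample objects embedded at the bottom.

```python
import re

# Placeholder IDs (assumption): substitute your tenant's Windows 365 and Azure Virtual Desktop enterprise application IDs.
W365_APP_ID, AVD_APP_ID = "<windows-365-app-id>", "<azure-virtual-desktop-app-id>"
WINDOWS_APP_BUNDLE = "com.microsoft.rdc.apple"  # Windows App bundle ID from the post
UNMANAGED_RULE = '(app.deviceManagementType -eq "Unmanaged")'

def _ver(text):  # "10.5.2" -> (10, 5, 2): compare numerically, not as strings
    return tuple(int(p) for p in text.split("."))

def audit(app_filter, app_config, app, ca_policies):
    """Return findings; an empty list means the objects match the post's setup."""
    findings = []
    # Managed app filter: must scope the policies to unmanaged (unenrolled) devices.
    if re.sub(r"\s+", " ", app_filter.get("rule", "")).strip() != UNMANAGED_RULE:
        findings.append("filter: rule does not target unmanaged apps")
    # App configuration policy: Windows App targeted, local drive redirection off.
    bundles = {a["mobileAppIdentifier"].get("bundleId") for a in app_config.get("apps", [])}
    if WINDOWS_APP_BUNDLE not in bundles:
        findings.append("app config: Windows App bundle ID not targeted")
    custom = {s["name"]: s["value"] for s in app_config.get("customSettings", [])}
    if custom.get("drivestoredirect") != "0":
        findings.append("app config: drivestoredirect is not 0")
    # App protection policy: clipboard, 19-character limit, minimum versions, MTD level.
    if app.get("allowedOutboundClipboardSharingLevel") != "blocked":
        findings.append("app protection: cut/copy/paste to other apps not blocked")
    if app.get("allowedOutboundClipboardSharingExceptionLength", 0) > 19:
        findings.append("app protection: cut/copy character limit above 19")
    if _ver(app.get("minimumRequiredAppVersion", "0")) < _ver("10.5"):
        findings.append("app protection: minimum app version below 10.5")
    if _ver(app.get("minimumRequiredOsVersion", "0")) < _ver("17.5"):
        findings.append("app protection: minimum OS version below 17.5")
    if app.get("maximumAllowedDeviceThreatLevel") != "secured":
        findings.append("app protection: max device threat level is not 'secured'")
    # Conditional Access: "compatibleApplication" is Graph's name for the grant
    # control "Require app protection policy"; "block" is Block access.
    require_app = block_browser = False
    for p in ca_policies:
        apps = set(p["conditions"]["applications"].get("includeApplications", []))
        in_scope = p.get("state") == "enabled" and {W365_APP_ID, AVD_APP_ID} <= apps
        types = set(p["conditions"].get("clientAppTypes", []))
        controls = set(p.get("grantControls", {}).get("builtInControls", []))
        if in_scope and "mobileAppsAndDesktopClients" in types and "compatibleApplication" in controls:
            require_app = True
        if in_scope and "browser" in types and "block" in controls:
            block_browser = True
    if not require_app:
        findings.append("CA: no enabled policy requires an app protection policy")
    if not block_browser:
        findings.append("CA: no enabled policy blocks browser access")
    return findings

# Constructed samples mirroring the Graph shapes (targetedManagedAppConfiguration,
# iosManagedAppProtection, conditionalAccessPolicy) as the post configures them.
SAMPLE_FILTER = {"rule": UNMANAGED_RULE}
SAMPLE_APP_CONFIG = {
    "apps": [{"mobileAppIdentifier": {"@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                                      "bundleId": WINDOWS_APP_BUNDLE}}],
    "customSettings": [{"name": "drivestoredirect", "value": "0"}]}
SAMPLE_APP_PROTECTION = {
    "allowedOutboundClipboardSharingLevel": "blocked",
    "allowedOutboundClipboardSharingExceptionLength": 19,
    "minimumRequiredAppVersion": "10.5", "minimumRequiredOsVersion": "17.5",
    "maximumAllowedDeviceThreatLevel": "secured", "maximumPinRetries": 5}
_SCOPE = {"includeApplications": [W365_APP_ID, AVD_APP_ID]}
SAMPLE_CA = [
    {"state": "enabled", "conditions": {"applications": _SCOPE,
     "clientAppTypes": ["mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "AND", "builtInControls": ["compatibleApplication"]}},
    {"state": "enabled", "conditions": {"applications": _SCOPE, "clientAppTypes": ["browser"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}}]

def audit_sample():
    return audit(SAMPLE_FILTER, SAMPLE_APP_CONFIG, SAMPLE_APP_PROTECTION, SAMPLE_CA)
```

Run it against the JSON that Microsoft Graph returns for each object to confirm nothing has drifted from what was set up in the portal.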

## Test and Verification <a href="#testverification" id="testverification"></a>

Now it's time to treat yourself to a well-deserved cup of perfectly brewed coffee or tea, sit back, and admire the fantastic work you've accomplished in strengthening your environment's security.

Let’s open the **Windows App** on my iPhone and verify that everything works as intended. The initial indication that the policies have been applied to my unenrolled iPhone is a message indicating that your organization is now protecting its data in this app.

Once the app has been restarted, you should see your **Windows 365 Cloud PCs** and/or **Azure Virtual Desktop** session host.

<table data-card-size="large" data-view="cards"><thead><tr><th align="center"></th></tr></thead><tbody><tr><td align="center"><img src="/files/M7sluQ1ktc40UsepBAc7" alt="" data-size="original"></td></tr><tr><td align="center"><img src="/files/6SOFjZCyb0lH1b727Wqk" alt="" data-size="original"></td></tr></tbody></table>

When I connect to my **Windows 365 Cloud PC**, I'm being asked to configure **Microsoft Defender for Endpoint.**\
Click **Download from App Store**, then download and open the app.

<table data-card-size="large" data-view="cards"><thead><tr><th align="center"></th></tr></thead><tbody><tr><td align="center"><img src="/files/A7OffrtKRf4LWJydLEJe" alt="" data-size="original"></td></tr><tr><td align="center"><img src="/files/R9DDqxvWZCAZOAkO9SGm" alt="" data-size="original"></td></tr></tbody></table>

Check the box for **Terms of Use** and click **Accept.** Next, allow **Microsoft Defender** to set up a VPN connection.

<table data-card-size="large" data-view="cards"><thead><tr><th align="center"></th></tr></thead><tbody><tr><td align="center"><img src="/files/IRQHCxK4koyynqCBined" alt="" data-size="original"></td></tr><tr><td align="center"><img src="/files/5aK0lmJlmlYbWqo5ZsOf" alt="" data-size="original"></td></tr></tbody></table>

**Microsoft Defender** is now set up, and your device is protected. Now, return to the **Windows App**.\
You will now be asked to enter your **PIN** to access your **Cloud PC.**

<table data-card-size="large" data-view="cards"><thead><tr><th align="center"></th></tr></thead><tbody><tr><td align="center"><img src="/files/2691sK2Dxa60HAEbfSU5" alt="" data-size="original"></td></tr><tr><td align="center"><img src="/files/iiW4IDo4EwqpB4Lang2Q" alt="" data-size="original"></td></tr></tbody></table>

**WOOHOO!** - I'm connected to my **Windows 365 Cloud PC.**

<figure><img src="/files/PwCE41V3e73wpXPXllzn" alt="Unenrolled iPhone"><figcaption></figcaption></figure>

If I open **File Explorer**, we can see that no local drives are being redirected.

<figure><img src="/files/Fuiydcf733LUMkV3LlCz" alt="Unenrolled iPhone"><figcaption></figcaption></figure>

Let's copy a number in the format of a credit card number and see if we can paste it into a note on my iPhone.

<figure><img src="/files/iOjJEDGibWXF6XTDAveX" alt="Unenrolled iPhone"><figcaption></figcaption></figure>

We can confirm that it’s allowed. However, we can also verify that if we attempt to paste a longer number, it gets replaced by a message indicating that only 19 characters are allowed.

<table data-card-size="large" data-view="cards"><thead><tr><th align="center"></th></tr></thead><tbody><tr><td align="center"><img src="/files/4b8ylfTBNEfiJziknfxL" alt="" data-size="original"></td></tr><tr><td align="center"><img src="/files/YbVofUQLcAl9B0SporPb" alt="" data-size="original"></td></tr></tbody></table>

Finally, we can verify that **Conditional Access** blocks access to **Windows 365 Cloud PCs** and **Azure Virtual Desktop** through web browsers.

<figure><img src="/files/myeybtHhtNeBoTQ9qcNK" alt="" width="375"><figcaption></figcaption></figure>

Let’s finish with a short video of the end-user experience.

{% embed url="https://youtu.be/Ce0D9b1dtcM" %}

## Summary <a href="#summary" id="summary"></a>

In this blog post, you learned about **Intune MAM** (preview) for **Windows 365** and **Azure Virtual Desktop** and how it can help protect against data loss on unenrolled iOS/iPadOS and/or Android devices by blocking local drive redirection via an app configuration policy.

I explained how we achieve greater control over our security by configuring an app protection policy and two Conditional Access policies, allowing us to require a minimum app and OS version, restrict cut, copy, and paste between apps, limit access to the remote session, and more.

That's it, folks. Happy testing, and have fun exploring 🤓\
If you have any questions regarding this topic, please feel free to reach out to me.

