Monday, November 13, 2017

Microsoft 365 Application Management for Windows 10 mappings

I wrote a previous article that showed the mapping from the Microsoft 365 Business Windows 10 Device Configuration settings to those in the Intune console in Azure. You can read that article here:

Microsoft 365 Windows 10 Device Management settings

What I am now going to cover is the Application Management for Windows 10 policy. This policy governs the applications and the work data that reside on Windows 10 devices.

image

Start by navigating to the Admin center in your Microsoft 365 Business tenant.

image

Locate the Device policies tile and select it.

image

You may see a number of policies here but one should be named Application Management for Windows 10 as shown above. Select this.

image
image

If the policy doesn’t exist you can create a new one. When you do, you will see the settings shown above.

If you expand the display for each option you should see a list of all the options and their status as shown above.

The question now is, how do these map to settings in Intune?

To view the settings in Intune you’ll need to log in to the Azure portal for that tenant and then navigate to the Intune option.

image

The easiest way to find the Intune settings is to do a search in the top right and then select Intune from the results.

image

You should see the Intune console displayed as shown above.

image

From the menu, under the Manage section, select Mobile apps.

image

From here select the App protection policies option under the Manage section. This should display a policy on the right that matches the one you have in the Microsoft 365 Business console (here Application Management for Windows 10). Select the policy name to continue.

image

You will notice that when you create a new Application Management for Windows 10 policy you have the option to set Encrypt work files to On or Off.

image

However, once you have set it to On and saved the policy you can no longer set it back to Off, as shown above. Decide on this setting when you first create the policy, because it cannot be reversed from the Microsoft 365 Business console afterwards.

image

This setting maps to the Windows Information Protection mode in the Required settings of the Application Management policy in Intune as shown above.

image

When Encrypt work files is set to On, the option in Intune is set to Block. In this mode Windows Information Protection encrypts work data and blocks applications that are not on the policy’s protected apps list from using it, so a user cannot, for example, save a work file to a consumer storage service such as Google Drive.

clip_image001[9]

When Encrypt work files is set to Off, the option in Intune is also set to Off as shown above. Work files are then not encrypted and can be shared with any application.

image

If the option to Prevent users from copying company data to personal files and force them to save work files to OneDrive for Business is set to on, then I can’t see how this is enforced by the policy, as there doesn’t appear to be any setting for this like there is with the iOS and Android policies. I’ll need to investigate this one further.

clip_image001[11]

The next setting is Manage how users access Office files on mobile devices.

image

image

If Require a PIN or fingerprint to access Office apps is set to On, the setting Use Windows Hello for Business as a method of signing into Windows, in the Access section of the Advanced settings of the policy, is also set to on as shown above.

image

image

The Microsoft 365 Business settings Reset PIN when login fails this many times and Require users to sign in again after Office apps have been idle for are located at the bottom of this same section of the policy as shown above.

image

The next option, Recover data on Windows devices, appears to map to the Data protection area of the Intune policy.

image

I haven’t quite worked this setting out yet. I’m unsure whether you need to upload your certificate BEFORE you apply the policy to machines or you can do it at any time AFTER the policy has been applied. One would think that you need to do it BEFORE and retain the certificate to decrypt files later. However, I need to dig deeper here and do a follow up article.

clip_image001[13]

image

The Protect additional network and cloud locations option in Microsoft 365 Business maps to the following areas of the Intune policy.

image

The final option, Files used by these apps are protected

image

maps to

image

image

the Protected apps area of the policy as shown above.
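Because the Intune side of these policies is not meant to be edited directly, a useful check is to read the policy back from Intune and confirm it still looks like something the Microsoft 365 Business console could have produced. The script below is an added example, not code from the original article or from Microsoft. It translates a Windows Information Protection policy, using the property names of the Microsoft Graph windowsInformationProtectionPolicy resource (the "without enrollment" app protection policy, which is assumed here because the Access and PIN settings shown above exist only on that type), into the Microsoft 365 Business settings covered on this page: Encrypt work files, Require a PIN or fingerprint, the PIN reset and idle timeout values, Recover data on Windows devices, Protect additional network and cloud locations, and Files used by these apps are protected. The policy JSON is constructed by hand to resemble a Graph response; the mapping of the network locations to the three Graph collections is an assumption; and the Prevent users from copying company data switch is left unmapped because the article does not establish what backs it.

```python
"""Check an Intune WIP policy against what the Microsoft 365 Business console can express.

Added example (not from the original article). Property names follow the Microsoft
Graph windowsInformationProtectionPolicy resource; the sample policy is constructed.
"""
import json

# Constructed sample resembling GET /deviceAppManagement/windowsInformationProtectionPolicies/{id}
# for the "Application Management for Windows 10" policy (assumption: shape only, not real data).
SAMPLE_POLICY_JSON = """
{
  "displayName": "Application Management for Windows 10",
  "enforcementLevel": "encryptAuditAndBlock",
  "enterpriseDomain": "contoso.com",
  "windowsHelloForBusinessBlocked": false,
  "passwordMaximumAttemptCount": 5,
  "minutesOfInactivityBeforeDeviceLock": 30,
  "dataRecoveryCertificate": null,
  "enterpriseNetworkDomainNames": [
    {"displayName": "Cloud resources",
     "resources": ["contoso.sharepoint.com", "contoso-my.sharepoint.com"]}
  ],
  "enterpriseProxiedDomains": [],
  "enterpriseIPRanges": [],
  "protectedApps": [
    {"@odata.type": "#microsoft.graph.windowsInformationProtectionStoreApp",
     "displayName": "Microsoft OneDrive", "productName": "Microsoft.MicrosoftOneDrive",
     "publisherName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
     "denied": false},
    {"@odata.type": "#microsoft.graph.windowsInformationProtectionDesktopApp",
     "displayName": "Microsoft Word", "productName": "*", "binaryName": "winword.exe",
     "publisherName": "O=Microsoft Corporation, L=Redmond, S=Washington, C=US", "denied": false},
    {"@odata.type": "#microsoft.graph.windowsInformationProtectionDesktopApp",
     "displayName": "Notepad", "productName": "*", "binaryName": "notepad.exe",
     "publisherName": "O=Microsoft Corporation, L=Redmond, S=Washington, C=US", "denied": true}
  ]
}
"""

# WIP modes the M365 Business console can produce: Encrypt work files On -> Block, Off -> Off.
# The audit-only and prompt modes have no switch in that console, so seeing one means the
# policy was changed somewhere else.
ENCRYPT_WORK_FILES = {"encryptAuditAndBlock": "on", "noProtection": "off"}


def load_policy(text):
    """Parse a policy JSON document into a dict."""
    return json.loads(text)


def m365_business_view(policy):
    """Return the M365 Business view of an Intune WIP policy plus a list of drift findings,
    i.e. values the M365 Business console could not have set."""
    drift = []
    level = policy.get("enforcementLevel")
    encrypt = ENCRYPT_WORK_FILES.get(level)
    if encrypt is None:
        drift.append(f"enforcementLevel={level!r} is not representable as Encrypt work files on/off")

    # "Files used by these apps are protected" lists allowed apps only; a denied entry
    # has no equivalent in the M365 Business console.
    protected, denied = [], []
    for app in policy.get("protectedApps", []):
        (denied if app.get("denied") else protected).append(app["displayName"])
    if denied:
        drift.append(f"denied app entries not settable from M365 Business: {denied}")

    # "Recover data on Windows devices" is the data recovery certificate. Encrypting work
    # files with no recovery certificate means lost user keys make the files unrecoverable.
    cert = policy.get("dataRecoveryCertificate")
    if encrypt == "on" and not cert:
        drift.append("Encrypt work files is on but no data recovery certificate is uploaded")

    # Assumption: "Protect additional network and cloud locations" covers these three collections.
    locations = []
    for coll in policy.get("enterpriseNetworkDomainNames", []):
        locations.extend(coll.get("resources", []))
    for coll in policy.get("enterpriseProxiedDomains", []):
        locations.extend(d["ipAddressOrFQDN"] for d in coll.get("proxiedDomains", []))
    for coll in policy.get("enterpriseIPRanges", []):
        locations.extend(f'{r["lowerAddress"]}-{r["upperAddress"]}' for r in coll.get("ranges", []))

    return {
        "encrypt_work_files": encrypt,
        # The article shows only the On case (Windows Hello allowed); Off is inferred as Blocked.
        "require_pin_or_fingerprint": not policy.get("windowsHelloForBusinessBlocked", False),
        "reset_pin_after_failures": policy.get("passwordMaximumAttemptCount"),
        "sign_in_again_after_idle_minutes": policy.get("minutesOfInactivityBeforeDeviceLock"),
        "recover_data_certificate": cert["subjectName"] if cert else None,
        "additional_protected_locations": locations,
        "protected_apps": protected,
        "drift": drift,
    }


if __name__ == "__main__":
    print(json.dumps(m365_business_view(load_policy(SAMPLE_POLICY_JSON)), indent=2))
```

Run against a live tenant by replacing SAMPLE_POLICY_JSON with the body returned by Graph; any non-empty drift list is a setting that was not made through the Microsoft 365 Business console and is worth a look, and the missing recovery certificate finding is the one to resolve before Encrypt work files is switched on, since that switch cannot be reversed.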

Remember, there is a similar policy for both iOS and Android that I’ll cover soon. There are also a few things here I need to do more research on but you should now have a better idea of how the Microsoft 365 Business settings map to Intune.

Also, as I understand it, you can’t make changes to the policies in Intune; they all need to be done via the Microsoft 365 Business console.

So, when you create an Application Management for Windows 10 policy in Microsoft 365 Business, these are the mappings that occur to Intune under the covers.