Implement server-side support for mobile application management on Windows
The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703.
Integration with Azure AD
MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See Azure Active Directory integration with MDM.
MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD integrated MDM services are provided in an organization, a users’ personal devices will be enrolled to MAM or MDM, depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from Settings > Accounts > Access work or school.
Regular non-admin users can enroll to MAM.
Integration with Windows Information Protection
MAM on Windows takes advantage of built-in Windows Information Protection (WIP) policies to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to enlightened apps and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they do not handle personal data, and therefore it is safe for Windows to protect data on their behalf.
To make applications WIP-aware, app developers need to include the following data in the app resource file.
// Mark this binary as Allowed for WIP (EDP) purpose MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID BEGIN 0x0001 END
Configuring an Azure AD tenant for MAM enrollment
MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. Please note: if the MDM service in an organization is not integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.
Below are protocol changes for MAM enrollment:
- MDM discovery is not supported.
- APPAUTH node in DMAcc CSP is optional.
- MAM enrollment variation of [MS-MDE2] protocol does not support the client authentication certificate, and therefore does not support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication.
Here is an example provisioning XML for MAM enrollment.
<wap-provisioningdoc version="1.1"> <characteristic type="APPLICATION"> <parm name="APPID" value="w7"/> <parm name="PROVIDER-ID" value="MAM SyncML Server"/> <parm name="NAME" value="mddprov account"/> <parm name="ADDR" value="http://localhost:88"/> <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+xml" /> </characteristic> </wap-provisioningdoc>
Since the Poll node isn’t provided above, the device would default to once every 24 hours.
MAM on Windows supports the following configuration service providers (CSPs). All other CSPs will be blocked. Note the list may change later based on customer feedback:
- AppLocker CSP for configuration of WIP enterprise allowed apps.
- ClientCertificateInstall CSP for installing VPN and Wi-Fi certs.
- DeviceStatus CSP required for Conditional Access support (starting with Windows 10, version 1703).
- DevInfo CSP.
- DMAcc CSP.
- DMClient CSP for polling schedules configuration and MDM discovery URL.
- EnterpriseDataProtection CSP has WIP policies.
- Health Attestation CSP required for Conditional Access support (starting with Windows 10, version 1703).
- PassportForWork CSP for Windows Hello for Business PIN management.
- Policy CSP specifically for NetworkIsolation and DeviceLock areas.
- Reporting CSP for retrieving WIP logs.
- RootCaTrustedCertificates CSP.
- VPNv2 CSP should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
- WiFi CSP should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
Device lock policies and EAS
MAM supports device lock policies similar to MDM. The policies are configured by DeviceLock area of Policy CSP and PassportForWork CSP.
We do not recommend configuring both Exchange ActiveSync (EAS) and MAM policies for the same device. However, if both are configured, the client will behave as follows:
- When EAS policies are sent to a device that already has MAM policies, Windows evaluates whether the existing MAM policies are compliant with the configured EAS policies and reports compliance to EAS.
- If the device is found to be compliant, EAS will report compliance to the server to allow mail to sync. MAM supports mandatory EAS policies only. Checking EAS compliance does not require device admin rights.
- If the device is found to be non-compliant, EAS will enforce its own policies to the device and the resultant set of policies will be a superset of both. Applying EAS policies to the device requires admin rights.
- If a device that already has EAS policies is enrolled to MAM, the device will have both sets of policies: MAM and EAS, and the resultant set of policies will be a superset of both.
MAM policy syncs are modeled after MDM. The MAM client uses an Azure AD token to authenticate to the service for policy syncs.
Change MAM enrollment to MDM
Windows does not support applying both MAM and MDM policies to the same devices. If configured by the admin, a user can change his MAM enrollment to MDM.
When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On Windows Home edition, we do not recommend pushing MDM policies to enable users to upgrade.
To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL will be used for MDM enrollment.
In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when WIP policies are removed from the device, the user’s access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that:
- Both MAM and MDM policies for the organization support WIP.
- EDP CSP Enterprise ID is the same for both MAM and MDM.
- EDP CSP RevokeOnMDMHandoff is set to false.
If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in Settings > Accounts > Access work or school. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account will not be affected.
Skype for Business compliance with MAM
We have updated Skype for Business to work with MAM. The following table explains Office release channels and release dates for Skype for Business compliance with the MAM feature.
|Update channel||Primary purpose||LOB Tattoo availability||Default update channel for the products|
|Current channel||Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.||March 9 2017||
Visio Pro for Office 365
Project Desktop Client
Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)
|Deferred channel||Provide users with new features of Office only a few times a year.||October 10 2017||Microsoft 365 Apps for enterprise|
|First release for Deferred channel||Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.||June 13 2017|