Bring their own Windows 10/11 Laptops
Question
Hi All,
Some consultants (who are third-party employees) bring their own Windows 10/11 laptops. These laptops are not joined to our domain. I have created their accounts in our Azure AD and assigned just the Exchange Online (Plan 1) license to them. They have configured our company’s email account on their laptops.
Now, I want to manage our organization’s data on their laptops, e.g., wipe out the ost/pst from their laptop whenever we want.
How can we achieve this?
Using some user-based policies in Intune?
Or through some Conditional Access policy?
Or through Microsoft Defender for Cloud Apps?
Please guide me on the method…
Posted by Anonymous member in HTMD FB Group
Answers (3)
Replied by Simon Hardy
The problem is that, unlike Android/iOS, Windows (and macOS) has no concept of containerization, so there are no OS-supplied methods for securely separating personal and work activities and data.
Replied by Simon Hardy
1. Conditional Access to block desktop apps such as Outlook from accessing Office 365 services. Once they have downloaded data, you have no control over it on non-Android/iOS devices.
Replied by Anonymous member
Simon Hardy, Thanks a lot for the detailed answer.
I’ll review all these options and then test them.
Replied by Matt Cooper
Anonymous member, WIP is going away. It’s not a viable deployment.
Replied by Simon Hardy
4. An alternative would be to ensure all data is classified, labelled and protected (encrypted) via Purview and to use MDCA to ensure all data downloaded to BYOD is labelled and protected (encrypted) – that way, when you revoke their Azure AD identities they can no longer decrypt and open protected documents. This needs a good in-depth understanding of Purview, DLP, CLP and all the moving parts, and an organization-wide rollout of Purview to ensure all data is limited to employees only by default.
Replied by Simon Hardy
2. Conditional Access to enforce non-Android/iOS BYOD devices only to have read-only access to Office 365 Online Applications – so they can access email and attachments in a browser but cannot download anything locally.
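As an added worked example (not part of Simon's replies or the thread): points 1 and 2 expressed as two Conditional Access policies through Microsoft Graph PowerShell, plus the Exchange Online setting that makes the browser access read-only. It assumes the consultants sit in a dedicated Azure AD group (placeholder id below) and that the Microsoft.Graph and ExchangeOnlineManagement modules are installed.

```powershell
# Added example, not from the thread. $ConsultantsGroupId is a placeholder for the object id
# of the Azure AD group that holds the third-party consultants.
$ConsultantsGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Policy 1: desktop/mobile clients (Outlook, OneDrive, Teams) on Windows/macOS must come from a
# compliant device. Unenrolled BYOD laptops can never satisfy this, so desktop Outlook is blocked
# and no OST/PST is ever created on them.
$blockDesktop = @{
    displayName = "BYOD consultants - block desktop clients on unmanaged Windows/macOS"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set "enabled" after review
    conditions  = @{
        users          = @{ includeGroups = @($ConsultantsGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("windows", "macOS") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockDesktop

# Policy 2: browser sessions stay allowed but carry the app-enforced-restrictions flag, which
# Exchange Online / SharePoint use to serve a read-only, no-download experience.
$browserReadOnly = @{
    displayName = "BYOD consultants - browser only with app enforced restrictions"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($ConsultantsGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("windows", "macOS") }
        clientAppTypes = @("browser")
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $browserReadOnly

# Exchange side: Outlook on the web only honours the flag when the OWA mailbox policy says so.
# ReadOnly = mail and attachments viewable in the browser, no local download.
Connect-ExchangeOnline
Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" -ConditionalAccessPolicy ReadOnly
```

Both policies are created in report-only mode so the sign-in logs can be checked for unintended hits before enforcement; corporate staff are unaffected because the scope is the consultants group only.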
Replied by Simon Hardy
3. If browser/online Office 365 applications are not feature-rich enough, then provision some Windows 365 virtual desktops for the consultants and apply similar controls around the access to and data transfer from the virtual desktop to prevent data loss.
Replied by Juandre Van Der Walt
App protection policies?
Replied by Anonymous member
Juandre Van Der Walt
Apps > App protection policies > Create policy
It shows me only three available options:
iOS/iPadOS
Android
Windows Information Protection
There are no dedicated apps available for Windows devices.