Windows Information Protection

There is always the risk of accidental data leaks through apps and services (email, social media, the public cloud) outside of an enterprise’s control. Windows Information Protection (WIP), previously known as Enterprise Data Protection (EDP), helps protect against this potential data leakage without otherwise interfering with the user experience.

This feature is supported on Windows 10 devices.

Recommendations for using WIP

We recommend you have met the following in place before starting this section (however they are not required):

  • Standard prerequisites for all Azure services
  • A DRA certificate (contact your Microsoft sales and services associate for more information or go here: https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate)

Verify WIP profiles

You can view a device to see if the required profile settings to use WIP are correct. Currently, there is no compliance based on these settings, however you do have the ability to verify that the device has the proper profiles.

To verify WIP profiles:

  1. Go to Device & Users> Devices.
  2. Select the device.
  3. Select the Policies tab.
  4. Scroll to the WIP Policy2-3 section and expand, if necessary.
  5. Review the WIP settings.
  6. Verify that both Setting Value and Device Value are set to On.

    These must match to be compliant.

WIP work flow

This section describes the overall work flow for setting up WIP:

  1. Set up App Control rule
  2. Creating a Windows Information Protection policy
  3. Apply the profile to a label

Set up App Control rule

The App Control rule is a list of applications that can use and protect data with WIP. These apps will be a combination of enlightened and un-enlightened applications.

Enlightened applications are those apps that have been written to use the functions Microsoft has defined for use with WIP. These functions will help the application know the difference between:

  • Business data
  • Personal data

Otherwise, the application treats all data as business data.

Setting up an App Control rule

This procedure describes how to set up an App Control rule.

  1. Select Apps > App Control> Add.
  2. Select WIP as the Type and enter a name for the rule.
  3. Enter the first application you want to be able to use WIP data, including the following fields:
    • App
    • App Identifier/Name (required)
    • Device Platform (required)
    • Comment
  4. Select the green plus sign (+) to add additional applications, as necessary.
  5. Select Save.

    Select OK in the Success window.

  6. Complete the steps in Creating a Windows Information Protection policy.

Creating a Windows Information Protection policy

To create a WIP policy:

  1. Go to Policies & Configs > Policies.
  2. Select Add New > Windows > Windows Information Protection.
  3. Modify one or more of the fields, as necessary.

    Refer to the Windows Information Protection Fields table for details.

  4. Select Save > Apply to save the changes.
  5. Select Save again to save the WIP policy.
  6. Complete the steps in Apply the profile to a label
  7. See also the Getting Started with Ivanti EPMM for details.

New Windows Information Protection window

The following table summarizes fields and descriptions in the New Windows Information Protection window:

 

Table 67.  Windows Information Protection Fields

Fields

Description

Name

A name use to keep track of the profile in Ivanti EPMM

Description

Describes the profile’s purpose (optional)

App Control Group

Lists applications protected by this policy, as defined in the appropriate App Control rule. (See the Device Management Guide for Windows Devices for more information.)

Enforcement Level

Select one of the following enforcement modes:

  • Block: WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.

  • Override: WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.

  • Ivanti recommends that you start with Override while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can select your final enforcement policy, either Override or Block.

  • Silent: WIP runs silently, logging inappropriate data sharing, without blocking anything that would've been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.

  • Off (not recommended): WIP is turned off and doesn't help to protect or audit your data. After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives.

Enterprise Protected Domain Names

Enter your corporate identity.

Corporate identity is usually expressed as your primary Internet domain (miacme.com, for example). It helps to identify and tag your corporate data from apps You have marked as protected by WIP. For example, emails using miacme.com are identified as being corporate and are restricted by your Windows Information Protection policies.

You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (miacme.com|newmiacme.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. Ivanti strongly recommends that you include all of your email address domains in this list.

Enterprise Network Domain Names

Specify the DNS suffixes used in your environment.

All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter. For example "contoso.sharepoint.com,Fabrikam.com".

Enterprise Cloud Resources

Specify the cloud resources you want to be treated as corporate and protected by WIP.

For each cloud resource, you can optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your enterprise internal proxy servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don't use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Examples:

  • "With proxy: "contoso.sharepoint.com,contoso.internalproxy1.com |contoso.visualstudio.com,contoso.internalproxy2.com"

  • "Without proxy: "contoso.sharepoint.com|contoso.visualstudio.com"

There is a UI constraint of 64 chars.

In the Enterprise IP Range field, specify the addresses for a valid IPv4 value range within your intranet.

These addresses, used with your enterprise network domain names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter

Example:

3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254

Enterprise IP Ranges Are Authoritative

Select this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network.

If you clear this box, Windows searches for additional IP ranges on any domain-joined devices connected to your network (auto-detect).

Data Recovery Certificate

Paste your Base64-encoded DRA certificate (.CER) string into the Data Recovery Certificate text box.

After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees' local device drive. If the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.

Allow User Decryption

Determines whether users can see the Personal option for files within File Explorer and the Save As dialog box in Windows.

If selected, employees can choose whether a file is Work or Personal in File Explorer and the Save As dialog box.

If not selected, only the Work option is available.

If you pick this option, apps that use the Save As dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult.

This option works only for devices using the Anniversary Edition of Windows 10 (1607). This options has been deprecated by the OS in all versions greater than the Anniversary Edition.

Revoke On Unenroll

Determines whether to revoke a user's local encryption keys from a device when it is unenrolled from WIP. If the encryption keys are revoked, a user no longer has access to encrypted corporate data.

Uncheck this box to keep local encryption keys when migrating between MDM solutions.

Show WIP Icons

Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explore views.

Require Protection Under Lock

This options applies only to Windows 10 Mobile. It determines whether to encrypt enterprise data using a key that is protected by an employee's PIN code on a locked device. Apps will not be able to read corporate data when the device is locked.

Neutral Resources

Specify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

Example: sts.contoso.com,sts.contoso2.com

Enterprise Proxy Servers

Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they are used for WIP-protected traffic.

This setting is also required if there's a chance you could are behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you are visiting another company and not on the guest network. To make sure this doe not happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter.

Example: proxy.contoso.com:80;proxy2.contoso.com:443

Enterprise Proxy Servers Are Authoritative

Select this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network (auto-detect).

Enterprise Internal Proxy Servers

Specify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you're connecting to are enterprise resources.

This list shouldn't include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Example: contoso.internalproxy1.com;contoso.internalproxy2.com

Allow Azure RMS

Check this box if WIP is to be used in conjunction with Azure Rights Management Service. Azure Rights Management (Azure RMS) can be used if company-wide information protection is desired.

RMS TemplateID

Specify your Azure RMS TemplateID.

Apply the profile to a label

This section describes how to apply the WIP profile to a label.

  1. Select Policies & Configs > Policy.
  2. Select the WIP policy you want to apply to a label.
  3. Select Actions > Apply to Label.
  4. Locate and select the label.
  5. Select Apply.

One note that we see with this profile is that once applied there can be cases where the profile is not removed once un-enrolled in UEM. It is recommended to test with VMs and WIP at this time.