Name
|
A name used to identify the profile in Core.
|
Description
|
Describes the profile’s purpose (optional)
|
App Control Group
|
Lists applications protected by this policy, as defined in the appropriate App Control rule. (See the Device Management Guide for Windows Devices for more information.)
|
Enforcement Level
|
Select one of the following enforcement modes:
•Block: WIP looks for inappropriate data-sharing practices and stops the employee from completing the action. This includes sharing information with non-enterprise-protected apps, as well as sharing enterprise data with other people and devices outside your enterprise.
•Override: WIP looks for inappropriate data sharing and warns employees if they do something deemed potentially unsafe. However, this mode lets the employee override the policy and share the data; the action is written to your audit log.
•Silent: WIP runs silently, logging inappropriate data sharing without blocking anything that would have prompted for employee interaction in Override mode. Unallowed actions, such as apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.
•Off (not recommended): WIP is turned off and does not protect or audit your data. After you turn off WIP, Windows attempts to decrypt any closed WIP-tagged files on the locally attached drives.
Ivanti recommends that you start with Override while verifying with a small group that you have the right apps on your protected apps list. After you are done, select your final enforcement level, either Override or Block.
|
Enterprise Protected Domain Names
|
Enter your corporate identity.
Corporate identity is usually expressed as your primary Internet domain (miacme.com, for example). It is used to identify and tag corporate data in the apps you have marked as protected by WIP. For example, emails using miacme.com are identified as corporate and are restricted by your Windows Information Protection policies.
You can specify multiple domains owned by your enterprise by separating them with the "|" character, for example miacme.com|newmiacme.com. With multiple domains, the first one is designated as your corporate identity and all of the additional ones are treated as owned by the first. Ivanti strongly recommends that you include all of your email address domains in this list.
|
Enterprise Network Domain Names
|
Specify the DNS suffixes used in your environment.
All traffic to the fully qualified domain names appearing in this list is protected.
This setting works together with the IP range settings to decide whether a network endpoint is enterprise or personal on private networks.
If you have multiple domains, you must separate them using the "," delimiter. For example: "contoso.sharepoint.com,Fabrikam.com".
|
Enterprise Cloud Resources
|
Specify the cloud resources you want to be treated as corporate and protected by WIP.
For each cloud resource, you can optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your enterprise internal proxy servers is considered enterprise.
If you have multiple resources, you must separate them using the "|" delimiter. If you don't use a proxy server for a resource, you must still include the "," delimiter just before the "|". The format is URL<,proxy>|URL<,proxy>.
Examples:
•With proxy: "contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,contoso.internalproxy2.com"
•Without proxy: "contoso.sharepoint.com|contoso.visualstudio.com"
The UI limits this field to 64 characters.
|
Enterprise IP Ranges
|
Specify the addresses for a valid IPv4 range (or ranges) within your intranet.
These addresses, used together with your enterprise network domain names, define your corporate network boundary.
If you have multiple ranges, you must separate them using the "," delimiter.
Example:
3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254
|
Enterprise IP Ranges Are Authoritative
|
Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network.
If you clear this box, Windows searches for additional IP ranges on any domain-joined devices connected to your network (auto-detect).
|
Data Recovery Certificate
|
Paste the Base64-encoded DRA certificate (.CER) string into the Data Recovery Certificate text box.
After you create and deploy your WIP policy, Windows begins to encrypt corporate data on employees' local drives. If an employee's local encryption keys are lost or revoked, that encrypted data can become unrecoverable. To guard against this, the DRA certificate gives Windows a public key to include when encrypting the local data, while you keep the private key that can decrypt it. Keep that private key offline and under strict access control: whoever holds it can decrypt WIP-protected files from any device the policy is deployed to.
|
Allow User Decryption
|
Determines whether users can see the Personal option for files within File Explorer and the Save As dialog box in Windows.
If selected, employees can choose whether a file is Work or Personal in File Explorer and the Save As dialog box.
If not selected, only the Work option is available.
If you pick this option, apps that use the Save As dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult.
|
IMPORTANT:
|
This option works only for devices using the Anniversary Edition of Windows 10 (1607). The OS has deprecated this option in all versions later than the Anniversary Edition.
|
Revoke On Unenroll
|
Determines whether to revoke a user's local encryption keys from a device when it is unenrolled from WIP. If the encryption keys are revoked, a user no longer has access to encrypted corporate data.
Uncheck this box to keep local encryption keys when migrating between MDM solutions.
|
Show WIP Icons
|
Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As dialog box and File Explorer views.
|
Require Protection Under Lock
|
This option applies only to Windows 10 Mobile. It determines whether to encrypt enterprise data using a key that is protected by the employee's PIN code while the device is locked. Apps cannot read corporate data while the device is locked.
|
Neutral Resources
|
Specify your authentication redirection endpoints for your company.
These locations are considered enterprise or personal, based on the context of the connection before the redirection.
If you have multiple resources, you must separate them using the "," delimiter.
Example: sts.contoso.com,sts.contoso2.com
|
Enterprise Proxy Servers
|
Specify your externally-facing proxy server addresses, along with the port through which traffic reaches the Internet.
This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because those are used for WIP-protected traffic.
This setting is also required if there is a chance you could be behind a proxy server on another network. In that situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you are visiting another company and not on the guest network. To make sure this does not happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.
If you have multiple resources, you must separate them using the ";" delimiter.
Example: proxy.contoso.com:80;proxy2.contoso.com:443
|
Enterprise Proxy Servers Are Authoritative
|
Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network (auto-detect).
|
Enterprise Internal Proxy Servers
|
Specify the proxy servers your devices will go through to reach your cloud resources.
Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
This list shouldn't include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.
If you have multiple resources, you must separate them using the ";" delimiter.
Example: contoso.internalproxy1.com;contoso.internalproxy2.com
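The network-boundary fields above (Enterprise Cloud Resources, Enterprise IP Ranges, Enterprise Proxy Servers and Enterprise Internal Proxy Servers) each use a different delimiter, and the table states rules that tie them together: a cloud resource's proxy must come from the internal proxy list, the internal and external proxy lists must not overlap, and an endpoint is enterprise if it matches a network domain, falls in an IP range, or is reached through an internal proxy. The following added example, which is not Ivanti or Microsoft code, is a small Python validator that parses the strings exactly as the fields expect them and applies those rules, so a boundary definition can be checked before it is pasted into the profile. The class name WipBoundary, its method names and the sample values (built from the table's own examples) are assumptions for illustration; the trailing-"," form for a proxyless cloud resource is accepted as well.

```python
"""Parse, validate and apply a WIP network-boundary definition.

Added example (not Ivanti or Microsoft code). Field names and the
WipBoundary class are hypothetical; sample values are constructed from
the examples given in the profile table.
"""
import ipaddress
from dataclasses import dataclass


def _split(value, sep):
    """Split a profile field on its delimiter, dropping blanks and whitespace."""
    return [v.strip() for v in value.split(sep) if v.strip()]


@dataclass
class WipBoundary:
    cloud_resources: str = ""    # Enterprise Cloud Resources: "host,proxy|host"
    internal_proxies: str = ""   # Enterprise Internal Proxy Servers: "p1;p2"
    external_proxies: str = ""   # Enterprise Proxy Servers: "host:port;host:port"
    network_domains: str = ""    # Enterprise Network Domain Names: "a.com,b.com"
    ip_ranges: str = ""          # Enterprise IP Ranges: "start-end,start-end"

    def parsed_cloud_resources(self):
        """Return [(host, proxy_or_None)]; a missing or empty ',proxy' part gives None."""
        out = []
        for entry in _split(self.cloud_resources, "|"):
            host, _, proxy = entry.partition(",")
            out.append((host.strip().lower(), proxy.strip().lower() or None))
        return out

    def internal_proxy_hosts(self):
        return {p.lower() for p in _split(self.internal_proxies, ";")}

    def external_proxy_hosts(self):
        # External proxies carry a port; compare on the host part only.
        return {p.split(":")[0].lower() for p in _split(self.external_proxies, ";")}

    def parsed_ip_ranges(self):
        """Return ([(lo, hi)], [errors]) for the comma-separated IPv4 "start-end" ranges."""
        ranges, errors = [], []
        for entry in _split(self.ip_ranges, ","):
            try:
                lo_s, hi_s = entry.split("-")
                lo = ipaddress.IPv4Address(lo_s.strip())
                hi = ipaddress.IPv4Address(hi_s.strip())
            except ValueError:  # wrong shape, or not a valid IPv4 address
                errors.append(f"bad IPv4 range: {entry!r}")
                continue
            if lo > hi:
                errors.append(f"range start after end: {entry!r}")
                continue
            ranges.append((lo, hi))
        return ranges, errors

    def validate(self):
        """Return a list of consistency problems; an empty list means the definition is sound."""
        errors = []
        internal, external = self.internal_proxy_hosts(), self.external_proxy_hosts()
        overlap = sorted(internal & external)
        if overlap:
            errors.append(f"listed as both internal and external proxy: {overlap}")
        for host, proxy in self.parsed_cloud_resources():
            if not host:
                errors.append("cloud resource entry with empty host")
            if proxy and proxy not in internal:
                errors.append(f"cloud resource {host!r} names proxy {proxy!r} not in the internal proxy list")
        errors.extend(self.parsed_ip_ranges()[1])
        return errors

    def is_enterprise(self, host, ip=None, via_proxy=None):
        """Classify a connection as enterprise (True) or personal (False)."""
        host = host.lower()
        if via_proxy and via_proxy.lower() in self.internal_proxy_hosts():
            return True  # all traffic through an internal proxy is enterprise
        names = [d.lower() for d in _split(self.network_domains, ",")]
        names += [h for h, _ in self.parsed_cloud_resources()]
        if any(host == n or host.endswith("." + n) for n in names):
            return True
        if ip:
            addr = ipaddress.IPv4Address(ip)
            if any(lo <= addr <= hi for lo, hi in self.parsed_ip_ranges()[0]):
                return True
        return False


def example_boundary():
    """Constructed sample built from the examples in the profile table."""
    return WipBoundary(
        cloud_resources="contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com",
        internal_proxies="contoso.internalproxy1.com;contoso.internalproxy2.com",
        external_proxies="proxy.contoso.com:80;proxy2.contoso.com:443",
        network_domains="contoso.sharepoint.com,Fabrikam.com",
        ip_ranges="3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254",
    )


if __name__ == "__main__":
    b = example_boundary()
    print("problems:", b.validate() or "none")
    for host, ip in [("files.fabrikam.com", None), ("www.example.com", "10.3.2.1"), ("www.example.com", "8.8.8.8")]:
        print(host, ip, "->", "enterprise" if b.is_enterprise(host, ip=ip) else "personal")
```

Run it on a draft definition before saving the profile: a non-empty list from validate() points at the exact entry that would either be silently ignored by Windows or, worse, would route WIP-protected traffic through a proxy the policy does not trust.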
|
Allow Azure RMS
|
Check this box if WIP is to be used in conjunction with Azure Rights Management Service. Azure Rights Management (Azure RMS) can be used if company-wide information protection is desired.
|
RMS TemplateID
|
Specify the Azure RMS template ID (a GUID) to use for RMS encryption of WIP-protected data.
|