With the massive shift towards user mobility and BYOD devices, it’s important to consider how we can help users be at their most productive while maintaining control over data. For mobile devices (Android, iOS) we have Microsoft Endpoint Manager (Intune) Mobile Application Management (MAM) Policies. MAM Policies work extremely effectively for BYOD devices and help provide the security needed by sandboxing the mobile applications used to connect to our corporate data.
For Windows devices, there are session control policies which can allow limited, read-only access via a web browser from any device and even put some complex rules in place to define exactly what can happen within that session. This is great for web access, but when users need more flexibility around client applications, or when a web application just doesn’t meet the requirements, we need to add some control to how the application works in the context of the user’s device.
To meet this use case, we have Microsoft Windows Information Protection (WIP). WIP allows us to control how data moves throughout the end user device by designating data as either corporate or personal. Through the use of WIP Enlightened Apps, we can define the locations whose data will be protected (such as SharePoint Online or specific network shares), decide whether non-enlightened apps can access data marked as corporate, control copy/paste functionality, and apply Microsoft Information Protection / Sensitivity Labels to data extracted from corporate locations.
NOTE: Keep the limitations of WIP in mind. It is not a rock-solid DLP solution, but rather another layer in the stack of protections available.
Creating a WIP Policy
To test out WIP, first ensure that the MAM scope and URLs are up to date in Azure AD. Navigate to ‘Azure AD’ -> ‘MDM & MAM’ -> ‘Microsoft Intune’, verify that the MAM user scope contains your target users, and hit ‘Restore default MAM URLs’ if you have changed them previously.
Now we can create an App Protection Policy in the Microsoft Endpoint Manager Admin Portal. Navigate to ‘Apps’ -> ‘App Protection Policies’ and create a new Windows 10 Policy.
We create a new policy and choose whether it applies to enrolled (MDM) or unenrolled (MAM) devices. There are a few important differences to consider when deciding this, as outlined in the Microsoft Documentation:
- MAM has additional Access settings for Windows Hello for Business.
- MAM can selectively wipe company data from a user’s personal device.
- MAM requires an Azure Active Directory (Azure AD) Premium license.
- An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
- MAM supports only one user per device.
- MAM can only manage enlightened apps.
- Only MDM can use BitLocker CSP policies.
- If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using Settings > Email & accounts > Add a work or school account), the MAM-only policy will be preferred but it’s possible to upgrade the device management to MDM in Settings. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access.
Next we choose the targeted and excluded apps. Targeted apps will be the “enlightened” apps that we protect. Excluded apps will be able to access corporate data without restrictions applied.
We can then choose the mode our policy operates in. We can block moving data out of corporate locations straight away, we can allow a user to override the corporate classification, or we can run in a silent “monitoring” mode where we can view reporting and assess the impact of enabling WIP. Running in silent mode first is recommended so that the impact is understood before enforcement is enabled.
Next we configure the settings of our policy. We can also configure our proxy server so that endpoints that route through a proxy are still protected. We can also assign an RMS template ID to corporate data to add an extra layer of security.
For now, we will just specify our SharePoint and OneDrive locations as the cloud resources to protect. We add the following locations to our scope:
We add SharePoint and OneDrive as Cloud resources, specifying the URLs contoso.sharepoint.com and contoso-my.sharepoint.com.
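Intune writes the “Cloud resources” field to the Policy CSP node NetworkIsolation/EnterpriseCloudResources, which Microsoft documents as a pipe-separated list of domains, each optionally paired with an internal proxy via a trailing comma. The following builder/validator is an added example (not code from this post or from Microsoft); the hostname regex, the helper names and the sample values are this example’s own, and the proxy cross-check assumes you hold the EnterpriseInternalProxyServers list as a plain Python list.

```python
"""Build and validate a WIP network-boundary 'Cloud resources' value."""
import re

# EnterpriseDataProtection CSP EDPEnforcementLevel values behind the Intune
# "Windows Information Protection mode" drop-down (silent / override / block).
EDP_ENFORCEMENT_LEVEL = {"off": 0, "silent": 1, "override": 2, "block": 3}

# Hostname sanity check constructed for this example: labels of 1-63 chars,
# no leading/trailing hyphen, at least one dot. The CSP itself does not validate.
_HOST = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def _check_host(name, what):
    if not _HOST.match(name):
        raise ValueError(f"invalid {what}: {name!r}")
    return name


def build_cloud_resources(resources):
    """resources: list of (domain, proxy or None) -> the pipe-separated CSP string."""
    parts = []
    for domain, proxy in resources:
        _check_host(domain, "cloud resource")
        parts.append(domain if proxy is None else f"{domain},{_check_host(proxy, 'proxy')}")
    return "|".join(parts)


def parse_cloud_resources(value):
    """CSP string -> list of (domain, proxy or None).

    Accepts the documented 'URL,|URL,' form (empty proxy after the comma) and
    rejects empty entries or malformed hostnames."""
    out = []
    for entry in value.split("|"):
        domain, _, proxy = (p.strip() for p in entry.partition(","))
        if not domain:
            raise ValueError(f"empty cloud resource entry in {value!r}")
        _check_host(domain, "cloud resource")
        out.append((domain, _check_host(proxy, "proxy") if proxy else None))
    return out


def unpaired_proxies(resources, internal_proxies):
    """Proxies a cloud resource points at that are missing from the
    EnterpriseInternalProxyServers list; the CSP requires them to be listed there too."""
    known = {p.lower() for p in internal_proxies}
    return sorted({p.lower() for _, p in resources if p and p.lower() not in known})


if __name__ == "__main__":
    # Constructed sample: the post's two SharePoint Online locations, no proxy.
    value = build_cloud_resources([("contoso.sharepoint.com", None), ("contoso-my.sharepoint.com", None)])
    print(value)  # contoso.sharepoint.com|contoso-my.sharepoint.com
```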
Now when we assign our policy to a user we can see the added functionality to help protect corporate data.
When our user now connects to corporate data using the apps specified, we can see WIP in action. The first thing to note is that in the policy we enabled the “Show the enterprise data protection icon” setting, which is off by default. This essentially tells the user that the app is working in a “corporate” context.
Clicking on the icon informs the user that they are working in a managed app.
When our user tries to download a file from our corporate location, they will see a briefcase icon indicating that the document came from the corporate environment. We also see the “File ownership” column in File Explorer, which tells us whether the file is corporate data or personal.
If we had allowed overrides in our policy, the user could right-click to change the file ownership. We didn’t in our policy, so this option is greyed out.
The user can, however, classify personal documents as corporate.
Once this txt file is classified, we can see the WIP icon appear in Notepad.
Extracting Corporate Data
With all this protection in place, let’s look at what happens when a user drops a corporate document into their personal OneDrive folder. As personal OneDrive is not listed as a corporate location, the user gets a message telling them that this action isn’t allowed.
We can see similar behavior when the user tries to copy to a removable drive or an unprotected network share.
WIP does not meet every use case and is not a complete protection solution. There are ways around the controls here for savvy users who really want to do it. It is however a great addition to help protect users from making mistakes and make it a little bit harder for someone to carelessly extract corporate data without thinking.
Overall a great technology and another layer of protection that is (relatively) seamless to end users. For more information on configuring WIP, check out the Microsoft Documentation for an in depth guide.