Windows 10 Windows Information Protection

Windows Information Protection (WIP), formerly known as Enterprise Data Protection (EDP), is a solution that aims to resolve the issue of maintaining separate "personal" and "corporate" containers on a device while preserving both end-user privacy and corporate security with optimal usability.  WIP on Windows 10 gives you more granularity than other operating systems in defining the capabilities of trusted applications, the trusted enterprise boundaries, and the enforcement level of the various policies.  With this function, all "corporate" data is automatically encrypted and can only be decrypted when accessed by a privileged application.

1. Privileged Applications

Like other device types, Windows 10 supports the ability to push down apps in a "managed" state, which gives them additional capabilities compared to other apps.  However, Windows 10 can also put apps that were not pushed through MDM into a managed state.  An administrator can specify that any application installed on a device is a privileged application, which automatically places it in a managed state.  For example, if an application such as Notepad is installed on the device prior to enrollment, AirWatch can still put that app into a managed state upon enrollment.

In addition to identifying certain applications as privileged applications, each application can be configured with different per-app VPN settings (refer to Adding a VPN Profile).  Depending on the needs of the organization, every privileged application can have a unique VPN configuration, all privileged applications can share the same VPN configuration, or anything in between.  This gives administrators the flexibility to microsegment their internal network: dividing the network into smaller domains ensures that each internal endpoint is reachable only by the appropriate application.

With Windows 10, Microsoft will also deliver an updated Windows SDK that allows application developers to better handle corporate data.  Developers can determine exactly how their application handles corporate and personal data when it is marked as privileged.  For example, if Notepad is a privileged application, a user may still want to use it to create and save a personal file.  Once Notepad is updated in Windows 10 to use the new SDK, the user will be able to save any new file as either "corporate" or "personal."  For other applications, the developers may choose to allow only "corporate" files to be saved while the application is marked as privileged.

Note: Per Microsoft recommendations, do not set Microsoft Office 2010 or 2013 applications as privileged.  These apps do not yet utilize the latest SDK and are currently not supported in this use case.

1.1. Creating the Data Protection Profile
  1. Back in the AirWatch console, click ADD
  2. Click Profile

1.2. Windows Platform
  1. Click Windows

1.3. Windows Desktop Device Type
  1. Click Windows Desktop

1.4. General Profile Settings
  1. Enter "Windows Information Protection" into the Name field
  2. Select your "All Devices" smart group for the Assigned Groups

1.5. Data Protection
  1. Click Data Protection
  2. Click Configure

1.6. Enterprise Applications
  1. Type "Notepad" for the Desktop App Name
  2. Type "%windir%\system32\notepad.exe" for Desktop App Identifier
  3. Click Add
  4. Select Store App from the dropdown
  5. Type "AirWatch Content Locker"
  6. Click the Magnifier to search the Microsoft Store

1.7. Search: AirWatch Content Locker
  1. Click Select next to AirWatch - Content Locker application
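The lab identifies Notepad by its file path and Content Locker by a Store search. WIP application rules are AppLocker rules, so the identifiers the console needs can be read off the device itself. The script below is an added example, not part of the AirWatch lab or product; it assumes the AppLocker PowerShell module is available (Windows 10 Enterprise/Education) and that the Content Locker package name matches the `*ContentLocker*` pattern, which is a guess.

```powershell
# Added example (not part of the AirWatch lab): collect the identifiers WIP uses
# for the Enterprise Applications list. WIP app rules are AppLocker rules, so the
# same module that builds AppLocker policies can read the publisher data.
# Assumption: the AppLocker PowerShell module is present (Windows 10 Enterprise/Education).
Import-Module AppLocker

function Get-WipDesktopAppIdentity {
    param([Parameter(Mandatory)][string]$Path)
    $resolved = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path $resolved)) { throw "File not found: $resolved" }

    $info = Get-AppLockerFileInformation -Path $resolved
    $pub  = $info.Publisher          # $null when the binary carries no valid signature
    [pscustomobject]@{
        Path          = $resolved
        Signed        = ($null -ne $pub)
        PublisherName = $pub.PublisherName
        ProductName   = $pub.ProductName
        BinaryName    = $pub.BinaryName
        BinaryVersion = $pub.BinaryVersion
    }
}

function Get-WipStoreAppIdentity {
    param([Parameter(Mandatory)][string]$NamePattern)
    # Store (AppX) apps are identified to WIP by publisher and package family name.
    Get-AppxPackage -Name $NamePattern | ForEach-Object {
        [pscustomobject]@{
            Name              = $_.Name
            PackageFamilyName = $_.PackageFamilyName
            Publisher         = $_.Publisher
        }
    }
}

# Desktop app from the lab: the publisher fields are what a signature-based rule needs.
Get-WipDesktopAppIdentity -Path '%windir%\system32\notepad.exe' | Format-List

# Store app from the lab; the name pattern is an assumption.
Get-WipStoreAppIdentity -NamePattern '*ContentLocker*' | Format-List
```

A path-based identifier such as "%windir%\system32\notepad.exe" grants privileged status to whatever binary sits at that path, whereas a publisher-based identifier ties the grant to the vendor's code signature. In production, reserve path rules for locations standard users cannot write to, and prefer the publisher/product/binary values reported above for everything else.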

2. Enterprise Boundaries

On Windows 10, administrators can specify an enterprise boundary so that any "work" data downloaded to a device is automatically encrypted.  For example, an administrator can specify certain IP ranges or domains as a protected network.  Any data downloaded to the device from these locations is automatically encrypted and can only be opened by privileged applications.  If the domain air-watch.com is specified as a protected network, then any data downloaded from sharepoint.air-watch.com can only be opened by the privileged applications on that device.  Additionally, an administrator can specify that every IP address in the internal company network is part of the protected network.

Likewise, any email attachment sent from a user whose domain is in the protected network will also be encrypted and can only be opened by a privileged application.

2.1. Protected Networks
  1. Type "awmdm.com" for Primary Domain
  2. Type "192.168.0.1-192.168.0.255" for Enterprise IP Ranges
  3. Type "hol.awmdm.com" for Enterprise Network Domain Names

3. Levels of Protection

An administrator can configure different levels of protection for different groups of end users, depending on the demands of the organization.  These settings are:

  • Block: Corporate data can only be accessed from privileged applications; attempts from non-privileged applications are denied.
  • Override: If a user attempts to access corporate data with a non-privileged application, a warning prompt appears.  The user can still choose to complete the action, but the action is logged in an audit log.
  • Audit: If a user attempts to access corporate data with a non-privileged application, the action is allowed but logged in an audit log.
  • Off: WIP (EDP) is disabled; corporate data is neither encrypted nor audited.

3.1. Enforcement Policies
  1. Set your Data Protection Level to "Encrypt data ... Audit Overrides."
  2. Select Yes for Show EDP Icons
  3. Select Allow for User Decryption - This setting allows end users to change a file's ownership from corporate to personal. It is generally used for BYOD use cases.
  4. Click Upload

3.2. Search for MMC

Now back on your Windows 10 device, press the Windows key to bring up the search menu.

  1. Type "mmc"
  2. Click on mmc.exe

3.3. Add/Remove Snap-In
  1. Click File
  2. Click Add/Remove Snap-in...

3.4. Add Certificates Snap-in
  1. Select Certificates
  2. Click Add >

3.5. My User Account
  1. Ensure My user account is selected
  2. Click Finish

3.6. Add Certificate Snap-in
  1. Click OK

3.7. Export...
  1. Expand Certificates - Current User > Personal > Certificates
  2. Right click the "Administrator" certificate
  3. Click All Tasks
  4. Click Export...

3.8. Export Wizard
  1. Click Next

3.9. Do Not Export Private Key
  1. Click Next

3.10. Base-64 Encoded X.509
  1. Select Base-64 encoded X.509 (.CER)
  2. Click Next

3.11. File to Export
  1. Type "C:\DRC.cer" for File Name:
  2. Click Next

3.12. Finish Export
  1. Click Finish

3.13. Export Successful
  1. Click OK

Note: Transfer the exported certificate back to the machine running the AirWatch console. You will have to minimize the Windows 10 device window and use copy and paste.
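Steps 3.2 through 3.13 export the lab's existing "Administrator" certificate, without its private key, to serve as the Data Recovery Agent (DRA). In production the DRA should be a dedicated EFS recovery certificate whose private key is generated once and stored offline, because anyone holding that key can decrypt every WIP-protected file on every enrolled device. The script below is an added example, not part of the AirWatch lab; it uses the `cipher.exe /r` command, Microsoft's documented way of generating an EFS DRA, and writes a Base-64 X.509 file equivalent to the one the MMC wizard produces. The output directory and certificate name are assumptions.

```powershell
# Added example (not part of the AirWatch lab): create a dedicated EFS Data Recovery
# Agent certificate with cipher.exe and re-encode the public half as Base-64 X.509
# for upload to the Data Protection profile. Names and paths are assumptions.
function New-WipRecoveryAgent {
    param(
        [string]$Name   = 'EFSDRA',
        [string]$OutDir = 'C:\DRA'
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    Push-Location $OutDir
    try {
        # cipher /r prompts for a password and writes <Name>.cer (public key only)
        # and <Name>.pfx (private key) into the current directory. The .pfx is the
        # recovery key for all WIP data: move it offline and never upload it.
        & cipher.exe /r:$Name
        if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }
    } finally { Pop-Location }

    $cerPath = Join-Path $OutDir "$Name.cer"
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath

    # Base-64 encoded X.509 (.CER): PEM framing around the DER bytes, which is the
    # same content the MMC export wizard's "Base-64 encoded X.509" option writes.
    $b64 = [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
    $pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
    $pemPath = Join-Path $OutDir "$Name-base64.cer"
    [IO.File]::WriteAllText($pemPath, $pem)

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        HasPrivateKey  = $cert.HasPrivateKey   # must be False for the file you upload
        NotAfter       = $cert.NotAfter
        UploadFile     = $pemPath
        PrivateKeyFile = Join-Path $OutDir "$Name.pfx"
    }
}

New-WipRecoveryAgent | Format-List
```

Before uploading, confirm that `HasPrivateKey` is False for the .cer and record the thumbprint; it is what `cipher /c` reports under the recovery certificates of a protected file, so it is the value you will match against when verifying the profile later. Note the expiry as well: a DRA that expires is not automatically replaced on files already encrypted under it.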

3.14. Add

Back in the AirWatch console,

  1. Click Browse...

3.15. File Upload
  1. Click Local Disk or the location of where you saved your exported certificate
  2. Click DRC.cer
  3. Click Open

3.16. Add
  1. Click Save

3.17. Save & Publish
  1. Click Save & Publish

3.18. Device Assignment
  1. Click Publish

3.19. Verify Profile

You should now see your Windows Information Protection profile. In this workshop we configured a simple Data Protection use case; in production you will want to ensure that every corporate application is defined as a privileged application.
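Seeing the profile in the console shows that it was published, not that the device applied it. The script below is an added example, not part of the AirWatch lab, for checking on the Windows 10 device itself: it reads the WIP settings back through the MDM Bridge WMI provider (which maps the enforcement levels of section 3 to the numeric values the CSP stores) and then checks that a file fetched from the protected network is EFS-encrypted with a recovery certificate attached. The WMI class and property names, and the sample file path, are assumptions; the MDM bridge namespace is readable only as LOCAL SYSTEM, so run it under `psexec -s` or an equivalent.

```powershell
# Added example (not part of the AirWatch lab): verify the applied WIP policy on the
# device. Assumptions: the MDM Bridge class/property names below, and the sample
# file path. Run as LOCAL SYSTEM (e.g. psexec -s powershell.exe) to read the bridge.

function Get-WipAppliedPolicy {
    $ns  = 'root\cimv2\mdm\dmmap'
    $wip = Get-CimInstance -Namespace $ns -ClassName 'MDM_EnterpriseDataProtection_Settings01' `
                           -ErrorAction SilentlyContinue
    if (-not $wip) { throw 'No WIP policy found; check enrollment and profile assignment.' }

    # Network boundary values live in the NetworkIsolation policy area (class name assumed).
    $net = Get-CimInstance -Namespace $ns -ClassName 'MDM_Policy_Config01_NetworkIsolation02' `
                           -ErrorAction SilentlyContinue

    # EDPEnforcementLevel as stored by the CSP: 0 Off, 1 Silent/Audit, 2 Override, 3 Block.
    $levels = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Override'; 3 = 'Block' }
    [pscustomobject]@{
        EnforcementLevel    = $levels[[int]$wip.EDPEnforcementLevel]
        PrimaryDomain       = $wip.EnterpriseProtectedDomainNames
        AllowUserDecryption = [bool]$wip.AllowUserDecryption
        ShowIcons           = [bool]$wip.EDPShowIcons
        HasRecoveryCert     = -not [string]::IsNullOrEmpty($wip.DataRecoveryCertificate)
        EnterpriseIPRanges  = $net.EnterpriseIPRange
        NetworkDomainNames  = $net.EnterpriseNetworkDomainNames
    }
}

function Test-WipFileProtection {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { throw "File not found: $Path" }
    $attrs = (Get-Item $Path).Attributes
    # cipher /c lists the users and recovery certificates able to decrypt an EFS file;
    # a WIP-protected file should be encrypted and show the uploaded DRA there.
    $detail = & cipher.exe /c $Path 2>&1 | Out-String
    [pscustomobject]@{
        Path            = $Path
        Encrypted       = $attrs.HasFlag([IO.FileAttributes]::Encrypted)
        HasRecoveryCert = ($detail -match 'Recovery Certificates')
        Detail          = $detail
    }
}

Get-WipAppliedPolicy | Format-List
# Sample path is an assumption: use a file you downloaded from hol.awmdm.com.
Test-WipFileProtection -Path "$env:USERPROFILE\Downloads\hol-test.docx" | Format-List
```

Expect `EnforcementLevel` to read "Audit" for the "Encrypt data ... Audit Overrides" setting chosen in 3.1, `HasRecoveryCert` to be True, and the downloaded file to report both `Encrypted` and a recovery certificate whose thumbprint matches the DRC.cer you uploaded. A file that is encrypted but lists no recovery certificate was protected before the DRA reached the device and cannot be recovered with that key.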

4. Sharing Data to the Cloud

WIP is intended to protect corporate information at the device level.  However, if data is transferred to a file share or a cloud repository, WIP itself cannot guarantee data protection.  Protecting data even when it is shared requires Rights Management Services (RMS) integration, such as Azure RMS.  By integrating with Azure RMS, you can ensure that even if data is copied from a managed device to a file share or internal cloud repository, that data remains secured and accessible only from other managed devices.  This data is encrypted prior to transfer with encryption keys managed by RMS.  Thus, while WIP protects data on the device itself, RMS is integral to protecting data when it is transferred to the cloud or to other internal systems.

As a final note, third-party apps that sync to the cloud (such as Dropbox) will be unable to access corporate files unless they are marked as privileged apps.  However, if such applications are marked as privileged, corporate data can be synced to their respective clouds.