Windows 10 Windows Information Protection
Windows Information Protection (WIP), formerly known as Enterprise Data Protection (EDP), is a solution that aims to resolve the issue of maintaining separate "personal" and "corporate" containers on a device while preserving both end-user privacy and corporate security with optimal usability. WIP on Windows 10 gives you more granularity than other operating systems in defining the capabilities of trusted applications, trusted enterprise boundaries, and the enforcement level of various policies. With this function, all "corporate" data is automatically encrypted and can only be decrypted when accessed by a privileged application.
1. Privileged Applications
Like other device types, Windows 10 supports the ability to push down apps in a "managed" state, which grants them capabilities that other apps do not have. However, Windows 10 can also put apps that were not pushed through MDM into a managed state. An administrator can specify that any application installed on a device is a privileged application, which automatically places it in a managed state. For example, if an application such as Notepad is installed on the device prior to enrollment, AirWatch can still put that app into a managed state upon enrollment.
In addition to identifying certain applications as privileged applications, each application can be configured with different per-app VPN settings (refer to Adding a VPN Profile). Depending on the needs of the organization, every privileged application can have a unique VPN configuration, all privileged applications can share the same VPN configuration, or anything in between. This gives administrators the flexibility to microsegment their internal network: dividing the network into smaller domains ensures that each internal endpoint is reachable only by the appropriate application.
With Windows 10, Microsoft will also deliver an updated Windows SDK that will allow all application developers to better handle corporate data. Application developers will be able to determine exactly how they choose to handle both corporate and personal data if the application is marked as privileged. For example, if Notepad is a privileged application, a user may still want to use it to create and save a personal file. As this application is updated in Windows 10 to utilize the new SDK, a user will be able to save any new file as either "corporate" or "personal." For other applications, the application developers may choose to only allow the application to save "corporate" files if it is marked as privileged.
Note: Per Microsoft recommendations, do not set Microsoft Office 2010 or 2013 applications as privileged. These apps do not yet utilize the latest SDK and are currently not supported in this use case.
1.4. General Profile Settings
- Enter "Windows Information Protection" into the Name field
- Select your "All Devices" smart group for the Assigned Groups
1.5. Data Protection
- Click Data Protection
- Click Configure
1.6. Enterprise Applications
1.7. Search: AirWatch Content Locker
- Click Select next to AirWatch - Content Locker application
2. Enterprise Boundaries
On Windows 10, administrators can specify an enterprise boundary to automatically encrypt any "work" data that is downloaded to a device. For example, an administrator can specify certain IP ranges or domains as a protected network. Any data downloaded from these locations is automatically encrypted on the device and can only be opened by privileged applications. For example, if the domain air-watch.com is specified as a protected network, then any data downloaded from sharepoint.air-watch.com can only be opened by the privileged applications on that device. Additionally, an administrator can specify that any IP address located in the internal company network is in the protected network.
Likewise, any email attachments that have been sent from a user whose domain is in the protected network will also be encrypted and can only be opened by a privileged application.
3. Levels of Protection
An administrator can configure different levels of protection for different groups of end users, depending on the demands of the organization. These settings are:
- Block: Corporate data can only be accessed from privileged applications.
- Override: If a user attempts to access corporate data with a non-privileged application, a warning prompt will appear. A user can still choose to complete the action, but the action will be logged in an audit log.
- Audit: If a user attempts to access corporate data with a non-privileged application, they will be allowed to do so. However, the action will be logged in an audit log.
- Off: EDP is disabled.
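To make the enterprise-boundary and enforcement-level rules above concrete, here is an added Python model (example code, not AirWatch or Windows code) of how a download's source host is classified as corporate data and how each level treats a non-privileged app; the policy shape, app names, hosts and IP range are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class WipPolicy:
    """Constructed policy shape for illustration; not AirWatch's real schema."""
    protected_domains: set      # enterprise boundary: DNS domains, e.g. {"air-watch.com"}
    protected_networks: list    # enterprise boundary: internal IP ranges as CIDR strings
    privileged_apps: set        # apps placed in a "managed" state
    level: str                  # "Block" | "Override" | "Audit" | "Off"

def is_protected_source(policy, host):
    """Data downloaded from inside the enterprise boundary is tagged corporate."""
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in ipaddress.ip_network(cidr) for cidr in policy.protected_networks)
    except ValueError:
        pass  # not an IP literal, so match it as a DNS name instead
    host = host.lower().rstrip(".")
    # Exact match or a true subdomain only: "notair-watch.com" must not match "air-watch.com"
    return any(host == d or host.endswith("." + d) for d in policy.protected_domains)

def evaluate_access(policy, app, source_host, audit_log, user_confirms=False):
    """Decide 'allow', 'prompt' or 'deny' for an app opening data from source_host."""
    if policy.level == "Off" or not is_protected_source(policy, source_host):
        return "allow"                      # personal data, or protection disabled
    if app in policy.privileged_apps:
        return "allow"                      # privileged apps can decrypt corporate data
    if policy.level == "Block":
        return "deny"
    if policy.level == "Override":
        if not user_confirms:
            return "prompt"                 # warn; the user may still choose to continue
        audit_log.append(f"override: {app} opened corporate data from {source_host}")
        return "allow"
    if policy.level == "Audit":
        audit_log.append(f"audit: {app} opened corporate data from {source_host}")
        return "allow"
    raise ValueError(f"unknown enforcement level: {policy.level}")

if __name__ == "__main__":
    log = []
    policy = WipPolicy({"air-watch.com"}, ["10.0.0.0/8"],
                       {"AirWatch Content Locker"}, "Override")
    print(evaluate_access(policy, "Dropbox", "sharepoint.air-watch.com", log))        # prompt
    print(evaluate_access(policy, "Dropbox", "sharepoint.air-watch.com", log, True))  # allow
    print(evaluate_access(policy, "Dropbox", "10.20.30.40", log))                     # prompt
    print(evaluate_access(policy, "Dropbox", "public-share.example", log))            # allow
    print(log)
```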
3.1. Enforcement Policies
3.2. Search for MMC
- Expand Certificates - Current User > Personal > Certificates
- Right click the "Administrator" certificate
- Click All Tasks
- Click Export...
3.13. Export Successful
3.15. File Upload
3.17. Save & Publish
- Click Save & Publish
3.18. Device Assignment
- Click Publish
3.19. Verify Profile
You should now see your Windows Information Protection profile. In this workshop we configured a simple Data Protection use case; in production you will want to define every application that handles corporate data as a corporate application.
4. Sharing Data to the Cloud
WIP is intended to protect corporate information at the device level. However, if data is transferred to a file share or some sort of cloud repository, WIP itself cannot guarantee data protection. Protecting data even when it is shared requires Rights Management Services (RMS) integration, such as Azure RMS. By integrating with Azure RMS, you can ensure that even if data is copied from a managed device to a file share or internal cloud repository, it remains secured and accessible only by other managed devices. The data is encrypted prior to transfer with encryption keys that are managed by RMS. Thus, while WIP protects data on the device itself, RMS is integral to protecting data when it is transferred to the cloud or to other internal systems.
As a final note, third-party apps that sync to the cloud (such as Dropbox) will be unable to access corporate files unless they are marked as privileged apps. However, if these applications are marked as privileged, corporate data can be synced to their respective clouds.