You’ve probably heard a lot about the app protection policies available for iOS and Android when using Intune or SCCM to manage those devices. And, chances are, you’ve asked yourself and others what’s the deal with protecting data on Windows devices? Well, here’s your answer: Windows Information Protection (WIP)—previously known as Enterprise Data Protection (EDP). I’ll get to how to use WIP policies with Intune and SCCM in a second, but first let’s talk about why we’re here. We need WIP to protect company data on Windows devices.
Everyone knows there’s been a great increase over the past few years of people using their mobile devices for both work and personal tasks. That’s the essence of BYOD really; people just want to work when they feel like it and on their favorite device du jour. Most employees are good people who want to follow the rules about mixing personal and company information, but let’s face it, accidents happen. Accidents like sending business-related emails from a personal email account, sharing company information on social media or saving it in personal cloud storage. When data leaves corporate control it’s gone forever and who knows where it will end up or what damage those inadvertent data leaks might cause. So, instead of learning how bad a data leak can be, let’s try to avoid them by implementing WIP policies that protect company data on Windows 10 devices managed by Intune.
Note: I can only make these blog posts so long so I’m going to show you how to use Intune to create and deploy WIP policies, but you can do the same thing with SCCM. I’ll also show the end-user experience in my next post to avoid tl;dr.
Before getting started, you should understand two important pieces of information. First, WIP polices are only supported for Windows 10 version 1607 (aka the anniversary update) or later PCs. Not Windows 7, not Windows 8, and definitely not Windows 10 version 1511. Next, you should not consider WIP an all-in-one solution for company data protection. These policies (whether iOS and Android app protection policies or Windows WIP policies) will only protect data on the device. If you want to completely secure your app data you need to complement these policies with Azure Rights Management. That will protect company data when it leaves the device. Remember, identity is the new security perimeter. OK, time to get our hands dirty.
What apps do you want to protect?
To apply WIP policies to specific apps, you need to be able to identify them. Seems simple right? Well, it is if you know the necessary AppLocker information for an app off the top of your head. You do know the AppLocker publisher, product and binary name, and version for all your apps right? No? That’s OK. There are many ways to get this information and I’ll show you two of the easiest. Bear with me, this is the hardest part.
You can use PowerShell and the Get-AppLockerFileInformation -Path “<path to your favorite .exe>“ command. That will return the AppLocker information for a specific .exe. If you want to find the information for multiple apps in one directory, just use the Get-AppLockerFileInformation -Directory “<path to your favorite directory>“. This will return something like the next screen shot so you can jot down the relevant AppLocker information:
Don’t want to use PowerShell or need to quickly find AppLocker information for many apps? No problem. On a test system with the apps installed that you want to protect with WIP policies, open the local group policy editor by running the gpedit.msc command. Navigate to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Executable Rules. You probably won’t see anything there and that’s OK. Just right-click on Executable Rules and select Automatically Generate Rules… Then just accept the defaults for the directory and rule preferences to create the default rules. Now just double-click your favorite app from the generated rules and copy down the AppLocker information:
Time to create a policy
Now I’ll show you how to create a WIP policy for Office using the information we just got. In the Intune console, start by creating a new WIP configuration policy for Windows 10 (POLICY > Add… > Windows > Windows Information Protection (Windows 10 Desktop and Mobile and later)). You need to fill in the name and description metadata like any other policy, but things get interesting when you start adding app rules. Click Add to open the Add App Rule dialog box. Give the rule a name, for this example leave the WIP mode set to allow, select the Desktop App rule template and then enter the AppLocker information discovered in the previous step. If your policy looks something like the below, click OK to save it.
Next it’s time to configure what we want to happen when someone tries to move data in or out of an app (paste/drop/share) that we’ve just told WIP to protect. There are several options here ranging from completely blocking the action (Block), allowing the action, but displaying a prompt and logging the action (Override), just allowing the action to happen and logging the event (Silent), and just turning the policy completely (Off). Select Override because that’s the most interesting for this demo and let’s move on.
Tip: You might want to use silent for a while to see how your company data is being moved in and out of apps that you want to protect before you begin enforcing rules. I’ll show you how to find the event log information in the next post.
After picking the restriction mode, you need to let the policy know how to recognize company resources and data. Define a corporate identity by listing the domains your company uses for company networks and emails. You can add multiple names by separating them with a | like this: jeffgilb.com|corp.jeffgilb.com. After that, you can define your network boundaries by IPv4 and IPv6 ranges, proxy server information, and other cloud resources. You can even add web site addresses here that you want to protect using the policy.
Almost done, now you just need to upload a data recovery agent (DRA) certificate so you’ll be able to recover encrypted data later if you need to. Woah! What’s this, PKI? I’m out. Stick around, this is an easy one.
To generate the needed DRA certificate, just open an administrator command prompt on a Windows 10 PC in your domain and run this command: Cipher /R:<name>. This will create two new files in whatever directory your command prompt is running in: a .PFX file with a certificate and private key and a .CER certificate file.
Back in the Intune admin console, click Browse and upload the .CER file you just created. Too easy. Now would be a good time to store those certificates somewhere safe in case you need them later.
The last step in defining the policy is to configure the Additional Settings options. These are self-explanatory so I won’t go into much detail here, but I always enable them all and show the WIP icon overlay when an app is protected by a WIP policy. I’ll show you what that looks like in the next blog post.
Finally, click Save Policy and then select Yes on the Deploy Policy dialog box to deploy your new WIP configuration policy to your Windows 10 mobile devices. In mere moments (sometimes seconds) your policy will be protecting company app data. Done!
Important: There are two ways to manage Windows 10 PCs with Intune. You can manage them with the Intune PC agent as a computer or through the MDM channel as a mobile device. Intune WIP policies do not work on PCs being managed as computers so there’s no use deploying a WIP configuration policy to them. If you want to use WIP policies on computers managed by traditional client management software, you’ll need to use SCCM.
That’s the end of the administrator experience for creating and deploying WIP policies. In my next post, I’ll show you what the end-user experience is like and how you can read event logs to see what WIP has been up to.
You’ve seen my blog; want to follow me on Twitter too? @JeffGilb.