
Windows Information Protection…notes from the field! #MSIgnite


Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps organizations to protect corporate data against potential data leakage.

The concept is fairly simple and is actually based on defining two lists:

  • A corporate boundary list, which represents both on-premise & cloud network locations where managed apps can access corporate data;
  • A list of managed (trusted) apps, which are allowed to open, modify & store corporate data within the corporate boundary list.

In this blog we will look at some practical examples you have to consider for a successful implementation of Windows Information Protection, including our top four recommended practices.

Define your corporate identity

During the initial deployment we were facing issues with applications like Intune Company Portal (Store App), Dynamics CRM (Store App), Power BI (Store App) and Skype for Business (Desktop App). What these applications have in common is the fact that we need to log on with corporate credentials (identity) before we’re able to use the applications.

Corporate identity, usually expressed as your primary Internet domain (for example, inovativ.nl), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by Windows Information Protection policies. The same applied to the apps mentioned above, which were blocked because they were not on the managed app list.

After we added Intune Company Portal, Dynamics CRM, Power BI and Skype for Business to the managed app list we were able to use the applications again.

You can specify multiple domains owned by your enterprise by separating them with the “|” character, for example (inovativ.nl|inovativ.be|livecare.nl). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. It’s recommended that you include all of your email address domains in this list.

Corporate Network boundaries

Chances are that you have your corporate data in the cloud, which makes it all the more important that these cloud locations fall within the defined corporate network boundaries. This ensures that only your managed applications are able to access this data. Below is an overview of some examples of cloud network locations you can define; the list will vary based on the number of cloud services you use.

Cloud Service(s)      URL                     Application(s)
SharePoint Online     .sharepoint.com         OneDrive for Business, OneNote (Desktop App)
SharePoint MySite     -my.sharepoint.com      OneDrive for Business, OneNote (Desktop App)
Power BI              app.powerbi.com         Microsoft Power BI (Store App)
Dynamics CRM Online   .crm4.dynamics.com      Microsoft Dynamics CRM (Store App)
Exchange Online       outlook.office365.com   Microsoft Outlook (Desktop App)

During the deployment we were facing issues with the default Office applications like Excel, PowerPoint & Word. The same applies to OneDrive for Business, OneNote & Outlook 2016. We couldn’t synchronize files with OneDrive for Business and weren’t able to open and edit Office documents located on SharePoint Online.

In order to be able to access corporate data on the above cloud locations we had to add the complete Office 2016 suite to the managed application list. The same applies to any additional browser of choice from which you want to edit your Office documents online. Instead of defining the Office applications separately we added the Office 2016 suite as a whole by using the following application rule.

By adding the complete Office suite, including Office Mobile and the browser (Internet Explorer, Chrome or Firefox) of choice, we remain productive and protect corporate data against accidental data leakage at the same time.

Word 2016

Another aspect of defining your managed applications is the difference between desktop and store (modern/UWP) applications. As OneNote 2016 has a different product name than Office 2016, we had to add OneNote as a separate desktop app complementary to the Office 2016 suite.

Adding OneNote as managed app solved this challenge…at least for the OneNote desktop version.

OneNote Desktop App

Get-AppLockerFileInformation -Directory "C:\Program Files (x86)\Microsoft Office\Root\Office16" -Recurse -FileType Exe | Where-Object { $_.Path -like "*onenote*" } | Format-List

OneNote is an exception as it’s available as both a desktop and a store application. In order to ensure OneNote is working we had to add both application types to the managed application list.

OneNote Universal (Store) App

Get-AppxPackage | Select-Object Name, Publisher | Where-Object { $_.Name -like "*onenote*" } | Format-List

So the solution was obvious: adding the OneNote store app to the managed application list.
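As an added example (not from the original post), here is how the two one-liners above can be turned into the AppLocker publisher rules that the WIP managed app list accepts, covering the three cases discussed: the Office 2016 suite as a whole, OneNote 2016 as a desktop app with its own product name, and OneNote as a store app. It assumes the Click-to-Run install path shown and that the AppLocker module is available on the reference machine.

```powershell
# Added example, not code from the post. Assumed install path; adjust as needed.
$officeRoot = 'C:\Program Files (x86)\Microsoft Office\Root\Office16'
$outDir     = Join-Path $env:TEMP 'wip-app-rules'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Signer information for every Office executable. A publisher rule built from
# this covers Word, Excel, PowerPoint, Outlook etc. in one entry, because they
# share the same publisher and product name.
$officeFiles = Get-AppLockerFileInformation -Directory $officeRoot -Recurse -FileType Exe

# Show which publisher/product names the rules will be based on, so you can
# spot products that do not share the suite's product name (OneNote 2016).
$officeFiles |
    Select-Object -ExpandProperty Publisher |
    Select-Object PublisherName, ProductName |
    Sort-Object PublisherName, ProductName -Unique |
    Format-Table -AutoSize

# 1. Desktop suite rule (excluding OneNote, which gets its own rule below).
$officeFiles |
    Where-Object { $_.Path -notlike '*onenote*' } |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml |
    Out-File -FilePath (Join-Path $outDir 'office16-desktop.xml') -Encoding utf8

# 2. OneNote 2016 desktop rule: different product name, so a separate entry.
$officeFiles |
    Where-Object { $_.Path -like '*onenote*' } |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml |
    Out-File -FilePath (Join-Path $outDir 'onenote16-desktop.xml') -Encoding utf8

# 3. OneNote store (UWP) rule: built from the package identity, not a file path.
Get-AppxPackage -Name '*OneNote*' |
    Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml |
    Out-File -FilePath (Join-Path $outDir 'onenote-store.xml') -Encoding utf8

Get-ChildItem $outDir
```

Each XML file can then be imported as an AppLocker policy file when defining the managed (desktop or store) apps in the WIP policy; review the generated rules before importing, as a publisher rule without a product name would cover every signed Microsoft binary.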

Windows 10 Mobile Experience

So now we’re all good…or so you thought! As you probably already know, Windows Information Protection is available for both Windows 10 and Windows 10 Mobile. The same challenges we saw on Windows 10 also applied to Windows 10 Mobile, with most applications working once they were added to the managed application list.

Once the Windows Information Protection policy was applied to our Windows 10 Mobile devices we couldn’t use the Microsoft Calendar & Mail app anymore: neither mail nor calendar items would sync from that moment on.

Windows 10 Calendar & Mail app

The challenging part here was to retrieve the application information of the Microsoft Calendar & Mail app in order to add it to the managed applications list. As it’s a Universal Windows app, the code base is the same for both Windows 10 and Windows 10 Mobile. Therefore we could retrieve the application information from a Windows 10 device on which the Microsoft Calendar & Mail app is installed.

The rest is history. After adding the Microsoft Calendar & Mail app to the managed application list we were able to receive and send e-mail again.

Lessons learned

To achieve a successful implementation of Windows Information Protection, it is important that you have a clear understanding of what your scope is. Understand which corporate identities exist within your organization and which of them you want to protect with Windows Information Protection. Defining corporate identities might lead to (temporary) non-functioning of your applications.

  • Tip 1: Identify the corporate identities which are in scope;
  • Tip 2: Identify the applications which explicitly use corporate identities;
  • Tip 3: Have an overview of the applications that use data located within your corporate network boundaries;
  • Tip 4: Define your managed applications first, and your network boundaries second.

Furthermore, it is important to have a clear picture of the relationship between the applications you currently use (both desktop and store) and the definition of your corporate network locations, whether on-premises or in the cloud.
