deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

added image

Browse Source
This commit is contained in:
Justin Hall 2019-03-08 14:56:23 -08:00
parent 3cc8b5970b
commit 181ca0dc90
2 changed files with 52 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
View File

@ -352,9 +352,6 @@ After you've added the apps you want to protect with WIP, you'll need to apply a
We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Block**. We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Block**.
>[!NOTE]
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
1. From the **App protection policy** blade, click the name of your policy, and then click **Required settings**. 1. From the **App protection policy** blade, click the name of your policy, and then click **Required settings**.
![Microsoft Intune, Required settings blade showing Windows Information Protection mode](images/wip-azure-required-settings-protection-mode.png) ![Microsoft Intune, Required settings blade showing Windows Information Protection mode](images/wip-azure-required-settings-protection-mode.png)
@ -377,10 +374,14 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
1. From the **App policy** blade, click the name of your policy, and then click **Required settings**. 1. From the **App policy** blade, click the name of your policy, and then click **Required settings**.
2. If the auto-defined identity isnt correct, you can change the info in the **Corporate identity** field. If you need to add domains, for example your email domains, you can do it in the **Advanced settings** area. 2. If the auto-defined identity isnt correct, you can change the info in the **Corporate identity** field.
![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png) ![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png)
3. To add domains, such your email domain names, click **Configure Advanced settings** > **Add network boundary** and select **Protected domains**.
![Add protected domains](images/add-protected-domains.png)
## Choose where apps can access enterprise data ## Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
@ -391,28 +392,56 @@ There are no default locations included with WIP, you must add each of your netw
**To define where your protected apps can find and send enterprise data on you network** **To define where your protected apps can find and send enterprise data on you network**
1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings**. Click **App policy** > the name of your policy > **Advanced settings** > **Add network boundary**.
2. Click **Add network boundary** from the Network perimeter area.
![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png) ![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png)
3. Select the type of network boundary to add from the **Boundary type** box. Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the following options, and then click **OK**.
### Cloud resources
Specify the cloud resources to be treated as corporate and protected by WIP.
For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource.
Be aware that all traffic routed through your Internal proxy servers is considered enterprise.
Separate multiple resources with the "|" delimiter.
If you dont use proxy servers, you must also include the "," delimiter just before the "|".
For example:
```code
URL <,proxy>|URL <,proxy>
```
Personal applications will be able to access a cloud resource that has a blank space or an invalid character, such as a trailing dot in the URL.
To add a subdomain for a cloud resource, use a period (.) instead of an asterisk (*). For example, to add all subdomains within Office.com, use ".office.com" (without the quotation marks).
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site.
In this case, Windows blocks the connection by default.
To stop Windows from automatically blocking these connections, you can add the `/*AppCompat*/` string to the setting.
For example:
```code
URL <,proxy>|URL <,proxy>/*AppCompat*/
```
When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the **Domain joined or marked as compliant** option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
Value format with proxy:
```code
contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,contoso.internalproxy2.com
```
Value format without proxy:
```code
contoso.sharepoint.com|contoso.visualstudio.com
```
### Protected domains
4. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the following options, and then click **OK**.
<table>
<tr>
<th>Boundary type</th>
<th>Value format</th>
<th>Description</th>
</tr>
<tr>
<td>Cloud Resources</td>
<td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<br><br><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<br><br>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<br><br>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<br><br><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.<br><br>When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.</td>
</tr>
<tr>
<td>Protected domains</td> <td>Protected domains</td>
<td>exchange.contoso.com,contoso.com,region.contoso.com</td> <td>exchange.contoso.com,contoso.com,region.contoso.com</td>
<td>Specify the domains used for identities in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<br><br>If you have multiple domains, you must separate them using the "," delimiter.</td> <td>Specify the domains used for identities in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<br><br>If you have multiple domains, you must separate them using the "," delimiter.</td>

BIN
windows/security/information-protection/windows-information-protection/images/add-protected-domains.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 108 KiB