mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
new image
commit
2e71b9b043
@ -11,7 +11,7 @@ manager: dansimp
|
|||||||
audience: ITPro
|
audience: ITPro
|
||||||
ms.collection: M365-security-compliance
|
ms.collection: M365-security-compliance
|
||||||
ms.topic: conceptual
|
ms.topic: conceptual
|
||||||
ms.date: 03/25/2019
|
ms.date: 04/12/2019
|
||||||
---
|
---
|
||||||
|
|
||||||
# Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune
|
# Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune
|
||||||
@ -23,21 +23,20 @@ ms.date: 03/25/2019
|
|||||||
|
|
||||||
Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune only manages the apps on a user's personal device.
|
Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune only manages the apps on a user's personal device.
|
||||||
|
|
||||||
>[!NOTE]
|
## Differences between MDM and MAM for WIP
|
||||||
>If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**). the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. MAM supports only one user per device.
|
|
||||||
|
|
||||||
## Prerequisites
|
- If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access.
|
||||||
|
- MAM supports only one user per device.
|
||||||
Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
|
- MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md).
|
||||||
|
- MAM has additional **Access** settings for Windows Hello for Business.
|
||||||
## Differences between MDM and MAM
|
- MAM can [selectively wipe company data](https://docs.microsoft.com/intune/apps-selective-wipe) from a user's personal device.
|
||||||
|
- MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses).
|
||||||
Same user/app targeted
|
- An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
|
||||||
Can only manage enlightened apps
|
|
||||||
MAM has additional [access settings](#access-settings-for-mam) for Windows Hello for Business.
|
|
||||||
|
|
||||||
## Configure the MDM or MAM provider
|
## Configure the MDM or MAM provider
|
||||||
|
|
||||||
|
Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD).
|
||||||
|
|
||||||
1. Sign in to the Azure portal.
|
1. Sign in to the Azure portal.
|
||||||
2. Click **Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**.
|
2. Click **Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**.
|
||||||
3. Click **Restore Default URLs** or enter the settings for MDM or MAM user scope and click **Save**:
|
3. Click **Restore Default URLs** or enter the settings for MDM or MAM user scope and click **Save**:
|
||||||
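Review bot: the "Azure Active Direcory" typo from the removed prerequisites paragraph is carried over into the new bullet "MAM requires an [Azure Active Direcory (Azure AD) Premium license]"; fix the link text to "Azure Active Directory" while moving it. Two placement problems in the new "Differences between MDM and MAM for WIP" list: the bullet "An Azure AD Premium license is also required for WIP auto-recovery ... which requires device auto-enrollment with MDM" is a prerequisite of the MDM path, not a difference between the two modes, so it belongs under the retained "Configure the MDM or MAM provider" section (or a kept "Prerequisites" heading) rather than in this list; and the removed line "MAM has additional [access settings](#access-settings-for-mam) for Windows Hello for Business." becomes "MAM has additional **Access** settings for Windows Hello for Business." with the in-page link dropped. Since this same commit renames that heading to "### Configure Windows Hello for Business for MAM", keep the cross-reference and point it at the new anchor (`#configure-windows-hello-for-business-for-mam`) instead of deleting it.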
@ -307,11 +306,11 @@ For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com
|
|||||||
|
|
||||||
6. On the **Conditions** page, click **Path** and then click **Next**.
|
6. On the **Conditions** page, click **Path** and then click **Next**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
7. Click **Browse Folders...** and select the path for the unsigned apps. For this example, we’re using "C:\Program Files".
|
7. Click **Browse Folders...** and select the path for the unsigned apps. For this example, we’re using "C:\Program Files".
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
8. On the **Exceptions** page, add any exceptions and then click **Next**.
|
8. On the **Exceptions** page, add any exceptions and then click **Next**.
|
||||||
|
|
||||||
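Review bot: step 7 now references `images/wip-applocker-secpol-wizard-6.png`, a file this commit does not add; the only binary change shown is a modification of an existing image (Before 30 KiB, After 34 KiB), so confirm `-6.png` is already present in `images/` or the step-7 screenshot will render as a broken link. The shift of step 6 from `-4.png` to `-5.png` likewise implies an earlier step outside this hunk took over `-4.png`; check that the off-by-one is applied consistently across the whole AppLocker wizard sequence and not only in these two steps.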
@ -608,11 +607,69 @@ Optionally, if you don’t want everyone in your organization to be able to shar
|
|||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic.
|
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic.
|
||||||
|
|
||||||
## Access settings for MAM
|
### Configure Windows Hello for Business for MAM
|
||||||
|
If you created a WIP policy for MAM, you can turn on Windows Hello for Business, letting your employees use it as a sign-in method for their devices.
|
||||||
|
|
||||||
If you created a WIP polciy for MAM, you can set Access settings for Windows Hello for Business under Advanced settings.
|
**To turn on and configure Windows Hello for Business**
|
||||||
|
|
||||||
|
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
|
||||||
|
|
||||||
|
The **Advanced settings** blade appears.
|
||||||
|
|
||||||
|
2. Choose to turn on and configure the Windows Hello for Business settings:
|
||||||
|
|
||||||
|

|
||||||
|
|
||||||
|
- **Use Windows Hello for Business as a method for signing into Windows.** Turns on Windows Hello for Business. The options are:
|
||||||
|
|
||||||
|
- **On.** Turns on Windows Hello For Business for anyone assigned to this policy.
|
||||||
|
|
||||||
|
- **Off.** Turns off Windows Hello for Business.
|
||||||
|
|
||||||
|
- **Set the minimum number of characters required for the PIN.** Enter a numerical value (4-127 characters) for how many characters must be used to create a valid PIN. Default is 4 characters.
|
||||||
|
|
||||||
|
- **Configure the use of uppercase letters in the Windows Hello for Business PIN.** Lets you decide whether uppercase letters can be used in a valid PIN. The options are:
|
||||||
|
|
||||||
|
- **Allow the use of uppercase letters in PIN.** Lets an employee use uppercase letters in a valid PIN.
|
||||||
|
|
||||||
|
- **Require the use of at least one uppercase letter in PIN.** Requires an employee to use at least 1 uppercase letter in a valid PIN.
|
||||||
|
|
||||||
|
- **Do not allow the use of uppercase letters in PIN.** Prevents an employee from using uppercase letters in a valid PIN.
|
||||||
|
|
||||||
|
- **Configure the use of lowercase letters in the Windows Hello for Business PIN.** Lets you decide whether lowercase letters can be used in a valid PIN. The options are:
|
||||||
|
|
||||||
|
- **Allow the use of lowercase letters in PIN.** Lets an employee use lowercase letters in a valid PIN.
|
||||||
|
|
||||||
|
- **Require the use of at least one lowercase letter in PIN.** Requires an employee to use at least 1 lowercase letter in a valid PIN.
|
||||||
|
|
||||||
|
- **Do not allow the use of lowercase letters in PIN.** Prevents an employee from using lowercase letters in a valid PIN.
|
||||||
|
|
||||||
|
- **Configure the use of special characters in the Windows Hello for Business PIN.** Lets you decide whether special characters can be used in a valid PIN. The options are:
|
||||||
|
|
||||||
|
- **Allow the use of special characters in PIN.** Lets an employee use special characters in a valid PIN.
|
||||||
|
|
||||||
|
- **Require the use of at least one special character in PIN.** Requires an employee to use at least 1 special character in a valid PIN.
|
||||||
|
|
||||||
|
- **Do not allow the use of special characters in PIN.** Prevents an employee from using special characters in a valid PIN.
|
||||||
|
|
||||||
|
- **Specify the period of time (in days) that a PIN can be used before the system requires the user to change it.** Enter a numerical value (0-730 days) for how many days can pass before a PIN must be changed. If you enter a value of 0, the PIN never expires.
|
||||||
|
|
||||||
|
- **Specify the number of past PINs that can be associated to a user account that can't be reused.** Enter a numerical value (0-50 days) for how many days can pass before an employee can reuse a previous PIN. If you enter a value of 0, a PINs can be reused immediately and past PINs aren't stored.
|
||||||
|
|
||||||
|
>[!NOTE]
|
||||||
|
>PIN history is not preserved through a PIN reset.
|
||||||
|
|
||||||
|
- **Number of authentication failures allowed before the device will be wiped.** Enter a numerical value for how many times the PIN can be incorrectly entered before wiping the device of corporate data. If you enter a value of 0, the device is never wiped, regardless of the number of incorrect PIN entries.<p>This setting has different behavior for mobile devices and desktops.
|
||||||
|
|
||||||
|
- **On mobile devices.** When an employee reaches the value set here, the device is wiped of corporate data.
|
||||||
|
|
||||||
|
- **On desktop devices.** When an employee reaches the value set here, the desktop is put into BitLocker recovery mode, instead of being wiped. You must have BitLocker installed on the device or this setting is ignored.
|
||||||
|
|
||||||
|
- **Maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked.** Enter a numerical value for how many days can pass before a PIN must be changed. If you enter a value of 0, the device never becomes PIN or password locked while idle.
|
||||||
|
|
||||||
|
>[!NOTE]
|
||||||
|
>You can set this value to be anything; however, it can't be longer than the time specified by the **Settings** app. If you exceed the maximum timeout value, this setting is ignored.
|
||||||
|
|
||||||

|
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
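Review bot: two of the new setting descriptions describe the wrong quantity, which matters because administrators will size PIN history and idle lockout from this text. "Specify the number of past PINs that can be associated to a user account that can't be reused. Enter a numerical value (0-50 days) for how many days can pass before an employee can reuse a previous PIN" mixes a PIN-history count with a day count; the setting name says it is a number of past PINs, so the range should read 0-50 PINs and the sentence should say how many previous PINs are remembered and blocked from reuse (also "a PINs can be reused" should be "a PIN can be reused"). "Maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Enter a numerical value for how many days can pass before a PIN must be changed" repeats the expiry sentence from the bullet two entries above; it should say how many minutes of inactivity are allowed before the device locks. Smaller points in the same hunk: "You must have BitLocker installed on the device or this setting is ignored" should say "enabled" or "turned on", since the behaviour depends on BitLocker being active, not merely present; and the inline `<p>` in the "Number of authentication failures allowed before the device will be wiped" bullet should be replaced with a plain sentence or a list break to match the rest of the list.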
@ -626,7 +683,5 @@ If you created a WIP polciy for MAM, you can set Access settings for Windows Hel
|
|||||||
|
|
||||||
- [Intune MAM Without Enrollment](https://blogs.technet.microsoft.com/configmgrdogs/2016/02/04/intune-mam-without-enrollment/)
|
- [Intune MAM Without Enrollment](https://blogs.technet.microsoft.com/configmgrdogs/2016/02/04/intune-mam-without-enrollment/)
|
||||||
|
|
||||||
- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
|
|
||||||
|
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
|
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
|
||||||
|
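Review bot: the added related-topic link "Azure RMS Documentation Update for May 2016" is a dated blog announcement rather than reference documentation, and the page already links the durable docs page for this subject ("Configuring custom templates for the Azure Rights Management service") in the note earlier in this diff; prefer that link or another docs.microsoft.com page here, since a "documentation update" post goes stale quickly. The existing entry above it in this hunk's context, "Intune MAM Without Enrollment" (a 2016 blog post), has the same problem, so if the list is being touched anyway, revisit both.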
@ -13,7 +13,7 @@ manager: dansimp
|
|||||||
audience: ITPro
|
audience: ITPro
|
||||||
ms.collection: M365-security-compliance
|
ms.collection: M365-security-compliance
|
||||||
ms.topic: conceptual
|
ms.topic: conceptual
|
||||||
ms.date: 02/26/2019
|
ms.date: 04/11/2019
|
||||||
---
|
---
|
||||||
|
|
||||||
# How Windows Information Protection (WIP) protects a file that has a sensitivity label
|
# How Windows Information Protection (WIP) protects a file that has a sensitivity label
|
||||||
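Review bot: this file's `ms.date` moves to 04/11/2019 while the first file in the same commit moves to 04/12/2019; use one date for both files in a single commit. Otherwise this is a metadata-only hunk.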
@ -34,8 +34,6 @@ Microsoft information protection technologies include:
|
|||||||
|
|
||||||
- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects local data at rest on endpoint devices, and manages apps to protect local data in use. Data that leaves the endpoint device, such as email attachment, is not protected by WIP.
|
- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects local data at rest on endpoint devices, and manages apps to protect local data in use. Data that leaves the endpoint device, such as email attachment, is not protected by WIP.
|
||||||
|
|
||||||
- [Office 365 Information Protection](https://docs.microsoft.com/office365/securitycompliance/office-365-info-protection-for-gdpr-overview) is a solution to classify, protect, and monitor personal data in Office 365.
|
|
||||||
|
|
||||||
- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. Azure Information Protection is applied directly to content, and roams with the content as it's moved between locations and cloud services.
|
- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. Azure Information Protection is applied directly to content, and roams with the content as it's moved between locations and cloud services.
|
||||||
|
|
||||||
- [Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security) is a cloud access security broker (CASB) solution that allows you to discover, classify, protect, and monitor user data in first-party and third-party Software-as-a-Service (SaaS) apps used by your organization.
|
- [Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security) is a cloud access security broker (CASB) solution that allows you to discover, classify, protect, and monitor user data in first-party and third-party Software-as-a-Service (SaaS) apps used by your organization.
|
||||||
|
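Review bot: the bullet "[Office 365 Information Protection](https://docs.microsoft.com/office365/securitycompliance/office-365-info-protection-for-gdpr-overview) is a solution to classify, protect, and monitor personal data in Office 365." is removed from the list of Microsoft information protection technologies with no replacement and no explanation, and the commit message "new image" does not cover it. If the link target or product name changed, substitute the current entry rather than dropping the Office 365 layer from the list, or state the reason for the removal in the commit message.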
Binary file not shown.
Before Width: | Height: | Size: 30 KiB After Width: | Height: | Size: 34 KiB |