deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 04:13:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into live

Browse Source
This commit is contained in:
LizRoss
2016-10-14 09:55:33 -07:00
parent f96a42b3d7 556ac88b92
commit 45972b72c5
63 changed files with 933 additions and 747 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
windows/keep-secure/TOC.md
View File

@ -34,6 +34,7 @@
### [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
#### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
#### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md)
#### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md)
#### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
#### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)

131
windows/keep-secure/app-behavior-with-wip.md Normal file
View File

@ -0,0 +1,131 @@
---
title: Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) (Windows 10)
description: How unenlightened and enlightened apps might behave, based on Windows Information Protection (WIP) networking policies, app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.
keywords: WIP, Enterprise Data Protection, EDP, Windows Information Protection, unenlightened apps, enlightened apps
ms.prod: w10
ms.mktglfcycl: explore
ms.pagetype: security
ms.sitesec: library
localizationpriority: high
---
# Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)
**Applies to:**
- Windows 10, version 1607
- Windows 10 Mobile
Windows Information Protection (WIP) classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data is encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or people will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default.
To avoid the automatic encryption of data, developers can enlighten apps by adding and compiling code using the Windows Information Protection application programming interfaces. The most likely candidates for enlightenment are apps that:
- Dont use common controls for saving files.
- Dont use common controls for text boxes.
- Simultaneously work on personal and corporate data (for example, contact apps that display personal and corporate data in a single view or a browser that displays personal and corporate web pages on tabs within a single instance).
We strongly suggest that the only unenlightened apps you add to your allowed apps list are Line-of-Business (LOB) apps.
>[!Note]
>For more info about creating enlightened apps, see the [Windows Information Protection (WIP)](https://msdn.microsoft.com/en-us/windows/uwp/enterprise/wip-hub) topic in the Windows Dev Center.
## Unenlightened app behavior
This table includes info about how unenlightened apps might behave, based on your Windows Information Protection (WIP) networking policies, your app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.
<table>
<tr>
<th>App rule setting</th>
<th align="center" colspan="2">Networking policy configuration</th>
</tr>
<tr>
<th>&nbsp;</th>
<th align="center">Name-based policies, without the <code>/*AppCompat*/</code> string</th>
<th align="center">Name-based policies, using the <code>/*AppCompat*/</code> string or proxy-based policies</th>
</tr>
<tr align="left">
<td><strong>Not required.</strong> App connects to enterprise cloud resources directly, using an IP address.</td>
<td>
<ul>
<li>App is entirely blocked from both personal and enterprise cloud resources.</li>
<li>No encryption is applied.</li>
<li>App cant access local Work files.</li>
</ul>
</td>
<td>
<ul>
<li>App can access both personal and enterprise cloud resources. However, you might encounter apps using policies that restrict access to enterprise cloud resources.</li>
<li>No encryption is applied.</li>
<li>App cant access local Work files.</li>
</ul>
</td>
</tr>
<tr align="left">
<td><strong>Not required.</strong> App connects to enterprise cloud resources, using a hostname.</td>
<td colspan="2">
<ul>
<li>App is blocked from accessing enterprise cloud resources, but can access other network resources.</li>
<li>No encryption is applied.</li>
<li>App cant access local Work files.</li>
</ul>
</td>
</tr>
<tr align="left">
<td><strong>Allow.</strong> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
<td colspan="2">
<ul>
<li>App can access both personal and enterprise cloud resources.</li>
<li>Auto-encryption is applied.</li>
<li>App can access local Work files.</li>
</ul>
</td>
</tr>
<tr align="left" colspan="2">
<td><strong>Exempt.</strong> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
<td colspan="2">
<ul>
<li>App can access both personal and enterprise cloud resources.</li>
<li>No encryption is applied.</li>
<li>App can access local Work files.</li>
</ul>
</td>
</tr>
</table>
## Enlightened app behavior
This table includes info about how enlightened apps might behave, based on your Windows Information Protection (WIP) networking policies, your app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.
<table>
<tr>
<th>App rule setting</th>
<th>Networking policy configuration for name-based policies, possibly using the <code>/*AppCompat*/</code> string, or proxy-based policies</th>
</tr>
<tr>
<td><strong>Not required.</strong> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
<td>
<ul>
<li>App is blocked from accessing enterprise cloud resources, but can access other network resources.</li>
<li>No encryption is applied.</li>
<li>App can't access local Work files.</li>
</ul>
</td>
</tr>
<tr>
<td><strong>Allow.</strong> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
<td>
<ul>
<li>App can access both personal and enterprise cloud resources.</li>
<li>App protects work data and leaves personal data unprotected.</li>
<li>App can access local Work files.</li>
</ul>
</td>
</tr>
<tr>
<td><strong>Exempt.</strong> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
<td>
<ul>
<li>App can access both personal and enterprise cloud resources.</li>
<li>App protects work data and leaves personal data unprotected.</li>
<li>App can access local Work files.</li>
</ul>
</td>
</tr>
</table>

4
windows/keep-secure/change-history-for-keep-windows-10-secure.md
View File

@ -16,7 +16,9 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
| New or changed topic | Description |
| --- | --- |
| [VPN technical guide](vpn-guide.md) | Multiple new topics, replacing previous **VPN profile options** topic |
|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added content about using ActiveX controls. |
|[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |New |
|[VPN technical guide](vpn-guide.md) | Multiple new topics, replacing previous **VPN profile options** topic |
## September 2016

9
windows/keep-secure/limitations-with-wip.md
View File

@ -71,7 +71,12 @@ This table provides info about the most common problems you might encounter whil
</tr>
<tr>
<td>You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.</td>
<td>A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**.</td>
<td>Open File Explorer and change the file ownership to **Personal** before you upload.</td>
<td>A message appears stating that the content is marked as <strong>Work</strong> and the user isn't given an option to override to <strong>Personal</strong>.</td>
<td>Open File Explorer and change the file ownership to <strong>Personal</strong> before you upload.</td>
</tr>
<tr>
<td>ActiveX controls should be used with caution.</td>
<td>Webpages that use ActiveX controls can potentially communicate with other outside processes that arent protected by using WIP.</td>
<td>We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.<p>For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).</td>
</tr>
</table>

3
windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
View File

@ -29,6 +29,9 @@ Configure your browser to allow cookies.
### No data is shown on the portal
If no data is displayed on the Dashboard portal even if no errors were encountered in the portal logs or in the browser console, you'll need to whitelist the threat intelligence, data access, and detonation endpoints that also use this protocol.
> [!NOTE]
> You must use the HTTPS protocol when adding the following endpoints.
Depending on your region, add the following endpoints to the whitelist:
U.S. region: