deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Fixed branding and removed slug

Browse Source
This commit is contained in:
LizRoss 2016-07-21 17:45:50 -07:00
parent e190dca28f
commit 62147edd56
1 changed files with 19 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
View File

@ -1,8 +1,8 @@
---
title: Add apps to your enterprise data protection (EDP) policy by using Microsoft Intune and custom URI functionality (Windows 10)
description: Add apps to your enterprise data protection (EDP) allowed app list, by using the Microsoft Intune custom URI functionality and AppLocker.
title: Add apps to your Windows Information Protection (WIP) policy by using Microsoft Intune and custom URI functionality (Windows 10)
description: Add apps to your Windows Information Protection (WIP) allowed app list, by using the Microsoft Intune custom URI functionality and AppLocker.
ms.assetid: b50db35d-a2a9-4b78-a95d-a1b066e66880
keywords: EDP, Enterprise Data Protection, protected apps, protected app list
keywords: WIP, Enterprise Data Protection, protected apps, protected app list
ms.prod: w10
ms.mktglfcycl: explore
ms.pagetype: security
@ -10,17 +10,15 @@ ms.sitesec: library
author: eross-msft
---
# Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality
# Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality
**Applies to:**
- Windows 10 Insider Preview
- Windows 10, version 1607
- Windows 10 Mobile Preview
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You can add apps to your Windows Information Protection (WIP) protected app list using the Microsoft Intune custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330).
You can add apps to your enterprise data protection (EDP) protected app list using the Microsoft Intune custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330).
>**Important**  
>**Important**<br>
Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy.
## Add Store apps
@ -28,15 +26,15 @@ Results can be unpredictable if you configure your policy using both the UI and
2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, right-click **Packaged app Rules**, and then click **Automatically Generate Rules**.
The **Automatically Generate Packaged app Rules** wizard opens, letting you create EDP-protected app polices for all of the installed apps on the device or for packaged apps within a specific folder.
The **Automatically Generate Packaged app Rules** wizard opens, letting you create WIP-protected app polices for all of the installed apps on the device or for packaged apps within a specific folder.
3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.
You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users.
You want to keep this value because your WIP policy needs to apply to the device being managed, not a single user or group of users.
4. Type the name youll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.
This name should be easily recognizable, such as *EDP_StoreApps_Rules*.
This name should be easily recognizable, such as *WIP_StoreApps_Rules*.
5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
@ -67,29 +65,29 @@ Results can be unpredictable if you configure your policy using both the UI and
```
15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.<p>
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
## Add Desktop apps
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, right-click **Executable Rules**, and then click **Automatically Generate Rules**.
The **Automatically Generate Executable Rules** wizard opens, letting you create EDP-protected app polices by analyzing the files within a specific folder.
The **Automatically Generate Executable Rules** wizard opens, letting you create WIP-protected app polices by analyzing the files within a specific folder.
3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.
You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users.
You want to keep this value because your WIP policy needs to apply to the device being managed, not a single user or group of users.
4. Type the name youll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.
This name should be easily recognizable, such as *EDP_DesktopApps_Rules*.
This name should be easily recognizable, such as *WIP_DesktopApps_Rules*.
5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
>**Important**<br>You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
<p>
>**Note**<br>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<p>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass enterprise data protection (EDP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
>**Note**<br>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<p>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
6. In the **Review Rules** screen, look over your rules to make sure theyre right, and then click **Create** to add them to your collection of rules.
@ -117,12 +115,12 @@ After saving the policy, youll need to deploy it to your employees devices
15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
##Related topics
- [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
- [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)
- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md)
- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)