**Test your site on Microsoft Edge**
Test your site on Microsoft Edge for free instantly, with remote browser testing powered by BrowserStack. You can also use the linting tool sonarwhal to assess your site's accessibility, speed, security, and more.
Test your site on Microsoft Edge for free on BrowserStack
Use sonarwhal to improve your website.
**Improve compatibility with Enterprise Mode**
With Enterprise Mode you can use Microsoft Edge as your default browser, while ensuring apps continue working on IE11.
Use Enterprse mode to improve compatibility
Turn on Enterprise Mode and use a site list
Enterprise Site List Portal
Ultimate browser strategy on Windows 10
**Web Application Compatibility Lab Kit**
The Web Application Compatibility Lab Kit is a primer for the features and techniques used to provide web application compatibility during a typical enterprise migration to Microsoft Edge.
Find out more
**Test your site on Microsoft Edge** Test your site on Microsoft Edge for free instantly, with remote browser testing powered by BrowserStack. You can also use the linting tool sonarwhal to assess your site's accessibility, speed, security, and more. Test your site on Microsoft Edge for free on BrowserStack Use sonarwhal to improve your website. | **Improve compatibility with Enterprise Mode** With Enterprise Mode you can use Microsoft Edge as your default browser, while ensuring apps continue working on IE11. Use Enterprse mode to improve compatibility Turn on Enterprise Mode and use a site list Enterprise Site List Portal Ultimate browser strategy on Windows 10 | **Web Application Compatibility Lab Kit** The Web Application Compatibility Lab Kit is a primer for the features and techniques used to provide web application compatibility during a typical enterprise migration to Microsoft Edge. Find out more |
-
 **Deployment** Find resources, learn about features, and get answers to commonly asked questions to help you deploy Microsoft Edge in your organization. Microsoft Edge deployment guide Microsoft Edge FAQ System requirements and language support Group Policy and MDM settings in Microsoft Edge Download the Web Application Compatibility Lab Kit Microsoft Edge training and demonstrations |  **End user readiness** Help your users get started on Microsoft Edge quickly and learn about features like tab management, instant access to Office files, and more. Quick Start: Microsoft Edge (PDF, .98 MB) Find it faster with Microsoft Edge (PDF, 605 KB) Use Microsoft Edge to collaborate (PDF, 468 KB) Import bookmarks Password management Microsoft Edge tips and tricks (video, 20:26) |
**Deployment** Find resources, learn about features, and get answers to commonly asked questions to help you deploy Microsoft Edge in your organization. Microsoft Edge deployment guide Microsoft Edge FAQ System requirements and language support Group Policy and MDM settings in Microsoft Edge Download the Web Application Compatibility Lab Kit Microsoft Edge training and demonstrations | **End user readiness** Help your users get started on Microsoft Edge quickly and learn about features like tab management, instant access to Office files, and more. Quick Start: Microsoft Edge (PDF, .98 MB) Find it faster with Microsoft Edge (PDF, 605 KB) Use Microsoft Edge to collaborate (PDF, 468 KB) Import bookmarks Password management Microsoft Edge tips and tricks (video, 20:26) |
-
 **In-place upgrade** The simplest way to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 is to do an in-place upgrade. Upgrade to Windows 10 with Configuration Manager Upgrade to Windows 10 with MDT |  **Traditional deployment** Some organizations may still need to opt for an image-based deployment of Windows 10. Deploy Windows 10 with Configuration Manager Deploy Windows 10 with MDT |
 **Dynamic provisioning** With Windows 10 you can create provisioning packages that let you quickly configure a device without having to install a new image. Provisioning packages for Windows 10 Build and apply a provisioning package Customize Windows 10 start and the taskbar |  **Other deployment scenarios** Get guidance on how to deploy Windows 10 for students, faculty, and guest users - and how to deploy line-of-business apps. Windows deployment for education environments Set up a shared or guest PC with Windows 10 Sideload apps in Windows 10 |
**In-place upgrade** The simplest way to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 is to do an in-place upgrade. Upgrade to Windows 10 with Configuration Manager Upgrade to Windows 10 with MDT | **Traditional deployment** Some organizations may still need to opt for an image-based deployment of Windows 10. Deploy Windows 10 with Configuration Manager Deploy Windows 10 with MDT |
**Dynamic provisioning** With Windows 10 you can create provisioning packages that let you quickly configure a device without having to install a new image. Provisioning packages for Windows 10 Build and apply a provisioning package Customize Windows 10 start and the taskbar | **Other deployment scenarios** Get guidance on how to deploy Windows 10 for students, faculty, and guest users - and how to deploy line-of-business apps. Windows deployment for education environments Set up a shared or guest PC with Windows 10 Sideload apps in Windows 10 |
For example:
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
+
If you need to add Windows 10 mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
@@ -173,10 +173,7 @@ To add **Desktop apps**, complete the following fields, based on what results yo
Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. +To define the network boundaries, click **App policy** > the name of your policy > **Advanced settings** > **Add network boundary**. -**To define where your protected apps can find and send enterprise data on you network** + -1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings**. +Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the following options, and then click **OK**. -2. Click **Add network boundary** from the Network perimeter area. +### Cloud resources -  +Specify the cloud resources to be treated as corporate and protected by WIP. +For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. +Be aware that all traffic routed through your Internal proxy servers is considered enterprise. -3. Select the type of network boundary to add from the **Boundary type** box. +Separate multiple resources with the "|" delimiter. +If you don’t use proxy servers, you must also include the "," delimiter just before the "|". +For example: -4. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the following options, and then click **OK**. +```code +URL <,proxy>|URL <,proxy> +``` -
| Boundary type | -Value format | -Description | -|
|---|---|---|---|
| Cloud Resources | -With proxy: contoso.sharepoint.com,contoso.internalproxy1.com| contoso.visualstudio.com,contoso.internalproxy2.com Without proxy: contoso.sharepoint.com|contoso.visualstudio.com |
- Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.Personal applications will be able to access Enterprise Cloud Resources if the resource in the Enterprise Cloud Resource Policy has a blank space or an invalid character, such as a trailing dot in the URL. |
+Personal applications will be able to access a cloud resource that has a blank space or an invalid character, such as a trailing dot in the URL.
- Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.Personal applications will be able to access Enterprise Cloud Resources if the resource in the Enterprise Cloud Resource Policy has a blank space or an invalid character, such as a trailing dot in the URL. |
-
| Protected domains | -exchange.contoso.com,contoso.com,region.contoso.com | -Specify the domains used for identities in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. If you have multiple domains, you must separate them using the "," delimiter. |
- |
| Network domains | -corp.contoso.com,region.contoso.com | -Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. If you have multiple resources, you must separate them using the "," delimiter. |
- |
| Proxy servers | -proxy.contoso.com:80;proxy2.contoso.com:443 | -Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic. If you have multiple resources, you must separate them using the ";" delimiter. |
- |
| Internal proxy servers | -contoso.internalproxy1.com;contoso.internalproxy2.com | -Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. If you have multiple resources, you must separate them using the ";" delimiter. |
- |
| IPv4 ranges | -**Starting IPv4 Address:** 3.4.0.1 **Ending IPv4 Address:** 3.4.255.254 **Custom URI:** 3.4.0.1-3.4.255.254, 10.0.0.1-10.255.255.254 |
- Starting with Windows 10, version 1703, this field is optional. Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
- |
| IPv6 ranges | -**Starting IPv6 Address:** 2a01:110:: **Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff **Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff, fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
- Starting with Windows 10, version 1703, this field is optional. Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
- |
| Neutral resources | -sts.contoso.com,sts.contoso2.com | -Specify your authentication redirection endpoints for your company. These locations are considered enterprise or personal, based on the context of the connection before the redirection. If you have multiple resources, you must separate them using the "," delimiter. |
-
10.0.0.1-10.255.255.254 + +### IPv6 ranges + +Starting with Windows 10, version 1703, this field is optional. + +Specify the addresses for a valid IPv6 value range within your intranet. +These addresses, used with your network domain names, define your corporate network boundaries. +Classless Inter-Domain Routing (CIDR) notation isn’t supported. + +Separate multiple ranges with the "," delimiter. + +**Starting IPv6 Address:** 2a01:110:: +**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff +**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + +### Neutral resources + +Specify your authentication redirection endpoints for your company. +These locations are considered enterprise or personal, based on the context of the connection before the redirection. +Separate multiple resources with the "," delimiter. + +```code +sts.contoso.com,sts.contoso2.com +``` + +Decide if you want Windows to look for additional network settings: + +- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you turn this off, Windows will search for additional proxy servers in your immediate network. + +- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you turn this off, Windows will search for additional IP ranges on any domain-joined devices connected to your network. + + ## Upload your Data Recovery Agent (DRA) certificate After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data. @@ -526,7 +591,7 @@ WIP can integrate with Microsoft Azure Rights Management to enable secure sharin To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. -Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. +Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. This template will be applied to the protected data that is copied to a removable drive. >[!IMPORTANT] >Curly braces -- {} -- are required around the RMS Template ID. diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md deleted file mode 100644 index 234ef89755..0000000000 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md +++ /dev/null @@ -1,663 +0,0 @@ ---- -title: Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune (Windows 10) -description: The Azure portal for Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, supporting mobile application management (MAM), to let you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: justinha -ms.author: justinha -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 03/05/2019 ---- - -# Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune - -**Applies to:** - -- Windows 10, version 1703 and later -- Windows 10 Mobile, version 1703 and later (except Microsoft Azure Rights Management, which is only available on the desktop) - -By using Microsoft Intune with Mobile application management (MAM), organizations can take advantage of Azure Active Directory (Azure AD) and the app protection policy feature to keep employees from logging in with personal credentials and accessing corporate data. Additionally, MAM solutions can help your enterprise do the following for mobile apps: - -- Configure, update, and deploy mobile apps to employees -- Control what your employees can do with enterprise data, such as copying, pasting, and saving -- Keep enterprise data separate from your employee's personal data -- Remove enterprise data from employee's devices -- Report on mobile app inventory and track usage - -## Alternative steps if you already manage devices with MDM - -This topic covers creating a Windows Information Protection (WIP) policy for organizations using a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without device enrollment. If you are already managing devices by using a Mobile Device Management (MDM) solution, see [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md). - -If the same user and device are targeted for both MAM-only (without device enrollment) policy and MDM policy, the MDM policy (with device enrollement) will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. - -Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. - -## Prerequisites to using MAM with Windows Information Protection (WIP) -Before you can create your WIP policy with MAM, you need to [set up your MAM provider](https://docs.microsoft.com/intune-classic/deploy-use/get-ready-to-configure-app-protection-policies-for-windows-10). - -Additionally, you must have an [Azure AD Premium license](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-what-is) and be running at least Windows 10, version 1703 on your device. - ->[!Important] ->WIP doesn't support multi-identity. Only one managed identity can exist at a time. - -## Add a WIP policy -After you’ve set up Intune for your organization, you must create a WIP-specific policy. - -**To add a WIP policy** -1. Open the Azure portal and click the **Intune service** from the sidebar. - - The Microsoft Intune Overview blade appears. - -2. Click **Client apps**, click **App protection policies**, and then click **Add a policy**. - -  - -3. In the **Add a policy** blade, fill out the fields: - - - **Name.** Type a name (required) for your new policy. - - - **Description.** Type an optional description. - - - **Platform.** Choose **Windows 10** to create your MAM policy for desktop client devices. - - - **Enrollment state.** Choose **Without enrollment** as the enrollment state for your policy. - -  - - >[!Important] - >Choosing **Without enrollment** only applies for organizations using MAM. If you're using MDM, see [Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md). - -4. Click **Create**. - - The policy is created and appears in the table on the **Client apps - App protection policies** blade. - - >[!NOTE] - >Optionally, you can also add your apps and set your settings from the **Add a policy** blade, but for the purposes of this documentation, we recommend instead that you create the policy first, and then use the subsequent menus that become available. - -## Add apps to your Protected apps list -During the policy-creation process in Intune, you can choose the apps you want to allow, as well as deny, access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. - -The steps to add your apps are based on the type of template being applied. You can add a recommended app, a store app (also known as a Universal Windows Platform (UWP) app), or a signed Windows desktop app. You can also import a list of approved apps or add exempt apps. - -In addition, you can create an app deny list related to the policy based on an **action** value. The action can be either **Allow** or **Deny**. When you specify the deny action for an app using the policy, corporate access is denied to the app. - ->[!Important] ->Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Protected apps** list. If you don’t get this statement, it’s possible that you could experience app compatibility issues due to an app losing the ability to access a necessary file after revocation. - -### Add a Recommended app to your Protected apps list -For this example, we’re going to add a few recommended apps to the **Protected apps** list. - -**To add a recommended app** -1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Protected apps** from the menu that appears. - - The **Protected apps** blade appears, showing you any apps that are already included in the list for this policy. - -  - -2. From the **Protected apps** blade, click **Add apps**. - - The **Add apps** blade appears, showing you all **Recommended apps**. - -  - -3. Select each app you want to access your enterprise data, and then click **OK**. - - The **Protected apps** blade updates to show you your selected apps. - -  - -4. Click **Save** to save the **Protected apps** list to your policy. - -### Add a Store app to your Protected apps list -For this example, we’re going to add Microsoft Power BI, a Windows store app, to the **Protected apps** list. - -**To add a Store app** -1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Protected apps** from the menu that appears. - - The **Protected apps** blade appears, showing you any apps that are already included in the list for this policy. - -2. From the **Protected apps** blade, click **Add apps**. - -3. On the **Add apps** blade, click **Store apps** from the dropdown list. - -4. Type the friendly name of the app, the publisher info, and the product name. For this example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.MicrosoftPowerBIForWindows`. - -5. After you’ve entered the info into the fields, click **OK** to add the app to your **Protected apps** list, and then click **Save** to save the **Protected apps** list to your policy. - - >[!NOTE] - >To add multiple Store apps at the same time, you can click the menu **(…)** at the end of the app row, and continue to add more apps. When you’re done, click **OK**. - -  - -#### Find the Name, Publisher, and Product name for Store apps -If you don't know the publisher or product name for your Store app, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. - -**To find the publisher and product name values for Store apps without installing them** -1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft Power BI*. - -2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`. - -3. In a browser, run the Microsoft Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata, where `9nblgggzlxn1` is replaced with your ID value. - - The API runs and opens a text editor with the app details. - - ```json - { - "packageIdentityName": "Microsoft.MicrosoftPowerBIForWindows", - "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" - } - ``` - -4. Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of the **Add apps** blade. - - >[!Important] - >The JSON file might also return a windowsPhoneLegacyId value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as windowsPhoneLegacyId, and set the **Publisher Name** as CN= followed by the windowsPhoneLegacyId.
For example:
-
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
-
-**To find the publisher and product name values for apps installed on Windows 10 mobile phones**
-1. If you need to add mobile apps that aren't distributed through the Microsoft Store for Business, you must use the **Windows Device Portal** feature.
-
- >[!NOTE]
- >Your PC and phone must be on the same wireless network.
-
-2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
-
-3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
-
-4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
-
-5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
-
-6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
-
-7. Start the app for which you're looking for the publisher and product name values.
-
-8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
-
- >[!Important]
- >The JSON file might also return a windowsPhoneLegacyId value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as windowsPhoneLegacyId, and set the **Publisher Name** as CN= followed by the windowsPhoneLegacyId.For example:
-
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
-
-### Add a Desktop app to your Protected apps list
-For this example, we’re going to add WordPad, a Desktop app, to the **Protected apps** list.
-
-**To add a Desktop app**
-1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Protected apps** from the menu that appears.
-
- The **Protected apps** blade appears, showing you any apps that are already included in the list for this policy.
-
-2. From the **Protected apps** blade, click **Add apps**.
-
-3. On the **Add apps** blade, click **Desktop apps** from the dropdown list.
-
- The blade changes to show boxes for you to add the following, based on the results you want returned:
-
- | Field | -Manages | -
|---|---|
| All fields marked as “*” | -All files signed by any publisher. (Not recommended) | -
| Name | -A friendly name for your app. You can't use this field by itself. However, you can use it in conjunction with any of the other fields. | -
| Publisher (required) only | -Filling out this field, gives you all files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps. This is a required field and must be filled out whether by itself or in conjunction with other fields. |
-
| Publisher (required) and Product name only | -If you only fill out these fields, you’ll get all files for the specified product, signed by the named publisher. | -
| Publisher (required), Product name, and File only | -If you only fill out these fields, you’ll get any version of the named file or package for the specified product, signed by the named publisher. | -
| Publisher (required), Product name, File, and Min version only | -If you only fill out these fields, you’ll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened. |
-
| Publisher (required), Product name, File, and Max version only | -If you only fill out these fields, you’ll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher. | -
| All fields completed | -If you fill out all fields, you’ll get the specified version of the named file or package for the specified product, signed by the named publisher. | -
- This is the XML file that AppLocker creates for Microsoft Dynamics 365. - - ```xml - -
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| - -2. Click **Save**. - -### Define your enterprise-managed corporate identity -Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. - -Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the **Corporate identity** field. - -**To change your corporate identity** - -1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Required settings** from the menu that appears. - - The **Required settings** blade appears. - -2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. If you need to add additional domains, for example your email domains, you can do it in the **Advanced settings** area. - -  - -## Manage your Advanced settings -In the **Advanced settings** blade you must specify where apps can access your corporate data, upload a Data Recovery Agent (DRA) certificate, and set several optional data protection and access settings. - -### Choose where apps can access enterprise data -After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. - -Intune will add SharePoint sites that are discovered through the Graph API. You must add other network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). - ->[!Important] ->Every WIP policy should include policy that defines your enterprise network locations.
Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. - -**To define where your allowed apps can find and send enterprise data on you network** - -1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. - - The **Advanced settings** blade appears. - -2. Click **Add network boundary** from the **Network perimeter** area. - - The **Add network boundary** blade appears. - -  - -3. Select the type of network boundary to add from the **Boundary type** box. - -4. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the following options, and then click **OK**. - -
| Boundary type | -Value format | -Description | -
|---|---|---|
| Cloud Resources | -With proxy: contoso.sharepoint.com,contoso.internalproxy1.com| contoso.visualstudio.com,contoso.internalproxy2.com Without proxy: contoso.sharepoint.com|contoso.visualstudio.com |
- Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.Important In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. |
-
| Network domain names | -corp.contoso.com,region.contoso.com | -Starting with Windows 10, version 1703, this field is optional. Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. If you have multiple resources, you must separate them using the "," delimiter. |
-
| Proxy servers | -proxy.contoso.com:80;proxy2.contoso.com:443 | -Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic. If you have multiple resources, you must separate them using the ";" delimiter. |
-
| Internal proxy servers | -contoso.internalproxy1.com;contoso.internalproxy2.com | -Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. If you have multiple resources, you must separate them using the ";" delimiter. |
-
| IPv4 ranges | -**Starting IPv4 Address:** 3.4.0.1 **Ending IPv4 Address:** 3.4.255.254 **Custom URI:** 3.4.0.1-3.4.255.254, 10.0.0.1-10.255.255.254 |
- Starting with Windows 10, version 1703, this field is optional. Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
-
| IPv6 ranges | -**Starting IPv6 Address:** 2a01:110:: **Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff **Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff, fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
- Starting with Windows 10, version 1703, this field is optional. Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
-
| Neutral resources | -sts.contoso.com,sts.contoso2.com | -Specify your authentication redirection endpoints for your company. These locations are considered enterprise or personal, based on the context of the connection before the redirection. If you have multiple resources, you must separate them using the "," delimiter. |
-
This setting has different behavior for mobile devices and desktops. - - - **On mobile devices.** When an employee reaches the value set here, the device is wiped of corporate data. - - - **On desktop devices.** When an employee reaches the value set here, the desktop is put into BitLocker recovery mode, instead of being wiped. You must have BitLocker installed on the device or this setting is ignored. - - - **Maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked.** Enter a numerical value for how many days can pass before a PIN must be changed. If you enter a value of 0, the device never becomes PIN or password locked while idle. - - >[!NOTE] - >You can set this value to be anything; however, it can't be longer than the time specified by the **Settings** app. If you exceed the maximum timeout value, this setting is ignored. - - -## Deploy your policy -After you’ve created your policy, you'll need to deploy it to your employees. MAM is deployed to users and not devices. - -**To deploy your policy** - -1. On the **Client apps - App protection policies** pane, click your newly-created policy, click **Assignments** from the menu that appears, and then click **Select groups**. - - A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** pane. - -2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy. - - The policy is deployed to the selected group. - -  - -## Related topics - -- [Implement server-side support for mobile application management on Windows](https://docs.microsoft.com/windows/client-management/mdm/implement-server-side-mobile-application-management) - -- [Microsoft Intune - Mobile Application Management (MAM) standalone blog post](https://blogs.technet.microsoft.com/cbernier/2016/01/05/microsoft-intune-mobile-application-management-mam-standalone/) - -- [MAM-supported apps](https://www.microsoft.com/cloud-platform/microsoft-intune-apps) - -- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) - -- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md index 3b2125c461..bcad37a020 100644 --- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md +++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md @@ -63,7 +63,7 @@ This section covers how WIP works with sensitivity labels in specific use cases. ### User downloads from or creates a document on a work site -If WIP policy is deployed, any document that is downloaded from a work site, or created on a work site, will have WIP protection regradless of whether the document has a sensitivity label. +If WIP policy is deployed, any document that is downloaded from a work site, or created on a work site, will have WIP protection regardless of whether the document has a sensitivity label. If the document also has a sensitivity label, which can be Office or PDF files, WIP protection is applied according to the label. diff --git a/windows/security/information-protection/windows-information-protection/images/add-protected-domains.png b/windows/security/information-protection/windows-information-protection/images/add-protected-domains.png new file mode 100644 index 0000000000..848ff120a2 Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/add-protected-domains.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/create-app-protection-policy.png b/windows/security/information-protection/windows-information-protection/images/create-app-protection-policy.png new file mode 100644 index 0000000000..345093afc8 Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/create-app-protection-policy.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/mobility-provider.png b/windows/security/information-protection/windows-information-protection/images/mobility-provider.png new file mode 100644 index 0000000000..280a0531dc Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/mobility-provider.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/recommended-apps.png b/windows/security/information-protection/windows-information-protection/images/recommended-apps.png new file mode 100644 index 0000000000..658cbb343b Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/recommended-apps.png differ diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index a795c151fc..1e633ed77d 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -12,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 03/04/2019 +ms.date: 03/06/2019 ms.localizationpriority: medium --- @@ -75,6 +75,11 @@ This table provides info about the most common problems you might encounter whil
Note
For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/kb/3187045).
Data copied from the WIP-managed device is marked as Work.
Data copied to the WIP-managed device is not marked as Work.
Local Work data copied to the WIP-managed device remains Work data.
Work data that is copied between two apps in the same session remains data.