revised steps

Justin Hall 2018-05-08 14:07:51 -07:00
parent 9995490db8
commit c4294fad2c


@ -23,10 +23,10 @@ Microsoft Intune helps you create and deploy your Windows Information Protection
>This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, you must follow the instructions in the [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md) topic. >This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, you must follow the instructions in the [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md) topic.
## Add a WIP policy ## Add a WIP policy
After youve set up Intune for your organization, you must create a WIP-specific policy. Follow these steps to add a WIP policy using Intune.
**To add a WIP policy** **To add a WIP policy**
1. Open the Microsoft Intune and click **Mobile apps**. 1. Open Microsoft Intune and click **Mobile apps**.
![Open Mobile apps](images/open-mobile-apps.png) ![Open Mobile apps](images/open-mobile-apps.png)
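Review bot: the intro sentence under "Add a WIP policy" still reads "After youve set up Intune" with the apostrophe missing, and the same dropped apostrophe recurs in the contractions further down the page (thats, youll, were); if the source file really lacks them rather than this being a rendering artifact, restore "you've" here while you are touching the step wording in this hunk.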
@ -52,25 +52,34 @@ After youve set up Intune for your organization, you must create a WIP-specif
![Add protected apps](images/add-protected-apps.png) ![Add protected apps](images/add-protected-apps.png)
5. Under **Recommended apps**, select each app you want to access your enterprise data, and then click **OK**. You can add these types of apps:
The **Allowed apps** blade updates to show you your selected apps. - [Recommended apps](#add-recommended-apps)
- [Store apps](#add-store-apps)
- [Desktop apps](#add-desktop-apps)
![Microsoft Intune management console: Allowed apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png) ### Add recommended apps
6. Alternatively, you can add a Store or desktop app by using the app name and publisher. For example, to add the Power BI Mobile App from the Store, select **Store apps** and type the following and click **OK**: To add **Recommended apps**, select each app you want to access your enterprise data, and then click **OK**.
- **Name**: Microsoft Power BI The **Allowed apps** blade updates to show you your selected apps.
- **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
- **Product Name** is `Microsoft.MicrosoftPowerBIForWindows`
![Add Store app](images\add-a-protected-store-app.png) ![Microsoft Intune management console: Allowed apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png)
To add multiple Store apps, click the elipsis **…**. ### Add Store apps
If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. To add **Store apps**, type the app product name and publisher and click **OK**. For example, to add the Power BI Mobile App from the Store, type the following:
- **Name**: Microsoft Power BI
- **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
- **Product Name**: `Microsoft.MicrosoftPowerBIForWindows`
![Add Store app](images\add-a-protected-store-app.png)
To add multiple Store apps, click the elipsis **…**.
If you don't know the Store app publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
**To find the publisher and product name values for Store apps without installing them**
1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Power BI Mobile App*. 1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Power BI Mobile App*.
2. Copy the ID value from the app URL. For example, the Power BI Mobile App ID URL is https://www.microsoft.com/en-us/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`. 2. Copy the ID value from the app URL. For example, the Power BI Mobile App ID URL is https://www.microsoft.com/en-us/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`.
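Review bot: the new "Add Store apps" paragraph says to type "the app product name and publisher", but the example that follows lists three fields (Name, Publisher, Product Name), and the value it puts under **Product Name**, `Microsoft.MicrosoftPowerBIForWindows`, is the package identity that the lookup steps later tell the reader to copy into the **Name** box; pick one mapping and use it in both places, for instance "**Name**: `Microsoft.MicrosoftPowerBIForWindows`" with the separate Product Name bullet removed. Two smaller fixes while you are in this hunk: the image reference `images\add-a-protected-store-app.png` uses a backslash where every other image on the page uses `images/...`, which will fail to resolve on a case-sensitive or Unix build, and "elipsis" should be "ellipsis".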
@ -86,24 +95,24 @@ If you don't know the publisher or product name, you can find them for both desk
} }
``` ```
4. Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of Intune. 4. Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of Intune.
>[!Important] >[!Important]
>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<br><br>For example:<br> >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<br><br>For example:<br>
<code>{<br>"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",<br>}</code> <code>{<br>"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",<br>}</code>
**To find the publisher and product name values for apps installed on Windows 10 mobile phones**
1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
>**Note**<br>Your PC and phone must be on the same wireless network. If you need to add Windows 10 mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. >**Note**<br>Your PC and phone must be on the same wireless network.
3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. 1. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. 2. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. 3. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
4. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names. 6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
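Review bot: the renumbered phone steps now run 1, 2, 3, 4 and then jump to "6. On the **Apps** tab", because that last step was left as unchanged context when the old step 1 became the intro sentence; renumber it to 5. The procedure also has the reader turn on Developer mode, Device Discovery and Device Portal and accept the portal's SSL certificate, but never says to turn them off again; add a closing step to disable Device Portal and Developer mode once the publisher and product names have been copied, since leaving them on keeps a remote management interface exposed on the phone. Step 4 ("copy the `packageIdentityName` value into the **Name** box") should also agree with whichever field the Store apps example above ends up using for that same value.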
@ -115,76 +124,65 @@ If you don't know the publisher or product name, you can find them for both desk
>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<br><br>For example:<br> >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<br><br>For example:<br>
<code>{<br>"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",<br>}</code> <code>{<br>"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",<br>}</code>
### Add a Desktop app to your Allowed apps list ### Add Desktop apps
For this example, were going to add WordPad, a desktop app, to the **Allowed apps** list.
**To add a Desktop app** To add **Desktop apps**, complete the following fields, based on what results you want returned.
1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy. <table>
<tr>
2. From the **Allowed apps** blade, click **Add apps**. <th>Field</th>
<th>Manages</th>
3. On the **Add apps** blade, click **Desktop apps** from the dropdown list. </tr>
<tr>
The blade changes to show boxes for you to add the following, based on what results you want returned: <td>All fields marked as “*”</td>
<td>All files signed by any publisher. (Not recommended)</td>
<table> </tr>
<tr> <tr>
<th>Field</th> <td>Publisher only</td>
<th>Manages</th> <td>If you only fill out this field, youll get all files signed by the named publisher.<br><br>This might be useful if your company is the publisher and signer of internal line-of-business apps.</td>
</tr> </tr>
<tr> <tr>
<td>All fields marked as “*”</td> <td>Publisher and Name only</td>
<td>All files signed by any publisher. (Not recommended)</td>
</tr>
<tr>
<td>Publisher only</td>
<td>If you only fill out this field, youll get all files signed by the named publisher.<br><br>This might be useful if your company is the publisher and signer of internal line-of-business apps.</td>
</tr>
<tr>
<td>Publisher and Name only</td>
<td>If you only fill out these fields, youll get all files for the specified product, signed by the named publisher.</td> <td>If you only fill out these fields, youll get all files for the specified product, signed by the named publisher.</td>
</tr> </tr>
<tr> <tr>
<td>Publisher, Name, and File only</td> <td>Publisher, Name, and File only</td>
<td>If you only fill out these fields, youll get any version of the named file or package for the specified product, signed by the named publisher.</td> <td>If you only fill out these fields, youll get any version of the named file or package for the specified product, signed by the named publisher.</td>
</tr> </tr>
<tr> <tr>
<td>Publisher, Name, File, and Min version only</td> <td>Publisher, Name, File, and Min version only</td>
<td>If you only fill out these fields, youll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<br><br>This option is recommended for enlightened apps that weren't previously enlightened.</td> <td>If you only fill out these fields, youll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<br><br>This option is recommended for enlightened apps that weren't previously enlightened.</td>
</tr> </tr>
<tr> <tr>
<td>Publisher, Name, File, and Max version only</td> <td>Publisher, Name, File, and Max version only</td>
<td>If you only fill out these fields, youll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.</td> <td>If you only fill out these fields, youll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.</td>
</tr> </tr>
<tr> <tr>
<td>All fields completed</td> <td>All fields completed</td>
<td>If you fill out all fields, youll get the specified version of the named file or package for the specified product, signed by the named publisher.</td> <td>If you fill out all fields, youll get the specified version of the named file or package for the specified product, signed by the named publisher.</td>
</tr> </tr>
</table> </table>
4. After youve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list. After youve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list.
>[!Note] >[!Note]
>To add multiple Desktop apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When youre done, click **OK**. >To add multiple Desktop apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When youre done, click **OK**.
![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png) ![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png)
**To find the Publisher values for Desktop apps** If youre unsure about what to include for the publisher, you can run this PowerShell command:
If youre unsure about what to include for the publisher, you can run this PowerShell command:
```ps1 ```ps1
Get-AppLockerFileInformation -Path "<path_of_the_exe>" Get-AppLockerFileInformation -Path "<path_of_the_exe>"
``` ```
Where `"<path_of_the_exe>"` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe"`. Where `"<path_of_the_exe>"` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe"`.
In this example, you'd get the following info: In this example, you'd get the following info:
``` json ```json
Path Publisher Path Publisher
---- --------- ---- ---------
%PROGRAMFILES%\WINDOWS NT\ACCESSORIES\WORDPAD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US %PROGRAMFILES%\WINDOWS NT\ACCESSORIES\WORDPAD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
``` ```
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter into the **Publisher** box and `WORDPAD.EXE` is the text to enter into the **File** box. Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter into the **Publisher** box and `WORDPAD.EXE` is the text to enter into the **File** box.
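Review bot: the closing sentence tells the reader what to enter in **Publisher** and **File** but says nothing about **Name**, and the table above has no row for Publisher plus File without Name; either state that Name is left empty and what that does to the match scope, or show the product name as well. This matters because the table says Publisher alone matches every file signed by the named publisher, and the publisher in this example is `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US`, so an under-specified rule would let every Microsoft-signed binary on the device touch enterprise data. Two smaller points: the fence around the `Get-AppLockerFileInformation` output is tagged ```json although the content is a PowerShell table, not JSON, so tag it ```text or leave it untagged; and the first table row "All fields marked as “*”" is hard to parse and should say explicitly that it means entering `*` as a wildcard in every field.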