Checking to see if escape chars work

LizRoss
2016-04-04 14:08:37 -07:00
parent 8bc509f20e
commit e8a8b31570


@ -1,28 +1,24 @@
--- ---
title: Create an enterprise data protection (EDP) policy using Microsoft Intune (Windows 10) title: Create an enterprise data protection (EDP) policy using Microsoft Intune (Windows 10)
description: Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. description: Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
ms.assetid: 4B307C99-3016-4D6A-9AE7-3BBEBD26E721 ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: explore ms.mktglfcycl: explore
ms.sitesec: library ms.sitesec: library
author: brianlic-msft author: eross-msft
--- ---
# Create an enterprise data protection (EDP) policy using Microsoft Intune # Create an enterprise data protection (EDP) policy using Microsoft Intune
**Applies to:** **Applies to:**
- Windows 10 Insider Preview - Windows 10 Insider Preview
- Windows 10 Mobile Preview - Windows 10 Mobile Preview
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\] <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.]</span>
Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
## In this topic: ## In this topic:
- [Add an EDP policy](#add-edp-policy) - [Add an EDP policy](#add-edp-policy)
- [Choose which apps can access your enterprise data](#choose-apps) - [Choose which apps can access your enterprise data](#choose-apps)
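Review bot: the pre-release notice below the front matter now depends on raw HTML with a hard-coded inline style (`<span style="color:#ED1C24;">...</span>`); confirm the docs build passes raw HTML through, and if the red-text treatment is wanted, use the site's note/warning convention rather than baking a color value into each topic. The `ms.assetid` change from the uppercase to the lowercase form of the same GUID and the `author` swap to `eross-msft` are fine provided the asset-id lookup is case-insensitive.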
@ -37,40 +33,31 @@ Microsoft Intune helps you create and deploy your enterprise data protection (ED
- [Choose your optional EDP-related settings](#optional-settings) - [Choose your optional EDP-related settings](#optional-settings)
## <a href="" id="add-edp-policy"></a>Add an EDP policy ## Add an EDP policy
After youve installed and set up Intune for your organization, you must create an EDP-specific policy. After youve installed and set up Intune for your organization, you must create an EDP-specific policy.
**To add an EDP policy** **To add an EDP policy**
1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**. 1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
2. Click **Add Policy** from the **Tasks** area. 2. Click **Add Policy** from the **Tasks** area.
3. Go to **Windows**, click the **Enterprise Data Protection (Windows 10 and Mobile and later) policy**, pick the EDP template, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.![microsoft intune: new policy creation screen](images/intune-createnewpolicy.png) 3. Go to **Windows**, click the **Enterprise Data Protection (Windows 10 and Mobile and later) policy**, pick the EDP template, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
![microsoft intune: new policy creation screen](images/intune-createnewpolicy.png)
4. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. 4. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
![microsoft intune: required name and optional description fields](images/intune-namedescription.png) ![microsoft intune: required name and optional description fields](images/intune-namedescription.png)
## <a href="" id="choose-apps"></a>Add individual apps to your Protected App list ## Add individual apps to your Protected App list
During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your apps are based on the type of app it is; either a Universal Windows Platform (UWP) app, or a signed Desktop app, also known as a Classic Windows application. The steps to add your apps are based on the type of app it is; either a Universal Windows Platform (UWP) app, or a signed Desktop app, also known as a Classic Windows application.
**Important**   **Important**<br>EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary and will encrypt all files they create or modify, meaning that they could encrypt personal data and cause data loss during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **Protected App** list.
EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary and will encrypt all files they create or modify, meaning that they could encrypt personal data and cause data loss during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **Protected App** list. <p>
**Note**<br>If you want to use **File hash** or **Path** rules, instead of Publisher rules, you must follow the steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)) topic.
 
**Note**  If you want to use **File hash** or **Path** rules, instead of Publisher rules, you must follow the steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)) topic.
 
<a href="" id="add-uwp"></a>
**To add a UWP app** **To add a UWP app**
1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.** 1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.**
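Review bot: dropping the explicit anchors (`<a href="" id="add-edp-policy"></a>`, `id="choose-apps"` and `id="add-uwp"`) breaks the "In this topic" links a few lines up, which still target `#add-edp-policy` and `#choose-apps`; the auto-generated heading slugs will be along the lines of `#add-an-edp-policy` and `#add-individual-apps-to-your-protected-app-list`, not the old ids. Either keep the anchors or update the link targets. Separately, the Note's link still carries a doubled closing parenthesis, `(add-apps-to-protected-list-using-custom-uri.md)) topic.`, so the extra `)` renders as literal text.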
@ -79,134 +66,72 @@ EDP-aware apps are expected to prevent enterprise data from going to unprotected
**To find the Publisher and Product name values for Microsoft Store apps without installing them** **To find the Publisher and Product name values for Microsoft Store apps without installing them**
1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/?LinkID=722910) website, and find your app. For example, Microsoft OneNote. 1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.<p>
**Note**<br>If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the **Protected App** list. For info about how to do this, see the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic.
**Note**  
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the **Protected App** list. For info about how to do this, see the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)) topic.
 
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/*9wzdncrfhvjl*/applockerdata, where *9wzdncrfhvjl* is replaced with your ID value. 3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/*9wzdncrfhvjl*/applockerdata, where *9wzdncrfhvjl* is replaced with your ID value.
<p>
The API runs and opens a text editor with the app details. The API runs and opens a text editor with the app details.
``` syntax ``` json
{ {
"packageIdentityName": "Microsoft.Office.OneNote", "packageIdentityName": "Microsoft.Office.OneNote",
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
} }
``` ```
4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. 4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune.
<p>**Important**<br>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
**Important**   <p>For example:<br>
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. ``` json
For example:
 
``` syntax
{ {
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
} }
``` ```
![microsoft intune: add a universal windows app to the protected apps list](images/intune-addapps.png) ![microsoft intune: add a universal windows app to the protected apps list](images/intune-addapps.png)
**To find the Publisher and Product name values for apps installed on Windows 10 Mobile phones** **To find the Publisher and Product name values for apps installed on Windows 10 Mobile phones**
1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the Windows Device Portal feature. 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the Windows Device Portal feature.
<p>**Note**<br>Your PC and phone must be on the same wireless network.
2. **Note**   2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
Your PC and phone must be on the same wireless network.
  3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
3. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. 4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
4. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. 5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
5. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. 6. On the **Apps** tab of the website, click the drop-down box to choose the app you want to know more about.
<p>The **Publisher** and **Product Name** values appear.
6. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. 7. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
<p>**Important**<br>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
7. On the **Apps** tab of the website, click the drop-down box to choose the app you want to know more about. <p>For example:<br>
``` json
The **Publisher** and **Product Name** values appear.
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
**Important**  
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
For example:
 
``` syntax
{ {
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
} }
``` ```
<a href="" id="add-classic"></a>
**To add a Classic Windows application** **To add a Classic Windows application**
1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.** 1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.**
<p>A dialog box appears, letting you pick whether the app is a **Universal App** or a **Desktop App**.
A dialog box appears, letting you pick whether the app is a **Universal App** or a **Desktop App**.
2. Click **Desktop App**, pick the options you want (see table), and then click **OK**. 2. Click **Desktop App**, pick the options you want (see table), and then click **OK**.
<table> |Option |Manages |
<colgroup> |-------|--------|
<col width="50%" /> |All fields left as “*”| All files signed by any publisher. (Not recommended.) |
<col width="50%" /> |**Publisher** selected | All files signed by the named publisher.<p>This might be useful if your company is the publisher and signer of internal line-of-business apps. |
</colgroup> |**Publisher** and **Product Name** selected |All files for the specified product, signed by the named publisher. |
<thead> |**Publisher**, **Product Name** and **File Name** selected |Any version of the named file or package for the specified product, signed by the named publisher.|
<tr class="header"> |**Publisher**, **Product Name**, **File Name**, and **File Version, Exactly** selected |Specified version of the named file or package for the specified product, signed by the named publisher. |
<th align="left">Option</th> |**Publisher**, **Product Name**, **File Name**, and **File Version, And above** selected |Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<p>This option is recommended for enlightened apps that weren't previously enlightened. |
<th align="left">Manages</th> |**Publisher**, **Product Name**, **File Name**, and **File Version, And below** selected |Specified version or older releases of the named file or package for the specified product, signed by the named publisher. |
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>All fields left as “*”</p></td>
<td align="left"><p>All files signed by any publisher. (Not recommended.)</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Publisher</strong> selected</p></td>
<td align="left"><p>All files signed by the named publisher.</p>
<p>This might be useful if your company is the publisher and signer of internal line-of-business apps.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Publisher</strong> and <strong>Product Name</strong> selected</p></td>
<td align="left"><p>All files for the specified product, signed by the named publisher.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Publisher</strong>, <strong>Product Name</strong>, and <strong>File Name</strong> selected</p></td>
<td align="left"><p>Any version of the named file or package for the specified product, signed by the named publisher.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, Exactly</strong>, selected</p></td>
<td align="left"><p>Specified version of the named file or package for the specified product, signed by the named publisher.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, And above</strong> selected</p></td>
<td align="left"><p>Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.</p>
<p>This option is recommended for enlightened apps that weren't previously enlightened.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, And below</strong> selected</p></td>
<td align="left"><p>Specified version or older releases of the named file or package for the specified product, signed by the named publisher.</p></td>
</tr>
</tbody>
</table>
 
![microsoft intune: add a classic windows app to the protected apps list](images/intune-add-desktop-app.png) ![microsoft intune: add a classic windows app to the protected apps list](images/intune-add-desktop-app.png)
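Review bot: the `<p>**Important**<br>...` and `<p>**Note**<br>...` lines open an HTML block in CommonMark, so the Markdown inside them (the `**Important**` bold, the backtick spans) can render as literal text until the next blank line, and none of the `<p>` tags is ever closed. The `` ``` json `` fence that follows `<p>For example:<br>` has the same problem, since a fence opened inside an HTML block is not treated as a code fence. Use the blockquote or trailing-space line-break style for these callouts instead of a bare `<p>`. In the converted Options table, the `<p>` used as a cell line break (`All files signed by the named publisher.<p>This might be useful...`) should be `<br>` to match the `**Note**<br>` convention adopted elsewhere in this change. The `syntax` to `json` fence-language change and the removal of the stray `)` in the Note link are good.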
@ -215,8 +140,7 @@ EDP-aware apps are expected to prevent enterprise data from going to unprotected
``` syntax ``` syntax
Get-AppLockerFileInformation -Path "<path of the exe>" Get-AppLockerFileInformation -Path "<path of the exe>"
``` ```
Where `"<path_of_the_exe>"` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`.
Where `"<path of the exe>"` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`.
In this example, you'd get the following info: In this example, you'd get the following info:
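Review bot: the placeholder in the explanatory sentence no longer matches the one in the command above it: the code block still reads `-Path "<path of the exe>"` while the rewritten prose says `"<path_of_the_exe>"`. Pick one spelling and use it in both; the underscore form reads as a single token and is less likely to be mis-copied.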
@ -225,98 +149,56 @@ EDP-aware apps are expected to prevent enterprise data from going to unprotected
---- --------- ---- ---------
%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR...
``` ```
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
## <a href="" id="exempt-apps"></a>Exempt apps from EDP restrictions ## Exempt apps from EDP restrictions
If you're running into compatibility issues where your app is incompatible with EDP, but still needs to be used with enterprise data, you can exempt the app from the EDP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. If you're running into compatibility issues where your app is incompatible with EDP, but still needs to be used with enterprise data, you can exempt the app from the EDP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
**To exempt an UWP app** **To exempt an UWP app**
1. Follow the **Add a UWP app** steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)) topic, through to Step \#11. 1. Follow the **Add a UWP app** steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic, through to Step 11.
2. In the **OMA-URI** box at Step 12, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/<your_enterprise_name>edpexempt/StoreApp EXE`.
Where **edpexempt** is added as a substring, making the app exempt. 2. In the **OMA-URI** box at Step 12, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/<your_enterprise_name>edpexempt/StoreApp EXE`.<p>Where **edpexempt** is added as a substring, making the app exempt.
3. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad. 3. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad.
4. Copy the text that has a **Type** of Appx, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example: 4. Copy the text that has a **Type** of Appx, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example:
``` syntax ``` syntax
<RuleCollection Type="Appx" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection> <RuleCollection Type="Appx" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
``` ```
5. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**. 5. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.<p>After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)) topic.
**To exempt a Classic Windows application** **To exempt a Classic Windows application**
1. Follow the **Add a Classic Windows application app** steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)) topic, through to Step \#11. 1. Follow the **Add a Classic Windows application app** steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic, through to Step 11.
2. In the **OMA-URI** box at Step 12, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/<your_enterprise_name>edpexempt/EXE`.
Where **edpexempt** is added as a substring, making the app exempt. 2. In the **OMA-URI** box at Step 12, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/<your_enterprise_name>edpexempt/EXE`.<p>Where **edpexempt** is added as a substring, making the app exempt.
3. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad. 3. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad.
4. Copy the text that has a **Type** of EXE, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example: 4. Copy the text that has a **Type** of EXE, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example:
``` syntax ``` syntax
<RuleCollection Type="Exe" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection> <RuleCollection Type="Exe" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
``` ```
5. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**. 5. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.<p>After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)) topic.
## <a href="" id="protect-level"></a>Manage the EDP protection level for your enterprise data
## Manage the EDP protection level for your enterprise data
After you've added the apps you want to protect with EDP, you'll need to apply a management and protection mode. After you've added the apps you want to protect with EDP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your **Protected Apps** list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your **Protected Apps** list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
<table> |Mode |Description |
<colgroup> |-----|------------|
<col width="50%" /> |Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise. |
<col width="50%" /> |Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
</colgroup> |Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything. |
<thead> |Off |EDP is turned off and doesn't help to protect or audit your data.|
<tr class="header">
<th align="left">Mode</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><strong>Block</strong></td>
<td align="left"><p>EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.</p></td>
</tr>
<tr class="even">
<td align="left"><strong>Override</strong></td>
<td align="left"><p>EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459).</p></td>
</tr>
<tr class="odd">
<td align="left"><strong>Silent</strong></td>
<td align="left"><p>EDP runs silently, logging inappropriate data sharing, without blocking anything.</p></td>
</tr>
<tr class="even">
<td align="left"><strong>Off</strong>
<p>(Not recommended)</p></td>
<td align="left"><p>EDP is turned off and doesn't help to protect or audit your data</p></td>
</tr>
</tbody>
</table>
 
![microsoft intune: add protection level for protected apps list](images/intune-encryption-level.png) ![microsoft intune: add protection level for protected apps list](images/intune-encryption-level.png)
## <a href="" id="define-enterprise-managed-identity-domains"></a>Define your enterprise-managed identity domains ## Define your enterprise-managed identity domains
Specify your companys enterprise identity, expressed as your primary internet domain. For example, if your company is Contoso, its enterprise identity might be contoso.com. The first listed domain (in this example, contoso.com) is the primary enterprise identity string used to tag files protected by any app on the **Protected App** list. Specify your companys enterprise identity, expressed as your primary internet domain. For example, if your company is Contoso, its enterprise identity might be contoso.com. The first listed domain (in this example, contoso.com) is the primary enterprise identity string used to tag files protected by any app on the **Protected App** list.
You can also specify all the domains owned by your enterprise that are used for user accounts, separating them with the "|" character. For example, if Contoso also has some employees with email addresses or user accounts on the fabrikam.com domain, you would use contoso.com|fabrikam.com. You can also specify all the domains owned by your enterprise that are used for user accounts, separating them with the "|" character. For example, if Contoso also has some employees with email addresses or user accounts on the fabrikam.com domain, you would use contoso.com|fabrikam.com.
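Review bot: the Mode table conversion drops the `(Not recommended)` qualifier that the HTML version attached to **Off**, and loses the bold on the mode names; restore the qualifier, for example `|**Off** (Not recommended) |EDP is turned off and doesn't help to protect or audit your data.|`, since it is the one guidance cue in that table. The headings in this hunk also lost their explicit ids (`exempt-apps`, `protect-level`, `define-enterprise-managed-identity-domains`); any in-page link written against those ids, in the style of the `#add-edp-policy` links in the "In this topic" list, will no longer resolve.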
@ -327,43 +209,28 @@ This list of managed identity domains, along with the primary domain, make up th
**To add your primary domain** **To add your primary domain**
- Type the name of your primary domain into the **Primary domain** field. For example, *contoso.com*. - Type the name of your primary domain into the **Primary domain** field. For example, *contoso.com*.<p>
If you have multiple domains, you must separate them with the "|" character. For example, contoso.com|fabrikam.com. If you have multiple domains, you must separate them with the "|" character. For example, contoso.com|fabrikam.com.
## <a href="" id="choose-where-apps"></a>Choose where apps can access enterprise data ## Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range.<p>
**Important**<br>
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range.
**Important**  
- Every EDP policy should include policy that defines your enterprise network locations. - Every EDP policy should include policy that defines your enterprise network locations.
- Classless Inter-Domain Routing (CIDR) notation isnt supported for EDP configurations. - Classless Inter-Domain Routing (CIDR) notation isnt supported for EDP configurations.
 
**To specify where your protected apps can find and send enterprise data on the network** **To specify where your protected apps can find and send enterprise data on the network**
1. Add additional network locations your apps can access by clicking **Add**, typing a description into the **Description** box, and then choosing your location type, including: 1. Add additional network locations your apps can access by clicking **Add**, typing a description into the **Description** box, and then choosing your location type, including:<p>
<table> |Network location type |Format |Description |
<colgroup> |----------------------|-------|------------|
<col width="33%" /> |Enterprise Cloud Domain |contoso.sharepoint.com,proxy1.contoso.com\|office.com\|proxy2.contoso.com|
<col width="33%" />
<col width="33%" />
</colgroup>
<thead> <td align="left"><p></p></td>
<tr class="header"> <td align="left"><p></p></td>
<th align="left">Network location type</th>
<th align="left">Format</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Enterprise Cloud Domain</p></td>
<td align="left"><p>contoso.sharepoint.com,proxy1.contoso.com|office.com|proxy2.contoso.com</p></td>
<td align="left"><p>Specify the cloud resources traffic to restrict to your protected apps.</p> <td align="left"><p>Specify the cloud resources traffic to restrict to your protected apps.</p>
<p>For each cloud resource, you may also specify an internal proxy server that routes your traffic from your <strong>Enterprise Internal Proxy Server</strong> policy. If you have multiple resources, you must use the &quot;|&quot; delimiter. Include the &quot;,&quot; delimiter just before the &quot;|&quot; if you dont use proxies. For example: <code>[URL,Proxy]|[URL,Proxy]</code>.</p></td> <p>For each cloud resource, you may also specify an internal proxy server that routes your traffic from your <strong>Enterprise Internal Proxy Server</strong> policy. If you have multiple resources, you must use the &quot;|&quot; delimiter. Include the &quot;,&quot; delimiter just before the &quot;|&quot; if you dont use proxies. For example: <code>[URL,Proxy]|[URL,Proxy]</code>.</p></td>
</tr> </tr>
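Review bot: the network-location table conversion is incomplete: the pipe row `|Enterprise Cloud Domain |contoso.sharepoint.com,proxy1.contoso.com\|office.com\|proxy2.contoso.com|` has two cells under a three-column header, the Description cell from the HTML version was not carried over, and the leftover `<td align="left"><p></p></td>` lines plus the unchanged HTML `<td>`/`</tr>` rows below it will produce a broken pipe table followed by orphaned table cells. The table also sits directly after `including:<p>`, and a pipe table inside an open HTML block is not parsed as a table, so drop that trailing `<p>` (and the one after `IPv6 range.` before `**Important**<br>`, which has the same effect on the bullet list). The `\|` escaping for literal pipes in the Format cell is the right approach; finish converting the remaining rows to pipe syntax and remove the HTML fragments.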