deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 11:53:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Updating content

Browse Source
This commit is contained in:
LizRoss
2017-05-01 06:46:49 -07:00
parent 273dfc0789 c6c6bb91da
commit fcaac61784
2 changed files with 35 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
View File

@ -1,5 +1,5 @@
---
title: Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Azure Intune (Windows 10)
title: Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune (Windows 10)
description: After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b
keywords: WIP, Enterprise Data Protection
@ -11,22 +11,22 @@ author: eross-msft
localizationpriority: high
---
# Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Azure Intune
# Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Azure Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
## Associate your WIP policy to your VPN policy by using Microsoft Azure Intune
## Associate your WIP policy to your VPN policy by using Microsoft Intune
Follow these steps to associate your WIP policy with your organization's existing VPN policy.
**To associate your policies**
1. Create your VPN profile. For info about how to do this, see [How to configure VPN settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune-azure/configure-devices/how-to-configure-vpn-settings) and [How to create custom VPN profiles in Microsoft Intune](https://docs.microsoft.com/en-us/intune-azure/configure-devices/create-custom-vpn-profiles#create-a-custom-configuration).
2. Open the Microsoft Azure Intune mobile application management console, click **Device configuration**, and then click **Create Profile**.
2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**.
![Microsoft Azure Intune, Create a new policy using the the Azure portal](images/wip-azure-vpn-device-policy.png)
@ -70,4 +70,4 @@ After youve created your VPN policy, you'll need to deploy it to the same gro
![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

53
windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
View File

@ -1,6 +1,6 @@
---
title: Create a Windows Information Protection (WIP) with enrollment policy using Microsoft Azure Intune (Windows 10)
description: Microsoft Azure Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
title: Create a Windows Information Protection (WIP) with enrollment policy using Microsoft Intune (Windows 10)
description: Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721
ms.prod: w10
ms.mktglfcycl: explore
@ -10,14 +10,14 @@ author: eross-msft
localizationpriority: high
---
# Create a Windows Information Protection (WIP) with enrollment policy using Microsoft Azure Intune
# Create a Windows Information Protection (WIP) with enrollment policy using Microsoft Intune
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
Microsoft Azure Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network.
Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network.
>[!Important]
>This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, you must follow the instructions in the [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune) topic.
@ -26,9 +26,9 @@ Microsoft Azure Intune helps you create and deploy your Windows Information Prot
After youve set up Intune for your organization, you must create a WIP-specific policy.
**To add a WIP policy**
1. Open the Microsoft Azure Intune mobile application management console, click **All settings**, and then click **App policy**.
1. Open the Microsoft Intune mobile application management console, click **All settings**, and then click **App policy**.
![Microsoft Azure Intune management console: App policy link](images/wip-azure-portal-start.png)
![Microsoft Intune management console: App policy link](images/wip-azure-portal-start.png)
2. In the **App policy** screen, click **Add a policy**, and then fill out the fields:
- **Name.** Type a name (required) for your new policy.
@ -39,7 +39,7 @@ After youve set up Intune for your organization, you must create a WIP-specif
- **Enrollment state.** Choose **With enrollment** as the enrollment state for your policy.
![Microsoft Azure Intune management console: Create your new policy in the Add a policy blade](images/wip-azure-portal-add-policy.png)
![Microsoft Intune management console: Create your new policy in the Add a policy blade](images/wip-azure-portal-add-policy.png)
3. Click **Create**.
@ -56,7 +56,6 @@ The steps to add your apps are based on the type of template being applied. You
>[!Important]
>WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<br><br>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Allowed apps** list. If you dont get this statement, its possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
#### Add a Recommended app to your Allowed apps list
For this example, were going to add Microsoft Edge, a recommended app, to the **Allowed apps** list.
@ -65,19 +64,19 @@ For this example, were going to add Microsoft Edge, a recommended app, to the
The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
![Microsoft Azure Intune management console: Viewing the recommended apps that you can add to your policy](images/wip-azure-allowed-apps-pane.png)
![Microsoft Intune management console: Viewing the recommended apps that you can add to your policy](images/wip-azure-allowed-apps-pane.png)
2. From the **Allowed apps** blade, click **Add apps**.
The **Add apps** blade appears, showing you all **Recommended apps**.
![Microsoft Azure Intune management console: Adding recommended apps to your policy](images/wip-azure-add-recommended-apps.png)
![Microsoft Intune management console: Adding recommended apps to your policy](images/wip-azure-add-recommended-apps.png)
3. Select each app you want to access your enterprise data, and then click **OK**.
The **Allowed apps** blade updates to show you your selected apps.
![Microsoft Azure Intune management console: Allowed apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png)
![Microsoft Intune management console: Allowed apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png)
#### Add a Store app to your Allowed apps list
For this example, were going to add Microsoft Power BI, a store app, to the **Allowed apps** list.
@ -100,7 +99,7 @@ For this example, were going to add Microsoft Power BI, a store app, to the *
>[!NOTE]
>To add multiple Store apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When youre done, click **OK**.
![Microsoft Azure Intune management console: Adding Store app info](images/wip-azure-add-store-apps.png)
![Microsoft Intune management console: Adding Store app info](images/wip-azure-add-store-apps.png)
If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
@ -203,7 +202,7 @@ For this example, were going to add WordPad, a desktop app, to the **Allowed
>[!Note]
>To add multiple Desktop apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When youre done, click **OK**.
![Microsoft Azure Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png)
![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png)
**To find the Publisher values for Desktop apps**
If youre unsure about what to include for the publisher, you can run this PowerShell command:
@ -296,15 +295,15 @@ For this example, were going to add an AppLocker XML file to the **Allowed ap
</AppLockerPolicy>
```
12. After youve created your XML file, you need to import it by using Microsoft Azure Intune.
12. After youve created your XML file, you need to import it by using Microsoft Intune.
**To import your list of Allowed apps using Microsoft Azure Intune**
**To import your list of Allowed apps using Microsoft Intune**
1. From the **Allowed apps** area, click **Import apps**.
The blade changes to let you add your import file.
![Microsoft Azure Intune, Importing your AppLocker policy file using Intune](images/wip-azure-import-apps.png)
![Microsoft Intune, Importing your AppLocker policy file using Intune](images/wip-azure-import-apps.png)
2. Browse to your exported AppLocker policy file, and then click **Open**.
@ -346,7 +345,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
The **Required settings** blade appears.
![Microsoft Azure Intune, Required settings blade showing Windows Information Protection mode](images/wip-azure-required-settings-protection-mode.png)
![Microsoft Intune, Required settings blade showing Windows Information Protection mode](images/wip-azure-required-settings-protection-mode.png)
|Mode |Description |
|-----|------------|
@ -370,7 +369,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
2. If the identity isnt correct, or if you need to add additional domains, type info into the **Corporate identity** field. For example, `contoso.com|newcontoso.com`.
![Microsoft Azure Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png)
![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png)
### Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
@ -390,7 +389,7 @@ There are no default locations included with WIP, you must add each of your netw
The **Add network boundary** blade appears.
![Microsoft Azure Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png)
![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png)
3. Select the type of network boundary to add from the **Boundary type** box.
@ -443,7 +442,7 @@ There are no default locations included with WIP, you must add each of your netw
6. Decide if you want to Windows to look for additional network settings:
![Microsoft Azure Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise](images/wip-azure-advanced-settings-network-autodetect.png)
![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise](images/wip-azure-advanced-settings-network-autodetect.png)
- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
@ -462,7 +461,7 @@ After you create and deploy your WIP policy to your employees, Windows begins to
2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
![Microsoft Azure Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png)
![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png)
### Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, youll be asked to decide if you want to add any optional WIP settings.
@ -471,7 +470,7 @@ After you've decided where your protected apps can access enterprise data on you
1. Choose to set any or all optional settings:
![Microsoft Azure Intune, Choose if you want to include any of the optional settings](images/wip-azure-advanced-settings-optional.png)
![Microsoft Intune, Choose if you want to include any of the optional settings](images/wip-azure-advanced-settings-optional.png)
- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
@ -500,7 +499,7 @@ After you've decided where your protected apps can access enterprise data on you
### Choose to set up Azure Rights Management with WIP
WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Azure Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703.
To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703.
Optionally, if you dont want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option.
@ -509,10 +508,16 @@ Optionally, if you dont want everyone in your organization to be able to shar
## Related topics
- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Azure Intune](create-vpn-and-wip-policy-using-intune.md)
- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms)
- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).