Intune Windows Information Protection (WIP) Policies test cases and notes from the field

Windows Information Protection (WIP), previously known as Enterprise Data Protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leaks on enterprise-owned devices and on personal devices that employees bring to work, without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management, also works alongside WIP to extend data protection to data that leaves the device, such as when email attachments are sent from an enterprise-aware version of a rights-management mail client.

For the past few days, I have been busy testing Windows Information Protection policies on BYOD devices to protect enterprise data, and noting the test cases for any such data-leakage issues using corporate managed applications such as Office 365 ProPlus (Word, Excel and other apps).

If you want to read more about what Windows Information Protection is, please go through https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip

During my testing, I have noticed a couple of issues on Windows 10 build 1703 (on my Surface and also a couple of VMs), some of which are fixed (with some simple configuration settings), but some are still outstanding, and for those I have no fix for the data leakage.

In this blog post, I will list the issues that I have fixed and the outstanding issues. If you see any solution for the outstanding issues, please report it via the comment section.

Note: I will be updating all my test cases in this post when I find something interesting.

1. If the device is WIP managed, internet access is blocked in 3rd-party browsers (excluding IE and Edge) such as Chrome, Firefox etc. The fix for this is to add /*AppCompat*/ to the cloud resources section. For more information about this, please refer to this post.

2. Unable to upload O365 protected files to OneDrive (OneDrive for Business) on Windows 10 using Windows Information Protection (WIP) policies. I get the following error while trying to upload files that are saved on my desktop. These files are protected using my corporate identity, which is set under the required settings in the WIP policy.

[image: OneDrive sync error]

I open the corporate managed apps like Word, Excel or Notepad and save the file as Work with eskonr.onmicrosoft.com. After I save the doc, it is protected, with a briefcase icon on it (if you choose to display the enterprise data protection icon in the WIP policy).

[image]

When I try to upload these protected docs to my corporate OneDrive, it fails with the error: can't be synced with OneDrive. A policy set by your IT administrator prevents you from syncing this work file to your OneDrive. This is because all the files are protected with the user identity. In this case the user identity is eswar@eskonr.com. This is the user ID that the user used to do the workplace join on his BYOD to access company resources.

In this case, the user ID is eswar@eskonr.com, so the UPN suffix is eskonr.com, which is not recognized as a protected domain. To fix this, we need to edit the WIP policy and make some changes in the advanced settings.

Go to the WIP policy that you have assigned to users, click on Advanced settings, select Add network boundary, choose Protected domains for the boundary type, give it a name (anything that suits you) and in the value, add eskonr.com.

If you have multiple UPN suffixes like eskonr.com.sg, eskonr.com.in, eskonr.com.hk, you need to add the UPN names here separated with |.

In my case, the setting looks like this for multiple UPNs.

[image: protected domains setting]
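The failure above comes down to one check: the suffix of the user's UPN has to appear in the policy's protected-domains list, otherwise WIP does not treat that identity as enterprise and OneDrive refuses the work file. The script below is an added example (not Microsoft's code and not part of the original post) that models this check so you can audit a list of user UPNs against the pipe-separated value you put in the policy before rolling it out. It assumes an exact match between the UPN suffix and a listed domain; whether WIP also treats subdomains as covered is not something this post states, so the model stays conservative. All UPNs are constructed sample data.

```python
"""Audit user UPNs against a WIP 'Protected domains' value.

Added example; models the protected-domain check as an exact suffix match
(assumption), which is the conservative reading of the behaviour described
in the post. Not Microsoft's implementation.
"""
from typing import Iterable, List


def parse_protected_domains(value: str) -> List[str]:
    """Split a policy value such as 'eskonr.com|eskonr.com.sg' into
    normalised domain names. Stray spaces and empty entries (a trailing
    '|' is an easy typo in the portal) are ignored."""
    return [d.strip().lower() for d in value.split("|") if d.strip()]


def build_protected_domains(suffixes: Iterable[str]) -> str:
    """Produce the pipe-separated value for the policy from a list of UPN
    suffixes, de-duplicated case-insensitively and in the order given."""
    seen: List[str] = []
    for s in suffixes:
        s = s.strip().lower()
        if s and s not in seen:
            seen.append(s)
    return "|".join(seen)


def upn_suffix(upn: str) -> str:
    """Return the domain part of a UPN (everything after the last '@')."""
    if "@" not in upn:
        raise ValueError(f"not a UPN: {upn!r}")
    return upn.rsplit("@", 1)[1].lower()


def is_enterprise_identity(upn: str, protected: Iterable[str]) -> bool:
    """True if the UPN suffix is one of the protected domains (exact match,
    an assumption of this model)."""
    suffix = upn_suffix(upn)
    return any(suffix == d for d in protected)


def uncovered_upns(upns: Iterable[str], policy_value: str) -> List[str]:
    """Return the UPNs that the policy would NOT recognise as enterprise;
    users on this list hit the 'A policy set by your IT administrator
    prevents you from syncing this work file' error from the post."""
    protected = parse_protected_domains(policy_value)
    return [u for u in upns if not is_enterprise_identity(u, protected)]


# Constructed sample data: the tenant domain only (the 'before' state in the
# post) versus the value after the UPN suffixes were added.
POLICY_BEFORE = "eskonr.onmicrosoft.com"
POLICY_AFTER = build_protected_domains(
    ["eskonr.onmicrosoft.com", "eskonr.com", "eskonr.com.sg",
     "eskonr.com.in", "eskonr.com.hk"]
)
SAMPLE_UPNS = [
    "eswar@eskonr.com",                # the user from the post
    "alice@eskonr.com.sg",             # regional UPN suffix
    "bob@eskonr.onmicrosoft.com",      # tenant default suffix
    "carol@contoso.com",               # not an enterprise identity at all
]

if __name__ == "__main__":
    print("policy value:", POLICY_AFTER)
    print("uncovered before fix:", uncovered_upns(SAMPLE_UPNS, POLICY_BEFORE))
    print("uncovered after fix: ", uncovered_upns(SAMPLE_UPNS, POLICY_AFTER))
```

Run it against an exported list of your users' UPNs and the exact string you intend to paste into the Protected domains boundary; anything it reports as uncovered is a user who will get the OneDrive sync error above, and a stray space or empty entry in the policy value will show up as a parse difference rather than silently failing on the device.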


Once I am done with this, sync the policies on the user device. This time, it will allow you to upload files to OneDrive.

Also note that, with this setting, all the files in OneDrive and the files that you upload from outside OneDrive will by default be protected with file ownership as eskonr.microsoft.com, which helps to protect these files anywhere, even if the user tries to take them to an external disk.

3. If you have MAM and MDM settings enabled for Windows 10 (Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune) for users, MAM will take precedence over MDM. Why is this important? Well, when you create Intune app protection policies (WIP), you must align these policies with enrollment as 'With enrollment' or 'Without enrollment'.

What I have noticed in my testing is that if you have set the management type to MDM in Azure Active Directory and you create app protection policies for Windows 10 with the enrollment type 'Without enrollment', these policies will not apply to the end user.

After you create the policy with enrollment type 'With enrollment', the app protection policies will be applied, which will protect your corporate data.


Now let's look at the outstanding issues:

1. I have copied a Word document and a Notepad file (.docx, .txt) from my OneDrive, which is protected with file ownership as 'eskonr.microsoft.com', to my BYOD desktop. These files are protected and I can see the briefcase icon on them.

Since the file is protected, if I open the document and try to copy content from this doc file to any unmanaged app, the paste action is blocked with a message saying the app can't access the content or the paste action is blocked by your IT.

So far we have talked about the copy/paste action, which works only with managed apps, which is good. But now let's try to change the file ownership from Work to Personal and see what happens. (I do not have Azure RMS enabled with the WIP policy.)

Open the protected Word document; after it opens, go to Save As and there choose Personal instead of Work, which Windows 10 1703 and lower versions allow you to do.

[screenshots 1, 2, 3]

This way you can leak the corporate data.

What is the fix for this? This issue is fixed in Windows 10 1709 (Fall Creators Update). In Windows 10 1709, if you try to open corporate managed documents, it will not allow you to save them as Personal.

2. Copy the data from a protected app, for example 'work1' from the above Notepad file, and paste it into the Run command, Explorer or cmd.exe, which are unmanaged apps, and from there I can save it as personal.


Testing in progress, please wait for more updates!
