How to protect Azure AD App proxy (AAP) applications on windows 10 using intune windows information protection (WIP) from DLP

 

Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.

Windows Information Protection (WIP), helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.

There is another data protection technology, Azure information protection (AIP) also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.

For more information about Windows information protection ,please read https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip

windows information protection (WIP) from the filed experience and test cases are explained in http://eskonr.com/2017/10/intune-windows-information-protection-wip-policies-test-cases-and-notes-from-the-field/

Recently ,i had requirement from business to protect applications that are published using Azure AD app proxy solution from BYOD windows 10 devices ,accessing users securely from internet.

By letting users to access these applications securely from iOS/Andriod and windows 10 ,you must have DLP solution in place to prevent accidental data leakage from corporate applications.

For iOS and Andriod ,you can refer this post for Azure AD App proxy with intune managed browser http://eskonr.com/2018/02/control-access-to-applications-published-via-azure-ad-app-proxy-and-manage-access-only-via-approved-client-aka-intune-managed-browser/

In this blog post,we are going to see how to protect the applications that are created/published via azure AD app proxy and OWA(outlook web access) on users BYOD windows 10 device using windows information protection (WIP) .

Note: I would recommend that you turn on Azure Active Directory Conditional Access, using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

First, try to identify the azure AD app proxy application external URL that is being configured in Azure. If you don't have access to azure AD app proxy ,you can ask your GA (global admin) to provide the app formats that are configured.

In my case, all the external URL applications are in below format:

http://SCCMReports-koneti.msappproxy.net/ (Appname-tenantname.msappproxy.net) .

You might have app created in different format that ends with domain names instead of msapproxy.net like http://SCCMReports-eskonr.com/

After you identify the domain names (msappproxy.net or your domain name eskonr.com) ,we will now go to intune portal and create new WIP policy by selecting Edge/IE as allowed applications .

Follow the steps given in the TechNet article to create WIP policy https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure

In your WIP policy ,required settings ,choose windows protection mode as Block ,depends on your organisation policy.

image

Block : WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.

After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.

while you are on WIP policy ,click on advanced settings,click on cloud resources.

image

What ever the values you specify in proper format in cloud resources will be will be treated as corporate and protected by WIP based on your protection modes.

For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

For more information about cloud resource and format https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure#choose-where-apps-can-access-enterprise-data

image

Since we already collected the necessary information about azure AD app proxy external URL information  ,we will add the extension to this cloud resources tab.

image

In above snippet,I have added multiple cloud resources which includes sharepoint ,yammer ,excel,powerpoint, and finally my app proxy domain .koneti.msappproxy.net and .eskonr.com

Full list is given for you .

koneti.sharepoint.com|koneti.powerbi.com|koneti.visualstudio.com|
koneti.crm.dynamics.com|www.yammer.com|yammer.com|persona.yammer.com|
koneti-files.sharepoint.com|tasks.office.com|protection.office.com|
meet.lync.com|teams.microsoft.com|/*AppCompat*/|
southeastasia1-mediap.svc.ms|excel.officeapps.live.com|
word.officeapps.live.com|Powerpoint.officeapps.live.com|
outlook.office.com|login.microsoftonline.com|login.windows.net|
.koneti.msappproxy.net|.eskonr.com

Go to assignment tab and select groups that you want to assign this policy.

End user experience:

User can either open application using URL or connect to https://myapps.microsoft.com/ to see all azure AD App proxy applications ,will see URL protected right side on the corner .

From these protected URL’s ,if user try to copy the content to un protected apps that are not defined in your WIP policy ,access will be denied.

If user try to copy the content from these protected applications to un-enlighten applications like notepad etc ,the protection controls will be travelled with data and when user try to save the document ,it will be saved as work rather personnel.

List of enlightened Microsoft apps for use with Windows Information Protection (WIP) https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip

Hope you enjoyed reading this article.

Leave a Reply