WIP policy for intune enrolled devices cannot run Visio project desktop application in enterprise context

WIP (Windows Information Protection) is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).

WIP provides:

  • Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
  • Additional data protection for existing line-of-business apps without a need to update the apps.
  • Ability to wipe corporate data from Intune MDM enrolled devices while leaving personal data alone.
  • Use of audit reports for tracking issues and remedial actions.
  • Integration with your existing management system (Microsoft Intune, System Center Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage WIP for your company.

To learn more about Windows Information Protection, see https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip

Issue description:

One of our BYOD users reported that, on a Windows 10 device enrolled in Intune (MDM), he is unable to open any work-related Visio/Project files (files that are protected with WIP).

The following error appears when launching corporate Visio/Project files:

Access has been denied

image

Launching personal Visio/Project files works fine.

To figure out the issue, I started in Task Manager to check whether the Visio app was running in personal or enterprise context.

Go to Task Manager, Details -> Select columns -> Enterprise context

image

As you can see above, visio.exe is considered personal instead of enterprise context.

As per the TechNet document https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip , Microsoft Visio and Microsoft Project are not enlightened apps and need to be exempted from the WIP policy.

image

What does it mean?

Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. So the user has the choice of saving documents either as personal or corporate.

For enlightened apps, you will see options like the ones below.

image

Visio and Project are unenlightened apps: adding them to the protected apps list in the WIP policy makes WIP treat all data in these apps as corporate and encrypt everything by default.

For unenlightened apps, you will see options like the ones below. There is no personal option; everything is always going to be work.

image

Solution:

Since Visio/Project are unenlightened apps, how do we get the WIP policy applied to them?

The common assumption is that adding the desktop apps with their publisher information to the protected apps in WIP would do the trick. Does it? No and yes; it depends on what settings your WIP policy consists of. I will explain both, with the reasons.

To add any unenlightened app to protected apps, use the following information.

image

Now let's see whether adding visio.exe into protected apps as a desktop app would solve this issue.

Consider the above scenario with No:

In my app protection policy for Windows 10, I have the following settings:

In the protected apps, I have imported the AppLocker policy XML file and have also added Visio/Project.

image

image

Currently the enterprise AppLocker policy XML file for Office 365 ProPlus only contains specific Office apps, so most other apps published by Microsoft, such as Visio and Project, will not be included.

Having both the AppLocker policy XML file and Visio as a desktop app will not make Visio a protected app, due to the conflict, and the user always gets access denied when opening work files.

And if you look at Task Manager, visio.exe runs in personal mode rather than enterprise context.

Also, looking at C:\windows\system32\applocker\MDM\x\x\enterprisedataprotection\, the WIP policy arrived at the client successfully.

image

How do we get this working ?

Consider the scenario of Yes, but we will do this a little bit differently:

If we want to add Visio to the WIP allow list, we remove the enterprise AppLocker policy file from the target apps and create a new desktop app record with only the publisher set to "O=Microsoft Corporation, L=Redmond, S=Washington, C=US", leaving the remaining entries as the wildcard "*", so that every desktop app published by Microsoft will be in protected mode. The enlightened apps will still have personal and enterprise context, whereas unenlightened apps such as Project and Visio will only run in enterprise context.

WIP policy configuration:

I removed the existing AppLocker policy for Office 365 and set the publisher information to O=Microsoft Corporation, L=Redmond, S=Washington, C=US and the remaining entries to *.
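As an added, worked example (not code from the original post), the following PowerShell pulls the publisher fields for an unenlightened app from its signature (the information you paste into Intune when adding a desktop app), builds the publisher-only wildcard rule described above in the AppLocker XML format that WIP protected-app lists use, and then uses AppLocker's own matcher to show which XML actually covers VISIO.EXE. It assumes a Click-to-Run Office install at the path in $VisioPath and the AppLocker PowerShell module (Windows 10 Pro/Enterprise). The "specific apps" XML is a constructed stand-in for the Office 365 ProPlus file, not Microsoft's file, and the rule GUIDs are generated at run time.

```powershell
# Added example; not code from the original post.
# Assumptions: Click-to-Run Office with Visio at $VisioPath, and the AppLocker
# module available (Windows 10 Pro/Enterprise). Run in an elevated PowerShell.
$VisioPath = 'C:\Program Files\Microsoft Office\root\Office16\VISIO.EXE'  # adjust to your install

# 1. Read the signature fields Intune asks for when adding a desktop app.
#    PublisherName comes back in the uppercase form AppLocker uses; matching is
#    case-insensitive, so it is the same value as
#    "O=Microsoft Corporation, L=Redmond, S=Washington, C=US".
$info = Get-AppLockerFileInformation -Path $VisioPath
$info.Publisher | Select-Object PublisherName, ProductName, BinaryName, BinaryVersion

function New-WipPublisherRuleXml {
    # Emits one FilePublisherRule in the AppLocker XML format that WIP protected-app lists use.
    # EnforcementMode is "Enabled" only so that Test-AppLockerPolicy below evaluates the rule;
    # Microsoft's sample WIP XML uses "NotConfigured", because Intune does not enforce it as AppLocker.
    param(
        [string]$Name,
        [string]$PublisherName,
        [string]$ProductName = '*',
        [string]$BinaryName  = '*'
    )
    $id = [guid]::NewGuid()
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="$id" Name="$Name" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$PublisherName" ProductName="$ProductName" BinaryName="$BinaryName">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

$msPublisher = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US'

# 2. Constructed stand-in for the Office 365 ProPlus AppLocker file: a rule that names
#    specific Office binaries (here just WINWORD.EXE). Visio is not listed.
$specificFile = Join-Path $env:TEMP 'wip-specific-apps.xml'
New-WipPublisherRuleXml -Name 'Word only' -PublisherName $msPublisher `
    -ProductName 'MICROSOFT OFFICE 2016' -BinaryName 'WINWORD.EXE' |
    Set-Content -Path $specificFile -Encoding UTF8

# 3. The fix from the post: publisher = Microsoft, every other field "*", so any
#    Microsoft-signed desktop binary (Visio and Project included) is a protected app.
$wildcardFile = Join-Path $env:TEMP 'wip-all-microsoft.xml'
New-WipPublisherRuleXml -Name 'All Microsoft-signed desktop apps' -PublisherName $msPublisher |
    Set-Content -Path $wildcardFile -Encoding UTF8

# 4. Ask AppLocker's matcher which XML covers VISIO.EXE. "Allowed" means a rule matched
#    (which WIP reads as "protected app"); "DeniedByDefault" means no rule matched.
#    Expected: the specific-apps file does not match, the wildcard file does.
foreach ($policy in $specificFile, $wildcardFile) {
    Test-AppLockerPolicy -XmlPolicy $policy -Path $VisioPath |
        Select-Object @{ n = 'Policy'; e = { Split-Path $policy -Leaf } }, PolicyDecision, MatchingRule
}

# 5. Confirm the policy reached the client, as the post does by looking under
#    C:\Windows\System32\AppLocker\MDM\... (file names vary per enrollment, so list the tree).
Get-ChildItem -Path "$env:windir\System32\AppLocker\MDM" -Recurse -File -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime
```

This only checks rule matching; it does not reproduce the conflict the post describes when the Office 365 XML and a separate Visio desktop-app entry are both present, nor WIP's enterprise-context enforcement. For that, the Task Manager Enterprise context column after a device sync remains the check.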


End user experience:

Log in to the Windows 10 BYOD device and perform a device sync from the work/school account.

This will sync and download the policies and update the settings.

Now open work Visio/Project files; they will open successfully, and this time they run in enterprise context.

There is one disadvantage with this setting: all Visio/Project files will be saved by default as work files. Since the rule covers every desktop app published by Microsoft, the same applies to any other unenlightened Microsoft-signed app, which will likewise treat all of its data as work.

image

Hope it helps!
