Windows information protection incompatibility with new edge chromium browser

The new edge chromium-browser (stable release) from Microsoft was already out on Jan 15th, 2020 and is amazing with many unique features amongst the other browsers out there.

If you wanted to manage the deployment of this new edge browser using configuration manager, please read http://eskonr.com/2020/01/how-to-deploy-microsoft-edge-chromium-stable-version-using-configuration-manager/

If you wanted to manage the deployment of this new edge browser using Microsoft intune, please read https://docs.microsoft.com/en-us/intune/apps/apps-windows-edge

Microsoft intune provide great features to protect your enterprise data using Windows Information Protection for windows 10 devices.

For more information about windows WIP, please read https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip

In this blog post, I am going to discuss the case of this new edge browser with windows information protection on intune managed windows 10 device.

I was recently approached on an issue from some financial customer, who allow their employees to access office 365 from BYOD Windows 10 devices which are enrolled into intune and these users are local admin on their devices as well.

When users install the new edge browser, the old edge browser (legacy) is replaced with a new chromium edge and all the bookmarks, favorites everything will gets moved. This all worked well until an issue was discovered in the new Edge Chromium and its incompatibility or feature missing with WIP.

The customer has created a WIP protection policy with WIP mode set to blocked, added the cloud resources to protect the URL's that company manage. So when the user try access the cloud resource URL's or download the content from , all data will be protected with a briefcase icon.

Following are the WIP settings:

image

Block—>    WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.

Briefcase icon setting:

image

Cloud resources: Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

image

With the above setting, what is the expected behavior on the legacy edge browser?

When the user tries to access the cloud resource URLs or download the content (files), the browsing data and the downloaded content from these URLs will be protected with a briefcase icon (show the enterprise data protection icon).

Copying the data or moving/uploading the protected content (briefcase icon) to personal onedrive/Gmail/dropbox etc will be blocked.

Following are the screenshots that refer the file protection with briefcase:

Uploading files to gmail/cloud:

What is the expected behavior on the new edge browser ( at the time of writing this blog post)?

When users try to access cloud resource URLs or download the content, we expected to behave the new edge browser same as legacy edge but that is not the case. The WIP protection policies never applied and the content can be easily taken into dropbox /Gmail/personal onedrive etc.

When the files are downloaded from the new edge browser, there is no briefcase icon and files are saved as personal.

Also, If you have any WIP protected files on your device and if you upload them to any websites like dropbox, Gmail etc using this new edge browser, the protection icon ( briefcase) is removed and files are being uploaded successfully. This pretty much means that the WIP protection on those files is lost.

As you can see below, the left side refers to IE/Legacy edge for cloud resource URL with lock, whereas the right side refers to the new edge chromium, where there is no lock.

This behavior is noticed at the time of writing this blog post and in the near future, Microsoft will bring the WIP capabilities into this new edge browser.

There are two possibilities or scenarios in this situation. Users who have already upgraded to the Edge Chromium and those who will in the future, you need to prevent them until Microsoft comes up with WIP support for Edge Chromium.

The scenarios listed are quick and dirty solutions to prevent the DLP issues with new edge chromium browser.

For scenario 1> How do we prevent this issue on the BYOD intune enrolled devices that have already installed the edge browser?

We will create an app locker policy and deploy using intune device configuration policy with custom OMA URI:

The following are the configuration settings that you can deploy to BYOD users.

Add OMA URI settings:

Name: Anything you like

Description: Anything that make sense to understand the setting

OMA-URI:./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/myapps/EXE/Policy

The bold letters (myapps) can be anything you like.

Data type: String (XML file)

and finally, the xml file to import. Download the attached XML file and import.

This XML file is customized. Please make sure to test thoroughly before you do a mass deployment.

image

Deploy the policy to BYOD users.

Once the policy received by the intune enrolled device and user try to launch the new edge browser, they see the following screen.

Image result for app locker application is blocked

Please make sure you send the communication email to the BYOD users to be aware of this and remove the new edge browser to continue accessing office 365 resources or they can fallback to IE.

When the user uninstalls the new edge, the old edge will be retuned with all bookmarks favorites etc. so it is safe to do.

For scenario 2> How do we prevent users from installing a new Edge Chromium-based browser on BYOD intune enrolled devices?

we can prevent users from installing the new edge Chromium browser using edge administrative templates that are available in intune.

Following are the 4 settings that you can set to disable for edge installation.

image

Deploy the policy to BYOD users.

When this policy is deployed to users , they will not be able to install the new edge browser in any way.

image

Hope this helps!

One Response to "Windows information protection incompatibility with new edge chromium browser"

Leave a Reply