    New Microsoft Edge chromium browser supports for windows information protection (WIP) – Intune

By Eswar Koneti, May 01, 7:20 pm, 5 mins read, App protection policies

Windows Information Protection (WIP) is mobile application management (MAM) for Windows 10; it helps protect enterprise data from unauthorized or accidental leakage.

On Jan 15th, 2020, Microsoft released the new Chromium-based Edge browser, which is so amazing. When it was released, some of our users requested that it be rolled out to their devices, which are Azure AD joined and Intune enrolled.

We use Windows Information Protection to protect corporate data in approved/managed/enlightened applications. For more information about Windows Information Protection and how to configure it, please refer here.

Before releasing any feature/product/application to end users (especially in the cloud era), we conduct some testing internally, covering both technical functionality and security (DLP).

As part of this, we tested the Edge browser's support for Windows Information Protection and found that Edge was not ready for WIP at that point in time (the first release of Edge). For more details, refer to my previous blog post.

On April 13th, 2020, Microsoft released stable version 81.0.416.53, which supports Windows Information Protection (WIP) and so helps enterprise customers protect corporate data from leakage.

    Starting with Microsoft Edge version 81, the following features are supported for Windows Information Protection:

· Work sites will be indicated by a briefcase icon in the address bar.

    · Files downloaded from a work location are automatically encrypted.

    · Silent/Block/Override enforcement for work file uploads to non-work locations.

    · Silent/Block/Override enforcement for file Drag & Drop actions.

    · Silent/Block/Override enforcement for Clipboard actions.

· Browsing to work locations from non-work profiles automatically redirects to the work profile (associated with the Azure AD identity).

    · IE Mode supports full WIP functionality.

    How to configure Windows Information Protection to protect the Microsoft Edge browser?

If you already have a working WIP policy in your Intune tenant, the procedure is very simple.

1. Log in to https://endpoint.microsoft.com

2. Browse to Apps, App protection policies.

3. Select the WIP policy, then Properties, Targeted apps, and click Edit.

4. When you click Edit, you will see the list of apps managed/protected by WIP. Click Add.

5. In the recommended apps, scroll down to the bottom; you will see an XML file, MsEdge - WIPMode-Allow - Enterprise AppLocker Policy File.xml, which Microsoft makes available to all tenants.

Is there a way to download this XML to see what is inside? Yes, you can download the XML file from here.

If you are not using Microsoft Intune, you can download the XML file and apply the policy update in your WIP Enterprise AppLocker Policy File.

6. Click Add, click Review and save, and save the policy.

You will now see the policy saved, and the number of protected apps has increased.

7. If you have not already targeted the policy to users, assign it to the Azure AD security group (user-based).

If you do not have an existing WIP policy, follow the steps outlined here and then enable Edge support using the steps above.

As soon as the policy is saved, devices managed by Intune will receive the policy and apply the changes.

The changes can be seen on the Intune-enrolled device in the C:\Windows\System32\AppLocker\MDM\ folder (the AppLocker EnterpriseDataProtection EXE policy).

The above information comes from the XML that we imported earlier.

We have now successfully created/updated the Windows Information Protection policy to protect the Edge browser.

Before we look at the end-user experience, note that Windows Information Protection with Microsoft Edge requires (mandatorily) the presence of a work profile.

    Without creating a profile with a work account, the user will not be able to access corporate data on the browser.

On Azure AD joined devices, when users launch the Edge browser it automatically creates a work profile and signs in with the user's account. To make sure users don't remove this profile, which WIP needs, configure the NonRemovableProfileEnabled policy.
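As an added example that is not part of the original post, the PowerShell below does two device-side checks for the points above: it parses an AppLocker policy XML (the format of the MsEdge WIPMode-Allow file) to confirm an allow rule for msedge.exe is present, first against a constructed sample and then against whatever is delivered under C:\Windows\System32\AppLocker\MDM\, and it checks whether the NonRemovableProfileEnabled Edge policy is set. The sample XML, its publisher/product values and the exact file layout beneath the MDM folder are assumptions; the registry location HKLM\SOFTWARE\Policies\Microsoft\Edge is where Edge reads machine-level policies such as NonRemovableProfileEnabled.

```powershell
# Added example (not from the original post): verify that the WIP AppLocker policy
# delivered via MDM contains an Edge rule and that NonRemovableProfileEnabled is set.

# Constructed sample of an AppLocker publisher rule for msedge.exe, so the parser can
# be exercised offline. The values below follow the usual AppLocker publisher-rule
# layout and are an assumption, not the contents of Microsoft's MsEdge policy file.
$SampleXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000001" Name="Allow Microsoft Edge (sample)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT EDGE" BinaryName="MSEDGE.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@

function Get-AppLockerPublisherRules {
    # Returns one object per publisher rule found in an AppLocker policy XML string.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    foreach ($coll in $doc.AppLockerPolicy.RuleCollection) {
        foreach ($rule in $coll.FilePublisherRule) {
            $cond = $rule.Conditions.FilePublisherCondition
            [pscustomobject]@{
                Collection  = $coll.Type
                Enforcement = $coll.EnforcementMode
                RuleName    = $rule.Name
                Action      = $rule.Action
                Publisher   = $cond.PublisherName
                Product     = $cond.ProductName
                Binary      = $cond.BinaryName
            }
        }
    }
}

function Test-EdgeWipRule {
    # True when any Allow rule in the policy targets msedge.exe.
    param([Parameter(Mandatory)][string]$Xml)
    $hit = Get-AppLockerPublisherRules -Xml $Xml |
        Where-Object { $_.Action -eq 'Allow' -and $_.Binary -ieq 'MSEDGE.EXE' }
    return [bool]$hit
}

# 1. Offline check against the constructed sample.
Get-AppLockerPublisherRules -Xml $SampleXml | Format-Table -AutoSize
"Sample policy contains an Edge allow rule: $(Test-EdgeWipRule -Xml $SampleXml)"

# 2. On-device check. The post shows the delivered policy under the MDM folder; the
#    file layout beneath it is not given, so walk the folder and inspect every file
#    that looks like an AppLocker policy (reading it usually needs an elevated prompt).
$MdmRoot = 'C:\Windows\System32\AppLocker\MDM'
if (Test-Path $MdmRoot) {
    Get-ChildItem -Path $MdmRoot -Recurse -File | ForEach-Object {
        try {
            $content = Get-Content -Path $_.FullName -Raw -ErrorAction Stop
            if ($content -match '<AppLockerPolicy') {
                "$($_.FullName): Edge allow rule present = $(Test-EdgeWipRule -Xml $content)"
            }
        } catch { }
    }
} else {
    "$MdmRoot not found: no MDM-delivered AppLocker policy on this device yet."
}

# 3. Edge policy that keeps the work profile from being removed. Edge reads machine
#    policies from this key; a DWORD value of 1 means the policy is enabled.
$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$val = Get-ItemProperty -Path $EdgePolicyKey -Name NonRemovableProfileEnabled -ErrorAction SilentlyContinue
if ($val -and $val.NonRemovableProfileEnabled -eq 1) {
    'NonRemovableProfileEnabled is set: users cannot remove the work profile.'
} else {
    'NonRemovableProfileEnabled is not set: users could remove the WIP work profile.'
}
```

Run it in an elevated PowerShell on an Intune-enrolled device after the policy has synced; the first section always runs, so it also shows what a parsed Edge rule looks like before the device has received anything.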

End-user experience:

When the end user launches the Edge browser and accesses corporate data, they will see a briefcase icon (this comes from my WIP policy).

When the URL is protected, data copied from that URL into Notepad or other managed apps remains protected.

When copying data from Edge to unmanaged apps such as WhatsApp, Notepad++, or Google Chrome, the user will see the following:

    Your organization doesn't allow you to use work content with this application


    Limitations:

Edge support for Windows Information Protection has a limitation with identity protection.

If you create more than one work profile with different identities (a corporate profile and a personal profile that has Office 365 for testing), the WIP policy will be applied to all identities in the Edge browser.

For example, I have created 2 profiles in the Edge browser: 1) with my office identity (Eswar.koneti@abc.com), 2) with my personal/other tenant (eswar.koneti@xyz.com).

On a device managed by a company called abc.com, if I launch Teams/Office 365 resources in the XYZ work profile, the data is still protected with the corporate WIP policies configured by abc.com, which is a drawback.

In reality, not every user has multiple identities to access Office 365 resources.

I hope to see Microsoft fix this limitation in upcoming versions of Edge.

All in all, it is good to see that Microsoft Edge now supports Windows Information Protection to protect enterprise data.

    Recommended reading:

    WIP Prerequisites

    Plan your deployment of Microsoft Edge

    Microsoft Edge – Available Policies
