Windows Information Protection (WIP) is mobile application management (MAM) for Windows 10; it helps protect enterprise data from unauthorized or accidental leakage.
On January 15th, 2020, Microsoft released the new Chromium-based Edge browser, which is amazing. When it was released, some of our users requested that it be rolled out to their devices, which are Azure AD joined/Intune enrolled.
We use Windows Information Protection to protect corporate data in approved/managed/enlightened applications. For more information about Windows Information Protection and how to configure it, please refer here.
Before releasing any feature/product/application to end users (especially in the cloud era), we conduct some internal testing of both technical functionality and security (DLP).
As part of this, we tested the Edge browser's support for Windows Information Protection and found that Edge was not ready for WIP at that point in time (the first release of Edge). For more details, refer to my previous blog post.
On April 13th, 2020, Microsoft released stable version 81.0.416.53, which supports Windows Information Protection (WIP) and helps enterprise customers protect corporate data from leakage.
Starting with Microsoft Edge version 81, the following features are supported for Windows Information Protection:
· Work sites are indicated by a briefcase icon on the address bar.
· Files downloaded from a work location are automatically encrypted.
· Silent/Block/Override enforcement for work file uploads to non-work locations.
· Silent/Block/Override enforcement for file Drag & Drop actions.
· Silent/Block/Override enforcement for Clipboard actions.
· Browsing to work locations from non-work profiles automatically redirects to the Work Profile (associated with the Azure AD identity).
· IE Mode supports full WIP functionality.
How to configure Windows Information Protection to protect the Microsoft Edge browser?
If you already have a working WIP policy in your Intune tenant, the procedure is very simple.
1. Log in to https://endpoint.microsoft.com
2. Browse to Apps, App protection policies.
3. Select the WIP policy, Properties, Targeted apps, and click Edit.
4. When you click Edit, you will see the list of apps managed/protected by WIP. Click Add.
5. In the recommended apps, scroll down to the bottom; you will see an XML file, MsEdge - WIPMode-Allow - Enterprise AppLocker Policy File.xml, which Microsoft makes available to all tenants.
Is there a way to download this XML to see what is inside? Yes, you can download the XML file from here.
If you are not using Microsoft Intune, you can download the XML file and apply the policy update in the WIP Enterprise AppLocker Policy File.
6. Click Add, click Review and save, and save the policy.
You will now see the policy saved and the number of protected apps increased.
7. If you have not already targeted the policy to users, assign it to the Azure AD security group (user-based).
If you do not have an existing WIP policy, follow the steps outlined here and enable Edge support using the steps above.
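To see what is inside the Enterprise AppLocker Policy File before adding it, the following PowerShell script (an added example, not part of the original post or of Microsoft's file) parses an AppLocker policy XML and lists each publisher rule it carries. The embedded sample XML is constructed for illustration only; the rule ID, rule name and publisher strings are assumptions, and the real file downloaded from Intune may differ. Replace $samplePath with the path of the downloaded XML to inspect the real policy.

```powershell
# Added example (not from the original post): inspect a WIP
# "Enterprise AppLocker Policy File" XML and list the publisher rules it carries.
# The sample XML below is constructed for illustration; the real file from
# Intune may differ in names, rule IDs and publisher strings.

function Get-WipAppLockerRules {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    [xml]$policy = Get-Content -Path $Path -Raw

    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        # Each RuleCollection (Exe, Dll, Msi, ...) carries its own enforcement mode
        foreach ($rule in $collection.FilePublisherRule) {
            foreach ($cond in $rule.Conditions.FilePublisherCondition) {
                [pscustomobject]@{
                    Collection  = $collection.Type
                    Enforcement = $collection.EnforcementMode
                    RuleName    = $rule.Name
                    Action      = $rule.Action
                    Publisher   = $cond.PublisherName
                    Product     = $cond.ProductName
                    Binary      = $cond.BinaryName
                    MinVersion  = $cond.BinaryVersionRange.LowSection
                    MaxVersion  = $cond.BinaryVersionRange.HighSection
                }
            }
        }
    }
}

# --- Demo with a constructed sample file (assumed values, not Microsoft's file) ---
$sampleXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000001" Name="Allow Microsoft Edge (constructed sample)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT EDGE" BinaryName="MSEDGE.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$samplePath = Join-Path $env:TEMP 'wip-edge-sample.xml'
Set-Content -Path $samplePath -Value $sampleXml -Encoding UTF8

# Replace $samplePath with the path of the XML downloaded from Intune
Get-WipAppLockerRules -Path $samplePath | Format-Table -AutoSize

# Sanity check before importing: does the policy actually allow msedge.exe?
$edgeRules = Get-WipAppLockerRules -Path $samplePath |
    Where-Object { $_.Binary -ieq 'MSEDGE.EXE' -and $_.Action -eq 'Allow' }
if ($edgeRules) { 'Policy contains an Allow rule for MSEDGE.EXE' } else { 'No Edge allow rule found' }
```

Reading the file this way also makes it easy to diff a newly downloaded version of the policy against the one already applied, so that a changed publisher or enforcement mode is noticed before it reaches users.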
As soon as the policy is saved, devices managed by Intune receive the policy and apply the changes.
The changes can be seen on the Intune enrolled device in the C:\Windows\System32\AppLocker\MDM\ folder (the AppLocker EnterpriseDataProtection EXE policy).
The above information comes from the XML that we imported earlier.
We have now successfully created/updated the Windows Information Protection policy to protect the Edge browser.
Before we look at the end-user experience, note that Windows Information Protection with Microsoft Edge requires (mandatory) the presence of a work profile.
Without creating a profile with a work account, the user will not be able to access corporate data in the browser.
On Azure AD joined devices, when users launch the Edge browser, it automatically creates a work profile and signs in with the user account. To make sure that users don't remove this profile, which is needed for WIP, configure the NonRemovableProfileEnabled policy.
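The following PowerShell script is an added example (not from the original post) that checks, on an Intune-enrolled Windows 10 device, the three prerequisites discussed above: an Edge build of 81.0.416.53 or later, the presence of the WIP (EnterpriseDataProtection) AppLocker policy under C:\Windows\System32\AppLocker\MDM with a reference to msedge.exe, and the NonRemovableProfileEnabled policy. The default Edge install path, the Edge policy registry key HKLM\SOFTWARE\Policies\Microsoft\Edge, and the exact layout of the MDM policy folder are assumptions; the function name Test-EdgeWipReadiness is hypothetical.

```powershell
# Added example (not from the original post): verify on a device that the
# prerequisites for WIP with Microsoft Edge are in place.
# Assumptions: default Edge install path, Edge policy registry location
# HKLM\SOFTWARE\Policies\Microsoft\Edge, and WIP AppLocker policies delivered
# under C:\Windows\System32\AppLocker\MDM as described in the post.

function Test-EdgeWipReadiness {
    [CmdletBinding()]
    param(
        [version]$MinimumEdgeVersion = '81.0.416.53',
        [string]$EdgePath = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
        [string]$MdmPolicyRoot = "$env:SystemRoot\System32\AppLocker\MDM",
        [string]$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    )

    # 1. Installed Edge version must be 81.0.416.53 or later for WIP support
    $edgeVersion = $null
    if (Test-Path $EdgePath) {
        try { $edgeVersion = [version](Get-Item $EdgePath).VersionInfo.ProductVersion } catch { }
    }
    $versionOk = ($null -ne $edgeVersion) -and ($edgeVersion -ge $MinimumEdgeVersion)

    # 2. The WIP (EnterpriseDataProtection) AppLocker policy delivered by Intune
    #    must be present and must reference msedge.exe
    $wipPolicyFiles = @()
    if (Test-Path $MdmPolicyRoot) {
        $wipPolicyFiles = @(Get-ChildItem -Path $MdmPolicyRoot -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName -like '*EnterpriseDataProtection*' })
    }
    $edgePolicyFiles = @($wipPolicyFiles | Where-Object {
        Select-String -Path $_.FullName -Pattern 'MSEDGE\.EXE' -Quiet -ErrorAction SilentlyContinue
    })

    # 3. NonRemovableProfileEnabled keeps the work profile that WIP depends on
    $nonRemovable = $null
    if (Test-Path $EdgePolicyKey) {
        $nonRemovable = (Get-ItemProperty -Path $EdgePolicyKey -ErrorAction SilentlyContinue).NonRemovableProfileEnabled
    }

    [pscustomobject]@{
        EdgeVersion                = $edgeVersion
        EdgeVersionSupportsWip     = $versionOk
        WipPolicyFilesFound        = $wipPolicyFiles.Count
        WipPolicyReferencesEdge    = ($edgePolicyFiles.Count -gt 0)
        EdgePolicyFiles            = $edgePolicyFiles.FullName
        NonRemovableProfileEnabled = ($nonRemovable -eq 1)
        Ready                      = $versionOk -and ($edgePolicyFiles.Count -gt 0) -and ($nonRemovable -eq 1)
    }
}

Test-EdgeWipReadiness | Format-List
```

Run it in an elevated PowerShell session after the device has synced with Intune; a Ready value of False together with the individual fields shows which of the three prerequisites is still missing.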
End-user experience:
When the end user launches the Edge browser and accesses corporate data, they will see a briefcase icon (this comes from my WIP policy).
When the URL is protected, data copied from that URL into Notepad or other managed apps remains protected.
When copying data from Edge to unmanaged apps such as WhatsApp, Notepad++, Google Chrome, etc., the user will see the following:
Your organization doesn't allow you to use work content with this application
Edge support for Windows Information Protection has a limitation with identity protection.
If you create more than one work profile with different identities (a corporate profile and a personal profile that has Office 365 for testing), the WIP policy is applied to all identities in the Edge browser.
On a device managed by a company called abc.com, if I launch Teams/Office 365 resources in the XYZ work profile, the data is still protected by the corporate WIP policies configured by abc.com, which is a drawback.
In reality, not every user has multiple identities to access Office 365 resources.
I hope to see Microsoft fix this limitation in upcoming versions of Edge.
All in all, it is good to see that Microsoft Edge now supports Windows Information Protection to protect enterprise data.