WIP-WE

WIP-WE User Experience

In this post I’ll focus on WIP-WE User Experience. Also known as Windows Information Protection without enrollment on Windows 10 devices. WIP Without Enrollment is a great solution for organizations supporting a BYOD solution. In addition, WIP-WE provides a degree of control to manage and secure corporate data on personal devices. If you want to know how to configure WIP-WE policies, read my previous post covering just that.

This post is part of a series I’m working on. Have a look at my other posts for more information about WIP.

  1. Introduction to Windows Information Protection
  2. Configuring MDM user scope and MAM user scope
  3. WIP-WE / MAM – Windows Information Protection without enrollment
  4. Windows Information Protection with Enrollment
  5. Windows Information Protection User Experience
  6. WIP-WE User Experience – WIP Without MDM enrollment (this post)
  7. Set up Azure Rights Management for WIP
  8. WIP Without Enrollment Selective Wipe
  9. Troubleshooting Windows Information Protection
  10. Monitoring and collecting WIP audit event logs
  11. WIP Learning mode
  12. Limiting Access to SharePoint Online on unmanaged devices
  13. Limiting Access to Exchange Online on unmanaged devices

Prerequisites

The first part of this document will be about the prerequisites, considerations and my test configuration setup to give you a better understanding about what I worked with. After that, I’ll dive into to the WIP-WE user experience.

Make sure you have the prerequisites in place;

  • Intune enabled as the MDM authority
  • Windows 10 1703 and above (Pro, Enterprise, Education)
  • EMS E3 licenses (or at the very least Intune and Azure AD premium P1)
  • Configure your MAM provider in Azure AD for WIP without enrollment

Configuring your MAM provider

Before you create your WIP-WE policy, you need to set up your MAM provider or the MAM URLs in Azure AD. Configure the MAM Discovery URL to enable WIP-WE for Windows 10 devices . In other words, without a MAM provider users cannot enroll into WIP-WE (MAM) management.

I dedicated another blog post on configuring MDM users scope and MAM user scope. Please read that post if you want to learn more about configuring MDM and MAM scopes.

WIP-WE Considerations

I suggest you have a whiteboard session before you actually configure and  deploy WIP-WE for all your users. Think about what it is exactly that you want to accomplish on NON managed BYO devices. What degree of security are you looking for? Here are a few topics that you may want to consider:

  • Can users Azure AD Join and MDM enroll personal devices?
  • Can they install and use Office 365 desktop apps to access corporate data?
    • Do you allow access only by using a browser (Online only)?
  • Can users Sync OneDrive for Business on their personal Windows 10 devices?
  • Is downloading corporate data allowed on personal Windows 10 devices? Think about downloading:
    • E-mail attachments
    • OneDrive files
    • SharePoint Online
    • Microsoft Teams
  • Can users remove WIP protection from files?

MDM Device Enrollment restrictions

I configured MDM device enrollment restrictions. As a result I don’t allow personal devices to be Azure AD joined. If you do the same, make sure you understand the consequences and limitations. Please read the documentation about blocking personal Windows 10 devices.

MDM Device Enrollment restrictions

Windows Information Protection configuration

I’ve set the ‘Windows Information Protection mode’ to Block and the Network boundaries are configured as described in my previous post Windows Information Protection without Enrollment.

IMPORTANT: Unlike Azure AD Joined and MDM enrolled devices, you have a lot less control over personal devices that are only Azure AD registered.

By setting your WIP protection mode to Allow Override, users are allowed to change file ownership and decrypt files. This action is written to the local event log. However, you cannot collect event log entries to Azure Log Analytics. To collect event logs, you need to install Microsoft Monitoring Agent. And since deploying apps to Windows 10 requires a device to be MDM enrolled, you cannot collect event logs. Therefore I set it to Block.

  • I have configured and assigned WIP policies
  • As before, In this scenario I did not configure Azure RMS

Windows 10 test device configuration

  • I have a personal Windows 10 1909 Pro test-device available for this WIP-WE User Experience.
  • The device is NOT managed with Microsoft Intune and is not registered with Azure AD.
  • I have a personal OneDrive and Personal Dropbox configured
  • Installed my Office 365 desktop apps from the Office 365 portal.
  • OneDrive for Business is installed

Azure AD registration

WIP-WE works only when a device is Azure AD registered. This can be accomplished by adding a work or school account by going to Settings –> Accounts –> Access work or school, or after adding an account to one of the Office 365 apps. For example, In this post I’ll go for the Office 365 apps version to register my device in Azure AD.  And when I start Office Outlook for the first time, I need to login with an account to activate my license.

Add account to Office 365 apps

Have a look at this next screen because this screen follows after you login to Office:

Allow my organization to manage my device

Most users will not pay any attention and just click on Yes without unchecking the check box “Allow my organization to manage my device”. As a result, the device will try to register in Azure AD. It also works wonders for SSO. For the purpose of this example I’m going to click on Yes and continue.

the device will try to register in Azure AD

Assuming everything goes as planned and without errors, the device will complete the registration with Azure Active Directory.

Device is Azure AD registered

Finally, click on Done and complete the setup for Office Outlook.

outllook setup

 

Check your Azure AD registration

You can check and see if your work account was added by going to Settings –> Accounts –> Access work or school

Add work or school account

Click on Info to see more about the connection. The management Server Address shows https://wip.mam.manage.microsoft.com:444/checkin.

WIP management Server Address

Also have a look at Azure AD devices:

Azure AD devices

The device is Azure AD registered, not managed by MDM and therefore, does not need to be compliant. Can’t explain it any better than Microsoft, and I quote:

The goal of Azure AD registered devices is to provide your users with support for the Bring Your Own Device (BYOD) or mobile device scenarios.” Read more about Azure AD registered devices on Microsoft’s website.

WIP-WE User experience

The WIP-WE user experience is almost the same as with MDM enrolled devices like I wrote about in my previous blog Windows Information Protection User Experience. However, there are some things to keep in mind:

  • WIP protection mode is set to Block and as a result users are not allowed to change file ownership.  Also copy/paste to unprotected apps or unprotected locations is not allowed. Most importantly, WIP protection cannot be overruled.

OneDrive for Business works the same as with WIP with enrollment. Consequently, you’ll see there is an extra column “File ownership”. And all the files have famsari.nl (my test tenant) set as the File ownership. The same is true for all the synced files from SharePoint. File encryption based on EFS only occurs when downloading files locally on your device. That is to say, data is not encrypted online!

Have a look at the screenshot below. You’ll see that all file icons have an extra symbol in the form of a suitcase. This is yet another indication that these files are corporate data. You can enable or disable this icon overlay by setting the WIP configuration option “Show the enterprise data protection icon” to On or Off.

OneDrive for Business

Copy paste restrictions between applications

Just like before, the restrictions for copy/paste actions from managed to unmanaged application depend on the targeted applications you have configured for the WIP-WE policy. When I copy data from Outlook (managed application) to Wordpad (unmanaged application), instead of pasting the information I copied, an error message is pasted; “Your organization doesn’t allow you to use work content with this application

Copy paste restrictions between applications

Notepad is configured as a managed application and the Task Manager shows the Enterprise context is set to famsari.nl. Managed (enlightened) applications can differentiate between corporate and personal data. First I’ll open Notepad and just start writing. Have a look at the upper right corner (minimize, restore, close). This file is handled as a personal file and saved without WIP protection.

Notepad is configured as a managed application

When I copy/paste corporate data from Outlook to Notepad, it knows this is corporate data and shows this with an extra symbol in the upper right corner. Notepad is a managed application and therefore I’m allowed to paste data.

copy/paste corporate data from Outlook to Notepad

Unapproved browsers

Just as with WIP with MDM enrollment, unapproved browsers like Google Chrome will not allow to copy/paste information from documents. In addition, uploading documents is not allowed. There is no option to overrule the WIP-WE protection.

Unapproved browsers

Approved browsers

Microsoft Edge legacy Browser supports WIP.  However, WIP Protection mode is set to block and as a result my actions to copy/paste or upload an attachment to Google Gmail are blocked.

OneDrive for Business: Relocating protected files

WIP-WE will protect files when I copy and paste or move documents from OneDrive for Business to any other location on my device (like C:\Temp). You can double check this by looking at the File ownership property of your files.

OneDrive for Business - Relocating protected files

I can’t remove the WIP protection from these files. Right click on any of your files and click on File Ownership in the menu. Personal and Work options are greyed out.

I can’t remove the WIP protection

Relocating WIP-WE protected files to OneDrive Personal

I am not allowed to copy/paste or move files from OneDrive for Business and SharePoint Online to OneDrive Personal. The action is blocked by WIP-WE.

Relocating WIP-WE protected files to OneDrive Personal

Relocating WIP-WE protected files to Dropbox

Copying WIP-WE protected files to Dropbox seems to work but again, files will not sync. Look closer and you will see that the files have the corporate file ownership tag and a red cross in the document icons. As a result, the files will not sync to Dropbox.

Dropbox

And again, I cannot change the File ownership from work to private because I have set the ‘Windows Information Protection mode’ to Block.

Relocating WIP-WE protected files to USB drives

When you set the ‘Windows Information Protection mode’ to Block, you will only have the option to copy data to a USB drive as work protected or skip the operation.

USB drive

Saving attachments from e-mails

When I open an e-mail with an attachment, I can save it as usual, but the file will be protected with WIP wherever I save the file. If I had set the WIP Protection Mode to Allow Override, I would have the option to save this file as a personal file. With my WIP Protection Mode set to Block, I only have the option to save files in a corporate context.

Saving attachments from e-mails

Conclusion

WIP is a robust solution for protecting corporate data. Firstly, It can separate personal and work data. Secondly, WIP helps prevent unintentional information sharing. And this makes WIP a good choose for companies wanting to support a BYOD scenario. In addition, combined with AIP it adds an extra layer of security making it possible for your users to share data among each other.

As with other methods used to protect information and devices, you need to find a good balance between security and business productivity. If users set their mind on stealing information, they will find a way. Lucky for us admins, most users don’t have malicious intent.

4.7 3 votes
Article Rating

Oktay Sari

CTO | Microsoft WI MVP | Likes to work on Creative #Cloud solutions | P-TSP | #Microsoft365 | #EMS | Father | #Diver | #RC Pilot & #Magician in spare time

Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

9 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Chris Hill
Chris Hill
7 months ago

H Otkay, I’m a big fan of your blog and find the articles really helpful when trying to deploy new Azure and Intune stuff onto the network I manage! I thought you might want to be aware (and perhaps draw awareness to) a serious limitation in Windows Information Protection that I’ve just come across: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/6172 It appears that Windows Information Protection does not protect Outlook OST and PST files for remote wipe or encryption by default. This means if Outlook is used in Cached Exchange Mode (the default), any mailbox data downloaded by Outlook will not be removed as part… Read more »

Jan
Jan
5 months ago
Reply to  Oktay Sari

Hi guys, a follow up on this would be much appriciated! I think WIP-WE is great in many ways, but you have to understand the limitations. What about all the different browsers on the BYOD for example. Cheers!

Paris Wells
5 months ago

“WIP-WE works only when a device is Azure AD registered.”

Thanks you so much for this info , trying to find out why my policy wasn’t deploying

Kim
Kim
4 months ago
Reply to  Paris Wells

Is there any way to enforce this though? We are currently in testing phase and we have a couple of users who are never prompted to register their personal device in azure. They sign into the teams application and the devices is still unregistered and no account is added to access work or school. This also applies to the checkmark “Allow my organization to manage my device”. If the user removes this checkmark than app protection is not enforced but they still have full access to the applications. There is a policy for this in conditional access but only ios\android… Read more »

Justin
Justin
2 months ago

Great article. Very helpful. One key limitation I’ve come across is WIP-WE only supports one managed identify. If the user has already enrolled their device with a different MDM/MAM provider from a different organization then WIP-WE won’t apply even if you force device registration via the conditional access + terms of use workaround. It would be nice if you could at least block access if WIP-WE isn’t applied.

It’s a shame they created this technology but it can’t be used to guarantee protection. I know they state that it’s not designed to guarantee protection. But why even create it then.

James L
James L
1 month ago

I’ve setup a test WIP policy without enrolment, it’s working fine in that englightened apps show their enterprise context correctly and I can’t copy/paste from them to non protected apps etc.. However, how do you prevent 3rd party browsers from accessing cloud resources that are defined under network boundaries? I have the boundaries configured per MS documentation, but using Chrome I’m able to access <company>.sharepoint.com without being blocked.. Ironically if I don’t add MsEdge – WIPMode-Allow – Enterprise AppLocker Policy File.xml as a protected app then it’s unable to access the cloud resources defined under network boundaries.. yet Firefox and… Read more »

Last edited 1 month ago by James L
Carl
Carl
20 days ago
Reply to  James L

Hi James, I’m getting the same issue. I’ve setup WIP-WE and have the cloud resources defined and this works for Edge and Office apps. However when using Chrome/Firefox I can also connect to portal.office.com, login, open OneDrive download files from the same account and they aren’t blocked. If I try to upload a file into O365 via Chrome I do get blocked as its treating the Chrome O365 as personal. However it doesn’t make sense to me that you can log into O365 and access/download files from OneDrive for Business and copy contents to WordPad etc. This seems to be… Read more »

Eric
Eric
14 days ago
Reply to  James L

I to am having the same issue. I have gone through and looked into everything I can think of and I still can not get it to make the files from sharepoint to be corporate files from either Firefox or Chrome. I can get it to work correctly from the new version of Edge. The only option I can think of it to force the MAM users to use Edge. I dont know about anyone else but I am sure that will not go over in my company.