WIP-WE

WIP-WE User Experience

In this post I’ll focus on the WIP-WE user experience, that is, Windows Information Protection without enrollment on Windows 10 devices. WIP without enrollment is a good fit for organizations supporting BYOD, because WIP-WE provides a degree of control to manage and secure corporate data on personal devices. If you want to know how to configure WIP-WE policies, read my previous post covering just that.

This post is part of a series I’m working on. Have a look at my other posts for more information about WIP.

  1. Introduction to Windows Information Protection
  2. Configuring MDM user scope and MAM user scope
  3. WIP-WE / MAM – Windows Information Protection without enrollment
  4. Windows Information Protection with Enrollment
  5. Windows Information Protection User Experience
  6. WIP-WE User Experience – WIP Without MDM enrollment (this post)
  7. Set up Azure Rights Management for WIP
  8. WIP Without Enrollment Selective Wipe
  9. Troubleshooting Windows Information Protection
  10. Monitoring and collecting WIP audit event logs
  11. WIP Learning mode
  12. Limiting Access to SharePoint Online on unmanaged devices
  13. Limiting Access to Exchange Online on unmanaged devices

Prerequisites

The first part of this post covers the prerequisites, considerations and my test configuration, to give you a better understanding of what I worked with. After that, I’ll dive into the WIP-WE user experience.

Make sure you have the prerequisites in place:

  • Intune enabled as the MDM authority
  • Windows 10 1703 and above (Pro, Enterprise, Education)
  • EMS E3 licenses (or at the very least Intune and Azure AD premium P1)
  • Configure your MAM provider in Azure AD for WIP without enrollment

Configuring your MAM provider

Before you create your WIP-WE policy, you need to set up your MAM provider (the MAM URLs) in Azure AD. Configure the MAM Discovery URL to enable WIP-WE for Windows 10 devices. In other words, without a MAM provider users cannot enroll into WIP-WE (MAM) management.

I dedicated another blog post to configuring MDM user scope and MAM user scope. Please read that post if you want to learn more about configuring MDM and MAM scopes.

WIP-WE Considerations

I suggest you have a whiteboard session before you actually configure and deploy WIP-WE for all your users. Think about what exactly you want to accomplish on non-managed BYO devices. What degree of security are you looking for? Here are a few topics you may want to consider:

  • Can users Azure AD Join and MDM enroll personal devices?
  • Can they install and use Office 365 desktop apps to access corporate data?
    • Do you allow access only by using a browser (Online only)?
  • Can users Sync OneDrive for Business on their personal Windows 10 devices?
  • Is downloading corporate data allowed on personal Windows 10 devices? Think about downloading:
    • E-mail attachments
    • OneDrive files
    • SharePoint Online
    • Microsoft Teams
  • Can users remove WIP protection from files?

MDM Device Enrollment restrictions

I configured MDM device enrollment restrictions. As a result, I don’t allow personal devices to be Azure AD joined. If you do the same, make sure you understand the consequences and limitations. Please read the documentation about blocking personal Windows 10 devices.

MDM Device Enrollment restrictions

Windows Information Protection configuration

I’ve set the ‘Windows Information Protection mode’ to Block and the Network boundaries are configured as described in my previous post Windows Information Protection without Enrollment.

IMPORTANT: Unlike Azure AD Joined and MDM enrolled devices, you have a lot less control over personal devices that are only Azure AD registered.

By setting the WIP protection mode to Allow Override, users are allowed to change file ownership and decrypt files. This action is written to the local event log. However, on a WIP-WE device you cannot collect those event log entries into Azure Log Analytics: collecting them requires the Microsoft Monitoring Agent, and deploying apps to Windows 10 requires the device to be MDM enrolled. Therefore I set the mode to Block.
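Because the override events only ever land in the local event log on a WIP-WE device, the one place you can still inspect them is the device itself. The following PowerShell script is an added example, not code from the original post: it lists recent Windows Information Protection audit events and summarizes them by channel and event ID. It assumes the WIP audit channels are named Microsoft-Windows-EDP-Audit-Regular/Admin and Microsoft-Windows-EDP-Audit-TCB/Admin (verify with `Get-WinEvent -ListLog '*EDP*'` on your build) and that it runs in an elevated session.

```powershell
# Added example (not from the original post): list Windows Information Protection
# audit events written to the local event log and summarize them by event ID.
# Assumptions: the WIP audit channels are named as below (check with
# Get-WinEvent -ListLog '*EDP*'); run from an elevated PowerShell session.
# Save as Get-WipAuditEvents.ps1 and run: .\Get-WipAuditEvents.ps1 -Days 7

param(
    [int]$Days = 7
)

$channels = @(
    'Microsoft-Windows-EDP-Audit-Regular/Admin',   # assumed channel name
    'Microsoft-Windows-EDP-Audit-TCB/Admin'        # assumed channel name
)

$since  = (Get-Date).AddDays(-$Days)
$events = foreach ($channel in $channels) {
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = $since } -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error when a channel has no matching events;
        # treat that as "nothing to report" for this channel.
        Write-Verbose "No events in $channel since $since ($($_.Exception.Message))"
    }
}

if (-not $events) {
    "No WIP audit events found in the last $Days day(s)."
    return
}

# Count by channel and event ID so you can see which actions users are triggering
$events |
    Group-Object LogName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Show the most recent entries with their message text for triage
$events |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 20 TimeCreated, LogName, Id, Message |
    Format-List
```

On a device where the mode is Block, as in this post, you should not expect override events at all; the summary is mainly useful for comparing an Allow Override pilot group against the Block configuration before you decide which mode to roll out.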

  • I have configured and assigned WIP policies
  • As before, in this scenario I did not configure Azure RMS

Windows 10 test device configuration

  • I have a personal Windows 10 1909 Pro test-device available for this WIP-WE User Experience.
  • The device is NOT managed with Microsoft Intune and is not registered with Azure AD.
  • I have a personal OneDrive and a personal Dropbox configured
  • Installed my Office 365 desktop apps from the Office 365 portal.
  • OneDrive for Business is installed

Azure AD registration

WIP-WE works only when a device is Azure AD registered. This can be accomplished by adding a work or school account under Settings –> Accounts –> Access work or school, or by adding an account to one of the Office 365 apps. In this post I’ll use the Office 365 apps route to register my device in Azure AD: when I start Office Outlook for the first time, I need to log in with an account to activate my license.

Add account to Office 365 apps

Pay attention to the next screen, which appears right after you log in to Office:

Allow my organization to manage my device

Most users will not pay any attention and just click Yes without unchecking the check box “Allow my organization to manage my device”. As a result, the device will try to register in Azure AD. It also works wonders for SSO. For the purpose of this example I’m going to click Yes and continue.

the device will try to register in Azure AD

Assuming everything goes as planned and without errors, the device will complete the registration with Azure Active Directory.

Device is Azure AD registered

Finally, click on Done and complete the setup for Office Outlook.

Outlook setup


Check your Azure AD registration

You can check whether your work account was added by going to Settings –> Accounts –> Access work or school.

Add work or school account

Click on Info to see more about the connection. The management Server Address shows https://wip.mam.manage.microsoft.com:444/checkin.

WIP management Server Address

Also have a look at Azure AD devices:

Azure AD devices

The device is Azure AD registered, not managed by MDM and therefore does not need to be compliant. I can’t explain it any better than Microsoft, and I quote:

“The goal of Azure AD registered devices is to provide your users with support for the Bring Your Own Device (BYOD) or mobile device scenarios.” Read more about Azure AD registered devices on Microsoft’s website.
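The Settings page and the Azure AD devices blade are the two places the post checks the registration; the device itself can also report its state. The script below is an added example, not code from the original post: it parses the output of `dsregcmd /status` and reports whether the device is Azure AD registered (workplace joined) rather than Azure AD joined, which is the state WIP-WE expects. It assumes dsregcmd.exe prints `Key : Value` lines with the field names AzureAdJoined, DomainJoined, WorkplaceJoined, TenantName, WorkplaceTenantName and MdmUrl (as on Windows 10 1703 and later), and that it runs as the user who added the work account, since WorkplaceJoined is reported in the user state.

```powershell
# Added example (not from the original post): confirm from the device that it is
# Azure AD registered (WorkplaceJoined) and not Azure AD joined, the state in which
# a WIP-WE policy applies. Assumptions: dsregcmd.exe exists and prints 'Key : Value'
# lines with the field names used below; run as the user who added the account.

function Get-DsregState {
    # Parse 'dsregcmd /status' into a hashtable of its Key : Value lines.
    # The lazy key match stops at the first colon, so values that contain
    # colons (for example URLs) are kept whole.
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

$s = Get-DsregState

[pscustomobject]@{
    AzureAdJoined       = $s['AzureAdJoined']        # YES only for Azure AD joined devices
    DomainJoined        = $s['DomainJoined']
    WorkplaceJoined     = $s['WorkplaceJoined']      # YES when a work account is Azure AD registered
    TenantName          = $s['TenantName']           # filled for joined devices
    WorkplaceTenantName = $s['WorkplaceTenantName']  # filled for registered (BYOD) devices
    MdmUrl              = $s['MdmUrl']               # populated for MDM-enrolled devices
} | Format-List

# For WIP-WE the expectation is: AzureAdJoined = NO and WorkplaceJoined = YES.
if ($s['AzureAdJoined'] -eq 'NO' -and $s['WorkplaceJoined'] -eq 'YES') {
    'Device is Azure AD registered (BYOD); a WIP-WE policy can apply.'
} elseif ($s['AzureAdJoined'] -eq 'YES') {
    'Device is Azure AD joined; WIP with MDM enrollment applies instead.'
} else {
    'No work account is registered yet; a WIP-WE policy will not apply.'
}
```

This is the first thing to run when a WIP-WE policy does not seem to deploy: if WorkplaceJoined is NO, the device never reached the MAM check-in address shown under Info, and the policy cannot have been delivered.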

WIP-WE User experience

The WIP-WE user experience is almost the same as with MDM enrolled devices like I wrote about in my previous blog Windows Information Protection User Experience. However, there are some things to keep in mind:

  • WIP protection mode is set to Block and as a result users are not allowed to change file ownership. Also, copy/paste to unprotected apps or unprotected locations is not allowed. Most importantly, WIP protection cannot be overruled.

OneDrive for Business works the same as with WIP with enrollment. Consequently, you’ll see there is an extra column “File ownership”, and all the files have famsari.nl (my test tenant) set as the File ownership. The same is true for all the synced files from SharePoint. File encryption based on EFS only occurs when files are downloaded locally to your device. That is to say, data is not encrypted online!

Have a look at the screenshot below. You’ll see that all file icons have an extra symbol in the form of a suitcase. This is yet another indication that these files are corporate data. You can enable or disable this icon overlay by setting the WIP configuration option “Show the enterprise data protection icon” to On or Off.

OneDrive for Business

Copy paste restrictions between applications

Just like before, the restrictions on copy/paste actions from a managed to an unmanaged application depend on the targeted applications you have configured in the WIP-WE policy. When I copy data from Outlook (managed application) to WordPad (unmanaged application), instead of the information I copied, an error message is pasted: “Your organization doesn’t allow you to use work content with this application”.

Copy paste restrictions between applications

Notepad is configured as a managed application, and Task Manager shows the Enterprise context is set to famsari.nl. Managed (enlightened) applications can differentiate between corporate and personal data. First I’ll open Notepad and just start writing. Have a look at the upper right corner (next to minimize, restore, close). This file is handled as a personal file and saved without WIP protection.

Notepad is configured as a managed application

When I copy/paste corporate data from Outlook to Notepad, it knows this is corporate data and shows this with an extra symbol in the upper right corner. Notepad is a managed application and therefore I’m allowed to paste data.

copy/paste corporate data from Outlook to Notepad

Unapproved browsers

Just as with WIP with MDM enrollment, unapproved browsers like Google Chrome will not allow you to copy/paste information from documents. In addition, uploading documents is not allowed. There is no option to overrule the WIP-WE protection.

Unapproved browsers

Approved browsers

Microsoft Edge Legacy supports WIP. However, WIP protection mode is set to Block, and as a result my attempts to copy/paste or upload an attachment to Gmail are blocked.

OneDrive for Business: Relocating protected files

WIP-WE will protect files when I copy and paste or move documents from OneDrive for Business to any other location on my device (like C:\Temp). You can double check this by looking at the File ownership property of your files.

OneDrive for Business - Relocating protected files

I can’t remove the WIP protection from these files. Right-click on any of your files and click File Ownership in the menu: the Personal and Work options are greyed out.

I can’t remove the WIP protection

Relocating WIP-WE protected files to OneDrive Personal

I am not allowed to copy/paste or move files from OneDrive for Business and SharePoint Online to OneDrive Personal. The action is blocked by WIP-WE.

Relocating WIP-WE protected files to OneDrive Personal

Relocating WIP-WE protected files to Dropbox

Copying WIP-WE protected files to Dropbox seems to work, but again, the files will not sync. Look closer and you will see that the files have the corporate file ownership tag and a red cross on the document icons. As a result, the files will not sync to Dropbox.

Dropbox

And again, I cannot change the File ownership from work to private because I have set the ‘Windows Information Protection mode’ to Block.

Relocating WIP-WE protected files to USB drives

When you set the ‘Windows Information Protection mode’ to Block, you will only have the option to copy data to a USB drive as work protected or skip the operation.

USB drive

Saving attachments from e-mails

When I open an e-mail with an attachment, I can save it as usual, but the file will be protected with WIP wherever I save the file. If I had set the WIP Protection Mode to Allow Override, I would have the option to save this file as a personal file. With my WIP Protection Mode set to Block, I only have the option to save files in a corporate context.

Saving attachments from e-mails

Conclusion

WIP is a robust solution for protecting corporate data. Firstly, it can separate personal and work data. Secondly, WIP helps prevent unintentional information sharing. This makes WIP a good choice for companies wanting to support a BYOD scenario. In addition, combined with AIP it adds an extra layer of security, making it possible for your users to share data with each other.

As with other methods used to protect information and devices, you need to find a good balance between security and business productivity. If users set their mind on stealing information, they will find a way. Lucky for us admins, most users don’t have malicious intent.

Oktay Sari

CTO | Microsoft WI MVP | Likes to work on Creative #Cloud solutions | P-TSP | #Microsoft365 | #EMS | Father | #Diver | #RC Pilot & #Magician in spare time

Chris Hill

Hi Oktay, I’m a big fan of your blog and find the articles really helpful when trying to deploy new Azure and Intune stuff onto the network I manage! I thought you might want to be aware (and perhaps draw awareness to) a serious limitation in Windows Information Protection that I’ve just come across: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/6172 It appears that Windows Information Protection does not protect Outlook OST and PST files for remote wipe or encryption by default. This means if Outlook is used in Cached Exchange Mode (the default), any mailbox data downloaded by Outlook will not be removed as part…

Paris Wells

“WIP-WE works only when a device is Azure AD registered.”

Thank you so much for this info, trying to find out why my policy wasn’t deploying