Co-authored by @DIPIKA AGGARWAL
In Part 1 of this blog series, Secure Enterprise Data through IBM MaaS360 Windows Information Protection, we explored how Windows Information Protection (WIP) through IBM MaaS360 can help protect corporate data from inadvertent use, and how it eases the use of BYOD devices for office work while securing corporate data and maintaining the privacy of personal data. In this article, we explore the advanced options under the Windows Information Protection policy settings in the IBM MaaS360 portal and show how an IT admin can apply data protection at the enterprise network level.
- Enterprise Primary Domain
This setting specifies the network domain names that your organization uses for its user identities. The data in motion from this domain will always be encrypted with the help of the Windows-provided Encrypting File System (EFS). If you want to pick the domain from enrolment information, use %domain% as described in the hint text.
- Enterprise Cloud Resources
This setting specifies the list of enterprise resource domains hosted in the cloud that need to be protected. Data from these resources are considered enterprise data and treated as protected.
- Enterprise Neutral Resources
This setting specifies the domains that can be used for work or personal resources, based on the context of the connection before the redirection. Separate multiple resources with the comma (,) delimiter.
- Enterprise IP Ranges
Specify valid IP address ranges within your intranet. Together with your network domain names, these addresses define your corporate network boundary; data from them is considered enterprise data and protected.
With the above network settings in place, enterprise network protection is configured and the admin does not need to worry about protected data being downloaded or uploaded over the network.
Let us explore the concept of enlightened and unenlightened apps, understand the difference between them, and see how to resolve the common issues caused by misunderstanding this feature.
Difference between Enlightened and Unenlightened Apps
Windows Information Protection (WIP) classifies apps into two categories: enlightened applications (MAM-aware) and unenlightened applications (MAM-unaware).
Enlightened apps: These apps can differentiate between corporate and personal data and correctly determine which to protect based on internal policies. For example, Office 365 apps such as Word, Excel, PowerPoint, OneNote and Outlook, and the Edge browser, are enlightened apps.
Unenlightened apps: These apps cannot separate corporate data from personal data. When such an app is managed, it treats all data as company data and encrypts everything by default. For example, Chrome and Firefox.
Why are my O365 files not protected by default?
Because Office 365 apps are enlightened, files saved from these protected apps are not placed in the enterprise context by default.
There are two ways to save files in the work profile (enterprise context):
- After saving a file from an Office 365 app, right-click the file and change the file ownership to Work profile, as shown in the image below.
- While saving the file: after selecting the destination folder, navigate to the More Options section; in the pop-up, the user gets the option to save the file in the Work profile from the drop-down, as shown.
To stop Windows from automatically blocking these connections, add the /*AppCompat*/ string to the Enterprise Cloud Resources setting.
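To reason about the network settings described above (Enterprise Primary Domain, Cloud Resources, Neutral Resources, IP Ranges) and the /*AppCompat*/ note, here is an added example that models how a destination would be classified against such a boundary. It is constructed for this article, not MaaS360 or Windows code; the subdomain and start-end range matching, and the assumption that a direct-to-IP connection outside the configured ranges is what Windows blocks without /*AppCompat*/, are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the WIP network boundary settings above (not MaaS360/Windows code).
APPCOMPAT = "/*AppCompat*/"

def _split_csv(value):
    # Portal fields are comma-delimited; drop blanks and surrounding spaces.
    return [item.strip() for item in value.split(",") if item.strip()]

@dataclass
class WipNetworkBoundary:
    primary_domain: str                                    # Enterprise Primary Domain
    cloud_resources: list = field(default_factory=list)    # Enterprise Cloud Resources
    neutral_resources: list = field(default_factory=list)  # Enterprise Neutral Resources
    ip_ranges: list = field(default_factory=list)          # Enterprise IP Ranges, "start-end"

    @classmethod
    def from_portal(cls, primary, cloud, neutral, ranges):
        return cls(primary.strip().lower(), _split_csv(cloud), _split_csv(neutral), _split_csv(ranges))

    @staticmethod
    def _domain_match(host, domains):
        host = host.lower()  # match the domain itself and any subdomain; skip the AppCompat flag
        return any(host == d.lower() or host.endswith("." + d.lower())
                   for d in domains if d != APPCOMPAT)

    def _ip_match(self, ip):
        for entry in self.ip_ranges:
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-"))
            if start.version == ip.version and start <= ip <= end:
                return True
        return False

    def classify(self, destination):
        # Returns 'enterprise', 'neutral', 'personal' or 'blocked' for a host name or IP literal.
        try:
            ip = ipaddress.ip_address(destination)
        except ValueError:
            ip = None
        if ip is not None:
            if self._ip_match(ip):
                return "enterprise"
            # Direct-to-IP outside the ranges: assumed blocked unless /*AppCompat*/ is configured.
            return "personal" if APPCOMPAT in self.cloud_resources else "blocked"
        if self._domain_match(destination, [self.primary_domain] + self.cloud_resources):
            return "enterprise"
        if self._domain_match(destination, self.neutral_resources):
            return "neutral"
        return "personal"
```

Running a planned policy through this model before pushing it from the portal shows which destinations will land in the enterprise context and where unenlightened apps would be blocked.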
How do I check which applications are running in an enterprise context?
To check which applications are running in an enterprise context (managed) and which are running as personal applications (not managed), go to:
Task Manager > Details > right-click any column header (e.g. Name, PID) > Select Columns > search for Enterprise context > click OK.
It will provide the details as shown in the screenshot: