IBM Security MaaS360

 View Only

Secure Enterprise Data through IBM MaaS360 Windows Information Protection – Part 2

By Deepti Swain posted Tue April 19, 2022 08:58 AM

  

Co-authored by @DIPIKA AGGARWAL

In Part-1 of this blog series Secure Enterprise Data through IBM MaaS360 Windows Information Protection, we explored how Windows Information Protection(WIP) through IBM MaaS360 can help protect corporate data from inadvertent use and also how it eases the use of BYOD devices for office work,  all while securing corporate data and maintaining the privacy of personal data. In this article, we will explore advanced options under Windows Information Protection policy settings in the IBM MaaS360 portal, showing how the IT Admin can leverage the data protection at the Enterprise Network level.

  1. Enterprise Primary Domain
               This setting specifies the network domain names that your organization uses for its user identities. The data in motion from this domain will always be encrypted with the help of the Windows-provided Encrypting File System (EFS). If you want to pick the domain from enrolment information, use %domain% as described in the hint text.

  1. Other Enterprise Protected Domains

Select the DNS names that are part of your enterprise network. All traffic to the fully qualified domains appearing in this list will be protected. You can add multiple domains separated by the comma (,) symbol.


  1. Enterprise Network Domain Names

This setting specifies a comma-separated list of domains that comprise the boundaries of the enterprise. Data from any of these domains that are sent to a device will be considered enterprise data and protected. These locations will be considered a safe destination for enterprise data to be shared to. Admin can specify the intranet domains that comprise the boundaries of the enterprise. This will help in defining the network perimeter along with the IP ranges.


  1. Enterprise Cloud Resources

This setting specifies the list of enterprise resource domains hosted in the cloud that need to be protected. Data from these resources are considered enterprise data and treated as protected.

  1. Enterprise Neutral Resources

This setting specifies the domains that can be used for work or personal resources, based on the context of the connection before the redirection. Separate multiple resources with the comma (,) delimiter.

  1. Enterprise IP Ranges

Specify the addresses for a valid IP value range within your intranet. Data from these addresses/computers used with your network domain names, define your corporate network boundaries and will be considered enterprise data and protected.

Using the above network settings, enterprise network protection can be easily configured and the admin doesn’t need to worry about protected data being downloaded/uploaded on the network.

Let us explore the concept of enlightened and unenlightened apps and understand the difference between them and how we can resolve the common issues that caused due to the misunderstanding of this feature.

Difference between Enlightened and Unenlightened Apps

Windows Information Protection (WIP) classifies apps into two categories: enlightened applications (MAM aware applications) and unenlightened applications (MAM Unaware).

Enlightened apps: These apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. E.g. Office 365 apps like Word, Excel, PowerPoint, OneNote, Outlook, Edge browser etc are enlightened apps.

Unenlightened apps: These apps cannot identify corporate and personal data separately. Thus, when these apps are managed, they consider all data to be company data and encrypt everything by default. E.g. Chrome, Firefox.

Why my O365 files are not protected by default?

As Office 365 apps are enlightened apps, saving files from enlightened protected apps is not under enterprise context by default.

To save files in the work profile (Enterprise context), there are two ways:

  1. After saving any file from Office 365 Apps, right-click the file and change the File ownership to Work profile as shown in the below image.
  2. While saving the file itself: After selecting the Destination folder, Navigate to the More Options section, and in the pop-up, the user will get the option to save the file in the Work profile as shown in the drop-down.

2. While saving the file itself: After selecting the Destination folder, Navigate to the More Options section, and in the pop-up, the user will get the option to save the file in the Work profile as shown in the drop-down.

Why am I not able to access the internet through Chrome or Firefox after applying the WIP policy?

When an unenlightened app tries to connect to a cloud resource through an IP, Windows can’t determine whether to allow the app to connect, it will automatically block the connection. You could not use browsers like Chrome or Firefox, they would simply not load any internet page like the below:

 To stop Windows from automatically blocking these connections you can use /*AppCompat*/ string to the cloud resources settings.

Why am I not able to access my enterprise cloud resource through the Edge browser?

Since the Microsoft Edge browser is an enlightened app, it requires users to log in with corporate credentials before they can access any WIP protected cloud resource.

More details can be found here: Microsoft Edge support for WIP

Let’s see how this is enforced through a small video

Windows Information Protection(WIP) : Browser use case

How do I check which applications are running in an enterprise context?

In order to check which applications are running in an enterprise context/ are managed and which are running as personal applications/ are not managed, please go to:

Task Manager > Details > Right Click on any of the column header(E.g. Name, PID etc) > Select Columns > Search for Enterprise context > Click Ok.

It will provide the details as shown in the screenshot:



In this blog, we learned:

  • How to make an in-depth configuration for protecting enterprise network and enterprise cloud resources.
  • Which is the difference between enlightened and unenlightened apps, what are the common issues that are caused by their inherent behaviour after WIP is applied and how can we overcome those issues.
  • How to see which applications are running in an enterprise context from Task Manager.

 

Windows Information Protection with IBM MaaS360 is a great solution for protecting corporate data against any potential data leaks without interfering with the employee experience. If you have any questions or feedback, you can post them in the comments section, or reach out to us at deeptiswain@in.ibm.com / daggarw4@in.ibm.com / bnallaga@in.ibm.com  or contact your IBM account representative.
​​​
0 comments
34 views

Permalink