When Microsoft released its Windows 10 Anniversary Update last summer, it positioned Windows Information Protection as a better way to keep sensitive data safe. As a data loss protection (DLP) tool built into the update, WIP separates personal and business information. It lets administrators restrict which apps can access business data and how that data can be used, including the ability to restrict cut-and-paste operations. As a transparent protection for institutional data, WIP provides a seamless end-user experience, unlike third-party products that require users to switch modes when working with sensitive data. Read on to learn how to use WIP effectively in your environment.
You can manage WIP using mobile device management policy, which requires System Center Configuration Manager, Intune or a third-party MDM system. When used in conjunction with Office 365, cloud support is provided, and Microsoft’s Azure Rights Management protects data shared externally using identity-based authentication.
By default, WIP marks all data as “business” and encrypts it, but you can create policies to let users decide whether data is business or personal. Users will be able to copy and paste data between managed apps, but not to apps that fall outside WIP’s allowed apps policy. You can also use policy to manage WIP-aware apps, such as Microsoft Edge and Internet Explorer 11. That way, users won’t be restricted when using “business” sites, but they won’t be able to copy institutional data to personal email or cloud storage.
For now, the list of enlightened apps is limited: primarily Universal Windows Platform apps plus Internet Explorer. Microsoft Office desktop apps deployed using the Office 365 Click-to-Run installer are also enlightened. Developers can enlighten their own applications for WIP by tapping into a set of application programming interfaces, which is necessary if IT wants to let users determine whether data is marked as personal or business. The limited list won’t necessarily keep you from deploying WIP, since unenlightened apps included in WIP policy will mark all data as “business.”
Microsoft positions WIP as better than third-party DLP solutions for Windows, but important restrictions exist. For educational institutions, the most critical may be that WIP is designed for a single user per managed device, so it shouldn’t be used on shared workstations. Unenrollment can revoke only the data of the user who was enrolled initially, and problems can occur if unenlightened apps encrypt data for multiple users on a device. Also note that WIP is built into Windows Mobile, but isn’t supported on Android and iOS devices.
If users need remote access to file servers, a virtual private network (VPN) should be used because DirectAccess isn’t compatible with WIP. Microsoft Work Folders or OneDrive for Business should be used for offline file synchronization because redirected folders with client-side caching are also incompatible with WIP. And as a best practice, files should be shared via enterprise file servers or enterprise cloud locations. Files stored on external USB drives that WIP marks as business data can’t be used on other devices, although users can manually decrypt files that must be shared on external drives.
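The policy choices described above (whether WIP silently marks everything as business or lets users decide, whether data is revoked on unenrollment, and whether users may manually decrypt files for external drives) map onto nodes of the EnterpriseDataProtection configuration service provider that an MDM system pushes to the device. The SyncML fragment below is an added illustration, not from the original article or from Microsoft’s documentation; the domain name and command IDs are constructed, and a real policy also needs a data-recovery certificate and an allowed-apps list, which are omitted here.

```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <!-- Enforcement level: 0 = Off, 1 = Silent, 2 = Override, 3 = Block.
         3 (Block) treats all data as business and stops leaks outright;
         2 (Override) lets users decide and reclassify, with an audit log. -->
    <Replace>
      <CmdID>1</CmdID>
      <Item>
        <Target><LocURI>./Device/Vendor/MSFT/EnterpriseDataProtection/Settings/EDPEnforcementLevel</LocURI></Target>
        <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
        <Data>2</Data>
      </Item>
    </Replace>
    <!-- Identity the business data belongs to (constructed example domain).
         Data from these domains is encrypted as "business" on the device. -->
    <Replace>
      <CmdID>2</CmdID>
      <Item>
        <Target><LocURI>./Device/Vendor/MSFT/EnterpriseDataProtection/Settings/EnterpriseProtectedDomainNames</LocURI></Target>
        <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
        <Data>example-university.edu</Data>
      </Item>
    </Replace>
    <!-- 1 = allow users to manually decrypt a protected file, e.g. before
         copying it to a USB drive that will be read on another device. -->
    <Replace>
      <CmdID>3</CmdID>
      <Item>
        <Target><LocURI>./Device/Vendor/MSFT/EnterpriseDataProtection/Settings/AllowUserDecryption</LocURI></Target>
        <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
        <Data>1</Data>
      </Item>
    </Replace>
    <!-- 1 = revoke the enrolled user's business data keys on unenrollment
         (only that user's data; a second user's data on a shared device is not covered). -->
    <Replace>
      <CmdID>4</CmdID>
      <Item>
        <Target><LocURI>./Device/Vendor/MSFT/EnterpriseDataProtection/Settings/RevokeOnUnenroll</LocURI></Target>
        <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
        <Data>1</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>
```

Setting EDPEnforcementLevel to 3 instead of 2 gives the stricter default behavior the article describes, where everything is treated as business data and users cannot override a blocked copy.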