When Microsoft released its Windows 10 Anniversary Update last summer, it positioned Windows Information Protection as a better way to keep sensitive data safe. In a bring-your-own-device environment, WIP lets teachers restrict which apps can access school data and how that data can be used, including the ability to cut and paste. It can prevent personal third-party apps and malware from accessing school data, and separates information so that files containing student records and staff payroll can be wiped from devices without affecting personal files.
As a transparent protection for district files, WIP provides a seamless end-user experience on any Windows 10-based device, unlike third-party products that require users to switch modes when working with sensitive data. Here’s how to leverage WIP effectively in your environment:
You can manage WIP, previously known as enterprise data protection, using mobile device management policy, which requires System Center Configuration Manager, Intune or a third-party MDM system. When used in conjunction with Office 365, the district has access to cloud support and Microsoft’s Azure Rights Management protects data shared externally using identity-based authentication.
By default, WIP marks all data as “business” and encrypts it, but you can create policies to let users decide whether data is business or personal. Users will be able to copy and paste data between managed apps, but not to apps that fall outside WIP’s allowed apps policy. You can also use policy to manage WIP-aware apps, such as Microsoft Edge and Internet Explorer 11. That way, users won’t be restricted when using business sites, but they won’t be able to copy district or school data to personal email or cloud storage.
The list of enlightened apps (those that can differentiate between business and personal data) is, for now, primarily limited to Universal Windows Platform apps plus Internet Explorer. Microsoft Office desktop apps deployed using the Office 365 Click-to-Run installer are also enlightened. Developers can enlighten their own applications for WIP (if IT wants to let users determine whether data is marked as personal or business) by tapping into a set of application programming interfaces. The limited list won’t necessarily keep you from deploying WIP, since unenlightened apps included in WIP policy will mark all data as “business.”
Microsoft positions WIP as better than third-party data loss prevention solutions for Windows, but restrictions exist. For K–12 establishments, the most critical may be that WIP shouldn’t be used on shared workstations. Unenrollment can revoke only the data of the user who was enrolled initially, and problems can occur if unenlightened apps encrypt data for multiple users on a device. Also, be aware that WIP is built in to Windows Mobile, but isn’t supported on Android and iOS devices.