Part 4 – Create & Deploy Enterprise Data Protection with Microsoft Intune

In this blog series on Enterprise Data Protection (EDP) I will give you some more insight into what EDP is, how it works, and how to create and deploy EDP policies with Configuration Manager and Microsoft Intune.

  • Part 1 – Introduction: Enterprise Data Protection – Under the hood
  • Part 2 – Retrieve Desktop & Universal Application Information with PowerShell
  • Part 3 – Create & Deploy Enterprise Data Protection with Configuration Manager Current Branch
  • Part 4 – Create & Deploy Enterprise Data Protection with Microsoft Intune
  • Part 5 – Enterprise Data Protection & Azure RMS better together

In this 4th blog post I’ll outline how to create and deploy Enterprise Data Protection policies to Windows 10 devices with Microsoft Intune.

Prerequisites

Before we can deploy Enterprise Data Protection policies we need some basic information, including the protected applications and the corporate network locations. Together these define which protected apps may access corporate data, and on which corporate network locations. See my previous EDP blog posts, Part 1 – Introduction: Windows 10 Enterprise Data Protection – Under the hood… and Part 2 – Define Privileged Desktop & Universal Applications for Enterprise Data Protection, for how to define corporate network locations and protected applications.

Create a New Policy

Open the Intune administration console and go to the Policy node. Click Add Policy in the Tasks area. Go to Windows, select the Enterprise Data Protection (Windows 10 and Mobile and later) policy, click Create and Deploy a Custom Policy, and then click Create Policy.

Add a Universal App

From the Configure the following apps to be protected by EDP pane in the Protected Apps area, click Add.

Select Universal App, then type the Publisher Name and the Product Name into the associated boxes. In this example we define the Microsoft Excel 2016 mobile app as a protected app. The two values can be retrieved with PowerShell:

Get-AppxPackage | select Name, Publisher | where {$_.Name -like "*Excel"} | fl

Name : Microsoft.Office.Excel
Publisher : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

Copy the Publisher value into the Publisher Name box and the Name value into the Product Name box of the Add app dialog, and then click OK.

Add a Desktop App

Select Desktop App, then type the Publisher Name and the Product Name into the associated boxes. In this example we define Microsoft Excel 2016 as a protected app. The values come from the AppLocker file information of the executable:

Get-AppLockerFileInformation -Path "<path>"

Where "<path>" is the location of the app executable on the device. -Path expects the path of a file; to scan a whole folder use -Directory instead, for example Get-AppLockerFileInformation -Directory "C:\Program Files (x86)\Microsoft Office\root\Office16".

Get-AppLockerFileInformation -Directory "C:\Program Files (x86)\Microsoft Office\root\Office16" -Recurse -FileType Exe | where {$_.Path -like "*winword.exe"} | fl

Path : %PROGRAMFILES%\MICROSOFT OFFICE\ROOT\OFFICE16\WINWORD.EXE

Publisher : O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE,16.0.4266.1003

Hash : SHA256 0x75BB2A96B0341CF6E8FD127CC754AF69E6F95CCC95B7CFCA264EF310D6051A09

AppX : False

Copy the first part of the Publisher value into the Publisher Name box, then split the remainder of that value into the Product Name, File Name and Version (if required) boxes of the Add app dialog (see the note below), and then click OK.

Note!

Where O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US is the publisher name to enter in the Publisher box.

Where MICROSOFT OFFICE 2016 is the Product name to enter in the Product Name box.

Where EXCEL.EXE is the file name to enter in the File Name box (the output above lists WINWORD.EXE; for the Excel example enter EXCEL.EXE). If you leave the default value *, all Office programs (.exe) of this product will be defined as protected.

Where 16.0.4266.1003 is the version to enter in the Version box.

Repeat the above steps in order to define your protected apps as needed.

Note! For a complete and detailed overview of retrieving application information see Part 2 – Define Privileged Desktop & Universal Applications for Enterprise Data Protection
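The manual splitting described in the note above is error-prone when you have more than a handful of apps. The following PowerShell is an added example of my own, not code from the original post: it runs the two cmdlets used above and turns their output into the exact values for the Publisher Name, Product Name, File Name and Version boxes. The function names are hypothetical; the parser assumes the "<publisher DN>\<product>\<file>,<version>" string format that Get-AppLockerFileInformation prints for the Publisher property, as shown in the output earlier in this post, and the sample string, folder and package name are the ones used above.

```powershell
# Added example (my own code, not from the original post): derive the values
# for the Intune "Add app" boxes from the cmdlets used above instead of
# splitting the Publisher string by hand. Function names are hypothetical.

function ConvertFrom-AppLockerPublisher {
    # Splits an AppLocker publisher string of the form
    #   "<publisher DN>\<PRODUCT NAME>\<FILE.EXE>,<version>"
    # into the Publisher Name, Product Name, File Name and Version boxes.
    param([Parameter(Mandatory)][string]$PublisherString)

    $segments = $PublisherString -split '\\'
    if ($segments.Count -ne 3) {
        throw "Unexpected AppLocker publisher format: '$PublisherString'"
    }
    $binary, $version = $segments[2] -split ',', 2
    # An unversioned binary gets the wildcard, i.e. every version is protected.
    $version = if ($version) { $version.Trim() } else { '*' }

    [pscustomobject]@{
        Type      = 'Desktop'
        Publisher = $segments[0].Trim()
        Product   = $segments[1].Trim()
        File      = $binary.Trim()
        Version   = $version
    }
}

function Get-EdpDesktopAppEntry {
    # One row per signed executable under $Directory; -FileFilter narrows the
    # result to a single binary such as 'EXCEL.EXE'. Unsigned files have no
    # Publisher and cannot be used for a publisher-based EDP rule.
    param(
        [Parameter(Mandatory)][string]$Directory,
        [string]$FileFilter = '*'
    )
    Get-AppLockerFileInformation -Directory $Directory -Recurse -FileType Exe |
        Where-Object { $_.Publisher -and ("$($_.Path)" -like "*\$FileFilter") } |
        ForEach-Object { ConvertFrom-AppLockerPublisher -PublisherString "$($_.Publisher)" }
}

function Get-EdpUniversalAppEntry {
    # Publisher Name and Product Name for a Universal (AppX) app, as reported
    # by Get-AppxPackage. File Name and Version do not apply to Universal apps.
    param([Parameter(Mandatory)][string]$PackageName)
    Get-AppxPackage -Name $PackageName | ForEach-Object {
        [pscustomobject]@{
            Type      = 'Universal'
            Publisher = $_.Publisher
            Product   = $_.Name
            File      = ''
            Version   = ''
        }
    }
}

# Offline check of the parser against the publisher string shown earlier in
# this post (constructed sample, no Office installation needed).
$sample = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE,16.0.4266.1003'
ConvertFrom-AppLockerPublisher -PublisherString $sample | Format-List

# On a device with Office 2016 and the Excel mobile app installed (folder and
# package name as used in this post): collect both entries and export them so
# the values can be pasted into the Intune console.
$entries = @(
    Get-EdpDesktopAppEntry -Directory 'C:\Program Files (x86)\Microsoft Office\root\Office16' -FileFilter 'EXCEL.EXE'
    Get-EdpUniversalAppEntry -PackageName 'Microsoft.Office.Excel'
)
$entries | Format-Table Type, Publisher, Product, File, Version -AutoSize
$entries | Export-Csv -Path .\edp-protected-apps.csv -NoTypeInformation
```

Run it in an elevated PowerShell session on a reference device that has the applications installed. Keeping the exported CSV next to the policy gives you a record of exactly which publisher, product, file and version each EDP rule was built from, which makes the policy much easier to review and to update after an Office upgrade changes the version number.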

Choose EDP management mode for your enterprise data

After you’ve added the apps you want to protect with EDP, you’ll need to choose an app management mode. In this example we select Override.

Choose where apps can access enterprise data

After you’ve applied a management mode to your protected apps, you’ll need to decide where those apps can access enterprise data on your network. There are six location types: network domain, cloud domain, proxy server, internal proxy server, IPv4 range and IPv6 range.

To specify where your protected apps can find and send enterprise data on the network, go to the Primary domain section of the Protected Apps area and type the name of your primary domain. You can specify all the domains owned by your enterprise, separating them with the “|” character, for example ronnydejong.sharepoint.com. The first listed domain (in this example ronnydejong.com) is used to tag files accessed by any app on the Protected App list.

To add other network locations your apps can access, click Add and then choose one of the location types listed above.

Add as many locations as required, and then click OK. In the optional Use a data recovery certificate in case of data loss box, click Browse to add a data recovery certificate to your policy. A data recovery certificate lets admins recover locally protected files on the device, for example when an employee leaves the company and the IT department needs to access EDP-protected data on that employee’s Windows 10 company computer.

Optional EDP-related settings

  • Block the user from decrypting data that was created or edited by the apps configured above. Clicking Yes or Not configured lets your employees right-click to decrypt their enterprise data for protected apps. Since I want to show you EDP kicking in when simulating a data leak scenario, we leave the default value Not Configured.
  • Protect app content when the device is in a locked state for the protected apps. Clicking Yes lets EDP help secure protected app content when a mobile device is locked. It is recommended to turn this option on to help prevent data leakage through things such as email text that appears on the lock screen of a Windows 10 Mobile phone.

Deploy Enterprise Data Protection (EDP) policy

After you’ve created your enterprise data protection (EDP) policy, you’ll need to deploy it to your organization’s enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.

Use policies to manage computers and mobile devices with Microsoft Intune

The proof of the pudding is in the eating

Now that we have successfully deployed an EDP policy, you’ll see when it kicks in: the protected apps (Office Excel 2016 and Excel Mobile) carry a subtle visual characteristic which indicates that the app is protected by EDP.

The same applies when we open Excel 2016 and Excel Mobile, which are both identified as managed.

When we simulate a data leak scenario by accidentally copying data out of this protected Word document, we are prompted to confirm that our intention is right. We get this prompt because we set the app management mode to Override earlier. Now we are able to leak data on purpose.

The same applies when saving the document: by default it is automatically encrypted when stored locally or on any network location outside your corporate network boundaries.

Conclusion

When managing Windows 10 devices, Configuration Manager Current Branch is able to create and deploy configuration items for Windows 10 enterprise data protection (EDP). EDP helps you restrict, or audit and alert on, the sharing and leaking of company data. Configuration Manager EDP configuration items manage the list of apps protected by EDP, the enterprise network locations, the protection level and the encryption settings.

In my next blog I’ll cover Enterprise Data Protection & Azure RMS better together: how to decrypt protected files and how to share corporate documents outside your organization with Azure RMS. Stay tuned!

Note! Enterprise data protection is currently being tested with a number of enterprise customers and will become available to Windows Insiders soon. The tests I performed are based on a Windows 10 1511 Insider Preview build (14279.1000) RS1.

Sources

Enterprise data protection (EDP) overview

Common tasks for managing compliance on devices not running the System Center Configuration Manager client

Common tasks for creating and deploying configuration baselines with System Center Configuration Manager

Source: ronnydejong (original link)
