WIP Policies are not Getting Applied to Office web Portal Internal Web Apps | Intune

WIP Policies are not Getting Applied to Office web Portal Internal Web Apps

Let’s see how to fix the issue named in the title of this post: WIP policies are not getting applied to the Office web portal and internal web apps. I deployed Windows Information Protection (a.k.a. WIP) policies using Intune; the client side is Windows 10 version 1909.

I have deployed a standard WIP policy using Intune to Windows 10 devices, as explained in the previous post. That means I configured only the required components and skipped all the optional settings (Advanced settings) in the Intune WIP policy. If you did the same, you will probably hit the same issue that I explain in this post.

Problem Statement

The problem statement is clear from the heading of this post itself, but let me explain it further:

  • I enabled WIP accidental data leakage policies as explained in this post.
  • However, when I open corporate email using Microsoft Edge (Chromium-based), it allows me to leak the data.
  • You can see in the screen capture below that copying corporate mail content into a personal Notepad file is allowed!
  • This 🔻🔻 is the issue that we want to fix!

Intune Policy for WIP

Let’s check the Intune policy I configured for WIP to get more details. As you can see in the screen capture below, I have not configured “Advanced settings”. I think this is the main reason for the issue.


Advanced Settings

There are no default locations included with Intune WIP; you must add each of your network locations yourself. Now let’s understand what those advanced settings are.

  • Protected domains – Specify the domains used for identities in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.
    • howtomanagedevices.onmicrosoft.com
    • payroll.howtomanagedevices.com (internal HR app)
    • And all the URLs mentioned in the following section.
  • Network domains – Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

Fix Issue – WIP Policies are not Getting Applied

Let’s fix the target apps list first!

  • Add all the default target apps. Target apps are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise-aware, or personal-only apps. Only enlightened apps are allowed on devices without MDM.
    • Select MsEdge – WIPMode-Allow – Enterprise AppLocker Policy File.xml from the list (make sure you select this app).
  • Click OK.

Fix the Network perimeter – Choose where protected apps can access enterprise data on your network.

Add additional network parameters or boundaries to protect against accidental corporate data leakage, even though the basic WIP feature is already enabled.

  • Protected domains – Default – howtomanagedevices.onmicrosoft.com (tenant name)
  • Cloud resources – Exchange – outlook.office365.com|outlook.office.com
  • Cloud resources – Pay Roll – howtomanagedevices.com
  • Cloud resources – HTMD – payroll.htmd.com

Click Review + Save button to fix the issue.

Results

  • Now you can see that the MS Edge enterprise context has changed to the domain, as I explained here.
  • You can also see it marked as Enlightened, Permitted.

Let’s analyze the results in the Office portal. Try to copy the corporate email data into a personal Notepad file: the new policy should now block the data leakage.

Registry

  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\AAB267BF-EBF2-4649-822C-74511A4CC253\default\Device\DataProtection
    • EnterpriseProtectedDomainNames
  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\AAB267BF-EBF2-4649-822C-74511A4CC253\default\Device\NetworkIsolation
    • EnterpriseCloudResources
      • outlook.office365.com|outlook.office.com|payroll.htmd.com|howtomanagedevices.com
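To confirm on a client that the network boundary from the Intune policy actually landed, the following PowerShell check (an added example, not from the original post or from Microsoft) reads the two registry values above and compares them with the domains configured in this post. The expected domain lists are assumptions taken from this post’s configuration; replace them with your own tenant values.

```powershell
# Added example: verify that the WIP network boundary values from the Intune
# policy were applied on the Windows 10 client. Registry paths are the ones
# shown in the post; the expected lists are assumed from the post's settings.
$providerId = 'AAB267BF-EBF2-4649-822C-74511A4CC253'
$base = "HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers\$providerId\default\Device"

$expectedProtectedDomains = @('howtomanagedevices.onmicrosoft.com')
$expectedCloudResources   = @(
    'outlook.office365.com',
    'outlook.office.com',
    'payroll.htmd.com',
    'howtomanagedevices.com'
)

function Get-WipBoundaryValue {
    param([string]$SubKey, [string]$ValueName)
    $item = Get-ItemProperty -Path (Join-Path $base $SubKey) -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    # WIP stores several entries in one pipe-delimited string, as seen in the post
    return @(($item.$ValueName -split '\|') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-WipBoundary {
    param([string]$SubKey, [string]$ValueName, [string[]]$Expected)
    $actual  = Get-WipBoundaryValue -SubKey $SubKey -ValueName $ValueName
    $missing = @($Expected | Where-Object { $actual -notcontains $_ })
    [pscustomobject]@{
        Setting = "$SubKey\$ValueName"
        Applied = ($actual -join '|')
        Missing = ($missing -join '|')
        Ok      = ($missing.Count -eq 0)
    }
}

$results = @(
    Test-WipBoundary -SubKey 'DataProtection'   -ValueName 'EnterpriseProtectedDomainNames' -Expected $expectedProtectedDomains
    Test-WipBoundary -SubKey 'NetworkIsolation' -ValueName 'EnterpriseCloudResources'       -Expected $expectedCloudResources
)
$results | Format-Table -AutoSize

if ($results.Ok -contains $false) {
    # A host missing here is exactly the case from this post: Edge treats it as
    # personal, so copying out of it is not blocked by WIP.
    Write-Warning 'WIP network boundary is incomplete. Re-check Advanced settings in the Intune WIP policy and sync the device.'
}
```

Run it in an elevated PowerShell session after a device sync; any host listed under Missing is one that Edge will still treat as non-enterprise.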

Video Recording

  • 📌Why WIP policies are not getting applied to Office web portal and internal web apps? 
  • 📌How to define network boundaries in WIP policies using the Intune portal?
  • 📌What is the protected domain option in network boundary for WIP policies?
  • 📌 How to troubleshoot Windows Information Protection?
  • 📌How Windows Information Protection can prevent data leakage?
