Let’s see how to fix the issue described in the title of this post: WIP policies are not getting applied to the Office web portal and internal web apps. I deployed Windows Information Protection (a.k.a. WIP) policies using Intune. The client side is on Windows 10 version 1909.
I have deployed a standard WIP policy using Intune to Windows 10 devices, as explained in the previous post. That means I configured only the required components and skipped all the optional ones (advanced settings) in the WIP policy from Intune. If you did the same, you will likely hit the issue that I’m going to explain in this post.
Problem Statement
The problem statement is already clear from the heading of this post. Let me explain it further:
- I have enabled WIP accidental data leakage policies as explained in this post.
- However, when I open corporate email using Microsoft Edge (Chromium-based), it allows me to leak the data.
- You can see in the below screen capture – copying corporate mail content to a personal Notepad file is allowed!
- This 🔻🔻 is the issue that we want to fix!

Intune Policy for WIP
Let’s check the Intune policy which I configured for WIP to get more details. As you can see in the below screen capture, I have not configured “Advanced settings”. I think this is the main reason.

Advanced Settings
There are no default locations included with Intune WIP; you must add each of your network locations. Now let’s understand what those advanced settings are.
- Protected domains – Specify the domains used for identities in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.
  - howtomanagedevices.onmicrosoft.com
  - payroll.howtomanagedevices.com (internal HR app)
  - And all the URLs mentioned in the following section.
- Network domains – Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.
Fix Issue – WIP Policies are not Getting Applied
Let’s fix the target apps list first!
- Add all the default apps – Target apps are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. Only enlightened apps are allowed on devices without MDM.
- Select MsEdge – WIPMode-Allow – Enterprise AppLocker Policy File.xml (Make sure you select this app) from the list.
- Click OK

Fix the Network perimeter – Choose where protected apps can access enterprise data on your network.
Add additional network boundaries to protect against accidental corporate data leakage, even though the basic WIP feature is already enabled.
- Protected domains – Default – howtomanagedevices.onmicrosoft.com (tenant name)
- Cloud resources – Exchange – outlook.office365.com|outlook.office.com
- Cloud resources – Pay Roll – howtomanagedevices.com
- Cloud resources – HTMD – payroll.htmd.com

Click Review + Save button to fix the issue.
Results
- Now, you can see that the MS Edge enterprise context has changed to the domain, as I explained here.
- You can also see Enlightened, Permitted.

Let’s analyze the results in the Office portal. Let’s try to copy the corp email data to a personal Notepad file. The new policy should block data leakage.

Registry
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\AAB267BF-EBF2-4649-822C-74511A4CC253\default\Device\DataProtection
  - EnterpriseProtectedDomainNames

- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\AAB267BF-EBF2-4649-822C-74511A4CC253\default\Device\NetworkIsolation
  - EnterpriseCloudResources
    - outlook.office365.com|outlook.office.com|payroll.htmd.com|howtomanagedevices.com
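
One way to confirm from the client that these boundary values arrived is to read them with PowerShell and compare them with the hosts you expect to be protected. This is an added example, not part of the original post; the function name and the host list are assumptions for illustration, and the comparison is a literal match against the configured entries.

```powershell
# Added example, not from the original post. Run on the enrolled Windows 10 client.
# The provider key is the one shown in the Registry section above.
$Base = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers\AAB267BF-EBF2-4649-822C-74511A4CC253\default\Device'

# Get-WipList is a hypothetical helper name: it returns the entries of one policy value.
function Get-WipList {
    param([string]$SubKey, [string]$ValueName)
    $prop = Get-ItemProperty -Path "$Base\$SubKey" -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        Write-Warning "$SubKey\$ValueName not found: policy not delivered or setting not configured"
        return
    }
    # Entries are separated by '|'. A cloud resource may carry a paired proxy
    # after a comma ("resource,proxy"); keep only the resource part.
    ([string]$prop.$ValueName) -split '\|' |
        ForEach-Object { ($_ -split ',')[0].Trim().ToLowerInvariant() } |
        Where-Object { $_ }
}

$protected = @(Get-WipList -SubKey 'DataProtection'   -ValueName 'EnterpriseProtectedDomainNames')
$cloud     = @(Get-WipList -SubKey 'NetworkIsolation' -ValueName 'EnterpriseCloudResources')

# Hosts to verify (assumed list: the cloud resources configured in this post).
$hostsToCheck = 'outlook.office365.com', 'outlook.office.com', 'payroll.htmd.com', 'howtomanagedevices.com'

# Literal comparison only: it shows whether the host was configured,
# not how Windows evaluates the boundary at run time.
foreach ($h in $hostsToCheck) {
    $name = $h.ToLowerInvariant()
    [pscustomobject]@{
        Host            = $h
        CloudResource   = $cloud -contains $name
        ProtectedDomain = $protected -contains $name
    }
}
```

A host that shows False in both columns was not delivered to the device as a boundary entry, so check the Intune policy assignment and sync status before testing copy and paste again.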

Video Recording
- 📌Why WIP policies are not getting applied to Office web portal and internal web apps?
- 📌How to define network boundaries in WIP policies using the Intune portal?
- 📌What is the protected domain option in network boundary for WIP policies?
- 📌 How to troubleshoot Windows Information Protection?
- 📌How Windows Information Protection can prevent data leakage?
Resources
- How to Create Configure and Deploy Windows 10 WIP Policies Using SCCM Intune
- Windows Information Protection | WIP Learn with Joy Part #1 | Intune
- Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
- Determine the Enterprise Context of an app running in Windows Information Protection (WIP)
- Azure Portal Teams SharePoint Blocked with Microsoft Edge Chromium Browser WIP Fix
Thanks for this article.
It works great for most of the domains EXCEPT outlook.office365.us (gov tenant) which is what is shown in the address bar in outlook, same as the other sites I put as cloud resources which work. Wondering what I am doing wrong.