Archive

Archive for the ‘BYOD’ Category

Use Windows Information Protection (WIP) to help make accidental data leakage a thing of the past

Have you always wished you could have mobile application management (MAM) on Windows?

Now you can!

Windows Information Protection (WIP) is an out-of-the-box data leakage prevention feature for Windows 10 that automatically applies protection to work files and data to prevent accidental leaks. With 600 million active Windows 10 devices, corporate customers continuing to deploy in earnest throughout 2018, and support for WIP built into Office 365 ProPlus, its benefits are within easy reach.

Sixty to eighty percent of data leakage is accidental (see ICO data for 2016 and 2017). WIP offers much-needed protection for files at rest on the Windows platform, for any organization with sensitive data, big or small. In today's security ecosystem, companies are spending $93B on security features (enough to host seven Olympic Games!), yet they still saw a 29 percent increase in data leakage worldwide between 2016 and 2017. WIP comes as a timely solution.

With Windows 10, Microsoft is providing a fundamental solution to this growing problem. Recognizing that the risk of a leak comes from both fully managed devices and personal devices accessing work resources, we designed WIP to be deployed on PCs and mobile devices running Windows 10. WIP is designed for organizations of all shapes and sizes, as a scalable solution that prevents accidental data leakage by end users.

WIP protects users and organizations from accidental leaks via copy-and-paste, drag-and-drop, removable storage (e.g., USB thumb drives), and unauthorized applications (e.g., non-work cloud storage providers). Windows shell integration appears in clear but unobtrusive ways: elements like File Ownership are displayed and selectable in Explorer and the File Save As dialog, and helpful briefcase icons mark resources when you are in a work context in places like window title bars and Microsoft Edge's navigation bar. Unauthorized applications are blocked from single sign-on with work credentials. WIP also includes the ability to perform a selective wipe of business information while leaving personal data behind.

WIP has three simple policy enforcement modes. They let you choose whether the user experience in the clipboard, the save dialog, and similar data-sharing cases offers options (overrides) to move work content into a non-work context. You can Hide Overrides, Allow Overrides for your users, or deploy in Silent mode just for auditing. Silent mode does not restrict unmanaged apps from opening work data the way Hide Overrides and Allow Overrides do, so you can configure less and still benefit from the BYOD selective wipe capability for your work data, such as data downloaded from OneDrive for Business and Outlook email. This means that when you or your user unenrolls the work account from a personal device, that work data stops being accessible.

WIP policy can be deployed in a few clicks in Microsoft Intune for MAM-only (without enrollment) targeting, MDM (with enrollment), or both. Being able to apply MAM-only policy will help you finally enable BYOD in regions and situations where fully managing the personal device is unacceptable. For companies that are not yet fully in the cloud, WIP policy can also be set on domain-joined computers using System Center Configuration Manager. Then, when you're ready for co-management, you can move the WIP policy management authority to Microsoft Intune.

Your corporate files can also be automatically encrypted with a local key when downloaded to WIP-managed devices. You do this by configuring your corporate network boundary: using network isolation policies, you identify your LAN and corporate cloud resources, which Edge and other applications use to recognize work sites and encrypt the data that comes from them. This works even better when combined with Conditional Access controls on Exchange Online and SharePoint Online, so that only managed devices can reach that data in the first place.
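As an added example (this is not Microsoft's code), here is how the three enforcement modes and the network boundary described above map onto the settings a WIP policy actually carries, together with a pre-flight check you can run before leaving Silent mode. The OMA-URI paths are those of the EnterpriseDataProtection and Policy/NetworkIsolation CSPs that Intune and Configuration Manager write; the hostnames, IP ranges and the host-matching logic in Test-WipWorkResource are assumptions for illustration, a simplified model of how the boundary is applied rather than Windows' own implementation.

```powershell
# Added example, not Microsoft's code. Renders a WIP policy as CSP settings and
# pre-flights the network boundary. All hostnames/IP ranges are made up (assumption).

# The post's three enforcement modes, plus Off, as EDPEnforcementLevel values.
$WipEnforcement = @{
    Off            = 0   # no protection; previously protected files are decrypted on the next sync
    Silent         = 1   # audit only: log app access and keep selective wipe, never block
    AllowOverrides = 2   # prompt on work->personal moves; the user may override (audited)
    HideOverrides  = 3   # block work->personal moves; no override offered
}

# Corporate network boundary (example values).
$Boundary = @{
    ProtectedDomains = @('contoso.com')                                  # EnterpriseProtectedDomainNames
    NetworkDomains   = @('corp.contoso.com', 'intranet.contoso.com')    # EnterpriseNetworkDomainNames
    CloudResources   = @(                                                # EnterpriseCloudResources, optional proxy each
        @{ Host = 'contoso.sharepoint.com';    Proxy = $null },
        @{ Host = 'contoso-my.sharepoint.com'; Proxy = $null },
        @{ Host = 'outlook.office365.com';     Proxy = 'proxy.corp.contoso.com' }
    )
    IPRanges         = @('10.0.0.0-10.255.255.255', '192.168.10.0-192.168.10.255')  # EnterpriseIPRange
}

function ConvertTo-WipCspSettings {
    param([hashtable]$Boundary, [int]$EnforcementLevel, [bool]$RevokeOnUnenroll = $true)

    # EnterpriseCloudResources syntax is "host,proxy|host,proxy"; a host without a proxy still
    # needs the trailing comma, which is the mistake that most often silently breaks a boundary.
    $cloud = ($Boundary.CloudResources | ForEach-Object { '{0},{1}' -f $_.Host, $_.Proxy }) -join '|'

    foreach ($r in $Boundary.IPRanges) {
        if ($r -notmatch '^\d{1,3}(\.\d{1,3}){3}-\d{1,3}(\.\d{1,3}){3}$') {
            throw "EnterpriseIPRange entry '$r' must be 'start-end' in dotted IPv4 form"
        }
    }

    @(
        [pscustomobject]@{ OmaUri = './Device/Vendor/MSFT/EnterpriseDataProtection/Settings/EDPEnforcementLevel';            Value = $EnforcementLevel }
        [pscustomobject]@{ OmaUri = './Device/Vendor/MSFT/EnterpriseDataProtection/Settings/EnterpriseProtectedDomainNames'; Value = ($Boundary.ProtectedDomains -join ',') }
        [pscustomobject]@{ OmaUri = './Device/Vendor/MSFT/EnterpriseDataProtection/Settings/RevokeOnUnenroll';               Value = [int]$RevokeOnUnenroll }
        [pscustomobject]@{ OmaUri = './Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseNetworkDomainNames';      Value = ($Boundary.NetworkDomains -join ',') }
        [pscustomobject]@{ OmaUri = './Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseCloudResources';          Value = $cloud }
        [pscustomobject]@{ OmaUri = './Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseIPRange';                 Value = ($Boundary.IPRanges -join ',') }
    )
}

function ConvertTo-IPv4Number([ipaddress]$Address) {
    # Dotted-quad bytes -> integer so address ranges can be compared numerically.
    $b = $Address.GetAddressBytes()
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + $b[3]
}

function Test-WipWorkResource {
    # Simplified model (assumption): returns $true when data from $Url would be treated as work data.
    param([hashtable]$Boundary, [uri]$Url)
    $h = $Url.Host.ToLowerInvariant()

    foreach ($d in $Boundary.NetworkDomains) {                 # domain and all of its subdomains
        if ($h -eq $d -or $h.EndsWith(".$d")) { return $true }
    }
    foreach ($c in $Boundary.CloudResources) {                 # exact host match for cloud resources
        if ($h -eq $c.Host.ToLowerInvariant()) { return $true }
    }
    $ip = [ipaddress]::Any
    if ([ipaddress]::TryParse($h, [ref]$ip) -and $ip.AddressFamily -eq 'InterNetwork') {
        $n = ConvertTo-IPv4Number -Address $ip
        foreach ($r in $Boundary.IPRanges) {
            $lo, $hi = $r.Split('-') | ForEach-Object { ConvertTo-IPv4Number -Address $_ }
            if ($n -ge $lo -and $n -le $hi) { return $true }
        }
    }
    return $false
}

# Start in Silent mode, tune the app list with WIP Learning, then raise the level to 2 or 3.
$settings = ConvertTo-WipCspSettings -Boundary $Boundary -EnforcementLevel $WipEnforcement.Silent
$settings | Format-Table -AutoSize

# Pre-flight: every URL that must be work should print True, everything else False.
foreach ($u in 'https://contoso.sharepoint.com/sites/hr', 'https://files.corp.contoso.com/share',
               'http://10.12.0.7/app', 'https://www.dropbox.com/home',
               'https://contoso.sharepoint.com.evil.example/') {
    '{0,-5} {1}' -f (Test-WipWorkResource -Boundary $Boundary -Url $u), $u
}
```

The last URL in the sample list is the case to watch for: a naive "contains" match would classify contoso.sharepoint.com.evil.example as a work site and encrypt data from it under your enterprise identity, so the check matches cloud resources exactly and network domains only as a whole suffix.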

Additionally, WIP Learning lets you see the applications you didn't know were being used with work data. It reports any app not in your policy that tries to access a work resource. You can see this data in Microsoft Intune or in your Windows Analytics portal, if you have Azure Log Analytics (formerly Microsoft Operations Management Suite, or OMS). WIP Learning allows you to tune your app policy to add legitimate work apps and to detect apps that should not be trying to access work data. Combined with Silent mode, you can deploy and see the immediate benefit of selective wipe and auditing while tuning your app list for different deployment groups, in preparation for enabling boundary enforcement.

WIP provides a robust and automatic solution for protecting work data that reaches the Windows device, and it pairs well with Azure Information Protection (AIP). AIP adds the ability to control and help secure email, documents, and sensitive data that are shared, even outside your company and in the Azure cloud. WIP combined with AIP provides application-level access control while preventing unauthorized applications from accessing business information at rest and in flight. At the same time, WIP's simple business-vs-personal classification keeps it easy to use.

USB flash drives aren't the only way data can leave a device. With the app restrictions on accessing work data, you can use WIP to steer users to Outlook with their corporate email account for sending work attachments, and to SharePoint or OneDrive for Business for collaborating on work documents. This lets you build on your overall data protection with Office DLP outbound rules, email notifications and policy tips, and Office 365 Information Protection for GDPR.

WIP originally shipped in the Windows 10 Anniversary Update (version 1607) and since then, working across Microsoft and with industry, we have made a number of improvements, including:

  1. Support for Office 365 ProPlus, Microsoft Teams, and numerous inbox apps
  2. Simplified management: Intune quick setup, WIP Learning for apps, and Network Boundary policy
  3. Manageable as MAM-only (i.e. without full device enrollment)
  4. Improved recovery (e.g. data access resumes via re-enrollment or re-adding your work account)
  5. AIP integration to enable roaming data on removable storage (e.g. USB thumb drives)
  6. Support from third-party apps such as Citrix (ShareFile), Dropbox (desktop sync client), Foxit (Reader, PhantomPDF), and WinZip (WinZip 21, WinZip 22)

With all these features available, WIP is easier than ever to deploy and maintain. Enable this fast, robust, user-friendly security solution to help ensure a more effortlessly secure user experience for your organization.

More information on Windows Information Protection (WIP) can be found in the following resources:

I want you to go read the In the Cloud Blog

I am channeling my early days living and breathing as a U.S. Army Officer. I can't be any more clear about what I am asking you to do. So, here is your mission:

Subscribe to this nine-part blog series called: What's New in Windows Server & System Center 2012 R2.

In all seriousness… This nine-post blog series has had many eyeballs from pretty much every organization across the company. It is a culmination of all the content that we discussed at events like TechEd in New Orleans and Madrid. The intent is to boil down the core scenarios or pillars for our Windows Server and System Center 2012 R2 release into four distinct groups of articles that, if you read them all, would actually enable you to light up each one of these scenarios…

I’m not kidding.

Today, we published the second blog post in the series, called What's New in 2012 R2: Making Device Users Productive and Protecting Corporate Information. This is part 1 of 2, where we talk about lighting up Bring Your Own Device (BYOD), or what we call People Centric IT (PCIT).

This series of posts features Brad Anderson, our VP for Windows Server and System Center, along with his leadership team and the engineering teams that are still hard at work on releasing R2. There is a section at the bottom of every post called NEXT STEPS, linking to all the underlying engineering blogs that light up the scenario.

I really hope you all take the time to go read these posts. We based this plan on tons of feedback that you wanted more integrated content from our Product Teams.

Thanks and I hope you find these posts useful and if you don’t please let me know what you think we should be doing differently,

Kevin Beares
Senior Community Lead – Windows Server and System Center

Bring Your Own Device (BYOD) – New Windows Server 2012 R2 Device Access and Information Protection

As you will have seen at Microsoft TechEd North America and Europe, we have just delivered the Preview Release of Windows Server 2012 R2 with a stunning amount of new capability that is Cloud First.

My name is Adam Hall and I look after one of the solution areas within People-centric IT that we call “Access & Information Protection”. In this post I will provide more information about what this actually is and the focus areas we have around Bring Your Own Device (BYOD) and the Consumerization of IT.

People-centric IT is about helping organizations empower their users to work on the devices they choose without compromising information integrity or compliance. The challenge this presents to customers is that as soon as a user works on a device that IT does not manage, or even know about, it becomes very difficult to retain control of sensitive corporate information and to respond to situations such as the device being sold, lost or stolen.

With our Access & Information Protection solutions, we deliver capabilities that help our customers solve this very challenging problem in the following ways:

Simple registration and enrollment for users adopting Bring Your Own Device programs (BYOD).

Users can register their device using Workplace Join, which creates a device object in Active Directory and installs a certificate on the device, allowing IT to take the user's device authentication into account in conditional access policies. Users can also opt in to the Windows Intune management service for consistent access to applications (including internal LOB apps and links to public app stores), management of their own devices, and access to their data.

Users can work from the device of their choice to access corporate resources regardless of location.

New in Windows Server 2012 R2 are the Web Application Proxy and Work Folders. The Web Application Proxy publishes access to internal resources and performs multi-factor authentication at the edge. Work Folders is a new file sync solution that lets users sync their files from a corporate file server to all their devices, both on and off the corporate network.


IT can better protect corporate information and mitigate risk by being able to manage a single identity for each user across both on-premises and cloud-based applications.

As users blend their work and personal lives, and organizations adopt a mixture of traditional on-premises and cloud-based solutions, IT needs a way to consistently manage the user's identity and provide users with single sign-on to all their resources. Microsoft helps our customers by providing users with a common identity across on-premises and cloud-based services, leveraging existing Windows Server Active Directory investments and then connecting to Windows Azure Active Directory. In Windows Server 2012 R2, we have significantly enhanced Active Directory Federation Services (ADFS) to be easier to deploy and configure, and tightly integrated it with the Web Application Proxy for simple publishing and for federating between Active Directory and Azure AD.


IT can access managed mobile devices to remove corporate data and applications in the event that the device is lost, stolen, or retired from use.

Whether a device is lost, stolen or simply being repurposed, there will be times when IT needs to ensure that the corporate information stored on the device is no longer accessible. With Windows Server 2012 R2, System Center Configuration Manager 2012 R2 and Windows Intune, companies have the ability to selectively wipe corporate information while leaving personal data intact.

IT can set policy-based access control for compliance and data protection.

With users working on their own devices, the access to corporate resources and the storage of information on those devices present challenges for ensuring that compliance needs are met and that information remains secure. Windows Server 2012 R2, through the Web Application Proxy, ADFS and Work Folders, provides compelling and powerful solutions that make it easy for our customers to make resources available while remaining in control of the information. As we showed in the TechEd Europe keynote in Madrid this week, Work Folders is integrated with Dynamic Access Control, providing the ability to automatically classify information based on content and to perform tasks such as protecting it with Rights Management Services, even for data that is created and stored on clients!
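The pieces above (Work Folders, the Web Application Proxy, ADFS and Workplace Join) are all configured from PowerShell on Windows Server 2012 R2. The following is an added example and not Microsoft's deployment guide: it creates a sync share whose files must be encrypted and password-locked on the device, enables device registration, makes ADFS demand multi-factor authentication for any sign-in whose device is not Workplace Joined by that user, and publishes the share through the Web Application Proxy with ADFS pre-authentication at the edge. Host names, paths, group and account names are placeholders; the Work Folders client's own ADFS sign-in flow has additional requirements in Microsoft's Work Folders and ADFS deployment guide that this example does not cover.

```powershell
# Added example, not Microsoft's deployment scripts. Run each section on the server named
# in its heading. All names below are placeholders for the example (assumption).

# --- File server: Work Folders sync share with device-side protection requirements ---
Install-WindowsFeature FS-SyncShareService
# Files are encrypted on the device and the device must enforce a lock-screen password
# policy; the Work Folders client refuses to sync until it can satisfy both.
New-SyncShare -Name 'WorkFolders' -Path 'D:\SyncShares\WorkFolders' `
    -User 'CONTOSO\WorkFolders-Users' -RequireEncryption $true -RequirePasswordAutoLock $true

# --- ADFS server: Workplace Join (device registration) and the relying party ---
# Prerequisites not shown: DNS CNAME enterpriseregistration.contoso.com -> the federation
# service, and an MFA provider registered with Set-AdfsGlobalAuthenticationPolicy.
Initialize-ADDeviceRegistration -ServiceAccountName 'CONTOSO\svc-adfs$'
Enable-AdfsDeviceRegistration

$passUpn = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.microsoft.com/ws/2005/05/identity/claims/upn"] => issue(claim = c);
'@

$permitAll = @'
@RuleName = "Permit all authenticated users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# The isregistereduser device claim is only issued when the signed-in user is the one who
# Workplace Joined the device; anyone else (or any unregistered device) must complete MFA.
$mfaUnlessRegistered = @'
@RuleName = "Require MFA unless the device is Workplace Joined by this user"
NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

Add-AdfsRelyingPartyTrust -Name 'WorkFolders' -Identifier 'https://workfolders.contoso.com/' `
    -IssuanceTransformRules $passUpn -IssuanceAuthorizationRules $permitAll
Set-AdfsRelyingPartyTrust -TargetName 'WorkFolders' -AdditionalAuthenticationRules $mfaUnlessRegistered

# --- Web Application Proxy (edge network): publish the share behind ADFS pre-authentication ---
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
$stsCert = (Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like 'CN=sts.contoso.com*').Thumbprint
$appCert = (Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like 'CN=workfolders.contoso.com*').Thumbprint
Install-WebApplicationProxy -FederationServiceName 'sts.contoso.com' -CertificateThumbprint $stsCert `
    -FederationServiceTrustCredential (Get-Credential -Message 'ADFS administrator account')
# Unauthenticated requests never reach the file server: the proxy redirects to ADFS first,
# which applies the device and MFA rules above before issuing a token for this relying party.
Add-WebApplicationProxyApplication -Name 'WorkFolders' -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'WorkFolders' -ExternalUrl 'https://workfolders.contoso.com/' `
    -BackendServerUrl 'https://workfolders.contoso.com/' -ExternalCertificateThumbprint $appCert
```

The relying party name passed to Add-WebApplicationProxyApplication must match the trust created in ADFS exactly; a mismatch fails at publish time rather than silently bypassing pre-authentication. Check the effective policy with Get-AdfsRelyingPartyTrust -Name 'WorkFolders' and Get-SyncShare before handing the share to users.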


To see People-centric IT, including System Center 2012 R2 Configuration Manager, Windows Intune, and Windows Server 2012 R2 in action, you can watch a complete presentation and end-to-end demonstration from the TechEd North America Foundational Session. You can also learn more about People-centric IT by downloading the People-centric IT Preview Guide.

Be sure to download System Center 2012 R2 Preview Configuration Manager and Windows Server 2012 R2 Preview today!