BLOG Published on 2021/02/28 by Asitha De Silva in Tech-Tips

Windows Information Protection | Intune App Protection Without Enrolment | Expected End user Experience

In my previous post, Windows Information Protection | Intune App Protection Without Enrolment | Step by Step, I discussed how we can protect corporate data on BYOD devices using Windows Information Protection (WIP). We used Intune app protection policies to deploy WIP configurations without enrolling devices into Intune. In this post, I describe the user experience to expect once these settings are deployed correctly.

If you are new to WIP or are planning a BYOD scenario, it is useful to read this post and understand the expected behavior before implementing the solution. It tells you what to expect and what not to expect, and how you can build BYOD hygiene and adoption among users.

My previous posts on this topic:

01 - Understanding Microsoft Information Protection

02 - Windows Information Protection | Intune App Protection Without Enrolment | Step by Step

03 - Windows Information Protection | Intune App Protection Without Enrolment | User Experience (This Post)


Expected BYOD scenario

In my previous post (here), I targeted a BYOD strategy where users can use their own devices while corporate data is kept separate from personal data and protected against unauthorized use. Users can only copy and paste among managed apps such as MS Office apps, Edge, and Notepad. Corporate data will not flow out of these protected apps, and the only ways out are OneDrive or email, which we can monitor from the Office 365 side. Any attempt to share files through an external drive, OneDrive Personal, Gmail, or Dropbox will be blocked.

Let us see how the user experience will be.

Signing in to Office requires Azure AD registration

When users who have the policy assigned sign in to any Office desktop app or Office online application, they are asked to register their device with Azure AD. If you have configured multi-factor authentication, the user must also satisfy the MFA prompt. The MAM provider configuration is required for this.

Then you can sign in to Office.



Click Info, and you can see the last sync time. If you want to apply a policy change or other setting change immediately, click Sync.



Saving as Corporate or Personal

When you open a managed app and try to save your work, there are two options: Personal or Work.


Managed App Saving to Corporate Location

When you save a document to a corporate location, such as OneDrive or a corporate file server that you defined in the WIP policy, the Work profile is selected as mandatory, and the document is stored in an encrypted state. Even if you save personal files to these corporate locations, they will be tagged as Work files.


Copy-Paste between protected and unprotected apps

In this scenario, I am copying text from previously saved work files to the WordPad application. WordPad is an unenlightened app, so copying is restricted.



Receiving from Protected apps such as Outlook or OneDrive

When you copy files from OneDrive to a local drive, they remain Work files. You can see that each file is marked as a work file and that the work profile is applied.

Note – Copying and pasting the document to the local drive is not restricted. This lets users work as before, without any change to their user experience. Users can work on local files even without internet access, but this data cannot be used by any other user or on any other device.

From Outlook

Since Outlook is a protected app, copy-paste to unenlightened apps such as WordPad will be blocked.


Copying to OneDrive Personal

When you copy from OneDrive for Business to OneDrive Personal, the action will be blocked with the following error.


Copying to external drives

I am using a VM and connecting to it over RDP, so I tried to copy a protected file to a drive redirected from my local machine. The copy is denied with the following error.


When you copy your protected (work) files to a USB device, the data is copied as work-protected, and it can only be opened on the device from which it was originally copied.
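
A quick way to confirm these states on a test device, as an added example that is not part of the original post. It assumes WIP work files carry the NTFS Encrypted attribute (WIP builds on EFS), uses a hypothetical default folder, and should be run as the signed-in user.

```powershell
# Added example: check device registration and list work-protected files.
# Assumption: WIP work files are EFS-encrypted and therefore carry the NTFS
# Encrypted attribute; a file the user encrypted personally with EFS also matches.
param(
    # Hypothetical folder to inspect; point it at wherever the test files were saved.
    [string]$Path = "$env:USERPROFILE\Documents"
)

# 1. Azure AD registration. dsregcmd reports "WorkplaceJoined : YES" in the
#    user state section when the signed-in user has registered the device.
$status     = dsregcmd /status | Out-String
$registered = $status -match 'WorkplaceJoined\s*:\s*YES'
Write-Output ("Azure AD registered (WorkplaceJoined): {0}" -f $registered)

# 2. Walk the folder and record whether each file has the Encrypted attribute.
$files = Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, @{
        Name       = 'Encrypted'
        Expression = { [bool]($_.Attributes -band [IO.FileAttributes]::Encrypted) }
    }

# 3. Summarise, then list encrypted files first so work files are easy to spot.
$encryptedCount = @($files | Where-Object { $_.Encrypted }).Count
Write-Output ("Files scanned: {0}, encrypted: {1}" -f @($files).Count, $encryptedCount)
$files | Sort-Object Encrypted -Descending | Format-Table -AutoSize
```

For a single file, `cipher /c <file>` shows the encryption details behind the attribute.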



I hope this post is useful.


Asitha De Silva


Consultant Cloud Solutions

Expert in architecting and implementing cloud-based infrastructure solutions.
