WINDOWS INFORMATION PROTECTION OVERVIEW


1 WINDOWS INFORMATION PROTECTION OVERVIEW
9/16/2018 WINDOWS INFORMATION PROTECTION OVERVIEW Windows Information Protection (WIP, formerly called Enterprise Data Protection, EDP) is a data leak prevention technology available in the Windows 10 Anniversary Update. © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 You have many of the best security solutions…
There are many security solutions that provide data protection, but none of them can reliably prevent an accidental data leak caused by an employee's carelessness or by the lack of a company policy. Talk about the example of the G20 organizer who leaked the personal details of world leaders (slide 6).

3 …but the security landscape has changed

4 TODAY, YOU ARE EXPERIENCING A REVOLUTION OF CYBER-THREATS

5 Wall Street Journal, JP Morgan, White House, Bushehr nuclear reactor, RSA, Microsoft, Google, Apple, Facebook, Sony, Target, Heartland, eBay, ICANN, Home Depot. Organizations with enormous security budgets and elite security analysts are struggling to address these modern threats.

6 AUSTRALIAN IMMIGRATION DEPT. DATA LEAK
“An employee of the department had inadvertently disclosed the passport numbers, visa details and other personal identifiers of the world leaders attending the G20 summit in Brisbane after an email was mistakenly sent to an organizer of the Asian Cup football tournament because of an autocomplete function.” Personal details of world leaders accidentally revealed by G20 organizers, Paul Farrell, Guardian, March 30, 2015. Source: 2015's biggest data breaches: CVS, Anthem, IRS, and worse, Zack Whittaker, ZDNet, October 2, 2015.

7 Relevance of WIP to an app ISV
Build 2015 Business Apps & Data (Managed): Skype for Business, OneDrive for Business, Dynamics, LOB. Apps that handle both: Mail and Calendar, Contacts, PDF Reader, Photos. Personal Apps & Data (Unmanaged): Facebook, WhatsApp, OneDrive, Weather. Data exchange between managed and unmanaged is blocked or audited. Why should an ISV care about WIP? WIP will prevent data leaks between "work" and "personal" apps. In the context of WIP there are three categories of apps on a Windows device (phone, desktop, laptop or tablet). In blue, at the far left, are work apps like OneDrive for Business, Skype/Lync, HR apps etc. that only create what can be considered work-related data. In red, at the far right, are personal applications like Facebook, WhatsApp etc. that only create what can be considered personal data. Both of these app types may remain unenlightened (meaning the app does not need to use the WIP APIs to differentiate between personal and work data). However, apps in the middle category, like mail apps, PDF readers etc., may deal with both work and personal data for the same user. These apps need to be enlightened in order to differentiate between work and personal data.

8 Risks for apps in a WIP environment
ISVs owning a work app that has not been through WIP compatibility testing run the risk of breakages in a few end-to-end work flows. ISVs owning apps that consume both work and personal data run, if the app is not enlightened, the risk of not being able to create personal (unencrypted) data at all, because Windows protects everything an IT-allowed but unenlightened app writes.

9 Information protection journey
DEVICE PROTECTION: Protect data when device is lost or stolen. BitLocker enhancements in Windows 8.1, InstantGo, 3rd party adoption.
DATA PROTECTION: Protect data when ….. Rights Management Services (RMS), Office Information Rights Management (IRM), Azure AD, Azure Rights Management in 2013.
THE GAP: Accidental data leakage. Windows Information Protection.
Before talking about WIP, let's take a look at the other existing data protection technologies in Windows. First, BitLocker protects data when the device is lost or stolen: it encrypts the entire volume, so it covers the scenario where the user is not intending to share data and the device is lost accidentally. Next, RMS, Office IRM and Azure RMS cover the scenario where the user intends to share the data and takes precautions to protect it. Where Windows currently has a gap is the scenario where the user intends to share data but, through lack of awareness of company policy or carelessness, causes an accidental data leak. This is the gap that WIP is trying to close.

10 OTHER ATTEMPTS TO FILL THE GAP: PAIN POINTS
Switching modes and between containers. Users change apps to work securely. Experience between mobile and desktop inconsistent. Solutions are an add-on to the platform == expensive. Researching existing solutions, we found them to have the following pain points: they required switching between modes/user accounts and containers; users had to change apps to work securely; the experience differed between phone and desktop form factors because it depended on each app's implementation; and the data protection solutions were all sold as separate products on top of the OS.

11 OUR VISION Integrate data protection at the platform level to protect corporate data against inadvertent disclosure to unauthorized users and public services through email, social media and the public cloud. The four goals are: make WIP part of Windows; prevent accidental data leaks; prevent malicious data leaks; a consistent experience across phone and desktop (including tablets and laptops).

12 Windows 10 Windows Information Protection
Build 2014 Protects data at rest, and when roaming. Platform integrated, no mode switching. Corp data identifiable from personal. Better approach to data management. Mobile & Desktop. Only IT-allowed apps see corp data. IT controls keys, can remote wipe. Common experience, cross-platform support. Mention that WIP applies to Win32 and UWP apps, enlightened as well as unenlightened. Mention that roaming is not in the Windows 10 Anniversary Update (summer 2016).

13 Enterprise Enlightened Apps
Recognize enterprise data sources. Protect data at rest, in use, in flight. Follow policy. Recognize personal data sources. Let personal data be personal. No policy for personal apps & data. Something IT and IW can agree on. Competitive advantage: satisfy both. This slide talks through some of the high-level expectations of an ISV enlightening their apps for WIP.

14 Windows Information Protection
PROVISIONING: KEYS AND POLICIES. 1 User enrolls with enterprise MDM or domain join. 2 MDM or ConfigMgr provisions policy and encryption keys. Policies: Enable WIP, Recovery certificate, Enterprise allowed apps, Network policies. WIP (formerly EDP) needs either a Mobile Device Management (MDM) solution such as Intune or MobileIron, or System Center Configuration Manager (SCCM), to apply WIP policies to a Windows 10 device. The following policies are required for WIP to be enabled: enable WIP; create a recovery certificate; create an enterprise allowed app list; create network policies.

15 Windows Information Protection
DATA INGRESS. Data from the enterprise network is encrypted, e.g. OneDrive for Business, corporate Exchange mail, etc. Data that comes from cloud resources that are part of the enterprise needs to be protected on the device.

16 Windows Information Protection
DATA EGRESS (from app to disk). Saving to an enterprise folder: encryption auto-applied. User option to save as corporate. IT can configure unenlightened apps to automatically protect data. Enlightened apps protect corporate data. Data that an IT-allowed application creates on disk needs to be protected. Windows will protect any data created by an IT-allowed app if the app is not enlightened. If the app is enlightened, it can provide a better user experience by differentiating work and personal data.

17 Windows Information Protection
DATA EGRESS (inter-app, or over network). Enlightened apps can maintain protection. App restriction policy: can block egress to other apps. Network policy: can block egress to non-corporate sites. When data moves between apps (copy/paste) and over networks, the data needs to be protected. Windows will ensure that accidental and malicious data leaks are prevented, depending on the enforcement level, by either warning the user or blocking the data transfer completely.

18 Windows Information Protection
REVOKE (on unenroll). Unenroll removes the keys and wipes the now-inaccessible enterprise data. Lastly, IT can revoke the content by forcibly unenrolling the device or revoking the keys required to read the protected data, if a user should no longer have access to work data.


20 Appendix

21 Windows 10 Enterprise Data Protection
Extra security with data protection under lock: optional screen lock security policy. System tosses the decryption key on lock. Blocks reads while the screen is locked. Can still encrypt new files and data. Logon or unlock restores keys and access. Helps mitigate system-level attacks.

22 Windows Information Protection
CROSS PLATFORM DATA SHARING. Readers available for cross-platform editing. Public API for secure sharing. Microsoft Intune SDK for iOS & Android. Common developer experience across platforms. iOS & Android apps enabled via the Intune App SDK. iOS & Android apps enabled via the Intune App Wrapping Tool for IT Pros. Common MDM support across Windows, iOS & Android with Microsoft Intune.

23 Enlightening your app for Enterprise Data Protection


25 Enlightening Apps for Enterprise Data Protection
                  Local (productivity apps)            Network capable (channel apps)
Data Ingress      Check for enterprise tag on data     Check if host belongs to the enterprise AND unwrap files (if necessary)
Data In Use       Set mode: Enterprise / Personal      Turn VPN On / Off
Data Egress       Protect enterprise data              Wrap files for transport OR block sending to non-enterprise hosts
Revoke            Close & cleanup                      Stop enterprise sync completely
Event handling    Screen lock: Close content           Screen lock: Stop uploads
                  Screen unlock: Reopen content        Screen unlock: Resume uploads
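Slides 18 and 21 and the "Revoke" and "Event handling" rows of this grid say what an enlightened app must do when the keys are revoked or discarded at screen lock, but not how. The following C# is an added example written for this page, not code from the presentation or from Microsoft: the Document type and the openDocuments and closedByLock lists are hypothetical stand-ins for an app's own document model, and the handlers use only the Windows.Security.EnterpriseData events and methods named in the comments.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Windows.Security.EnterpriseData;
using Windows.Storage;

// Hypothetical document model: only Text holds decrypted enterprise content.
public sealed class Document
{
    public string Identity { get; set; }   // "" for personal, e.g. "contoso.com" for enterprise
    public StorageFile File { get; set; }
    public string Text { get; set; }
    public bool IsDirty { get; set; }
}

public sealed class WipEventHandlers
{
    private readonly List<Document> openDocuments = new List<Document>();
    private readonly List<StorageFile> closedByLock = new List<StorageFile>();

    // Call once at startup, before any enterprise file is opened.
    public void Register()
    {
        // Revoke: IT unenrolled the user or wiped the enterprise keys.
        ProtectionPolicyManager.ProtectedContentRevoked += OnContentRevoked;
        // Data protection under lock: keys are discarded when the screen locks.
        ProtectionPolicyManager.ProtectedAccessSuspending += OnAccessSuspending;
        ProtectionPolicyManager.ProtectedAccessResumed += OnAccessResumed;
    }

    // Apps that cache enterprise data should also ask on launch whether a revoke
    // happened while they were not running to receive the event.
    public static bool WasRevokedWhileClosed(string identity, DateTimeOffset lastRun)
    {
        return ProtectionPolicyManager.HasContentBeenRevokedSince(identity, lastRun);
    }

    private void OnContentRevoked(object sender, ProtectedContentRevokedEventArgs e)
    {
        // Drop every in-memory copy for the revoked identities and do not try to save:
        // the keys are gone, and GetProtectionInfoAsync now reports Status == Revoked.
        var revoked = new HashSet<string>(e.Identities, StringComparer.OrdinalIgnoreCase);
        foreach (Document doc in openDocuments.Where(d => revoked.Contains(d.Identity)).ToList())
        {
            doc.Text = null;
            openDocuments.Remove(doc);
        }
    }

    private async void OnAccessSuspending(object sender, ProtectedAccessSuspendingEventArgs e)
    {
        // The deferral holds the lock until Complete() is called or e.Deadline passes.
        var deferral = e.GetDeferral();
        try
        {
            foreach (Document doc in openDocuments.Where(d => d.Identity == e.Identity).ToList())
            {
                if (doc.IsDirty)
                {
                    // Protect before writing so plaintext never reaches the disk: writes
                    // into an already protected file stay encrypted under its identity.
                    FileProtectionInfo info = await FileProtectionManager.ProtectAsync(doc.File, doc.Identity);
                    if (info.Status == FileProtectionStatus.Protected)
                    {
                        await FileIO.WriteTextAsync(doc.File, doc.Text);
                        doc.IsDirty = false;
                    }
                }
                // Close content: forget the decrypted text, remember what to reopen.
                doc.Text = null;
                closedByLock.Add(doc.File);
                openDocuments.Remove(doc);
            }
        }
        finally
        {
            deferral.Complete();
        }
    }

    private async void OnAccessResumed(object sender, ProtectedAccessResumedEventArgs e)
    {
        // Keys are back for e.Identities; reopen what was closed at lock, re-checking
        // the status first because a revoke may have happened while locked.
        foreach (StorageFile file in closedByLock.ToList())
        {
            FileProtectionInfo info = await FileProtectionManager.GetProtectionInfoAsync(file);
            if (info.Status == FileProtectionStatus.Protected && e.Identities.Contains(info.Identity))
            {
                string text = await FileIO.ReadTextAsync(file);
                openDocuments.Add(new Document { Identity = info.Identity, File = file, Text = text });
                closedByLock.Remove(file);
            }
        }
    }
}
```

The handlers are raised on a thread-pool thread, so a real app marshals the model changes to its UI thread. If ProtectAsync fails at lock time the unsaved edits are deliberately lost rather than written out unprotected; that is the failure mode the "protect under lock" policy asks for.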

26 Declare your app enlightened (WinRT)
Add the enterpriseDataPolicy restricted capability to Package.appxmanifest. Declare the rescap namespace on the Package element:

    xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"

and add the capability:

    <Capabilities>
      <rescap:Capability Name="enterpriseDataPolicy"/>
    </Capabilities>

27 Declare your app enlightened (Win32)
Add this entry to resources.rc:

    MICROSOFTEDPENLIGHTENEDAPPINFO EDPENLIGHTENEDAPPINFOID
    BEGIN
        0x0001
    END


30 Data Ingress – Recognize enterprise files
Namespace: Windows.Security.EnterpriseData. Class: FileProtectionManager. Method: GetProtectionInfoAsync. Takes an IStorageItem; returns the protection status and identity string.

31 Check file
    FileProtectionInfo protectionInfo = await FileProtectionManager.GetProtectionInfoAsync(FileHandle);
    if ((protectionInfo.Status == FileProtectionStatus.Protected) &&
        ProtectionPolicyManager.IsIdentityManaged(protectionInfo.Identity))
    {
        // Enterprise case, so do things like set enterprise mode
    }

32 Data Ingress – Recognize enterprise files (Pt.2)
Namespace: Windows.Security.EnterpriseData. Class: ProtectionPolicyManager. Method: IsIdentityManaged. The identity is an email address or a domain. Data is managed only when its identity is managed.


36 Check file (all three outcomes)
    FileProtectionInfo protectionInfo = await FileProtectionManager.GetProtectionInfoAsync(FileHandle);
    if ((protectionInfo.Status == FileProtectionStatus.Protected) &&
        ProtectionPolicyManager.IsIdentityManaged(protectionInfo.Identity))
    {
        // Enterprise case, so do things like set enterprise mode
    }
    if (protectionInfo.Status == FileProtectionStatus.Unprotected)
    {
        // Data is personal
    }
    if (protectionInfo.Status == FileProtectionStatus.Revoked)
    {
        // Call your revocation handling code
    }
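The check above ends with comments where the app's own behaviour starts. The following C# is an added example written for this page (not code from the presentation or from a Microsoft sample) that carries the three outcomes into the "Set mode" and "Protect enterprise data" rows of the enlightening grid: it classifies an opened item, sets the identity of the current view, and creates a new file that is protected before anything is written to it. The folder and file names are whatever the app chooses; the classification rule for unmanaged identities is this example's choice, not something the slides prescribe.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.EnterpriseData;
using Windows.Storage;
using Windows.Storage.Streams;

public static class EnterpriseMode
{
    // Ingress: the managed identity the item belongs to, "" for personal data,
    // or null when the content must not be used (revoked, suspended, other identity).
    public static async Task<string> ClassifyAsync(IStorageItem item)
    {
        FileProtectionInfo info = await FileProtectionManager.GetProtectionInfoAsync(item);
        switch (info.Status)
        {
            case FileProtectionStatus.Protected:
                // Protected to an identity this device's policy does not manage is not
                // this enterprise's data; refuse it rather than treat it as personal.
                return ProtectionPolicyManager.IsIdentityManaged(info.Identity) ? info.Identity : null;
            case FileProtectionStatus.Unprotected:
                return string.Empty;
            case FileProtectionStatus.Revoked:
            default:
                return null;
        }
    }

    // Data in use: put the current view into enterprise or personal mode. Windows uses
    // this identity when it polices clipboard, share and file pickers from the view.
    public static void SetViewMode(string identity)
    {
        ProtectionPolicyManager.GetForCurrentView().Identity = identity ?? string.Empty;
    }

    // Egress: a new file is either protected from its first byte (enterprise mode)
    // or an ordinary file (personal mode, or no WIP policy on the device at all).
    public static async Task<StorageFile> CreateOutputAsync(StorageFolder folder, string name, string identity, string text)
    {
        if (string.IsNullOrEmpty(identity) || !ProtectionPolicyManager.IsProtectionEnabled)
        {
            StorageFile plain = await folder.CreateFileAsync(name, CreationCollisionOption.ReplaceExisting);
            await FileIO.WriteTextAsync(plain, text);
            return plain;
        }

        ProtectedFileCreateResult created = await FileProtectionManager.CreateProtectedAndOpenAsync(
            folder, name, identity, CreationCollisionOption.ReplaceExisting);
        if (created.ProtectionInfo.Status != FileProtectionStatus.Protected)
        {
            // Never fall back to plaintext when protection could not be applied.
            created.Stream?.Dispose();
            throw new UnauthorizedAccessException("could not protect " + name + " for " + identity);
        }
        using (IRandomAccessStream stream = created.Stream)
        using (var writer = new DataWriter(stream.GetOutputStreamAt(0)))
        {
            writer.WriteString(text);
            await writer.StoreAsync();
            await writer.FlushAsync();
        }
        return created.File;
    }

    // Typical open flow: classify, set the mode, and hand the identity to the caller
    // so it can pass the same value to CreateOutputAsync when the user saves.
    public static async Task<string> OpenAsync(StorageFile file)
    {
        string identity = await ClassifyAsync(file);
        if (identity == null)
        {
            throw new UnauthorizedAccessException("content is revoked or not readable on this device");
        }
        SetViewMode(identity);
        return identity;
    }
}
```

The IsProtectionEnabled guard matters for apps that also run on unmanaged devices: with no WIP policy provisioned there is no identity to protect to, and the app should behave exactly as an ordinary app.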

37 Data Ingress – Enterprise data packages
Namespace: Windows.ApplicationModel.DataTransfer. Class: DataPackagePropertySetView. Property: EnterpriseId. Managed clipboard / share data is tagged; the property is the empty string when the data is not managed.

38 Check data package view properties (clipboard / share)
    string enterpriseId = shareOperation.Data.Properties.EnterpriseId;
    if (string.IsNullOrEmpty(enterpriseId))
    {
        // Personal
    }
    else
    {
        // Enterprise managed
    }
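The check above is the receiving side. The following C# is an added example written for this page, not code from the presentation or from a Microsoft sample, that shows the other half of the inter-app egress described on slide 17: tagging a DataPackage with the source identity on copy or share, and asking policy whether tagged content may flow into the current view's context on paste, so that the warn-or-block behaviour follows the enforcement level IT configured. sourceIdentity and targetIdentity are the app's own strings, normally the values it obtained from GetProtectionInfoAsync or from GetForCurrentView().Identity.

```csharp
using System;
using System.Threading.Tasks;
using Windows.ApplicationModel.DataTransfer;
using Windows.Security.EnterpriseData;

public static class EnterpriseClipboard
{
    // Copy: tag the package with the identity of the content's source. The empty
    // string marks personal data; a managed identity lets Windows (for unenlightened
    // targets) or the receiving enlightened app enforce the app-restriction policy.
    public static void CopyText(string text, string sourceIdentity)
    {
        var package = new DataPackage();
        package.SetText(text);
        package.Properties.EnterpriseId = sourceIdentity ?? string.Empty;
        Clipboard.SetContent(package);
    }

    // Same tag when the app is a share source; call this from the DataRequested handler.
    public static void TagShareRequest(DataRequest request, string text, string sourceIdentity)
    {
        request.Data.Properties.Title = "Shared text";
        request.Data.Properties.EnterpriseId = sourceIdentity ?? string.Empty;
        request.Data.SetText(text);
    }

    // Enable or disable the Paste command without prompting: CheckAccess evaluates
    // policy for the source -> target flow but never shows the override dialog.
    public static bool CanPaste(string targetIdentity)
    {
        DataPackageView view = Clipboard.GetContent();
        string sourceId = view.Properties.EnterpriseId;     // "" when personal
        if (string.IsNullOrEmpty(sourceId))
        {
            return true;                                      // personal data: no policy applies
        }
        return ProtectionPolicyManager.CheckAccess(sourceId, targetIdentity ?? string.Empty)
               == ProtectionPolicyEvaluationResult.Allowed;
    }

    // Paste: RequestAccessAsync applies the enforcement level itself. Under "Override"
    // it shows the warning prompt and returns ConsentDenied if the user backs out; under
    // "Block" it returns Blocked with no UI; in audit ("Silent") mode it allows and logs.
    public static async Task<string> PasteTextAsync(string targetIdentity)
    {
        DataPackageView view = Clipboard.GetContent();
        if (!view.Contains(StandardDataFormats.Text))
        {
            return null;
        }
        string sourceId = view.Properties.EnterpriseId;
        if (string.IsNullOrEmpty(sourceId))
        {
            return await view.GetTextAsync();                 // personal -> anywhere is always fine
        }

        ProtectionPolicyEvaluationResult verdict =
            await ProtectionPolicyManager.RequestAccessAsync(sourceId, targetIdentity ?? string.Empty);
        switch (verdict)
        {
            case ProtectionPolicyEvaluationResult.Allowed:
                return await view.GetTextAsync();
            case ProtectionPolicyEvaluationResult.ConsentDenied:   // user declined the override
            case ProtectionPolicyEvaluationResult.Blocked:         // policy forbids the flow
            default:
                return null;
        }
    }
}
```

Only the enterprise-to-personal direction is policed; pasting personal content into an enterprise view is always allowed, which is why the empty-source case short-circuits before any policy call.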


40 Data Ingress – Check if host is enterprise
Namespace: Windows.Security.EnterpriseData. Class: ProtectionPolicyManager. Method: GetPrimaryManagedIdentityForNetworkEndpointAsync. Takes a HostName object; returns the enterprise identity string. An empty string means personal, not enterprise.

41 Check network host
    var resourceUri = new Uri(serverNameString);
    // Check if URI is an enterprise managed endpoint.
    string enterpriseId = await ProtectionPolicyManager.GetPrimaryManagedIdentityForNetworkEndpointAsync(
        new HostName(resourceUri.Host));
    if (!string.IsNullOrEmpty(enterpriseId))
    {
        // If the enterprise ID is non-empty, it's managed.
        // Make VPN claim, protect download data, etc.
        // ...
    }

43 Data Ingress – Unwrap enterprise container files
Namespace: Windows.Security.EnterpriseData
Class: FileProtectionManager
Method: LoadFileFromContainerAsync
Takes a containerized file
Makes a new file with local encryption

44 Load encrypted container into the file system
    var tempFolder = ApplicationData.Current.TemporaryFolder;
    var appDataFolder = ApplicationData.Current.LocalFolder;

    // Get a handle to the downloaded containerized file.
    var containerFile = await tempFolder.GetFileAsync("myAppDataFile.dat");

    // Import the container into the encrypted file system.
    ProtectedContainerImportResult result =
        await FileProtectionManager.LoadFileFromContainerAsync(containerFile, appDataFolder);
    StorageFile protectedFile = result.File;
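The slide imports the container but never looks at the result status, and the table on slide 39 lists the reverse step ("wrap files for transport") without showing it. The following added example (not from the deck) does both halves for a channel app: import with a status check, and export through FileProtectionManager.SaveFileAsContainerAsync, the companion API in the same class that the slides do not show.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.EnterpriseData;
using Windows.Storage;

// Added example, not from the deck: unwrap a downloaded container into local
// app data, and wrap a locally protected file back into a container for upload.
public static class ContainerFiles
{
    // Unwrap a downloaded container into the app's local folder. Returns null
    // when the import did not succeed, for example because the policy was
    // revoked or the container was never protected; the caller must not treat
    // such data as enterprise data.
    public static async Task<StorageFile> UnwrapAsync(StorageFile containerFile)
    {
        ProtectedContainerImportResult result = await FileProtectionManager
            .LoadFileFromContainerAsync(containerFile, ApplicationData.Current.LocalFolder);

        if (result.Status != ProtectedImportExportStatus.Ok)
        {
            // Status says why (Unprotected, Revoked, NotRoamable, ...); log it.
            return null;
        }
        // result.File is locally encrypted to the same enterprise identity.
        return result.File;
    }

    // Wrap a locally protected file into a container for transport to the
    // enterprise service. Only a file that is actually protected is exported;
    // personal or revoked content is refused rather than sent.
    public static async Task<StorageFile> WrapAsync(StorageFile protectedFile)
    {
        FileProtectionInfo info = await FileProtectionManager.GetProtectionInfoAsync(protectedFile);
        if (info.Status != FileProtectionStatus.Protected)
        {
            return null;
        }

        ProtectedContainerExportResult export =
            await FileProtectionManager.SaveFileAsContainerAsync(protectedFile);
        return export.Status == ProtectedImportExportStatus.Ok ? export.File : null;
    }
}
```

The status checks are the point: an import that reports anything but Ok has not produced trustworthy enterprise data, and an export of an unprotected file would ship plaintext in a container that the receiving side assumes is protected.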

46 Data In Use – Set app view to enterprise
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Method: GetForCurrentView
Property: Identity
Puts the AppView (i.e. window) into enterprise mode
Windows enforces clipboard & share policy for the view

47 Set AppView to enterprise
    private void TagCurrentViewWithEnterpriseId(string enterpriseId)
    {
        // Note: an empty enterpriseId sets the mode to personal
        ProtectionPolicyManager protectionPolicyManager = ProtectionPolicyManager.GetForCurrentView();
        protectionPolicyManager.Identity = enterpriseId;
    }

49 Data In Use – Set network context on thread
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Method: CreateCurrentThreadNetworkContext
Marks the thread for enterprise network access
Sockets created on the thread get the VPN

50 Set / Clear enterprise network thread context
    // Set the enterprise context to access enterprise network resources:
    // create a protected network context on the current thread.
    ThreadNetworkContext context = ProtectionPolicyManager.CreateCurrentThreadNetworkContext(enterpriseId);

    var client = new HttpClient(); // Connections made now get the VPN for enterpriseId

    if (context != null)
    {
        // Clear the context before leaving scope
        context.Dispose();
    }
    // New connections don't get the 'enterpriseId' VPN now...
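Slides 41 and 50 are two steps of one procedure for a channel app: decide whether the host is managed, then talk to it with the enterprise network context held for exactly as long as needed. The following added example (not code from the deck) carries that through with a `using` block so the context is released even when the request throws. It uses System.Net.Http.HttpClient; the assumption, as on slide 50, is that the client opens its connection on the thread that holds the context.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Windows.Networking;
using Windows.Security.EnterpriseData;

// Added example, not from the deck: fetch a resource, applying the enterprise
// network context only while the endpoint is known to be managed.
public static class EnterpriseDownloader
{
    // Managed identity for the host, or "" if the host is personal.
    public static async Task<string> GetEndpointIdentityAsync(Uri resourceUri)
    {
        string id = await ProtectionPolicyManager
            .GetPrimaryManagedIdentityForNetworkEndpointAsync(new HostName(resourceUri.Host));
        return id ?? string.Empty;
    }

    // Returns the body and the identity it belongs to ("" for personal data),
    // so the caller can protect or tag the result correctly on the way in.
    public static async Task<(byte[] Body, string EnterpriseId)> FetchAsync(Uri resourceUri)
    {
        string enterpriseId = await GetEndpointIdentityAsync(resourceUri);

        if (string.IsNullOrEmpty(enterpriseId))
        {
            // Personal host: no VPN claim, and the result must not be treated
            // as enterprise data downstream.
            using (var client = new HttpClient())
            {
                return (await client.GetByteArrayAsync(resourceUri), string.Empty);
            }
        }

        // Managed host: the context is bound to this thread, so the client is
        // created and the request issued inside the using block. Dispose runs on
        // every exit path; connections opened afterwards on this thread do not
        // get the enterprise VPN.
        using (ThreadNetworkContext context = ProtectionPolicyManager.CreateCurrentThreadNetworkContext(enterpriseId))
        using (var client = new HttpClient())
        {
            byte[] body = await client.GetByteArrayAsync(resourceUri);
            return (body, enterpriseId);
        }
    }
}
```

Returning the identity with the body matters for the egress side: data fetched from a managed host should be protected to that same identity (slide 52) rather than written out as personal.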

52 Data Egress – Protect enterprise data: Files
Namespace: Windows.Security.EnterpriseData
Class: FileProtectionManager
Method: ProtectAsync
Takes an IStorageItem and an enterprise ID string
Encrypts the file with a key tagged to the enterprise ID

53 Protect file
    // Protect the file to 'identity' (managed address or domain)
    FileProtectionInfo protectionInfo = await FileProtectionManager.ProtectAsync(file, identity);

    // Use standard APIs to read or write the file.

54 Data Egress – Protect enterprise data: Buffers
Namespace: Windows.Security.EnterpriseData
Class: DataProtectionManager
Method: ProtectAsync
Takes an IBuffer and an enterprise ID string
Returns a new IBuffer encrypted to the enterprise

55 Protect buffer
    IBuffer inputBuffer = CryptographicBuffer.ConvertStringToBinary(protectedMessage, BinaryStringEncoding.Utf8);

    // ProtectAsync returns the encrypted buffer together with its protection info.
    BufferProtectUnprotectResult result = await DataProtectionManager.ProtectAsync(inputBuffer, EnterpriseIdentity);

    // Best practice: check the return status
    if (result.ProtectionInfo.Status == DataProtectionStatus.Unprotected)
    {
        // Protection can fail if the app is not allowed for EnterpriseIdentity
    }
    IBuffer protectedBuffer = result.Buffer;

56 Data Egress – Protect enterprise data: Save UX
Namespace: Windows.Storage.Pickers
Class: FileSavePicker
Method: FileSavePicker (constructor)
Property: EnterpriseId
Takes an enterprise identity string
Sets the encryption dropdown to match (if managed)

57 Set enterprise context for FilePicker
    private async void SaveFile_Click(object sender, RoutedEventArgs e)
    {
        var savePicker = new FileSavePicker();
        savePicker.EnterpriseId = GetCurrentEnterpriseId(); // app-defined helper

        var file = await savePicker.PickSaveFileAsync();
        if (file != null)
        {
            // Best practice: check the status with
            // FileProtectionManager.GetProtectionInfoAsync(file)
        }
    }
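Slides 53, 55 and 57 each leave the status check as a comment. The following added example (not code from the deck) writes the egress helpers with those checks carried through: buffer protection that refuses to hand back plaintext as if it were protected, the reverse unprotect that checks the identity first, and the post-picker check that protects a file explicitly before enterprise content is written into it. The enterpriseIdentity parameter is the managed identity (typically the enrolled domain) the app obtained from policy; how it is obtained is not shown on the slides.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Cryptography;
using Windows.Security.EnterpriseData;
using Windows.Storage;
using Windows.Storage.Streams;

// Added example, not from the deck: egress helpers with the status checks
// the slides mention as best practice actually applied.
public static class EgressProtection
{
    // Protect a UTF-8 string to the enterprise. Null means Windows refused, for
    // example because the app is not allowed for that identity; the caller must
    // not send or store the plaintext as if it were protected.
    public static async Task<IBuffer> ProtectStringAsync(string message, string enterpriseIdentity)
    {
        IBuffer input = CryptographicBuffer.ConvertStringToBinary(message, BinaryStringEncoding.Utf8);
        BufferProtectUnprotectResult result = await DataProtectionManager.ProtectAsync(input, enterpriseIdentity);
        return result.ProtectionInfo.Status == DataProtectionStatus.Protected ? result.Buffer : null;
    }

    // Reverse direction: unprotect only a buffer that is protected to the identity
    // this view works for. A buffer protected to another identity is refused
    // rather than decrypted into the wrong context.
    public static async Task<string> UnprotectStringAsync(IBuffer protectedBuffer, string enterpriseIdentity)
    {
        DataProtectionInfo info = await DataProtectionManager.GetProtectionInfoAsync(protectedBuffer);
        if (info.Status != DataProtectionStatus.Protected
            || !string.Equals(info.Identity, enterpriseIdentity, StringComparison.OrdinalIgnoreCase))
        {
            return null;
        }
        BufferProtectUnprotectResult result = await DataProtectionManager.UnprotectAsync(protectedBuffer);
        return CryptographicBuffer.ConvertBinaryToString(BinaryStringEncoding.Utf8, result.Buffer);
    }

    // After the save picker returns (slide 57), confirm the file is protected to
    // the identity; if the user chose an unprotected location, protect it
    // explicitly before any enterprise content is written. False means do not write.
    public static async Task<bool> EnsureFileProtectedAsync(StorageFile file, string enterpriseIdentity)
    {
        FileProtectionInfo info = await FileProtectionManager.GetProtectionInfoAsync(file);
        if (info.Status == FileProtectionStatus.Protected
            && string.Equals(info.Identity, enterpriseIdentity, StringComparison.OrdinalIgnoreCase))
        {
            return true;
        }
        if (info.Status == FileProtectionStatus.Unprotected)
        {
            info = await FileProtectionManager.ProtectAsync(file, enterpriseIdentity);
            return info.Status == FileProtectionStatus.Protected;
        }
        // Revoked, ProtectedToOtherIdentity, AccessSuspended, ...: refuse.
        return false;
    }

    // Write enterprise text into a picked file, protecting it first.
    public static async Task<bool> SaveEnterpriseTextAsync(StorageFile file, string text, string enterpriseIdentity)
    {
        if (!await EnsureFileProtectedAsync(file, enterpriseIdentity)) return false;
        await FileIO.WriteTextAsync(file, text); // standard APIs; the encryption is transparent
        return true;
    }
}
```

The identity comparison in EnsureFileProtectedAsync is what catches the case the picker cannot: a file that is already protected, but to a different enterprise than the one the view is working for.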

59 Event Handling – Revoke
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Event: ProtectedContentRevoked
Register your event handler for revoke

60 Handle revoke events
    // Register a handler for the revoke event
    ProtectionPolicyManager.ProtectedContentRevoked += HandleProtectedContentRevoked;

    void HandleProtectedContentRevoked(Object sender, ProtectedContentRevokedEventArgs args)
    {
        MyRevokeCleanupRoutine(); // app-defined: clean up files, settings, accounts, creds, etc.
        // Sync engines should break the enterprise sync relationship.
    }

61 Event Handling – Screen lock / unlock
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Events: ProtectedAccessSuspending (screen locking), ProtectedAccessResumed (screen unlocked)
Register event handlers for both events
Tip: Enterprise data can't be read under lock, but new files, buffers and streams can still be created
Tip: Close as much enterprise data as possible

62 Handle suspend / resume events
    // Register for device lock and unlock
    ProtectionPolicyManager.ProtectedAccessSuspending += HandleProtectedAccessSuspending;
    ProtectionPolicyManager.ProtectedAccessResumed += HandleProtectedAccessResumed;

    void HandleProtectedAccessSuspending(Object sender, ProtectedAccessSuspendingEventArgs args)
    {
        // Stop enterprise uploads, close enterprise files, etc.
    }

    void HandleProtectedAccessResumed(Object sender, ProtectedAccessResumedEventArgs args)
    {
        // Resume enterprise uploads, reopen enterprise content, etc.
    }
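Slides 60 and 62 leave the handler bodies as comments. The following added example (not code from the deck) fills them in for a local app: each handler acts only when the event's Identities include the enterprise this app works for, the suspending handler takes the deferral the event args provide so asynchronous flush and close finish before access is withdrawn at args.Deadline, and revoke deletes what is protected to the revoked identity. The tracked set of open enterprise files is an assumption about the app; the deck's MyRevokeCleanupRoutine corresponds to WipeEnterpriseStateAsync here.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Windows.Foundation;
using Windows.Security.EnterpriseData;
using Windows.Storage;
using Windows.Storage.Streams;

// Added example, not from the deck: revoke and lock/unlock handlers scoped to
// one enterprise identity, with a deferral around the asynchronous close.
public sealed class EnterpriseEventHandlers
{
    private readonly string _enterpriseId;
    // Files this app has open for enterprise work, with their live stream
    // (null while the device is locked). Assumed app state, not a WIP API.
    private readonly Dictionary<StorageFile, IRandomAccessStream> _open =
        new Dictionary<StorageFile, IRandomAccessStream>();

    public EnterpriseEventHandlers(string enterpriseId)
    {
        _enterpriseId = enterpriseId;
        ProtectionPolicyManager.ProtectedContentRevoked += OnRevoked;
        ProtectionPolicyManager.ProtectedAccessSuspending += OnSuspending;
        ProtectionPolicyManager.ProtectedAccessResumed += OnResumed;
    }

    // Open an enterprise file through this class so it can be closed on lock.
    public async Task<IRandomAccessStream> OpenAsync(StorageFile file)
    {
        IRandomAccessStream stream = await file.OpenAsync(FileAccessMode.ReadWrite);
        _open[file] = stream;
        return stream;
    }

    private bool Affects(IEnumerable<string> identities) =>
        identities.Any(i => string.Equals(i, _enterpriseId, StringComparison.OrdinalIgnoreCase));

    private async void OnRevoked(object sender, ProtectedContentRevokedEventArgs args)
    {
        if (!Affects(args.Identities)) return; // another tenant's revoke is not ours
        await CloseAllAsync();
        await WipeEnterpriseStateAsync();
    }

    private async void OnSuspending(object sender, ProtectedAccessSuspendingEventArgs args)
    {
        if (!Affects(args.Identities)) return;
        // Keys are withdrawn at args.Deadline; the deferral keeps access until Complete().
        Deferral deferral = args.GetDeferral();
        try { await CloseAllAsync(); }
        finally { deferral.Complete(); }
    }

    private async void OnResumed(object sender, ProtectedAccessResumedEventArgs args)
    {
        if (!Affects(args.Identities)) return;
        foreach (StorageFile file in _open.Keys.ToList())
        {
            _open[file] = await file.OpenAsync(FileAccessMode.ReadWrite); // reopen content
        }
    }

    // Flush and close every enterprise stream, remembering the files for unlock.
    private async Task CloseAllAsync()
    {
        foreach (StorageFile file in _open.Keys.ToList())
        {
            IRandomAccessStream s = _open[file];
            if (s == null) continue;
            await s.FlushAsync();
            s.Dispose();
            _open[file] = null;
        }
    }

    // Delete every file in local app data protected to the revoked identity;
    // after revoke it is unreadable anyway and should not linger on disk.
    private async Task WipeEnterpriseStateAsync()
    {
        _open.Clear();
        foreach (StorageFile file in await ApplicationData.Current.LocalFolder.GetFilesAsync())
        {
            FileProtectionInfo info = await FileProtectionManager.GetProtectionInfoAsync(file);
            if (string.Equals(info.Identity, _enterpriseId, StringComparison.OrdinalIgnoreCase))
            {
                await file.DeleteAsync(StorageDeleteOption.PermanentDelete);
            }
        }
        // A sync engine would also break its enterprise sync relationship here.
    }
}
```

Filtering on args.Identities is the detail the deck's one-line handlers skip: on a device enrolled with more than one identity, a revoke or lock event for another identity must not wipe or close this app's data.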

