Published by Hester Elliott. Modified over 9 years ago.
Build 2015 4/15/2017 © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Enterprise Data Protection: Building Universal Windows Apps That Keep Work and Personal Data Separate and Secure
Session 3-662
Derek Adam, Program Manager

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Our apps are our babies. This talk is about making them ready for the workplace.
Understanding the enterprise customer: the IT administrator ("Willy Wonka")
- Wants things locked up in his domain
- Makes rules to try to keep it that way
- Respect the stewardship you (might) have
- Don't reveal company secrets
- Respect boundaries of access and use terms
Source: Stroz Friedberg, "On The Pulse: Information Security In American Business," 2013
Understanding the enterprise customer: the information worker ("people like you and me")
- Wants access from personal devices
- Prefers as little management as possible
- We all make mistakes
Information protection journey

DEVICE PROTECTION: protect data when the device is lost or stolen
- BitLocker enhancements in Windows 8.1
- InstantGo
- 3rd party adoption

DATA PROTECTION
- Rights Management Services (RMS)
- Office Information Rights Management (IRM)
- Azure AD, Azure Rights Management in 2013

THE GAP
- Protect data when …..
- Accidental data leakage
- Enterprise Data Protection
Other attempts to fill the gap: pain points
- Switching modes and between containers
- Users change apps to work securely
- Experience between mobile and desktop is inconsistent
- Solutions are an add-on to the platform, which makes them expensive
Our vision
Integrate data protection at the platform level to protect corporate data against inadvertent disclosure to unauthorized users and public services through , social media and public cloud.
Windows 10 Enterprise Data Protection
- Protects data at rest, and when roaming
- Platform integrated, no mode switching
- Corporate data identifiable from personal
- Better approach to data management
- Mobile & desktop
- Only IT-allowed apps see business data
- IT controls keys, can remote wipe
- Common experience, cross-platform support
Windows 10 Enterprise Data Protection: extra security with Data Protection Under Lock
- Optional screen-lock security policy
- The system discards the decryption key on lock
- Blocks reads of enterprise data while the screen is locked
- Can still encrypt new files and data under lock
- Logon or unlock restores keys and access
- Helps mitigate system-level attacks
Note that only the system's key is discarded: plaintext an app has already loaded into memory is the app's to release, which is what the ProtectedAccessSuspending event later in this deck is for.
See session 639, "Microsoft Passport and Windows Hello: Moving beyond passwords and credential theft"
Data exchange is blocked or audited
- Business / personal: one experience
- Data is isolated
- Data is encrypted at rest
- Data exchange between business and personal apps is blocked or audited
- Organization holds keys
- Office and OneDrive
- APIs for ISVs
- MDM managed
The slide shows business apps & data (managed) beside personal apps & data (unmanaged); the apps pictured include Lync, OneDrive for Business, PowerPoint, PDF Reader, Contacts, Calendar, Facebook, WhatsApp, OneDrive, Photos and Weather.
Enterprise Data Protection: provisioning keys and policies
1. User enrolls with enterprise MDM or domain join
2. MDM or ConfigMgr provisions policy and encryption keys
Policies: enterprise allowed apps, network policies, app restriction policy
See "Managing Mobile Devices and Applications in an Enterprise" (Session 654)
Enterprise Data Protection: data ingress
- Data from the enterprise network is encrypted (e.g. OneDrive for Business, corporate Exchange mail, etc.)
Enterprise Data Protection: data egress (from app to disk)
- Saving to an enterprise folder: encryption auto-applied
- User option to save as corporate
- IT can configure unenlightened apps to automatically protect data
- Enlightened apps protect corporate data
Enterprise Data Protection: data egress (inter-app, or over the network)
- Enlightened apps can maintain protection
- App restriction policy can block egress to other apps
- Network policy can block egress to non-corporate sites
Enterprise Data Protection: cross-platform data sharing
- Public API for secure sharing
- Readers available for cross-platform editing
- Microsoft Intune SDK for iOS & Android: common developer experience across platforms
- iOS & Android apps enabled via Intune App SDK
- iOS & Android enabled via Intune App Wrapping Tool for IT pros
- Common MDM support across Windows, iOS & Android with Microsoft Intune
Enterprise Data Protection: revoke (on unenroll)
- Unenroll removes the keys and wipes the now-inaccessible enterprise data
Enterprise Data Protection - Demo
Enlightening your app for Enterprise Data Protection
Enterprise enlightened apps
- Recognize enterprise data sources
- Protect data at rest, in use, in flight
- Follow policy

- Recognize personal data sources
- Let personal data be personal
- No policy for personal apps & data

- Something IT and IW can agree on
- Competitive advantage: satisfy both
Declare your app enlightened (WinRT)

Add the enterpriseDataPolicy restricted capability to the app manifest. The value of the rescap namespace declaration is cut off on the slide.

    xmlns:rescap="…"

    <Capabilities>
      <rescap:Capability Name="enterpriseDataPolicy"/>
    </Capabilities>
Declare your app enlightened (Win32)

Add this entry to resources.rc:

    MICROSOFTEDPENLIGHTENEDAPPINFO EDPENLIGHTENEDAPPINFOID
    BEGIN
        0x0001
    END
Enlightening Apps for Enterprise Data Protection

                  Local (productivity apps)          Network capable (channel apps)
Data ingress      Check for enterprise tag on data   Check if host belongs to the enterprise AND unwrap files (if necessary)
Data in use       Set mode: enterprise / personal    Turn VPN on / off; block sending to non-enterprise hosts
Data egress       Protect enterprise data            Protect enterprise data OR wrap files for transport
Event handling    Revoke: close & clean up           Revoke: stop enterprise sync completely
                  Screen lock: close content         Screen lock: stop uploads
                  Screen unlock: reopen content      Screen unlock: resume uploads
Data Ingress – Recognize enterprise files
Namespace: Windows.Security.EnterpriseData
Class: FileProtectionManager
Method: GetProtectionInfoAsync
- Takes an IStorageItem
- Returns protection status and identity string
Data Ingress – Recognize enterprise files (Pt. 2)
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Method: IsIdentityManaged
- Identity is an address or domain
- Data is managed only when the identity is managed
Check file

    FileProtectionInfo protectionInfo =
        await FileProtectionManager.GetProtectionInfoAsync(fileHandle);

    if (protectionInfo.Status == FileProtectionStatus.Protected
        && ProtectionPolicyManager.IsIdentityManaged(protectionInfo.Identity))
    {
        // Enterprise case, so do things like set enterprise mode
    }
    else if (protectionInfo.Status == FileProtectionStatus.Unprotected)
    {
        // Data is personal
    }
    else if (protectionInfo.Status == FileProtectionStatus.Revoked)
    {
        // Call your revocation handling code
    }
    // Any other status (protected, but not to an identity this user and device
    // can read) means the file is unreadable here: do not treat it as personal.
Data Ingress – Enterprise data packages
Namespace: Windows.ApplicationModel.DataTransfer
Class: DataPackagePropertySetView
Property: EnterpriseId
- Managed clipboard / share data is tagged
- Property is the empty string when not managed
Check data package view properties (clipboard / share)

    // shareOperation is the ShareOperation handed to a share target on activation
    string enterpriseId = shareOperation.Data.Properties.EnterpriseId;
    if (string.IsNullOrEmpty(enterpriseId))
    {
        // Personal
    }
    else
    {
        // Enterprise managed
    }
Data Ingress – Check if host is enterprise
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Method: GetPrimaryManagedIdentityForNetworkEndpointAsync
- Takes a HostName object
- Returns the enterprise identity string
- Empty string means personal, not enterprise
Check network host

    var resourceUri = new Uri(serverNameString);

    // Check if the URI is an enterprise-managed endpoint.
    string enterpriseId = await ProtectionPolicyManager
        .GetPrimaryManagedIdentityForNetworkEndpointAsync(new HostName(resourceUri.Host));

    if (!string.IsNullOrEmpty(enterpriseId))
    {
        // If the enterprise ID is non-empty, it's managed.
        // Make VPN claim, protect download data, etc.
        // ...
    }
Data Ingress – Unwrap enterprise container files
Namespace: Windows.Security.EnterpriseData
Class: FileProtectionManager
Method: LoadFileFromContainerAsync
- Takes a containerized file
- Makes a new file with local encryption
Load encrypted container into the file system

    var tempFolder = ApplicationData.Current.TemporaryFolder;
    var appDataFolder = ApplicationData.Current.LocalFolder;

    // Get a handle to the downloaded containerized file.
    var containerFile = await tempFolder.GetFileAsync("myAppDataFile.dat");

    // Import the container into the encrypted file system.
    ProtectedContainerImportResult result =
        await FileProtectionManager.LoadFileFromContainerAsync(containerFile, appDataFolder);
    StorageFile protectedFile = result.File;
Data In Use – Set app mode enterprise
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Methods: TryApplyProcessUIPolicy, ClearProcessUIPolicy
- Puts the whole process into enterprise mode
- Windows enforces clipboard & share policy

Set / clear UI policy enforcement for the app

    // Put the process into enterprise context. Returns false when policy does
    // not allow this app to handle data for enterpriseId.
    bool applied = ProtectionPolicyManager.TryApplyProcessUIPolicy(enterpriseId);

    // Clear enterprise app context so it is personal again.
    ProtectionPolicyManager.ClearProcessUIPolicy();
Data In Use – Set app view to enterprise
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Method: GetForCurrentView
Property: Identity
- Puts the AppView (i.e. window) into enterprise mode
- Windows enforces clipboard & share policy
Set AppView to enterprise

    private void TagCurrentViewWithEnterpriseId(string enterpriseId)
    {
        // Note: an empty enterpriseId sets the view back to personal mode
        ProtectionPolicyManager protectionPolicyManager = ProtectionPolicyManager.GetForCurrentView();
        protectionPolicyManager.Identity = enterpriseId;
    }
Data In Use – Set network context on thread
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Method: CreateCurrentThreadNetworkContext
- Marks the thread for enterprise network access
- Sockets created on the thread get the VPN
Set / clear enterprise network thread context

    // Set enterprise context to access enterprise network resources:
    // create a protected network context on the current thread.
    ThreadNetworkContext context =
        ProtectionPolicyManager.CreateCurrentThreadNetworkContext(enterpriseId);
    try
    {
        var client = new HttpClient();   // Gets the VPN for enterpriseId
        // ... issue requests to enterprise endpoints here ...
    }
    finally
    {
        // Clear the context before leaving scope (it is null when no policy applies).
        context?.Dispose();
    }
    // New connections don't get the 'enterpriseId' VPN now...
Data Egress – Protect enterprise data: Files
Namespace: Windows.Security.EnterpriseData
Class: FileProtectionManager
Method: ProtectAsync
- Takes an IStorageItem and an enterprise ID string
- Encrypts the file with a key tagged to the enterprise ID
Protect file

    // Protect the file to 'identity' (a managed address or domain)
    FileProtectionInfo protectionInfo = await FileProtectionManager.ProtectAsync(file, identity);

    // Use standard APIs to read or write from the file.
Data Egress – Protect enterprise data: Buffers
Namespace: Windows.Security.EnterpriseData
Class: DataProtectionManager
Method: ProtectAsync
- Takes an IBuffer and an enterprise ID string
- Returns a new IBuffer encrypted to the enterprise
Protect buffer

    IBuffer inputBuffer =
        CryptographicBuffer.ConvertStringToBinary(message, BinaryStringEncoding.Utf8);
    BufferProtectUnprotectResult result =
        await DataProtectionManager.ProtectAsync(inputBuffer, enterpriseIdentity);

    // Best practice: check the returned status. Protection fails (status stays
    // Unprotected) if the app is not allowed for enterpriseIdentity.
    if (result.ProtectionInfo.Status == DataProtectionStatus.Unprotected)
    {
        // Handle the failure; do not store result.Buffer as if it were protected.
    }
    IBuffer protectedBuffer = result.Buffer;
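The channel-app column of the checklist, as one flow: classify the host ("Data Ingress – Check if host is enterprise"), fetch inside the thread network context ("Data In Use – Set network context on thread") and protect what comes back as a file or a buffer ("Data Egress – Protect enterprise data: Files / Buffers"). This is an added example, not code from the slides or from Microsoft. EnterpriseDownloader, its method names and the destination file name are assumptions; the identity is whatever policy reports for the host at run time. It assumes, as the slide does, that the request is issued from the thread that created the context, and uses the Windows.Web.Http HttpClient so the whole exchange happens inside that context.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Networking;
using Windows.Security.EnterpriseData;
using Windows.Storage;
using Windows.Storage.Streams;
using Windows.Web.Http;

// Added example, not from the slides. Class and method names are assumptions.
public static class EnterpriseDownloader
{
    // Ingress: the identity the host is managed under, or "" when the host is personal.
    public static async Task<string> ClassifyEndpointAsync(Uri resourceUri)
    {
        string identity = await ProtectionPolicyManager
            .GetPrimaryManagedIdentityForNetworkEndpointAsync(new HostName(resourceUri.Host));

        // A host tagged with an identity this device no longer manages cannot be
        // protected to (ProtectAsync would fail), so treat it as personal.
        if (!string.IsNullOrEmpty(identity) && !ProtectionPolicyManager.IsIdentityManaged(identity))
        {
            identity = string.Empty;
        }
        return identity;
    }

    // Downloads resourceUri into LocalFolder\fileName. Enterprise content is protected
    // before the first byte is written and fetched inside the enterprise network context.
    public static async Task<StorageFile> DownloadAsync(Uri resourceUri, string fileName)
    {
        string identity = await ClassifyEndpointAsync(resourceUri);
        StorageFile target = await ApplicationData.Current.LocalFolder
            .CreateFileAsync(fileName, CreationCollisionOption.ReplaceExisting);

        if (string.IsNullOrEmpty(identity))
        {
            // Personal host: plain download, no policy applies.
            using (var client = new HttpClient())
            {
                IBuffer body = await client.GetBufferAsync(resourceUri);
                await FileIO.WriteBufferAsync(target, body);
            }
            return target;
        }

        // Egress: protect the still-empty destination first, so an interrupted
        // download never leaves plaintext corporate data on disk.
        FileProtectionInfo info = await FileProtectionManager.ProtectAsync(target, identity);
        if (info.Status != FileProtectionStatus.Protected)
        {
            await target.DeleteAsync();
            throw new UnauthorizedAccessException(
                $"App is not allowed to protect data to {identity} (status {info.Status})");
        }

        // In use: the context is bound to this thread. Holding it until the request has
        // completed is correct whether the identity binds when the client is created or
        // when the socket is opened; it costs nothing but scope.
        using (ThreadNetworkContext ctx = ProtectionPolicyManager.CreateCurrentThreadNetworkContext(identity))
        using (var client = new HttpClient())
        {
            IBuffer body = await client.GetBufferAsync(resourceUri);
            // Standard write; the file system encrypts at rest with the identity's key.
            await FileIO.WriteBufferAsync(target, body);
        }
        return target;
    }

    // Egress for data that stays in memory or goes to a non-file store: encrypt the
    // buffer to the identity and keep only the ciphertext.
    public static async Task<IBuffer> SealAsync(IBuffer plaintext, string identity)
    {
        BufferProtectUnprotectResult r = await DataProtectionManager.ProtectAsync(plaintext, identity);
        if (r.ProtectionInfo.Status != DataProtectionStatus.Protected)
        {
            throw new UnauthorizedAccessException($"Buffer protect failed: {r.ProtectionInfo.Status}");
        }
        return r.Buffer;
    }
}
```

The order matters: protecting the destination before the download means a crash, a revoke or a lock in the middle of the transfer leaves ciphertext rather than a half-written plaintext file, and a failed ProtectAsync (app not on the allowed list for that identity) is detected before any corporate bytes have been fetched.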
Data Egress – Protect enterprise data: Save UX
Namespace: Windows.Storage.Pickers
Class: FileSavePicker
Method: FileSavePicker (constructor)
Property: EnterpriseId
- Takes the enterprise identity string
- Sets the encryption dropdown to match (if managed)
Set enterprise context for the FileSavePicker

    private async void SaveFile_Click(object sender, RoutedEventArgs e)
    {
        var savePicker = new FileSavePicker();
        savePicker.EnterpriseId = GetCurrentEnterpriseId();   // empty string => personal default
        var file = await savePicker.PickSaveFileAsync();
        if (file != null)
        {
            // Best practice: the picker's enterprise/personal dropdown is the user's
            // choice, so check the result with FileProtectionManager.GetProtectionInfoAsync(file)
            // before writing enterprise content to it.
        }
    }
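The local-app column end to end: classify an opened file ("Data Ingress – Recognize enterprise files"), read the tag on shared data ("Data Ingress – Enterprise data packages"), tag the view ("Data In Use – Set app view to enterprise") and verify what the save picker returned ("Data Egress – Protect enterprise data: Save UX"). This is an added example, not code from the slides or from Microsoft. DocumentSession, the Outcome enumeration and the decision to refuse an unprotected save of enterprise content are assumptions; an app whose IT policy permits user overrides may honour the picker's choice instead.

```csharp
using System;
using System.Threading.Tasks;
using Windows.ApplicationModel.DataTransfer;
using Windows.Security.EnterpriseData;
using Windows.Storage;
using Windows.Storage.Pickers;

// Added example, not from the slides. Names and the save policy are assumptions.
public static class DocumentSession
{
    public enum Outcome { Personal, Enterprise, Blocked, Revoked }

    // Ingress: classify the file and tag the current view to match, so Windows
    // applies clipboard and share policy to whatever the user does with it next.
    public static async Task<Outcome> OpenAsync(IStorageItem item)
    {
        FileProtectionInfo info = await FileProtectionManager.GetProtectionInfoAsync(item);
        switch (info.Status)
        {
            case FileProtectionStatus.Protected:
                if (ProtectionPolicyManager.IsIdentityManaged(info.Identity))
                {
                    ProtectionPolicyManager.GetForCurrentView().Identity = info.Identity;
                    return Outcome.Enterprise;
                }
                // Protected to an identity this device no longer manages: no key, no read.
                return Outcome.Blocked;

            case FileProtectionStatus.Unprotected:
                ProtectionPolicyManager.GetForCurrentView().Identity = string.Empty; // personal
                return Outcome.Personal;

            case FileProtectionStatus.Revoked:
                return Outcome.Revoked;   // run the same cleanup as the revoke event handler

            default:
                // ProtectedByOtherUser, ProtectedToOtherEnterprise, NotProtectable, ...
                return Outcome.Blocked;
        }
    }

    // Ingress via Share or the clipboard: the tag is on the package properties and
    // is the empty string for personal data.
    public static string IdentityOfSharedData(DataPackageView view)
    {
        string id = view.Properties.EnterpriseId;
        return string.IsNullOrEmpty(id) ? string.Empty : id;
    }

    // Egress: default the picker to the identity the view is tagged with, then verify
    // the chosen file really is protected before enterprise content is written to it.
    public static async Task<StorageFile> SaveAsAsync(string currentIdentity)
    {
        var picker = new FileSavePicker { SuggestedStartLocation = PickerLocationId.DocumentsLibrary };
        picker.FileTypeChoices.Add("Text", new[] { ".txt" });
        picker.EnterpriseId = currentIdentity;   // "" => personal default in the dropdown

        StorageFile file = await picker.PickSaveFileAsync();
        if (file == null) return null;

        if (string.IsNullOrEmpty(currentIdentity))
        {
            return file;   // personal content: nothing to enforce
        }

        FileProtectionInfo info = await FileProtectionManager.GetProtectionInfoAsync(file);
        if (info.Status != FileProtectionStatus.Protected)
        {
            // Enterprise content headed for an unprotected file: protect it ourselves
            // (assumed policy). If that is refused, do not leave an empty decoy behind.
            info = await FileProtectionManager.ProtectAsync(file, currentIdentity);
            if (info.Status != FileProtectionStatus.Protected)
            {
                await file.DeleteAsync();
                throw new UnauthorizedAccessException($"Save refused: {info.Status}");
            }
        }
        return file;
    }
}
```

The view identity is set from the file's tag rather than from a global "enterprise mode" flag, so a window showing a personal document and a window showing a corporate one get different clipboard and share behaviour in the same process.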
Event Handling – Revoke
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Event: ProtectedContentRevoked
- Register your event handler for revoke
59
Handle revoke events

// Register handler for revoke event
ProtectionPolicyManager.ProtectedContentRevoked += HandleProtectedContentRevoked;

void HandleProtectedContentRevoked(Object sender, ProtectedContentRevokedEventArgs args)
{
    MyRevokeCleanupRoutine();
    // Clean up files, settings, accounts, creds, etc.
    // Sync engines should break enterprise sync relationship.
}
60
Event Handling – Screen lock / unlock
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Events:
  - ProtectedAccessSuspending (screen locking)
  - ProtectedAccessResumed (screen unlocked)
Register event handlers for both events
Tip: Can't read enterprise data under lock, but can create new files, buffers, streams
Tip: Close as much enterprise data as possible
61
Handle suspend / resume events

// Register for device lock and unlock
ProtectionPolicyManager.ProtectedAccessSuspending += HandleProtectedAccessSuspending;
ProtectionPolicyManager.ProtectedAccessResumed += HandleProtectedAccessResumed;

void HandleProtectedAccessSuspending(Object sender, ProtectedAccessSuspendingEventArgs args)
{
    // Stop enterprise upload, close enterprise files, etc.
}

void HandleProtectedAccessResumed(Object sender, ProtectedAccessResumedEventArgs args)
{
    // Resume enterprise upload, reopen enterprise content, etc.
}
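The two event slides above (revoke, and screen lock / unlock) show the registrations but not the details that matter in practice: each event carries the list of affected identities, the suspending event gives the app a bounded deadline, and a revoke that happens while the app is not running never raises the event at all. This added example (not the deck's code, not Microsoft's) wires all three events into one lifecycle object. The cleanup, close and reopen delegates stand in for app-specific code and are assumptions, as is the identity string.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Windows.Foundation;
using Windows.Security.EnterpriseData;

// Added example (not from the deck): one place that owns the three
// ProtectionPolicyManager event registrations and reacts only to the identity
// the app actually holds data for.
public sealed class EnterpriseDataLifecycle
{
    private readonly string _enterpriseIdentity;               // identity the app tagged its data with (assumed)
    private readonly Func<Task> _closeEnterpriseContentAsync;  // stop uploads, close enterprise files
    private readonly Func<Task> _reopenEnterpriseContentAsync; // resume uploads, reopen content
    private readonly Func<Task> _wipeEnterpriseDataAsync;      // files, settings, accounts, creds, sync relationship

    public EnterpriseDataLifecycle(string enterpriseIdentity,
        Func<Task> closeAsync, Func<Task> reopenAsync, Func<Task> wipeAsync)
    {
        _enterpriseIdentity = enterpriseIdentity;
        _closeEnterpriseContentAsync = closeAsync;
        _reopenEnterpriseContentAsync = reopenAsync;
        _wipeEnterpriseDataAsync = wipeAsync;
    }

    // Call once at startup. A revoke issued while the app was not running raised
    // no event, so ask the OS whether one happened since the last clean run.
    public async Task StartAsync(DateTimeOffset lastRunUtc)
    {
        if (ProtectionPolicyManager.HasContentBeenRevokedSince(_enterpriseIdentity, lastRunUtc))
        {
            await _wipeEnterpriseDataAsync();
        }
        ProtectionPolicyManager.ProtectedContentRevoked += OnRevoked;
        ProtectionPolicyManager.ProtectedAccessSuspending += OnSuspending;
        ProtectionPolicyManager.ProtectedAccessResumed += OnResumed;
    }

    public void Stop()
    {
        ProtectionPolicyManager.ProtectedContentRevoked -= OnRevoked;
        ProtectionPolicyManager.ProtectedAccessSuspending -= OnSuspending;
        ProtectionPolicyManager.ProtectedAccessResumed -= OnResumed;
    }

    // A device can hold data for several enterprises; ignore events for the others.
    private bool Affects(IReadOnlyList<string> identities) =>
        identities.Any(id => string.Equals(id, _enterpriseIdentity, StringComparison.OrdinalIgnoreCase));

    private async void OnRevoked(object sender, ProtectedContentRevokedEventArgs args)
    {
        if (!Affects(args.Identities)) return;
        // Protected data is already unreadable at this point; what remains is to
        // remove the app's own copies, settings and credentials for that identity.
        await _wipeEnterpriseDataAsync();
    }

    private async void OnSuspending(object sender, ProtectedAccessSuspendingEventArgs args)
    {
        if (!Affects(args.Identities)) return;
        // The OS waits only until args.Deadline. Take a deferral so asynchronous
        // close-out counts, and complete it on every path or the lock is delayed.
        Deferral deferral = args.GetDeferral();
        try
        {
            await _closeEnterpriseContentAsync();
        }
        finally
        {
            deferral.Complete();
        }
    }

    private async void OnResumed(object sender, ProtectedAccessResumedEventArgs args)
    {
        if (!Affects(args.Identities)) return;
        await _reopenEnterpriseContentAsync();
    }
}
```

These are static WinRT events and are not guaranteed to be raised on the UI thread, so anything in the delegates that touches XAML must marshal to the dispatcher. The deck's tip still applies inside the suspending handler: reading enterprise data is already blocked, but creating new files and buffers is allowed, which is what makes a flush-then-close routine possible under the deadline.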
62
OS Settings and App Data Roaming ...in the Enterprise!
63
Enterprise Roaming in Windows 10

- Windows 10 supports roaming based on AAD as well as MSA accounts
- Feature parity with Windows 8/8.1, with additional security and management capabilities
- Premium administrative features as part of Enterprise Mobility Suite (EMS)
- Data is automatically synced with the correct storage cloud (OneDrive / Azure AD tenant)
- OS settings roam based on the identity used to sign into Windows
- Windows app state roams based on the identity used to acquire the app
- Supported on Windows Phone and Desktop
- See session 709 "Single Sign-On with Secure Authentication" by Karanbir Singh
64
Enterprise Roaming in Windows 10

Security
- All enterprise data is encrypted both in transit (TLS) and at rest in the cloud (RMS)
- Support for both "default" and "premium" key management capabilities
  - Default: Keys managed in the cloud by Microsoft (free)
  - Premium: Keys managed in the cloud by the customer

Management
- Admin UX is available from the Azure Active Directory portal
  - Default: On/off switch; data deletion (free)
  - Premium: Security group "allowed list"; user reports
- MDM provides admins the ability to turn roaming on/off per device
65
MSDN Roaming References

General
- Guidelines for roaming app data
- Quickstart: Roaming app data
- How to roam data between a Windows Store app and a Windows Phone Store app
- Blog: Roaming your app data

APIs
- ApplicationData.RoamingFolder | roamingFolder property
- ApplicationData.RoamingSettings | roamingSettings property
- ApplicationData.SignalDataChanged | signalDataChanged method
66
MDM Resources

Windows 10 MDM documentation ONLINE: http://aka.ms/kw2vwj

MDM-related Ignite sessions
- Vladimir Holostov | Provisioning Windows 10 Devices with New Tools [Link]
- Jason Githens | Managing Windows 10 with Microsoft Intune and SCCM [Link]
- Chris Green & Dilip Radhakrishnan | Securing Access to Microsoft Exchange and SPO with Intune [Link]
- John Vintzel | Windows 10 Universal App Deployment for Enterprises [Link]
- Tejas Patel | Using the Business Store Portal with Windows 10 Devices [Link]
- Yogesh Mehta | Protecting your data with containers without boxing yourself in [Link]
- Aman Arneja | Secure Enterprise Network Access and VPN platform enhancements [Link]
- Nelly Porter | Secure authentication with Windows Hello [Link]
- Deepak Manohar | Next Generation Malware detection with Windows Defender [Link]
67
Call to Action

- Join the Windows Insider Program ... and give us feedback!
- Explore the Enterprise Data Protection samples
- Check the Roaming App Data resources
- Get your app ready for management!
68
Trustworthy apps will be chosen

Raise apps that help users respect enterprise data, and you will be rewarded
69