There may be times when you need to add a Microsoft Store application to the App Rules list. The following steps will show you how to complete this task:
- In the App Rules area (see Figure 14.7), click Add. The Add App Rule box appears.
- In the Title box, add a name for the app. In this example, it’s Microsoft OneNote.
- From the Windows Information Protection Mode drop-down list, choose Allow to turn WIP on to help protect that app’s company data.
- Select Store App from the Rule Template drop-down list. The box will change to show the store app rule options.
- Type the name of the app and the name of its publisher, and then click OK. For this UWP app example, the publisher is CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US and the product name is Microsoft.Office.OneNote.
FIGURE 14.7 Create Configuration Item Wizard – Add App Rule
- After configuring the policy, you can review all of the settings by looking at the Summary screen. Click Summary to review the policy choices and then click Next to finish and save the policy.
WIP File Behavior
Files and apps can be categorized as either work or personal. Where you get the file and where you save new files determines whether files are protected by WIP.
When working with existing files:
■ If you get a file from a corporate location, it will automatically be WIP-protected.
■ If you get it from a personal location, it will not be WIP-protected.
When saving new files:
■ If you save it to a corporate location, it will be WIP-protected.
■ If you save it to a personal location, it will not be WIP-protected.
Enlightened apps also provide the option when saving a file to specify whether it’s corporate-related or personal. However, if you store a work file to a personal location, WIP gives you the option of saving it as a personal file or saving it at a different location.
Determine the Enterprise Context of an App
You can check the context of an app on your machine by using Windows Task Manager. But you must first activate the Enterprise Context column in Task Manager. To activate the column, perform the following:
- Open Task Manager and, if you aren’t already in the detail view, click More Details.
- Select the Details tab.
- Right-click in the column heading area and then click Select Columns.
- Scroll down, select the Enterprise Context option, and then click OK to close the box. The Enterprise Context column will now be visible in Task Manager.
The Enterprise Context column displays what each app can do with your corporate data:
Domain: If your domain is displayed, the app is running in corporate-related mode and protects the content the app is currently accessing.
Personal: If Personal is displayed, the app is running in personal mode and can’t touch any work data or resources.
Exempt: If Exempt is displayed, the app is running in trusted mode and WIP policies are bypassed.
Monitor WIP Events
A device protected by WIP will generate different events that are saved to the event log on the local machine. WIP will create audit events in the following situations:
■ A user changes the File Ownership for a file from corporate to personal data.
■ Data is marked as corporate data but shared to a personal app or web page. The data can be shared through copy and paste, drag and drop, sharing a contact, uploading to a personal web page, or if the user grants a personal app temporary access to a protected file.
■ An app has custom audit events.
You can use Windows Event Forwarding to collect the WIP audit events and then view those events using Event Viewer.
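Before setting up forwarding, you can check what a single device is logging. The following PowerShell script is an added example, not part of the original text; the two channel names are assumed from Microsoft's WIP auditing documentation and the seven-day window is an arbitrary choice.

```powershell
# Added example: summarize the local WIP audit events from the last 7 days.
# Assumption: these channel names come from Microsoft's WIP audit documentation,
# not from this page.
$channels = @(
    'Microsoft-Windows-EDP-Audit-Regular/Admin',
    'Microsoft-Windows-EDP-Audit-TCB/Admin'
)
$since = (Get-Date).AddDays(-7)   # look-back window (arbitrary choice)

$events = foreach ($channel in $channels) {
    # Skip a channel that does not exist on this Windows build or edition.
    if (-not (Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue)) {
        Write-Warning "Channel not present: $channel"
        continue
    }
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = $since } -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises an error when nothing matches the filter;
        # treat that as an empty result, and report anything else.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            Write-Verbose "No events in $channel since $since"
        }
        else {
            Write-Warning "Could not read ${channel}: $($_.Exception.Message)"
        }
    }
}

if (@($events).Count -eq 0) {
    Write-Output 'No WIP audit events found in the selected window.'
    return
}

# How many events of each ID were logged in each channel.
$events | Group-Object LogName, Id | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The 20 most recent events: when, which channel, which user SID, and the
# first line of the rendered message.
$events | Sort-Object TimeCreated -Descending |
    Select-Object -First 20 TimeCreated, LogName, Id, UserId,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -Wrap
```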
Changing File Ownership
It is possible to change the file ownership using Windows Explorer. You simply check File Ownership and change it from Personal to Work, or vice versa. When you perform this operation, it will be saved to the event log.