Enterprise mobility is widely used nowadays. Many employees now have a smartphone, a tablet or both, and it is common to find enterprise data alongside personal data on these devices. The risk of disclosure of business data is therefore significant. Windows 10 offers an interesting feature for this: EDP (Enterprise Data Protection). You can use EDP for the following scenarios:
- Encryption of business data on both personal and corporate devices.
- Remote wipe of business data on managed devices (personal data is not affected).
- Selection of the applications that are allowed to access enterprise data.
- No user interaction required to switch between a personal application and an enterprise application.
Enterprise Data Protection
Several MDM vendors offer containers to protect business data. With Windows 10, EDP provides the same functionality natively. It helps protect data on a mobile device and can also be coupled with an RMS infrastructure.
Benefits of the EDP functionality
- Protection against leakage of business data.
- Separation of personal data from company data, without user interaction.
- Protection of the data handled by business applications.
- Possibility to wipe business data from a device while retaining personal data.
- Audit reports for monitoring problems and taking corrective action.
- Integration with MDM (Microsoft Intune, System Center Configuration Manager version 1511 or later).
- Protection using RMS (Rights Management Services).
- Possibility to manage Office universal applications on Windows 10 devices so that they protect the company's data.
Create Enterprise Data Protection Policy
To create an Enterprise Data Protection policy you need an SCCM infrastructure (version 1511 or later) or Microsoft Intune in SaaS mode. I used my platform in SaaS mode to create the policy. We start with the creation of the policy: expand the Policy node, then Configuration Policies, and click Add.
A wizard launches. Expand Windows, click Enterprise Data Protection, and then click Create a new policy.
Enter the name you want for the policy.
It is now possible to add the desired applications. Only these applications will have access to the company's data, so data cannot be copied to an application that is not present in this policy.
Two types of applications can be added:
- Universal applications
- Desktop applications (classic Windows applications)
Click on Add.
In the window you must enter the name of the publisher and the name of the product. For universal applications, the PowerShell command Get-AppxPackage | Out-GridView displays this information: the Name column gives the value for the Product Name field and the Publisher column gives the value for the Publisher Name field.
For desktop applications, the necessary information can be obtained by running the following command (here for the Office 2016 installation folder):
Get-AppLockerFileInformation -Directory "C:\Program Files (x86)\Microsoft Office\root\Office16\" -Recurse -FileType exe | fl
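The following PowerShell script is an added example, not code from the original post: it wraps the two commands above into functions that return exactly the Publisher Name / Product Name values the wizard asks for, using the same column mapping the post describes. The function names, the exclusion of framework packages (they are never launched directly) and the flagging of unsigned binaries (an unsigned executable has no publisher information, so the Publisher/Product fields cannot be filled for it) are my own choices; the Office directory is the one from the post's command and may differ on your machine.

```powershell
# Added example: collect the identities needed to populate an EDP application rule.
# Assumes the AppLocker module (Get-AppLockerFileInformation) and the Appx module
# (Get-AppxPackage) are available, which is the case on Windows 10.

function Get-EdpUniversalAppIdentity {
    # Universal (Appx) apps: Publisher -> "Publisher Name", Name -> "Product Name".
    Get-AppxPackage |
        Where-Object { -not $_.IsFramework } |          # skip framework packages
        Select-Object @{ n = 'PublisherName'; e = { $_.Publisher } },
                      @{ n = 'ProductName';   e = { $_.Name } },
                      @{ n = 'Version';       e = { $_.Version } } |
        Sort-Object ProductName -Unique
}

function Get-EdpDesktopAppIdentity {
    param(
        [Parameter(Mandatory)] [string] $Directory
    )
    # Desktop (Win32) apps: AppLocker publisher information from the signature.
    Get-AppLockerFileInformation -Directory $Directory -Recurse -FileType exe |
        ForEach-Object {
            $filePath = $_.Path.Path
            $pub      = $_.Publisher            # $null when the binary is unsigned
            if ($pub) {
                $publisherName = $pub.PublisherName
                $productName   = $pub.ProductName
                $binaryName    = $pub.BinaryName
            }
            else {
                $publisherName = '<unsigned>'
                $productName   = '<unsigned>'
                $binaryName    = [IO.Path]::GetFileName($filePath)
            }
            [pscustomobject]@{
                Path          = $filePath
                PublisherName = $publisherName
                ProductName   = $productName
                BinaryName    = $binaryName
                Signed        = [bool]$pub
            }
        }
}

# Usage: review universal apps in a grid, then list the signed Office executables
# with the three values an EDP desktop-app rule is built from.
Get-EdpUniversalAppIdentity | Out-GridView -Title 'EDP: universal app identities'

Get-EdpDesktopAppIdentity -Directory 'C:\Program Files (x86)\Microsoft Office\root\Office16\' |
    Where-Object Signed |
    Format-Table PublisherName, ProductName, BinaryName -AutoSize
```

Run `Get-EdpDesktopAppIdentity ... | Where-Object { -not $_.Signed }` as a check before saving the policy: any executable listed there cannot be covered by a publisher-based rule and will be treated as a non-enterprise app, which for Block mode means the user cannot paste or open enterprise data in it.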
Next you must specify the enforcement mode for the applications. Several choices are available:
- Block: prevents company data in the configured applications from being copied to any other application.
- Override: the user is warned when trying to move data outside the configured applications but can override the warning; the action is recorded in the audit log.
- Silent: the user is free to move data outside the configured applications; moves are recorded in the audit log.
- Off: the user is free to move data outside the configured applications; nothing is recorded in the audit log.
Specify the domain name to use as the corporate identity, and then click Add. Then specify the network location type and the corresponding addresses that define the enterprise network boundary.
Configure the remaining settings as desired, and then click Save policy.
The policy must now be deployed to the devices.