Windows Information Protection (WIP) is a set of technologies that protect your organization from accidental or malicious data leaks. It provides this protection to both enterprise-owned devices and BYOD devices.
WIP is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
WIP helps protect enterprise data on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it’s a work document, it becomes locally maintained as enterprise data.
When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device.
A file downloaded from an enterprise location defined in the policy, such as SharePoint or OneDrive for Business, is saved as a corporate (work) file.
Copy and paste is restricted to managed apps. Adding an app to the protected apps list makes it a managed app; the list is defined with AppLocker rules (publisher, path or hash), which is how WIP identifies each app.
Enterprise data can be opened only by managed apps.
When a corporate file is copied to a USB drive, it stays a work document on the drive: it remains encrypted and can be opened only by the organization's WIP-managed devices. If the USB drive is lost, the data on it is still protected.
When you create a new document, you choose whether to save it as a personal or a work file.
WIP lets you block, allow overrides, or audit employees’ data sharing actions.
WIP helps protect enterprise data on local files and on removable media.
Employees won’t be able to sync encrypted files to their personal cloud storage.
WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone.
Copy and paste from a corporate-owned file into a personal file is blocked.
Selective wipe removes this downloaded corporate data from the device.
You can copy work content into a new file, but that file is saved as a work document too.
In the image below, a user tries to copy a work document to a personal OneDrive.
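The following is an added example and not part of the original page. WIP encrypts work files with EFS, so a work-tagged file on an NTFS volume carries the Encrypted file attribute; this script lists such files on every removable drive (or on any path you pass), which is a quick way to confirm that the copied-to-USB files described above really are still protected. It assumes Windows 10 with PowerShell 5.1, NTFS-formatted drives, and that no ordinary (non-WIP) EFS encryption is in use on those drives, since that would set the same attribute.

```powershell
# Added example, not part of the original page. Lists EFS-encrypted (work-tagged) files
# on removable drives. Assumptions: PowerShell 5.1 on Windows 10, NTFS-formatted drives,
# no non-WIP EFS in use on them (plain EFS sets the same Encrypted attribute).

function Get-WipTaggedFiles {
    param([string[]]$Path)

    if (-not $Path) {
        # Default to every mounted removable disk (Win32_LogicalDisk DriveType 2).
        $Path = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
            ForEach-Object { $_.DeviceID + '\' }
    }

    foreach ($root in $Path) {
        Get-ChildItem -Path $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 } |
            ForEach-Object {
                [pscustomobject]@{
                    FullName      = $_.FullName
                    SizeBytes     = $_.Length
                    LastWriteTime = $_.LastWriteTime
                }
            }
    }
}

# Which files on the inserted USB stick would an outsider be unable to open?
$tagged = @(Get-WipTaggedFiles)
'{0} encrypted (work) file(s) found on removable drives' -f $tagged.Count
$tagged | Format-Table -AutoSize

# For a single file, cipher.exe reports the EFS state and which certificates can decrypt it.
if ($tagged.Count -gt 0) { cipher.exe /c $tagged[0].FullName }
```

Run it with a USB drive inserted; a drive that reports zero encrypted files after you copied work documents to it is the first thing to investigate, because the protection the page describes depends on those files staying encrypted off the device.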
WIP currently addresses these enterprise scenarios:
You can encrypt enterprise data on employee-owned and corporate-owned devices.
You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
You can protect specific apps that can access enterprise data that are clearly recognizable to employees. You can also stop non-protected apps from accessing enterprise data.
Your employees won’t have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required.
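Because WIP identifies protected (managed) apps with AppLocker rules, as noted in the managed-apps point earlier and in the "protect specific apps" scenario above, the same AppLocker cmdlets can generate the rule XML for the protected apps list from the binaries you want to allow. The script below is an added example, not code from the original page or from Microsoft; it assumes the AppLocker PowerShell module is available (Windows 10 Pro/Enterprise) and that the sample executable path and package name exist on the machine where you run it.

```powershell
# Added example, not from the original page. Builds AppLocker publisher rules for the
# WIP protected apps list. Assumptions: AppLocker module present; the sample WINWORD.EXE
# path and the Microsoft.MicrosoftEdge package exist on this machine.

Import-Module AppLocker

function New-WipProtectedAppRules {
    param(
        [string[]]$DesktopExePaths = @(),   # classic Win32 apps, e.g. Office binaries
        [string[]]$AppxPackageNames = @(),  # Store apps, identified by package name
        [Parameter(Mandatory)][string]$OutFile
    )

    $fileInfo = @()
    foreach ($exe in $DesktopExePaths) {
        # Publisher data comes from the Authenticode signature. An unsigned binary has
        # no publisher, so no Publisher rule can be built for it (it is skipped below).
        $fileInfo += Get-AppLockerFileInformation -Path $exe
    }
    foreach ($name in $AppxPackageNames) {
        $fileInfo += Get-AppxPackage -Name $name | Get-AppLockerFileInformation
    }
    if ($fileInfo.Count -eq 0) {
        throw 'No file information collected; check the paths and package names.'
    }

    # Publisher rules keep working across app updates because the version is a range;
    # hash rules break on every update and path rules trust anything at that path.
    $xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher `
                               -User Everyone -RuleNamePrefix 'WIP' `
                               -IgnoreMissingFileInformation -Xml
    $xml | Out-File -FilePath $OutFile -Encoding utf8
    return $xml
}

$rulesXml = New-WipProtectedAppRules `
    -DesktopExePaths  @('C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE') `
    -AppxPackageNames @('Microsoft.MicrosoftEdge') `
    -OutFile "$env:TEMP\wip-protected-apps.xml"

# Review what you are about to trust: every app on this list can read and create work data.
foreach ($coll in ([xml]$rulesXml).AppLockerPolicy.RuleCollection) {
    foreach ($rule in @($coll.FilePublisherRule)) {
        if ($rule) {
            $c = $rule.Conditions.FilePublisherCondition
            '{0,-5} {1,-40} {2}' -f $coll.Type, $c.ProductName, $c.PublisherName
        }
    }
}
```

The generated file is what you import as the protected apps list when building the WIP policy. Read the review output before importing: a rule whose PublisherName is broader than you intended (for example a product name of `*`) would let every binary from that signer handle work data.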
In the image below, a user tries to copy a work document to USB storage:
WIP Protection and Management modes
Block stops the user from completing the action.
Allow overrides warns the user when WIP detects potentially unsafe data sharing, but lets the user override the policy and share the data; the override is written to the audit log.
Silent logs inappropriate data sharing without prompting the user for anything that Allow overrides would prompt for. Disallowed actions, such as a non-protected app trying to read WIP-protected data or an enterprise network resource, are still stopped.
Off neither protects nor audits. When WIP is turned off, an attempt is made to decrypt the WIP-tagged files on locally attached drives, and that decryption and the previous policy are not reapplied automatically if you turn WIP back on.
In the image below, a user tries to upload a work document to a personal email service such as Gmail:
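The Allow overrides and Silent modes are only useful if someone reads what they log, and the mode that is actually applied is worth verifying rather than assuming. The script below is an added example, not code from the original page or from Microsoft. It maps the enforcement-level numbers used by the EnterpriseDataProtection CSP to the mode names above and pulls recent events from the WIP audit channels. Assumptions: it runs elevated on a Windows 10 device with a WIP policy applied; the channel names are the EDP (WIP's internal name) audit channels; and the WMI bridge class name used to read the enforcement level is an assumption and that function must run as SYSTEM.

```powershell
# Added example, not from the original page. Assumptions: elevated PowerShell 5.1 on a
# WIP-enrolled Windows 10 device; EDP audit channel names as below; the MDM bridge class
# name is assumed and reading it requires running as SYSTEM (e.g. psexec -s).

# EDPEnforcementLevel values from the EnterpriseDataProtection CSP.
$WipEnforcementLevel = @{ 0 = 'Off'; 1 = 'Silent'; 2 = 'Allow overrides'; 3 = 'Block' }

function Get-WipEnforcementLevel {
    try {
        $s = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
                             -ClassName 'MDM_EnterpriseDataProtection_Settings01' -ErrorAction Stop
        $level = [int]$s.EDPEnforcementLevel
        '{0} ({1})' -f $level, $WipEnforcementLevel[$level]
    } catch {
        "Unable to read the EnterpriseDataProtection CSP: $($_.Exception.Message)"
    }
}

function Get-WipAuditEvents {
    param([int]$Hours = 24, [int]$MaxEvents = 500)

    $channels = @(
        'Microsoft-Windows-EDP-Audit-Regular/Admin',  # user actions: copy, share, override
        'Microsoft-Windows-EDP-Audit-TCB/Admin'       # privileged actions: unprotect, decrypt
    )
    $since = (Get-Date).AddHours(-$Hours)

    foreach ($channel in $channels) {
        try {
            Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = $since } `
                         -MaxEvents $MaxEvents -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        Time    = $_.TimeCreated
                        Channel = $channel
                        Id      = $_.Id
                        Level   = $_.LevelDisplayName
                        Summary = ($_.Message -split "`r?`n")[0]   # first line of the message
                    }
                }
        } catch {
            # Get-WinEvent raises "No events were found" when the window is empty.
            Write-Verbose "No events in $channel since $since : $($_.Exception.Message)"
        }
    }
}

'Applied enforcement level: ' + (Get-WipEnforcementLevel)

# Which policy hits are noisiest over the last day? Many entries for one event ID
# usually point at one app users keep pasting work content into.
Get-WipAuditEvents -Hours 24 |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Example'; e = { $_.Group[0].Summary } }
```

A policy deployed in Silent mode is the natural place to start: run this for a week, look at which apps and actions keep appearing, add the legitimate ones to the protected apps list, and only then move to Allow overrides or Block so that users are not blocked from work they were already doing.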
Limitations while using Windows Information Protection (WIP)
WIP is designed for use by a single user per device. We recommend only having one user per managed device.
Changing your primary Corporate Identity isn’t supported. Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.
Redirected folders with Client-Side Caching are not compatible with WIP. Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device. Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default.
You can’t upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. Open File Explorer and change the file ownership to Personal before you upload.
Only enlightened apps can be managed without device enrollment. If all apps need to be managed, enroll the device for MDM.
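Two of the limitations above can be checked on the device itself: whether RDP is reachable (an unmanaged device could connect to a WIP-managed one) and whether the device has more than one interactive user. The script below is an added example, not code from the original page or from Microsoft. It assumes an elevated PowerShell session on Windows 10, that the fDenyTSConnections registry value and the "Remote Desktop" firewall rule group are the standard Remote Desktop controls, and that non-special Win32_UserProfile entries represent the device's interactive users.

```powershell
# Added example, not from the original page. Assumptions: elevated PowerShell 5.1 on
# Windows 10; standard Remote Desktop registry value and firewall rule group; non-special
# user profiles are the device's interactive users.

function Test-WipLimitations {
    param([switch]$DisableRdp)

    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny   = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)

    # Enabled inbound rules in the "Remote Desktop" group expose TCP/UDP 3389.
    $fwRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound `
                    -Enabled True -ErrorAction SilentlyContinue)
    $fwOpen = $fwRules.Count -gt 0

    # Special profiles are service accounts (SYSTEM, LocalService, ...); the rest are users.
    $users = @(Get-CimInstance -ClassName Win32_UserProfile | Where-Object { -not $_.Special })

    if ($rdpEnabled -and $DisableRdp) {
        # WIP cannot limit RDP to managed clients, so the only safe setting is off.
        Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        $rdpEnabled = $false
        $fwOpen     = $false
    }

    [pscustomobject]@{
        RdpEnabled       = $rdpEnabled
        RdpFirewallOpen  = $fwOpen
        UserProfileCount = $users.Count
        MultiUserDevice  = $users.Count -gt 1
        UserProfiles     = ($users | ForEach-Object { $_.LocalPath }) -join '; '
    }
}

# Report only:
Test-WipLimitations
# Report and remediate RDP:
# Test-WipLimitations -DisableRdp
```

RdpEnabled or RdpFirewallOpen being true on a WIP-managed device means an unmanaged client can reach it over RDP; MultiUserDevice being true means the device is outside the single-user design that WIP expects, and its protection and selective wipe behaviour should not be relied on until the extra accounts are removed.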