Part 3 – Create & deploy Enterprise Data Protection using System Center Configuration Manager Current Branch
In this blog series on Enterprise Data Protection (EDP) I will give you some more insight into what EDP is, how it works, and how to create & deploy EDP policies with Configuration Manager and Microsoft Intune.
- Part 1 – Introduction: Enterprise Data Protection – Under the hood
- Part 2 – Retrieve Desktop & Universal Application Information with PowerShell
- Part 3 – Create & Deploy Enterprise Data Protection with Configuration Manager Current Branch
- Part 4 – Create & Deploy Enterprise Data Protection with Microsoft Intune
- Part 5 – Enterprise Data Protection & Azure RMS better together
In this 3rd blog post I’ll outline how to create & deploy Enterprise Data Protection policies by Configuration Manager Current Branch (1511) to Windows 10 devices.
Prerequisites
Before we can deploy Enterprise Data Protection policies we need some basic information, including the protected applications and the corporate network locations. Together these define which protected apps can access corporate data on which corporate network locations. See my previous EDP blog posts Part 1 – Introduction: Windows 10 Enterprise Data Protection – Under the hood… and Part 2 – Define Privileged Desktop & Universal Applications for Enterprise Data Protection for how you can define corporate network locations and protected applications.
Create Configuration Item
Open the System Center Configuration Manager console, click the Assets and Compliance node, expand the Overview node, expand the Compliance Settings node, and then expand the Configuration Items node. Click the Create Configuration Item button.
On the General Information screen, provide a name (required) and an optional description for your policy. In the Specify the type of configuration item you want to create area, pick the option that matches how the devices are managed (with the Configuration Manager client or via MDM), and then click Next.
Settings for devices managed with the Configuration Manager client > Windows 10 option (Full client managed)
-OR-
Settings for devices managed without the Configuration Manager client > Windows 8.1 and Windows 10 option (MDM managed)
On the Supported Platforms screen, click the Windows 10 box, and then click Next.
On the Device Settings screen, click Enterprise Data Protection, and then click Next.
The Configure Enterprise Data Protection settings page appears, where you’ll configure your policy for your organization.
Add a Universal App
From the Configure the following apps to be protected by EDP table in the Protected Apps area, click Add. Click Universal App, then type the Publisher Name and the Product Name into the associated boxes. In this example we are defining Microsoft Edge as a protected app.
Get-AppxPackage | Select-Object Name, Publisher | Where-Object { $_.Name -like "*Edge" } | Format-List
Name : Microsoft.MicrosoftEdge
Publisher : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Copy the Publisher value into the Publisher Name box and the Name value into the Product Name box of the Add app dialog, and then click OK.
Add a Desktop App
From the Configure the following apps to be protected by EDP table in the Protected Apps area, click Add. Click Desktop App, pick the options you want (see table), and then click OK. In this example we are defining Microsoft Word 2016 as a protected app. If you’re unsure about what to include for the publisher, you can run the PowerShell one-liner below (in an administrative context):
Get-AppLockerFileInformation -Path "<path of the exe>"
Where "<path of the exe>" is the full path of the app’s executable on the device. Note that -Path expects a file; to scan a whole folder use -Directory instead, for example Get-AppLockerFileInformation -Directory "C:\program files (x86)\Microsoft Office\Root\Office16" -Recurse -FileType Exe. Filtering that output for WinWord looks like this:
Get-AppLockerFileInformation -Directory "C:\program files (x86)\Microsoft Office\Root\Office16" -Recurse -FileType Exe | Where-Object { $_.Path -like "*winword.exe" } | Format-List
Path : %PROGRAMFILES%\MICROSOFT OFFICE\ROOT\OFFICE16\WINWORD.EXE
Publisher : O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE,16.0.4266.1003
Hash : SHA256 0x75BB2A96B0341CF6E8FD127CC754AF69E6F95CCC95B7CFCA264EF310D6051A09
AppX : False
Note!
Where O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US is the publisher name to enter in the Publisher box.
Where MICROSOFT OFFICE 2016 is the Product name to enter in the Product Name box.
Where WINWORD.EXE is the file name to enter in the File Name box (if you leave the default value *, all Office programs (.exe) of that product will be defined as protected).
Where 16.0.4266.1003 is the version to enter in the Version box.
Comment! For a complete and detailed overview of retrieving application information see Part 2 – Define Privileged Desktop & Universal Applications for Enterprise Data Protection
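As an added example (not code from the original post), the following PowerShell splits the Publisher string that Get-AppLockerFileInformation returned above into the four values the Add app dialog asks for, and wraps the folder scan so that every signed executable of a product is listed at once. The function names are my own, and the code assumes the publisher DN contains no backslash.

```powershell
# Added example, not code from the original post: turns the Publisher string that
# Get-AppLockerFileInformation prints (format "<publisher DN>\<product>\<file>,<version>")
# into the four values the EDP "Add app" dialog asks for.
function ConvertFrom-AppLockerPublisher {
    param([Parameter(Mandatory)][string]$Publisher)

    # The version follows the last comma; the DN itself contains commas, so split from the end.
    $lastComma = $Publisher.LastIndexOf(',')
    if ($lastComma -lt 0) { throw "Unexpected publisher format: $Publisher" }
    $version = $Publisher.Substring($lastComma + 1)

    # Assumption: the publisher DN contains no backslashes (true for the Office example above).
    $parts = $Publisher.Substring(0, $lastComma) -split '\\'
    if ($parts.Count -ne 3) { throw "Unexpected publisher format: $Publisher" }

    [pscustomobject]@{
        PublisherName = $parts[0]   # Publisher box
        ProductName   = $parts[1]   # Product Name box
        FileName      = $parts[2]   # File Name box (* would cover every exe of the product)
        Version       = $version    # Version box
    }
}

# Scans a folder with the AppLocker cmdlet (requires the AppLocker module, run elevated)
# and emits one row per signed executable; unsigned files cannot be described by a
# publisher rule and are reported as warnings instead of being silently dropped.
function Get-EdpDesktopAppInfo {
    param(
        [Parameter(Mandatory)][string]$Directory,
        [string]$FileFilter = '*'
    )
    Get-AppLockerFileInformation -Directory $Directory -Recurse -FileType Exe |
        Where-Object { "$($_.Path)" -like $FileFilter } |
        ForEach-Object {
            if (-not $_.Publisher) {
                Write-Warning "Unsigned, no publisher rule possible: $($_.Path)"
                return
            }
            $info = ConvertFrom-AppLockerPublisher -Publisher "$($_.Publisher)"
            $info | Add-Member -NotePropertyName Path -NotePropertyValue "$($_.Path)" -PassThru
        }
}

# Offline check against the WINWORD.EXE publisher string shown in the post above.
$sample = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE,16.0.4266.1003'
ConvertFrom-AppLockerPublisher -Publisher $sample | Format-List
# On a device with Office installed, list every signed Office executable (or only Word):
# Get-EdpDesktopAppInfo -Directory "C:\Program Files (x86)\Microsoft Office\Root\Office16" -FileFilter '*WINWORD.EXE'
```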
Choose EDP management mode for your enterprise data
After you’ve added the apps you want to protect with EDP, you’ll need to apply an app management mode. In this example we’re selecting Override.
Choose where apps can access enterprise data
After you’ve added a management mode to your protected apps, you’ll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range.
To specify where your protected apps can find and send enterprise data on the network, type the name of your primary domain in the Primary domain section of the Protected Apps area. You can specify all the domains owned by your enterprise, separating them with the “|” character, for example ronnydejong.com|ronnydejong.sharepoint.com. The first listed domain (in this example, ronnydejong.com) is used to tag files accessed by any app on the Protected App list.
To add other network locations your apps can access, click Add and then choose your location type (one of the six types listed above).
Add as many locations as you need, and then click OK. In the optional Use a data recovery certificate in case of data loss box, click Browse to add a data recovery certificate for your policy. A data recovery certificate lets admins access locally protected files on the device, for example when an employee leaves the company and the IT department has to access EDP-protected data on the employee’s Windows 10 company computer.
Set the optional EDP-related settings: Block the user from decrypting data that was created or edited by the apps configured above. Clicking Yes or Not configured lets your employees right-click to decrypt their enterprise data for protected apps. Because I want to show you EDP kicking in when simulating a data leak scenario, we leave the default value Not Configured.
Protect app content when the device is in a locked state for the protected apps. Clicking Yes lets EDP help secure protected app content when a mobile device is locked. It’s recommended to turn this option on to help prevent data leakage such as email text appearing on the lock screen of a Windows 10 Mobile phone.
Click the Summary button to review your policy choices, and then click Next to finish.
After you’ve created your EDP policy, you’ll need to deploy it to your organization’s devices. For info about your deployment options, see these topics below:
The proof of the pudding is in the eating
Now that we have successfully deployed the EDP policy, you’ll see it kick in: the protected apps (Microsoft Edge and Word 2016) show a subtle visual indicator which shows that the app is protected by EDP.
The same applies when opening Word 2016, which is identified as managed.
When we simulate a data leak scenario by accidentally copying data out of this protected Word document, we get prompted to confirm that this is really our intention. We get prompted because we set the app management mode to Override earlier. Now we are able to leak data on purpose.
When the app management mode is set to Block, the copy/paste action is prohibited and doesn’t take place at all.
The same applies when saving the document: by default it will be automatically encrypted when stored locally or on any other network location beyond your corporate network boundaries.
Conclusion
When managing Windows 10 devices, Configuration Manager Current Branch can create and deploy configuration items for Windows 10 Enterprise Data Protection (EDP). EDP helps you restrict company data sharing or leaking, or alert on and audit it. Configuration Manager EDP configuration items manage the list of apps protected by EDP, the enterprise network locations, the protection level, and the encryption settings.
In my next blog I’ll walk through the same steps to create and deploy EDP policies, this time using Microsoft Intune.
Note! Enterprise Data Protection is currently being tested with a number of enterprise customers and will become available to Windows Insiders soon. The tests I performed are based on a Windows 10 1511 Insider Preview build (14279.1000) RS1.
Additional information about Enterprise Data Protection
- Protect your enterprise data using enterprise data protection (EDP)
- Create and deploy EDP policies with Intune or Configuration Manager
- Understand the implications for apps and the cases where apps need updating
- Execute a series of testing scenarios to help you understand the scope of EDP