Question
Wednesday, January 9, 2019 10:00 AM
Hi all, I am new to Intune.
I have set up my Windows 10 device and it is Azure AD registered and MDM enrolled. My user account "[email protected]" has been assigned the Enterprise Mobility + Security E5 and Office 365 Enterprise E3 licenses (for Outlook).
In Intune I have created an App protection policy with enrollment for my Windows 10 device.
In the settings I have selected all the apps, exempt apps is none, Required settings is Block, and under Advanced settings:
Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile - Off
Revoke encryption keys on unenroll - Off
Show the enterprise data protection icon - On
Use Azure RMS for WIP - On
and I assigned my Windows 10 machine to test it.
I opened Notepad and I am able to see a briefcase which allows me to save it as a Work document or Personal.
Then in Outlook (the Outlook application on Windows), with all the application I try to download and save, the default also comes with a briefcase. But when I go to the website https://outlook.office365.com/owa/ and sign in as my user, the files I try to save are not saved by default as encrypted with a briefcase beside them. Here are my questions:
1. What is the briefcase beside all my documents? What does it do and how do I test that it is working?
2. Why are the documents in my Outlook on the website not saved with the briefcase icon, while Outlook on my computer always saves them by default with a briefcase icon? How do I set this to make sure it also applies to https://outlook.office365.com/owa/?
3. I have created a OneDrive account for personal use (not a work account), but all the files I save to OneDrive didn't come with the briefcase either. Will it work on a personal account for OneDrive or do I need a corporate account?
4. At the moment I did not add any network boundary in Advanced settings. How do network boundaries work? How do I add a network boundary? If I am adding it for my OneDrive or SharePoint (I have no SharePoint at the moment), where do I get the details for all the boundaries? Can you provide me an example?
5. Do I need a Data Recovery Agent (DRA) certificate? Is it necessary?
Thanks a lot.
All replies (4)
Wednesday, January 9, 2019 9:58 PM ✅ Answered
1. It shows that you will be saving the document in work context and it will be WIP protected. Once it has been saved, you shouldn't be able to copy and paste it to a non-protected app, for example Notepad (if you haven't allowed it).
2. Did you add outlook.office365.com to the Network perimeter in Advanced Settings of the policy as a cloud resource? See https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure#define-your-enterprise-managed-corporate-identity It should look like this and only give you the option to download the attachment in work context:
3. Like above, you can add the SharePoint site to the network boundary as a cloud resource for testing. For example <tenant>-my.sharepoint.com|outlook.office365.com
4. See above point, and also see https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip . Make sure you test this with your testing groups.
5. It's up to you, but Microsoft recommends it. See https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure#upload-your-data-recovery-agent-dra-certificate
Thursday, January 10, 2019 6:28 AM
Hi Nick, thanks for your help.
Right now I have added 2 network boundaries: testlab.onmicrosoft.com-my.sharepoint.com|outlook.office365.com
I have successfully tested https://outlook.office365.com/owa/ and it has a briefcase on the right-hand side of the URL. At the moment I have not set up any SharePoint for testing yet. But for my corporate OneDrive I encountered a problem: I am unable to open any Word document that I saved there when I double-click to open it in Word from within OneDrive. I get this message: "This file can only be opened from a work location. Please move it to a location that your organization has approved for work files." Here is my question: do I need to add any network boundary for my corporate OneDrive? If yes, can you provide me the details of the network boundary for OneDrive?
Thanks
Thursday, January 10, 2019 10:14 AM | 1 vote
Can you change the cloud resource from testlab.onmicrosoft.com-my.sharepoint.com to testlab-my.sharepoint.com like the example in https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip#recommended-enterprise-cloud-resources ? Also, did you only see that OneDrive issue after adding the cloud resource? Is the OneDrive app a protected app in your WIP policy?
Friday, January 11, 2019 4:02 AM
Hi Nick, thanks for your help. It is solved.
I had added the OneDrive app to the protected apps in WIP beforehand, but when I opened my file in OneDrive I got this message: "This file can only be opened from a work location. Please move it to a location that your organization has approved for work files." But after I changed it to testlab-my.sharepoint.com|outlook.office365.com, I am able to open my Word document in my OneDrive without any more issues. Thanks a lot for your help. And in my web browser, onedrive.live.com/ now also comes with a briefcase; beforehand it was not there.
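The cloud resource string that caused the problem in this thread can be checked before it is pasted into the policy. The following is an added example, not part of the original posts and not Microsoft code: `lint_cloud_resources` is a hypothetical helper, and its bare-host-name rule is an assumption of this lint based on the examples in the thread, not an Intune validation rule.

```python
import re

# The mistake from this thread: the tenant's full "<name>.onmicrosoft.com"
# domain in front of "-my.sharepoint.com" instead of the short tenant name.
# The result is still a syntactically valid host name, so a plain host name
# check does not catch it.
FULL_DOMAIN = re.compile(
    r"^(?P<tenant>[a-z0-9-]+)\.onmicrosoft\.com(?P<suffix>-my\.sharepoint\.com)$",
    re.IGNORECASE)
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE)


def lint_cloud_resources(value):
    """Lint a '|'-separated cloud resources string.

    Returns (findings, suggested): findings is a list of
    (entry_number, entry, problem); suggested is the string with the
    mechanical fixes applied. An optional ',proxy' part is passed through.
    """
    findings, fixed = [], []
    for number, entry in enumerate(value.split("|"), start=1):
        resource, _, proxy = entry.partition(",")
        cleaned = re.sub(r"\s+", "", resource)
        if not cleaned:
            findings.append((number, entry, "empty entry (stray '|')"))
            continue
        if cleaned != resource:
            findings.append((number, entry, "whitespace in host name"))
        match = FULL_DOMAIN.match(cleaned)
        if "<" in cleaned or ">" in cleaned:
            findings.append((number, entry, "placeholder not replaced"))
        elif match:
            findings.append((number, entry,
                             "full onmicrosoft.com domain used as tenant name"))
            cleaned = match["tenant"] + match["suffix"]
        elif not HOSTNAME.match(cleaned):
            findings.append((number, entry, "not a bare host name"))
        proxy = proxy.strip()
        fixed.append(cleaned + ("," + proxy if proxy else ""))
    return findings, "|".join(fixed)


if __name__ == "__main__":
    # The value the poster first entered, copied from the thread.
    first_try = "testlab.onmicrosoft.com-my.sharepoint.com|outlook.office365.com"
    for finding in lint_cloud_resources(first_try)[0]:
        print(finding)
    print(lint_cloud_resources(first_try)[1])
```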