Forum Discussion
WIP support
- Nov 14, 2019
Edge (Chromium based) support for WIP is under development and hence available behind a feature flag (edge://flags/#edge-dataprotection)
Make sure you apply this WIP Enterprise AppLocker policy before you start.
As of now the following WIP integration functionalities are available to pilot:
• File protection on the device when downloaded from a work location
• Audit / Block / Override enforcement for File Uploads
• Briefcase visual indicator available on the address bar when browsing work locations
• Browsing to work locations from other profiles automatically redirects to the Work Profile (associated with the Azure AD Identity)
• IE Mode supports full WIP integration
Coming soon:
• Audit / Block / Override enforcement for Clipboard actions
• Audit / Block / Override enforcement for Drag & Drop actions
lightupdifire Georg Brandner Philip Büchler
Hello all,
WIP support is a work in progress at the moment. Edge 82 stable will have the full support turned on by default. Today the latest Dev channel has the full support, which matches the old Edge functionality.
Please try it with the following on a Dev channel build and let us know how it goes.
Browser Policy reference - NonRemovableProfileEnabled (enables the flag)
or manually enabling edge://flags/#edge-dataprotection
- Naren-Apr 15, 2020
Microsoft
Philip Büchler Thanks for the blog post!
Yes...WIP integration is enabled by default in latest Edge STABLE!
Microsoft Intune supports it natively, so you no longer need to manually import any files & MsEdge should be available in the Intune's WIP policy deployment UX.
NonRemovableProfileEnabled Edge policy is also recommended for better user experience: https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-windows-information-protection#configure-policies-to-support-wip
- Philip Büchler Apr 15, 2020 Brass Contributor
Well so much has changed in the time of development, but I was under the impression "proactive authentication" is needed, so users can't go to edge://flags to disable Information Protection.
- ITCTF Apr 15, 2020 Brass Contributor
I didn't enable "Proactive Authentication" and files saved from protected sites encrypted well.
My action was:
1. Install new Edge via Company Portal
2. In WIP-App Protection policy add from Recommended: "MsEdge - WIPMode-Allow - Enterprise AppLocker Policy File.xml"
3. Sync PC and all works fine.
Can you please explain more in detail the need of the "Proactive Authentication"?
- Philip Büchler Apr 14, 2020 Brass Contributor
I wrote it up in a blog post: https://www.wpninjas.ch/2020/04/edge-version-81-now-supports-windows-information-protection/
- Philip Büchler Apr 14, 2020 Brass Contributor
Jose Castillo Soriano You need to add Edge in the WIP policy with the App Locker XML file and then you need an administrative template activating "Enable Proactive Authentication"
- Jose Castillo Soriano Apr 14, 2020 Brass Contributor
A few hours ago, stable version 81 was released.
How can we activate WIP natively from Intune?
Regards,
Jose
- Arunesh_Chandra Feb 19, 2020
Microsoft
Philip Büchler GitToDeChoppah the Policy is available in Edge 81 which is currently in dev. Expected to reach Beta sometime this week.
- Philip Büchler Feb 18, 2020 Brass Contributor
Same here. I can't get it to have the flag activated in the DEV build. When I activate the flag as user, it works as expected, but I can't roll out as long as users can overwrite the flag, take out content and activate again.
So I guess I'll just wait for the final release?
- GitToDeChoppah Feb 17, 2020 Copper Contributor
Arunesh_Chandra I added the above mentioned policy to Edge (Enable a non-removable default sign-in profile), however it does not appear to have enabled Edge WIP. All previous pre-reqs are in place, and legacy Edge works, but new Edge (80) still isn't using the established WIP policies.
- Arunesh_Chandra Feb 12, 2020
Microsoft
Georg Brandner - unfortunately it's not easy to personally hand roll an MSI and distribute it 😕
If you are trying to deploy on a bigger scale than a few devices and would like to get past the flag - then please deploy this policy which will skip the flag check and turn on WIP.
Browser Policy reference - NonRemovableProfileEnabled
Hope this helps.
- Georg Brandner Feb 11, 2020 Brass Contributor
Thanks Arunesh_Chandra
I was hoping that you could provide me with (create) a MSI file that then enables the dataprotection flag? So not the browser installation file but just a small MSI file that changes the flag from disabled to enabled. I would then use Intune to deploy to devices.
Regards
- Arunesh_Chandra Feb 10, 2020
Microsoft
Georg Brandner I understand your concerns!
Here's some guidance on how you can control the install of Chromium-based Edge while keeping the legacy Edge still on the device.
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#install
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-blocker-toolkit
Also, WIP support will be available before new Windows 10 devices will come standard with the new Edge browser. At the moment WIP support is for evaluation only, it is available behind a flag in all Edge 81 builds. You can download the .msi from https://www.microsoft.com/en-us/edge/business/download
- Georg Brandner Feb 07, 2020 Brass Contributor
Thanks Arunesh_Chandra
I'm afraid I can't follow your logic. The old Edge browser may still be supported but it gets replaced once the new one is installed and Microsoft is actively getting users to upgrade. I would also imagine that all new Windows 10 devices come standard with the new Edge browser?
The correct decision would have been to have all security related features in place before going GA. Now I can't prevent (old) Edge from being used as it's the only browser that supports WIP but at the same time any user that has the latest version just bypasses WIP by default (every downloaded file is marked "personal" and not "work"). I can't even restrict access based on Edge version, as any user that's downloaded the latest version of Edge doesn't have the previous one installed and so wouldn't be able to then access any work data using a browser (if I were to restrict access based on Edge version).
As an interim solution, can you please create a .MSI file for us that enables dataprotection and can then be deployed to Intune managed devices or have the dataprotection flag option as an Administrative Template option in Intune?
- Arunesh_Chandra Feb 07, 2020
Microsoft
Georg Brandner Edge 82 is scheduled to be out by end of April.
We wanted to build the right functionality as some of the user experience was a little different from the legacy Edge due to multiple profiles. And since legacy Edge is still a supported browser, we decided not to rush it out.
Any feedback or bug reports on WIP functionality in the Dev channel would be appreciated - it will help us improve it before we promote it to stable.
Thanx for your interest and support.
Arunesh
- Georg Brandner Feb 06, 2020 Brass Contributor
Thanks Arunesh_Chandra
Good to hear that it's being looked at. I am still very surprised that Microsoft can release a new product into GA (even Dev channel) with such a gaping data protection hole.
Do you know when the Edge 82 stable will be available?
Thanks and regards,
Georg