Forum Discussion
WIP support
- Nov 14, 2019
Edge (Chromium based) support for WIP is under development and hence available behind a feature flag (edge://flags/#edge-dataprotection).
Make sure you apply this WIP Enterprise AppLocker policy before you start.
As of now the following WIP integration functionalities are available to pilot:
• File protection on the device when downloaded from a work location
• Audit / Block / Override enforcement for File Uploads
• Briefcase visual indicator available on the address bar when browsing work locations
• Browsing to work locations from other profiles automatically redirects to the Work Profile (associated with the Azure AD Identity)
• IE Mode supports full WIP integration
Coming soon:
• Audit / Block / Override enforcement for Clipboard actions
• Audit / Block / Override enforcement for Drag & Drop actions
Georg Brandner I understand your concerns!
Here's some guidance on how you can control the install of Chromium-based Edge while keeping the legacy Edge still on the device.
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#install
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-blocker-toolkit
Also, WIP support will be available before new Windows 10 devices come standard with the new Edge browser. At the moment WIP support is for evaluation only; it is available behind a flag in all Edge 81 builds. You can download the .msi from https://www.microsoft.com/en-us/edge/business/download
Thanks Arunesh_Chandra
I was hoping that you could provide me with (create) an MSI file that then enables the dataprotection flag? So not the browser installation file but just a small MSI file that changes the flag from disabled to enabled. I would then use Intune to deploy to devices.
Regards
- Naren- | Apr 15, 2020 | Microsoft
Philip Büchler Thanks for the blog post!
Yes...WIP integration is enabled by default in latest Edge STABLE!
Microsoft Intune supports it natively, so you no longer need to manually import any files & MsEdge should be available in Intune's WIP policy deployment UX.
NonRemovableProfileEnabled Edge policy is also recommended for better user experience: https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-windows-information-protection#configure-policies-to-support-wip
- Philip Büchler | Apr 15, 2020 | Brass Contributor
Well so much has changed in the time of development, but I was under the impression "proactive authentication" is needed, so users can't go to edge://flags to disable Information Protection.
- ITCTF | Apr 15, 2020 | Brass Contributor
I didn't enable "Proactive Authentication" and files saved from protected sites encrypted well.
My action was:
1. Install new Edge via Company Portal
2. In WIP-App Protection policy add from Recommended: "MsEdge - WIPMode-Allow - Enterprise AppLocker Policy File.xml"
3. Sync PC and all works fine.
Can you please explain more in detail the need of the "Proactive Authentication"?
- Philip Büchler | Apr 14, 2020 | Brass Contributor
I wrote it up in a blog post: https://www.wpninjas.ch/2020/04/edge-version-81-now-supports-windows-information-protection/
- Philip Büchler | Apr 14, 2020 | Brass Contributor
Jose Castillo Soriano You need to add Edge in the WIP policy with the App Locker XML file and then you need an administrative template activating "Enable Proactive Authentication"
- Jose Castillo Soriano | Apr 14, 2020 | Brass Contributor
A few hours ago, stable version 81 was released.
How can we activate WIP natively from Intune?
Regards,
Jose
- Arunesh_Chandra | Feb 19, 2020 | Microsoft
Philip Büchler GitToDeChoppah the Policy is available in Edge 81 which is currently in dev. Expected to reach Beta sometime this week.
- Philip Büchler | Feb 18, 2020 | Brass Contributor
Same here. I can't get it to have the flag activated in the DEV build. When I activate the flag as user, it works as expected, but I can't roll out as long as users can overwrite the flag, take out content and activate again.
So I guess I'll just wait for the final release?
- GitToDeChoppah | Feb 17, 2020 | Copper Contributor
Arunesh_Chandra I added the above mentioned policy to Edge (Enable a non-removable default sign-in profile), however it does not appear to have enabled Edge WIP. All previous pre-reqs are in place, and legacy Edge works, but new Edge (80) still isn't using the established WIP policies.
- Arunesh_Chandra | Feb 12, 2020 | Microsoft
Georg Brandner - unfortunately it's not easy to personally hand roll an MSI and distribute it 😕
If you are trying to deploy on a bigger scale than a few devices and would like to get past the flag - then please deploy this policy which will skip the flag check and turn on WIP.
Browser Policy reference - NonRemovableProfileEnabled
Hope this helps.