Mike Platvoet
Iron Contributor
Jan 27, 2022

Protect tenant data on unmanaged devices (Copy/Paste)

We are looking for ways to do the following:
- We want to prevent a user or guest who accesses tenant data (through browser or Office apps) from an unmanaged device from copying and pasting data outside allowed apps.

This should be done on Windows 10 and higher.

So basically it is allowed to copy and paste from Teams to Word (with same identity) but not to Notepad or WordPad, for example.

We have been testing with access and session policies that should prevent pasting data outside allowed apps, but that does not block pasting to Notepad.
Does anyone have a solution for this very challenging requirement?

2 Replies

  • JoeMullarkey
    Copper Contributor

    Mike Platvoet, WIP is the Microsoft solution to prevent this copy/paste activity. It works by encrypting files with the EFS system and then only allowing access by "Enlightened" apps. Enlightened apps can also be restricted from copy and paste into unenlightened/unallowed apps. https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip

    Notepad is on the list of Enlightened apps. So, you'd have to remove it from the WIP policy. Be careful with WIP: there are only a handful of Enlightened apps, and so the rest of your apps won't be able to interact with company data (O365 data) unless you exempt them. However, if you exempt an app, it can do anything with company data. Also, an unenlightened app cannot switch between working with personal and company data. This makes it difficult for users who use apps for both.

  • Reza_Ameri
    Silver Contributor
    Your scenario should be possible using Microsoft Intune; you could prevent data leakage for unmanaged devices, and they have to log in with credentials to be able to copy and paste. Take a look at:
    https://docs.microsoft.com/en-us/mem/intune/protect/data-leak-prevention
    Also take a look at:
    https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policies-configure-windows-10
    https://docs.microsoft.com/en-us/mem/intune/apps/windows-information-protection-policy-create