Hi everyone, today we have another great post from Intune Support Engineer Saurabh Sarkar. We have a lot of customers using Windows Information Protection (WIP) to protect their corporate data, and while most people know that WIP classifies apps into categories of either enlightened or unenlightened, occasionally there’s some confusion as to exactly what that means. In this post, Saurabh talks about WIP and sheds a little more light on what it means when we talk about enlightened versus unenlightened apps.
With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leakage through apps and services like email, social media and other outlets beyond your control. Windows Information Protection (WIP) helps protect against these potential data leaks without interfering with the employee experience or requiring changes to your environment or other apps.
WIP is just one factor in protecting company data on Windows, another being Azure Information Protection, and you can read more about these here. In this post I’m going to focus solely on WIP, and more specifically, the difference between enlightened and unenlightened applications. It’s important that you understand the differences so that you can create the most effective policies to protect your data. For example, a common misconception is that an enlightened application is one that can be targeted via WIP policy and save files as company data, whereas an unenlightened application is one which cannot be targeted by WIP policy and is therefore unable to access or create company data. While the first part regarding enlightened apps is true, the statement regarding unenlightened apps is not.
Enlightened apps on Windows have the ability to differentiate between company data and personal data, correctly determining which data to protect based on the policies implemented. When an enlightened app is protected, company data is encrypted on the managed device, and by default any attempt to share this data with personal apps or unauthorized users will fail. Enlightened apps (the current list is here) also have the ability to understand WIP policy. These policies help ensure that company data stays within an app that is controlled and managed by company policies.
A great example using an enlightened app would be applying a WIP policy to Microsoft Excel or Word, both of which are enlightened apps. After the WIP policy has been applied, when a user tries to save a document, they have the option of saving it as company data or personal data. If saved as company data, it will be encrypted and only be accessible from a managed application. If saved as personal data, the data will not be encrypted and may not be accessible from a managed application depending on how the policies applied to the user/device are configured. More details on how to configure a WIP policy can be found here.
In contrast to enlightened apps, unenlightened apps are unable to differentiate between company data and personal data, so when these apps are managed they consider all data to be company data and encrypt everything by default. Because unenlightened apps are not capable of understanding WIP policy, files created by these applications are saved in the personal context only.
At this point in the conversation I typically get the following questions:
How do I create an enlightened app? To create an enlightened app, you use the WIP APIs to enlighten your app and then declare the app as enterprise-enlightened. More information on this can be found here.
How can I tell if my app is enlightened or not? The best answer is that you’ll need to consult the app developer. However, you can usually tell that an app is unenlightened because Windows Desktop shows it as always running in enterprise mode, and the Save As experience only allows you to save your files as company data.
Since unenlightened apps do not understand WIP policy, is there some other option to apply policy settings to these apps? A great option in this scenario is to leverage AppLocker. WIP relies on AppLocker; however, AppLocker is an independent feature in Windows outside of WIP itself. AppLocker functionality within Windows uses XML to implement policy, so we can take that XML and use it to create our own custom policies in Intune similar to those found in WIP. Let’s take a closer look at this.
Using the XML created by AppLocker, you can easily build custom policies that configure many of the same settings found in the standard WIP policies. Each application is different and there are no guarantees; however, it is definitely worth a try and can deliver a similar experience in many cases. Just be sure that you thoroughly test in your environment before rolling out such a solution on a production basis. Also note that leveraging AppLocker XML does not make an application enlightened by any means; it simply provides a method that may allow you to apply policy settings to an app that was otherwise not designed to be managed by WIP. If you’d like more information on how to use AppLocker to create custom Intune policies for Windows 10 apps, we have a great blog post on this here.
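As an added example (not from the original post), here is how the AppLocker XML for an unenlightened desktop app can be produced with the built-in AppLocker PowerShell cmdlets rather than the Local Security Policy snap-in, so the resulting rule collection can be pasted into a custom Intune policy. The executable path, vendor name and output file name are placeholders.

```powershell
# Added example: generate an AppLocker publisher rule for a desktop app as XML.
# Assumes a Windows 10 machine with the AppLocker module available and that the
# app is installed locally. The path below is a placeholder, not a real product.
$exePath = 'C:\Program Files\Contoso\ContosoApp.exe'

# Read the signature (publisher) and hash information from the binary.
$fileInfo = Get-AppLockerFileInformation -Path $exePath

# Prefer a publisher rule (survives app updates); fall back to a hash rule only
# when the binary is unsigned. -Xml returns the policy as a string instead of
# applying it to this machine.
$xml = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml

# Keep only the Exe rule collection and make sure it is not enforced locally:
# WIP uses the rule to identify the app, not to allow or block execution.
$doc = [xml]$xml
$exeRules = $doc.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$exeRules.EnforcementMode = 'NotConfigured'

# Warn when no signed publisher could be found: a hash rule will stop matching
# the app after its next update and the WIP policy will silently stop applying.
if (-not ($exeRules.FilePublisherRule)) {
    Write-Warning "$exePath is unsigned; only a hash rule was generated. Re-export after every app update."
}

# Write the collection out; this file's contents are what you import into Intune.
$exeRules.OuterXml | Out-File -FilePath '.\ContosoApp-WIP.xml' -Encoding utf8
```

Open the exported file and confirm it contains a single FilePublisherRule for the expected vendor before using it in a policy; a rule that matches more than the intended app would classify that app's files as company data as well.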
A big advantage of using WIP with AppLocker is that your app will be able to access managed files, and files created in the app will be managed and saved in the work context. The caveat is that since the application is still not an enlightened app, it does not have the ability to save files as personal data. This means that the user will not have the option of using the same application for personal as well as corporate purposes.