@SB V Months later but still. Perhaps it might help
Q: When to use WIP over Azure Information Protection?
A: WIP will only protect data after it has been downloaded from protected/designated (online) resources. If your goal is to protect data on endpoints WIP can help. WIP is a Endpoint DLP solution, limited to endpoints. AIP can step-up the security on the endpoints. AIP is also a DLP solution (Sensitivity labels) but these are not limited/restricted to endpoints. With WIP you are actually using a RMS Template when using this functionality.
Q: What scenarios would we use both WIP and Information Protection side by side?
A: See above. Microsoft Azure Rights Management (Azure RMS) helps secure files when users want to share data using removable USB drives. Azure Rights Management is the protection technology used by Azure Information Protection (AIP). Azure RMS uses encryption, identity, and authorization policies to secure files and protection remains with your files, even when it’s saved on a USB drive. AIP protect documents and emails by applying labels. Azure RMS combined with WIP only works when you configure Azure Information Protection labels and a RMS template. AIP or sensitivity labels are not restricted to endpoints. WIP only works on Windows devices, labels can be uses on Windows, Android, iOS, MacOS, in the browser etc.
Q: Why would we need WIP for managed devices?
A: these days, managed corporate devices are also used personally. I'm not saying it's becoming a standard, but it is happening more and more. With WIP on managed devices, you can have an active data separation solution in place. WIP can automatically apply protection for work files and data to prevent accidental data leakage. While keeping personal files untouched. The risk of data leaks comes from both fully managed devices and personal devices accessing work data.
Q: Should we limit access for unmanaged devices (access control) or WIP for unmanaged devices (BYOD)?
A: With access control you mean app restrictions right? like (limited) browser only access? If so, the answer totally depends on what the organization and users need to do their work. If (limited) browser only access is enough, then yes for sure, go for that solution only. WIP is not bullet-proof, nor was it meant to be. However, if your users do need access to data locally on the device, then go for WIP. You can also combine both solutions.
I've written a lot on WIP. Have a look at this post: Azure Rights Management for WIP - Azure RMS for WIP (allthingscloud.blog) and also make sure to check out the links section below the post. Hope this helps...
