Configure Enterprise Data Protection Policy Profile (Windows)
SureMDM offers an Enterprise Data Protection feature to secure enterprise applications and protect enterprise data. It helps businesses encrypt data, prevent accidental data leakage and restrict copy-paste outside enterprise applications, all without impacting the employee experience.
Enterprise Data Protection feature can be applied to both employee-owned as well as business-owned devices.
Note: This feature is only available for Windows Phone, Windows Enterprise, Windows Education and Windows Pro devices.
To encrypt business data on the enrolled devices, follow these steps:
1. Navigate to SureMDM Web Console > Profiles > Windows > Add > Enterprise Data Protection > Configure.
2. Enter a Profile Name.
3. Under Enterprise Applications, click Add to select the applications.
a. In the Enterprise Application prompt, enter the Publisher and Package Name and click Add.
Enterprise applications can read, create, and update enterprise data. Adding an app here protects that app's corporate data by enforcing EDP restrictions on it.
4. Under Exempt Applications, click Add to select a supporting application that lets the user open files belonging to enterprise applications.
Exempt applications can read enterprise data but cannot modify it. Note that exempt applications are allowed to bypass the EDP restrictions and access corporate data.
5. Enter Publisher and Package Name of the application and click Add.
6. In Primary Domain, enter a single domain that the enterprise uses.
7. From Application Data Protection Level, select one of the following to set the level of protection and the action taken when enterprise data leaves a protected app:
- Off: The user is free to move data out of protected apps. No actions are logged.
- Silent: The user is free to move data out of protected apps. These actions are logged.
- Allow Overrides: The user is prompted when attempting to move data from a protected app to a non-protected app. If the user chooses to override the prompt, the action is logged.
- Block: Blocks enterprise data from leaving protected apps.
8. Under Advanced Settings, click Add for any of the following options:
- Enterprise Protected Domain Names – Configure the list of domains (other than the primary domain) used by the enterprise for its user identifiers.
- Enterprise IP Ranges – Configure the IP ranges within which enterprise data is protected.
- Network Domain Names – Configure the list of domains that comprise the boundaries of the enterprise network.
- Internal Proxy Server Names – Configure the list of internal proxy servers that the enterprise can use for corporate resources.
- Enterprise Proxy Server – Configure the list of proxy servers that the enterprise can use for corporate resources.
- Enterprise Cloud Resources – Configure the list of enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are treated as enterprise data.
- Neutral Resources – Configure the list of domain names that can be used for either personal or work resources.
- Encrypted File Extensions – Configure the list of file extensions so that files with these extensions are encrypted when copied from an SMB share within the corporate boundary.
9. Allow or deny the following options for accessing the protected data:
- Prevent Corporate Data From Being Accessed by Apps – This option applies only to Windows 10 Mobile. Activating this setting prevents access to corporate files while the device is locked. It also restricts access by background applications and lock-screen notifications.
- Show Enterprise Data Protection Icon – Displays the EDP icon in the web browser and on app icons when accessing protected data.
- Revoke Encryption Keys On Unenroll – Revokes the WIP keys when a device unenrolls from the management service.
- Enterprise Proxy Servers List Is Authoritative – The proxy servers specified in this profile are treated as the complete list of proxy servers available on the network.
- Enterprise IP Ranges List Is Authoritative – The IP ranges specified in this profile are treated as the complete list of IP ranges available on the network.
- Revoke On MDM Handoff – Revokes the WIP keys when a device upgrades from MAM to MDM.
10. Click OK.
The newly created profile will be listed in the Profiles section.
11. Go back to the Home tab and select the Windows device(s) or group(s).
12. Click Apply to launch the Apply Job/Profile To Device prompt.
13. In the Apply Job/Profile To Device prompt, select the created profile and click Apply.
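The following script is an added illustration, not SureMDM or Windows code. It models how the Advanced Settings lists (Enterprise IP Ranges, Network Domain Names, Enterprise Cloud Resources, Neutral Resources) define the enterprise boundary, and how the four Application Data Protection Levels decide whether a move of data from a protected app to a destination outside that boundary is allowed, prompted or logged. The `EdpProfile` class, the `LEVELS` ordering, the evaluation order (enterprise lists before neutral resources) and all domain names and IP ranges are assumptions constructed for the example, so you can check a draft profile against sample destinations before applying it to devices.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class EdpProfile:
    """Constructed stand-in for the profile fields described in the steps above."""
    primary_domain: str
    protected_domains: list      # Enterprise Protected Domain Names (user identifiers)
    ip_ranges: list              # Enterprise IP Ranges: "start-end" or CIDR
    network_domains: list        # Network Domain Names
    cloud_resources: list        # Enterprise Cloud Resources
    neutral_resources: list      # Neutral Resources
    level: str                   # Application Data Protection Level


# Assumed ordering of the four levels, used only for comparison in this example.
LEVELS = {"Off": 0, "Silent": 1, "Allow Overrides": 2, "Block": 3}


def parse_ip_range(spec: str):
    """Accept either 'start-end' or CIDR notation and return (first, last)."""
    if "-" in spec:
        lo, hi = (s.strip() for s in spec.split("-", 1))
        return ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    net = ipaddress.ip_network(spec.strip(), strict=False)
    return net[0], net[-1]


def domain_matches(host: str, domains) -> bool:
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    for d in domains:
        d = d.lower().strip(".")
        if host == d or host.endswith("." + d):
            return True
    return False


def classify_destination(profile: EdpProfile, dest: str) -> str:
    """Classify a host name or IP as 'enterprise', 'neutral' or 'personal'.

    Assumption: IPs are matched against Enterprise IP Ranges only; names are
    matched against Network Domain Names and Enterprise Cloud Resources first,
    then Neutral Resources; anything unmatched is personal.
    """
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        ip = None
    if ip is not None:
        for spec in profile.ip_ranges:
            lo, hi = parse_ip_range(spec)
            if lo.version == ip.version and lo <= ip <= hi:
                return "enterprise"
        return "personal"
    if domain_matches(dest, profile.network_domains + profile.cloud_resources):
        return "enterprise"
    if domain_matches(dest, profile.neutral_resources):
        return "neutral"
    return "personal"


def evaluate_relocation(profile: EdpProfile, from_protected_app: bool, dest: str,
                        user_overrides: bool = False) -> dict:
    """Apply the protection level to one attempt to move data toward `dest`.

    Returns whether the move is allowed, whether the user is prompted and
    whether the action is logged, following the four level descriptions.
    Assumption: a neutral destination takes the context of the sending app,
    so from a protected app it is treated as staying inside the boundary.
    """
    result = {"allowed": True, "prompted": False, "logged": False}
    if not from_protected_app:
        return result                      # only protected apps are governed
    if classify_destination(profile, dest) != "personal":
        return result                      # data stays inside the boundary
    level = LEVELS[profile.level]
    if level == 0:                         # Off: free to move, nothing logged
        return result
    if level == 1:                         # Silent: free to move, but logged
        result["logged"] = True
        return result
    if level == 2:                         # Allow Overrides: prompt; an override is logged
        result["prompted"] = True
        result["allowed"] = user_overrides
        result["logged"] = user_overrides
        return result
    result["allowed"] = False              # Block: data may not leave the app
    return result


def sample_profile(level: str) -> EdpProfile:
    """Constructed placeholder values, not a real tenant's configuration."""
    return EdpProfile(
        primary_domain="contoso.example",
        protected_domains=["contoso-labs.example"],
        ip_ranges=["10.0.0.0/8", "192.168.10.1-192.168.10.254"],
        network_domains=["corp.contoso.example"],
        cloud_resources=["contoso.sharepoint.example"],
        neutral_resources=["example.net"],
        level=level,
    )


if __name__ == "__main__":
    profile = sample_profile("Allow Overrides")
    for dest in ["10.2.3.4", "192.168.11.5", "mail.corp.contoso.example",
                 "example.net", "dropbox.example"]:
        print(dest, classify_destination(profile, dest),
              evaluate_relocation(profile, True, dest))
```

Running the script prints each sample destination with its classification and the decision the chosen level would produce; change the level passed to `sample_profile` to compare Off, Silent, Allow Overrides and Block side by side. The lookup does not model the Authoritative flags or proxy settings, which only affect how Windows treats addresses missing from the lists.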