
Enterprise Data Protection Policy Profile

The Enterprise Data Protection profile is designed to safeguard enterprise applications and preserve sensitive corporate data. This profile allows administrators to implement data encryption measures, effectively thwart accidental data leaks, and exert control over the copy-paste function beyond enterprise applications. Importantly, these security measures are seamlessly integrated without compromising the user experience for employees.

note

This feature is only available for Windows Phone, Windows Enterprise, Windows Education and Windows Pro devices.

To encrypt business data on the enrolled devices, follow these steps:

  1. Navigate to SureMDM Web Console > Profiles > Windows > Add > Enterprise Data Protection > Configure.

  2. Enter a Profile Name.

  3. Under Enterprise Applications, click Add to select the applications.

    a. In Enterprise Application prompt, select the Type as Store App/EXE.

    b. Enter the Publisher and Package Name and click Add.

    Enterprise applications can read, create, and update enterprise data. This protects each such app’s corporate data through the enforcement of EDP restrictions.

  4. Under Exempt Applications, click Add to select a supportive application to enable the user to open files under enterprise applications.

    Exempt applications can read enterprise data, but can’t modify it. Note that exempt applications are allowed to bypass the EDP restrictions and access the corporate data.

  5. Select the Type as Store App/EXE, enter the Publisher and Package Name of the application and click Add.

  6. In Primary Domain, enter a single domain that the enterprise uses.

  7. From Application Data Protection Level, select an option from the following to set the level of protection and actions taken to protect enterprise devices:

  • Off: User is free to relocate data off of protected apps. No actions are logged.
  • Silent: User is free to relocate data off of protected apps. These actions are logged.
  • Allow Overrides: User is prompted when attempting to relocate data from a protected to a non-protected app. If the user chooses to override this prompt, the action will be logged.
  • Block: Blocks enterprise data from leaving protected apps.
  8. Under Advanced Settings, click Add for any of the following options:
  • Enterprise Protected Domain Names – Configure the list of domains (other than the primary domain) used by the enterprise for its user identifiers.
  • Enterprise IP Ranges – Configure the IP ranges within which enterprise data can be protected.
  • Network Domain Names – Configure the list of domains that comprise the boundaries of the enterprise.
  • Internal Proxy Server Names – Configure the list of internal proxy servers that the enterprise can use for corporate resources.
  • Enterprise Proxy Server – Configure the list of proxy servers that the enterprise can use for corporate resources.
  • Enterprise Cloud Resources – Configure the list of enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are treated as enterprise data.
  • Neutral Resources – Configure the list of domain names that can be used for either personal or work resources.
  • Encrypted File Extensions – Configure the list of file extensions so that files with these extensions are encrypted when copied from an SMB share within the corporate boundary.
  9. Allow or deny the following options for accessing the protected data:
  • Prevent Corporate Data From Being Accessed by Apps – This option applies only to Windows 10 Mobile. Activating this setting prevents access to corporate files while the device is locked. It also restricts access from background applications and lock screen notifications.
  • Show Enterprise Data Protection Icon – Displays the EDP icon in the web browser and on app icons when accessing protected data.
  • Revoke Encryption Keys On Unenroll – Revokes the WIP keys when a device unenrolls from the management service.
  • Enterprise Proxy Servers List Is Authoritative – The proxy servers specified in this profile are treated as the complete list of proxy servers available on the network.
  • Enterprise IP Ranges List Is Authoritative – The IP ranges specified in this profile are treated as the complete list of IP ranges available on the network.
  • Revoke On MDM Handoff – Controls whether the WIP keys are revoked when a device upgrades from MAM to MDM.
  10. Click OK.

    The newly created profile will be listed in the Profiles section.

  11. Go back to the Home tab and select the Windows device(s) or group(s).

  12. Click Apply to launch the Apply Job/Profile To Device prompt.

  13. Select the profile under All Jobs/Profiles.

  14. Click Apply in the Apply Job/Profile To Device prompt.
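To make the boundary lists and the four protection levels above concrete, the following Python model is added here as an illustration; it is not SureMDM's or Windows' own code. It classifies a destination host or IP literal against the Primary Domain, Enterprise Protected Domain Names, Network Domain Names, Enterprise Cloud Resources, Neutral Resources and Enterprise IP Ranges lists, then applies Off, Silent, Allow Overrides and Block as the page describes them to a transfer out of a protected app. The domain names and IP ranges are constructed sample values; treating neutral resources as in-boundary and recording no log entry for a Block are assumptions made for the model; the proxy lists and Encrypted File Extensions are not modelled.

```python
"""Simplified model of the EDP/WIP boundary and protection-level decisions.
Added example with constructed values; not SureMDM's or Windows' implementation."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from enum import Enum


class ProtectionLevel(Enum):
    """The four 'Application Data Protection Level' options from the profile."""
    OFF = "Off"
    SILENT = "Silent"
    ALLOW_OVERRIDES = "Allow Overrides"
    BLOCK = "Block"


@dataclass
class EnterpriseBoundary:
    """Network boundary built from the profile's Advanced Settings lists."""
    primary_domain: str
    protected_domains: list[str] = field(default_factory=list)  # Enterprise Protected Domain Names
    network_domains: list[str] = field(default_factory=list)    # Network Domain Names
    cloud_resources: list[str] = field(default_factory=list)    # Enterprise Cloud Resources
    neutral_resources: list[str] = field(default_factory=list)  # Neutral Resources
    ip_ranges: list[str] = field(default_factory=list)          # Enterprise IP Ranges ("a-b" or CIDR)

    @staticmethod
    def _host_matches(host: str, patterns: list[str]) -> bool:
        # Match the host itself or any subdomain. Requiring the dot boundary stops
        # "evilcontoso.example" from matching the pattern "contoso.example".
        host = host.lower().rstrip(".")
        for pattern in patterns:
            pattern = pattern.lower().strip().lstrip(".")
            if host == pattern or host.endswith("." + pattern):
                return True
        return False

    @staticmethod
    def _addr_in_range(addr: ipaddress.IPv4Address | ipaddress.IPv6Address, spec: str) -> bool:
        # Accept both "10.0.0.0-10.255.255.255" and "192.168.1.0/24" forms.
        if "-" in spec:
            low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
            return low.version == addr.version and low <= addr <= high
        return addr in ipaddress.ip_network(spec.strip(), strict=False)

    def classify(self, destination: str) -> str:
        """Return 'enterprise', 'neutral' or 'personal' for a host name or IP literal."""
        try:
            addr = ipaddress.ip_address(destination)
        except ValueError:
            addr = None
        if addr is not None:
            inside = any(self._addr_in_range(addr, r) for r in self.ip_ranges)
            return "enterprise" if inside else "personal"
        if self._host_matches(destination, self.neutral_resources):
            return "neutral"
        enterprise = ([self.primary_domain] + self.protected_domains
                      + self.network_domains + self.cloud_resources)
        return "enterprise" if self._host_matches(destination, enterprise) else "personal"


@dataclass
class Decision:
    destination_class: str
    allowed: bool
    logged: bool
    prompted: bool


def transfer(level: ProtectionLevel, boundary: EnterpriseBoundary,
             destination: str, user_overrides: bool = False) -> Decision:
    """Decide what happens when a protected app moves enterprise data to `destination`."""
    cls = boundary.classify(destination)
    if cls != "personal":
        # Data stays inside the boundary. Assumption: neutral resources count as in-boundary here.
        return Decision(cls, allowed=True, logged=False, prompted=False)
    if level is ProtectionLevel.OFF:
        return Decision(cls, allowed=True, logged=False, prompted=False)
    if level is ProtectionLevel.SILENT:
        return Decision(cls, allowed=True, logged=True, prompted=False)
    if level is ProtectionLevel.ALLOW_OVERRIDES:
        # The user is prompted; an override proceeds and is logged, a decline does neither.
        return Decision(cls, allowed=user_overrides, logged=user_overrides, prompted=True)
    # BLOCK: the page does not say whether blocked transfers are logged, so none is recorded.
    return Decision(cls, allowed=False, logged=False, prompted=False)


if __name__ == "__main__":
    # Constructed sample boundary and destinations.
    boundary = EnterpriseBoundary(
        primary_domain="contoso.example",
        protected_domains=["contoso-corp.example"],
        cloud_resources=["sharepoint.example"],
        neutral_resources=["onedrive.example"],
        ip_ranges=["10.0.0.0-10.255.255.255", "192.168.1.0/24"],
    )
    for level in ProtectionLevel:
        for dest in ("mail.contoso.example", "10.20.30.40", "paste.example"):
            print(level.value, dest, transfer(level, boundary, dest, user_overrides=True))
```

The practical use of such a model is to check, before the profile is pushed, that each destination an administrator cares about lands on the intended side of the boundary: a lookalike host that merely ends in the primary domain string is classified as personal, and an address outside every configured range is personal even when the IP range list is marked authoritative.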

note

EDP/WIP has been deprecated by Microsoft since July 2022. Microsoft will continue to support EDP/WIP on supported versions of Windows, while most of its features will be unsupported in the latest Windows versions.