Source: Stroz Friedberg, “On The Pulse: Information Security In American Business,” 2013 W...



Page 1

Page 2

3-662

Enterprise Data Protection: Building Universal Windows Apps That Keep Work and Personal Data Separate and Secure

Derek Adam, Program Manager

Page 3

Our apps are our babies

This talk is about making them ready for the workplace

Page 4

Understanding the Enterprise customer: IT Administrator

Wants things locked up in his domain

Makes rules to try to keep it that way

Respect the stewardship you (might) have

Don’t reveal company secrets

Respect boundaries of access and use terms

Page 5

Understanding the Enterprise customer: Information Worker

People Like You and Me

Want access from personal devices

Prefer as little management as possible

We all make mistakes

Page 6

Information protection journey

DEVICE PROTECTION: BitLocker enhancements in Windows 8.1, InstantGo, 3rd party adoption

Protect data when device is lost or stolen

DATA PROTECTION: Rights Management Services (RMS), Office Information Rights Management (IRM), Azure AD, Azure Rights Management in 2013

Protect data when …..

THE GAP: Accidental data leakage

Enterprise Data Protection

Page 7

OTHER ATTEMPTS TO FILL THE GAP: PAIN POINTS

Switching modes and between containers

Users change apps to work securely

Experience between mobile and desktop is inconsistent

Solutions are an add-on to the platform == expensive

Page 8

OUR VISION

Integrate data protection at the platform level to protect corporate data against inadvertent disclosure to unauthorized users and public services through email, social media and public cloud

Page 9

Windows 10 Enterprise Data Protection

Better approach to data management

Mobile & Desktop

Corp data identifiable from personal

Protects data at rest, and when roaming

Platform integrated, no mode switching

Only IT-Allowed apps see business data

IT controls keys, can remote wipe

Common experience, x-plat support

Page 10

Windows 10 Enterprise Data Protection

Extra Security with Data Protection Under Lock

Blocks read when screen is locked

Optional screen lock security policy

System tosses decryption key on lock

Can encrypt new files and data

Logon, unlock restores keys and access

Helps mitigate system level attacks

See session 639 “Microsoft Passport and Windows Hello: Moving beyond passwords and credential theft”

Page 11

Business/Personal: One experience

Data is isolated

Data is encrypted at rest

Block/audit data exchange

Organization holds keys

Office and OneDrive

APIs for ISVs

MDM managed

[Diagram: app icons (Lync, eMail, Facebook, OneDrive for Business, Contacts, WhatsApp, PowerPoint, Calendar, OneDrive, PDF Reader, Photos, Weather) split between “Business Apps & Data (Managed)” and “Personal Apps & Data (Unmanaged)”; data exchange between the two is blocked or audited]

Page 12

Enterprise Data Protection: PROVISIONING: KEYS AND POLICIES

1. User enrolls with enterprise MDM or domain join

2. MDM or ConfigMgr provisions policy and encryption keys

Policies:

1. Enterprise allowed apps

2. Network policies

3. App restriction policy

See: “Managing Mobile Devices and Applications in an Enterprise” (Session 654)

Page 13

Enterprise Data Protection: DATA INGRESS

Data from enterprise network is encrypted

E.g. OneDrive for Business, corporate Exchange mail, etc.

Page 14

Enterprise Data Protection: DATA EGRESS (from app to disk)

Saving to enterprise folder: encryption auto-applied

User option to save as corporate

IT can configure unenlightened apps to automatically protect data

Enlightened apps protect corporate data

Page 15

Enterprise Data Protection: DATA EGRESS (inter-app, or over network)

Enlightened apps can maintain protection

App restriction policy: can block egress to other apps

Network policy: can block egress to non-corporate sites

Page 16

Enterprise Data Protection: CROSS PLATFORM DATA SHARING

Readers available for cross-platform editing

Public API for secure sharing

Common MDM support across Windows, iOS & Android with Microsoft Intune

Common developer experience across platforms

iOS & Android enabled via Intune App Wrapping Tool for IT Pros

iOS & Android apps enabled via Intune App SDK

Microsoft Intune SDK for iOS & Android

Page 17

Enterprise Data Protection: REVOKE (on unenroll)

Unenroll removes keys, and wipes the inaccessible enterprise data

Page 18

Enterprise Data Protection - Demo

Page 19

Enlightening your app for Enterprise Data Protection

Page 20

Enterprise Enlightened Apps

Recognize enterprise data sources

Protect data at rest, in use, in flight

Follow policy

Page 21

Enterprise Enlightened Apps

Recognize personal data sources

Let personal data be personal

No policy for personal apps & data

Page 22

Enterprise Enlightened Apps

Something IT and IW can agree on

Competitive advantage: satisfy both

Page 23

Declare your app enlightened (WinRT): add the enterpriseDataPolicy capability

```xml
<!-- Namespace declaration on the Package element: -->
xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"

<Capabilities>
  <rescap:Capability Name="enterpriseDataPolicy"/>
</Capabilities>
```

Page 24

Declare your app enlightened (Win32): add entry to resources.rc

```
MICROSOFTEDPENLIGHTENEDAPPINFO EDPENLIGHTENEDAPPINFOID
BEGIN
    0x0001
END
```

Page 25

Enlightening Apps for Enterprise Data Protection

                | Local (productivity apps)        | Network capable (channel apps)
Data Ingress    | Check for enterprise tag on data | Check if host belongs to the enterprise AND unwrap files (if necessary)
Data In Use     | Set mode: Enterprise / Personal  | Turn VPN On / Off
Data Egress     | Protect enterprise data          | Block sending to non-enterprise hosts OR wrap files for transport
Event handling  | Revoke: Close & cleanup          | Revoke: Stop enterprise sync completely
                | Screen lock: Close content       | Screen lock: Stop uploads
                | Screen unlock: Reopen content    | Screen unlock: Resume uploads


Page 27

Data Ingress – Recognize enterprise files

Namespace: Windows.Security.EnterpriseData
Class: FileProtectionManager
Method: GetProtectionInfoAsync

Takes an IStorageItem
Returns protection status and identity string

Page 28

Check file

```csharp
FileProtectionInfo protectionInfo = await FileProtectionManager.GetProtectionInfoAsync(FileHandle);

if ((protectionInfo.Status == FileProtectionStatus.Protected) &&
    (ProtectionPolicyManager.IsIdentityManaged(protectionInfo.Identity)))
{
    // Enterprise case, so do things like set enterprise mode
}
```

Page 29

Data Ingress – Recognize enterprise files (Pt.2)

Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Method: IsIdentityManaged

Identity is an email address or domain

Data managed only when identity managed


Page 33

Check file

```csharp
FileProtectionInfo protectionInfo = await FileProtectionManager.GetProtectionInfoAsync(FileHandle);

if ((protectionInfo.Status == FileProtectionStatus.Protected) &&
    (ProtectionPolicyManager.IsIdentityManaged(protectionInfo.Identity)))
{
    // Enterprise case, so do things like set enterprise mode
}

if (protectionInfo.Status == FileProtectionStatus.Unprotected)
{
    // Data is personal
}

if (protectionInfo.Status == FileProtectionStatus.Revoked)
{
    // Call your revocation handling code
}
```

Page 34

Data Ingress – Enterprise data packages

Namespace: Windows.ApplicationModel.DataTransfer
Class: DataPackagePropertySetView
Property: EnterpriseId

Managed clipboard / share data is tagged
Property is empty string when not managed

Page 35

Check data package view properties (clipboard / share)

```csharp
var enterpriseId = shareOperation.Data.Properties.EnterpriseId;

if (string.IsNullOrEmpty(enterpriseId))
{
    // Personal
}
else
{
    // Enterprise managed
}
```


Page 37

Data Ingress – Check if host is enterprise

Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Method: GetPrimaryManagedIdentityForNetworkEndpointAsync

Takes a host name object
Returns enterprise identity string
Empty string means personal, not enterprise

Page 38

Check network host

```csharp
var resourceUri = new Uri(serverNameString);

// Check if URI is an enterprise managed endpoint.
string enterpriseId = await ProtectionPolicyManager.GetPrimaryManagedIdentityForNetworkEndpointAsync(
    new HostName(resourceUri.Host));

if (!string.IsNullOrEmpty(enterpriseId))
{
    // If the enterprise ID is non-empty, it's managed.
    // Make VPN claim, protect download data, etc.
    // ...
}
```


Page 40

Data Ingress – Unwrap enterprise container files

Namespace: Windows.Security.EnterpriseData
Class: FileProtectionManager
Method: LoadFileFromContainerAsync

Takes a containerized file
Makes a new file with local encryption

Page 41

Load encrypted container into the file system

```csharp
var tempFolder = ApplicationData.Current.TemporaryFolder;
var appDataFolder = ApplicationData.Current.LocalFolder;

// Get a handle to the downloaded containerized file.
var containerFile = await tempFolder.GetFileAsync("myAppDataFile.dat");

// Import container to encrypted file system
ProtectedContainerImportResult result =
    await FileProtectionManager.LoadFileFromContainerAsync(containerFile, appDataFolder);

StorageFile protectedFile = result.File;
```


Page 43

Data In Use – Set app view to enterprise

Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Method: GetForCurrentView
Property: Identity

Puts AppView (i.e. window) into enterprise mode
Windows enforces clipboard & share policy

Page 44

Set AppView to enterprise

```csharp
private void TagCurrentViewWithEnterpriseId(string enterpriseId)
{
    // Note: Empty enterpriseId sets mode to personal
    ProtectionPolicyManager protectionPolicyManager = ProtectionPolicyManager.GetForCurrentView();
    protectionPolicyManager.Identity = enterpriseId;
}
```
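An added example, not code from the deck, that ties the ingress checks from Pages 28 to 35 to the view tagging on Page 44: classify a file or a data package (clipboard or share), then set the AppView identity from the result. IngressKind, IngressResult, IngressModeSwitcher and the onRevoked callback are this example's own names; the API calls are the Windows.Security.EnterpriseData and DataTransfer members shown on the slides.

```csharp
using System;
using System.Threading.Tasks;
using Windows.ApplicationModel.DataTransfer;
using Windows.Security.EnterpriseData;
using Windows.Storage;

// Added example: classify an ingress source and put the current view into the
// matching mode, which is what makes Windows enforce clipboard and share policy
// for that window.
public enum IngressKind
{
    Personal,            // unprotected, or no enterprise tag
    Enterprise,          // protected to an identity this device manages
    ProtectedUnmanaged,  // protected, but to an identity this device is not enrolled with
    Revoked,             // keys were removed on unenroll
    Unknown              // a status the deck does not cover: never enter enterprise mode for it
}

public sealed class IngressResult
{
    public IngressKind Kind { get; private set; }
    public string Identity { get; private set; }   // "" for everything except Enterprise
    public IngressResult(IngressKind kind, string identity) { Kind = kind; Identity = identity; }
}

public static class IngressModeSwitcher
{
    // Files: GetProtectionInfoAsync plus IsIdentityManaged, the check from Pages 28-33.
    public static async Task<IngressResult> ClassifyFileAsync(IStorageItem item)
    {
        FileProtectionInfo info = await FileProtectionManager.GetProtectionInfoAsync(item);
        switch (info.Status)
        {
            case FileProtectionStatus.Revoked:
                return new IngressResult(IngressKind.Revoked, "");
            case FileProtectionStatus.Unprotected:
                return new IngressResult(IngressKind.Personal, "");
            case FileProtectionStatus.Protected:
                return Classify(info.Identity);
            default:
                return new IngressResult(IngressKind.Unknown, "");
        }
    }

    // Clipboard and share data: the tag is DataPackagePropertySetView.EnterpriseId and is
    // empty when unmanaged (Pages 34-35). Pass Clipboard.GetContent() or shareOperation.Data.
    public static IngressResult ClassifyDataPackage(DataPackageView view)
    {
        string id = view.Properties.EnterpriseId;
        return string.IsNullOrEmpty(id) ? new IngressResult(IngressKind.Personal, "") : Classify(id);
    }

    // "Data managed only when identity managed": a tag alone is not enough to flip the view.
    private static IngressResult Classify(string identity)
    {
        return ProtectionPolicyManager.IsIdentityManaged(identity)
            ? new IngressResult(IngressKind.Enterprise, identity)
            : new IngressResult(IngressKind.ProtectedUnmanaged, "");
    }

    // Apply the result to the current AppView (Page 44). Identity "" is personal mode, so
    // personal, unmanaged and unknown sources all clear enterprise mode. Returns true when
    // the view is now in enterprise mode. onRevoked is a hypothetical app callback that
    // should run the same cleanup as the ProtectedContentRevoked handler.
    public static bool ApplyToCurrentView(IngressResult result, Action onRevoked)
    {
        if (result.Kind == IngressKind.Revoked)
        {
            onRevoked();
            return false;
        }
        ProtectionPolicyManager.GetForCurrentView().Identity = result.Identity;
        return result.Kind == IngressKind.Enterprise;
    }

    // Typical call from a file-activation handler.
    public static async Task<bool> OpenFileAsync(StorageFile file, Action onRevoked)
    {
        return ApplyToCurrentView(await ClassifyFileAsync(file), onRevoked);
    }
}
```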


Page 46

Data In Use – Set network context on thread

Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Method: CreateCurrentThreadNetworkContext

Marks thread for enterprise network access
Sockets created on the thread get VPN

Page 47

Set / Clear enterprise network thread context

```csharp
// Set enterprise context to access enterprise network resources
// Create protected network context on current thread
ThreadNetworkContext context = ProtectionPolicyManager.CreateCurrentThreadNetworkContext(enterpriseId);

var client = new HttpClient(); // Gets VPN for enterpriseId

if (context != null) // Clear context before leaving scope
{
    context.Dispose();
}
// New connections don't get 'enterpriseId' VPN now...
```


Page 49

Data Egress – Protect enterprise data: Files

Namespace: Windows.Security.EnterpriseData
Class: FileProtectionManager
Method: ProtectAsync

Takes IStorageItem and enterprise ID string

Encrypts file with key tagged to enterprise ID

Page 50

Protect file

```csharp
// Protect file to 'identity' (Managed email address or domain)
FileProtectionInfo protectionInfo = await FileProtectionManager.ProtectAsync(file, identity);
// Use standard APIs to read or write from the file.
```

Page 51

Data Egress – Protect enterprise data: Buffers

Namespace: Windows.Security.EnterpriseData
Class: DataProtectionManager
Method: ProtectAsync

Takes IBuffer and enterprise ID string

Returns new IBuffer encrypted to enterprise

Page 52

Protect buffer

```csharp
IBuffer inputBuffer = CryptographicBuffer.ConvertStringToBinary(protectedMessage, BinaryStringEncoding.Utf8);
BufferProtectUnprotectResult protectedBuffer = await DataProtectionManager.ProtectAsync(inputBuffer, EnterpriseIdentity);

// Best practice: check return status
if (protectedBuffer.ProtectionInfo.Status == DataProtectionStatus.Unprotected)
{
    // Protection can fail if app not allowed for EnterpriseIdentity
}
```
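The channel-app column of the table (check the host, hold the VPN thread context, protect what comes back) as one routine; an added example, not code from the deck. ChannelClient and EnterpriseDownload are this example's names, Windows.Web.Http.HttpClient.GetBufferAsync is used so the download arrives as an IBuffer for DataProtectionManager.ProtectAsync, and the context is cleared as soon as the request has been started, following the Page 47 pattern.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Foundation;
using Windows.Networking;
using Windows.Security.EnterpriseData;
using Windows.Storage.Streams;
using Windows.Web.Http;

// Added example: Pages 37-38 (host check), 46-47 (thread network context) and 51-52
// (buffer protection) chained together for a download from a possibly-enterprise host.
public sealed class EnterpriseDownload
{
    public string Identity { get; set; }            // "" when the host is not enterprise
    public IBuffer Data { get; set; }               // protected buffer for enterprise hosts
    public DataProtectionStatus Status { get; set; }
}

public static class ChannelClient
{
    public static async Task<EnterpriseDownload> DownloadAsync(Uri resourceUri)
    {
        // Data Ingress: does this host belong to a managed enterprise?
        string enterpriseId = await ProtectionPolicyManager
            .GetPrimaryManagedIdentityForNetworkEndpointAsync(new HostName(resourceUri.Host));

        if (string.IsNullOrEmpty(enterpriseId))
        {
            // Personal host: no VPN claim and no protection; keep the bytes as they are.
            IBuffer personal = await new HttpClient().GetBufferAsync(resourceUri);
            return new EnterpriseDownload { Identity = "", Data = personal, Status = DataProtectionStatus.Unprotected };
        }

        // Data In Use: connections opened while the context is alive get the enterprise VPN.
        // The request is started inside the using block and awaited outside it, so the
        // context is cleared even if the request fails and no later connection on this
        // thread inherits the enterprise route by accident.
        IAsyncOperationWithProgress<IBuffer, HttpProgress> request;
        using (ThreadNetworkContext ctx = ProtectionPolicyManager.CreateCurrentThreadNetworkContext(enterpriseId))
        {
            request = new HttpClient().GetBufferAsync(resourceUri);
        }
        IBuffer raw = await request;

        // Data Egress (app to storage): encrypt to the same identity before keeping the bytes.
        BufferProtectUnprotectResult result = await DataProtectionManager.ProtectAsync(raw, enterpriseId);
        if (result.ProtectionInfo.Status != DataProtectionStatus.Protected)
        {
            // Fails when policy does not allow this app for enterpriseId. Do not fall back
            // to caching the plaintext; surface it so the caller discards the download.
            throw new UnauthorizedAccessException(
                "App not allowed to protect data for " + enterpriseId + ": " + result.ProtectionInfo.Status);
        }
        return new EnterpriseDownload { Identity = enterpriseId, Data = result.Buffer, Status = result.ProtectionInfo.Status };
    }
}
```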

Page 53

Data Egress – Protect enterprise data: Save UX

Namespace: Windows.Storage.Pickers
Class: FileSavePicker
Method: FileSavePicker (constructor)
Property: EnterpriseId

Takes enterprise identity string
Sets encryption dropdown to match (if managed)

Page 54

Set enterprise context for FilePicker

```csharp
private async void SaveFile_Click(object sender, RoutedEventArgs e)
{
    var savePicker = new FileSavePicker();
    savePicker.EnterpriseId = GetCurrentEnterpriseId();

    var file = await savePicker.PickSaveFileAsync();
    if (file != null)
    {
        // Best practice:
        // Check status with GetProtectionInfoAsync(file)
    }
}
```
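The save path with the status check the slide recommends carried through, as an added example that is not the deck's code: EnterpriseSave is this example's name, and re-protecting a file the picker returned unprotected (Page 50's ProtectAsync) is this example's choice for enterprise content.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Windows.Security.EnterpriseData;
using Windows.Storage;
using Windows.Storage.Pickers;

// Added example: save enterprise text through the picker with EnterpriseId set, then
// verify what came back instead of trusting the encryption dropdown.
public static class EnterpriseSave
{
    // Returns the final protection status, or null when the user cancelled.
    // enterpriseId is "" for personal content.
    public static async Task<FileProtectionStatus?> SaveTextAsync(string text, string enterpriseId)
    {
        var picker = new FileSavePicker();
        picker.SuggestedStartLocation = PickerLocationId.DocumentsLibrary;
        picker.FileTypeChoices.Add("Plain text", new List<string> { ".txt" });
        picker.EnterpriseId = enterpriseId;   // pre-selects the encryption dropdown when managed

        StorageFile file = await picker.PickSaveFileAsync();
        if (file == null) return null;

        bool mustProtect = !string.IsNullOrEmpty(enterpriseId)
                           && ProtectionPolicyManager.IsIdentityManaged(enterpriseId);

        // Best practice from Page 54: check the status rather than assuming the picker protected it.
        FileProtectionInfo info = await FileProtectionManager.GetProtectionInfoAsync(file);
        if (mustProtect && info.Status != FileProtectionStatus.Protected)
        {
            // The file came back unprotected; protect it before any enterprise bytes are written.
            info = await FileProtectionManager.ProtectAsync(file, enterpriseId);
            if (info.Status != FileProtectionStatus.Protected)
            {
                // ProtectAsync fails when policy does not allow this app for enterpriseId.
                // Never write enterprise plaintext: remove the empty file and report the status.
                await file.DeleteAsync();
                return info.Status;
            }
        }

        // Standard APIs from here; encryption is transparent to the write.
        await FileIO.WriteTextAsync(file, text);
        return info.Status;
    }
}
```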


Page 56

Event Handling – Revoke

Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Event: ProtectedContentRevoked

Register your event handler for revoke

Page 57

Handle revoke events

```csharp
// Register handler for revoke event
ProtectionPolicyManager.ProtectedContentRevoked += HandleProtectedContentRevoked;

void HandleProtectedContentRevoked(Object sender, ProtectedContentRevokedEventArgs args)
{
    MyRevokeCleanupRoutine();
    // Clean up files, settings, accounts, creds, etc.
    // Sync engines should break enterprise sync relationship.
}
```

Page 58

Event Handling – Screen lock / unlock

Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Event: ProtectedAccessSuspending (screen locking)
Event: ProtectedAccessResumed (screen unlocked)

Register event handlers for both events

Tip: Close as much enterprise data as possible

Tip: Can’t read enterprise under lock, but can create new files, buffers, streams

Page 59

Handle suspend / resume events

```csharp
// Register for device lock and unlock
ProtectionPolicyManager.ProtectedAccessSuspending += HandleProtectedAccessSuspending;
ProtectionPolicyManager.ProtectedAccessResumed += HandleProtectedAccessResumed;

void HandleProtectedAccessSuspending(Object sender, ProtectedAccessSuspendingEventArgs args)
{
    // Stop enterprise upload, close enterprise files, etc.
}

void HandleProtectedAccessResumed(Object sender, ProtectedAccessResumedEventArgs args)
{
    // Resume enterprise upload, reopen enterprise content, etc.
}
```
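An added example, not code from the deck, that combines the revoke and lock/unlock handlers from Pages 56 to 59 into one registration with the bookkeeping the table calls for (close and stop on lock, reopen and resume on unlock, destroy on revoke). EnterpriseSessionGuard and its three callbacks (close, reopen, forgetEnterprise) are hypothetical names for the app's own routines; GetDeferral, Deadline and Identities are the event-args members used.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using Windows.Foundation;
using Windows.Security.EnterpriseData;
using Windows.Storage;

// Added example: one object that owns the three handlers and tracks which enterprise
// files are open (keyed by the identity from GetProtectionInfoAsync) and which uploads run.
public sealed class EnterpriseSessionGuard
{
    private readonly object _gate = new object();
    private readonly Dictionary<StorageFile, string> _open = new Dictionary<StorageFile, string>();
    private List<KeyValuePair<StorageFile, string>> _reopenAfterUnlock = new List<KeyValuePair<StorageFile, string>>();
    private CancellationTokenSource _uploads = new CancellationTokenSource();
    private readonly Action<StorageFile> _close;             // hypothetical app callbacks
    private readonly Action<StorageFile> _reopen;
    private readonly Action<string> _forgetEnterprise;       // settings, accounts, creds, sync relationship

    public EnterpriseSessionGuard(Action<StorageFile> close, Action<StorageFile> reopen, Action<string> forgetEnterprise)
    {
        _close = close; _reopen = reopen; _forgetEnterprise = forgetEnterprise;
    }

    public void Register()
    {
        ProtectionPolicyManager.ProtectedContentRevoked += OnRevoked;
        ProtectionPolicyManager.ProtectedAccessSuspending += OnSuspending;
        ProtectionPolicyManager.ProtectedAccessResumed += OnResumed;
    }

    // Every enterprise upload takes this token so that a screen lock can stop it.
    public CancellationToken UploadToken { get { return _uploads.Token; } }

    // Call when enterprise content is opened and closed by the app itself.
    public void Track(StorageFile file, string identity) { lock (_gate) { _open[file] = identity; } }
    public void Untrack(StorageFile file) { lock (_gate) { _open.Remove(file); } }

    private void OnSuspending(object sender, ProtectedAccessSuspendingEventArgs args)
    {
        // The screen is locking and the system is about to toss the decryption keys: stop
        // uploads and close enterprise content now. The deferral keeps the event open until
        // this is done; args.Deadline bounds how long that may take.
        Deferral deferral = args.GetDeferral();
        try
        {
            _uploads.Cancel();
            _uploads = new CancellationTokenSource();
            lock (_gate)
            {
                _reopenAfterUnlock = _open.ToList();
                foreach (var entry in _reopenAfterUnlock) _close(entry.Key);
                _open.Clear();
            }
        }
        finally { deferral.Complete(); }
    }

    private void OnResumed(object sender, ProtectedAccessResumedEventArgs args)
    {
        // Unlock restored the keys: reopen what the lock closed and track it again.
        List<KeyValuePair<StorageFile, string>> pending;
        lock (_gate)
        {
            pending = _reopenAfterUnlock;
            _reopenAfterUnlock = new List<KeyValuePair<StorageFile, string>>();
        }
        foreach (var entry in pending)
        {
            _reopen(entry.Key);
            Track(entry.Key, entry.Value);
        }
    }

    private void OnRevoked(object sender, ProtectedContentRevokedEventArgs args)
    {
        // Unenroll: keys for these identities are gone and the OS wipes their data. Drop every
        // trace the app holds for them and break the enterprise sync relationship.
        foreach (string identity in args.Identities)
        {
            lock (_gate)
            {
                foreach (var file in _open.Where(e => e.Value == identity).Select(e => e.Key).ToList()) _open.Remove(file);
                _reopenAfterUnlock.RemoveAll(e => e.Value == identity);
            }
            _forgetEnterprise(identity);
        }
    }
}
```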

Page 60

OS Settings and App Data Roaming…in the Enterprise!

Page 61

Enterprise Roaming in Windows 10

• Windows 10 supports roaming based on AAD as well as MSA accounts
  • Feature parity to Win 8/8.1 with additional security and management capabilities
  • Premium administrative features as part of Enterprise Mobility Suite (EMS)

• Data is automatically sync’d with the correct storage cloud (OneDrive/AzureAD tenant)
  • OS settings roam based on the identity used to sign into Windows
  • Windows App state roams on the identity used to acquire the app

• Supported on Windows Phone and Desktop

See session 709 “Single Sign-On with Secure Authentication” by Karanbir Singh

Page 62

Enterprise Roaming in Windows 10

• Security
  • All enterprise data is encrypted both in transit (TLS) and at rest in the cloud (RMS)
  • Support for both “default” and “premium” key management capabilities
    • Default: Keys managed in the cloud by Microsoft (free)
    • Premium: Keys managed in the cloud by the customer

• Management
  • Admin UX is available from the Azure Active Directory portal
    • Default: On/off switch; data deletion (free)
    • Premium: Security group “allowed list”; user reports
  • MDM provides admins the ability to turn on/off per device

Page 63

MSDN Roaming References

• General
  • Guidelines for roaming app data
  • Quickstart: Roaming app data
  • How to roam data between a Windows Store app and a Windows Phone Store app
  • Blog: Roaming your app data

• APIs
  • ApplicationData.RoamingFolder | roamingFolder property
  • ApplicationData.RoamingSettings | roamingSettings property
  • ApplicationData.SignalDataChanged | signalDataChanged method

Page 64

MDM Resources

Windows 10 MDM documentation ONLINE http://aka.ms/kw2vwj

MDM related sessions @ Ignite
• Vladimir Holostov | Provisioning Windows 10 Devices with New Tools [Link]
• Jason Githens | Managing Windows 10 with Microsoft Intune and SCCM [Link]
• Chris Green & Dilip Radhakrishnan | Securing Access to Microsoft Exchange and SPO with Intune [Link]
• John Vintzel | Windows 10 Universal App Deployment for Enterprises [Link]
• Tejas Patel | Using the Business Store Portal with Windows 10 Devices [Link]
• Yogesh Mehta | Protecting your data with containers without boxing yourself in [Link]
• Aman Arneja | Secure Enterprise Network Access and VPN platform enhancements [Link]
• Nelly Porter | Secure authentication with Windows Hello [Link]
• Deepak Manohar | Next Generation Malware detection with Windows Defender [Link]

Page 65

Call to Action

• Join the Windows Insider Program …… and give us feedback!

• Explore the Enterprise Data Protection samples

• Check the Roaming App Data resources

• Get your app ready for management!

Page 66

Raise apps that help users respect enterprise data, and you will be rewarded

Trustworthy apps will be chosen


Page 67

Page 68

© 2015 Microsoft Corporation. All rights reserved.