Windows Information Protection profile settings Skip Navigation

Windows
Information Protection profile settings

rofile setting
Description
Windows
Information Protection settings
This setting specifies whether
Windows
Information Protection is enabled and the level of enforcement.
  • Off: Data is not encrypted and audit logging is turned off.
  • Silent: Data is encrypted and any attempts to share protected data are logged.
  • Override: Data is encrypted, the user is prompted when they attempt to share protected data, and any attempts to share protected data are logged.
  • Block: Data is encrypted, users cannot share protected data, and any attempts to share protected data are logged.
Enterprise protected domain names
This setting specifies the work network domain names that your organization uses for its user identities. Separate multiple domains with pipes (|). The first domain is used as a string to tag files that are protected by apps that use WIP (for example, example.com|example.net).
Data recovery certificate file (.der, .cer)
This setting specifies the data recovery certificate file that you use to recover files that were locally protected on a device. The file must be a PEM encoded or DER encoded certificate with a .der or .cer file extension.
Remove the
Windows
Information Protection settings when a device is removed from
BlackBerry UEM
This setting specifies whether to revoke WIP settings when a device is deactivated. When WIP settings are revoked, the user can no longer access protected files.
Show
Windows
Information Protection overlays on protected files and apps that can create enterprise content
This setting specifies whether an overlay icon is shown on file and app icons to indicate whether a file or app is protected by WIP.
Work network IP range
This setting specifies the range of IP addresses at work to which an app protected with WIP can share data. Use a dash to denote a range of addresses. Use a comma to separate addresses.
Work network IP ranges are authoritative
This setting specifies if only the work network IP ranges are accepted as part of the work network. When this setting is enabled, no attempts are made to discover other work networks.
Enterprise internal proxy servers
This setting specifies the internal proxy servers that are used when connecting to work network locations. These proxy servers are used only when connecting to the domain listed in the Enterprise cloud resources setting.
Enterprise cloud resources
This setting specifies the list of enterprise resource domains hosted in the cloud that need to be protected. Data from these resources are considered enterprise data and protected.
Cloud resources domain
This setting specifies the domain name.
Paired proxy
This setting specifies a proxy that is paired with a cloud resource. Traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on port 80). A proxy server used for this purpose must also be configured in the Enterprise internal proxy servers field.
Enterprise proxy servers
This setting specifies the list of Internet proxy servers.
Enterprise proxy servers are authoritative
This setting specifies whether the client should accept the configured list of proxies and not try to detect other enterprise proxies.
Neutral resources
This setting specifies the domains that can be used for work or personal resources.
Enterprise network domain names
This setting specifies a comma-separated list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected. These locations will be considered a safe destination for enterprise data to be shared to.
Desktop app payload code
Specify the desktop app keys and values used to configure application launch restrictions on
Windows 10
devices. You must use the keys defined by
Microsoft
for the payload type that you want to configure.
To specify the apps, copy the XML code from the AppLocker policy .xml file and paste it in this field. When you copy the text, copy only the elements as shown in the following code sample:
<RuleCollection Type="Appx" EnforcementMode="Enabled"> <FilePublisherRule Id="0c9781aa-bf9f-4352-b4ba-64c25f36f558" Name="WordMobile" Description=" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Office.Word" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> </RuleCollection>
Universal
Windows
Platform app payload code
Specify the Universal
Windows
Platform app keys and values used to configure WIP on
Windows 10
devices. You must use the keys defined by
Microsoft
for the payload type that you want to configure.
To specify the apps, copy the XML code from the AppLocker policy .xml file and paste it in this field. When you copy the text, copy only the elements as shown in the following code sample:
<RuleCollection Type="Exe" EnforcementMode="Enabled> <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="*" /> </Conditions> </FilePathRule> <FilePublisherRule Id="ddd0bc90-dada-4002-9e2f-0fc68e1f6af0" Name="WORDPAD.EXE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="WORDPAD.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="c8360d06-f651-4883-abdd-9c3a95a415ff" Name="NOTEPAD.EXE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="NOTEPAD.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> </RuleCollection>
Associated VPN profile
This setting specifies the VPN profile that a device uses to connect to a VPN when using an app protected by WIP. This setting is valid only if "Use a VPN profile" is selected for the "Secure connection used with WIP."
Collect device audit logs
This setting specifies whether to collect device audit logs.