https://campbell.scot/categories/windows-information-protection/ Recent content in Windows-Information-Protection on Ru Campbell MVP Hugo en-gb Thu, 14 May 2020 21:05:30 +0000 https://campbell.scot/windows-information-protection-wip-app-protection-policies-protected-and-exempt-denied-and-allowed-what-do-they-mean/ Thu, 14 May 2020 21:05:30 +0000 https://campbell.scot/windows-information-protection-wip-app-protection-policies-protected-and-exempt-denied-and-allowed-what-do-they-mean/ <p>One of things that strikes me as vague in Windows Information Protection (WIP) policies in Intune is configuring targeted apps:  what&rsquo;s the <em>exact</em> difference between a protected app and an exempt app; and what does allow or deny <em>exactly</em> do for both of those?</p> <p>A recap on some terminology before explaining what-does-what.</p> <ul> <li><strong>Targeted apps</strong> are ones the WIP service will implement controls over.</li> <li><strong>Unenlightened apps</strong> cannot differentiate between work and personal data.  They have no idea what WIP is as the developer has not incorporated it.  They can only implement controls if the device is MDM enrolled.</li> <li><strong>Enlightened apps</strong> have incorporated WIP into the design and can differentiate between work and personal data.  For example, Outlook knows if the email account is tenant one or not.  They can implement controls even if it&rsquo;s just using MAM.  Such a scenario is called <strong>WIP Without Enrollment</strong> or <strong>WIP-WE</strong>.</li> <li><strong>Enterprise context</strong> is the ownership of data in the application.  You can review this by adding the column in Task Manager.  Data will either belong to the <strong>tenant</strong> (work) or <strong>personal</strong> (not work).  It can also be <strong>exempt</strong>, which means waived from rules.</li> </ul> <p>In the example below, every app you see - protected and exempt - will be controlled if an MDM scenario, but only enlightened ones can be in a MAM scenario.</p>