Windows Information Protection

One of things that strikes me as vague in Windows Information Protection (WIP) policies in Intune is configuring targeted apps:  what's the exact difference between a protected app and an exempt app; and what does allow or deny exactly do for both of those? A recap on some terminology before explaining what-does-what. Targeted apps are ones the WIP service will implement controls over. Unenlightened apps cannot differentiate between work and personal data.  They have no…