3-662

IT’s biggest challenge is how to manage access to work data for a mobile workforce, where phones and laptops with sensitive data are lost or recycled, employees switch companies, and data lands on personal devices. Windows 10 provides a way for trusted apps to safely handle work and personal, so enterprises can manage their data without destroying personal data or boxing in the user experience. This session will cover the APIs for creating a trustworthy app that complies with enterprise data policy, and can roam enterprise app state like a consumer app does, while providing a safe and uncompromised personal experience.

Slide Content
  1. 3-662

    Slide 1 - 3-662

    • Enterprise Data Protection: Building Universal Windows Apps That Keep Work and Personal Data Separate and Secure
    • Derek Adam
    • Program Manager
    • //build/ content is being presented by Microsoft Office Mix. The video for this session will be available shortly.
  2. This talk is about making them ready for the workplace

    Slide 2 - This talk is about making them ready for the workplace

    • Our apps are our babies
  3. Respect the stewardship you (might) have

    Slide 3 - Respect the stewardship you (might) have

    • Don’t reveal company secrets
    • Respect boundaries of access and use terms
    • Wants things locked up in his domain
    • Makes rules to try to keep it that way
    • Understanding the Enterprise customer: IT Administrator
    • Source: Stroz Friedberg, “On The Pulse: Information Security In American Business,” 2013
    • WillyV
    • Wonka
  4. Want access from personal devices

    Slide 4 - Want access from personal devices

    • Prefer as little management as possible
    • We all make mistakes
    • Understanding the Enterprise customer: Information Worker
    • People Like
    • You and Me
  5. Information protection journey

    Slide 5 - Information protection journey

    • DEVICE PROTECTION
    • BitLocker enhancements in Windows 8.1
    • InstantGo
    • 3rd party adoption
    • Protect data when device is lost or stolen
    • DATA PROTECTION
    • Rights Management Services (RMS)
    • Office Information Rights Management (IRM)
    • Azure AD, Azure Rights Management in 2013
    • Protect data when …..
    • THE GAP
    • Accidental data leakage
    • Enterprise Data Protection
  6. Slide 6

    • OTHER ATTEMPTS TO FILL THE GAP: PAIN POINTS
    • Switching modes and between containers
    • Users change apps to work securely
    • Experience between mobile and desktop inconsistent
    • Solutions are an add on to the platform == expensive
  7. Slide 7

    • OUR VISION
    • Integrate data protection at the platform level to protect corporate data against inadvertent disclosure to unauthorized users and public services through email, social media and public cloud
  8. Windows 10 Enterprise Data Protection

    Slide 8 - Windows 10 Enterprise Data Protection

    • Better approach to data management
    • Mobile & Desktop
    • Corp data identifiable from personal
    • Protects data at rest, and when roaming
    • Platform integrated, no mode switching
    • Only IT-Allowed apps see business data
    • IT controls keys, can remote wipe
    • Common experience, x-plat support
  9. Windows 10 Enterprise Data Protection

    Slide 9 - Windows 10 Enterprise Data Protection

    • Extra Security with Data Protection Under Lock
    • Blocks read when screen is locked
    • Optional screen lock security policy
    • System tosses decryption key on lock
    • Can encrypt new files and data
    • Logon, unlock restores keys and access
    • Helps mitigate system level attacks
    • See session 639 “Microsoft Passport and Windows Hello: Moving beyond passwords and credential theft”
  10. Business/Personal: One experience; Data is isolated; Data is encrypted at rest; Block/audit data exchange; Organization holds keys; Office and OneDrive; APIs for ISVs; MDM managed

    Slide 10 - Business/Personal: One experience; Data is isolated; Data is encrypted at rest; Block/audit data exchange; Organization holds keys; Office and OneDrive; APIs for ISVs; MDM managed

    • Lync
    • eMail
    • Facebook
    • OneDrive for Business
    • Contacts
    • WhatsApp
    • PowerPoint
    • Calendar
    • OneDrive
    • PDF Reader
    • Photos
    • Weather
    • Business Apps & Data
    • (Managed)
    • Personal
    • Apps & Data
    • (Unmanaged)
    • Data exchange is blocked or audited
  11. Enterprise Data Protection

    Slide 11 - Enterprise Data Protection

    • PROVISIONING: KEYS AND POLICIES
    • 1. User enrolls with enterprise MDM or domain join
    • 2. MDM or ConfigMgr provisions policy and encryption keys
    • Policies:
    • Enterprise allowed apps
    • Network policies
    • App restriction policy
    • See: “Managing Mobile Devices and Applications in an Enterprise” (Session 654)
  12. Enterprise Data Protection

    Slide 12 - Enterprise Data Protection

    • DATA INGRESS
    • Data from enterprise network is encrypted
    • E.g. OneDrive For Business, Corporate Exchange mail, etc.
  13. Enterprise Data Protection

    Slide 13 - Enterprise Data Protection

    • DATA EGRESS (from app to disk)
    • Saving to enterprise folder: encryption auto-applied
    • User option to save as corporate
    • IT can configure unenlightened apps to automatically protect data
    • Enlightened apps protect corporate data
  14. Enterprise Data Protection

    Slide 14 - Enterprise Data Protection

    • DATA EGRESS (Inter-app, or over network)
    • Enlightened apps can maintain protection
    • App restriction policy: Can block egress to other apps
    • Network policy: Can block egress to non-corporate sites
  15. Enterprise Data Protection

    Slide 15 - Enterprise Data Protection

    • CROSS PLATFORM DATA SHARING
    • Readers available for cross-platform editing
    • Public API for secure sharing
    • Common MDM support across Windows, iOS & Android with Microsoft Intune
    • Common developer experience across platforms
    • iOS & Android enabled via Intune App Wrapping Tool for IT Pros
    • iOS & Android apps enabled via Intune App SDK
    • Microsoft Intune SDK for iOS & Android
  16. Enterprise Data Protection

    Slide 16 - Enterprise Data Protection

    • REVOKE (On unenroll)
    • Unenroll removes keys, and wipes the inaccessible enterprise data
  17. Enterprise Data Protection - Demo

    Slide 17 - Enterprise Data Protection - Demo

  18. Enlightening your app for Enterprise Data Protection

    Slide 18 - Enlightening your app for Enterprise Data Protection

  19. Recognize enterprise data sources

    Slide 19 - Recognize enterprise data sources

    • Protect data at rest, in use, in flight
    • Follow policy
    • Enterprise Enlightened Apps
  20. Recognize personal data sources

    Slide 20 - Recognize personal data sources

    • Let personal data be personal
    • No policy for personal apps & data
    • Enterprise Enlightened Apps
  21. Something IT and IW can agree on

    Slide 21 - Something IT and IW can agree on

    • Competitive advantage: satisfy both
    • Enterprise Enlightened Apps
  22. Declare your app enlightened (WinRT): Add the enterpriseDataPolicy capability

    Slide 22 - Declare your app enlightened (WinRT): Add the enterpriseDataPolicy capability

        Namespace declaration on the manifest’s Package element:
        xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"

        <Capabilities>
          <rescap:Capability Name="enterpriseDataPolicy"/>
        </Capabilities>
  23. Declare your app enlightened (Win32): Add entry to resources.rc

    Slide 23 - Declare your app enlightened (Win32): Add entry to resources.rc

        MICROSOFTEDPENLIGHTENEDAPPINFO EDPENLIGHTENEDAPPINFOID
        BEGIN
            0x0001
        END
  24. Enlightening Apps for Enterprise Data Protection

    Slide 24 - Enlightening Apps for Enterprise Data Protection

    • App types: Local (productivity apps) / Network capable (channel apps)
    • Data Ingress
        • Local: Check for enterprise tag on data
        • Network capable: Check if host belongs to the enterprise AND unwrap files (if necessary)
    • Data In Use
        • Local: Set mode: Enterprise / Personal
        • Network capable: Turn VPN On / Off
    • Data Egress
        • Local: Protect enterprise data
        • Network capable: Block sending to non-enterprise hosts OR wrap files for transport
    • Event handling
        • Local: Revoke: Close & cleanup; Screen lock: Close content; Screen unlock: Reopen content
        • Network capable: Revoke: Stop enterprise sync completely; Screen lock: Stop uploads; Screen unlock: Resume uploads
  25. Enlightening Apps for Enterprise Data Protection

    Slide 25 - Enlightening Apps for Enterprise Data Protection
  26. Data Ingress – Recognize enterprise files

    Slide 26 - Data Ingress – Recognize enterprise files

    • Namespace: Windows.Security.EnterpriseData
    • Class: FileProtectionManager
    • Method: GetProtectionInfoAsync
    • Takes an IStorageItem
    • Returns protection status and identity string
  27. Check file

    Slide 27 - Check file

        FileProtectionInfo protectionInfo =
            await FileProtectionManager.GetProtectionInfoAsync(FileHandle);
        if ((protectionInfo.Status == FileProtectionStatus.Protected) &&
            ProtectionPolicyManager.IsIdentityManaged(protectionInfo.Identity))
        { // Enterprise case, so do things like set enterprise mode
        }
  28. Data Ingress – Recognize enterprise files (Pt.2)

    Slide 28 - Data Ingress – Recognize enterprise files (Pt.2)

    • Namespace: Windows.Security.EnterpriseData
    • Class: ProtectionPolicyManager
    • Method: IsIdentityManaged
    • Identity is an email address or domain
    • Data managed only when identity managed
  29. Check file

    Slide 29 - Check file
  30. Check file

    Slide 30 - Check file
  31. Check file

    Slide 31 - Check file

        FileProtectionInfo protectionInfo =
            await FileProtectionManager.GetProtectionInfoAsync(FileHandle);
        if ((protectionInfo.Status == FileProtectionStatus.Protected) &&
            ProtectionPolicyManager.IsIdentityManaged(protectionInfo.Identity))
        { // Enterprise case, so do things like set enterprise mode
        }
        if (protectionInfo.Status == FileProtectionStatus.Unprotected)
        { // Data is personal
        }
  32. Check file

    Slide 32 - Check file

        FileProtectionInfo protectionInfo =
            await FileProtectionManager.GetProtectionInfoAsync(FileHandle);
        if ((protectionInfo.Status == FileProtectionStatus.Protected) &&
            ProtectionPolicyManager.IsIdentityManaged(protectionInfo.Identity))
        { // Enterprise case, so do things like set enterprise mode
        }
        if (protectionInfo.Status == FileProtectionStatus.Unprotected)
        { // Data is personal
        }
        if (protectionInfo.Status == FileProtectionStatus.Revoked)
        { // Call your revocation handling code
        }
  33. Data Ingress – Enterprise data packages

    Slide 33 - Data Ingress – Enterprise data packages

    • Namespace: Windows.ApplicationModel.DataTransfer
    • Class: DataPackagePropertySetView
    • Property: EnterpriseId
    • Managed clipboard / share data is tagged
    • Property is empty string when not managed
  34. Check data package view properties (clipboard / share)

    Slide 34 - Check data package view properties (clipboard / share)

        // C#: the incoming DataPackageView (share target or clipboard) carries the tag
        var enterpriseId = shareOperation.Data.Properties.EnterpriseId;
        if (string.IsNullOrEmpty(enterpriseId))
        {
            // Personal
        }
        else
        {
            // Enterprise managed
        }
  35. Enlightening Apps for Enterprise Data Protection

    Slide 35 - Enlightening Apps for Enterprise Data Protection
  36. Data Ingress – Check if host is enterprise

    Slide 36 - Data Ingress – Check if host is enterprise

    • Namespace: Windows.Security.EnterpriseData
    • Class: ProtectionPolicyManager
    • Method: GetPrimaryManagedIdentityForNetworkEndpointAsync
    • Takes a host name object
    • Returns enterprise identity string
    • Empty string means personal, not enterprise
  37. Check network host

    Slide 37 - Check network host

        var resourceUri = new Uri(serverNameString);
        // Check if URI is an enterprise managed endpoint.
        string enterpriseId = await ProtectionPolicyManager
            .GetPrimaryManagedIdentityForNetworkEndpointAsync(new HostName(resourceUri.Host));
        if (!string.IsNullOrEmpty(enterpriseId))
        { // If the enterprise ID is non-empty, it’s managed.
          // Make VPN claim, protect download data, etc.
          // ...
        }
  38. Enlightening Apps for Enterprise Data Protection

    Slide 38 - Enlightening Apps for Enterprise Data Protection
  39. Data Ingress – Unwrap enterprise container files

    Slide 39 - Data Ingress – Unwrap enterprise container files

    • Namespace: Windows.Security.EnterpriseData
    • Class: FileProtectionManager
    • Method: LoadFileFromContainerAsync
    • Takes a containerized file
    • Makes a new file with local encryption
  40. Load encrypted container into the file system

    Slide 40 - Load encrypted container into the file system

        var tempFolder = ApplicationData.Current.TemporaryFolder;
        var appDataFolder = ApplicationData.Current.LocalFolder;
        // Get a handle to the downloaded containerized file.
        var containerFile = await tempFolder.GetFileAsync("myAppDataFile.dat");
        // Import container to encrypted file system
        ProtectedContainerImportResult result = await
            FileProtectionManager.LoadFileFromContainerAsync(containerFile, appDataFolder);
        StorageFile protectedFile = result.File;
  41. Enlightening Apps for Enterprise Data Protection

    Slide 41 - Enlightening Apps for Enterprise Data Protection
  42. Data In Use – Set app mode enterprise

    Slide 42 - Data In Use – Set app mode enterprise

    • Namespace: Windows.Security.EnterpriseData
    • Class: ProtectionPolicyManager
    • Method: TryApplyProcessUIPolicy
    • Puts process into enterprise mode
    • Windows enforces clipboard & share policy
  43. Clear UI policy enforcement for the app

    Slide 43 - Clear UI policy enforcement for the app

        // Clear enterprise app context so it is personal again.
        ProtectionPolicyManager.ClearProcessUIPolicy();
  44. Data In Use – Set app view to enterprise

    Slide 44 - Data In Use – Set app view to enterprise

    • Namespace: Windows.Security.EnterpriseData
    • Class: ProtectionPolicyManager
    • Method: GetForCurrentView
    • Property: Identity
    • Puts AppView (i.e. window) into enterprise mode
    • Windows enforces clipboard & share policy
  45. Set AppView to enterprise

    Slide 45 - Set AppView to enterprise

        private void TagCurrentViewWithEnterpriseId(string enterpriseId)
        {
            // Note: Empty enterpriseId sets mode to personal
            ProtectionPolicyManager protectionPolicyManager =
                ProtectionPolicyManager.GetForCurrentView();
            protectionPolicyManager.Identity = enterpriseId;
        }
  46. Enlightening Apps for Enterprise Data Protection

    Slide 46 - Enlightening Apps for Enterprise Data Protection
  47. Data In Use – Set network context on thread

    Slide 47 - Data In Use – Set network context on thread

    • Namespace: Windows.Security.EnterpriseData
    • Class: ProtectionPolicyManager
    • Method: CreateCurrentThreadNetworkContext
    • Marks thread for enterprise network access
    • Sockets created on the thread get VPN
  48. Set / Clear enterprise network thread context

    Slide 48 - Set / Clear enterprise network thread context

        // Set enterprise context to access enterprise network resources
        // Create protected network context on current thread
        ThreadNetworkContext context =
            ProtectionPolicyManager.CreateCurrentThreadNetworkContext(enterpriseId);
        var client = new HttpClient(); // Connections it opens get the VPN for enterpriseId
        // ... issue requests to the enterprise host here ...
        if (context != null) // Clear context before leaving scope
        {
            context.Dispose();
        }
        // New connections don’t get ‘enterpriseId’ VPN now...
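Added example (not code from the session or from the Windows SDK samples): the channel-app ingress path from slides 36, 37, 40, 47 and 48 composed end to end, with the personal-host and failed-import cases handled. EnterpriseDownloader, DownloadAsync, DownloadResult and Outcome are hypothetical names; it assumes the app declares the enterpriseDataPolicy capability, that the server returns an EDP container file, and that it is called from the UI thread so the awaits resume on the thread that owns the network context.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Networking;
using Windows.Security.EnterpriseData;
using Windows.Storage;
using Windows.Storage.Streams;
using Windows.Web.Http;

// Hypothetical helper for a "channel app": fetch a file, and when the host is enterprise-managed,
// fetch it under the enterprise network context and land it in locally encrypted app storage.
public static class EnterpriseDownloader
{
    public enum Outcome { PersonalHost, Protected, ImportFailed }

    public sealed class DownloadResult
    {
        public Outcome Outcome;
        public string EnterpriseId = string.Empty; // "" means the host is personal
        public StorageFile File;                   // protected file, only when Outcome == Protected
    }

    public static async Task<DownloadResult> DownloadAsync(Uri resourceUri, string fileName)
    {
        var result = new DownloadResult();

        // Data ingress: ask the policy engine who manages this host. Empty string == personal.
        result.EnterpriseId = await ProtectionPolicyManager
            .GetPrimaryManagedIdentityForNetworkEndpointAsync(new HostName(resourceUri.Host));
        if (string.IsNullOrEmpty(result.EnterpriseId))
        {
            // Personal host: no VPN claim, no protection, no policy. Caller treats the data as personal.
            result.Outcome = Outcome.PersonalHost;
            return result;
        }

        StorageFile containerFile = await ApplicationData.Current.TemporaryFolder
            .CreateFileAsync(fileName, CreationCollisionOption.ReplaceExisting);

        // Data in use: the network context is per-thread, so create it on the thread that opens
        // the connection and dispose it as soon as the transfer is done, even on failure.
        ThreadNetworkContext context =
            ProtectionPolicyManager.CreateCurrentThreadNetworkContext(result.EnterpriseId);
        try
        {
            using (var client = new HttpClient())
            {
                IBuffer body = await client.GetBufferAsync(resourceUri); // socket opened under the context
                await FileIO.WriteBufferAsync(containerFile, body);
            }
        }
        finally
        {
            context?.Dispose(); // later connections on this thread no longer get the enterprise VPN
        }

        // Unwrap: the container is enterprise-encrypted for transport; importing it into LocalFolder
        // yields a file encrypted with the device's local key and tagged to the same identity.
        ProtectedContainerImportResult import = await FileProtectionManager
            .LoadFileFromContainerAsync(containerFile, ApplicationData.Current.LocalFolder);
        await containerFile.DeleteAsync(); // the transport copy is no longer needed

        if (import.Status != ProtectedImportExportStatus.Ok)
        {
            // e.g. Revoked (keys removed) or ProtectedToOtherIdentity: never expose partial data
            result.Outcome = Outcome.ImportFailed;
            return result;
        }

        result.File = import.File;
        result.Outcome = Outcome.Protected;
        return result;
    }
}
```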
  49. Enlightening Apps for Enterprise Data Protection

    Slide 49 - Enlightening Apps for Enterprise Data Protection
  50. Data Egress – Protect enterprise data: Files

    Slide 50 - Data Egress – Protect enterprise data: Files

    • Namespace: Windows.Security.EnterpriseData
    • Class: FileProtectionManager
    • Method: ProtectAsync
    • Takes IStorageItem and enterprise ID string
    • Encrypts file with key tagged to enterprise ID
  51. Protect file

    Slide 51 - Protect file

        // Protect file to ‘identity’ (Managed email address or domain)
        FileProtectionInfo protectionInfo =
            await FileProtectionManager.ProtectAsync(file, identity);
        // Use standard APIs to read or write from the file.
  52. Data Egress – Protect enterprise data: Buffers

    Slide 52 - Data Egress – Protect enterprise data: Buffers

    • Namespace: Windows.Security.EnterpriseData
    • Class: DataProtectionManager
    • Method: ProtectAsync
    • Takes IBuffer and enterprise ID string
    • Returns new IBuffer encrypted to enterprise
  53. Protect buffer

    Slide 53 - Protect buffer

        IBuffer inputBuffer = CryptographicBuffer.ConvertStringToBinary(protectedMessage,
            BinaryStringEncoding.Utf8);
        BufferProtectResult protectedBuffer = await
            DataProtectionManager.ProtectAsync(inputBuffer, EnterpriseIdentity);
        // Best practice: check return status
        if (protectedBuffer.ProtectionInfo.Status == DataProtectionStatus.Unprotected)
        {
            // Protection can fail if app not allowed for EnterpriseIdentity
        }
  54. Data Egress – Protect enterprise data: Save UX

    Slide 54 - Data Egress – Protect enterprise data: Save UX

    • Namespace: Windows.Storage.Pickers
    • Class: FileSavePicker
    • Method: FileSavePicker (constructor)
    • Property: EnterpriseId
    • Takes enterprise identity string
    • Sets encryption dropdown to match (if managed)
  55. Set enterprise context for FilePicker

    Slide 55 - Set enterprise context for FilePicker

        private async void SaveFile_Click(object sender, RoutedEventArgs e)
        {
            var savePicker = new FileSavePicker();
            savePicker.EnterpriseId = GetCurrentEnterpriseId();
            var file = await savePicker.PickSaveFileAsync();
            if (file != null)
            {
                // Best practice:
                // Check status with GetProtectionInfoAsync(file)
            }
        }
  56. Enlightening Apps for Enterprise Data Protection

    Slide 56 - Enlightening Apps for Enterprise Data Protection
  57. Event Handling – Revoke

    Slide 57 - Event Handling – Revoke

    • Namespace: Windows.Security.EnterpriseData
    • Class: ProtectionPolicyManager
    • Event: ProtectedContentRevoked
    • Register your event handler for revoke
  58. Handle revoke events

    Slide 58 - Handle revoke events

        // Register handler for revoke event
        ProtectionPolicyManager.ProtectedContentRevoked +=
            HandleProtectedContentRevoked;

        void HandleProtectedContentRevoked(Object sender,
            ProtectedContentRevokedEventArgs args)
        {
            MyRevokeCleanupRoutine();
            // Clean up files, settings, accounts, creds, etc.
            // Sync engines should break enterprise sync relationship.
        }
  59. Event Handling – Screen lock / unlock

    Slide 59 - Event Handling – Screen lock / unlock

    • Namespace: Windows.Security.EnterpriseData
    • Class: ProtectionPolicyManager
    • Event: ProtectedAccessSuspending (screen locking)
    • Event: ProtectedAccessResumed (screen unlocked)
    • Register event handlers for both events
    • Tip: Close as much enterprise data as possible
    • Tip: Can’t read enterprise data under lock, but can create new files, buffers, streams
  60. Handle suspend / resume events

    Slide 60 - Handle suspend / resume events

        // Register for device lock and unlock
        ProtectionPolicyManager.ProtectedAccessSuspending +=
            HandleProtectedAccessSuspending;
        ProtectionPolicyManager.ProtectedAccessResumed +=
            HandleProtectedAccessResumed;

        void HandleProtectedAccessSuspending(Object sender,
            ProtectedAccessSuspendingEventArgs args)
        { // Stop enterprise upload, close enterprise files, etc.
        }

        void HandleProtectedAccessResumed(Object sender,
            ProtectedAccessResumedEventArgs args)
        { // Resume enterprise upload, reopen enterprise content, etc.
        }
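Added example (not code from the session or from the Windows SDK samples): the local productivity-app flow from slides 26 to 32, 44, 45, 50, 51 and 57 to 60 in one class, with the Revoked, under-lock and policy-denied cases handled. EnlightenedDocument and all of its members are hypothetical names; it assumes the enterpriseDataPolicy capability and that the object is created and used on the UI thread that owns the view.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.EnterpriseData;
using Windows.Storage;

// Hypothetical local "productivity app" document: classify on ingress, tag the view,
// re-protect on save, release enterprise content on revoke and screen lock (UI thread assumed).
public sealed class EnlightenedDocument : IDisposable
{
    public string EnterpriseId { get; private set; } = string.Empty; // "" == personal
    public StorageFile File { get; private set; }
    public string Contents { get; private set; }  // decrypted text held while the document is open
    public bool IsEnterprise => EnterpriseId.Length != 0;

    public EnlightenedDocument()
    {
        // Event handling: static events, so Dispose() unhooks them again.
        ProtectionPolicyManager.ProtectedContentRevoked += OnRevoked;
        ProtectionPolicyManager.ProtectedAccessSuspending += OnAccessSuspending;
        ProtectionPolicyManager.ProtectedAccessResumed += OnAccessResumed;
    }

    // Data ingress: decide personal vs enterprise before reading any content.
    public async Task<bool> OpenAsync(StorageFile file)
    {
        FileProtectionInfo info = await FileProtectionManager.GetProtectionInfoAsync(file);
        switch (info.Status)
        {
            case FileProtectionStatus.Protected:
                // Protected to an identity this device does not manage: not ours to show.
                if (!ProtectionPolicyManager.IsIdentityManaged(info.Identity)) return false;
                EnterpriseId = info.Identity;
                break;
            case FileProtectionStatus.Unprotected:
                EnterpriseId = string.Empty;   // personal: no policy applies
                break;
            case FileProtectionStatus.Revoked:
                Contents = null;               // keys are gone; same outcome as the revoke event
                return false;
            default:
                return false;                  // e.g. AccessSuspended while the screen is locked
        }
        // Data in use: tag the window so Windows enforces clipboard and share policy for it.
        ProtectionPolicyManager.GetForCurrentView().Identity = EnterpriseId;
        File = file;
        Contents = await FileIO.ReadTextAsync(file);
        return true;
    }

    // Data egress: what we write back keeps the enterprise tag of what we read.
    public async Task<bool> SaveAsync(string newContents)
    {
        if (File == null) return false;
        await FileIO.WriteTextAsync(File, newContents);
        Contents = newContents;
        if (!IsEnterprise) return true;        // personal stays personal
        FileProtectionInfo info = await FileProtectionManager.ProtectAsync(File, EnterpriseId);
        return info.Status == FileProtectionStatus.Protected; // false when policy disallows this app
    }

    private void OnRevoked(object sender, ProtectedContentRevokedEventArgs args)
    {
        if (!IsEnterprise) return;             // personal content is untouched by a revoke
        Contents = null;                       // drop the plaintext copy
        File = null;                           // unreadable from now on; do not retry
        EnterpriseId = string.Empty;
    }

    private void OnAccessSuspending(object sender, ProtectedAccessSuspendingEventArgs args)
    {
        // Screen lock: the key is about to be discarded, so drop plaintext before completing
        // the deferral. Creating new enterprise files or buffers would still work under lock.
        var deferral = args.GetDeferral();
        if (IsEnterprise) Contents = null;
        deferral.Complete();
    }

    private async void OnAccessResumed(object sender, ProtectedAccessResumedEventArgs args)
    {
        // Screen unlock: keys are back, so reload what was released on lock.
        if (IsEnterprise && File != null && Contents == null) Contents = await FileIO.ReadTextAsync(File);
    }

    public void Dispose()
    {
        ProtectionPolicyManager.ProtectedContentRevoked -= OnRevoked;
        ProtectionPolicyManager.ProtectedAccessSuspending -= OnAccessSuspending;
        ProtectionPolicyManager.ProtectedAccessResumed -= OnAccessResumed;
    }
}
```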
  61. OS Settings and App Data Roaming…in the Enterprise!

    Slide 61 - OS Settings and App Data Roaming…in the Enterprise!

  62. Windows 10 supports roaming based on AAD as well as MSA accounts

    Slide 62 - Windows 10 supports roaming based on AAD as well as MSA accounts

    • Feature parity to Win 8/8.1 with additional security and management capabilities
    • Premium administrative features as part of Enterprise Mobility Suite (EMS)
    • Data is automatically sync’d with the correct storage cloud (OneDrive/AzureAD tenant)
    • OS settings roam based on the identity used to sign into Windows
    • Windows App state roams on the identity used to acquire the app
    • Supported on Windows Phone and Desktop
    • Enterprise Roaming in Windows 10
    • See session 709 “Single Sign-On with Secure Authentication” by Karanbir Singh
  63. Security

    Slide 63 - Security

    • All enterprise data is encrypted both in transit (TLS) and at rest in the cloud (RMS)
    • Support for both “default” and “premium” key management capabilities
    • Default: Keys managed in the cloud by Microsoft (free)
    • Premium: Keys managed in the cloud by the customer
    • Management
    • Admin UX is available from the Azure Active Directory portal
    • Default: On/off switch; data deletion (free)
    • Premium: Security group “allowed list”; user reports
    • MDM provides admins the ability to turn on/off per device
    • Enterprise Roaming in Windows 10
  64. General

    Slide 64 - General

    • Guidelines for roaming app data
    • Quickstart: Roaming app data
    • How to roam data between a Windows Store app and a Windows Phone Store app
    • Blog: Roaming your app data
    • APIs
    • ApplicationData.RoamingFolder | roamingFolder property
    • ApplicationData.RoamingSettings | roamingSettings property
    • ApplicationData.SignalDataChanged | signalDataChanged method
    • MSDN Roaming References
  65. Windows 10 MDM documentation ONLINE http://aka.ms/kw2vwj

    Slide 65 - Windows 10 MDM documentation ONLINE http://aka.ms/kw2vwj

    • MDM related sessions @ Ignite
    • Vladimir Holostov | Provisioning Windows 10 Devices with New Tools [Link]
    • Jason Githens | Managing Windows 10 with Microsoft Intune and SCCM [Link]
    • Chris Green & Dilip Radhakrishnan | Securing Access to Microsoft Exchange and SPO with Intune [Link]
    • John Vintzel | Windows 10 Universal App Deployment for Enterprises [Link]
    • Tejas Patel | Using the Business Store Portal with Windows 10 Devices [Link]
    • Yogesh Mehta | Protecting your data with containers without boxing yourself in [Link]
    • Aman Arneja | Secure Enterprise Network Access and VPN platform enhancements [Link]
    • Nelly Porter | Secure authentication with Windows Hello [Link]
    • Deepak Manohar | Next Generation Malware detection with Windows Defender [Link]
    • MDM Resources
  66. Join the Windows Insider Program … and give us feedback!

    Slide 66 - Join the Windows Insider Program … and give us feedback!

    • Explore the Enterprise Data Protection samples
    • Check the Roaming App Data resources
    • Get your app ready for management!
    • Call to Action
  67. Raise apps that help users

    Slide 67 - Raise apps that help users

    • respect enterprise data,
    • and you will be rewarded
    • Trustworthy apps will be chosen