Programming Windows Information Protection


With Windows 10 (you need the version 1607 or later), you can use the Windows Information Protection (WIP, formerly “Enterprise Data Protection”), and the developers can also use this features in your app code.

By using this Windows Information Protection (WIP) API, your app can distinguish whether the accessing resources (file, network, etc) are “managed” (corporate) or “unmanaged” (personal) and process the WIP-aware advanced capabilities. (Even if the app is not using WIP API, the Windows Information Protection works. But the app cannot handle the granular controls without this API.)
The Microsoft apps, such as Edge, Notepad, Mobile Office, etc are WIP-aware applications. (Please see the official document “List of enlightened Microsoft apps for use with Windows Information Protection (WIP)” for the complete list.) These apps will help you to understand the WIP API.

Let’s see how to programming, debugging, and how it works.

Applying Policy

Before you start building apps, you must apply the Windows Information Protection policy to your development (test or debugging) host.
To do this, you can use the MDM service (Microsoft Intune, SCCM, or 3rd party product) or WIP Setup Developer Assistant.
I show you how to configure using Microsoft Intune and WIP Setup Developer Assistant.

using Microsoft Intune

If you use the Microsoft Intune, first you open the Intune Portal and click [Add Policy] from the [Policy] tab.

Note : Before starting policy settings, you must enroll your device (PC) into Microsoft Intune. (Here we are assuming that all setting has done.)
If you are using EMS or Azure AD Premium, you can configure such as all users’ Windows 10 devices in Azure AD be managed by Microsoft Intune. (automatic enrollment)

Note : Currently you must use English as the language settings when you set WIP policy using Microsoft Intune portal. (Sorry for inconvenience …)
If you are using non-English language (including Japanese), please change the default language settings to English when you use Microsoft Intune portal.

In the window pop-up, you select [Windows] – [Windows Information Protection] and click [Create Policy] button.
After clicking this button, the policy setting window is displayed.

In the policy setting window, first you set the policy name and description.

Next you can add your developing app by clicking [Add] button.

In this post, we create the UWP app using Visual Studio. You retrieve the app’s publisher name and product name from the app manifest (Package.appxmanifest) in your UWP app project, and paste these values to the following dialog.

Note : When you want to get the publisher name and product name of the app in the Windows store, first you get the app ID (ex. 9wzdncrfhvjl) in the store page’s url and go to https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app id}/applockerdata.
When you want to get the publisher name of the desktop app, you can use Get-AppLockerFileInformation PowerShell command.
Please see “Create a Windows Information Protection (WIP) policy using Microsoft Intune” for details.

Note : You can also use the asterisk (*) for the publisher name and product name. Of course, it’s not good at production, but it could be okay in your dev env.

Next you specify the protection mode (Block actions / Display warning / Auditing log / Off).
In this post, we select [Block] mode which blocks all actions.

Next you specify the identity name for tagging corporate data.
This is usually expressed as your primary internet domain. (If your tenant is also having custom domain, you can specify the multiple values separated by the pipe character.)

Next you add the conditions for the corporate network boundary.
Using this conditions, WIP determines whether the connecting network is “managed” (corporate) or “unmanaged” (personal).

In this setting, “Enterprise Network Domain Names” and “Enterprise IPv4 Ranges” are mandatory.
By default, the enterprise IP range is auto-detected and you can set the arbitrary value in the “Enterprise IPv4 Ranges”.

Lastly, you specify the DRA (Data Recovery Agent) certificate which is used for the recovery of the encrypted data.
When the enterprise data is stored in your device, the data is protected using encryption. If you need to recover these data accidentally, this certificate will be used.

If you want to create this certificate for the development purpose, you can get that by the following command.

cipher /r:{your arbitary certname}

Click [Save policy].
After you complete the Windows Information Protection (WIP) policy creation, click [Manage Deployment] link.

In the dialog, add your device group or user group to the right-side pane, and click [OK] to deploy this policy.

Once you have deployed your policy, please sign-out and sign-in to Windows again. (The policy effects in your host.)

using WIP Setup Developer Assistant

WIP Setup Developer Assistant is very easy to set up the policy, because you don’t need the extra service and difficult prerequisite settings (domain or tenant set-up, device enrollment , etc).

But this tool is for the development purpose, and we don’t recommend to use this tool in your work (or production) environment, because this changes your host WIP settings directly. Please create the specific host for the test and debugging purpose (for ex, using VM) which is in the workgroup and apply the policy using WIP Setup Development Assistant.

First you install WIP Setup Developer Assistant from Windows store, and you run this tool as an administrator.

The setup configuration windows is displayed, and the settings are the same as before. (See the previous Intune policy settings.)
First you install your app using Visual Studio or sideloading, and you just select the installed app by clicking [Select Packages] button.
When the settings are completed, you just click [Apply Changes] button and the WIP is set up in this host. (It’s very simple !)

Programming

Now you can create your code and debug your app.
In this post we use C# for programming, but you can also create your WIP-aware app using C++ (see here).

The official document “Build an enlightened app that consumes both enterprise data and personal data” is a good resource for you (developers), and you can learn the several cases for WIP programming in this document.
Let’s look at a few examples !

First, you create the UWP app project using Visual Studio.

For using WIP API, add library reference for “Windows Desktop Extensions for the UWP” and “Windows Mobile Extensions for the UWP”.

For adding the WIP capabilities to this UWP app, open Package.appxmanifest code editor (right-click and select [View Code] menu) and add the following (bold and red parts).

<?xml version="1.0" encoding="utf-8"?>
<Package
  xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
  xmlns:mp="http://schemas.microsoft.com/appx/2014/phone/manifest"
  xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
  xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"
  IgnorableNamespaces="uap mp rescap">
  . . .

  <Capabilities>
    <Capability Name="internetClient" />
    <Capability Name="privateNetworkClientServer" />
    <rescap:Capability Name="enterpriseDataPolicy"/>
  </Capabilities>
</Package>

The following code is just checking if the app is managed.
If the previous policy setup is succeeded, the following code returns “Managed” as a message dialog.

. . .
using Windows.Foundation.Metadata;
using Windows.UI.Popups;
using Windows.Security.EnterpriseData;
. . .

private async void button_Click(object sender, RoutedEventArgs e)
{
  if (!ApiInformation.IsApiContractPresent("Windows.Security.EnterpriseData.EnterpriseDataContract", 3))
  {
    await (new MessageDialog("API is not supported")).ShowAsync();
    return;
  }
  if (ProtectionPolicyManager.IsIdentityManaged("emdemo01.onmicrosoft.com"))
  {
    await (new MessageDialog("Managed")).ShowAsync();
    return;
  }
  else
  {
    await (new MessageDialog("Sorry, unmanaged")).ShowAsync();
    return;
  }
}

First, your app setup the enterprise identity. (You must change “emdemo01.onmicrosoft.com” to your corporate identity value.)

private async void button1_Click(object sender, RoutedEventArgs e)
{
  // Setup Identity
  var protectionPolicyManager = ProtectionPolicyManager.GetForCurrentView();
  protectionPolicyManager.Identity = "emdemo01.onmicrosoft.com";
}

If succeeded, the following briefcase icon will be shown in your app.

The following code copies the text to the clipboard. This clipboard text is protected, because the previous code setup the enterprise identity.

private async void button2_Click(object sender, RoutedEventArgs e)
{
  // Clipboard Copy
  var dataPackage = new Windows.ApplicationModel.DataTransfer.DataPackage();
  dataPackage.SetText(textBox.Text);
  Windows.ApplicationModel.DataTransfer.Clipboard.SetContent(dataPackage);
  await (new MessageDialog("Copied the data to clipboard")).ShowAsync();
}

If you paste the copied (clipboard) data into your personal app (WordPad, etc), the following error message appears and your operation is blocked.

If you build another enterprise app (having the same identity) and request the clipboard access as follows (see dataPackageView.RequestAccessAsync() method), this app can paste the protected clipboard data.

private async void button_Click(object sender, RoutedEventArgs e)
{
  DataPackageView dataPackageView = Clipboard.GetContent();
  if (dataPackageView.Contains(StandardDataFormats.Text))
  {
    ProtectionPolicyEvaluationResult result = await dataPackageView.RequestAccessAsync();
    if (result == ProtectionPolicyEvaluationResult.Allowed)
    {
      string contentsOfClipboard = await dataPackageView.GetTextAsync();
      textBox.Text = contentsOfClipboard;
    }
  }
}

The following example shows that it stores the enterprise data in the local file.

. . .
using Windows.Storage;
using Windows.Security.Cryptography;
. . .

private async void button3_Click(object sender, RoutedEventArgs e)
{
  // Save and Protect your file
  StorageFolder folder =
    ApplicationData.Current.LocalFolder;
  StorageFile file =
    await folder.CreateFileAsync("sample.txt",
      CreationCollisionOption.ReplaceExisting);
  FileProtectionInfo fileProtectionInfo =
    await FileProtectionManager.ProtectAsync(
      file,
      "emdemo01.onmicrosoft.com");
  var buffer = CryptographicBuffer.ConvertStringToBinary(
    "test data", BinaryStringEncoding.Utf8);
  await FileIO.WriteBufferAsync(file, buffer);
  await (new MessageDialog($"Saved protected data in {file.Path}")).ShowAsync();
}

When you try to open this file using unmanaged app, the previous error message (same error) is also displayed.

Of course, your app can read the file and check the protection status as follows.

private async void button4_Click(object sender, RoutedEventArgs e)
{
  // Read the file
  StorageFolder folder =
    ApplicationData.Current.LocalFolder;
  StorageFile file =
    await folder.GetFileAsync("sample.txt");
  string data = await FileIO.ReadTextAsync(file);
  await (new MessageDialog($"Saved protected data in {data}")).ShowAsync();

  // Check the file protection status
  FileProtectionInfo fileProtectionInfo =
    await FileProtectionManager.GetProtectionInfoAsync(file);
  if (fileProtectionInfo.Identity == "emdemo01.onmicrosoft.com" &&
        fileProtectionInfo.Status == FileProtectionStatus.Protected)
  {
    await (new MessageDialog("Protected")).ShowAsync();
  }
  else
  {
    await (new MessageDialog("Not Protected")).ShowAsync();
  }
}

Your app can also understand whether the managed network or not, and access to the enterprise network resources that are managed by the policy.
For more details, see the official document “Build an enlightened app that consumes both enterprise data and personal data“.

Deployment and Debugging

When you debug (set breakpoints, etc) your app, you can use the usual [start debugging] menu in Visual Studio. (Be sure to set the policy as I described before.)
That’s all !

If you’re using the remote host (VM, etc) which is configured by the WIP Setup Developer Assistant, you can use sideloading for app installation.

  1. For enabling sideloading, login to the remote host, open [Settings] – [Update & Security], select [For developers] tab, and be sure to enable the sideloading.
  2. Create the app package using Visual Studio.

  3. The package is in the “AppPackages” folder, and copy the all package files to the remote host.
  4. Run Add-AppDevPackage.ps1 (PowerShell script file) in the package files, and install.
  5. When you debug the app which is remotely installed, install the Visual Studio Remote Tools, launch the installed app, selcet [Debug] – [Attach to Process] menu in Visual Studio, and select the app process in the remote host.

Note : Before you install the app, the certificate must be imported in your local machine beforehand. The previous Add-AppDevPackage.ps1 installs this certificate during the deployment process.


Comments (0)

Skip to main content