Create the Data Protection (Preview) profile to use the Microsoft Windows Information Protection feature to limit user and application access to your organizational data to approved networks and applications. You can set detailed controls over data protection.


Data Protection is currently a tech preview feature. AirWatch recommends limiting your use of this feature for testing purposes only. Data Protection should not be used in a production environment. Features are not final and are subject to change at any time.

To configure the Enterprise Data Protection profile:

  1. Navigate to Devices > Profiles > List View > Add and select Add Profile.

  2. Select Windows and choose Windows Phone as the platform.'
  3. Select Device Profile.
  4. Configure the profile General settings.

    These settings determine how the profile deploys and who receives it. For more information on General settings, see Add General Profile Settings.

  5. Select the Data Protection payload.

  6. Configure the Enterprise Data Protection settings:

    Settings Descriptions

    Select to add enterprise applications to the enterprise allowed list.

    Applications added here are trusted to use enterprise data.

    App Type

    Select either Store App or Store App Publisher.

    Selecting a publisher whitelists all apps from the publisher.

    Name Enter the app name. If the app is a Windows Store app, select the Search icon ( Blue_Search_Icon) to search for the app Package Family Name (PFN).
    Identifier Enter the package family name for the store app or the app publisher name.

    Select the check box if the app does not support full data protection but still needs access to enterprise data. Enabling this option exempts the app from data protection restrictions. These apps are often legacy apps not yet updated for data protection support.

    Creating exemptions creates gaps in data protection. Only create exemptions when necessary.

    Protected Networks
    Primary Domain

    Enter the primary domain that your enterprise data uses.

    Data from protected networks is accessible by enterprise applications only. Attempting to access a protected network from an application not on the enterprise allowed list results in enforcement policy action.

    Enter domains in lowercase characters only.

    Enterprise Protected Domain Names

    Enter a list of domains (other than your primary domain) used by the enterprise for its user identities. Separate the domains with the vertical bar character (|).

    Enter domains in lowercase characters only.

    Enterprise IP Ranges

    Enter the enterprise IP ranges that define the Windows 10 devices in the enterprise network.

    Data that comes from the devices in range are considered part of the enterprise and are protected. These locations are considered a safe destination for enterprise data sharing.

    Enterprise Network Domain Names

    Enter the list of domains that are the boundaries of the enterprise network.

    Data from a listed domain that is sent to a device is considered enterprise data and is protected. These locations are considered a safe destination for enterprise data sharing.

    Enterprise Proxy Servers Enter the list of proxy server that the enterprise can use for corporate resources.
    Enterprise Cloud Resources

    Enter the list of enterprise resource domains hosted in the cloud that need to be protected by routing through the enterprise network through a proxy server (on port 80).

    If Windows cannot determine whether to allow an app to connect to a network resource, it will automatically block the connection. If you want Windows to default to allow the connections, add the /*AppCompat*/ string to the setting. For example: | /*AppCompat*/

    Only add the /*AppCompat*/ string once to change the default setting.

    Enforcement Policies
    Application Data Protection Level Set the level of protection and the actions taken to protect enterprise data.
    Show EDP Icons

    Enable to display an EDP icon( EDP icon) in the Web browser, file explorer, and app icons when accessing protected data. The icon also displays in enterprise-only app tiles on the Start menu.

    Revoke on Unenroll Enable to revoke Data Protection keys from a device when the device unenrolls from AirWatch.
    Protection Under Lock Enable to cryptographically protect enterprise data while the device is locked.
    User Decryption

    Enable to allow users to select how data is saved using an enlightened app. They can select Save as Corporate or Save as Personal.

    If this option is not enabled, all data saved using an enlightened app will save as corporate data and encrypt using the corporate encryption.

    Direct Memory Access Enable to allow users direct access to device memory.
    Data Recovery Certificate Upload the special Encrypting File System certificate to use for file recovery if your encryption key is lost or damaged. For more information, see Create an Encrypting File System Certificate.
  7. Select Save & Publish to push the profile to devices.