The Data Protection profile configures rules to control how enterprise applications access data from multiple sources in your organization. Learn how using the data protection profile ensures that your data is only accessible by secured, approved applications.

With personal and work data on the same device, accidental data disclosure is possible through services that your organization does not control. With the Data Protection payload, Workspace ONE UEM controls how your enterprise data moves between applications to limit leakage with a minimal impact on end users. Workspace ONE UEM uses the Microsoft Windows Information Protection (WIP) feature to protect your Windows 10 devices.

Data Protection works by whitelisting enterprise applications to give them permission to access enterprise data from protected networks. If end users move data to non-enterprise applications, you can act based on the selected enforcement policies.

WIP treats data as either unencrypted personal data or corporate data to protect and encrypt. Applications whitelisted for Data Protection fall into four different types. These types determine how the app interacts with protected data.

  • Enlightened Apps – These apps fully support WIP functionality. Enlightened apps can access both personal and corporate data without issues. If data is created with an enlightened app, you can save the data as unencrypted personal data or encrypted corporate data. You can restrict users from saving personal data with enlightened apps using the Data Protection profile.
  • Allowed – These apps support WIP-encrypted data. Allowed apps can access both corporate and personal data but the apps save any accessed data as encrypted corporate data. Allowed apps save personal data as encrypted corporate data that cannot be accessed outside of WIP-approved apps. Consider slowly whitelisting allowed apps on a case-by-case basis to prevent issues accessing data. Reach out to software providers for information on WIP approval.
  • Exempt – You determine which apps are exempt from WIP policy enforcement when you create the Data Protection profile. Exempt any apps that do not support WIP-encrypted data. If an app does not support WIP-encryption, the apps break when attempting to access encrypted corporate data. No WIP policies apply to exempt apps. Exempt apps can access unencrypted personal data and encrypted corporate data. Because exempt apps access corporate data without WIP policy enforcement, use caution when whitelisting exempt apps. Exempt apps create gaps in data protection and leak corporate data.
  • Not Allowed – These apps are not whitelisted or exempted from WIP policies and cannot access encrypted corporate data. Not allowed apps can still access personal data on a WIP-protected device.
Important: The Data Protection profile requires Windows Information Protection (WIP). This feature requires the Windows Anniversary Update. Consider testing this profile before deploying to production.