Create the Data Protection (Preview) profile to use the Microsoft Windows Information Protection feature to limit user and application access to your organizational data to approved networks and applications. You can set detailed controls over data protection.


  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.
  2. Select Windows and choose Windows Desktop as the platform.
  3. Select Device Profile.
  4. Configure the profile General settings.
  5. Select the Data Protection payload.
  6. Configure the Enterprise Data Protection settings:
    Setting / Description

    Select to add enterprise applications to the enterprise allowed list. Applications added here are trusted to use enterprise data.

    App Type
    Select whether the application is a traditional desktop application or a Microsoft Store app. You can also select an application publisher for desktop applications or store apps; selecting a publisher adds every app from that publisher to the allowed list.

    Name
    Enter the app name. If the app is a Microsoft Store app, select the Search icon to look up the app's Package Family Name (PFN).

    Identifier
    Enter the file path for a desktop application or the package family name for a store app.

    Select the check box if the app does not support full data protection but still needs access to enterprise data. Enabling this option exempts the app from data protection restrictions; such apps are often legacy apps not yet updated to support data protection. Every exemption is a gap in data protection, so create exemptions only when necessary.

    Primary Domain
    Enter the primary domain that your enterprise data uses. Data from protected networks is accessible to enterprise applications only; an attempt to reach a protected network from an application that is not on the enterprise allowed list triggers the enforcement policy action. Enter domains in lowercase characters only.

    Enterprise Protected Domain Names
    Enter the list of domains (other than your primary domain) that the enterprise uses for its user identities. Separate the domains with the vertical bar character (|). Enter domains in lowercase characters only.

    Enterprise IP Ranges
    Enter the enterprise IP ranges that define the Windows 10 devices on the enterprise network. Data that comes from devices in these ranges is considered part of the enterprise and is protected, and these locations are considered a safe destination for enterprise data sharing.

    Enterprise Network Domain Names
    Enter the list of domains that form the boundaries of the enterprise network. Data from a listed domain that is sent to a device is considered enterprise data and is protected, and these locations are considered a safe destination for enterprise data sharing.

    Enterprise Proxy Servers
    Enter the list of proxy servers that the enterprise can use for corporate resources.

    Enterprise Cloud Resources
    Enter the list of enterprise resource domains hosted in the cloud that must be protected by routing their traffic through the enterprise network by way of a proxy server (on port 80). If Windows cannot determine whether to allow an app to connect to a network resource, it blocks the connection. If you want Windows to allow such connections by default, add the /*AppCompat*/ string to the setting, for example: | /*AppCompat*/. Add the /*AppCompat*/ string only once to change the default.

    Application Data Protection Level
    Set the level of protection and the actions taken to protect enterprise data.

    Show EDP Icons
    Enable to display an EDP icon in the web browser, File Explorer, and app icons when accessing protected data. The icon also appears on enterprise-only app tiles on the Start menu.

    Revoke on Unenroll
    Enable to revoke Data Protection keys from a device when the device unenrolls from Workspace ONE UEM.

    User Decryption
    Enable to allow users to choose how data is saved from an enlightened app: Save as Corporate or Save as Personal. If this option is not enabled, all data saved from an enlightened app is saved as corporate data and encrypted with the corporate encryption.

    Direct Memory Access
    Enable to allow users direct access to device memory.

    Data Recovery Certificate
    Upload the special Encrypting File System certificate to use for file recovery if your encryption key is lost or damaged. For more information, see Create an Encrypting File System Certificate.
  7. Select Save & Publish to push the profile to devices.
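The following Python helper is an added example, not part of this documentation or of Workspace ONE UEM: it sanity-checks the network boundary strings before you paste them into the payload, enforcing the lowercase and vertical-bar rules for domain lists and rejecting a second /*AppCompat*/ entry. It assumes that Enterprise IP Ranges are entered as comma-separated start-end pairs and that a cloud resource may be paired with its proxy as domain,proxy; neither format is stated on this page.

```python
import ipaddress
import re

# Hypothetical checker (not part of Workspace ONE UEM): validates the
# pipe-separated WIP boundary strings before they go into the payload.
# Each function returns a list of problems; an empty list means OK.
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")
APPCOMPAT = "/*AppCompat*/"

def check_domains(value):
    """Protected/network domain names: entries separated by '|', lowercase only."""
    problems = []
    for entry in (e.strip() for e in value.split("|")):
        if not entry:
            problems.append("empty domain entry (stray '|')")
        elif entry != entry.lower():
            problems.append(f"domain must be lowercase: {entry}")
        elif not DOMAIN_RE.match(entry):
            problems.append(f"not a valid domain: {entry}")
    return problems

def check_ip_ranges(value):
    """Enterprise IP ranges as comma-separated 'start-end' pairs (assumed format)."""
    problems = []
    for entry in (e.strip() for e in value.split(",")):
        try:
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-"))
        except ValueError:  # not two addresses, or an address that does not parse
            problems.append(f"bad range syntax, expected start-end: {entry}")
            continue
        if start.version != end.version or start > end:
            problems.append(f"range start must not exceed end: {entry}")
    return problems

def check_cloud_resources(value):
    """Cloud resources: '|'-separated entries, each a domain or an assumed
    'domain,proxy' pair; /*AppCompat*/ may appear at most once, on its own."""
    problems = []
    entries = [e.strip() for e in value.split("|")]
    if entries.count(APPCOMPAT) > 1:
        problems.append(f"{APPCOMPAT} must appear only once")
    for entry in entries:
        if entry == APPCOMPAT:
            continue
        hosts = [h.strip() for h in entry.split(",")]
        if len(hosts) > 2 or not all(DOMAIN_RE.match(h.lower()) for h in hosts):
            problems.append(f"not a valid cloud resource entry: {entry}")
    return problems
```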