Windows Information Protection device policy
Windows Information Protection (WIP), previously known as enterprise data protection (EDP), is a Windows technology that protects against the potential leakage of enterprise data. Data leakage can occur through sharing of enterprise data to non-enterprise protected apps, between apps, or outside of the organization network. For more information, see Protect your enterprise data using Windows Information Protection (WIP) on Microsoft TechNet.
You can create a device policy in XenMobile that specifies the apps requiring Windows Information Protection and the enforcement level to apply. The Windows Information Protection policy applies to supervised Windows 10 Phone, Tablet, and Desktop devices running version 1607 and later.
XenMobile includes some common apps in the policy, and you can add others. The enforcement level you choose for the policy determines what users see when they share data inappropriately. For example, you can:
- Block any inappropriate data sharing.
- Warn about inappropriate data sharing and allow users to override the policy.
- Run WIP silently while logging and permitting inappropriate data sharing.
To exclude apps from Windows Information Protection, define the apps in Microsoft AppLocker XML files and then import those files into XenMobile.
To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.
- Desktop App (Windows 10 Tablet), Store App (Windows 10 Phone and Tablet): XenMobile includes some common apps, as shown in the sample above. You can edit or remove those apps as needed.
  - To add other apps: In the Desktop App or Store App table, click Add and provide the app information.
  - Allowed apps can read, create, and update enterprise data. Denied apps can’t access enterprise data. Exempt apps can read enterprise data but can’t create or modify the data.
- AppLocker XML: Microsoft provides a list of Microsoft apps that have known compatibility issues with WIP. To exclude those apps from WIP, click Browse to upload the list. XenMobile combines the uploaded AppLocker XML and the configured desktop and store apps in the policy sent to the device. For more information, see Recommended deny list for Windows Information Protection.
- Enforcement level: Select an option to specify how you want Windows Information Protection to protect and manage data sharing. Defaults to Off.
  - 0-Off: WIP is off and doesn’t protect or audit your data.
  - 1-Silent: WIP runs silently, logs inappropriate data sharing, and doesn’t block anything. You can access logs through Reporting CSP.
  - 2-Override: WIP warns users about potentially unsafe data sharing. Users can override warnings and share the data. This mode logs actions, including user overrides, to your audit log.
  - 3-Block: WIP prevents users from completing potentially unsafe data sharing.
- Protected domain names: The domains that your enterprise uses for its user identities. This list of managed identity domains, along with the primary domain, makes up the identity of your managing enterprise. The first domain in the list is the primary corporate identity used in the Windows UI. Use "|" to separate list items. For example: domain1.com | domain2.com
- Data recovery certificate: Click Browse and then select a recovery certificate to use for data recovery of encrypted files. This certificate is the same as the data recovery agent (DRA) certificate for the encrypting file system (EFS), only delivered through MDM instead of Group Policy. If a recovery certificate isn’t available, create it. For information, see “Create a data recovery certificate” in this section.
- Network domain names: A list of domains that comprise the boundaries of the enterprise. WIP protects all traffic to the fully qualified domains in this list. Together with the IP range setting, this list determines whether a network endpoint on a private network is enterprise or personal. Use a comma to separate list items. For example: corp.example.com,region.example.com
- IP range: A list of the enterprise IPv4 and IPv6 ranges that define the computers in the enterprise network. WIP considers these locations a safe destination for enterprise data sharing. Use commas to separate list items. For example:
- IP ranges list is authoritative: To prevent auto-detection of IP ranges by Windows, change this setting to On. Defaults to Off.
- Proxy servers: A list of the proxy servers that the enterprise can use for corporate resources. This setting is required if you use a proxy in your network. Without a proxy server, enterprise resources might be unavailable when a client is behind a proxy. For example, resources might be unavailable from certain WiFi hotspots at hotels and restaurants. Use commas to separate list items. For example:
- Internal proxy servers: A list of the proxy servers that your devices go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. Don’t include in this list any of the servers in the Proxy servers setting, which are used for non-WIP-protected traffic. Use commas to separate list items. For example:
- Cloud resources: A list of cloud resources protected by WIP. For each cloud resource, you can also optionally specify a proxy server from the Proxy servers list to route traffic for that cloud resource. All traffic routed through the Proxy servers is treated as enterprise traffic. Use commas to separate list items. For example:
- Set Require protection under lock: Windows 10 Phone only. If On, the Passcode device policy is also required; otherwise, the Windows Information Protection policy deployment fails. Also, if this setting is On, the setting Require protection under lock appears. Default is Off.
- Require protection under lock: Windows 10 Phone only. Specifies whether to encrypt enterprise data using a key that’s protected by an employee PIN on a locked device. Apps can’t read corporate data on a locked device. Defaults to On.
- Revoke WIP certificate on unenroll: Specifies whether to revoke local encryption keys from a user device when it’s unenrolled from Windows Information Protection. After the encryption keys are revoked, a user can’t access encrypted corporate data. If Off, the keys aren’t revoked and the user continues to have access to protected files after unenrollment. Defaults to On.
- Show overlay icons: Specifies whether to include the Windows Information Protection icon overlay on corporate files in Explorer and on enterprise-only app tiles in the Start menu. Defaults to Off.
Create a data recovery certificate
A data recovery certificate is required to enable the Windows Information Protection policy.
- On the XenMobile Server, open a command prompt and navigate to a folder (other than Windows\System32) where you want to create the certificate.
- Run this command:
- When prompted, enter a password to protect the private key file.
- The cipher command creates a .cer and a .pfx file.
- In the XenMobile console, go to Settings > Certificates and import the .cer file, which applies to both Windows 10 tablets and phones.
When Windows Information Protection is in effect, apps and files include an icon:
If a user copies or saves a protected file to a non-protected location, the following notification appears, depending on the enforcement level configured.