Companies are encouraging the use of a single device for both organizational and personal purposes. This could be Bring Your Own Device (BYOD), or the company providing devices for both personal and enterprise use. Either way, users of these devices will tend to store both enterprise data and personal data on the same device. Besides this, there are company apps, company-approved apps, and personal apps that users might download for their own use and entertainment.
Under such circumstances, it becomes essential that enterprises manage their data and apps securely without spoiling the user experience for employees. Too many security restrictions that prevent users from downloading apps for personal use may put employees off. Windows 11/10 offers an approach that keeps both admins and employees happy. This article looks at Enterprise Data Protection in Windows 11/10.
Enterprise Data Protection (EDP) in Windows 11/10
This is the module that protects enterprise data against unintended or malicious use. The first element is proper encryption, so that even if the data is leaked or compromised, it remains safe because others cannot decrypt it. The EDP module identifies enterprise and personal apps and lets employees use both at the same time without the two getting mixed up.
The EDP module allows personal and enterprise apps to be displayed simultaneously on the same screen, for example the Outlook app for checking personal mail as well as company mail. This is just one example. Enterprise data protection in Windows 10 can do much more:
- Identification and separate handling of enterprise and personal data
- Data protection for existing enterprise apps without having to update the apps now and then
- Remote wiping of corporate data without affecting personal data
- Audit reports for tracking app usage and a range of issues, including data leakage
- EDP integrates with your existing system to save time and effort in providing user access rights and other functions.
The only prerequisite for using EDP in Windows is that you have Windows Intune, System Center Configuration Manager, or your own company-wide Mobile Device Management (MDM) solution.
How can EDP help in Windows computers?
You may have an idea of what enterprise data protection does in Windows. I am listing some important highlights of the module:
- Encrypt enterprise-owned data on devices being used by employees – be it BYOD or company-provided devices
- Remotely wipe corporate data without affecting the employees’ personal data, so that employees have no cause to complain
- Designate apps as privileged so that only those apps can access enterprise data even though the device carries many other employee-owned apps; this also means that employees’ private apps will be denied access to enterprise data so that it is safe
- Users or employees need not switch between organizational credentials and personal credentials to work on devices; they can simultaneously use both enterprise and personal apps
Employee experience will be enhanced, as they will not have to switch between enterprise and personal logins. If a personal document is marked as corporate due to an error, the employee can initiate a process to claim it (using the Audit method).
Corporate data is protected even on employee-owned devices. If an employee marks a new document as being work-related, it is automatically protected as enterprise data. When employees leave the organization or move to another department, you can remotely wipe off all the traces of corporate data on their device – without affecting their personal data. This makes sure that they cannot misuse enterprise data.
Moreover, enterprise data copied onto other devices is encrypted, so that even if it falls into the wrong hands, the data stays protected. This can prevent accidental or deliberate leaks of enterprise data.
You can mark apps as enterprise related. That way, only the apps marked will get access to corporate data according to the user policies. Personal apps will never be able to look into the enterprise data, keeping it secure always.
Finally, there is always the option to turn off enterprise data protection in Windows 10, though it is not recommended. If you do so, then when you turn it back on, you’ll have to configure the policies and decryption again. The data, however, won’t be affected, as it stays encrypted even if EDP is turned off and hence would be safe.
EDP offers four levels of protection: Block, Override, Audit and Off. It also supports per-file encryption on SD cards along with the device encryption policy. You can read more about this new feature on TechNet.
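A simplified model of how the four levels combine with the list of apps marked as enterprise apps when data is shared (pasted, dragged or saved) into another app. This is an added illustration, not Microsoft's code; the `decide` function, the `Decision` fields and the app names are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    BLOCK = "Block"
    OVERRIDE = "Override"
    AUDIT = "Audit"
    OFF = "Off"


@dataclass(frozen=True)
class Decision:
    allowed: bool   # does the data reach the target app?
    prompted: bool  # was the user shown a warning?
    audited: bool   # was an audit event recorded?


def decide(level, allowed_apps, target_app, is_enterprise_data, user_confirms=False):
    """Model one attempt to share data into target_app (hypothetical helper)."""
    # Personal data is outside the policy, and enterprise data may move
    # freely between apps the admin marked as enterprise apps.
    if not is_enterprise_data or target_app in allowed_apps:
        return Decision(allowed=True, prompted=False, audited=False)
    # From here on: enterprise data heading for a personal app.
    if level is Level.OFF:
        return Decision(True, False, False)         # no protection, no audit
    if level is Level.AUDIT:
        return Decision(True, False, True)          # silent: log only
    if level is Level.OVERRIDE:
        return Decision(user_confirms, True, True)  # warn, user may proceed
    return Decision(False, True, True)              # Block: stopped and logged


# Constructed sample policy and events (hypothetical app names).
ALLOWED = {"outlook.exe", "winword.exe"}
EVENTS = [
    ("winword.exe", True),   # enterprise document into an enterprise app
    ("game.exe", False),     # personal data into a personal app
    ("game.exe", True),      # enterprise data into a personal app
]


def report(level, user_confirms=False):
    return [decide(level, ALLOWED, app, ent, user_confirms) for app, ent in EVENTS]


if __name__ == "__main__":
    for lvl in Level:
        for (app, ent), d in zip(EVENTS, report(lvl)):
            print(f"{lvl.value:8} {app:12} enterprise={ent!s:5} -> {d}")
```

Only the third event changes outcome across the levels, which is why Audit is a useful first stage: it shows what Block would stop before anything is actually stopped.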
Now take a look at how Device Management will work in Windows.