Exam MS-500 topic 2 question 17 discussion

I believe you guys are thinking in terms of TO instead of FROM. The policy is set to block. "Block: Blocks enterprise data FROM LEAVING protected apps." The protected app is App1. So the policy would prevent data from LEAVING App1. 1. Device 1 is an Android Device and WIP won't work at all -> Answer YES 2. App2 is exempt, but the policy protects >App1< from data LEAVING it. So the copy gets blocked -> Answer NO 3. This is effectively the same as #2. Sure, App3 is not impacted, but App1 is, and you cannot copy data FROM App1 -> Answer NO

I think this is not correct... 1. Device 1 is an Android Device and WIP won't work at all -> Answer YES 2. App 2 is an excempt App so this should work -> Answer YES 3. APP 3 is neither a protected nor an excempt app. WIP should Block -> Answer NO

This is clearly about App Protection Policies, so should be N, N, N ?

On exam 24/02/2023

https://learn.microsoft.com/en-us/mem/intune/apps/windows-information-protection-policy-create Microsoft Endpoint Manager has discontinued future investments in managing and deploying Windows Information Protection. You can expunge this from your memories now

Starting in July 2022, Microsoft is deprecating Windows Information Protection. Microsoft Endpoint Manager is discontinuing future investments in managing and deploying Windows Information Protection (WIP). Just move on to the next question. The process of deprecation is to be completed by December 2022.

You learn something every day. Been obsessing on this question. WIP will not work on android (I was getting confused between WIP and AIP). Device 1 is android.

Valid on exam. Jun 10, 2022

The question does not specify which platform the policy is created for. The is only one policy which can either be for Android or for Windows 10. If the policy is for Android, the answer would be NO, YES, YES. If it is for Windows 10, answer is YES, YES, NO.

Correct answer is YNN. 1. Yes because device 1 is an Adroid Device and it's not included in policy; 2. No becasue App1 and device windows are included in policy; 3. No for the same reason of Q2.

Well... I'm torn. I want to believe everyone saying that Q1 is Yes. It makes sense that WIP doesn't apply to Android devices so you can copy the data all day if you want. But I'm reading what the block mode does, and I don't know that I truly believe that theory. From: https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure#:~:text=Table%202%20%20%20%20Mode%20%20,off%20and%20doesn%27t%20help%20to%20pr%20...%20 Block: WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise. I don't think that WIP is going to allow the ability to copy the data from App1 to App3. Also App3 isn't included in the policy anywhere. Every time I've read something about WIP if an app isn't a part of the policy, it's unenlightened and you can't do anything with it. So I say it's N/Y/N.

YNN- You can use Windows Information Protection (WIP) policies with Windows 10 apps to protect apps without device enrollment. https://docs.microsoft.com/en-us/mem/intune/apps/windows-information-protection-policy-create

app protection policy works on Android 1. Device 1 is an Android Device and app protection policy works on it -> Answer NO 2. App2 is exempt, but the policy protects >App1< from data LEAVING it. So the copy gets blocked -> Answer NO 3. This is effectively the same as #2. Sure, App3 is not impacted, but App1 is, and you cannot copy data FROM App1 -> Answer NO

Y, N, N

Corrected ans in short is # YES NO NO 1. Device 1 is an Android Device and WIP won't work at all -> Answer YES 2. App 2 is an exempt App but not App1 -> Answer NO.... The reasoning why you can't Copy and Paste into App2 is due to the app being unenlightened so the Context this app runs will be "Personal". You can copy and paste out of App2 to another app but Copy and Pasting from App1 to App2 wouldn't work as App1 is enlightened and runs under the corporate context and wouldn't allow pasting into an app running in the personal context 3. APP 3 is neither a protected nor an excempt app. WIP should Block -> Answer NO

Just to clarify. What is the goal here ? You want to block the copy feature from any app. Except from app1 and app2 as app2 is exempted from the policy and app1 can copy from and to itself. Wich means if you try to copy from app3 it won't work (from any device). So the answer is No - Yes - No You won't be able to copy from App3 what ever device it is. To reach this goal, you have to create at least 2 app protection policies : one for android and one for Windows.

The answer is... ...it depends! The question does not provide enough information. Are the apps enlightened? Is the data work or personal? If we assume that the data is being copied from a work context in App1: YES - This is WIP, so nothing to do with Android, i.e. the policy will not be applied. YES - Exempt apps can interact with any work or personal data. NO - The app is not included in the policy so will have the enterprise context of personal, so can only interact with personal data. I read with interest the explanation from DTz, but in my humble opinion it is wrong. "Block" does not prevent enterprise data from leaving protected apps. If you think about it, that would be silly as users have to be able to copy and paste between enterprise apps. What "block" does is prevent copying from a work context to a personal one.