WinZip Enterprise and Windows Information Protection (WIP)

Note: only WinZip 21 and later support Windows Information Protection (WIP) and then ONLY for those having purchased WinZip Enterprise, not to be confused with a Pro multi-user license or a Standard multi-user license.

Windows 10 has introduced Windows Information Protection, formerly referred to as Enterprise Data Protection (EDP), to guard against accidental data leaks. This protection helps to control files that are shared within a network in an enterprise, differentiating between work files and personal files. We recommend that you review information from Microsoft to get a better understanding of WIP, what it does, and how you can set it up. You might start with Protect your enterprise data using Windows Information Protection (WIP) and possibly continue with the next steps offered on the page.

WinZip is a WIP-enlightened application starting with WinZip 21.0, when installed from the WinZip Enterprise package of files as part of a WinZip Enterprise license. It can be added to the Allowed Apps list by the administrators in a domain, and it will then behave according to the restrictions that are part of the WIP policy for the domain.

For this article, references to the differentiation of files will be mentioned as tags. That is a file might be tagged as work or a file might be tagged as personal.

Basic Operations & Concepts

Domains: Managed vs. Not Managed

Users may be able to see files in a folder and seem to have access to them but not be able to open them. This happens when files are managed by a different domain that has not given access to the user trying to open the files. This would be possible when various users having various permissions save files to a network folder that is common to people of more than one group. In this case, you end up with files that are managed by different domains in the same folder. WIP restricts users from opening these files if they have not been given permission for the domain the file is managed by.

Work vs. Personal files

Under WIP, files are separated into two groups; they are tagged either as work or as personal. Work files are associated with a domain that manages them. Work files can only reside on secure network resources. Personal files can reside on the same resources. User actions are restricted when dealing with files tagged as work, but there are no restrictions on personal files.

Opening Zip files

The following list presents examples you may encounter while in a WIP environment and opening a Zip file in WinZip:

• Personal Zip file; WinZip will work as usual
• Work Zip file from a domain that is not managed; opening will fail
  
• Work Zip file from a managed domain (such as MyTest.com); WinZip will run in "managed mode" and open this file. A WIP tag will display in the top right of the WinZip window showing the domain.
  
• If you open a work Zip file and unzip it, the extracted files will also be tagged as work files.
• In a managed work Zip file, if you try to copy a file name as listed in WinZip and paste the file name into an app that is not managed, you will be prompted to convert the content to personal.
  

Adding files to Zip files

The following list presents examples you may encounter while in a WIP environment when adding files to a Zip file:

1. Open WinZip empty, then add files:

• If the file being added is a personal file, WinZip will work as usual.
• If the file being added is a work file from a domain that is not managed, the add operation will fail.
• If the file being added is a work file from a managed domain, WinZip will run in "managed mode" and the add operation will succeed.
• When WinZip runs in "managed mode", files being saved will be work Zip files by default. This tagging occurs while the Zip file exists in the Temp folder before it is saved. The target folder for saving this Zip file must be a secure location or the save will fail.

Adding files to an open, existing, personal Zip file:

• If the file being added is a personal file, the add operation will succeed.
• If the file being added is a work file, the add operation will fail.

Adding files to an open, existing, work Zip file:

• If the file being added is a personal file, the add operation will succeed.
• If the file being added is a work file, the add operation will succeed.
• If the file being added is a work file for a domain that is not managed, the add operation will fail.

Right-click a file and choose WinZipAdd to filename.zip:

• If the file is tagged as personal, the new Zip file will be personal.
• If the file is tagged as work by a managed domain, the new Zip file will be tagged as work.
• If the file is tagged as work by a domain that is not managed, the operation will fail.

Note: adding files to a Zip file will not change the tag of the Zip file from personal to work or vice versa.

Deleting files from a Zip file

Deleting a file from a Zip file does not change the WIP tag (work or personal).

Renaming a file in a Zip file

Renaming a file in a Zip file does not change the WIP tag (work or personal).

The Save As dialog

In WinZIp's Save As dialog, a drop down menu in front of File name is available. When configured to allow it, the user can use this menu to manually set whether the Zip file will be work or personal.

The following list presents examples you may encounter while in a WIP environment when using Save As if such changes are allowed:

• Open WinZip (or click New Zip File on the File menu), add a personal file, then click Save or Save As; the user can choose to save the Zip file as work or personal. The default is personal.
• Open WinZip (or click New Zip File on the File menu), add a work file from a managed domain, then click Save or Save As; the user can choose to keep the Zip file as work or change it to personal. The default is work.
• Open a personal Zip file and edit it, then click Save As; the user can choose to keep the Zip file as personal or change it to work.
• Open a work zip file and edit it, then click Save As; the user can choose to keep the zip as work or change it to personal.

Note: You cannot save a file managed by one domain in such a way as to have it be managed by another.

Using Drag and Drop

• Dropping files into WinZip from other apps or the desktop works normally.
• Dragging files from a work Zip file to another enlightened app works normally.
• Dragging files from a personal Zip file to other apps or the desktop works normally.
• Dragging files from a work Zip file to a non-enlightened app will fail.

Using Copy and Paste

• In WinZip, you can copy a work file to a local folder; it will continue to be tagged as work.
• You cannot copy a work file to the cloud. An error will display if this is attempted.
• You can copy and paste a personal file to a local folder or to the cloud. It will continue to be tagged as personal.

WinZip Backups (Job Files)

WinZip Backups are created with the Job Wizard and are also referred to as job files (.wjf).

• When creating a backup, if any files or folders tagged as work are included, the job file will be tagged as work. The Zip file created by this backup job will also be tagged as work and the target folder or destination for the Zip file cannot be a public cloud.
• When an existing job is run, if it adds a file or folder that is tagged as work, the destination for the resulting Zip file must be a secure location or the backup will fail. The job file will also be tagged as work.
• If you create a work job file or change a personal job file to work, the resulting Zip file will be tagged as work.
• When creating a backup, if the files or folders to be added are tagged as personal, the job file will be tagged as personal and the resulting Zip file will also be personal.
• If you create a personal or work job file and include a file or folder from domain that is not managed, an error will occur when you run the job.

Split Zip files, self-extractors, and UUE conversion

• When a work Zip file is converted to a split Zip file, each segment of the Zip file will be tagged as work by default.
• Currently, neither self-extractor creation nor UUE encoding are enlightened software. If these are added to the approved app list by an admin, they will be able to read and create work files. As with other non-enlightened apps, they will not be able to create personal files. Work Zip files cannot be used for these actions unless they are first saved as personal.

Clouds, Instant Messages, and Social Media

• If you open a personal Zip file, you can upload it to cloud and/or share it by IM or to Social Media.
• If you open a work file, you cannot upload it to the cloud. If you try to share it by IM or to Social Media, WinZip will display an error and provide the chance to view the error log.

Other Details

• Any temp files created when previewing file or viewing images of work files in WinZip will be tagged as work.
• Any work files extracted to a temp folder for editing by another app will be tagged as work.
• WinZip protects documents when printing. Here are the detailed cases:
  • When you select to print a personal file, it will be printed.
  • When you select to print a work file in the managed domain, if the printer is in the managed domain, the file can be printed. If the printer is not in the managed domain, WinZip will display an error.

General Rules

• You will not be allowed to save or extract work files to unsecure locations like clouds, social media, or instant messaging.
• You will not be able to copy/paste or drag/drop any data from a work file in WinZip into a non-enlightened app.
• Any file tagged as a work file will maintain that tag unless specifically changed by the user. This includes any file conversions (such as converting a document to PDF).