Restricting Download to Personal or Unmanaged Devices

  • Published 18 Oct 2024
  • Prevent data loss to untrusted devices. In this video, I show you how to configure a Microsoft 365 tenant to prevent users from downloading corporate documents to personal or unmanaged devices when they are using Exchange Online. This requires you to set up a conditional access policy and run a few PowerShell cmdlets.
    PowerShell Cmdlets: gcits.com/outl...
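
One way to apply the read-only OWA setting that the description refers to, as an added example rather than the video's own script (the linked cmdlets are not reproduced on this page). It assumes the ExchangeOnlineManagement module is installed and that every OWA mailbox policy in the tenant should get the same value; the setting only takes effect for sessions covered by a conditional access policy that uses app enforced restrictions.

```powershell
# Added example, not the video's script.
# Assumes: ExchangeOnlineManagement module installed, and an account that is
# allowed to edit OWA mailbox policies in Exchange Online.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

# ReadOnly: attachments can be viewed in the browser but not downloaded.
# ReadOnlyPlusAttachmentsBlocked: attachments cannot be viewed at all.
$desired = 'ReadOnly'

# Report the current state of every OWA mailbox policy before changing anything.
$policies = Get-OwaMailboxPolicy
$policies | Format-Table Name, IsDefault, ConditionalAccessPolicy -AutoSize

# Change only the policies that do not already carry the desired value.
foreach ($policy in $policies) {
    if ($policy.ConditionalAccessPolicy -ne $desired) {
        Set-OwaMailboxPolicy -Identity $policy.Identity -ConditionalAccessPolicy $desired
    }
}

# Verify: anything listed here did not take the setting.
$notSet = Get-OwaMailboxPolicy | Where-Object { $_.ConditionalAccessPolicy -ne $desired }
if ($notSet) {
    Write-Warning ("Policies not set to {0}: {1}" -f $desired, ($notSet.Name -join ', '))
} else {
    Write-Host "All OWA mailbox policies are set to $desired."
}

Disconnect-ExchangeOnline -Confirm:$false
```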

COMMENTS • 17

  • @gsjohnson1 2 years ago

    I've followed this tutorial (and many others!) and I still end up with the same issue. The issue is that this policy applies to ALL devices, regardless of whether they're compliant or not. I'm pulling my hair out.

  • @jimparsons8485 4 years ago +1

    Question for clarification - You showed 2 parts to the Block download, a policy and a PowerShell "ReadOnly" command. Does the PowerShell "RO" enforce RO for all Web Application users or does it work together with the CA policy which is assigned to a specific user/group?

    • @t-minus365 4 years ago +1

      Only to the users or groups scoped in the CA policy you set up!

  • @mcdave2k1 1 year ago

    Thx 4 sharing

  • @ThePranshuarora 4 years ago

    Is this sort of configuration also possible when the Exchange is on-premise 2016? I am planning to build the Intune exchange Connector, but not sure how to enforce the DLP. Please share your viewpoint.

    • @t-minus365 4 years ago +1

      Hey Pranshu, these settings only work in Exchange Online

    • @ThePranshuarora 4 years ago

      @t-minus365 If we set up the Hybrid Exchange configuration and don't migrate the mailboxes to online, will it work?

    • @t-minus365 4 years ago

      @ThePranshuarora It will only work with Exchange Online mailboxes

    • @ThePranshuarora 4 years ago

      @t-minus365 Thanks for the quick reply.

  • @893khalid1 1 year ago

    The security block is faded for me and I can’t click it

  • @saurabhvkadam 1 year ago

    How to do this in the modern UI, for example Microsoft Entra?

  • @fnd237 2 years ago

    Unless I'm missing something this is barely usable in the real world if it requires any agent to be installed on an employee's personal device.

    • @t-minus365 2 years ago

      There is no agent involved. It detects whether or not the device is corporate enrolled and applies controls accordingly

  • @EarthLover6 4 years ago

    How about the Outlook thick client - how to block download from the Outlook thick client?

    • @t-minus365 4 years ago

      This is only supported in OWA but if you were looking to block download to untrusted locations then you would want to set up a Windows Information Protection policy for unenrolled devices: ua-cam.com/video/EVmQH3DPbe4/v-deo.html

    • @fnd237 2 years ago

      I too am trying to block all attachments and downloads from the Outlook thick client. The reason phishing is so successful is that people stand up the Outlook fat client on their local subnet, and users click on links and attachments and malware executes on the same subnet as the file server. But there is no good way to block attachments from the insecure Outlook client. OWA is intentionally dumbed down by Microsoft (if OWA worked nearly as well as the fat Outlook client many people would not buy Office so Microsoft has chosen dollars over security. We need legislation here -- another subject) so users will not totally accept OWA. If OWA was nearly as capable as the fat client you could gap/proxy your browser and open malware all day long and not affect your local network. But users like that stinking fat Outlook client because OWA sucks so bad. You can add extensions to the list of prohibited Outlook attachment files via GPO, but this is easily defeated by changing the extension. If we could solve this problem hardly anyone would get ransomwared anymore. But Microsoft is standing in the way. There are minimum standards of security and compliance for say, banks, and there should be minimum security for oligopolies like Microsoft. Microsoft's intransigence is a huge factor in why ransomware has been so prevalent.