Overcoming WIP limitations on BYOD W10 with Conditional Access App control policies

As you must already be aware you can use BYOD W10 to access your O365 or M365 products. You don’t need to join your devices to the corporate Active Directory domain. Just join your tenant’s Azure AD domain and you are good to access your Office 365 products and toolsets. When you do that you join your BYOD device as an Intune Compliant device.

However, as the title suggests we do have some limitations on BYOD W10 with WIP policies. This is very well documented here. One such limitation is the ability for a user to save a file from OneDrive/SharePoint or Teams straight to a %windir% or (C:\Windows) on their BYOD device and WIP encryption doesn’t apply there.

Excerpts from the article:

By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encypted by one user, other users can’t access it.
Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner.
If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.

For us this posed a major challenge in the rollout of Windows 10 BYOD devices. We had to block browser-based access for SharePoint Online; Microsoft Teams and Microsoft Exchange Online (OWA) as user could download data from these locations and store it straight to C:\Windows. This pretty much was a major DLP issue.

Blocking Browser based access was even more challenging as users could only access using clients like Outlook/Teams or OneDrive. However, we had genuine need to allow SharePoint online access on BYOD. This proved very inconvenient to our M365 Change Champions when we rolled it out to them. We received a lot of complaints and needed a solution.

In this article I am not going to talk about how to setup the WIP. For that we have tons of articles from Microsoft and from my very good friend @eskonr

You can find the articles below
Protect your enterprise data using Windows Information Protection (WIP)
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip

How to protect Azure AD App proxy (AAP) applications on windows 10 using intune windows information protection (WIP) from DLP
http://eskonr.com/2018/04/how-to-protect-azure-ad-app-proxy-aap-applications-on-windows-10-using-intune-windows-information-protection-wip-from-dlp/

Intune Windows Information Protection (WIP) Policies test cases and notes from the field
http://eskonr.com/2017/10/intune-windows-information-protection-wip-policies-test-cases-and-notes-from-the-field/

So how do we overcome the very specific limitation of allowing uses to access SharePoint online/OneDrive/OWA and still prevent them from leaking data.

There are two things that come to the rescue here.

  1. Conditional Access Policies (Session based controls in form of Conditional Access App controls). Read more about it here and here.
  2. Microsoft Cloud App Security (MCAS). Read about what MCAS is here. Part of EMS E5 licenses. Read more about licensing here.

We created a conditional access policy for this very specific purpose.
The way it works; after you configure this policy user access sessions for the apps you configure are proxied via MCAS and MCAS then decides based on what you have configured whether to block downloads or protect the downloaded files via encryption. (You may need AIP for encryption. I will be testing it later and add it as part 2 of this blog). This very proxying of the connection changes the actual URL for your apps. For example if you configure OneDrive For business and if your tenant URL is https://<tenantname-my>.sharepoint.com then the URL will slightly change to https://<tenantname-my>.sharepoint.com.us.cas.ms. There are many more settings to the Conditional Access policies app control settings, and you may want to read more about them in the details here.

The configuration included following settings.

Configuration:

Assignments:
Applied to Test users. Please be careful before you deploy this to all BYOD users.
Test; test and test it first.
Applied to 3 apps (SharePoint Online/Microsoft Exchange Online and Microsoft Teams). You can add more apps or even apps that are deployed via Azure AD App proxy and prevent downloading of sensitive information on BYOD devices.
Conditions: Device Platform: Windows; Location: any; Client Apps: Browser; Device State: All Device States and Exclude “Hybrid Azure AD joined devices”. You don’t want to block downloads on corporate laptops that are joined to your Active Directory and registered with Azure AD. I am assuming that you would have blocked local admin rights on corporate devices and have enough tools on the corporate devices that prevent users from data being taken out of the device.

Access Controls:
Grant access to devices that are marked as compliant.
Session control with Use Conditional Access App Control and select Block Download (Preview).

VERY IMPORTANT Step not to be missed. Again thanks to @eskonr for highlighting this one.

One important thing to note is that once you configure these policies do not forget to add the URL to the Intune App Protection policies. Make sure you have added the URLs for MCAS for your org in the Intune App Protection policies without which WIP will not apply to the new URLs and even though you block the download of actual file users will be able to edit files in Excel/Word/PowerPoint online and copy paste data outside of the browser session and put it on unmanaged files. This is a very important step because it will be easier for users to copy and paste content to Word/Excel to extract data.

The URLs will look something like this.

Go to the Intune App Protection Policies
à
Policy for WIP
à
Advanced Settings
à
Protected Domains (Add the MCAS Proxied URLs Above) and also Cloud resources (Add the MCAS Proxied URLs Above). This will ensure that whatever you copy from Excel/World Online sessions to an unmanaged app you will be prevented by WIP either by copying the content or protecting the enlightened apps by allowing to copy the data but applying WIP policies to protect the copied data.

This is how it will look like in action:

OWA Access

SharePoint Online Access

OneDrive For Business

When you click on “Continue to Microsoft Exchange Online or Microsoft SharePoint Online or Microsoft OneDrive for Business” and try to download a file. This is what you will see.

Leave a Reply

Your email address will not be published. Required fields are marked *