Restrict Access (View only) to org data on Windows 10 Personal device (BYOD)

One of the recent needs from a client was as follows:

The client has three types of users working in the organization:

1. Company employees (on payroll) - company-owned devices

2. Outsourced consultants - accessing org data on devices owned by their own employer (not client-owned devices)

3. Guest users

Need

Company employees should have full access to org data on company-owned devices; if they access org data from a personal device, access should be view only.

Consultants - they can access the data on their device but cannot save anything to the device.

Guests - they should have view-only access and not be able to save anything to the device.

The above should apply to email, OneDrive, SharePoint and Teams data.


Solution - 

Step 1 - Enable limited access. This is the service-side switch: the "limited, web-only access" setting for unmanaged devices in SharePoint Online/OneDrive, and the read-only Outlook on the web mailbox policy for Exchange Online. Without it the Conditional Access session control in the next steps has nothing to enforce.

Step 2 - Create a Conditional Access policy for Exchange Online with device and browser conditions that applies the "Use app enforced restrictions" session control.

Step 3 - Modify the SharePoint limited access policy and add the device exception, so that compliant or Azure AD joined (corporate) devices keep full access.

Step 4 - Create a policy for guest users that allows access from a browser only and applies the app enforced restrictions to block download.

Non-Microsoft browsers are not supported: they do not pass device state to Azure AD, so users on them get limited access only.
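The four steps above, scripted end to end, as an added example that is not part of the original post. It assumes the SharePoint Online Management Shell, Exchange Online Management and Microsoft.Graph PowerShell modules are installed, that the admin has the matching admin roles, and that "contoso" and the policy display names are placeholders. The guest requirement is implemented as two policies (block non-browser clients; limited access in the browser), which is one reading of step 4, not necessarily the exact policy the author built.

```powershell
# Added example (not the post's own script). Tenant name "contoso" and the
# policy display names are placeholders; replace them for your tenant.
$TenantAdminUrl = "https://contoso-admin.sharepoint.com"   # assumed placeholder

# Step 1 - enable limited (web-only) access on the service side.
# SharePoint Online / OneDrive: unmanaged devices get web-only access with
# no download, print or sync; editing is also turned off to match "view only".
Connect-SPOService -Url $TenantAdminUrl
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess `
              -LimitedAccessFileType WebPreviewableFiles `
              -AllowDownloadingNonWebViewableFiles $false `
              -AllowEditing $false

# Exchange Online: Outlook on the web read-only mode (attachments preview only).
Connect-ExchangeOnline
Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" -ConditionalAccessPolicy ReadOnly

# Steps 2-4 - Conditional Access policies that switch those restrictions on.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# The "Office365" app group covers Exchange Online, SharePoint Online/OneDrive and Teams.
$office365 = "Office365"

# Steps 2 and 3 - members in a browser on any device that is NOT compliant or
# Azure AD / hybrid joined (the device exception) -> app enforced restrictions.
# Consultants on their employer's devices fall into this bucket as well.
$byodPolicy = @{
    displayName = "BYOD - app enforced restrictions (limited access)"
    state       = "enabled"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @("GuestsOrExternalUsers") }
        applications   = @{ includeApplications = @($office365) }
        clientAppTypes = @("browser")
        devices        = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.isCompliant -eq True -or device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD"'
            }
        }
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $byodPolicy

# Step 4a - guests: block every client type except the browser.
$guestBlockClients = @{
    displayName = "Guests - block non-browser clients"
    state       = "enabled"
    conditions  = @{
        users          = @{ includeUsers = @("GuestsOrExternalUsers") }
        applications   = @{ includeApplications = @($office365) }
        clientAppTypes = @("mobileAppsAndDesktopClients", "exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $guestBlockClients

# Step 4b - guests in a browser: always limited access, whatever the device.
$guestLimited = @{
    displayName = "Guests - browser limited access"
    state       = "enabled"
    conditions  = @{
        users          = @{ includeUsers = @("GuestsOrExternalUsers") }
        applications   = @{ includeApplications = @($office365) }
        clientAppTypes = @("browser")
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $guestLimited

# Check: the service-side switches must read AllowLimitedAccess / ReadOnly.
# If they are still AllowFullAccess / Off, the CA session control is a no-op
# and every browser session keeps full access.
Get-SPOTenant | Select-Object ConditionalAccessPolicy, LimitedAccessFileType, AllowEditing
Get-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" | Select-Object ConditionalAccessPolicy
```

The device filter is what makes the "corporate device" exception work: a browser that does not present device state to Azure AD is evaluated as an unknown device, never matches the exclusion, and therefore gets limited access, which is exactly the symptom described further down. Create the policies in report-only mode first if you want to see the matches before enforcing.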

After creating the above policies we ran into problems:

Even on corporate-owned devices we were getting limited access, and download/sync of OneDrive for Business was not stopped.

We tried Edge and the experience was the same. While looking for the cause we discovered the following:

The browser was not sending the device state to Azure AD, so the device exception never matched and the policy fell back to limited access.

To fix this we signed in to the Edge browser using the end user's Microsoft 365 account credentials, which resolved the issue.

To ensure all users are signed in to Edge we created a policy.

Create - 

  • Windows 10 configuration profile (Intune) 
  • Administrative Templates 
  • Select the Microsoft Edge policies and set the sign-in settings as shown in the image. 


This fixed the issue across the org.
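A client-side check for the fix above, as an added example that is not from the original post. The post's screenshot of the Edge settings is not reproduced here, so this check assumes the Administrative Template setting used was "Browser sign-in settings" set to force sign-in (Edge policy BrowserSignin = 2). It verifies the two preconditions for the browser to present device state: the device has an Azure AD identity (joined, hybrid joined or registered) and Edge is forced to sign in; it does not confirm that a particular user session is actually signed in.

```powershell
# Added example (not from the post). Run on the Windows 10 client in an
# elevated PowerShell. Assumption: the Intune Administrative Template that
# was deployed sets Edge "Browser sign-in settings" = force (BrowserSignin = 2).
function Test-EdgeDeviceStateReadiness {
    $result = [ordered]@{}

    # 1. Does the device have an identity in Azure AD at all? dsregcmd prints
    #    lines such as "AzureAdJoined : YES"; -match on the output array returns
    #    the matching lines, so an empty result means NO.
    $dsreg = dsregcmd /status
    $result.AzureAdJoined   = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')
    $result.DomainJoined    = [bool]($dsreg -match '^\s*DomainJoined\s*:\s*YES')
    $result.WorkplaceJoined = [bool]($dsreg -match '^\s*WorkplaceJoined\s*:\s*YES')
    $result.HybridJoined    = $result.AzureAdJoined -and $result.DomainJoined

    # 2. Did the Intune Administrative Template reach the Edge policy key?
    #    BrowserSignin: 0 = disable, 1 = enable, 2 = force sign-in.
    $edgeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    $signin  = (Get-ItemProperty -Path $edgeKey -Name BrowserSignin -ErrorAction SilentlyContinue).BrowserSignin
    $result.BrowserSigninPolicy = $signin
    $result.EdgeSignInForced    = ($signin -eq 2)

    # Both must hold; otherwise Edge has no device identity to send and the
    # Conditional Access device exception will not match on this machine.
    $hasDeviceIdentity = $result.AzureAdJoined -or $result.WorkplaceJoined
    $result.Ready = $hasDeviceIdentity -and $result.EdgeSignInForced

    [pscustomobject]$result
}

Test-EdgeDeviceStateReadiness | Format-List
```

If Ready is False because the policy value is missing, force an Intune sync (Settings > Accounts > Access work or school > Info > Sync) and re-run; if the device is neither joined nor registered, no browser setting will help, because there is no device state to report.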
