
Restrict Access (View only) to org data on Windows 10 Personal device (BYOD)

One of the recent needs from a client was as follows:

He has three types of employees working in his organization.

1. Company employees (on payroll) - company-owned devices

2. Outsourced consultants - accessing org data on their own payroll org's devices (non-client-owned devices)

3. Guest users

Need

Company employees should have full access to org data on company-owned devices; however, if they access org data from a personal device it should be view only.

Consultants - they can access the data on their device but cannot save anything to the device.

Guests - they should have view-only access and not be able to save anything to the device.

The above should apply to Email, OneDrive, SharePoint and Teams data.


Solution -

Step 1 - Enable limited access.

Step 2 - Create a Conditional Access policy for Exchange Online (EXO) with device- and browser-based conditions that applies the app enforced restrictions policy.

Step 3 - Modify the SharePoint limited access policy and add the device exception.

Step 4 - Create a policy for guest users that allows access from a browser only and applies the app condition to block downloads.

Non-Microsoft browsers are not supported; users on them will get limited access only.
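Steps 1 to 3 above, written out as an added PowerShell example (this is not code from the original post). It assumes you have already connected with Connect-SPOService, Connect-ExchangeOnline and Connect-MgGraph (scope Policy.ReadWrite.ConditionalAccess); the policy display name and the OWA policy identity are placeholders.

```powershell
# Added example, not code from the original post: applies Steps 1 to 3 with the
# SharePoint Online, Exchange Online and Microsoft Graph PowerShell modules.
# Assumed: Connect-SPOService, Connect-ExchangeOnline and
# Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess' already ran.

# Step 1: limited access in the services themselves. SharePoint/OneDrive gives
# unmanaged-device sessions browser-only access with download disabled; the
# file-type setting controls which files may still be previewed in the browser.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess `
              -LimitedAccessFileType WebPreviewableFiles

# Exchange Online (Outlook on the web): ReadOnly shows mail but blocks
# attachment download; ReadOnlyPlusAttachmentsBlocked also hides previews.
Set-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' `
                     -ConditionalAccessPolicy ReadOnly

# Steps 2 and 3: one Conditional Access policy that turns the restriction on.
# Browser sessions only, Windows only, and a device filter that EXCLUDES
# compliant (Intune-managed) or hybrid-joined devices, so corporate machines
# keep full access and only personal/unregistered browsers get view-only.
$policy = @{
    displayName     = 'BYOD browser: view-only for Exchange and SharePoint'
    state           = 'enabledForReportingButNotEnforced'   # report-only first
    conditions      = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('browser')
        platforms      = @{ includePlatforms = @('windows') }
        devices        = @{
            deviceFilter = @{
                mode = 'exclude'
                rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
            }
        }
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Leave the policy in report-only mode and review the sign-in logs until corporate devices show as excluded by the device filter; for Step 4, a second policy scoped to GuestsOrExternalUsers can reuse the same session control.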

After creating the above policies we ran into issues:

Even on corporate-owned devices we were getting limited access, and download/sync of OneDrive for Business was not being blocked.

We tried Edge and it was the same experience. While looking for the cause of the error we discovered this:

The browser was not sending the device state to Azure AD, so Azure AD could not tell a corporate device from a personal one and applied the restriction to both.

To fix this we signed in to the Edge browser using the end user's Microsoft 365 account credentials, which fixed the issue.

To ensure all users are signed in to Edge we created a policy.

Create:

  • A Windows 10 configuration policy
  • Using Administrative Templates
  • Select the Edge policies and configure the settings as per the image.


This helped us to fix the issue across the org.
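A check you can run on a device to confirm the Edge sign-in policy has landed before troubleshooting the Conditional Access side, as an added example that is not part of the original post. The registry path is where Intune-delivered Edge Administrative Template settings are written; the expected value 2 (force users to sign in) is an assumption about the setting chosen in the image.

```powershell
# Added check, not from the original post: run on a Windows 10 device to confirm
# the Edge sign-in policy from the Intune configuration profile has applied.
# The registry path is where Intune-delivered Edge ADMX policies land; the
# expected value 2 (force sign-in) is an assumption about the setting chosen.
$edgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$signIn = (Get-ItemProperty -Path $edgePolicyKey -Name 'BrowserSignin' `
              -ErrorAction SilentlyContinue).BrowserSignin

if ($null -eq $signIn) {
    Write-Warning 'BrowserSignin not set: the Intune profile has not applied yet (check Intune sync under Settings > Accounts > Access work or school)'
} elseif ($signIn -eq 2) {
    Write-Output 'OK: Edge sign-in is forced, so the browser will present the device state to Azure AD'
} elseif ($signIn -eq 1) {
    Write-Warning 'Sign-in allowed but not forced: an unsigned Edge profile is still treated as an unmanaged device'
} else {
    Write-Warning 'Sign-in disabled (0): Edge can never send device state, so corporate devices will get limited access'
}

# Edge can only assert a device identity that exists, so also confirm the
# device is Azure AD joined (or registered) before blaming the browser.
$dsreg = dsregcmd /status
if (($dsreg -match 'AzureAdJoined\s*:\s*YES') -or ($dsreg -match 'WorkplaceJoined\s*:\s*YES')) {
    Write-Output 'Device is Azure AD joined or registered'
} else {
    Write-Warning 'Device is not joined or registered in Azure AD; device-based Conditional Access cannot identify it'
}
```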
