Hi Nip17,
the customer concern is:
* Some employees use a laptop and some a PC;
* for both cases users should be able to handle .DOCX files in their daily routine.
If we use Exchange MAILFLOW RULES, we can detect some 'strange behavior' like users sending files as attachments to their personal e-mail address (@gmail.com, @hotmail.com, @yahoo.com, etc.) and then quarantine or just block, etc. Sometimes users just create a new e-mail in the MS Outlook Windows app and then add those files as attachments but do not send - just 'save and hold'; during the night at home they can access their accounts via https://outlook.office.com and then download the files.
I know that we can access https://compliance.microsoft.com/datalossprevention and create a new policy/rule for some file share, but the problem is if they upload/attach those files to their personal e-mail address using the web browser (gmail website for example). Since their credentials are still valid, they can save locally at their home computer, open the file for editing, etc. But what about the copy saved in the local 'Downloads' folder? How to ensure that those files will be deleted after work? Is there a way to limit user 'logon/authentication' to business hours?
How to limit upload using a web browser? As far as I know the only way is to use antivirus with DLP rules or even a PROXY/FW with DLP.
If these employees have access to a 'datastore' like a pendrive or even their mobile phone with a USB cable, how to prevent them from copying files? As far as I know we must block USB datastores using antivirus.
Is there a way to limit on what 'device' they can manage those files? If we use an encryption solution, only allowed devices (with an installed key/certificate) are able to open/handle those files.
A few months ago I created a support ticket with the MS O365 team about how to limit the OneDrive app so it is unable to sync personal accounts, because we found some guys copying from the OneDrive CORP account disk folder to the OneDrive PERSONAL account disk folder - they sent instructions about GPO and .ADMX files for that, but since that customer doesn't have local AD, we asked for more options and they sent REG KEYS to be used for that situation.
>>> As you can see, 'beginner' employees can copy data based on senior employees' effort!!!
* We also have a similar situation about protecting corporate data, where a customer has CAD project files to protect (Autodesk Powermill and Machine Strategist files).
##############################################
If someone reading this needs it, I'll share information about blocking the OneDrive app from syncing a personal account:
##############################################
- For environments with local AD: https://docs.microsoft.com/en-us/onedrive/use-group-policy
- For environments without AD:
  - Download the OneDrive Deployment Package (http://go.microsoft.com/fwlink/p/?LinkId=717805)
  - Press Win + R, run "%systemroot%\policyDefinitions", and drag & drop OneDrive.admx to this location.
  - Go to "%systemroot%\policyDefinitions\en-us" and put OneDrive.adml there.
  - Press Win + R, run GPEDIT.MSC
  - Click User Configuration > Administrative Templates > OneDrive > Prevent Users from synchronizing personal OneDrive accounts.
  - Set it to Enabled.
Once it is completed, users can't sync a personal OneDrive. For those users who have synced a personal OneDrive previously, unlink the personal OneDrive; they will not see the OneDrive - Personal icon in File Explorer either.
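For environments without AD where you would rather script the setting than click through GPEDIT.MSC, the same policy can be applied and audited through the registry. The following PowerShell is an added example written for this thread; it is not the OneDrive Deployment Package, the GPO guide linked above, or the registry instructions Microsoft support sent to the original poster. It relies on the documented registry backing of the "Prevent users from synchronizing personal OneDrive accounts" policy (the DWORD value DisablePersonalSync under HKCU\SOFTWARE\Policies\Microsoft\OneDrive); the function names and the HKEY_USERS audit loop are this example's own design.

```powershell
# Added example: apply and audit the registry form of the OneDrive policy
# "Prevent users from synchronizing personal OneDrive accounts".
# DisablePersonalSync = 1 (DWORD) under the OneDrive policy key is the
# documented registry equivalent of that GPO setting. Function names are
# this example's own. Run elevated: HKCU\SOFTWARE\Policies is not writable
# by a standard user, which is also why the setting is hard for users to undo.

$OneDrivePolicySubKey = 'SOFTWARE\Policies\Microsoft\OneDrive'
$ValueName            = 'DisablePersonalSync'

function Set-OneDrivePersonalSyncBlocked {
    # Create the policy key for the current user if missing, then set the value.
    $key = "HKCU:\$OneDrivePolicySubKey"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-OneDrivePersonalSyncBlocked {
    # $true only when the value exists and is exactly 1 for the current user.
    $key  = "HKCU:\$OneDrivePolicySubKey"
    $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

function Get-OneDrivePersonalSyncStatus {
    # Audit every loaded user hive under HKEY_USERS (logged-on users), so a
    # machine shared by several employees can be checked in one pass.
    # Only real account SIDs (S-1-5-21-...) are inspected; *_Classes and
    # built-in hives are skipped.
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $key  = "Registry::HKEY_USERS\$sid\$OneDrivePolicySubKey"
            $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Sid     = $sid
                Blocked = ($null -ne $item -and $item.$ValueName -eq 1)
            }
        }
}

# Apply for the current user, then verify and report drift for all loaded hives.
Set-OneDrivePersonalSyncBlocked
if (Test-OneDrivePersonalSyncBlocked) {
    Write-Output "OneDrive personal account sync is blocked for $env:USERNAME"
} else {
    Write-Warning "Policy value missing or wrong; OneDrive personal sync is NOT blocked"
}
Get-OneDrivePersonalSyncStatus | Format-Table -AutoSize
```

The audit function is the part worth keeping in a scheduled task: the GPEDIT steps above set the value once, but a value under HKCU only exists for the profile it was written to, so new local accounts on the same PC start out unblocked until the key is written for them too.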