Tom_Fox
Iron Contributor
Jul 30, 2021

ExemptDomainFileTypePairsFromFileTypeDownloadWarnings policy

I am trying to configure the ExemptDomainFileTypePairsFromFileTypeDownloadWarnings policy to allow EML and MSG attachments from our HR systems to be downloaded automatically, without having to allow them.

We use DNS aliases, so I have whitelisted ".hrm.app.ourcompany.com", ".hrm.appdev.ourcompany.com" and ".hrm.appacc.ourcompany.com", as I read in the documentation that you need to start with a period to match that specific entry. We don't want to whitelist our entire domain if possible, for security reasons.

I have configured this through Group Policy using the example in the documentation, and it loads correctly in the edge://policy list. It's strange that "domains" and "file_extension" are swapped around, although it says OK. In edge://policy I have the following:

{ "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com" ], "file_extension": "eml" } ,{ "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com" ], "file_extension": "msg" }

But this doesn't work; my users still receive the message that they first need to allow the file. Is there somewhere I can check the internal processing of these rules? I don't see anything in DevTools, unless I am looking in the wrong place.

Has anybody successfully implemented this policy?

  • Tom_Fox
    Iron Contributor

    astee1280

    You need to put each file extension on a new line. In my example, this is as follows:


    {"file_extension": "eml", "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com" ] }

    {"file_extension": "msg", "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com" ] }
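
The difference between the question's single comma-joined string and the one-object-per-entry form in this reply can be checked before deployment. The Python below is an added example, not code from the thread or from Microsoft; the function names are hypothetical and the sample string is constructed from the value shown in the question. It splits pasted text into separate entries, validates the two keys the thread uses, and lists every (extension, domain) pair being exempted so the scope can be reviewed.

```python
import json

# Constructed sample: the single comma-joined string shown in the question.
DOMAINS = '[".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com"]'
SAMPLE = ('{ "domains": ' + DOMAINS + ', "file_extension": "eml" } ,'
          '{ "domains": ' + DOMAINS + ', "file_extension": "msg" }')


def split_entries(raw):
    """Parse pasted text into the individual JSON objects it contains."""
    decoder, entries, pos = json.JSONDecoder(), [], 0
    while True:
        # raw_decode does not skip separators, so step over them here.
        while pos < len(raw) and raw[pos] in " \t\r\n,":
            pos += 1
        if pos >= len(raw):
            return entries
        obj, pos = decoder.raw_decode(raw, pos)
        entries.extend(obj if isinstance(obj, list) else [obj])


def check_entry(entry):
    """Return a list of structural problems for one entry (empty if fine)."""
    if not isinstance(entry, dict):
        return ["entry is not a JSON object"]
    problems = []
    ext, domains = entry.get("file_extension"), entry.get("domains")
    if not isinstance(ext, str) or not ext:
        problems.append("file_extension must be a non-empty string")
    if not (isinstance(domains, list) and domains
            and all(isinstance(d, str) and d for d in domains)):
        problems.append("domains must be a non-empty list of strings")
    return problems


def to_list_values(raw):
    """One compact JSON string per policy list item, in the reply's key order."""
    values = []
    for entry in split_entries(raw):
        problems = check_entry(entry)
        if problems:
            raise ValueError("; ".join(problems))
        values.append(json.dumps({"file_extension": entry["file_extension"],
                                  "domains": entry["domains"]}))
    return values


def exempt_pairs(raw):
    """Every (extension, domain) pair the policy would exempt, for review."""
    return sorted((e["file_extension"], d) for e in split_entries(raw) for d in e["domains"])
```

Each string returned by `to_list_values(SAMPLE)` is one list entry for the policy; `exempt_pairs(SAMPLE)` gives the six pairs to sign off on.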

    • astee1280
      Copper Contributor
      Hi Tom_Fox,

      Our current working example is:
      <Enabled/><data id="ExemptDomainFileTypePairsFromFileTypeDownloadWarningsDesc" value='1&#xF000;{"file_extension": "eml", "domains": ["mydomain"]}'/>

      Should the 2 line example be:

      <Enabled/><data id="ExemptDomainFileTypePairsFromFileTypeDownloadWarningsDesc" value='1&#xF000;{"file_extension": "eml", "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com" ] }, {"file_extension": "msg", "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com" ] }'/>

      Would you be able to copy out your working string?

      Thanks,
      Alex
      • Tom_Fox
        Iron Contributor

        astee1280

        How are you configuring this setting, through Group Policy, Intune or directly in the registry?


        Tom

    • Tom_Fox
      Iron Contributor

      Hi Kelly_Y,

      Sorry for my late reply to this. After extensive testing, we can confirm that this policy works fine when we specify server names, but fails when we use DNS aliases. I believe this is a bug. Please can you ask your Dev Team to replicate this to confirm.

      I tried looking in the DevTools logs when launching a download, to see if I can find a check on these rules, but didn't find anything. Can you confirm if there is some logging generated when downloading?

      Tom Fox

      • Kelly_Y
        Microsoft

        Tom_Fox Hi! I've reached out to the team about the issue you are having with DNS aliases. We will follow up with any insights from them. Thanks!


        -Kelly
