Forum Discussion
Extension Sync with work profiles
Johannes Goerlich Hello! The team has been discussing your question.
They believe that during the extension install process on managed devices (whether via sync or otherwise) the local GPO will be tested and extension will be disabled if not allowed. Or they also wanted to mention that it is possible to restrict extension sync in general with the SyncTypesListDisabled policy (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#synctypeslistdisabled).
We will let you know if the team has any further insights/information. Thanks!
-Kelly
Hello Kelly_Y ,
Thank you for your response.
As the SyncTypesListDisabled policy can only be enforced on managed devices, this would still not prevent syncing any data into the work profile (stored in our AzureAD tenant) from unmanaged devices. If I'm correct, data may be synced between unmanaged devices using the same work profile while sync may be restricted or disabled (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#syncdisabled) on managed devices via GPO. Sign-in may even be completely disabled on managed devices (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#browsersignin), which still would not affect unmanaged devices.
At the time of writing, the sync and its capabilities cannot be restricted on the AzureAD side, nor is it possible to restrict from which device one is allowed to sign in to a work profile (we have had a service request open for that for quite some time).
So imho, besides syncing, one can take advantage of work profile features like seamless SSO on any device. There is also no need to re-authenticate a work profile sign-in after a certain period of time. If one adds his work profile to an unmanaged device like a personal iPad or a PC in an internet cafe and doesn't remove it, it may stay there logged in forever. These devices (at least in my test) do not even show up in https://myaccount.microsoft.com/device-list nor in the company portal app.
Best Regards
Joe
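To make the managed-device side of the two posts above concrete, here is an added audit script (not code from the thread or from Microsoft) that reads the three Edge policies named above from the Windows policy registry hive. It assumes the standard `HKLM:\SOFTWARE\Policies\Microsoft\Edge` location and the `extensions` list entry for SyncTypesListDisabled; an unmanaged device will simply report every policy as not enforced, which is the gap the thread describes.

```powershell
# Added example: audit Edge sync/sign-in policies on a Windows device.
# Policies written by GPO/Intune live under this hive; absent values mean
# "not enforced", which is the normal state of an unmanaged device.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgePolicyValue {
    param([string]$Name)
    $item = Get-ItemProperty -Path $base -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# SyncTypesListDisabled is a list policy: each entry is a string value
# named "1", "2", ... under a subkey of the same name.
function Get-DisabledSyncTypes {
    $key = Join-Path $base 'SyncTypesListDisabled'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    return @($props.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value })
}

$syncDisabled  = Get-EdgePolicyValue 'SyncDisabled'    # 1 = sync turned off
$browserSignin = Get-EdgePolicyValue 'BrowserSignin'   # 0 = sign-in disabled
$disabledTypes = Get-DisabledSyncTypes

# Extension sync is blocked if sync is off entirely or the
# "extensions" type is excluded; otherwise the policy side allows it.
[pscustomobject]@{
    SyncDisabled         = if ($null -eq $syncDisabled) { 'not enforced' } else { $syncDisabled }
    BrowserSignin        = if ($null -eq $browserSignin) { 'not enforced' } else { $browserSignin }
    DisabledSyncTypes    = if ($disabledTypes.Count) { $disabledTypes -join ', ' } else { 'none' }
    ExtensionSyncBlocked = ($syncDisabled -eq 1) -or ($disabledTypes -contains 'extensions')
} | Format-List
```

Run it in an elevated or standard PowerShell session on the device under test; the output is only meaningful on a device that actually receives the GPO, since the script cannot see anything about other devices signed in to the same work profile.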
- Johannes Goerlich, Dec 07, 2021, Brass Contributor
The status of our service request was set to 'archived', and it was stated:
- At this time there is still no ETA for the implementation of this Feature Request
- The Product Group has this on their roadmap and they will revisit this proposal next quarter
Currently there is no control over which device an employee is allowed to log on to the work profile from and use the sync feature. Please remember: as browser policies can only be enforced on managed devices, restricting unmanaged devices would require an option to enforce this in the Azure tenant.