Forum Discussion
How to block file save on mobile device from browser and apps
Hi SebastiaanSmits,
I use Conditional Access: I select my account, only allow Android devices, and select Office365. Grant is not set. In the Session field I select Use Conditional Access App Control, then select Use custom policy, and add a session policy in Defender. As long as the user has login activity, if I download files they will be blocked by the session policy.
However, I also added an access policy, but it has no effect on the Outlook app.
Someone told me that session control can only block browser downloads, and that app blocking requires the use of app protection.
- shotime, Mar 01, 2024, Brass Contributor
Thank you SebastiaanSmits,
Looking forward to your test results. I have selected browser, mobile apps, and desktop clients, but in practice I still cannot block downloads from apps.
- SebastiaanSmits, Mar 04, 2024, Steel Contributor
I performed some tests on my Android device. From the Android device, when I use a browser (Chrome), the session policies to restrict copy/paste and download all function, but from the Outlook app it does not work. I am also never prompted that the traffic is routed through MDCA.
This is all tested on unmanaged devices, but it should not be different for managed. The thing is, I am unable to find a conclusive answer in the Docs about this only being for browsers, but I am beginning to think this is indeed the case.
- SebastiaanSmits, Mar 04, 2024, Steel Contributor
So to get back to your issue and question, you say you tried the App Protection Policy to stop downloads. Did you use the option "Save copies of org data", set to block? If you used this, it will only work for certain apps, see here: https://learn.microsoft.com/en-gb/mem/intune/apps/app-protection-policy-settings-android?WT.mc_id=Portal-Microsoft_Intune#data-protection -- and then this part:
"This setting is supported for Microsoft Excel, OneNote, PowerPoint, Word, and Edge. It may also be supported by third-party and LOB apps."
There is no need to pair this with a Conditional Access policy by the way, to answer your other question.
Even with Android Enterprise mode, where you have a separation between work and private profile, the local storage is accessible by both, so when you let downloads be as is but try to isolate the downloaded files, this cannot be completely accomplished.
- shotime, Mar 05, 2024, Brass Contributor
Hi SebastiaanSmits,
Thank you for your reply,
Regarding app protection, I have enabled the block option for all settings that allow file copying or sharing, but my testing has not been effective. I simply adjusted the app protection options and assigned devices and accounts. Later, I used a combination of CA to set it, but when combined with CA, it would be directed to the Edge browser, and would show that my app is not compliant or Access denied - the app must be protected with an Intune policy, I set all apps for policy.
I have spent a lot of time testing this, will it be related to the registration method I use on my phone? I have tried dedicated mode and fully managed user mode.
But I have seen that other people's phones can really prevent file downloads.
- SebastiaanSmits, Mar 05, 2024, Steel Contributor
Hi,
When you say: "Later, I used a combination of CA to set it, but when combined with CA, it would be directed to the Edge browser, and would show that my app is not compliant or Access denied - the app must be protected with an Intune policy, I set all apps for policy." - that should not be the case. If you use the Conditional Access grant type of "Require app protection policy" you should be fine. But this forces the apps you use to have an APP and is not a mechanism for stopping downloads by itself.
If you say: "But I have seen that other people's phones can really prevent file downloads." - can you be more explicit? What did you see and on what apps? As stated in my previous comment, there are certain apps you can prevent save-as for.
By the way, your solution might be in the type of Android Enterprise mode you use. If you indeed use the fully managed mode (COBO or COSU) you isolate all your downloads. There is no way to share between private and work profile because the whole phone is in essence a 'work profile'. There is no need to stop downloads in that scenario because as a company you control the complete phone and you control the apps that are present on the phone (only company managed apps). Is this a feasible scenario for your use case?
- shotime, Mar 05, 2024, Brass Contributor
Hi SebastiaanSmits.
1. "But I have seen that other people's phones can really prevent file downloads.", I have confirmed that the M365 apps (like Outlook, Word, Excel, etc.) will be blocked later, but Adobe Reader not.
2. (COBO or COSU)
The original customer requirement was not to download files to company's PAD. When they use Outlook, Word, Excel, OneDrive, etc., if the files are downloaded to the phone's storage and then uploaded to personal emails or Google Drive, etc.
I will test the app protection again,
Thank you for your help.
- SebastiaanSmits, Mar 05, 2024, Steel Contributor
Hi,
Regarding point 1, where did you see this? Was this on the internet or actually when holding a device? Is there any way you can point us to the resource or consult the person responsible for this setup? With APP the documentation is clear, as stated before:
"Save copies of org data" > set to block. It will only work for certain apps, see here: https://learn.microsoft.com/en-gb/mem/intune/apps/app-protection-policy-settings-android?WT.mc_id=Po... -- and then this part:
"This setting is supported for Microsoft Excel, OneNote, PowerPoint, Word, and Edge. It may also be supported by third-party and LOB apps."
There are no other download settings in APP.
- shotime, Mar 05, 2024, Brass Contributor
Hi SebastiaanSmits,
Yes, that's right.
Have you tried app protection to successfully block file downloads?