How to block installation of Dropbox / Google Drive etc.
Is there a possibility to block the installation of apps like Dropbox? A regular user can now (although not admin) install the Dropbox application.
Hi Harry,
I assume you are talking about Windows 10 managed by MDM, enrolled with Autopilot as Standard User. Dropbox is available as a user-mode install and therefore can be installed by a standard user. To control the execution and install behavior of a Windows 10 device you could leverage AppLocker, which can also be configured with MDM. There you could go for a whitelist or blacklist approach.
See here: https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp
Best,
Oliver
- Harry Dubois (Brass Contributor)
Hi Oliver, the solution is to give the standard user only rights to install apps from the Windows Store by the restriction policy in Intune.
Is this a statement, answer or question :-)? I'm not sure if I understand your sentence correctly.
I will answer to clarify my statement a bit anyway :-)
AppLocker can control store apps, executables, etc. You can build a rule set to allow some executables or block some executables, and this is even possible for store apps.
If you would like to prevent all executables, you could go for S-Mode to only allow store apps, which is a great level of security in the end.
If you would like to allow the user to install only store apps, but you would like to deploy executables by a management solution like Intune or ConfigMgr, you should go for AppLocker and build a rule set to block everything except the deployed apps from your management software (and of course the system apps). This approach needs quite a bit of work and operational effort, as every new app must be whitelisted.
You can find an Intune AppLocker rule set example with focus on security published in the Windows 10 managed with Intune guide from the UK National Cyber Security Centre here:
https://www.ncsc.gov.uk/guidance/eud-guidance-windows-10-1803-mobile-device-management
best,
Oliver
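
An added illustration of the allow-list approach described in the reply above; it is not taken from the thread or from the NCSC guide. It covers the Exe rule collection only (MSI, Script and packaged-app collections are not shown), the rule Ids are constructed GUIDs, and `<Grouping>` in the OMA-URI is a placeholder name the administrator chooses.

```xml
<!-- Added example: Exe rule collection for the AppLocker CSP.
     Intended as the String value of the custom OMA-URI
       ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<Grouping>/EXE/Policy
     Anything not matched by an Allow rule is denied once the collection is
     enforced. Standard users cannot write to Program Files or the Windows
     folder, so an installer or per-user install running from the user
     profile matches no rule below.
     EnforcementMode is AuditOnly here so the effect can be reviewed first;
     set it to Enabled to enforce. -->
<RuleCollection Type="Exe" EnforcementMode="AuditOnly">

  <!-- Everyone (S-1-1-0): software installed machine-wide, for example
       apps deployed by Intune or ConfigMgr into Program Files. -->
  <FilePathRule Id="11111111-aaaa-4bbb-8ccc-000000000001"
                Name="Allow Program Files"
                Description="Constructed example rule"
                UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%PROGRAMFILES%\*" />
    </Conditions>
  </FilePathRule>

  <!-- Everyone: operating system binaries. -->
  <FilePathRule Id="11111111-aaaa-4bbb-8ccc-000000000002"
                Name="Allow Windows folder"
                Description="Constructed example rule"
                UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%WINDIR%\*" />
    </Conditions>
  </FilePathRule>

  <!-- BUILTIN\Administrators (S-1-5-32-544): unrestricted, so that
       administrators can still install and service the device. -->
  <FilePathRule Id="11111111-aaaa-4bbb-8ccc-000000000003"
                Name="Allow all files for Administrators"
                Description="Constructed example rule"
                UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>

</RuleCollection>
```

While the collection is in AuditOnly mode, event ID 8003 in the Microsoft-Windows-AppLocker/EXE and DLL log lists each executable that would have been blocked; after switching to Enabled, actual blocks are logged as event ID 8004.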
- subhashPonmala (Copper Contributor)
Hi,
You can use the Intune Endpoint Privilege Management feature to achieve your requirement.
https://learn.microsoft.com/en-us/mem/intune/protect/epm-overview