How to block installation of Dropbox / Google Drive etc.

Question

Is there a possibility to block the installation from apps like Dropbox? A regular user can now (although not admin) install the Dropbox application.

harry dubois · Answer

Hi Oliver, the solution is to give the standard user only rights to install apps from the Windows Store by the restriction policy in Intune.

oliver kieselbach · Answer

Hi Harry,
&nbsp;
I assume you are talking about Windows 10 managed by MDM enrolled with Autopilot as Standard User. Dropbox is available as user mode install and therefor can be installed by a standard user. To control execution and install behavior of a Windows 10 device you could leverage AppLocker, which can be configured with MDM also. There you could go for a whitelist or blacklist approach.
&nbsp;
see here:&nbsp;https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp
&nbsp;
best,
Oliver

oliver kieselbach · Answer

Is this a statement, answer or question :-), I'm not sure if I understand your sentence correct.
&nbsp;
I will answer to clarify my statement a bit anyway :-)
AppLocker can control store apps, executables etc. you can build a rule set to allow some executables or block some executables and this is even possible for store apps.&nbsp;
If you like to prevent all executables you could go for S-Mode to only allow store apps which is a great level of security in the end.
If you like to allow the user to install only store apps but you like to deploy executables by a management solution like Intune or ConfigMgr you should go for AppLocker and build a rule set to block everything except the deployed apps from your management software (and of course the system apps). This approach needs quite a bit of work and operational effort as every new app must be whitelisted.&nbsp;
You can find an Intune AppLocker rule set example with focus on security published in the Windows 10 managed with Intune guide from the UK National Cyber Security Centre here:&nbsp;
https://www.ncsc.gov.uk/guidance/eud-guidance-windows-10-1803-mobile-device-management
&nbsp;
best,
Oliver

harry dubois · Answer

Thanx Oliver for your answer in details. I found the solution for installing only Store apps for the user. Thats secure enough for us.&nbsp;

sunyix · Answer

Hi Harry Dubois and allI just tried it and it works fine for standard users. However, if someone is installing Google Drive application with a local admin, they can install it unfortunately. I know, that the solution for this, would be to not give users the local admin password, but unfortunately they cheat the system, because they request the local admin password for a valid things and install an unallowed cloud storage apps with local admin. Does anyone have any idea how to disable cloud storage apps (Dropbox, Google drive and a lot of unknown others) with Intune for standard and admin users also?

Forum Discussion

How to block installation of Dropbox / Google Drive etc.

6 Replies

Resources