Forum Discussion
Newlife (Brass Contributor)
Dec 06, 2019
Questions on device Security
Hi Community,
One of our customers raised the queries below on certain scenarios.
Scenario 1: One of our partners raised this query: their issue with SharePoint is that when they create a label, no action is applied on the site. They want to have a limited access policy (for all devices or non-corporate devices) on the site if they choose, for example, the highly confidential label. For now it just shows the tag with no action.
Is there any other way to achieve this?
Scenario 2: Corporate devices need full offline and sync access. These are Azure joined devices for their customer, but other customers may have hybrid joined devices. Because Intune doesn't update compliancy consistently, devices sometimes show as non-compliant even though they are compliant. The partner tried to do this with conditional access, but the partner thinks that has some limitations to achieve this.
Is there any other way to achieve this?
Scenario 3: Corporate device owners that want to work on a personal desktop device (no offline access, no Outlook client connection, just Office online access). No download possibility for Outlook online, and no sync or download of files from SharePoint or OneDrive. Just online access.
Can we set up a policy for this?
Scenario 4: Corporate device owners with full offline access on personal desktop devices.
How can we protect data that is being used on a non-corporate Windows desktop?
Scenario 5: BYOD, it's basically the same scenario as the one above.
Is there any other way to achieve this?
However, on personal Windows desktops how can we protect data?
Any pointers would be of great help!!
Thanks!!
- Thijs Lecomte (Bronze Contributor)
Hi Newlife
Lots of questions, I will try my best to answer them 🙂
Scenario 1:
You can block access to specific SPO sites from unmanaged devices through CA, but there is no way to block sites with a specific tag AFAIK.
Check out this: https://docs.microsoft.com/en-US/sharepoint/control-access-from-unmanaged-devices#block-or-limit-access-to-a-specific-sharepoint-site-or-onedrive
Scenario 2:
It's true that compliance sometimes updates very slowly on Windows devices. I would recommend setting the grace period for non-compliant devices higher. That might solve your issue.
Scenario 3:
I do this one all the time. Set up a CA policy that targets all apps (except browsers) and set the action to "require hybrid joined devices".
Scenario 4+5:
I would recommend looking into Windows Information Protection - https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip
- Newlife (Brass Contributor)
Thijs Lecomte - Thanks a lot for your response.
We have read the link you sent over but couldn't get it to work like we intended to, because of limitations with conditional access etc.
However, is it somehow possible to set up these policies together to make sure that we understand every option and configure it the way it is meant to be?
- Thijs Lecomte (Bronze Contributor)
What do you mean, set them up together?
Where are you getting stuck exactly? What scenario?
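
The Scenario 3 answer in this thread (a CA policy for all apps except browsers that requires hybrid joined devices), written out as an added example that is not part of any post: the policy body uses the field names of the Microsoft Graph conditionalAccessPolicy resource, and a small check reports where a policy drifts from that intent. The display name, the report-only default and the lint rules are assumptions of this example.

```python
import json

# Field names and enum values follow the Microsoft Graph conditionalAccessPolicy
# resource. The display name and the lint rules are assumptions of this example.
def build_scenario3_policy(state="enabledForReportingButNotEnforced"):
    """All cloud apps, non-browser clients only, hybrid Azure AD join required."""
    return {
        "displayName": "EXAMPLE: non-browser clients require hybrid join",
        "state": state,  # report-only by default so the effect can be reviewed first
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            # Browsers stay out of scope so Office online works on personal devices.
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["domainJoinedDevice"]},
    }

def lint_policy(policy):
    """Return the ways a policy drifts from the Scenario 3 intent (empty = matches)."""
    findings = []
    cond = policy.get("conditions", {})
    clients = set(cond.get("clientAppTypes", []))
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if clients & {"all", "browser"}:
        findings.append("browser in scope: online-only access from personal devices breaks")
    elif "mobileAppsAndDesktopClients" not in clients:
        findings.append("desktop and mobile clients are not in scope")
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append("policy does not target all cloud apps")
    if "domainJoinedDevice" not in controls:
        findings.append("hybrid join is not a grant control")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        findings.append("operator OR lets another control replace hybrid join")
    if policy.get("state") != "enabled":
        findings.append("policy is not enforced (state=%s)" % policy.get("state"))
    return findings

if __name__ == "__main__":
    policy = build_scenario3_policy()
    print(json.dumps(policy, indent=2))
    for finding in lint_policy(policy):
        print("FINDING:", finding)
```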