Forum Discussion
WIP w/ MDM Office 365 Licences
JanBakkerOrphaned Thanks for the reply!
I haven't configured any cloud services boundaries yet, so I haven't used the /*AppCompat*/ string. Do I need to use it on network domain and IP4 boundaries as well? I didn't think I did. And yes, the Office ProPlus XML is included in my protected apps.
I wasn't sure what the Denied-Office option was below it, but I've tried it with both, neither, and each selected, all with the same results. I've even tried adding the Excel Program via the Desktop Apps dropdown where you have to enter the fully qualified application publisher name. Same behavior.
My issue is happening when reading any file on a network file server mapped to my profile. My inclination is that it's either not seeing my domain boundary or IP boundary. When I open the file with Excel, it becomes read-only and when I bring up "Task Manager ---> Details ---> Enterprise Context" Excel.exe is listed as Enlightened and Work Owned, so I figured that I had the Protected Apps set up correctly.
I was hoping the domain portion of this project would be the easy part, because I know when I start adding cloud service boundaries it is going to get hairy.
- Oktay Sari, Dec 18, 2020 (Iron Contributor)
JanBakkerOrphaned Haven't seen this before but I'm curious to know more about your configuration @jjboffy. Perhaps you can share a little more info?
- Did you configure Network Domains? These (FQDNs) are used in conjunction with the IP ranges you configure.
- Do you see the extra column "file ownership" in Explorer when you browse to the SMB share?
- You say it happens when "mapped to my profile". Did you test without mapping?
- Can you perhaps test with a .txt file from the same file share (add Notepad to your approved apps)? Can you open the .txt and is it protected?
- Can you open a Word document from the share using WordPad (while not on the approved apps list)?
- How did you configure your WIP protection mode? Block, Allow Override or Silent? (I'd advise to start with Silent.)
- Almost sure you did but asking anyway... Did you check the event logs?
- Is it possible to configure another (test) WIP policy and target it to a test group with one or 2 users? This policy should be configured the same, but with network domains configured. I'm also curious about Cloud resources. Could you configure this test policy to include cloud resources like SharePoint and OneDrive? I'm wondering if Office is going to behave the same way when opening files from SPO or OdB.
- jjboffy, Dec 24, 2020 (Copper Contributor)
To answer your questions, I worked more on this policy this week:
1) Yes, I have the network domain configured with the FQDN along with the IP ranges for the data sources in question.
2) I do see the extra column for file ownership in File Explorer; it lists the company's onmicrosoft account as owner.
3) I am testing this policy as a regular domain user, not as a domain admin. So I have to use mapped drives and locations, regular users can't see the machines these locations are mapped to. If it helps, we use DFS to create namespaces for our locations that are in various geographic areas.
4) I've tested with .txt files with both WordPad and Notepad with the same "Read-Only" results.
5) No, when opening a .docx with WordPad, it gives the alert that "This is not an approved work resource".
6) It has the same effect whether I move from silent, override, or block.
7) The only event that popped up was "info" tagged from Office opening in read-only mode.
8) I can set up a policy to test the Online resources, but I was hoping to get the domain stuff working before I moved onto that portion. One step at a time, you know?
I really appreciate the help with this. I think we might have another avenue of securing our data using BitLocker and group policy, but I was hoping to move to a cloud-based solution since that is where our company is headed long-term.
- Oktay Sari, Dec 30, 2020 (Iron Contributor)
jjboffy Sorry couldn't be of help. Did you open a support case with Microsoft already? I'm looking at this from a MEM and WIP perspective but I'm starting to think the root cause is something else.
PS: If we don't speak to each other this year... All the best for 2021! New year, new start... and hopefully a solution to this mind-boggling situation you have.
- jjboffy, Dec 18, 2020 (Copper Contributor)
Thanks for the reply!
I will go through this list on Monday and gather some information for you.