Forum Discussion
DanSec
Apr 05, 2023 Copper Contributor
Blocking file uploads to all sites, unless safelisted
We're trying to verify if we can block file uploads through the browser to all sites, unless these sites are part of an approved list or the user has an exception. We currently have a similar solutio...
The737
Jun 07, 2023 Brass Contributor
miller34mike, yes. Full E5 licensed tenant, device enrolled in Intune and onboarded in MDE as per the device inventory (screenshot below).
miller34mike
Microsoft
Jun 07, 2023
Perfect! The final check to perform is under settings within the compliance portal at the link below: confirm that device onboarding has been enabled and that the same device from MDE shows up under Purview (it may take up to an hour to complete the onboarding). Enabling device onboarding within the compliance portal will automatically ingest all MDE-onboarded devices into Purview, which is the final step to make sure that Endpoint DLP policies can be pushed to the device.
- Brandon_Tuck Feb 08, 2024 Copper Contributor
Which websites did the file blocking work on? I tried Dropbox and it did not work.
- parveenspref Feb 08, 2024 Copper Contributor
Brandon_Tuck, it's not resolved; files are still getting uploaded on a few sites, i.e. ChatGPT and others.
- Brandon_Tuck Feb 07, 2024 Copper Contributor
How did you solve this issue? I'm having the exact same problem, exact same policy made and for some reason blocking the file upload isn't working.
Thanks!
- miller34mike Jun 07, 2023
Microsoft
Happy to hear it is working for you! Glad I could help. Just finished building the policy too, will still give it a test. Thanks for running through all of this with me!
Btw, if you block Chrome or Firefox from handling sensitive data (endpoint DLP settings) the Microsoft Purview Extension will override that block BUT specific blocks like this should still work.
- The737 Jun 07, 2023 Brass Contributor
miller34mike, it WORKED. It finally WORKED. Thanks a mill for your help.
- The737 Jun 07, 2023 Brass Contributor
Thanks. Looking forward to your response.
- miller34mike Jun 07, 2023
Microsoft
I'm going to duplicate your policy and blocked domains to see what my test results in.
The MDE status is because you're managing it with Intune versus using Microsoft Defender for Endpoint Security Configuration Management.
- The737 Jun 07, 2023 Brass Contributor
miller34mike, nope, the upload isn't even visible in the Activity Explorer. In terms of the extensions, I entered them with the "." yet it got removed.
Interesting thing though... if I go on the onboarded devices page and look at the overview of the machine, the MDE Enrolment status is N/A. This gives me something to dig into....
- miller34mike Jun 07, 2023
Microsoft
Do you see the cloud upload activities within Activity Explorer?
Also, I do usually recommend including the “.” in the extension, like .docx.
On the onboarded devices page, you should be able to select a device and see what policies are active on it. Can you confirm this policy appears for the test device?
- The737 Jun 07, 2023 Brass Contributor
miller34mike, only the file extensions are set.
- miller34mike Jun 07, 2023
Microsoft
- miller34mike Jun 07, 2023
Microsoft
Sorry, here is the link to the compliance settings page
Also just to note, onboarding these devices to Purview itself has no impact. The impact occurs when an Endpoint DLP policy is assigned to an identity that logs into an onboarded device.
- The737 Jun 07, 2023 Brass Contributor
miller34mike, thanks for this. Checked and they are there.