ExemptDomainFileTypePairsFromFileTypeDownloadWarnings policy


I am trying to configure the ExemptDomainFileTypePairsFromFileTypeDownloadWarnings policy to allow EML and MSG attachments from our HR systems to be downloaded automatically, without having to allow them.

 


We use DNS aliases, so I have whitelisted ".hrm.app.ourcompany.com", ".hrm.appdev.ourcompany.com" and ".hrm.appacc.ourcompany.com", as I read in the documentation that you need to start with a period to match that specific entry.  We don't want to whitelist our entire domain if possible, for security reasons.

 

I have configured this through Group Policy using the example in the documentation, and it loads correctly in the edge://policy list.  It's strange that "domains" and "file_extension" are swapped around, although it says OK.  In edge://policy I have the following:

{ "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com" ], "file_extension": "eml" } ,{ "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com" ], "file_extension": "msg" }

 

But this doesn't work, my users still receive the message that they first need to allow the file.  Is there somewhere I can check the internal processing of these rules?  I don't see anything in DevTools, unless I am looking in the wrong place.

 

Has anybody successfully implemented this policy?

3 Replies

@Tom_Fox Hi!  There have been some recent discussions about this same policy.  Re: SmartScreen turned off -> Java Webstart JNLP Files are marked as "can harm your computer - Micro...

 

Also, separately we've had a user mention that if using the GP editor "each file_extension MUST be entered on a separate line in the editor, or the policy will not apply." 

 

-Kelly
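
An added example (not part of the thread and not Microsoft's code) for the tip quoted in the reply above: it splits a pasted value holding several objects into one JSON object per line, ready for the GP editor, and flags entries that pack more than one extension into `file_extension`. The function names and the structural checks are assumptions based on the entry shape shown in the question; the script does not touch how Edge matches domains or DNS aliases.

```python
import json

def split_entries(raw):
    """Return every JSON value found in a pasted policy string, in order."""
    decoder = json.JSONDecoder()
    entries, pos = [], 0
    while pos < len(raw):
        if raw[pos] in " \t\r\n,[]":  # separators between top-level objects
            pos += 1
            continue
        value, pos = decoder.raw_decode(raw, pos)
        entries.append(value)
    return entries

def check_entry(entry):
    """List structural problems with one entry (assumed rules, not Edge's)."""
    if not isinstance(entry, dict):
        return ["entry is not a JSON object"]
    problems = []
    ext = entry.get("file_extension")
    if not isinstance(ext, str) or not ext.strip():
        problems.append("file_extension must be a non-empty string")
    elif any(c in ext for c in ", ;"):
        problems.append("file_extension holds more than one extension")
    domains = entry.get("domains")
    if not isinstance(domains, list) or not domains:
        problems.append("domains must be a non-empty list")
    elif not all(isinstance(d, str) and d.strip() for d in domains):
        problems.append("every domain must be a non-empty string")
    return problems

def gp_editor_lines(raw):
    """Return (lines, problems): one compact JSON object per editor line."""
    lines, problems = [], []
    for i, entry in enumerate(split_entries(raw), start=1):
        found = check_entry(entry)
        problems += [f"entry {i}: {p}" for p in found]
        if not found:
            lines.append(json.dumps(entry))
    return lines, problems

# The value as shown in edge://policy in the question above.
SAMPLE = ('{ "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", '
          '".hrm.appdev.ourcompany.com" ], "file_extension": "eml" } ,'
          '{ "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", '
          '".hrm.appdev.ourcompany.com" ], "file_extension": "msg" }')

if __name__ == "__main__":
    ok_lines, found_problems = gp_editor_lines(SAMPLE)
    print("\n".join(ok_lines + found_problems))
```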

Hi @Kelly_Y,

Sorry for my late reply to this. After extensive testing, we can confirm that this policy works fine when we specify server names, but fails when we use DNS aliases. I believe this is a bug. Please can you ask your Dev Team to replicate this to confirm.

I tried looking in the DevTools logs when launching a download, to see if I can find a check on these rules, but didn't find anything. Can you confirm if there is some logging generated when downloading?

Tom Fox

@Tom_Fox Hi!  I've reached out to the team about the issue you are having with DNS aliases.  We will follow up with any insights from them.  Thanks!

 

-Kelly