Mar 29 2021 01:11 AM
I'm wondering how extension sync is implemented with work profiles?
Assuming there are managed clients with GPOs to restrict the installable extensions. These policies affect all profiles on the client including the sync-enabled work profile.
Imagine a user is signing in to her M365 work profile from an unmanaged client (which at the time of writing cannot be prevented!); now she would be able to install any extension. These extensions would possibly have access to all websites she is able to access/log on to with her work profile.
I assume the additionally installed extensions would then also be synced but would be disabled on the managed client through the policies.
Is my assumption correct?
How to prevent users from accessing websites through the work profile on unmanaged clients with enterprise blocked extensions?
Apr 06 2021 04:44 PM
@Johannes Goerlich Hello! The team has been discussing your question.
They believe that during the extension install process on managed devices (whether via sync or otherwise) the local GPO will be tested and the extension will be disabled if not allowed. They also wanted to mention that it is possible to restrict extension sync in general with the SyncTypesListDisabled policy (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#synctypeslistdisabled).
We will let you know if the team has any further insights/information. Thanks!
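As an added illustration (not from the thread and not Microsoft's own tooling): a PowerShell fragment that applies the policies named above on a managed Windows client and then audits what the device will actually enforce. The registry layout follows the documented Edge policy paths; the allowlisted extension ID is a placeholder.

```powershell
# Added example: write Edge list-type policies (numbered string values under a
# subkey of the Edge policy root) and read them back for an audit.
# Assumption: run elevated on a managed client; extension ID below is a placeholder.

$EdgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Set-EdgeListPolicy {
    param([string]$Name, [string[]]$Items)
    # List policies are stored as values named "1", "2", ... under a subkey.
    $key = Join-Path $EdgePolicy $Name
    if (Test-Path $key) { Remove-Item $key -Recurse -Force }   # drop stale entries first
    New-Item -Path $key -Force | Out-Null
    for ($i = 0; $i -lt $Items.Count; $i++) {
        New-ItemProperty -Path $key -Name ($i + 1) -Value $Items[$i] `
            -PropertyType String -Force | Out-Null
    }
}

function Get-EdgeListPolicy {
    param([string]$Name)
    $key = Join-Path $EdgePolicy $Name
    if (-not (Test-Path $key)) { return @() }
    # Return the numbered values in numeric order so the audit output is stable.
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value }
}

# Block every extension except those explicitly allowed (placeholder ID).
Set-EdgeListPolicy -Name 'ExtensionInstallBlocklist' -Items @('*')
Set-EdgeListPolicy -Name 'ExtensionInstallAllowlist' -Items @('<allowlisted-extension-id>')
# Keep profile sync enabled, but exclude extensions from what is synced.
Set-EdgeListPolicy -Name 'SyncTypesListDisabled' -Items @('extensions')

# Audit: print what this device will enforce for each policy.
foreach ($p in 'ExtensionInstallBlocklist', 'ExtensionInstallAllowlist', 'SyncTypesListDisabled') {
    '{0}: {1}' -f $p, ((Get-EdgeListPolicy -Name $p) -join ', ')
}
```

Because these are HKLM policies they only take effect on devices you manage; an unmanaged device signed in to the same work profile is untouched by them.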
Apr 07 2021 02:45 AM
Hello @Kelly_Y ,
Thank you for your response.
As the SyncTypesListDisabled policy can only be enforced on managed devices, this would still not prevent syncing any data into the work profile (stored in our AzureAD tenant) from unmanaged devices. If I'm correct, data may be synced between unmanaged devices using the same work profile while sync may be restricted or disabled (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#syncdisabled) on managed devices via GPO. Sign-in may even be completely disabled on managed devices (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#browsersignin), which still would not affect unmanaged devices.
At the time of writing the sync and its capabilities cannot be restricted on the AzureAD side, nor is it possible to restrict from which device one is allowed to sign in to a work profile (we have had a service request open for that for quite some time).
So imho, besides syncing, one can take advantage of work profile features like seamless SSO on any device. There is also no need to re-authenticate a work profile sign-in after a certain period of time. If one adds his work profile to an unmanaged device like a personal iPad or a PC in an internet cafe and doesn't remove it, it may stay there logged in forever. These devices (at least in my test) do not even show up in My Account - Devices (microsoft.com) nor in the company portal app.
Dec 07 2021 07:38 AM
The status of our service request was set to 'archived', and it was stated:
Currently there is no control over from which device an employee is allowed to log on to the work profile and use the sync feature. Please remember: as browser policies can only be enforced on managed devices, to restrict on unmanaged devices it would be necessary to have an option to enforce this in the Azure tenant.