Extension Sync with work profiles

%3CLINGO-SUB%20id%3D%22lingo-sub-2242038%22%20slang%3D%22en-US%22%3EExtension%20Sync%20with%20work%20profiles%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2242038%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20folks%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ei'm%20wondering%20how%20extension%20sync%20is%20implemented%20with%20work%20profiles%3F%3C%2FP%3E%3CP%3EAssuming%20there%20are%20managed%20clients%20with%20GPOs%20to%20restrict%20the%20installable%20extensions.%20These%20policies%20affect%20all%20profiles%20on%20the%20client%20including%20the%20sync-enabled%20work%20profile.%3C%2FP%3E%3CP%3EImagine%20a%20user%20is%20signing-in%20into%20her%20M365%20work%20profile%20from%20an%20unmanaged%20client%20(which%20at%20time%20of%20writing%20can%20not%20be%20prevented!)%2C%20now%20she%20would%20be%20able%20to%20install%20any%20extension.%20These%20extensions%20would%20possibly%20have%20access%20to%20all%20websites%20she%20is%20able%20to%20access%2Flogon%20with%20her%20work%20profile.%26nbsp%3B%3C%2FP%3E%3CP%3EI%20assume%20the%20additionally%20installed%20extensions%20would%20then%20also%20be%20synced%20but%20would%20be%20disabled%20on%20the%20managed%20client%20through%20the%20policies.%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20my%20assumption%20correct%3F%3C%2FP%3E%3CP%3EHow%20to%20prevent%20users%20from%20accessing%20websites%20through%20the%20work%20profile%20on%20unmanaged%20clients%20with%20enterprise%20blocked%20extensions%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%20regards%3C%2FP%3E%3CP%3EJoe%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2242038%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExtensions%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESync%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWork%20profile%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2257847%22%20slang%3D%22en-US%22%3ERe%3A%20Extension%20Sync%20with%20work%20profiles%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2257847%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193575%22%20target%3D%22_blank%22%3E%40Johannes%20Goerlich%3C%2FA%3E%26nbsp%3BHello!%26nbsp%3B%20The%20team%20has%20been%20discussing%20your%20question.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThey%20believe%20that%20during%20the%20extension%20install%20process%20on%20managed%20devices%20(whether%20via%20sync%20or%20otherwise)%20the%20local%20GPO%20will%20be%20tested%20and%20extension%20will%20be%20disabled%20if%20not%20allowed.%26nbsp%3B%20Or%20they%20also%20wanted%20to%20mention%20that%20it%20is%20possible%20to%20restrict%20extension%20sync%20in%20general%20with%20the%20SyncTypesListDisabled%20policy%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdeployedge%2Fmicrosoft-edge-policies%23synctypeslistdisabled%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdeployedge%2Fmicrosoft-edge-policies%23synctypeslistdisabled%3C%2FA%3E).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20will%20let%20you%20know%20if%20the%20team%20has%20any%20further%20insights%2Finformation.%26nbsp%3B%20Thanks!%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3E-Kelly%3C%2FEM%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2258550%22%20slang%3D%22en-US%22%3ERe%3A%20Extension%20Sync%20with%20work%20profiles%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2258550%22%20slang%3D%22en-US%22%3E%3CP%3EHello%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F757644%22%20target%3D%22_blank%22%3E%40Kelly_Y%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3EThank%20you%20for%20your%20response.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EAs%20the%20SyncTypesListDisabled%20policy%20can%20only%20be%20enforced%20on%20managed%20devices%20this%20would%20still%20not%20prevent%20from%20syncing%20any%20data%20into%20the%20work%20profile%20(stored%20in%20our%20AzureAD%20tenant)%20from%20unmanaged%20devices.%20If%20im%20correct%2C%20data%20may%20be%20synced%20between%20unmanaged%20devices%20using%20the%20same%20work%20profile%20while%20sync%20may%20be%20restricted%20or%20disabled%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdeployedge%2Fmicrosoft-edge-policies%23syncdisabled%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdeployedge%2Fmicrosoft-edge-policies%23syncdisabled%3C%2FA%3E)%26nbsp%3Bon%20managed%20devices%20via%20GPO.%20Sign-in%20may%20even%20be%20completely%20disabled%20on%20managed%20devices%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdeployedge%2Fmicrosoft-edge-policies%23browsersignin%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdeployedge%2Fmicrosoft-edge-policies%23browsersignin%3C%2FA%3E)%2C%20which%20still%20would%20not%20affect%20unmanaged%20devices.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EAt%20time%20of%20writing%20the%20sync%20and%20its%20capabilities%20cannot%20be%20restricted%20on%20AzureAD%20side%20nor%20is%20it%20possible%20to%20restrict%20from%20which%20device%20one%20is%20allowed%20to%20sign-in%20into%20a%20work%20profile%20(we%20have%20a%20service%20request%20open%20for%20that%20since%20quite%20some%20time).%3C%2FP%3E%3CP%3ESo%20imho%20besides%20syncing%2C%20one%20can%20take%20advantage%20from%20work%20profile%20features%20like%20seemless%20SSO%20on%20any%20device.%20There%20is%20also%20no%20need%20to%20re-authenticate%20a%20work%20profile%20sign-in%26nbsp%3Bafter%20a%20certain%20period%20of%20time.%20If%20one%20adds%20his%20work%20profile%20to%20an%20unmanaged%20device%20like%20a%20personal%20iPad%20or%20a%20PC%20in%20an%20internet%20cafe%20and%20doesn't%20remove%20it%2C%20it%20may%20stay%20there%20logged%20in%20forever.%20These%20device%20(at%20least%20in%20my%20test)%20even%20do%20not%20show%20up%20in%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmyaccount.microsoft.com%2Fdevice-list%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EMy%20Account%20-Devices%20(microsoft.com)%3C%2FA%3E%26nbsp%3Bnor%20in%20the%20company%20portal%20app.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%20Regards%3C%2FP%3E%3CP%3EJoe%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Hello folks, 

 

i'm wondering how extension sync is implemented with work profiles?

Assuming there are managed clients with GPOs to restrict the installable extensions. These policies affect all profiles on the client including the sync-enabled work profile.

Imagine a user is signing-in into her M365 work profile from an unmanaged client (which at time of writing can not be prevented!), now she would be able to install any extension. These extensions would possibly have access to all websites she is able to access/logon with her work profile. 

I assume the additionally installed extensions would then also be synced but would be disabled on the managed client through the policies. 

Is my assumption correct?

How to prevent users from accessing websites through the work profile on unmanaged clients with enterprise blocked extensions?

 

Best regards

Joe

2 Replies

@Johannes Goerlich Hello!  The team has been discussing your question.  

 

They believe that during the extension install process on managed devices (whether via sync or otherwise) the local GPO will be tested and extension will be disabled if not allowed.  Or they also wanted to mention that it is possible to restrict extension sync in general with the SyncTypesListDisabled policy (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#synctypeslistdisabled).

 

We will let you know if the team has any further insights/information.  Thanks! 

 

-Kelly

Hello @Kelly_Y ,

Thank you for your response.


As the SyncTypesListDisabled policy can only be enforced on managed devices this would still not prevent from syncing any data into the work profile (stored in our AzureAD tenant) from unmanaged devices. If im correct, data may be synced between unmanaged devices using the same work profile while sync may be restricted or disabled (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#syncdisabled) on managed devices via GPO. Sign-in may even be completely disabled on managed devices (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#browsersignin), which still would not affect unmanaged devices.


At time of writing the sync and its capabilities cannot be restricted on AzureAD side nor is it possible to restrict from which device one is allowed to sign-in into a work profile (we have a service request open for that since quite some time).

So imho besides syncing, one can take advantage from work profile features like seemless SSO on any device. There is also no need to re-authenticate a work profile sign-in after a certain period of time. If one adds his work profile to an unmanaged device like a personal iPad or a PC in an internet cafe and doesn't remove it, it may stay there logged in forever. These device (at least in my test) even do not show up in My Account -Devices (microsoft.com) nor in the company portal app.

 

Best Regards

Joe