Jan 13 2020 07:36 AM
What is the best way to block downloading files with sensitive data onto non-domain joined personal desktops using desktop client apps (Outlook, OneDrive, Teams...)?
Using Conditional Access policies with Cloud App Security, we can block file downloads which contain sensitive data by configuring session policies. However, session policies apply to browser-based apps, but not thick clients.
We don't want to block thick clients, just want to block sensitive data file downloads onto personal desktops.
Can we block this by using the Microsoft CASB solution, or is there any other process we need to follow?
Any guidance to resolve this issue is much appreciated.
Thanks in advance
Feb 02 2020 11:01 PM
Feb 03 2020 06:56 AM
Thank you Shlomi,
We have already applied these settings. However, we don't want to block all downloads, just want to restrict downloading sensitive data onto non-domain joined PCs (personal PCs).
Feb 03 2020 02:37 PM
Hi,
What are you considering as sensitive data?
Is it based on information protection labels, PII, PCI data?
Thx,
Shlomi
Feb 04 2020 04:20 AM
Feb 04 2020 04:42 AM
Feb 04 2020 10:10 AM
Yes, session policies are applied for browser-based access only. They are applied and working fine for browser sessions. Desktop client apps are not blocking.
Feb 06 2020 08:54 AM
Hi Venkat,
It is recommended that you block mobile and native clients by using an access policy. You can customize the block message to inform the user to either access the application on a domain joined/managed machine or navigate to the web-based application. Forcing users to access the app via the web-based application will allow you to apply session controls and prevent the download of sensitive information to an unmanaged device. Please note, if the mobile or client app is using an embedded web frame, session policies will still apply to that application. If you still want to allow thick clients to access that data, you should consider applying protection on it as we can’t apply control on unmanaged devices.
More information can be found here: https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad#access-controls