Blocking download files with sensitive data from desktop client Apps on non-domain joined systems


What is the best way to block downloading files with sensitive data onto non-domain-joined personal desktops using desktop client apps (Outlook, OneDrive, Teams...)?

 

Using Conditional Access policies with Cloud App Security, we can block file downloads that contain sensitive data by configuring session policies. However, session policies apply to browser-based apps, but not to thick clients.

 

We don't want to block thick clients, just want to block sensitive data file downloads onto personal desktops.

 

Can we block by using Microsoft CASB solution, or any other process we need to follow?

 

Any guidance to resolve this issue is much appreciated.

 

Thanks in advance

7 Replies
Hi,

Session policies don’t support mobile and desktop apps. Mobile apps and desktop apps can be blocked or allowed by creating an access policy.

However, access policies do not allow blocking of downloads.

You can use this link to block downloads via a SharePoint policy:

https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices.

Thx,

Shlomi

@Fananico 

 

Thank you Shlomi,

 

We have already applied these settings. However, we don't want to block all downloads; we just want to restrict downloading sensitive data onto non-domain-joined PCs (personal PCs).

@VKantamneni 

 

Hi,

 

What are you considering as sensitive data?

Is it based on information protection labels, PII, PCI data?

 

Thx,

 

Shlomi

@Fananico 

 

Yes, sensitive data like US SSN, Bank Account number, Driving license (PII).

Have you tried using a session policy, configured to trigger for non-domain-joined devices or non-compliant devices, and trigger a block download based on DLP?

@Fananico 

 

Yes, session policies are applied for browser-based access only. They are applied and working fine for browser sessions. Desktop client apps are not being blocked.

@VKantamneni 

 

Hi Venkat,

 

It is recommended that you block mobile and native clients by using an access policy. You can customize the block message to inform the user to either access the application on a domain joined/managed machine or navigate to the web-based application. Forcing users to access the app via the web-based application will allow you to apply session controls and prevent the download of sensitive information to an unmanaged device. Please note, if the mobile or client app is using an embedded web frame, session policies will still apply to that application. If you still want to allow thick clients to access that data, you should consider applying protection on it as we can’t apply control on unmanaged devices.

 

 

More information can be found here: https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad#access-controls
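As an added example (not part of the thread and not Microsoft's own sample), the Conditional Access policy that routes both browser and desktop/mobile client sign-ins from unmanaged devices through Defender for Cloud Apps (formerly Cloud App Security), so that the access policy and session policy described in the reply above can act on them. It assumes the Microsoft Graph PowerShell SDK, the Policy.ReadWrite.ConditionalAccess permission, and a placeholder pilot group object ID; "unmanaged" is expressed as a device filter that excludes hybrid-joined (trustType ServerAD) or Intune-compliant devices.

```powershell
# Added example: route unmanaged-device access to Office 365 through Defender for Cloud Apps.
# Assumes Microsoft.Graph PowerShell SDK; <pilot-group-object-id> is a placeholder.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Unmanaged devices: route Office 365 through Defender for Cloud Apps"
    # Start in report-only mode; switch to "enabled" after checking sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @("<pilot-group-object-id>") }
        # "Office365" is the built-in app group covering Exchange, SharePoint/OneDrive, Teams.
        applications = @{ includeApplications = @("Office365") }
        # Include thick clients as well as browsers so the MCAS access policy can see them.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        devices      = @{
            deviceFilter = @{
                # Exclude hybrid-joined or compliant devices; everything else is "unmanaged".
                mode = "exclude"
                rule = 'device.trustType -eq "ServerAD" -or device.isCompliant -eq True'
            }
        }
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            # "mcasConfigured" defers to the policies defined in the Defender for Cloud Apps portal.
            cloudAppSecurityType = "mcasConfigured"
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

With this in place, the remaining configuration lives in the Defender for Cloud Apps portal, as the reply describes: an access policy filtered to client app = mobile/desktop that blocks with a custom message pointing users to a managed machine or the web app, and a session policy with content inspection (SSN, bank account, driver's license) that blocks downloads in browser sessions. Note that the session policy still only inspects browser traffic; a thick client that does not use an embedded web frame is simply blocked by the access policy rather than inspected.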