cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Secure OneDrive | Teams on unmanaged devices

Michiel Dekker
Copper Contributor

‎Apr 01 2020 12:01 AM

‎Apr 01 2020 12:01 AM

Secure OneDrive | Teams on unmanaged devices

Hi all,

I'm trying to build a solution to secure the related data when a user as installed Onedrive | Teams on a unmanaged W10 device. Tried several things, WIP without enrollment, but can't seem to find the right way. No we have a EMS+E5 trial license activated and maybe I can accomplish this with MCAS. 

 

Has anyone else tried to set this up already, or can somebody put me in the right direction?

 

Thanks!

 

Best regards,

Michiel

1,807 Views
1 Like
5 Replies
Reply
5 Replies
Ru

‎Apr 01 2020 03:06 AM

‎Apr 01 2020 03:06 AM

Re: Secure OneDrive | Teams on unmanaged devices

Hey Michiel,

WIP-WE stands out to me as the best choice if you can't control them with MDM. What problems did you face with this? You could bundle it with a terms and conditions conditional access policy to force them to enroll in MAM, and create a protection policy that covers the OneDrive sync client (assuming you're trying to encrypt the synced files rather than in the web viewer). The MCAS route you mention would let you route OneDrive/SharePoint/Teams through a reverse proxy to disable downloads, but doesn't seem to be what you're after (and could be done using standard conditional access anyway).
0 Likes
Reply
Michiel Dekker

‎Apr 01 2020 03:18 AM

‎Apr 01 2020 03:18 AM

Re: Secure OneDrive | Teams on unmanaged devices

@Ru 

 

Hi Ruairidh,

Thanks for replying so soon! Great community...;)

 

I think WIP-WE is also the best option, but the customer wants to now if there are any other options to accomplish this case. 

The Teams desktop client is great, but it's connected to different O365 App (SP, OneDrive, Exchange, etc.) so it's a hard thing to secure this on unmanaged devices.

 

1 Like
Reply
Ru

‎Apr 01 2020 04:25 AM

‎Apr 01 2020 04:25 AM

Re: Secure OneDrive | Teams on unmanaged devices

Yeah, Conditional Access can be a bit convoluted because of all the cloud apps and their dependencies, but they've just released a single 'Office 365' app which works well.

If the goal is just preventing them from getting files onto the actual device (downloads), you can definitely use Conditional Access to lock that down. Configure the "Unmanaged Devices" setting in SharePoint Online's access control page, then enable a CA policy at session level against the Office 365 cloud app. You could also block sync by requiring a domain GUID match. If you do really need downloads, but then protect them, that's exactly what WIP's for.
0 Likes
Reply
Ru

‎Apr 01 2020 05:38 AM

‎Apr 01 2020 05:38 AM

Re: Secure OneDrive | Teams on unmanaged devices

Had another thought on this. With MCAS, you can create a policy that will apply an AIP encrypting label to any SharePoint downloads. If the device is stolen or files are accessed by anyone that label isn't giving permissions to, they wouldn't have access. Note this is downloads - not syncing.

All depends on what exactly you want to protect against :)
0 Likes
Reply
Michiel Dekker

‎Apr 01 2020 05:56 AM

‎Apr 01 2020 05:56 AM

Re: Secure OneDrive | Teams on unmanaged devices

@Ru 

 

We want to support the employees that they can access the O365 app on the most secure way. A lot of these people are using private owned W10 devices, so we're looking for the best and most user-friendly and secure way to accomplish this. 

0 Likes
Reply