Secure OneDrive | Teams on unmanaged devices

Hi all,

I'm trying to build a solution to secure the related data when a user has installed OneDrive | Teams on an unmanaged W10 device. Tried several things, WIP without enrollment, but can't seem to find the right way. Now we have an EMS+E5 trial license activated and maybe I can accomplish this with MCAS.
Has anyone else tried to set this up already, or can somebody put me in the right direction?
Thanks!
Best regards,

Michiel

5 Replies
Hey Michiel,

WIP-WE stands out to me as the best choice if you can't control them with MDM. What problems did you face with this? You could bundle it with a terms and conditions conditional access policy to force them to enroll in MAM, and create a protection policy that covers the OneDrive sync client (assuming you're trying to encrypt the synced files rather than in the web viewer). The MCAS route you mention would let you route OneDrive/SharePoint/Teams through a reverse proxy to disable downloads, but doesn't seem to be what you're after (and could be done using standard conditional access anyway).
@Ruairidh Campbell 
Hi Ruairidh,

Thanks for replying so soon! Great community...;)
I think WIP-WE is also the best option, but the customer wants to know if there are any other options to accomplish this case.

The Teams desktop client is great, but it's connected to different O365 apps (SP, OneDrive, Exchange, etc.), so it's a hard thing to secure this on unmanaged devices.
Yeah, Conditional Access can be a bit convoluted because of all the cloud apps and their dependencies, but they've just released a single 'Office 365' app which works well.

If the goal is just preventing them from getting files onto the actual device (downloads), you can definitely use Conditional Access to lock that down. Configure the "Unmanaged Devices" setting in SharePoint Online's access control page, then enable a CA policy at session level against the Office 365 cloud app. You could also block sync by requiring a domain GUID match. If you do really need downloads, but then protect them, that's exactly what WIP's for.
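The SharePoint Online side of the setup described above, as an added example that is not part of the original thread: it switches the tenant from unrestricted access to limited (browser-only) access for unmanaged devices and restricts sync to devices joined to a specific domain. The admin URL and domain GUID are placeholders; the session-level Conditional Access policy against the Office 365 cloud app still has to be created in Azure AD.

```powershell
# Assumed: SharePoint Online Management Shell module installed and
# a Global/SharePoint admin account. Tenant URL is a placeholder.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# Weak setting: unmanaged devices get full access (download, sync, print)
# Set-SPOTenant -ConditionalAccessPolicy AllowFullAccess

# Corrected setting: unmanaged devices are limited to web-only access.
# LimitedAccessFileType controls which files the browser preview may open;
# OfficeOnlineFilesOnly is the tightest option.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess `
              -LimitedAccessFileType OfficeOnlineFilesOnly

# Block the OneDrive sync client unless the PC is joined to a listed domain.
# The GUID below is a placeholder; use the on-premises AD domain GUID
# (for example from Get-ADDomain on a domain controller).
Set-SPOTenantSyncClientRestriction -Enable `
              -DomainGuids "00000000-0000-0000-0000-000000000000"

# Verify both settings took effect before publishing the CA policy.
Get-SPOTenant | Select-Object ConditionalAccessPolicy, LimitedAccessFileType
Get-SPOTenantSyncClientRestriction
```

The "Unmanaged Devices" setting in the SharePoint admin center writes the same ConditionalAccessPolicy value, so either path can be used; the session-level Conditional Access policy is what makes the limited-access experience apply to the Office 365 app.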
Had another thought on this. With MCAS, you can create a policy that will apply an AIP encrypting label to any SharePoint downloads. If the device is stolen or files are accessed by anyone that label isn't giving permissions to, they wouldn't have access. Note this is downloads - not syncing.

All depends on what exactly you want to protect against :)
@Ruairidh Campbell 
We want to support the employees so that they can access the O365 apps in the most secure way. A lot of these people are using privately owned W10 devices, so we're looking for the best, most user-friendly and secure way to accomplish this.