Data Protection policies for web apps


Hi Microsoft Intune Community,

What are the options to set up similar data protection policies for Web versions of the Office apps which you can find in Intune?

Lately I have set up data protection policies for the iOS platform. But you can easily skip these by just going to the web version of the app, for example outlook.office.com.

I'm very curious how others have solved this challenge.

7 Replies

Hi @MohFarah, what is it that you are looking for exactly? Do you want to limit access to Office 365 Online? Like copy/paste/download on unmanaged devices? If so, you can do a couple of things:

  1. Restrict access from unmanaged devices to SharePoint Online and Exchange Online
    1. SharePoint and OneDrive unmanaged device access controls for administrators - SharePoint in Microsof...
    2. Set-OwaMailboxPolicy (ExchangePowerShell) | Microsoft Docs (ReadOnly)
  2. Create a conditional access policy with App enforced restrictions
  3. Defender for Cloud Apps

Please note: when you set policies from the SPO admin portal, it will create 2 conditional access policies targeting all users. Keep that in mind ;).

Hope this helps.
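
The tenant-side settings behind item 1 in the reply above, as an added example that is not part of the original reply. It assumes the ExchangeOnlineManagement and SharePoint Online Management Shell modules are installed; the tenant name `contoso` is a placeholder and `OwaMailboxPolicy-Default` is assumed to be the OWA policy in use.

```powershell
# Added example (not from the thread). Placeholders / assumptions:
#   - tenant admin URL 'https://contoso-admin.sharepoint.com'
#   - OWA mailbox policy name 'OwaMailboxPolicy-Default'
$SpoAdminUrl = 'https://contoso-admin.sharepoint.com'
$OwaPolicy   = 'OwaMailboxPolicy-Default'

Connect-ExchangeOnline
Connect-SPOService -Url $SpoAdminUrl

# Record the current state before changing anything, so the change can be reverted.
$owaBefore = (Get-OwaMailboxPolicy -Identity $OwaPolicy).ConditionalAccessPolicy
$spoBefore = (Get-SPOTenant).ConditionalAccessPolicy
Write-Host "Before: OWA=$owaBefore SPO=$spoBefore"

# Outlook on the web: ReadOnly lets users view attachments in the browser
# but not download them to an unmanaged device.
if ("$owaBefore" -ne 'ReadOnly') {
    Set-OwaMailboxPolicy -Identity $OwaPolicy -ConditionalAccessPolicy ReadOnly
}

# SharePoint Online / OneDrive: limited, web-only access from unmanaged devices
# (no download, print or sync).
if ("$spoBefore" -ne 'AllowLimitedAccess') {
    Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
}

# Confirm what is now configured on both services.
[pscustomobject]@{
    OwaConditionalAccessPolicy = (Get-OwaMailboxPolicy -Identity $OwaPolicy).ConditionalAccessPolicy
    SpoConditionalAccessPolicy = (Get-SPOTenant).ConditionalAccessPolicy
}
```

Neither setting restricts a session unless a Conditional Access policy with the "Use app enforced restrictions" session control (item 2 in the list) applies to that sign-in.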

 

Hi @MohFarah

@Oktay Sari has mentioned great solutions for the issue. I would like to mention one more that I like to use for my clients when applying App Protection Policies, which is approved apps. This way, users cannot open the mail using a web browser or any other unapproved apps like Mail (iOS native), Gmail etc.

Moe

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-policy-approved-app...

Hi @Moe_Kinani

Thank you for your quick reaction.

So the solution you mentioned, is it possible to apply it to private mobile devices (unmanaged)?

The client I'm working for has coworkers who use their personally owned mobile devices (sometimes laptops), so you could speak about BYOD. But regarding sensitive information, they would want options like copy/paste etc. turned off on the mobile versions of the Office apps.

Hi @Oktay Sari,

What I'm looking for is very simple:

Restrict/limit access to O365. So indeed, like you mentioned, block copy/paste/download on unmanaged devices. I see that you provided me with some links, so I will go and have a look.

A brief summary of the situation at the client:

Currently moving from an on-premise environment to a full cloud-only environment. So migrating a lot of data to SharePoint/Teams/OneDrive.

Some of the data being moved is very sensitive for the company and they wanna make sure that security is top notch, especially on unmanaged devices.

@MohFarah

Yes, App Protection Policies apply on unmanaged devices. You should be able to achieve your goal (restrict copy and paste etc.) by using App Protection Policies.

Moe

https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy

https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policies

Thx for jumping in @Moe_Kinani. @MohFarah App protection policies will help for sure.

You mentioned that users sometimes use laptops too. If you want to dive in a little deeper with regards to Windows devices and BYOD, perhaps Windows Information Protection (WIP) can help with data protection on the device itself. I'm not saying WIP is something you should do right away though. Your best option for a BYOD Windows scenario is limited browser access only. If that's not enough, perhaps Windows 365 could do the trick. But sometimes, and in some scenarios, WIP can be of added value too. Check out the series of posts I wrote on WIP here if you want to learn more.

@Oktay Sari @Moe_Kinani Thank you both for your answers!