How to block file save on mobile device from broswer and apps

Brass Contributor

Hi All,

 

How to block file save on mobile device from broswer and apps?

I have tried using session control to block  download files from broswer,

I have also set app protection to block download file from apps, but it has no effect.

Do I need to use app protection with condition access?

But when I use it with condition access, it will get stuck in edge browser verification.

Is there any way to achieve my goal?

 

condiction.PNG

 

 

17 Replies
Hi can you please a little more specific about what you are trying to achieve? Is this about Android and iOS ,or also other OS types? Are those devices managed by Intune or are this BYOD devices? What apps need to block downloads?

You can use Session Controls to achieve blocking downloads but you need to configure parts of this in Defender for Cloud Apps:

https://learn.microsoft.com/en-gb/entra/identity/conditional-access/concept-conditional-access-sessi...

https://learn.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps

Are you familiair with Defender for Cloud Apps?

Hi @SebastiaanSmits,

This is Android  devices,
I have tried using session control to block download files from broswer, but can't block from apps.
I want to block m365 whaterver download from broswer or apps.

Hi,

Are these Androids BYOD or fully managed?
Can you show how it ends up stuck when managing the app protection with CA?

Thanks 🙂
Can you attach a screenshot of the Session Control setting in Conditional Access you are using?

Hi @NicklasOlsen,

My Andriods with Corporate-owned dedicated devices mode,
I 've  tried to  manage app protect with CA,
when I use Edge to login outlook, it popup google store to install company portal,
but it can't join company portal because it can't creat work profile.
So if my Andriod with Corporate-owned dedicated devices mode,
it can't use app protect ?

Hi @SebastiaanSmits,
I will upload pictures to my question homepage, you can take a look at my question page.

I success block download files from session control, but apps not.

Sorry I am not sure where to find you question Homepage, you can also describe textual what the session control settings are in CA if you like

Hi @SebastiaanSmits,
I use condition access, select my account and only allow Android devices, and select Office365, grant is not set, select Use Conditional Access App Control in the Session field, then select Use custom policy, and add a session policy on the Defender. As long as the user has login activity, if  I download files will be blocked by session policy.
However, I also added an access policy, but it has no effect on the app outlook.

Someone told me that session control can only block browser download,

App blocking requires the use of app protection.

Just to be sure can you verify in your CA rule > Conditions > Client Apps > "Browser" and "Mobile apps and desktop clients" are both selected. To my understanding this should work in apps also, as long as they understand Mondern Auth and are able to adhere to CA Rules. I never seen it on Android apps to be honest. I will set it up in the coming days to see if I can make it work in our Test Tenant and wil let you know..
Thank you @SebastiaanSmits,
Looking forward to your test results. I have selected for browser, mobile apps, and desktop clients, but in actual, I still cannot block download from apps.

@shotime 

 

I performed some test on my Android device. From the Android device when I use a browser (chrome) the Session policy for restrict copy/paste and download al function but from the Outlook app it does not work. I am also never prompted the traffic is routed through MDCA.

 

This is all tested on unmanaged devices but it should not be different for managed. The thing is I am unable to find a conclusive answer in the Docs about this only being for browsers but I beginning to think this is indeed the case. 

So to get back to your issue and question, you say you tried the App Protection Policy to stop downloads, did you use the option: "Save copies of org data" , set to block? If you used this it will only work for certain apps, see here: https://learn.microsoft.com/en-gb/mem/intune/apps/app-protection-policy-settings-android?WT.mc_id=Po... -- and than this part:

"This setting is supported for Microsoft Excel, OneNote, PowerPoint, Word, and Edge. It may also be supported by third-party and LOB apps."

There is no need to pair this with a Conditional Access policy by the way, to answer your other question.

Even with Android Enterprise mode where you have a separation between work an private profile the local storage is accessible by both, so when you let downloads be as is, but try to isolate the downloaded files, this can not be completely accomplished..

Hi @SebastiaanSmits,

Thank you for your reply,
Regarding app protection, I have enabled the block option for all settings that allow file copying or sharing, but my testing has not been effective. I simply adjusted the app protection options and assigned devices and accounts. Later, I used a combination of CA to set it, but when combined with CA, it would be directed to the Edge browser, and would show that my app is not compliant or Access denied - the app must be protected with an Intune policy, I set all apps for policy.
I have spent a lot of time testing this, will it be related to the registration method I use on my phone? I have tried dedicated mode and fully managed user mode.
But I have seen that other people's phones can really prevent file downloads.

Hi,

When you say: "Later, I used a combination of CA to set it, but when combined with CA, it would be directed to the Edge browser, and would show that my app is not compliant or Access denied - the app must be protected with an Intune policy, I set all apps for policy." - that should not be the case if you use the Conditional Access grant type of: "Require app protection policy" you should be fine. But this forces the apps you use to have an APP and is not a mechanism for stopping downloads by itself.

If you say: "But I have seen that other people's phones can really prevent file downloads." - can you be mor explicit, what did you see and on what apps, as stated in my previous comment there are certain apps you can prevent save-as for.

By the way your solution might be in the type of Android Enterprise mode you use. If you indeed use the fully managed mode (COBO or COSU) you isolate all your downloads. There is no way to share between private and work profile because the whole phone is in essence a 'work profile'. There is no need to stop downloads in that scenario because a company you control the complete phone and you control the apps that are present on the phone (only company managed apps). Is this a feasible scenario for your use case?

Hi @SebastiaanSmits.

1. "But I have seen that other people's phones can really prevent file downloads.", I have confirmed that the M365 app (like outlook, word, Excel, etc.) will be blocked later, but adobe reader not.
2. (COBO or COSU)
The original customer requirement was not to download files to company's PAD. When they use Outlook, Word, Excel, OneDrive, etc., if the files are downloaded to the phone's storage and then uploaded to personal emails or Google Drive, etc.
I will test the app protection again,
Thank you for your help.


Hi,

Regarding point 1 where did you see this? Was this on internet or actual when holding a device? Is there anyway you can point us to the resource or consult the person responsible for this setup? With APP the documentation is clear, as stated before:

"Save copies of org data" > set to block. It will only work for certain apps, see here: https://learn.microsoft.com/en-gb/mem/intune/apps/app-protection-policy-settings-android?WT.mc_id=Po... -- and than this part:

"This setting is supported for Microsoft Excel, OneNote, PowerPoint, Word, and Edge. It may also be supported by third-party and LOB apps."

There are no other download settings in APP..
Hi @SebastiaanSmits,

Yes, that's right.
Have you tried app protection to successfully block file downloads?