Prevent Teams from saving files to Dropbox on iOS and Android

Hello!

All of our mobile devices are Azure AD registered.

We have configured two app protection policies, one for iOS and one for Android.

You can find the configuration of the app protection policy below. The problem is that users can still save files from Microsoft Teams to Dropbox.

How can I prevent users from saving files from MS Teams to private storage?

Basics

Name: APP_iOS_-Default
Description: --
Platform: iOS/iPadOS

Apps

Target to apps on all device types: No
Device types: Unmanaged
Public apps: Microsoft Invoicing, Microsoft Kaizala, Microsoft Power Apps, Microsoft 365 Admin, Microsoft Excel, Microsoft PowerPoint, Microsoft Word, Microsoft Bookings, Microsoft Office, Microsoft OneNote, Microsoft Planner, Microsoft Power BI, Microsoft SharePoint, Microsoft StaffHub, Microsoft OneDrive, Microsoft Teams, Microsoft Lists, Microsoft Stream, Microsoft To-Do, Microsoft Visio Viewer, Microsoft Whiteboard
Custom apps: --

Data protection

Prevent backups: Block
Send org data to other apps: Policy managed apps
Select apps to exempt: Default: tel;telprompt;skype;app-settings;calshow;itms;itmss;itms-apps;itms-appss;itms-services;
Save copies of org data: Block
Allow user to save copies to selected services: OneDrive for Business, SharePoint
Transfer telecommunication data to: Any dialer app
Dialer App URL Scheme: --
Receive data from other apps: All Apps
Open data into Org documents: Allow
Allow users to open data from selected services: OneDrive for Business, SharePoint, Camera
Restrict cut, copy, and paste between other apps: Any app
Cut and copy character limit for any app: 0
Third party keyboards: Allow
Encrypt org data: Require
Sync policy managed app data with native apps: Allow
Printing org data: Allow
Restrict web content transfer with other apps: Any app
Unmanaged browser protocol: --
Org data notifications: Allow

Access requirements

PIN for access: Require
PIN type: Numeric
Simple PIN: Allow
Select minimum PIN length: 4
Touch ID instead of PIN for access (iOS 8+/iPadOS): Allow
Override biometrics with PIN after timeout: Not required
Timeout (minutes of inactivity): 0
Face ID instead of PIN for access (iOS 11+/iPadOS): Allow
PIN reset after number of days: No
Number of days: 0
App PIN when device PIN is set: Require
Work or school account credentials for access: Not required
Recheck the access requirements after (minutes of inactivity): 10

Conditional launch (setting: value, action)

Max PIN attempts: 5, action: Reset PIN
Offline grace period: 720, action: Block access (minutes)
Offline grace period: 90, action: Wipe data (days)
Jailbroken/rooted devices: (no value), action: Block access

Assignments

Included groups: CL--AZ-MGMT-AllUsers
Excluded groups: CL--AZ-MFA-Exclude-, CL--AZ-MGMT-BreakGlass
Scope tags: Default

7 Replies

Hi

Are you 100% sure the devices have received the app protection policy? Normally when configuring the save copies to block but looking at the MS docs

https://docs.microsoft.com/nl-nl/mem/intune/apps/app-protection-policy-settings-ios?WT.mc_id=Portal-...

This setting is supported by Microsoft Excel, OneNote, Outlook, PowerPoint and Word. I guess I am missing Teams. I am noticing the same thing..

UPDATE: decided to write a blog about this issue and which options you have to block it.

I guess for now. Compliance policy to block the device when Dropbox is installed... or using MCAS and sanction Dropbox as non approved app...

@Rudy_Ooms_MVP Hi Rudy! First, thank you for your reply. The app protection policy is doing the stuff, for example the apps in scope require the PIN/biometrics to start them, and also on iOS I cannot save the files directly to the Files app (ootb iOS app for iCloud and local storage).

The problem is that I can still save the files from Teams to Dropbox, Google Drive etc.

Is there any way to check what kind of policies are working when opening an app on a mobile device? (like the "what if?" tool for the conditional access policies)

Hi! Thanks for your reply. MIP is a topic we are working on, but takes time. Basically the requirement is to prevent saving any file from MS Teams / Excel / SharePoint etc. to private storage like Dropbox and Google Drive on iOS and Android.

I did a blog about MAM some time ago ... https://call4cloud.nl/2021/03/the-chronicles-of-mam/

But just like you experienced.. when Dropbox is installed you can copy files to it... even when its app protection policy is on block...

You could configure the send org data to other apps to none... but ... I guess that's something you don't want

[Image: Rudy_Ooms_0-1631467773696.png]

I tested some things last afternoon

Policy managed apps: Only allow sending org data to other policy managed apps --> will give you the possibility to send data to WhatsApp/Dropbox even when all the docs are telling us it shouldn't?
Configuring that option to none.... removes all the options.... (like expected) The same goes with the OneDrive app.... setting the send data to ... to none... removes all options...

I guess we need to climb up the ladder to find out why...

It looks like this picture from the MS docs tells us why?

[Image: Rudy_Ooms_0-1631518538694.png]

For your information :)...

When configured: Policy Managed Apps --> Dropbox is visible and you are able to save it to Dropbox. But at the same time the data is encrypted... so the data is "worthless"

If you configured policy managed apps with OS sharing on MDM enrolled devices your data will be unencrypted and you could save it to Dropbox

If you configured Policy managed apps with Open-In/Share filtering the option to save to Dropbox is gone.... like you would expect with policy managed apps... :)

App Protection: Attack of the OS-Sharing - Call4Cloud
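
The three "Policy managed apps" variants compared in the last reply can be checked across exported iOS app protection policies. The following is an added example, not part of the thread or of the linked blog; it assumes the policies were exported as JSON using the Microsoft Graph beta `iosManagedAppProtection` property names (`allowedOutboundDataTransferDestinations`, `disableProtectionOfManagedOutboundOpenInData`, `filterOpenInToOnlyManagedApps`), and the sample policies are constructed.

```python
import json

# Constructed policy exports, not real tenant data. The property names are the
# Microsoft Graph beta iosManagedAppProtection names (an assumption of this
# example); the thread itself only shows the portal labels.
SAMPLE_EXPORT = json.loads("""[
 {"displayName": "constructed-plain",
  "allowedOutboundDataTransferDestinations": "managedApps",
  "disableProtectionOfManagedOutboundOpenInData": false,
  "filterOpenInToOnlyManagedApps": false},
 {"displayName": "constructed-os-sharing",
  "allowedOutboundDataTransferDestinations": "managedApps",
  "disableProtectionOfManagedOutboundOpenInData": true,
  "filterOpenInToOnlyManagedApps": false},
 {"displayName": "constructed-filtered",
  "allowedOutboundDataTransferDestinations": "managedApps",
  "disableProtectionOfManagedOutboundOpenInData": false,
  "filterOpenInToOnlyManagedApps": true},
 {"displayName": "constructed-no-field"}
]""")

def classify_outbound(policy):
    """Return (portal label, verdict) for 'Send org data to other apps'."""
    dest = policy.get("allowedOutboundDataTransferDestinations")
    if dest == "none":
        return ("None", "PASS")
    if dest == "allApps":
        return ("All apps", "FAIL")
    if dest != "managedApps":
        # Missing or unexpected value: do not guess, flag for manual review.
        return ("unknown", "REVIEW")
    if policy.get("disableProtectionOfManagedOutboundOpenInData", False):
        # Thread: data leaves unencrypted and can be saved to Dropbox.
        return ("Policy managed apps with OS sharing", "FAIL")
    if policy.get("filterOpenInToOnlyManagedApps", False):
        # Thread: the option to save to Dropbox is gone.
        return ("Policy managed apps with Open-In/Share filtering", "PASS")
    # Thread: Dropbox is still offered, but the saved file is encrypted.
    return ("Policy managed apps", "WARN")

def audit(policies):
    """Classify every policy in an export; returns (name, label, verdict)."""
    return [(p.get("displayName", "<unnamed>"),) + classify_outbound(p)
            for p in policies]

if __name__ == "__main__":
    for name, label, verdict in audit(SAMPLE_EXPORT):
        print(f"{verdict:6} {name}: {label}")
```

The policy posted in the question ("Send org data to other apps: Policy managed apps") falls into the WARN case.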