Dec 16 2020 01:58 PM
I am attempting to get a WIP policy set up for my company to protect our files in this new "work-from-home" era. Our devices are MDM enrolled and the policy I have created is working mostly as intended for my test group.
Biggest issue is this: all files labeled File Ownership - "work-domain" are opening as read-only with the following message in Office apps.
If I click on Activate, it completely messes up my computer's Office activation, I become un-activated on all profiles and have to completely re-install to fix the issue.
What am I missing? Is this a network boundary issue? An enrollment issue? Or some other setting I have overlooked, perhaps on a different window?
Any help would be grand!
Dec 17 2020 10:47 AM
@jjboffy Did you add the /*AppCompat*/ string to your boundaries?
Is the Office Proplus XML included in the apps section?
Dec 17 2020 04:21 PM - edited Dec 18 2020 08:18 AM
@JanBakkerOrphaned Thanks for the reply!
I haven't configured any cloud services boundaries yet, so I haven't used the /*AppCompat*/ string. Do I need to use it on network domain and IP4 boundaries as well? I didn't think I did. And yes, the Office ProPlus XML is included in my protected apps.
I wasn't sure what the Denied-Office option was below it, but I've tried it with both, neither, and each selected, all with the same results. I've even tried adding the Excel Program via the Desktop Apps dropdown where you have to enter the fully qualified application publisher name. Same behavior.
My issue is happening when reading any file on a network file server mapped to my profile. My inclination is that it's either not seeing my domain boundary or my IP boundary. When I open the file with Excel, it becomes read-only, and when I bring up "Task Manager ---> Details ---> Enterprise Context", Excel.exe is listed as Enlightened and Work Owned, so I figured that I had the Protected Apps set up correctly.
I was hoping the domain portion of this project would be the easy part, because I know when I start adding cloud service boundaries it is going to get hairy.
Dec 18 2020 02:33 PM
Dec 24 2020 08:55 AM
To answer your questions, I worked more on this policy this week:
1) Yes, I have the network domain configured with the FQDN along with the IP ranges for the data sources in question.
2) I do see the extra column for file ownership in file explorer, it lists the company's onmicrosoft account as owner.
3) I am testing this policy as a regular domain user, not as a domain admin. So I have to use mapped drives and locations, regular users can't see the machines these locations are mapped to. If it helps, we use DFS to create namespaces for our locations that are in various geographic areas.
4) I've tested with .txt files in both WordPad and Notepad, with the same "Read-Only" results.
5) No, when opening a .docx with Wordpad, it gives the alert that "This is not an approved work resource".
6) It has the same effect whether I move from silent, override, or block.
7) The only event that popped up was "info" tagged from office opening in read-only mode.
8) I can set up a policy to test the Online resources, but I was hoping to get the domain stuff working before I moved onto that portion. One step at a time you know?
I really appreciate the help with this. I think we might have another avenue of securing our data using bitlocker and group policy, but I was hoping to move to a cloud-based solution since that is where our company is headed long-term.
Dec 30 2020 03:24 AM
@jjboffy Sorry I couldn't be of help. Did you open a support case with Microsoft already? I'm looking at this from a MEM and WIP perspective, but I'm starting to think the root cause is something else.
PS: If we don't speak to each other this year...All the best for 2021! New year, new start...and hopefully a solution to this mind-boggling situation you have.