WIP w/ MDM Office 365 Licences

%3CLINGO-SUB%20id%3D%22lingo-sub-1995621%22%20slang%3D%22en-US%22%3EWIP%20w%2F%20MDM%20Office%20365%20Licences%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1995621%22%20slang%3D%22en-US%22%3E%3CP%3EGreetings%20Everyone%2C%3CBR%20%2F%3E%3CBR%20%2F%3EI%20am%20attempting%20to%20get%20a%20WIP%20policy%20set%20up%20for%20my%20company%20to%20protect%20our%20files%20in%20this%20new%20%22work-from-home%22%20era.%20Our%20devices%20are%20MDM%20enrolled%20and%20the%20policy%20I%20have%20created%20is%20working%20mostly%20as%20intended%20for%20my%20test%20group.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBiggest%20issue%20is%20this%3A%20all%20files%20labeled%20File%20Ownership%20-%20%22work-domain%22%20are%20opening%20as%20read-only%20with%20the%20following%20message%20in%20Office%20apps.%E2%80%83%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Activate%20Office%20-%20After%20Click.PNG%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F241178i3143F0BC7110959F%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Activate%20Office%20-%20After%20Click.PNG%22%20alt%3D%22Activate%20Office%20-%20After%20Click.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EIf%20I%20click%20on%20Activate%2C%20it%20completely%20messes%20up%20my%20computer's%20Office%20activation%2C%20I%20become%20un-activated%20on%20all%20profiles%20and%20have%20to%20completely%20re-install%20to%20fix%20the%20issue.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20am%20I%20missing%3F%20Is%20this%20a%20network%20boundary%20issue%3F%20An%20enrollment%20issue%3F%20Or%20some%20other%20setting%20I%20have%20overlooked%2C%20perhaps%20on%20a%20different%20window%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20help%20would%20be%20grand!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1995621%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1999090%22%20slang%3D%22en-US%22%3ERe%3A%20WIP%20w%2F%20MDM%20Office%20365%20Licences%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1999090%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F904280%22%20target%3D%22_blank%22%3E%40jjboffy%3C%2FA%3E%26nbsp%3BDid%20you%20add%20the%20%2F*AppCompat*%2F%20string%20to%20your%20boundaries%3F%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20the%20Office%20Proplus%20XML%20included%20in%20the%20apps%20section%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Finformation-protection%2Fwindows-information-protection%2Fapp-behavior-with-wip%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EUnenlightened%20and%20enlightened%20app%20behavior%20while%20using%20Windows%20Information%20Protection%20(WIP)%20(Windows%2010)%20-%20Microsoft%20365%20Security%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2001304%22%20slang%3D%22en-US%22%3ERe%3A%20WIP%20w%2F%20MDM%20Office%20365%20Licences%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2001304%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F904280%22%20target%3D%22_blank%22%3E%40jjboffy%3C%2FA%3E%26nbsp%3BMhhm%2C%20never%20had%20this%20experience%20before.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F132717%22%20target%3D%22_blank%22%3E%40Oktay%20Sari%3C%2FA%3E%26nbsp%3Bany%20clue%20what%20could%20be%20wrong%20here%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2003209%22%20slang%3D%22en-US%22%3ERe%3A%20WIP%20w%2F%20MDM%20Office%20365%20Licences%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2003209%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F132717%22%20target%3D%22_blank%22%3E%40Oktay%20Sari%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20the%20reply!%3CBR%20%2F%3E%3CBR%20%2F%3EI%20will%20go%20through%20this%20list%20on%20Monday%20and%20gather%20some%20information%20for%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Greetings Everyone,

I am attempting to get a WIP policy set up for my company to protect our files in this new "work-from-home" era. Our devices are MDM enrolled and the policy I have created is working mostly as intended for my test group.

 

Biggest issue is this: all files labeled File Ownership - "work-domain" are opening as read-only with the following message in Office apps. 

Activate Office - After Click.PNG

If I click on Activate, it completely messes up my computer's Office activation, I become un-activated on all profiles and have to completely re-install to fix the issue.

 

What am I missing? Is this a network boundary issue? An enrollment issue? Or some other setting I have overlooked, perhaps on a different window?

 

Any help would be grand!

7 Replies

@jjboffy Did you add the /*AppCompat*/ string to your boundaries? 

Is the Office Proplus XML included in the apps section? 

 

Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) (Windows...

@JanBakkerOrphanedThanks for the reply!

 

I haven't configured any cloud services boundaries yet, so I haven't used the /*AppCompat*/ string. Do I need to use it on network domain and IP4 boundaries as well? I didn't think I did. And yes, the Office ProPlus XML is included in my protected apps.

 

jjboffy_0-1608250509710.png

I wasn't sure what the Denied-Office option was below it, but I've tried it with both, neither, and each selected, all with the same results. I've even tried adding the Excel Program via the Desktop Apps dropdown where you have to enter the fully qualified application publisher name. Same behavior.

 

My issue is happening when reading any file on a network file server mapped to my profile. My inclination is that its either not seeing my domain boundary or IP boundary. When I open the file with Excel, it becomes read-only and when I bring up "Task Manager ---> Details ---> Enterprise Context" Excel.exe is listed as Enlightened and Work Owned, so I figured that I had the Protected Apps set up correctly.

 

I was hoping the domain portion of this project would be the easy part, because I know when I start adding cloud service boundaries it is going to get hairy :facepalm:

@jjboffy Mhhm, never had this experience before. 

 

@Oktay Sari any clue what could be wrong here? 

@JanBakkerOrphaned Haven't seen this before but I'm curious to know more about your configuration @jjboffy . Perhaps you can share a little more info? 

 

  1. Did you configure  Network Domains? These (FQDN's) are used in conjunction with the IP ranges you configure.
  2. Do you see the extra column "file ownership" in explorer when you browse to the SMB share?
  3. You say it happens when "mapped to my profile" Did you test without mapping?
  4. Can you perhaps test with a .txt file? from the same file share (add notepad to your approved apps) Can you open the txt and is it protected?
  5. Can you open a word document from the share using Wordpad? (while not on approved apps list)
  6. How did you configure your WIP protection mode? Block, Allow Override or Silent? ( I'd advise to start with silent)  
  7. Almost sure you did but asking anyway...Did you check the event logs?
  8. Is it possible to configure another (test) WIP policy and target it to a test group with one or 2 users? This policy should be configured the same, but with network domains configured. I'm also curious about Cloud resources. Could you configure this test policy to include cloud resources like Sharepoint and OneDrive? I'm wondering if Office is going to behave the same way when opening files from SPO or OdB.

@Oktay Sari 

Thanks for the reply!

I will go through this list on Monday and gather some information for you.

@Oktay Sari 

To answer your questions, I worked more on this policy this week:

1) Yes, I have the network domain configured with the FQDN along with the IP ranges for the data sources in question.

2) I do see the extra column for file ownership in file explorer, it lists the company's onmicrosoft account as owner.

3) I am testing this policy as a regular domain user, not as a domain admin. So I have to use mapped drives and locations, regular users can't see the machines these locations are mapped to. If it helps, we use DFS to create namespaces for our locations that are in various geographic areas.

4) I've tested with .txt files with both wordpad and notepad with the same "Read-Only" results.

5) No, when opening a .docx with Wordpad, it gives the alert that "This is not an approved work resource".

6) It has the same effect whether I move from silent, override, or block.

7) The only event that popped up was "info" tagged from office opening in read-only mode.

8) I can set up a policy to test the Online resources, but I was hoping to get the domain stuff working before I moved onto that portion. One step at a time you know?

 

I really appreciate the help with this. I think we might have another avenue of securing our data using bitlocker and group policy, but I was hoping to move to a cloud-based solution since that is where our company is headed long-term.

 

@jjboffy Sorry couldn't be of help. Did you open a support case with Microsoft already? I'm looking at this from a MEM and WIP perspective but I'm starting to think the root cause is something else. 

 

PS: If we don't speak to each other this year...All the best for 2021! New year, new start...and hopefully a solution to this mind-boggling situation you have.