Hello All, 

I have an understanding wrong application of a Protected App Policy. 

MS 365 Business premium is subscribed. 

I have 3 differents types of user

 A- Internals workers on a enrolled corporate device and network. 

They are in security group A

 B - Sales  representatives with their BYOD windows 10, enrolled in Intune MDM. Outside the company network and no VPN

They are in security group B

C - Sales representatives who doesn't want to enroll their devices. 

They are in security group C

We want to protect our data from copy ou send out the company so we use WIP feature

For type C, its fine. 

In WIP policy for non enrolled device, Protected Apps are recommanded ones. So users can only access to the company data through Office WebApp. 

It targets Security Group C,  groups A & B are excluded

They are block to copy data (from mail to notepad++ for example)

For type A & B  protected mod is switched from BLOCK to Authorize/Allow Override.

Recommanded APP have been added. 

I noticed that all apps Except Word, Excel ,Powerpoint are run in protected mode (padlock icon in title pane)

What i expect is that users are only warned they are accessing protected data 

What i got : 

- They are notified Company can track action when they add a Corporate Fil as attachment in GMAIL (C was blocked) 

- They can copy data from a mail to notepad++

- And the stucking point :  They can't open corporate file like .Docx or XLSX  even they are in their OneDrive folder or other (c:\temp)

Here is the message they got :

(this file can only be opened from a work location)

I CAN access & edit file in notepad (padlocked), i saw encrypted content and i can write in it and save.

I can create files in Onedrive 

I don't why. I suspected Network Boudnaries issues too . I configured Cloud ressources as suggested by MS: Recommended URL by MS  + part46 of O365 Endpoint and also add  /*AppCompat*/ and my Public IP in order to allow my House place  like that : 1.1.1.1-1.1.1.1

I have no idea why this is happening. i just know it is linked to the property attribute which i can modify.. 

Why the Protected mode is blocking ? 

Edit : 

Just after loged in my windows session, before Onedrive is launched, i am able to edit my files with word from my Onedrive folder and save it. I also  see the briefcase on my file (WIP is applied)

Once Onedrive is running , i am no more able to edit my file. 

WHile Onedrive is running and if i am still editing my file nothing happen. i can continue to edit my file and save it. 
If i close it and reopen directly, i got the error

So, it seems it is linked to onedrive or sharepoint. 

Here is what i set in network boudnaries

Ressource Cloud - SHAREPOINT 

mycompany.sharepoint.com | mycompany.-my.sharepoint.com | mycompany-files.sharepoint.com |/*AppCompat*/

Ressource Cloud - O365 services 

tasks.office.com | protection.office.com | meet.lync.com | project.microsoft.com | teams.microsoft.com | outlook.office.com | outlook.office365.com |attachments.office.net|/*AppCompat*/

NEUTRAL - Neutral

login.microsoftonline.com,login.windows.net

thanks a lot for any support