SOLVED

Protected App - WIP Protect Authorized mod not working

%3CLINGO-SUB%20id%3D%22lingo-sub-1477370%22%20slang%3D%22fr-FR%22%3EProtected%20App%20-%20WIP%20Protect%20Authorized%20mod%20not%20working%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1477370%22%20slang%3D%22fr-FR%22%3E%3CP%3EHello%20All%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20an%20understanding%20wrong%20application%20of%20a%20Protected%20App%20Policy.%26nbsp%3B%3C%2FP%3E%3CP%3EMS%20365%20Business%20premium%20is%20subscribed.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%203%20different%20types%20of%20user%3C%2FP%3E%3CP%3E%26nbsp%3BA-%20Internals%20workers%20on%20a%20enrolled%20corporate%20device%20and%20network.%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EThey%20are%20in%20security%20group%20A%3C%2FP%3E%3CP%3E%26nbsp%3BB%20-%20Sales%20representatives%20with%20their%20BYOD%20windows%2010%2C%20enrolled%20in%20Intune%20MDM.%20Outside%20the%20company%20network%20and%20no%20VPN%3C%2FP%3E%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EThey%20are%20in%20security%20group%20B%3C%2FP%3E%3CP%3EC%20-%20Sales%20representatives%20who%20don't%20want%20to%20enroll%20their%20devices.%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EThey%20are%20in%20security%20group%20C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20want%20to%20protect%20our%20data%20from%20copy%20or%20send%20out%20the%20company%20so%20we%20use%20WIP%20feature%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20type%20C%2C%20its%20fine.%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20WIP%20policy%20for%20non-enrolled%20device%2C%20Protected%20Apps%20are%20recommended%20ones.%20So%20users%20can%20only%20access%20to%20the%20company%20data%20through%20Office%20WebApp.%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20targets%20Security%20Group%20C%2C%20groups%20A%20-B%20are%20excluded%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThey%20are%20block%20to%20copy%20data%20(from%20mail%20to%20notepad%20for%20example)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Julpi_0-1592568258240.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F199707iBE12230A5EA600DC%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Julpi_0-1592568258240.png%22%20alt%3D%22Julpi_0-1592568258240.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EFor%20type%20A-B%20protected%20mod%20is%20switched%20from%20BLOCK%20to%20Authorize%2FAllow%20Override.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Julpi_2-1592581616561.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F199758i6BB894175C7F6823%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Julpi_2-1592581616561.png%22%20alt%3D%22Julpi_2-1592581616561.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERecommended%20APP%20have%20been%20added.%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20noticed%20that%20all%20apps%20Except%20Word%2C%20Excel%20%2CPowerpoint%20are%20run%20in%20protected%20mode%20(padlock%20icon%20in%20title%20pane)%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20i%20expect%20is%20that%20users%20are%20only%20warned%20they%20are%20accessing%20protected%20data%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20i%20got%3A%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22lia-indent-padding-left-90px%22%3E-%20They%20are%20notified%20Company%20can%20track%20action%20when%20they%20add%20a%20Corporate%20Fil%20as%20attachment%20in%20GMAIL%20(C%20was%20blocked)%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22lia-indent-padding-left-90px%22%3E-%20They%20can%20copy%20data%20from%20a%20mail%20to%20notepad%3C%2FP%3E%3CP%20class%3D%22lia-indent-padding-left-90px%22%3E-%20And%20the%20stucking%20point%3A%20They%20can't%20open%20corporate%20file%20like%20.%20Docx%20or%20XLSX%20even%20they%20are%20in%20their%20OneDrive%20folder%20or%20other%20(c%3Atemp)%3C%2FP%3E%3CP%3EHere%20is%20the%20message%20they%20got%3A%3C%2FP%3E%3CP%3E(this%3CSPAN%3E%3CEM%3Efile%20can%20only%20be%20opened%20from%20a%20work%20location)%3C%2FEM%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Julpi_1-1592581038613.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F199750i4EF2369839DB3263%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Julpi_1-1592581038613.png%22%20alt%3D%22Julpi_1-1592581038613.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20CAN%20access%20-%20edit%20file%20in%20notepad%20(padlocked)%2C%20i%20saw%20encrypted%20content%20and%20i%20can%20write%20in%20it%20and%20save.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Julpi_0-1592581479330.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F199756iA6A124E5F65AC362%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Julpi_0-1592581479330.png%22%20alt%3D%22Julpi_0-1592581479330.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20create%20files%20in%20Onedrive%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20don't%20why.%20I%20suspected%20Network%20Boudnaries%20issues%20too.%20I%20configured%20Cloud%20resources%20as%20suggested%20by%20MS%3A%20-ERR%3AREF-NOT-FOUND-Recommended%20URL%20by%20MS%20'%20part46%20of%20-ERR%3AREF-NOT-FOUND-O365%20Endpoint%20and%20also%20add%20%3CSPAN%3E%2F'%3C%2FSPAN%3E%3CEM%3EAppCompat%3C%2FEM%3E%3CSPAN%3E'%2F%20and%20my%20Public%20IP%20in%20order%20to%20allow%20my%20House%20place%20like%20that%3A%201.1.1-1.1.1.1.1.1.1.1.1.1%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20no%20idea%20why%20this%20is%20happening.%20i%20just%20know%20it%20is%20linked%20to%20the%20property%20attribute%20which%20i%20can%20modify..%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Julpi_1-1592581534004.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F199757i4E30A80EB49CF47B%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Julpi_1-1592581534004.png%22%20alt%3D%22Julpi_1-1592581534004.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhy%20the%20Protected%20mode%20is%20blocking%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEdit%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EJust%20after%20loged%20in%20my%20windows%20session%2C%20before%20Onedrive%20is%20launched%2C%20i%20am%20able%20to%20edit%20my%20files%20with%20word%20from%20my%20Onedrive%20folder%20and%20save%20it.%20I%20also%20see%20the%20briefcase%20on%20my%20file%20(WIP%20is%20applied)%3C%2FP%3E%3CP%3EOnce%20Onedrive%20is%20running%2C%20i%20am%20no%20more%20able%20to%20edit%20my%20file.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWHile%20Onedrive%20is%20running%20and%20if%20i%20am%20still%20editing%20my%20file%20nothing%20happen.%20i%20can%20continue%20to%20edit%20my%20file%20and%20save%20it.%26nbsp%3B%3CBR%20%2F%3EIf%20i%20close%20it%20and%20reopen%20directly%2C%20I%20got%20the%20error%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%2C%20it%20seems%20it%20is%20linked%20to%20onedrive%20or%20sharepoint.%26nbsp%3B%3C%2FP%3E%3CP%3EHere%20is%20what%20i%20set%20in%20network%20boudnaries%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ECloud%20Resource%20-%20SHAREPOINT%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3Emycompany.sharepoint.com%20mycompany.-my.sharepoint.com%20mycompany-files.sharepoint.com%20AppCompat%2F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ECloud%20Resource%20-%20O365%20services%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3Etasks.office.com%20protection.office.com%20meet.lync.com%20project.microsoft.com%20teams.microsoft.com%20outlook.office.com%20outlook.office365.com%20'attachments.office.net'%2F%20'AppCompat'%2F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ENEUTRAL%20-%20Neutral%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Elogin.microsoftonline.com%2Clogin.windows.net%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethanks%20a%20lot%20for%20any%20support%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1477370%22%20slang%3D%22fr-FR%22%3E%3CLINGO-LABEL%3EWIP%20intune%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1479519%22%20slang%3D%22en-US%22%3ERe%3A%20Protected%20App%20-%20WIP%20Protect%20Authorized%20mod%20not%20working%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1479519%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F704626%22%20target%3D%22_blank%22%3E%40Julpi%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%2C%20some%20ideas%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20Incorrect%20cloud%20resources%3F%20You%20have%20an%20extra%20point%20in%20mycompany.-files.sharepoint.com.%20Also%2C%20the%20formatting%20is%20off%20(not%20sure%20if%20this%20is%20copied%20directly%20from%20the%20WIP%20policy).%20You%20need%20to%20seperate%20the%20resources%20with%20%22%7C%22%20%3D%20%22outlook.office.com%7Cattachments.office.net%7Ctasks.office.com%7Cto-do.office.com...%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2)%20Old%20version%20of%20Office%3F%20You%20mention%20%22paddlelock%20icon%22%20but%20the%20icon%20shoudl%20not%20be%20visible%20in%20Office%20apps%20(Word%2C%20Excel%2C%20etc.).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E3)%20OneDrive%20not%20an%20allowed%20app%3F%20Make%20sure%20that%20OneDrive%20is%20an%20allowed%20app.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Visitor

Hello All, 

 

I have an understanding wrong application of a Protected App Policy. 

MS 365 Business premium is subscribed. 

 

I have 3 differents types of user

 A- Internals workers on a enrolled corporate device and network. 

They are in security group A

 B - Sales  representatives with their BYOD windows 10, enrolled in Intune MDM. Outside the company network and no VPN

They are in security group B

C - Sales representatives who doesn't want to enroll their devices. 

They are in security group C

 

We want to protect our data from copy ou send out the company so we use WIP feature

 

For type C, its fine. 

In WIP policy for non enrolled device, Protected Apps are recommanded ones. So users can only access to the company data through Office WebApp. 

It targets Security Group C,  groups A & B are excluded

 

They are block to copy data (from mail to notepad++ for example)

 

Julpi_0-1592568258240.png

For type A & B  protected mod is switched from BLOCK to Authorize/Allow Override.

Julpi_2-1592581616561.png

 

 

Recommanded APP have been added. 

I noticed that all apps Except Word, Excel ,Powerpoint are run in protected mode (padlock icon in title pane)

 

What i expect is that users are only warned they are accessing protected data 

What i got : 

- They are notified Company can track action when they add a Corporate Fil as attachment in GMAIL (C was blocked) 

- They can copy data from a mail to notepad++

- And the stucking point :  They can't open corporate file like .Docx or XLSX  even they are in their OneDrive folder or other (c:\temp)

Here is the message they got :

(this file can only be opened from a work location)

Julpi_1-1592581038613.png

 

I CAN access & edit file in notepad (padlocked), i saw encrypted content and i can write in it and save.

 

Julpi_0-1592581479330.png

 

I can create files in Onedrive 

 

 

I don't why. I suspected Network Boudnaries issues too . I configured Cloud ressources as suggested by MS: Recommended URL by MS  + part46 of O365 Endpoint and also add  /*AppCompat*/ and my Public IP in order to allow my House place  like that : 1.1.1.1-1.1.1.1

 

I have no idea why this is happening. i just know it is linked to the property attribute which i can modify.. 

Julpi_1-1592581534004.png

 

Why the Protected mode is blocking ? 

 

Edit : 

 

Just after loged in my windows session, before Onedrive is launched, i am able to edit my files with word from my Onedrive folder and save it. I also  see the briefcase on my file (WIP is applied)

Once Onedrive is running , i am no more able to edit my file. 

 

WHile Onedrive is running and if i am still editing my file nothing happen. i can continue to edit my file and save it. 
If i close it and reopen directly, i got the error

 

So, it seems it is linked to onedrive or sharepoint. 

Here is what i set in network boudnaries

 

Ressource Cloud - SHAREPOINT 

mycompany.sharepoint.com | mycompany.-my.sharepoint.com | mycompany-files.sharepoint.com |/*AppCompat*/

 

Ressource Cloud - O365 services 

tasks.office.com | protection.office.com | meet.lync.com | project.microsoft.com | teams.microsoft.com | outlook.office.com | outlook.office365.com |attachments.office.net|/*AppCompat*/

 

NEUTRAL - Neutral

 

login.microsoftonline.com,login.windows.net

 

 

 

thanks a lot for any support

1 Reply
Highlighted
Best Response confirmed by Julpi (Visitor)
Solution

@Julpi 

 

Hi, some ideas:

 

1) Incorrect cloud resources? You have an extra point in mycompany.-files.sharepoint.com. Also, the formatting is off (not sure if this is copied directly from the WIP policy). You need to seperate the resources with "|" = "outlook.office.com|attachments.office.net|tasks.office.com|to-do.office.com..."

 

2) Old version of Office? You mention "paddlelock icon" but the icon shoudl not be visible in Office apps (Word, Excel, etc.).

 

3) OneDrive not an allowed app? Make sure that OneDrive is an allowed app.