Hello all,


I have a misunderstanding or a wrong application of a Protected App Policy.

We are subscribed to MS 365 Business Premium.


I have 3 different types of users:

A - Internal workers on an enrolled corporate device and network.

They are in security group A

B - Sales representatives with their BYOD Windows 10 devices, enrolled in Intune MDM. Outside the company network and no VPN.

They are in security group B

C - Sales representatives who don't want to enroll their devices.

They are in security group C


We want to protect our data from being copied or sent out of the company, so we use the WIP feature.


For type C, it's fine.

In the WIP policy for non-enrolled devices, the Protected Apps are the recommended ones. So users can only access the company data through the Office web apps.

It targets Security Group C; groups A & B are excluded.


They are blocked from copying data (from mail to Notepad++, for example).



For types A & B, protected mode is switched from BLOCK to Authorize/Allow Override.




The recommended apps have been added.

I noticed that all apps except Word, Excel and PowerPoint are run in protected mode (padlock icon in the title pane).


What I expect is that users are only warned that they are accessing protected data.

What I got:

- They are notified that the company can track actions when they add a corporate file as an attachment in Gmail (C was blocked)

- They can copy data from a mail to Notepad++

- And the sticking point: they can't open corporate files like .docx or .xlsx, even if they are in their OneDrive folder or elsewhere (c:\temp)

Here is the message they got:

(this file can only be opened from a work location)



I CAN access & edit the file in Notepad (padlocked); I saw encrypted content and I can write in it and save.




I can create files in OneDrive.



I don't know why. I suspected network boundaries issues too. I configured cloud resources as suggested by MS: the URLs recommended by MS + part46 of O365 Endpoint, and also added /*AppCompat*/ and my public IP in order to allow my home, like that:


I have no idea why this is happening. I just know it is linked to the property attribute, which I can modify.



Why is the protected mode blocking?


Edit:


Just after logging in to my Windows session, before OneDrive is launched, I am able to edit my files with Word from my OneDrive folder and save them. I also see the briefcase on my file (WIP is applied).

Once OneDrive is running, I am no longer able to edit my file.


While OneDrive is running, if I am still editing my file, nothing happens: I can continue to edit my file and save it.
If I close it and reopen it directly, I get the error.


So, it seems it is linked to OneDrive or SharePoint.

Here is what I set in network boundaries:


Cloud resource - SHAREPOINT | | |/*AppCompat*/


Cloud resource - O365 services | | | | | | ||/*AppCompat*/


NEUTRAL - Neutral,




Thanks a lot for any support.

Hi, some ideas:


1) Incorrect cloud resources? You have an extra point in Also, the formatting is off (not sure if this is copied directly from the WIP policy). You need to separate the resources with "|" = "|||"


2) Old version of Office? You mention "padlock icon" but the icon should not be visible in Office apps (Word, Excel, etc.).


3) OneDrive not an allowed app? Make sure that OneDrive is an allowed app.
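
An added example, not part of the thread: a small lint for a WIP "Cloud resources" string that flags the two problems raised in idea 1 (a stray dot and bad "|" separation) before the value is pasted into the policy. The contoso host names are constructed placeholders, `lint_cloud_resources` is a hypothetical helper, and the checks are this example's own heuristics, assuming entries of the form `resource` or `resource,proxy` separated by "|".

```python
# Added example: lint a WIP "Cloud resources" boundary string before pasting it
# into the policy. Heuristics are this example's own, not checks Intune performs.
APPCOMPAT = "/*AppCompat*/"

# Constructed sample values (contoso names are placeholders, not from the thread).
GOOD = "contoso.sharepoint.com|contoso-my.sharepoint.com|/*AppCompat*/"
BAD = "contoso.sharepoint.com| contoso-my..sharepoint.com||/*AppCompat*/"


def lint_cloud_resources(value):
    """Return (resources, has_appcompat, findings) for a '|'-delimited string.

    findings is a list of (position, problem) tuples; positions count from 1.
    """
    resources, findings, has_appcompat = [], [], False
    for pos, raw in enumerate(value.split("|"), start=1):
        entry = raw.strip()
        if entry == APPCOMPAT:
            has_appcompat = True
            continue
        if not entry:
            findings.append((pos, "empty entry (doubled or trailing '|')"))
            continue
        if entry != raw:
            findings.append((pos, "whitespace around entry"))
        # An entry is "resource" or "resource,proxy".
        parts = [p.strip() for p in entry.split(",")]
        if len(parts) > 2 or "" in parts:
            findings.append((pos, "expected resource or resource,proxy"))
            continue
        for host in parts:
            if ".." in host:
                findings.append((pos, "doubled dot in " + host))
            if " " in host:
                findings.append((pos, "space inside " + host))
        resources.append(parts[0])
    return resources, has_appcompat, findings


if __name__ == "__main__":
    for name, value in (("GOOD", GOOD), ("BAD", BAD)):
        resources, has_appcompat, findings = lint_cloud_resources(value)
        print(name, resources, "AppCompat:", has_appcompat)
        for pos, problem in findings:
            print("  entry", pos, "->", problem)
```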