Explaining to the IT Manager: protecting business data on employee owned devices


In trying to plan for an OD4B deployment, I have done a lot of testing with MAM and WIP, both enrolled and not enrolled, and now Conditional Access... despite searching high and low, I still cannot find a solution to what appears to be a gap in Microsoft's protection coverage - with all these technologies in place, I can still simply go to a fresh Win 10 device, log in to it, and because it's not enrolled, I can simply connect with OD4B and download all the data which is otherwise protected on an enrolled/unenrolled device! If I have a contractor resource that will resist enrollment, how do I prevent that contractor from doing what I've just described? There doesn't appear to be an ability to simply block OD4B Sync on an unenrolled device by user or group. Or have I missed something in my search?

2 Replies

Conditional access will do what you are wanting. It may not be working as you expect for a number of reasons. There may be trusted IPs configured, so if you are testing on a trusted network, it will not enforce conditional access.

Also, other somewhat obvious factors include not deploying the policy to the user account you are trying to condition, and allowing access for MFA-enabled accounts "or" compliant devices.

A conditional access policy based on network location can do the trick. So can the SPO sync restrictions as detailed here: https://technet.microsoft.com/en-us/library/dn917455.aspx
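The SPO sync restriction mentioned above, shown as an added example rather than anything from the reply itself: it limits the OneDrive sync client to machines joined to the listed AD domains, so a fresh unjoined device cannot sync. The tenant admin URL and the domain GUID are placeholders; the GUID is read from the on-premises domain with the ActiveDirectory module.

```powershell
# Added example (not from the thread). Requires the SharePoint Online
# Management Shell and, for the GUID lookup, the ActiveDirectory module.

# 1. Get the objectGUID of the AD domain whose joined machines may sync.
#    Run this on a domain-joined admin workstation; copy the value if the
#    SPO connection is made from elsewhere.
$domainGuid = (Get-ADDomain).ObjectGUID.Guid

# 2. Connect to the tenant admin site (placeholder tenant name).
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# 3. Record the current setting so the change can be reviewed or reverted.
Get-SPOTenantSyncClientRestriction

# 4. Enable the restriction: only clients on the listed domain(s) may sync.
#    Several GUIDs are separated with semicolons in one string.
#    -BlockMacSync also stops the Mac client, which has no domain check.
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $domainGuid -BlockMacSync

# 5. Confirm TenantRestrictionEnabled is True and the GUID is listed.
Get-SPOTenantSyncClientRestriction
```

This only governs the sync client; a user on an unjoined device can still open files in the browser, which is where the location-based Conditional Access policy from the same reply applies.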