Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

How to forbid printing in Remote Work scenario?

Brass Contributor

Hi,

With so many people working remote these days we have a question.

Assume our employee Bob goes home, and starts his personal home computer, opens a browser and connects to the Company Azure SharePoint Portal, Outlook Online, Teams online, etc and opens a Word document. Bob then prints this Word document on his home printer.

We dont want that to happen. We dont want Bob printing company material when he is at home (on his home computer and via his home printer - neither being company controlled in any way).

 

However, when Bob returns to the office on Friday, he must be able to access and print that Word document - on the office provided computer and printer.

 

Our question is, is this scenario even possible?

IMHO, the MS stack wont achieve the above...and we may need to explore things like:

- blocking the use of untrusted devices (home pc's)

- possibly the use of Citrix desktop / Windows Cloud PC (for home use)

- or enforcing the use of only company owned devices to access company resources

 

Are we on the right track?

 

Look forward to hearing from you.

Cheers,

SK

7 Replies
Hi @ShimKwan

Just for understanding, your company is a whole Azure env or only things like sharepoint?
If so check out the following articles:
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/print-to-corporate-printers-f...

If you are only using any MS online products I would recommend to use the variant to only allow a static set of IP addresses (just example):
https://community.spiceworks.com/topic/2124004-restrict-management-access-by-ip-in-office-365

Feel free to give feedback

Best regards
Schnittlauch

My answer helped you? Don't forget to leave a like. Also mark the answer as solved when your problem is solved. :)
Thank you for those links.
Unfortunately we are talking about home computers that are not part of anything, not domain joined, not AAD joined, no Intune deployed, its not even a BYOD scenario.
You may restrict printing in case you are using Information Right Management.
They could be a home PC but as long as they required authentications like using Microsoft 365 to access document, you may restrict them.
For example, this is applicable for a home PC when they want to access document using SharePoint online.
https://support.microsoft.com/en-us/topic/restrict-access-to-documents-with-information-rights-manag...
https://docs.microsoft.com/en-us/microsoft-365/compliance/set-up-irm-in-sp-admin-center?view=o365-wo...
https://docs.microsoft.com/en-us/microsoft-365/enterprise/activate-rms-in-microsoft-365?view=o365-wo...
https://docs.microsoft.com/en-us/Exchange/policy-and-compliance/information-rights-management?view=e...

Hi Reza,
Thank you for the links.
What I fail to understand is how Information Rights Management will solve this problem.

How will Rights Management be able to detect that when I am in the office, using company equipment I should be able to print a document....while when I am working from home, using my home computer (not company supplied), I shouldn't be able to print that very same document on my home printer (not company supplied).

Are you able to clarify, in detail, how Rights Management achieves this functionality?

Thank you.

Hi @ShimKwan,

 

IMO, you can do it with MCAS Conditional Access Apps Control apps and session control, take a look here.

 

Cheers,

 

 

 
 
 
 
 
Are you using local AD in your company?
In this case, you may setup a group and in that group you set the Right Management to permit printing and add users to this group.
So while they are at work, they would be able to print because they have access to this local AD group.
However, in Azure AD (outside company) the policy would prevent printing.
You may check conditional access too:
https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management