Block unmanaged device from Group/SharePoint site, but images still embed in Teams messages


I have enabled the sensitivity labels preview described here and set up a group that is blocking unmanaged devices: https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view...

The goal is to block access to files in certain groups from unmanaged devices, while still allowing access to Teams for communication purposes. This works perfectly, albeit it would make sense to also block the Teams channel associated with a group that blocks unmanaged devices.

The issue remaining is that images are embedded into chat messages. So even though the image is uploaded to the "Files" folder on the group's SharePoint site, the image in the chat message is being hosted somewhere else that still allows the unmanaged device access. Presumably with the text chat messages. Some of our teams produce infographics and maps that we cannot allow to be viewed on an unmanaged device. Is there a way to block embedded pictures at the tenant or group/channel level so it just provides the SharePoint link as if it were a pdf file?

2 Replies
There is currently no way to manage this. I think you have a few options:
- Create a business policy which disallows adding pictures
- Block Teams as a whole for that group (not just SharePoint), because I think some discussions might need to be protected too?

@Thijs Lecomte 

Yeah we'll have to go with #1 I think. Blocking Teams from certain groups and largely cutting off their communications from other segments of the company wouldn't fly. Hopefully we can block Teams channels from unmanaged devices by sensitivity label at some point.