User Profile
jjboffy
Copper Contributor
Joined 6 years ago
Recent Discussions
WIP (Windows Information Protection /w MDM) is Breaking Office 2019 Activation
Greetings Everyone! I am hoping to get some help with an issue regarding WIP and Office 2019. We are a healthcare company that is attempting to increase employee data access while keeping that data safe. WIP /w MDM seems to be a pretty good fit to what we are looking for and I've had only minor issues in setting up and testing the policies. The primary issue I am experiencing is that when opening a protected document "File Ownership = Work" in Excel or Word, it becomes read-only and is asking for me to "Activate Office to gain full access to your work files". When I click activate, it completely breaks my Office install and I have to completely re-install it to gain activation again. I have tried disabling the WIP policy, which removes the "work/personal" protection options, but Office remains un-activated and broken until re-install. Is there an option, boundary, or setting I am missing on either my client side or on the MDM side? Any help out would be grand!
1.3K Views, 0 likes, 2 Comments

Compliance Center DLP Policy Tips
Greetings! We are in the middle of implementing the Compliance Center DLP solution using a variety of the advanced rules. We really love the idea of Policy Tips providing guidance to users on what they should do with their sensitive data. Our model is that we are allowed to send sensitive data to intended and verified recipients as long as it is encrypted. So we have some rules that look for HIPAA and PII and inform the user that they should encrypt before sending. The selling point for us was the ability to provide users an override to the policy in cases where encryption wasn't necessary. It is less common, but makes up about 10% of our use-case. Minus the normal bumps and issues, we are mostly happy with the way the system works! Users can override, encrypt, and we get good visibility on why users are sending data unencrypted if they do, so we can retrain or tune the system. Our issue is, of course, the wonkiness of the Policy Tips and how it checks for certain conditions and may or may not clear when a condition is met/not-met.

Issue: A user composes an email headed out of our company that contains sensitive data. The system catches this and throws a Policy Tip requiring they encrypt or override. They say, "oh ya! Thanks for reminding me" and hit that encrypt button. This doesn't clear the Policy Tip or the block condition and they cannot send the email, even though it is encrypted.

What I've Tried: I added the exception onto the rules to exempt if the Message Type is: Permission Controlled. I tried Message Type: Encrypted, but it doesn't work correctly at all. With this setup, everything works except the Policy Tip, which gets stuck. Example: blue box is original PolicyTip. Red box is button encryption.

Current Work-Around: The users hate it, because the button is way easier than the subject tags. Our current work-around is to "Clear the Policy Tip" by 1) Remove encryption by clicking link in PolicyTip, 2) Remove Recipient using same method inside Policy Tip. This resets the Policy Tip, so then the user can push the Encrypt button first, then add recipients, without redrafting the whole email.

Help!! What sort of logic do I need to make the Encrypt button clear out the Policy Tips? Or is this just it? Workaround city! Thanks for reading and I'd love any help or guidance. Trust me, I've read every docs.microsoft article I can find about Policy Tips and DLP. But I'll take some more if you have them if they are relevant.

Re: WIP w/ MDM Office 365 Licences
Oktay Sari To answer your questions, I worked more on this policy this week:
1) Yes, I have the network domain configured with the FQDN along with the IP ranges for the data sources in question.
2) I do see the extra column for file ownership in File Explorer, it lists the company's onmicrosoft account as owner.
3) I am testing this policy as a regular domain user, not as a domain admin. So I have to use mapped drives and locations, regular users can't see the machines these locations are mapped to. If it helps, we use DFS to create namespaces for our locations that are in various geographic areas.
4) I've tested with .txt files with both WordPad and Notepad with the same "Read-Only" results.
5) No, when opening a .docx with WordPad, it gives the alert that "This is not an approved work resource".
6) It has the same effect whether I move from silent, override, or block.
7) The only event that popped up was "info" tagged from Office opening in read-only mode.
8) I can set up a policy to test the Online resources, but I was hoping to get the domain stuff working before I moved onto that portion. One step at a time you know?
I really appreciate the help with this. I think we might have another avenue of securing our data using BitLocker and group policy, but I was hoping to move to a cloud-based solution since that is where our company is headed long-term.
2.6K Views, 0 likes, 1 Comment

File Attachments Corrupted or Missing
Greetings Everyone! We are having an issue where attaching files to email is broken in a way we can't quite get a handle on. It originally started in Outlook 2019 clients. When a user would try to attach a file the error would state: Our workaround, which lasted about three days, was to use the O365 webmail to send emails. Then the same thing started happening there with the same error message. Some other users are having issues when they open attached files: Sometimes the attachment will come through with a file size of 0kb, sometimes it's just corrupted. In an effort to isolate the issue, we have tried a number of things.
- Outlook in safe mode
- Disable all add-ons
- Attach file in Gmail or other webmail
- System file check (sfc /scannow)
- Repair on Outlook and Office files
- Removing and re-building the Outlook Profile
It doesn't affect all users and the users it does affect, it doesn't affect all files. None of the above steps changed the issue. We are all quite confused, especially considering it affects all webmail clients, not just Office or O365. Anyone have any input? We are struggling here!
768 Views, 0 likes, 1 Comment

Re: WIP (Windows Information Protection /w MDM) is Breaking Office 2019 Activation
Pontus Själander I've only pushed the policy to my PC for testing before I loop other people into it. I don't have any other Intune enrolled devices that I can test on. You know, work from home! If I was able to work from the office I'd just setup a few more test cases.
1.2K Views, 0 likes, 0 Comments

Re: WIP w/ MDM Office 365 Licences
JanBakkerOrphaned Thanks for the reply! I haven't configured any cloud services boundaries yet, so I haven't used the /*AppCompat*/ string. Do I need to use it on network domain and IP4 boundaries as well? I didn't think I did. And yes, the Office ProPlus XML is included in my protected apps. I wasn't sure what the Denied-Office option was below it, but I've tried it with both, neither, and each selected, all with the same results. I've even tried adding the Excel Program via the Desktop Apps dropdown where you have to enter the fully qualified application publisher name. Same behavior. My issue is happening when reading any file on a network file server mapped to my profile. My inclination is that it's either not seeing my domain boundary or IP boundary. When I open the file with Excel, it becomes read-only and when I bring up "Task Manager ---> Details ---> Enterprise Context" Excel.exe is listed as Enlightened and Work Owned, so I figured that I had the Protected Apps set up correctly. I was hoping the domain portion of this project would be the easy part, because I know when I start adding cloud service boundaries it is going to get hairy.
2.8K Views, 1 like, 5 Comments

WIP w/ MDM Office 365 Licences
Greetings Everyone, I am attempting to get a WIP policy set up for my company to protect our files in this new "work-from-home" era. Our devices are MDM enrolled and the policy I have created is working mostly as intended for my test group. Biggest issue is this: all files labeled File Ownership - "work-domain" are opening as read-only with the following message in Office apps. If I click on Activate, it completely messes up my computer's Office activation, I become un-activated on all profiles and have to completely re-install to fix the issue. What am I missing? Is this a network boundary issue? An enrollment issue? Or some other setting I have overlooked, perhaps on a different window? Any help would be grand!
3K Views, 0 likes, 7 Comments