One thing is certain: you need to protect your (important) data at all costs. Otherwise, it could come back to haunt you. Luckily, there are multiple options to protect your data. Each option has its pros and cons, and you can also combine some of them for the best security.
- Restrict downloading files from unmanaged devices
- Apply sensitivity labels on all important data
- Apply sensitivity labels when downloading files from unmanaged devices
- Restrict Copy Paste on unmanaged devices
1. Restrict downloading files.
The first option shows you how to restrict downloading files from unmanaged devices with just an Azure AD Premium P1 license. You don't need an MCAS license.
How? Just go into the SharePoint admin portal -> Unmanaged devices -> Restrict web access.
When changing these settings, take a look at your conditional access rules: some conditional access rules were just created. Go check them out!
And yes... it also impacts the Teams browser app. This conditional access rule configures the session access control to "Use app enforced restrictions".
It's certainly a nice option to begin with... but you'll notice some problems when opening a PDF file from Exchange Online. But hey, you don't need an MCAS license.
2. Apply sensitivity labels on all important data.
Sensitivity labels are the natural next step in securing your data. You can choose to apply your labels manually or fully automate the process. Manually... it speaks for itself. Automatically? Take a look at my previous blog. Of course, an MCAS license is needed.
3. Apply sensitivity labels when downloading files from unmanaged devices.
When choosing this option, you'll need 4 things:
- MCAS license
- Sensitivity labels
- Conditional access rule
- MCAS policy
In my opinion, this option is a better fit than just blocking the downloads!
* Conditional Access Rule
You need to create a conditional access rule to make sure your cloud app sessions from unmanaged devices go through Microsoft Cloud App Security. To do so, create a new Conditional Access Policy with these settings:
- Users: Target All users (add the exclusion group)
- Cloud Apps: Target All cloud apps (or, if you only want to apply it to Teams, choose Teams)
- Conditions: Select only the "Browser" client app, and configure a new device filter that excludes compliant devices
- Access Controls: Session: "Use Conditional Access App Control", set to "Use Custom Policy"
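To make those settings reproducible, here is an added example of my own (not code from the original post) that creates the same Conditional Access policy with Microsoft Graph PowerShell. It assumes the Microsoft.Graph.Identity.SignIns module is installed, the exclusion group's object ID is a placeholder you replace, and the policy starts in report-only mode so the sign-in logs can confirm which sessions it would route through MCAS before you enforce it.

```powershell
# Added example: Conditional Access policy that routes browser sessions from
# non-compliant (unmanaged) devices through MCAS session control.
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of your exclusion (break-glass/admin) group.
$ExclusionGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Unmanaged devices - route browser sessions through MCAS"
    # Report-only first; change to "enabled" once the sign-in logs look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($ExclusionGroupId)
        }
        applications = @{
            # Use the Teams app ID here instead if you only want to scope it to Teams.
            includeApplications = @("All")
        }
        # Only the "Browser" client app, as in the list above.
        clientAppTypes = @("browser")
        devices = @{
            deviceFilter = @{
                # Exclude compliant (managed) devices; everything else is in scope.
                mode = "exclude"
                rule = 'device.isCompliant -eq True'
            }
        }
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            # "mcasConfigured" = "Use Conditional Access App Control" > "Use Custom Policy"
            cloudAppSecurityType = "mcasConfigured"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Check the sign-in logs under "Report-only" for a few days; when only the browser sessions from non-compliant devices show up, switch the state to "enabled".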
* MCAS Session Policy
When the CA rule is created, you also have to create an MCAS Session Policy, so let's create one now. First, define the source activity: I selected multiple cloud apps and a device tag not equal to "compatible with Intune".
Then you have to define the action: in this case, I protect the file with a confidential label when downloading files. That's why you need to have already configured some nice sensitivity labels!
So, guess what? All files downloaded from unmanaged devices are now protected by this sensitivity label. Cool!! You are still allowing downloads, but you are making sure the files are safe 🙂
4. Restrict copy paste on unmanaged devices
The option to prevent downloading files and the implementation of labeling are certainly some nice options. But what if the user just decides to copy/paste the whole document to his local unmanaged device?
MCAS again to the rescue! Again, you need the conditional access rule to make sure MCAS is inspecting the sessions. When the CA rule is in place, you can create an MCAS policy. Make sure you select the right activity: I made sure that when the activity is cut/paste and the device tag is not equal to "compatible with Intune", MCAS will block it.
When a user tries to copy/paste something to the clipboard... it will be blocked.
Want to see the video describing the whole process? Here it is!
Conclusion:
It’s important to protect your data on unmanaged devices. Make sure you find a balance between ease of use and security. In my opinion, you’ll strike this balance by using sensitivity labels wherever possible.