Nice to see you back again 😊
Thank you! 😃
Alex, thank you for making this episode!
And Good Luck with an upcoming Marathon !!!
Thank you very much
thx
Hello Alex! Why wouldn't we want users to have their personal Windows device enrolled/managed by Intune if they are going to be accessing corporate data?
Would you still do all this if there are no company provided devices and only BYOD?
Wow, this video is gold. I wish you could make a more thorough one with demos.
This should also work for Android devices, right? For restricting mobile devices to use corporate O365 application, it should be done via conditional access? Thanks! 👌
yes indeed
Great video. I’ve successfully limited access to O365 through browser and successfully blocked downloads following your advice. Cut/Copy/Paste still works from the browser - how do I block that too? Thanks!
Thank you, Alex! Amazing video! I followed your tutorial and it worked. However, I have an issue viewing PDF files in Outlook Web. When you click a PDF attachment, it automatically downloads it (blocked). Can you suggest any solution for this? Thanks a lot!
Does this work if you exclude guest users from the policies? We work with several external vendors and they need access to some but not all cloud apps.
I love your work mate! Keep up the amazing work.
Great Video! Thanks for making it. Scenario- BYOD, Business Premium- want to allow users to use the desktop applications, but not save the data locally. Can that be built? Seems like it can with some modifications to the browser example you used. Thanks!
Hi, you can build it like this, no matter the browser.
Alex, would your block downloads policy also prevent a person from syncing data on a SharePoint site to their computer? I'm trying to prevent that from happening with consultants on unmanaged devices. Thank you for this video.
It will, but you should also block those users from connecting using anything other than a browser. Just to be sure.
Thank you. Yes. I was presuming your earlier steps would have been configured as well.
FANTASTIC video. Thank you very much!
I guess I'm confused too. You first blocked personally owned devices from being enrolled into Intune, but then you created conditional access/compliance policies and BYOD query rules for personally owned devices? Am I missing something?
I saw this too, but then it mentioned "Accidental Management". Perhaps the alternative is BYOD enrolment via Company Portal?
Thank you for your video. How do you wipe company data when the phone is lost or stolen?
How can I exclude Azure AD joined devices from conditional access? Or any method to identify personal and company devices?
Maybe it's a silly question.
You disabled enrolment of personal devices to Intune.
What is the point of having a conditional access policy that excludes personal devices? Since you disabled personal devices enrolment, you should not have any. Am I missing something?
The CA policy will exclude managed devices from a policy that blocks things for BYOD devices.
This vid sounds great, however the browser versions of Word/Excel do not let you encrypt documents with a password. Any way to bypass that?
What about a wider range of products? An entire internal intranet is normally what people are connecting to for work. Many different apps than just Microsoft 365. Can you get even more granular than this?
I see that downloads of O365 documents on a web browser of an unmanaged device are blocked, this is good!
But, pdf documents are allowed to be downloaded from the web browser outlook of an unmanaged macOS laptop.
@Alex, is there a general restriction on web Outlook downloads that could be enforced on unmanaged computers?
Hi elkyu505,
The main concern is organizational data being stored on unmanaged devices. PDFs can also contain sensitive information. Therefore, we cannot filter those out. If you want to get that kind of management, the devices need to be managed by Intune/MS Defender for Endpoint.
@@azuredude Thank you for your response!
My web outlook failed to block pdf document download from an unmanaged macOS laptop :(
Any suggestions why it failed to block the download of a pdf?
@@elkyu505 Alex mentioned in the video something about needing an E5 license, so you might want to check that. Are other downloads being blocked?
Thank you, Andrew. Yes, you need E5 for that to work. It is the integration of CA with Defender for Cloud Apps that makes this possible.
@@andrewmedcraft - on a BYOD and unenrolled macOS, the pdf attachments on web outlook are NOT blocked, even with E5.
But, Office 365 documents and pictures are blocked.
Can I set up step 4 without an E5 license?
Great Video Really appreciated
I need to force any Windows devices to be managed (MDM), not registered. How can I do this, please?
Good Video
Great video!
Glad you enjoyed it