How can I stop them from downloading on iOS devices, and where did you add the condition to block downloads?
How to do this in the modern UI, for example Microsoft Entra?
Question for clarification - You showed 2 parts to the Block download, a policy and a PowerShell "ReadOnly" command. Does the PowerShell "RO" enforce RO for all Web Application users or does it work together with the CA policy which is assigned to a specific user/group?
Only to the users or groups scoped in the CA policy you set up!
The security block is faded for me and I can’t click it
I've followed this tutorial (and many others!) and I still end up with the same issue. The issue is that this policy applies to ALL devices, regardless of whether they're compliant or not. I'm pulling my hair out.
Is this sort of configuration also possible when the Exchange is on-premise 2016? I am planning to build the Intune Exchange Connector, but not sure how to enforce the DLP. Please share your viewpoint.
Hey Pranshu, these settings only work in Exchange Online
@t-minus365 If we set up the Hybrid Exchange configuration and don't migrate the mailboxes to online, will it work?
@ThePranshuarora It will only work with Exchange Online mailboxes.
@t-minus365 Thanks for the quick reply.
Unless I'm missing something this is barely usable in the real world if it requires any agent to be installed on an employee's personal device.
There is no agent involved. It detects whether or not the device is corporate enrolled and applies controls accordingly.
How about the Outlook thick client? How to block downloads from the Outlook thick client?
This is only supported in OWA, but if you were looking to block download to untrusted locations then you would want to set up a Windows Information Protection policy for unenrolled devices: th-cam.com/video/EVmQH3DPbe4/w-d-xo.html
I too am trying to block all attachments and downloads from the Outlook thick client. The reason phishing is so successful is that people stand up the Outlook fat client on their local subnet, and users click on links and attachments and malware executes on the same subnet as the file server. But there is no good way to block attachments from the insecure Outlook client. OWA is intentionally dumbed down by Microsoft (if OWA worked nearly as well as the fat Outlook client many people would not buy Office, so Microsoft has chosen dollars over security. We need legislation here -- another subject) so users will not totally accept OWA. If OWA was nearly as capable as the fat client you could gap/proxy your browser and open malware all day long and not affect your local network. But users like that stinking fat Outlook client because OWA sucks so bad. You can add extensions to the list of prohibited Outlook attachment files via GPO, but this is easily defeated by changing the extension. If we could solve this problem hardly anyone would get ransomwared anymore. But Microsoft is standing in the way. There are minimum standards of security and compliance for, say, banks, and there should be minimum security for oligopolies like Microsoft. Microsoft's intransigence is a huge factor in why ransomware has been so prevalent.
Thx 4 sharing
Thanks for watching!