When working with confidential files at a company of any size, it is very important to prevent data from leaving the company and reaching unwanted people or competitors. Microsoft has many different technologies to help prevent this, but today we are taking a look at securing SharePoint data from unmanaged devices.
There are two settings we can choose from when it comes to disabling or limiting SharePoint access on unmanaged devices.
Block Access
Blocking access will completely block users from accessing your SharePoint data from unmanaged devices.
Limit Access (Allow limited, web-only access)
Limiting access will allow your users to access, edit, and read the data from the web-only Office programs, but they are not allowed to print, download or sync any of the data to their devices. This will show the users a yellow bar at the top of their browser windows explaining that they are using an unmanaged device and their access is limited.
What is an unmanaged device?
An unmanaged device is any device that has not been configured to be a part of your organization, more specifically one that is not joined to Azure AD or enrolled in Intune. The service checks whether the device is a known device in the Azure AD infrastructure.
If it is not a known or trusted device, it will not be allowed access to the full feature set.
How to configure the settings
Start by logging in to your tenant using your SharePoint Administrator account and open “Access Control” under Policies.
Here you will find the access control settings for your SharePoint. Keep in mind that these settings are applied “ORG-WIDE”.
Choose the right configuration for your organisation.
After clicking Save, the policy is activated and running on your tenant.
You might want to take a look at the conditional access rules that have been created and modify them as you like. I recommend changing the policy to only target a specific group instead of all users, which is the default.
Important information to keep in mind
Enabling the policy will block your users from using the “Teams Chat” function on their mobile devices unless those devices are enrolled in Intune.
So, before enabling the policy, make sure your Intune enrollment process is ready for your users.
When you enable the policy, two conditional access rules are created in Azure AD, and they target all users.
You might want to change this behavior by scoping the rules to a group only, to ease the deployment process.
If you are using some kind of remote desktop service with OneDrive running, your users will no longer be able to log in on that server unless you configure it to be Intune enrolled, or simply allow that IP address to access SharePoint without going through the conditional access policy.
It is possible to apply these rules or conditions to individual sites directly, instead of affecting the entire SharePoint environment.
The policy can take up to 2 hours before it is fully enabled across your organisation.
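The org-wide configuration described above and the per-site variant can also be scripted with the SharePoint Online Management Shell. The following is an added example, not from the original post; the tenant name "contoso" and the Finance site URL are placeholders you would replace with your own values.

```powershell
# Added example: set the SharePoint Online unmanaged-device policy from PowerShell
# (SharePoint Online Management Shell) instead of the admin center UI.
# Assumptions (not from the original post): "contoso" and the site URL below are placeholders.

$AdminUrl = "https://contoso-admin.sharepoint.com"   # placeholder admin center URL
Connect-SPOService -Url $AdminUrl                     # prompts for a SharePoint admin sign-in

# Show the current org-wide setting before changing anything.
# Possible values: AllowFullAccess, AllowLimitedAccess, BlockAccess
$before = (Get-SPOTenant).ConditionalAccessPolicy
Write-Host "Current org-wide ConditionalAccessPolicy: $before"

# Org-wide "Allow limited, web-only access" (the post's "Limit Access" option).
# Use BlockAccess here instead if you want the "Block Access" option.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Per-site override: block unmanaged devices entirely on one sensitive site
# while the rest of the tenant keeps limited, web-only access. A site-level
# setting must be at least as restrictive as the org-wide one.
$SensitiveSite = "https://contoso.sharepoint.com/sites/Finance"   # placeholder site
Set-SPOSite -Identity $SensitiveSite -ConditionalAccessPolicy BlockAccess

# Verify what was written back. Enforcement can still take time to propagate
# (the post notes up to 2 hours), so this only confirms the stored setting.
$after = (Get-SPOTenant).ConditionalAccessPolicy
Write-Host "Org-wide ConditionalAccessPolicy is now: $after"
Get-SPOSite -Identity $SensitiveSite -Detailed |
    Select-Object Url, ConditionalAccessPolicy |
    Format-List

if ($after -ne "AllowLimitedAccess") {
    Write-Warning "Org-wide policy was not applied as expected; check the admin center."
}
```

Remember that saving the org-wide setting also creates the two Azure AD conditional access rules mentioned below, so review their user scope afterwards.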
If you have any questions / feedback or would like to correct me on any of the stuff above, please use the comment section or contact me directly using the blue button in the bottom right corner.