Sunday, August 16, 2020

How to secure your remote workers with Office Cloud Policy Service?

With more and more users working from home, organizations are facing new security and privacy challenges. One of them might be that users are working on unmanaged, possibly personal, devices to access corporate data. Classic technologies like Active Directory Group Policy Management do not help in such scenarios, as they do not apply to unmanaged devices.


This blog post will provide guidance on how to leverage the Office cloud policy service (OCPS) to address those scenarios. OCPS allows an admin to target a user with policies that follow them across all devices, regardless of the way the devices are managed (if at all). We will also share some recommended security settings which might be worth considering.


Step 1 – Enable OCPS

The Office cloud policy service (OCPS) is a cloud-based service that enables you to apply policy settings for Microsoft 365 Apps for enterprise (formerly known as Office 365 ProPlus) on a user's device. The policy settings roam to whichever device the user signs into and uses Microsoft 365 Apps for enterprise on. This applies regardless of whether the device is joined to an on-premises domain, Azure AD registered, Azure AD joined or hybrid Azure AD joined.


You should start by verifying the requirements:

  • A supported version of Microsoft 365 Apps for enterprise deployed
  • Users licensed for Microsoft 365 Apps for enterprise
  • At least one Azure AD group which contains the users you are targeting
  • An admin user with at least the Office Apps Admin role assigned
  • Clients must be able to reach these URLs over TCP port 443: *.manage.microsoft.com, *.officeconfig.msocdn.com, config.office.com

Sign in to config.office.com and accept the EULA for OCPS. If you're using Intune, you can also use the Policies for Office apps blade. That's it. No more prep work needed.

Step 2 – Create a policy configuration and assign to users

Now you should create your first policy configuration and assign it to a group of users:

  • Expand the Customization node and select Policy Management
  • On the Policy configurations page, choose to Create and provide a name and a description (optional)
  • In Assignments, choose whether this policy applies to users of locally installed Microsoft 365 Apps for enterprise, or just to users who anonymously access documents using Office for the web.
  • Select the Azure AD security group that is assigned to the policy configuration. Each policy configuration can only be assigned to one group, and each group can only be assigned one policy configuration.

Step 3 – Set policies

After clicking on Configure policies you can start to search for and configure policies. Please note that most policies are only applicable to Office on Windows, but some are applicable cross-platform as noted in the platform column in the policy list.


As a starting point, you can filter the Recommendation column to view the recommended Microsoft Security baseline policies. Click on each policy name to view the description and decide if you want to keep the baseline’s recommended value or manually configure it. The reviewed items will switch the Status to Configured when applied.


Especially for the scenario of remote workers, here are some policies you might want to have a closer look at:

Policy name, followed by a comment on why it matters for remote workers:

Block signing into Office
  Can be used to prevent users from being signed in with a corporate and a personal account at the same time, in order to prevent data leakage to, e.g., a personal OneDrive.

Hide file locations when opening or saving files
  Setting this to "Hide local PC" will discourage users from saving corporate data to a device that may not be corporate-owned.

Disable VBA for Office applications
  VBA/macros are powerful tools and can help automate data processing or entry, but they are also abused by malicious documents, so it may be better to block them from running on unmanaged/remote devices.

Do not open files from the Internet zone in Protected View
  If set to "Disabled", Office files downloaded from the internet will always be opened in Protected View first. Note the inverted naming: disabling this policy is the more restrictive choice.

Set document behavior if file validation fails
  Admins can enforce Protected View for files that failed validation. Such files could, e.g., try to exploit Office through malformed documents.

Allow the use of connected experiences in Office, et al.
  Admins can control whether Office is allowed to leverage cloud services for downloading and analyzing content. Review the documentation for the available controls.

Force Runtime AV Scan
  If enabled, all files opened by Office will be passed to the installed AV engine for scanning.

Use Cached Exchange Mode for new and existing Outlook profiles
  You can use this policy to enforce Online Mode for Exchange, in order to prevent users from syncing their inbox content down to a device that may be insecure. Note that this setting will apply to all devices the user signs into.

Block all unmanaged add-ins
  This setting allows you to block all add-ins from being loaded by Office.


Step 4 – Additional considerations

Because policies configured through OCPS follow the user across all devices, OCPS is not limited to remote workers or users on unmanaged devices. You should consider folding your on-prem policies into OCPS policies and going forward with a single solution for both on-prem and off-prem users.


If multiple sets of policies are applied to a user/device, Office will evaluate the applicable settings following these rules:

  • The winning configuration is evaluated per individual setting, not per policy configuration as a whole.
  • OCPS-set policies win over AD-based settings.
  • If multiple OCPS-based policy configurations apply, the priority configured in the OCPS service decides.
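
To make the three precedence rules concrete, and to check the result against the remote-worker policies from the table in Step 3, here is a small Python model. It is an added example, not code from the original post or from Microsoft; OCPS has no such API, so the policy sources, their priorities and the expected baseline values are constructed by hand. The on-prem Group Policy side is assumed to be a single, already-resolved set of settings, since GPO precedence is outside the scope of this post, and the expected values in the baseline are read from the table's comments rather than taken from the portal.

```python
from dataclasses import dataclass

ENABLED, DISABLED, NOT_CONFIGURED = "Enabled", "Disabled", "Not configured"


@dataclass
class PolicySource:
    """One source of Office policy settings (constructed for this example).

    kind     -- "ocps" (a policy configuration from config.office.com) or "ad"
                (the merged, already-resolved result of on-prem Group Policy).
    priority -- OCPS priority as shown in the portal; lower number wins.
                Ignored for the AD source.
    settings -- policy display name -> configured value.
    """
    name: str
    kind: str
    priority: int
    settings: dict


def resolve_effective_settings(sources):
    """Apply the three precedence rules per individual setting.

    Returns {setting: (value, name of the winning source)}.
    """
    effective = {}
    # Rule 1: decide each setting on its own, not per policy configuration.
    for setting in sorted({s for src in sources for s in src.settings}):
        candidates = [src for src in sources if setting in src.settings]
        ocps = [src for src in candidates if src.kind == "ocps"]
        # Rule 2: any OCPS configuration that sets the value beats AD.
        # Rule 3: among OCPS configurations, the portal priority decides.
        winner = min(ocps, key=lambda s: s.priority) if ocps else candidates[0]
        effective[setting] = (winner.settings[setting], winner.name)
    return effective


# Expected values for the remote-worker policies from the table in Step 3.
# Assumed from the table's comments, not exported from the portal; verify
# them against each policy's description before relying on them.
REMOTE_WORKER_BASELINE = {
    "Hide file locations when opening or saving files": "Hide local PC",
    "Disable VBA for Office applications": ENABLED,
    # Inverted name: Disabled means internet files always open in Protected View.
    "Do not open files from the Internet zone in Protected View": DISABLED,
    "Force Runtime AV Scan": ENABLED,
    # Online Mode is enforced by disabling Cached Exchange Mode.
    "Use Cached Exchange Mode for new and existing Outlook profiles": DISABLED,
    "Block all unmanaged add-ins": ENABLED,
}


def audit(effective, baseline=REMOTE_WORKER_BASELINE):
    """Return (setting, expected, actual, source) for every deviation from the baseline."""
    findings = []
    for setting, expected in baseline.items():
        actual, source = effective.get(setting, (NOT_CONFIGURED, "-"))
        if actual != expected:
            findings.append((setting, expected, actual, source))
    return findings


def demo():
    # Constructed sample: one merged AD baseline and two OCPS policy configurations
    # that overlap on the VBA setting, so all three rules come into play.
    sources = [
        PolicySource("On-prem GPO (merged)", "ad", 0, {
            "Disable VBA for Office applications": DISABLED,
            "Block all unmanaged add-ins": ENABLED,
        }),
        PolicySource("Remote workers", "ocps", 1, {
            "Disable VBA for Office applications": ENABLED,
            "Do not open files from the Internet zone in Protected View": DISABLED,
        }),
        PolicySource("All users", "ocps", 2, {
            "Disable VBA for Office applications": DISABLED,
            "Force Runtime AV Scan": DISABLED,
            "Use Cached Exchange Mode for new and existing Outlook profiles": DISABLED,
        }),
    ]
    effective = resolve_effective_settings(sources)
    return effective, audit(effective)


if __name__ == "__main__":
    effective, findings = demo()
    for setting, (value, source) in effective.items():
        print(f"{setting}: {value}  <- {source}")
    for setting, expected, actual, source in findings:
        print(f"DEVIATION {setting}: expected {expected}, got {actual} ({source})")
```

In the sample, "Disable VBA" ends up Enabled from the "Remote workers" configuration even though both the GPO and the lower-priority "All users" configuration say Disabled, while "Block all unmanaged add-ins" still comes from the GPO because no OCPS configuration sets it. The audit then flags the two gaps a reviewer would want to see: the file-location policy is not configured anywhere, and the AV scan is switched off by the broader "All users" configuration.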


Once you have deployed OCPS policies, you can also enable the Security Policy Advisor (SPA) to get further insights into how impactful these changes are for your users. There may be opportunities to tighten settings further without impacting users. We have an SPA walkthrough guide for you as well.
