Wednesday, December 5, 2018

Organization doesn’t allow you to use work content

image

Let’s say you have a bright and shiny Microsoft 365 Business tenant that you have configured out of the box. This means you have set up the default policies, assigned licenses and installed the software for users.

Your user now receives an email like the above with a PDF attachment. The system has Adobe Acrobat Reader set as the default PDF reader.

image

The user selects to open the attachment.

image

Adobe Acrobat launches as expected but you receive the above error:

There was an error opening this document. Access denied.

image

Instead, the user downloads the file to a local drive and then tries to upload it into a SharePoint Document Library as shown above.

image

They are greeted by another error:

Can’t use work content here.

Your organization doesn’t allow you to use work content here.

What’s going on? Why can’t users save files? In short, the reason is Windows Information Protection (WIP). You can read more about what WIP is here:

Protect your enterprise data using Windows Information Protection (WIP)

By default Microsoft 365 Business has WIP enabled. This means there is now a distinction between ‘corporate’ and ‘personal’ data. Corporate data is data that is created using pre-defined ‘corporate’ apps like Word, Excel, PowerPoint etc. Personal data is EVERYTHING else i.e. PDFs, files from network shares, local files. Why? Because these files were NOT created by the apps authorised by the WIP policy that has been enacted by Microsoft 365 Business.

Is there a correct way to set up WIP so you don’t get these hassles? Yes, there sure is, but in this article let’s keep it simple and cover off how to disable WIP for the time being so users can get on with their work.

image

Locate the Microsoft 365 admin center and then select the Device Policies tile as shown above.

image

You should then see a list of policies as shown above. In this case, I have two Application Policies for Windows 10 (one for enrolled devices and another for non-enrolled devices).

If you have multiple Application Policies for Windows 10 you’ll need to take the following actions on each policy.

image

Select the policy to edit it. Details of the policy you select should appear on the right as shown above.

Locate the Restrict copying of company data line. Here you’ll see the Setting is ON, thus WIP is enabled. To change this setting, select the Edit hyperlink to the right as shown.

image

You should see that Prevent users from copying company data to personal files is ON as shown.

image

Change this setting to Off as shown and then select Save.

While you wait for that to sync to the Windows 10 desktops (which should only take a few moments) let’s go into the back end of Intune and see where this setting actually is.

image

Navigate to Intune in the Azure portal and select Client apps from the main menu as shown above.

image

On the blade that appears, select App protection policies as shown.

image

This should display the application policies with the same names as you see in the Microsoft 365 admin center. Only application policies are listed here; device policies are elsewhere in Intune.

Select your Application policy for Windows 10.

image

From the blade that appears select Required settings as shown. On the right will be displayed the state of Windows Information Protection.

If WIP is enabled, the option here will be Block.

image

However, now that you have changed the policy via the Microsoft 365 admin center, the setting should be Off as shown above.

This confirms that WIP is now disabled in our environment.
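
The same check can be scripted instead of read off the blade, which helps when there are several Application Policies to verify. The PowerShell below is an added example, not part of the original article: it maps the `enforcementLevel` value that Microsoft Graph reports for each WIP policy to the mode shown in Intune (Block, Off and so on). The policy names and JSON are constructed sample data, and the Graph endpoints and scope in the closing comment are assumptions taken from the Microsoft Graph documentation rather than from this page.

```powershell
# Added example. The JSON below is constructed sample data shaped like a
# Microsoft Graph list response; names and values are not from a real tenant.
$sampleJson = @'
{ "value": [
  { "@odata.type": "#microsoft.graph.mdmWindowsInformationProtectionPolicy",
    "displayName": "Application policy for Windows 10 - enrolled (constructed)",
    "enforcementLevel": "noProtection" },
  { "@odata.type": "#microsoft.graph.windowsInformationProtectionPolicy",
    "displayName": "Application policy for Windows 10 - not enrolled (constructed)",
    "enforcementLevel": "encryptAuditAndBlock" }
] }
'@

# Graph enforcementLevel value -> WIP mode label shown under "Required settings".
$uiMode = @{
    noProtection          = 'Off'
    encryptAndAuditOnly   = 'Silent'
    encryptAuditAndPrompt = 'Allow Overrides'
    encryptAuditAndBlock  = 'Block'
}

function Get-WipEnforcementReport {
    param([Parameter(Mandatory)] [object[]] $Policy)
    foreach ($p in $Policy) {
        $level = $p.enforcementLevel
        $type  = [string]$p.'@odata.type'
        [pscustomobject]@{
            Policy     = $p.displayName
            Enrollment = if ($type -like '*.mdmWindowsInformationProtectionPolicy') { 'With enrollment' }
                         elseif ($type -like '*.windowsInformationProtectionPolicy') { 'Without enrollment' }
                         else { 'Unknown' }
            Level      = $level
            IntuneMode = if ($level -and $uiMode.ContainsKey($level)) { $uiMode[$level] } else { 'Unknown' }
            WipActive  = ($level -ne 'noProtection')   # anything but Off still enforces WIP
        }
    }
}

$policies = ($sampleJson | ConvertFrom-Json).value
Get-WipEnforcementReport -Policy $policies | Format-Table -AutoSize

# Against a live tenant (assumes the Microsoft.Graph.Authentication module):
#   Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All'
#   $base = 'https://graph.microsoft.com/v1.0/deviceAppManagement'
#   $policies = foreach ($path in 'mdmWindowsInformationProtectionPolicies',
#                                 'windowsInformationProtectionPolicies') {
#       (Invoke-MgGraphRequest -Method GET -Uri "$base/$path").value
#   }
```

With the sample data, the second policy still reports Block, which is the situation the "take the following actions on each policy" step is meant to avoid.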

image

If you now return to SharePoint on the workstation, and assuming the policy has synced to the desktop, the upload of the file should work.

image

Along with everything else that was blocked, including viewing PDFs.

Thus, to overcome the WIP issues with Microsoft 365 Business out of the box, you will probably need to change the Application Policy for Windows 10 as shown above.

How do you correctly configure WIP for your environment to take advantage of all the protection it offers? Stay tuned for an upcoming article on just that.