Organization doesn’t allow you to use work content

image

Let’s say you have a bright and shiny Microsoft 365 Business tenant that you have configured out of the box. This means you have set up the default policies, assigned licenses and installed the software for users.

Your user now receives an email like the above with a PDF attachment. The system has Adobe Acrobat reader set as the default PDF reader.

image

The user selects to open the attachment.

image

Adobe Acrobat launches as expected but you receive the above error:

There was an error opening this document. Access denied.

image

Instead, the user downloads the file to a local drive and then tries to upload it into a SharePoint Document Library as shown above.

image

They are greeted by another error:

Can’t use work content here.

Your organization doesn’t allow you to use work content here.

What’s going on? Why can’t users save files? In short, the reason is Windows Information Protection (WIP). You can read more about what WIP is here:

Protect your enterprise data using Windows Information Protection (WIP)

By default Microsoft 365 Business has WIP enabled. This means there is now a distinction between ‘corporate’ and ‘personal’ data. Corporate data is data that is created using pre-defined ‘corporate’ apps like Word, Excel, PowerPoint etc. Personal data is EVERYTHING else i.e. PDFs, files from network shares, local files. Why? Because these files were NOT created by the apps authorised by the WIP policy that has been enacted by Microsoft 365 Business.

Is there a correct way to set up WIP so you don’t get these hassles? Yes, there sure is, but in this article let’s keep it simple and cover off how to disable WIP for the time being so users can get on with their work.

image

Locate the Microsoft 365 admin center and then select the Device Policies tile as shown above.

image

You should then see a list of policies as shown above. In this case, I have two Application Policies for Windows 10 (one for enrolled devices and another for non-enrolled devices).

If you have multiple Application Policies for Windows 10 you’ll need to take the following actions on each policy.

image

Select the policy to edit it. Details of the policy you select should appear on the right as shown above.

Locate the Restrict copying of company data line. Here you’ll see the Setting is ON, thus WIP is enabled. To change this setting, select the Edit hyperlink to the right as shown.

image

You should see that Prevent users from copying company data to personal files is ON as shown.

image

Change this setting to Off as shown and then select Save.

While you wait for that to sync to the Windows 10 desktops (which should only take a few moments) let’s go into the back end of Intune and see where this setting actually is.

image

Navigate to Intune in the Azure portal and select Client apps from the main menu as shown above.

image

On the blade that appears, select App protection policies as shown.

image

This should display the application policies with the same names as you see in the Microsoft 365 admin center. Only application policies are listed here; device policies are elsewhere in Intune.

Select your Application policy for Windows 10.

image

From the blade that appears select Required settings as shown. On the right will be displayed the state of Windows Information Protection.

If WIP is enabled, the option here will be Block.

image

However, now you have changed the policy via the Microsoft 365 admin center the setting should be Off as shown above.

This confirms that WIP is now disabled in our environment.
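Because each Application Policy for Windows 10 has to be changed separately, it is worth checking all of them at once rather than one blade at a time. The following is an added example, not part of the original article: it assumes the policies have been exported as JSON from the Microsoft Graph `deviceAppManagement` resources `mdmWindowsInformationProtectionPolicies` (enrolled devices) and `windowsInformationProtectionPolicies` (non-enrolled devices). The function name `Get-WipPolicyState` and the sample data are constructed for illustration.

```powershell
# Constructed sample in the shape Microsoft Graph returns for WIP policies
# (display names and the mix of states are made up for this example).
$sampleJson = @'
{
  "value": [
    {
      "@odata.type": "#microsoft.graph.mdmWindowsInformationProtectionPolicy",
      "displayName": "Application policy for Windows 10 (enrolled) - sample",
      "enforcementLevel": "noProtection"
    },
    {
      "@odata.type": "#microsoft.graph.windowsInformationProtectionPolicy",
      "displayName": "Application policy for Windows 10 (not enrolled) - sample",
      "enforcementLevel": "encryptAuditAndBlock"
    }
  ]
}
'@

# Hypothetical helper: reports the WIP mode of every policy in a Graph response.
function Get-WipPolicyState {
    param([Parameter(Mandatory)][string]$Json)

    # Graph enforcementLevel value -> mode name shown in the Intune blade
    $portalMode = @{
        noProtection          = 'Off'
        encryptAndAuditOnly   = 'Silent'
        encryptAuditAndPrompt = 'Allow Overrides'
        encryptAuditAndBlock  = 'Block'
    }

    foreach ($policy in ($Json | ConvertFrom-Json).value) {
        # Cast to string so a missing value is reported instead of throwing
        $level = [string]$policy.enforcementLevel
        [pscustomobject]@{
            Policy        = $policy.displayName
            Scope         = if ($policy.'@odata.type' -like '*mdmWindows*') { 'Enrolled' } else { 'Not enrolled' }
            Mode          = if ($portalMode.ContainsKey($level)) { $portalMode[$level] } else { "Unknown ($level)" }
            # Anything other than an explicit noProtection is treated as still active
            StillEnforced = $level -ne 'noProtection'
        }
    }
}

$state = Get-WipPolicyState -Json $sampleJson
$state | Format-Table -AutoSize

# List the policies that were missed when the setting was switched off
$pending = @($state | Where-Object StillEnforced)
if ($pending.Count -gt 0) {
    Write-Warning ("WIP is still enforced by: " + ($pending.Policy -join '; '))
}
```

With the sample data, the enrolled policy reports Off while the non-enrolled policy still reports Block, which is the state you are left in if only one of the two policies is edited.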

image

If you now return to SharePoint on the workstation, and assuming the policy has synced to the desktop, the upload of the file should work.

image

Everything else that was blocked, including viewing PDFs, should now work as well.

Thus, to overcome the WIP issues with Microsoft 365 Business out of the box, you will probably need to change the Application Policy for Windows 10 as shown above.

How do you correctly configure WIP for your environment to take advantage of all the protection it offers? Stay tuned for an upcoming article on just that.

CIAOPS Need to Know Office 365 Webinar–December

For the last webinar of 2018 we are going to take a look back at everything that’s changed with Office 365 and what we can expect to see in 2019. If you want a summary of what’s been and what’s to come then this is the webinar for you! There’ll also be the usual detailed updates of everything that’s happened in the Microsoft Cloud for December as well.

You can register for the regular monthly webinar here:

December Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – December 2018
Thursday 20th of December 2018
11am – 12am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

There of course will also be open Q and A so make sure you bring your questions for me and I’ll do my best to answer them.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session.

Need to Know podcast–Episode 196

I am joined by a familiar guest to many, previous co-host of the Need to Know podcast, Marc Kean, who shares with us what he has been up to lately and his career journey to now being a full time Microsoft employee. Listen along and you’ll get some insight into one of the technical job roles at Microsoft.

Of course Brenton and I also bring you up to date with the latest Microsoft cloud news including a recent Azure AD multi-factor outage and how Microsoft is now more valuable than Apple! Listen on for full details.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-196-marc-kean/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@marckean

@askbrenton

@directorcia

Marc’s blog

Azure AD MFA outage analysis – look for event on 19th November

Microsoft now more valuable than Apple

Microsoft helps create a secure modern workplace

New management for Microsoft Teams

Windows 1809 rollout continues

SharePoint customisation code will bite you

A very common thing I see when working with many businesses implementing collaboration solutions in Office 365, is their rigid desire to implement customisations via code to SharePoint immediately.

Many have a pre-conceived idea of what they believe an ‘intranet’ should be and operate. Thus, they want to force SharePoint to fit that model. The only way to achieve this typically is to use custom code on the site. They want lots of changes made to not only the look and feel but also the functionality prior to implementing it across the business.

I warn them strongly that the more you customise with code, the more it is likely to break and the more issues you will have down the track. A much better option, at least to start with, is to go with what Microsoft provides you out of the box. Only once you have exhausted all the out of the box options should you look at custom code. Then and only then, and when you do, be prepared to continually maintain it.

As further evidence for this stance, take a look at this video from the recent Microsoft Ignite 2018, from 47:03

https://www.youtube.com/watch?v=rhYHdYn5jdQ&t=2928s

and listen to what Tracey Haun, Director, IT Collaboration and Privacy from Dupont says:

When we set up SharePoint we were so proud of ourselves for only customizing less than 5% of the environment and that less than 5% customization has come back to bite us time and time again. Every time we upgrade, every time we migrate we have to deal with these customizations. I just want to say that we were so rigid in the way that we in way we wanted to — and this is specifically around our records management and the way we classify the security classification of our sites, we were so rigid and so set in our ways on how we wanted to do that. So I highly recommend, if you are just getting started, go with the industry standard. Don’t force your business model into SharePoint. Let the it adapt to the Microsoft way.

Thus, if you want to make major changes to the way SharePoint Online works out of the box you firstly need to find a developer who is specifically experienced with SharePoint Online. Even after the job is complete, you are going to need to have someone on tap to maintain that code, because sooner or later it will break. Why? Because Microsoft makes changes and improvements to the underlying SharePoint base that will affect the code.

When that happens, and you won’t know when it will, the more you have used custom code the more catastrophic the failure of your site is going to be. If the site has become a critical part of your business, then it means that system will be down until a developer can be found to rectify the problems. That could be quite a while.

Putting your business in that situation, to me, is increasing your risk which is not something you want to do. Going with what Microsoft give you out of the box may not be “exactly” what you want but it is going to keep on working as SharePoint is updated, unlike custom code.

Of late, Microsoft has added many improvements to SharePoint and collaboration in Office 365, that really make me question why you would want custom code at all? Is it really worth the risk and costs involved?

So my STRONGEST advice when it comes to SharePoint is to use what you are given out of the box to its fullest. After that, if you still want changes, make sure you FULLY understand the implications and increased risk this places your business under.

I’m sure people would love desktop applications like Excel to do more but they generally don’t go making wholesale customisations via code. They tend to work with what they are given out of the box. So too, it should be with SharePoint.

Ignite 2018 sessions on YouTube

With Microsoft Ignite 2018 now over, I wanted to let people know that like last year:

Ignite 2017 sessions on YouTube

I’m maintaining a list of links directly to the sessions on Github.

image

The list is maintained at:

https://github.com/directorcia/general/blob/master/ignite2018.txt

and I will be updating it throughout the year as I find links to new sessions.

Of course, if you have a link to a session that I don’t have up there yet, please send it along so I can add it and we can all benefit.

Not all the sessions are there as yet. I add them when I find them and then update this file, so make sure you check back regularly to get the latest list.

Thanks again to Microsoft for doing this and uploading the sessions to YouTube. They are a great source of learning and allow people like me who couldn’t get to Ignite the ability to work through the content.

Enrolling an iOS device into Intune

Before you can actually enrol an iOS device into Intune you typically need to complete the following preliminary steps:

Add an Apple management certificate to Intune

Set up an iOS Intune device compliance policy

Set up an iOS Intune device configuration policy

With all this done, you can now actually configure the device to be managed by Intune.

image

We’ll be using a newly wiped and configured iPhone as shown above in this walk through.

image

Note here that this phone has both Facetime and the Safari browser on the device and available. After the device has been enrolled in Intune they will both be removed as part of the configuration policies that get applied.

image

To do Mobile Device Management (MDM) for the device with Intune the user will need to download the Company Portal app and then run it.

image

There will be a prompt for a user login. This will be the user’s Office 365 credentials typically.

image

The device will also need to be connected to the Internet so it can verify these credentials and continue.

image

The user will now be prompted to put the device under management by selecting Begin as shown above.

image

The user will then receive notification about what putting a device under management will mean as seen above.

In this scenario, we are assuming it is a bring your own device (BYOD).

image

The user will be given further instructions and then be required to press the Continue button.

image

The process will now try and open the Microsoft Intune portal in a browser. The user will need to select Allow to continue.

image

They will now be taken to a screen and prompted to install a new management profile by selecting the Install button in the top right.

This profile is the one that will be controlled by Intune and provide security over company data on this device.

image

The user will need to select Install again to continue.

image

They will then receive a warning about a third party certificate being installed as shown. This is a certificate from Intune so the user should select Install in the top right to continue.

image

The user will be prompted to confirm that they wish their phone to be enabled for remote management.

They should select Trust to continue.

image

The management profile will complete installation. To finish this process select Done in the top right corner.

image

The user will be taken back to the Intune Company Portal app, where they will be prompted to continue. They should also see that the device is now managed.

Select the Continue option.

image

The device settings will be checked. This is effectively running the compliance policy from Intune over the device to ensure it can be enrolled and has the appropriate settings enabled and configured.

image

The process should complete without warnings or errors. This then indicates that the device is compliant and now has the configuration policies applied to it from Intune.

Select Done to continue.

image

The user will now see the Apps menu of the Company Portal app as shown above. They can return and use some of the other functionality in the app at any time but for now, simply close the app.

image

If you now look closely at the home page of the enrolled device above, you will see that, per the Intune Configuration policies that have been applied, both Facetime and Safari are no longer available on the device.

image

If an administrator now looks in the Intune portal they will see the device that has just been enrolled.

Select it to get more details.

image

They should see a summary of the device as well as a number of controls for the device across the top on the right.

image

If they select the Device compliance option from the menu on the left they will see the compliance policies that have been applied to the device and their state.

image

If they select Device configuration, they’ll see all the configuration policies that have been applied to this device and their current state.

You can select any of these policies on the right to get more information.

image

When you do you’ll see all the settings that have been applied as part of that policy. Here, you’ll see the policies for Facetime and Safari have been successfully applied (i.e. to be made unavailable on the device).

So, that’s how you put an iOS device under management using Intune. Doing so gives you greater control over what is done on the device and also the ability to do things like remotely wipe that device if required. A future article will show you how these management tasks can be accomplished on the device.

Posting code snippets to Microsoft Teams

image

If you want to post a snippet of code to Microsoft Teams go to the Conversations tab and then select the Format text icon as shown above.

image

From this expanded dialog box select the Code icon as shown.

image

This should display a new dialog like the one shown above.

image

If you select the options in the top right you will see a huge range of code selections displayed as shown.

image

In the above case, I have selected PowerShell and you can see that it formats and colours the code snippet for me automatically, making it much easier to read.

image

You can now post the result and that will be added to the Teams Conversations as shown above. You will see that it even automatically adds line numbers, which is very handy.

Thus, if you are going to post code into Microsoft Teams Conversations, make sure you do it via the Format Text option so that it is formatted in a way that makes it more readable.

Need to Know podcast–Episode 195

Troy Hunt makes a return to the podcast to talk about the power of serverless compute. We discuss how Troy has been successfully using serverless compute to run his website haveibeenpwned. Troy also shares with us some insights as to the practical day to day operations of running a site with 5 billion breach records. Brenton and I also update you on the latest Microsoft Cloud news including a raft of updates to Microsoft Teams.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-195-troy-hunt/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@troyhunt

@contactbrenton

@directorcia

haveibeenpwned

Azure serverless compute

CIAOPS Patron program

Skype for Business is moving to Teams

What’s new in Microsoft Teams – November round up

Top scoring in industry AV tests

How can I get started with machine learning