Limiting access lets users stay productive while reducing the risk of data loss on unmanaged devices. However, there may be instances where you want to completely restrict access to file downloads, especially for a user on an unmanaged device. Unmanaged devices are devices that are not managed by the company's Office 365 organization. With browser-only access, users on unmanaged devices will be unable to download, print, or sync data. These users will also be unable to access information via applications, including Microsoft Office desktop programs. When limiting access, a SharePoint or global admin can opt to allow or disallow editing files in the browser. Follow the steps below to see how you can block file downloads.
Step by step process – How to block file downloads on unmanaged devices in SharePoint Online
- First, sign in to your Microsoft 365 account.
- Click on the app launcher icon located in the top left corner.
- Then select “Admin” from the list of applications.
- Click the menu icon in the top left corner of the Admin center.
- Click on “Show all” to reveal more Admin centers.
- Then select “SharePoint” from the list of Admin centers.
- Go to “Policies” in the left menu of the SharePoint admin center.
- Click “Access control” from the revealed options.
- Then select “Unmanaged devices.”
- Select “Block access.”
- Then click the “Save” button.
Following the steps above allows administrators to restrict access on unmanaged devices. These devices will no longer have access to the application or the web app if they are completely blocked, or will have very limited access if “Allow limited web-only access” is active. Both options restrict downloads on unmanaged devices.
Using a policy that impacts all Microsoft 365 services can improve security and provide a better user experience. For example, when you limit access from unmanaged devices in SharePoint alone, users on an unmanaged device can still access the chat in a team, but they lose access when they try to visit the Files tab. Using the Office 365 cloud app can help you avoid service dependency concerns.
Blocking access and limiting the ability to download may have an impact on the user experience in specific programs, including Microsoft Office products, as previously noted. As a result, it’s a good idea to test the experience by enabling the policy for a few people within the company. Also, while your policy is active, keep an eye on the behavior in Flow and PowerApps.
Additional information on restricted access and unmanaged devices in SharePoint
Microsoft recommends limiting access from apps that don’t use modern authentication if you block or limit access from unmanaged devices. Some third-party apps and Office versions prior to Office 2013 don’t support modern authentication, so device-based restrictions can’t be enforced on them. This means they allow users to get around conditional access policies set up in Azure. On the Access control page of the new SharePoint admin center, select “Apps that don’t use modern authentication,” select “Block access,” and then “Save.”
Image web parts won’t display pictures that you add to the site assets library or directly to the web part if you limit access and edit a site from an unmanaged device. To get around this, use the SharePoint list to exclude the site assets library from the block download restriction. This enables the web part to access the site assets library and download pictures.
When Access Control for Unmanaged Devices in SharePoint is set to “Allow limited web-only access,” SharePoint files cannot be downloaded but may be previewed. Previews of Office files work in SharePoint; however, they don’t work in Microsoft Yammer.
People outside the organization will be affected when you use conditional access policies to block or limit access from unmanaged devices. If users have shared items with specific people (who must enter a verification code sent to their email address), you can exempt them from this policy by running the following cmdlet.
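The admin center settings described above can also be applied and verified from the SharePoint Online Management Shell. The script below is an added example, not part of the original post: it sets the unmanaged-device policy, blocks apps that don't use modern authentication, optionally exempts verification-code recipients through the Set-SPOTenant parameter -ApplyAppEnforcedRestrictionsToAdHocRecipients, and prints a before/after comparison. The admin URL (tenant "contoso") is a placeholder and the script parameter names are chosen for illustration.

```powershell
# Added example. Assumes the Microsoft.Online.SharePoint.PowerShell module is
# installed and the account is a SharePoint or global admin.
param(
    [string]$AdminUrl = 'https://contoso-admin.sharepoint.com',  # placeholder tenant
    [ValidateSet('AllowFullAccess', 'AllowLimitedAccess', 'BlockAccess')]
    [string]$Policy = 'BlockAccess',
    [switch]$ExemptVerificationCodeRecipients                    # illustrative name
)

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url $AdminUrl

$props = 'ConditionalAccessPolicy',
         'LegacyAuthProtocolsEnabled',
         'ApplyAppEnforcedRestrictionsToAdHocRecipients'

# Record the current state so the change can be reviewed and rolled back.
$before = Get-SPOTenant | Select-Object $props

# Same setting as Policies > Access control > Unmanaged devices.
Set-SPOTenant -ConditionalAccessPolicy $Policy

# Same setting as "Apps that don't use modern authentication" > Block access.
Set-SPOTenant -LegacyAuthProtocolsEnabled $false

# Optional: do not apply the restriction to external users who open a shared
# item with an emailed verification code.
if ($ExemptVerificationCodeRecipients) {
    Set-SPOTenant -ApplyAppEnforcedRestrictionsToAdHocRecipients $false
}

# Read the settings back and show what changed.
$after = Get-SPOTenant | Select-Object $props
foreach ($p in $props) {
    [pscustomobject]@{ Setting = $p; Before = $before.$p; After = $after.$p }
}

if ($after.ConditionalAccessPolicy -ne $Policy) {
    Write-Warning "Unmanaged-device policy is '$($after.ConditionalAccessPolicy)', expected '$Policy'."
}
```

Run it first with -Policy AllowLimitedAccess against a pilot tenant or during a test window, in line with the advice to test the experience with a few people before enabling the policy broadly.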
Impact on applications
Access and download restrictions may have an impact on the user experience in specific programs, including Microsoft Office products. We recommend that you enable the policy for a few users and test the experience with your company’s apps. In Office, be sure to check the behavior in Power Apps and Power Automate when your policy is turned on.
Apps that use an ACS app-only access token are blocked by default for new tenants. The Azure AD app-only architecture, which is more modern and secure, is recommended. However, you can change the behavior by running ‘Set-SPOTenant -DisableCustomAppAuthentication $false’ (requires the latest SharePoint admin PowerShell).
That’s it for this blog. Thank you for taking the time to read our content. Please feel free to email our team about how it went if you followed the steps, or if you need more help with the questions we answered in this blog.