Microsoft 365: OneDrive/SharePoint

  • Microsoft 365 web applications provide an option for users to open the file they are accessing in their desktop app. This feature uses binary protocols to sync the files with those apps; because this traffic does not go over standard HTTPS, Forcepoint ONE SSE does not decode it or apply DLP to it. To account for this, admins should apply granular policy controls depending on their level of trust in the context of the user's access (managed vs. unmanaged devices, etc.).
    • Managed Devices via Client Cert: For managed devices identified via client certificate checking, Forcepoint ONE SSE recommends configuring policies for direct app access for both Web and Modern Auth apps. This is recommended because the admin already trusts the device (it is managed and secured by the company), and because keeping the access method consistent prevents possible issues when sharing links (e.g. a proxied link shared with a user who accesses the app directly, who then cannot navigate to the proxied link page). This allows users to download files without DLP and to use the Open in Desktop app option without issue.

    • Managed Devices via SmartEdge Forward Proxy Agent: Admins have two options when using the SmartEdge agent to manage the device and forward-proxy its traffic. They can send the user through the proxy for both Web and Modern Auth access, thereby proxying access to the M365 web apps and to the desktop applications. Admins configure policies this way if they wish to apply DLP to downloaded files; note that this still does not apply DLP to files opened in the desktop app, but it does allow users to use that option without issue. Alternatively, admins can configure policies as in the Client Cert case above, giving users Direct App Access to both Web apps and Modern Auth apps. Again, this gives them full access to the file on the web or in their desktop app, and lets them use the Open in Desktop app feature without issue.

    • Unmanaged Devices: For unmanaged devices, Forcepoint ONE SSE recommends blocking access to Modern Auth apps altogether, which prevents users from using the Open in Desktop app option (and so from circumventing DLP). Admins should configure policies for secure app access for Web traffic, with Modern Auth apps set to Deny. Users must be logged into their Modern Auth apps for the Open in Desktop app feature to work, so this prevents them from authenticating in the Modern Auth app and blocks that access altogether. Users can still download files from the web, where the download is subject to your DLP policy.

    • A combined policy will look like:

  • When using client certificate checking, users on Windows 7 must have OneDrive version 19.103.0527.0003 or above.