
Block Downloads In MS TEAMS Thick Client For Non Managed Computers

How to remove the download, save as or print option from the MS Teams thick client application on an unmanaged device logged into your corporate tenancy, using a conditional access policy.

  1. Create a group : Block_Teams_Thick_Client_Downloads
  2. Add users to the group you want to block access to download, save as or print.
  3. Create a new conditional access policy – Example : Block Teams Thick Client Downloads
    1. Users and Groups add “Block_Teams_Thick_Client_Downloads”
    2. Cloud Apps or Actions – Select Apps – MS Teams
    3. Conditions – Select Client Apps > Configure > Yes > Tick : Mobile Apps, Exchange and Other Clients. Untick Browser.
    4. Device state (Currently in preview) > Set exclude > Tick : Hybrid Azure AD joined and Device marked as compliant
    5. Grant – Select > Block Access and For Multiple controls > “Require one of the selected controls”
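
An offline check that an exported policy matches steps 1 to 5, as an added example that is not part of the original post. The property names follow the Microsoft Graph conditionalAccessPolicy resource; the function name `Test-TeamsClientBlockPolicy`, the sample JSON and the placeholder GUIDs are constructed. It assumes the managed-device exclusion is written as a device filter, the successor to the Device state (preview) condition used above.

```powershell
# Added example: check an exported Conditional Access policy against the
# settings in steps 1-5. $policyJson is constructed sample data; the GUIDs
# are placeholders, not real tenant values.
$policyJson = @'
{
  "displayName": "Block Teams Thick Client Downloads",
  "state": "enabled",
  "conditions": {
    "users": { "includeGroups": ["00000000-0000-0000-0000-000000000001"] },
    "applications": { "includeApplications": ["00000000-0000-0000-0000-000000000002"] },
    "clientAppTypes": ["mobileAppsAndDesktopClients", "exchangeActiveSync", "other"],
    "devices": { "deviceFilter": { "mode": "exclude",
      "rule": "device.isCompliant -eq True -or device.trustType -eq \"ServerAD\"" } }
  },
  "grantControls": { "operator": "OR", "builtInControls": ["block"] }
}
'@

function Test-TeamsClientBlockPolicy {
    param([Parameter(Mandatory)] $Policy, [Parameter(Mandatory)] [string] $GroupId)
    $findings = @()
    $c = $Policy.conditions
    if ($Policy.state -ne 'enabled') { $findings += "State is '$($Policy.state)', policy is not enforced" }
    if ($c.users.includeGroups -notcontains $GroupId) { $findings += 'Target group is not included' }
    if ($c.users.includeUsers -contains 'All') { $findings += 'Applies to all users, not only the group' }
    if ($c.clientAppTypes -contains 'browser' -or $c.clientAppTypes -contains 'all') {
        $findings += 'Browser sessions are in scope; step 3 unticks Browser' }
    if ($c.clientAppTypes -notcontains 'mobileAppsAndDesktopClients') {
        $findings += 'Desktop (thick) client is not in scope' }
    $filter = $c.devices.deviceFilter
    # Step 4: compliant and hybrid joined devices must be excluded from the block.
    if (-not $filter -or $filter.mode -ne 'exclude' -or
        $filter.rule -notmatch 'isCompliant' -or $filter.rule -notmatch 'trustType') {
        $findings += 'Managed devices (compliant / hybrid joined) are not excluded' }
    if ($Policy.grantControls.builtInControls -notcontains 'block') { $findings += 'Grant control is not Block access' }
    return ,$findings
}

$policy = $policyJson | ConvertFrom-Json
$result = Test-TeamsClientBlockPolicy -Policy $policy -GroupId '00000000-0000-0000-0000-000000000001'
if ($result.Count -eq 0) { 'OK: policy matches steps 1-5' } else { $result }
```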

Useful links:

Block Access From Unmanaged Devices To SharePoint or Specific Sites

Block Access From Unmanaged Devices To SharePoint

From SharePoint Admin Center > Policies > Access Control

Click Unmanaged Devices

Note: “To use this setting, get a subscription to Enterprise Mobility + Security and assign a license to yourself.” See Microsoft Endpoint Manager | Microsoft 365 for more information.

Select Block Access > Save

Block Access From Unmanaged Devices To SharePoint Specific Sites and Limit access using PowerShell.

Examples: block download, save and print on unmanaged devices for a specific SharePoint site (SharePoint, OneDrive)

  • Limit access to a single site: Set-SPOSite -Identity https://<SharePoint online URL>/sites/<name of site or OneDrive account> -ConditionalAccessPolicy AllowLimitedAccess

  • Block access to a single site: Set-SPOSite -Identity https://<SharePoint online URL>/sites/<name of site or OneDrive account> -ConditionalAccessPolicy BlockAccess

  • Update multiple sites at once: Get-SPOSite -IncludePersonalSite $true -Limit all -Filter "Url -like '-my.sharepoint.com/personal/'" | ForEach-Object { Set-SPOSite -Identity $_.Url -ConditionalAccessPolicy AllowLimitedAccess }

How to Enable “Security Defaults” in Azure and Office 365

Security Defaults in Azure Portal. IMPORTANT, SECURITY DEFAULTS IS NOT ALWAYS ENABLED BY DEFAULT. YOU MUST CHECK YOUR SETTINGS

What does Security Defaults give you? Security Defaults when enabled provide the following preconfigured security settings:

  • Requiring all users to register for Azure AD Multi-Factor Authentication.
  • Requiring administrators to perform multi-factor authentication.
  • Blocking legacy authentication protocols.
  • Requiring users to perform multi-factor authentication when necessary.
  • Protecting privileged activities like access to the Azure portal.

Azure Active Directory security defaults | Microsoft Docs

How do you enable? Azure Active Directory > Properties > Manage Security Defaults > Yes > Save

Useful links:

Discovering and blocking legacy auth:
Discovering and blocking legacy authentication in your Azure and Microsoft 365 subscriptions – Jussi Roine

Understanding Modern vs Legacy auth:
Understanding Modern vs. Legacy Authentication in Microsoft 365 – Ru365 (campbell.scot)

PowerCLI with a GUI – Clone a machine, add DHCP…

A #PowerShell script with a GUI form to: connect to a vCenter, clone a virtual machine, select the datastore, select the host, set the new VM name, and create an IP reservation in both the Production and DR DHCP scopes. #PowerCli #Automation #GUI #vSphere #ESXi #Clone


This blog post walks you through how to create a PowerCLI script for deploying a virtual machine with advanced configuration options and GUI.


VMware Social Media Advocacy

New Course & Exam Announcements in October

Good to see new training paths for anyone interested in security/vulnerability management and VMware Carbon Black #VMware #CarbonBlack #AlwaysBeLearning #CyberSecurity


This month, VMware Learning released 9 courses and 2 exams to help you develop your skills and increase your knowledge. Don’t let the restriction of working from home stop you from learning how to take full advantage of the innovative VMware technologies that will help your organization work […]



VMware Horizon and Zero Clients Enabling Rapid…

VMware Horizon & Zero Clients Enabling Rapid Remote Secure IT Working. Watch the video. #DemoToDeployed #VMware #Horizon #10ZiG #ZeroClient #Security #EUC #InformationSecurity #WorkingFromHome


2020, the year where the country went into lockdown. In the UK we were told to work from home. This got me thinking more about options for rapid deployment of remote working without missing end user / device security. […]



VMware Horizon and Zero Clients Enabling Rapid Remote Secure IT Working

[Image: 10ZiG Zero Client 6048q]

2020, the year where the country went into lockdown. In the UK we were told to work from home. This got me thinking more about options for rapid deployment of remote working without missing end user / device security.

Lockdown came, and those with laptops and remote access went off home. Desktop users started looking to purchase laptops, but there was limited availability. The laptop is a great short-term fix, but do not forget the bigger picture: security of end users/devices and working conditions.

Is there an alternative, potentially faster and more secure out-of-the-box option which could also be explored? Something which is quicker to deploy and manage than the time it takes to build, deploy and lock down a laptop.

Now if you host a Citrix environment or VMware Horizon then you might find you have an alternative option. Consider Thin / Zero Clients; in this example we are looking at the 10ZiG 6000q series offering. One of the nice features that 10ZiG offer is a FREE 10ZiG Manager tool which can control your devices over the internet. Anyone who has used Thin or Zero Clients before will already know that you can centrally manage and apply security controls over all the devices, but maybe you didn’t know an end user could use the device from home with a few tweaks using the cloud agent included in 10ZiG Manager.

Does your environment already use VMware Horizon? Could you extend your VMware Horizon environment to be internet facing with VMware Unified Access Gateway in place? VMware Unified Access Gateway will allow you to secure external access to your corporate VDI desktops and applications on a VMware Horizon® 7 on-premise instance.

However, before running out and buying 10ZiG devices for everyone and saving on future laptop and desktop costs, consider the end users and build up scenarios for each type of device. There are various models of 10ZiG devices that can support anyone from an office user to a power user. Below you can see some thoughts around how end users might work during lockdown.

In the scenarios, I found anyone who previously regularly worked from the office with a desktop could start working from home using a Zero client. The experience is like using a laptop, but I was forced into office working mode.

If you are working from home for long periods of time, things that you may have taken for granted in the office now become a concern for home. People should use an external monitor, keyboard and mouse, and have a comfy chair and desk to work at. A more important topic is also overlooked, and there isn’t a technical solution to resolve it: finding a way of controlling work and home life. A desk / dedicated space to work from is the ideal way to identify to yourself the difference between work and home. If you are considering how someone works from home, ship the 10ZiG device with a monitor, keyboard and mouse. A laptop would add flexibility to roam around, but you can’t enforce a good working environment.

With all the above in mind, 10ZiG offer a FREE demo device to trial for 30 days.

So I took this FREE demo, utilised my VMware vExpert skills, connected to the VMware Horizon environment from home and deployed a 10ZiG Zero Client, managed by a cloud agent and running in kiosk mode.

Now, I’ve just completed the trial of a 10ZiG demo device, utilising the kiosk style VMware Horizon end user experience when working from home. If you’re interested to see how simple the process was, take a moment to watch the 10 min video “Demo to Deployed” by Stephen Hackers.

This video shows how I ordered and configured a demo device and connected to the VMware Horizon desktop when working from home.