We're in discussions with a client who has 10 employees based in Manila. These team members use their personal devices, and the client worries about security since they can't monitor these devices. They're particularly concerned that someone could sync Outlook or OneDrive and take sensitive company data if they leave. We're considering setting up a Terminal Server to host all necessary data and applications, but the employees need to join Teams video calls during work hours, which requires local device access. We need some guidance on how to restrict 365 access to just the Terminal Server while still allowing essential Teams functionality without worrying about data leaks. An initial thought was a Conditional Access Geo Block Policy; however, I'm uncertain how effective that would be given the dependencies of Teams on Exchange and SharePoint.
5 Answers
If you’re looking into more advanced setups, consider a combination of MDA rproxy and managed edge profiles for personal devices. This allows you to control sessions and has the capabilities to block actions like cut/copy/paste and downloads. Plus, make sure to adjust your policy settings to prevent OneDrive sync outside allowed domains. Citrix also works well for many, with minimal issues for Teams integration.
I think the trust issue with your overseas staff goes beyond just technical measures. If there's a significant mistrust, maybe it’s worth having a discussion with HR and management about their overall security policies. Remember, a tech solution might not fully address these concerns—accountability needs to come from management as well.
Have you checked out Forcepoint's tech? They have a cool inline CASB that can reverse proxy 365 usage, letting users access SharePoint and Office online, while preventing downloads based on location or file restrictions.
You might want to look into Azure Virtual Desktop hosted in Singapore. It works well with Teams, and it can redirect multimedia content to the user’s local device while keeping it hardware accelerated. By locking down the user group, you can ensure they can only access Office apps from the AVD workspace using conditional access. They can still log into AVD on their personal machines, but with restrictions on file transfers like copy-paste.
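As an added example (not part of any answer above), this is the kind of Conditional Access policy the AVD answer refers to, expressed with the Microsoft Graph PowerShell SDK: the Office 365 suite is blocked for the Manila group unless the sign-in comes from the hosted desktop's egress IP, with the Teams app excluded so calls still work locally. The group ID and the 203.0.113.10/32 egress address are placeholders; the policy starts in report-only mode because, as the question notes, Teams depends on Exchange and SharePoint and the exclusion needs to be validated against real sign-in logs before enforcing.

```powershell
# Requires: Install-Module Microsoft.Graph (Identity.SignIns submodule)
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder values - replace with the real group and the Terminal Server / AVD egress IP.
$manilaGroupId   = "00000000-0000-0000-0000-000000000000"
$tsEgressCidr    = "203.0.113.10/32"
$teamsAppId      = "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"   # Microsoft Teams first-party app

# 1. Named location for the hosted desktop's public egress address.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Terminal Server egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $tsEgressCidr }
    )
}

# 2. Block Office 365 everywhere except that location; exempt Teams.
#    Report-only first: review sign-in logs for Teams calls to Exchange/SharePoint
#    that would have been blocked before switching state to "enabled".
$policy = @{
    displayName = "Manila BYOD - O365 only from Terminal Server (Teams exempt)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($manilaGroupId) }
        applications = @{
            includeApplications = @("Office365")
            excludeApplications = @($teamsAppId)
        }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Pair this with a OneDrive sync restriction (allowed domain GUIDs) and the AVD clipboard/drive redirection settings, since the CA policy only controls where tokens are issued, not what happens to data already on the hosted desktop.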
You might also consider using Zoom licenses as an alternative to Teams for video calls. This approach might simplify access control and provide you with more options.
I see your point, but not all companies can enforce strict policies without technical barriers in place. It’s important to secure data, especially when dealing with BYOD environments; using DLP policies and such is a must.