Finding the right balance: Microsoft security, privacy and functionality

Paul Bowden of Microsoft helped Jamf Nation User Conference (JNUC) attendees understand how to get the most out of Microsoft's security and privacy controls, and walked through new approaches and features in Jamf Pro. As was mentioned in the opening keynote, Microsoft Office settings are now baked into Jamf Pro.

Bowden told attendees that he would be taking them through a ‘commonsense approach’ and asked them to consider, “What would I do to make Office more secure, less vulnerable to attacks, and how to understand risks to comply?”

To do this, Bowden said, admins need to:

  • Understand the default product options
  • Evaluate your risks and compliance policy
  • Implement the changes in Jamf Pro

“It’s a balance, between security and privacy,” Bowden said, showing a balance scale with security and privacy on opposite sides. He continued, telling attendees, “The offset is on features and functionality.” If admins want to lock things down, the trade-off is in functionality.

Bowden said that one of Microsoft's goals is to collect feedback in order to better understand what customers need. This has allowed Microsoft to provide better overall transparency and to give customers a choice about which data they provide to Microsoft.

Office includes in-product features that connect with back-end web services. You install Word on your local machine and don’t really know or notice how many of those features run locally and how many call a web service. Some are more obvious than others.

Microsoft buckets the data it receives from users into three categories:

  1. Basic (aka Required) — Keeps Office secure, up-to-date and performing as expected.
  2. Full (aka Optional) — Product usage data and enhanced telemetry. Things you can optionally send to Microsoft to help make it better.
  3. Zero (aka None) — Don’t send any diagnostic data. “I bought the product, I don’t want this to phone home or send any data.” There are some trade-offs: If you don’t send Microsoft data, it’s more challenging to make products better since they won’t know what is being used and what is important to users.

Bowden next walked attendees through a demo of setting privacy options with the new ‘Application and Custom Settings’ payload.

Connectivity to Office Services:

  • Most connected experiences — Do I want to be online or offline?
  • Experiences that analyze content — When you type into Office, translation is a service that analyzes your content.
  • Experiences that download content — When you go to insert an online picture, say, of tractors, you get a picture to insert. That is an experience that downloads content.
  • Optional connected experiences — These could be third-party solutions or add-ins. When you launch Office and agree to the terms and conditions, you are not actually agreeing to things like “sending results to Bing,” so any web service that uses Bing is an optional service, since it is outside the original agreement.

Bowden mentioned they also have a beta build of Office baked into Jamf Pro:

Go to Configuration Profiles > Application and Custom Settings > Configure. Instead of uploading a PLIST you had to handcraft, you can now configure settings from an S3 bucket or the Jamf repository, selected by preference name. Here you can require which data gets collected or turn connected experiences off.

Bowden continued that the schema is based on an open-source JSON editor. “This schema defines the visual properties and values of what is displayed and the metadata of what’s shown,” Bowden explained.

You can go through the form and set things, but you may wonder, “What result will this have? What will this look like at the end of the day?” He praised Jamf Pro on this point: “Jamf Pro will have the key list of what is constructed.”

Security basics with Sandboxing

Office 365/2019/2016 apps are sandboxed, regardless of whether you download them from the Mac App Store or from the Microsoft Content Delivery Network (CDN). The job of sandboxing is to restrict the app from getting out: because Word is sandboxed, if it gets compromised the problem won’t spread to other apps. Most people think sandboxing means other apps can’t affect it. “That is not the case. If you are running some app that is not sandboxed, it could potentially infiltrate any other app. But think of it more as stopping things from going out of the sandbox,” Bowden advised.

Sandboxing restricts the apps from accessing resources outside the app container. On notarization: all Office apps use the hardened runtime, and all download packages are notarized. His one piece of advice: if you leave with one thing, keep taking the monthly updates to protect against any vulnerability.
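The sandbox and hardened-runtime claims above are things an admin can verify on a deployed build rather than take on trust. The following is an added example (not code from the session, Microsoft or Jamf) that parses the text `codesign -dvv <app>` prints (the CodeDirectory flags line, which codesign writes to stderr) and the entitlements plist from `codesign -d --entitlements :- <app>`, and reports whether the bundle opted into the hardened runtime and the App Sandbox. The sample strings are constructed in those output formats, not captured from a real Office install, and the `assess_bundle` invocation of codesign is an assumption that only applies on macOS.

```python
"""Verify, from codesign output, that an app bundle carries the App Sandbox
entitlement and the hardened-runtime flag. Added example; samples constructed."""
import plistlib
import re
import subprocess

# Bit set in the CodeDirectory flags when the binary opted into the hardened runtime.
CS_RUNTIME = 0x10000
FLAGS_RE = re.compile(r"^CodeDirectory .*?flags=0x([0-9a-fA-F]+)", re.MULTILINE)
SANDBOX_KEY = "com.apple.security.app-sandbox"


def hardened_runtime_enabled(codesign_dvv: str) -> bool:
    """True when the CodeDirectory flags include the runtime bit."""
    match = FLAGS_RE.search(codesign_dvv)
    if match is None:
        raise ValueError("no CodeDirectory flags line in codesign output")
    return bool(int(match.group(1), 16) & CS_RUNTIME)


def app_sandboxed(entitlements_xml: bytes) -> bool:
    """True only when the entitlements explicitly enable the App Sandbox.
    A binary with no entitlements yields empty output: treat it as not sandboxed."""
    if not entitlements_xml.strip():
        return False
    entitlements = plistlib.loads(entitlements_xml)
    return entitlements.get(SANDBOX_KEY) is True


def assess(codesign_dvv: str, entitlements_xml: bytes) -> dict:
    """Summarise both properties; 'ok' means the bundle matches what the
    session describes for current Office builds."""
    hardened = hardened_runtime_enabled(codesign_dvv)
    sandboxed = app_sandboxed(entitlements_xml)
    return {"hardened_runtime": hardened, "sandboxed": sandboxed,
            "ok": hardened and sandboxed}


def assess_bundle(app_path: str) -> dict:
    """Run codesign against a real bundle (macOS only; assumed invocation)."""
    dvv = subprocess.run(["codesign", "-dvv", app_path], capture_output=True,
                         text=True, check=True).stderr
    ents = subprocess.run(["codesign", "-d", "--entitlements", ":-", app_path],
                          capture_output=True, check=True).stdout
    return assess(dvv, ents)


# Constructed sample output for a sandboxed, hardened-runtime app (placeholder names).
SAMPLE_GOOD_DVV = """\
Executable=/Applications/Example Editor.app/Contents/MacOS/Example Editor
Identifier=com.example.editor
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1024 flags=0x10000(runtime) hashes=28+7 location=embedded
Signature size=8900
Authority=Developer ID Application: Example Corp (TEAMIDXXXX)
"""
SAMPLE_GOOD_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.network.client</key><true/>
</dict></plist>
"""
# Constructed sample for an older build: no runtime flag and no entitlements at all.
SAMPLE_LEGACY_DVV = SAMPLE_GOOD_DVV.replace("flags=0x10000(runtime)", "flags=0x0(none)")
SAMPLE_LEGACY_ENTITLEMENTS = b""

if __name__ == "__main__":
    print("current build:", assess(SAMPLE_GOOD_DVV, SAMPLE_GOOD_ENTITLEMENTS))
    print("legacy build: ", assess(SAMPLE_LEGACY_DVV, SAMPLE_LEGACY_ENTITLEMENTS))
```

Running `assess_bundle("/Applications/Microsoft Word.app")` on a Mac feeds the real codesign output through the same two parsers; the pure functions are what a Jamf extension attribute would wrap to report compliance per machine.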

Use Jamf Pro to strengthen policies

“Don’t rely on just one knob to protect you,” Bowden cautioned. “There are ways to coerce the system. Jamf Pro is where it comes in to block. I’m in a sandbox, but preferences also live in that. Because pipes are open, you can open other holes on the system. I wanted to frighten you, and show what bad stuff can happen and how to protect against this.” Bowden then pivoted to how Jamf Pro comes in to enforce:

“If I go to terminal and show a recon, you can start to see how the macro has started to mess around and it has re-written the preference.”

Bowden continued, “If Word got compromised, the threat will only stay inside Word. That’s why sandboxing is so important. XL 2011 was not sandboxed, as an example where you could start doing anything in the system. What I would recommend in how to protect yourself is to set configuration profiles to enforce these settings: I have a config called VBA lockdown, and this is where I stop the pipe calls and set macros to a good state. You can see when things get pushed down, the UI is disabled.”

As Bowden walked the audience through the demo, he said, “If I go to ‘File > Open’ and try to get more page views, I get a run-time error to prove it. That is what configuration profiles can do for you. Don’t just accept the defaults; you need to enforce those defaults, and that’s where Jamf Pro is helpful.”
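The two pieces of the session that an admin actually has to ship are the privacy choices described under "Connectivity to Office Services" and the "VBA lockdown" profile demonstrated here. The following added example (not the session's, Microsoft's or Jamf's own code) builds one configuration profile covering both, in the flat "custom settings" payload form where the payload type is the preference domain, and audits a set of observed preferences against that baseline so drift like a re-written macro setting is reported. The preference domains, keys and values are taken from Microsoft's published Office for Mac preference documentation as the author of this example recalls them and are not on the page (assumption: check them against the current documentation before deploying); the org identifier and the observed sample are placeholders constructed for the example.

```python
"""Build a configuration profile for Office privacy controls and a VBA
lockdown, and audit observed preferences against that baseline.
Added example; key names are assumed from Microsoft's docs, verify before use."""
import plistlib
import uuid

OFFICE_DOMAIN = "com.microsoft.office"   # shared privacy controls
VBA_DOMAINS = ("com.microsoft.Word", "com.microsoft.Excel", "com.microsoft.Powerpoint")

# The session's "Basic" diagnostic level, with the optional (Bing-backed, add-in)
# experiences off and the three core connected-experience classes left on.
PRIVACY_BASELINE = {
    "DiagnosticDataTypeLevel": "BasicDiagnosticData",  # or ZeroDiagnosticData / FullDiagnosticData
    "ConnectedOfficeExperiencesPreference": True,
    "OfficeExperiencesAnalyzingContentPreference": True,
    "OfficeExperiencesDownloadingContentPreference": True,
    "OptionalConnectedExperiencesPreference": False,
}
# Per-app macro lockdown: disable macros without offering "enable", and keep
# VBA away from system calls (the session's "pipe calls") and external dylibs.
VBA_LOCKDOWN = {
    "VisualBasicMacroExecutionState": "DisabledWithoutWarnings",
    "AllowVisualBasicToBindToSystem": False,
    "DisableVisualBasicExternalDylibs": True,
}


def baseline() -> dict:
    """domain -> {key: expected value} for every managed domain."""
    result = {OFFICE_DOMAIN: dict(PRIVACY_BASELINE)}
    for domain in VBA_DOMAINS:
        result[domain] = dict(VBA_LOCKDOWN)
    return result


def custom_settings_payload(domain: str, settings: dict, org: str) -> dict:
    """'Application & Custom Settings' style payload: PayloadType is the
    preference domain and the managed keys sit at the payload's top level."""
    payload = {
        "PayloadType": domain,
        "PayloadIdentifier": f"{org}.{domain}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": f"Custom Settings ({domain})",
    }
    payload.update(settings)
    return payload


def build_profile(org: str = "com.example.mdm") -> bytes:
    """Serialise the baseline as a .mobileconfig (XML plist); org is a placeholder."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": f"{org}.office-security-baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Office privacy and VBA lockdown",
        "PayloadContent": [custom_settings_payload(d, s, org) for d, s in baseline().items()],
    }
    return plistlib.dumps(profile)


def load_profile(data: bytes) -> dict:
    """Parse a .mobileconfig back into a dict for inspection."""
    return plistlib.loads(data)


def audit(observed: dict, expected: dict = None) -> list:
    """Compare observed preferences (domain -> {key: value}, e.g. parsed from
    `defaults export <domain> -`) with the baseline. One (domain, key, expected,
    observed) tuple per drift; a missing key is reported as drift with None."""
    expected = baseline() if expected is None else expected
    findings = []
    for domain, keys in expected.items():
        present = observed.get(domain, {})
        for key, want in keys.items():
            got = present.get(key)
            if got != want:
                findings.append((domain, key, want, got))
    return findings


# Constructed sample: Office left at full diagnostics, Excel re-written to run
# any macro and bind to system calls, PowerPoint never received the profile.
SAMPLE_OBSERVED = {
    OFFICE_DOMAIN: dict(PRIVACY_BASELINE, DiagnosticDataTypeLevel="FullDiagnosticData"),
    "com.microsoft.Word": dict(VBA_LOCKDOWN),
    "com.microsoft.Excel": {
        "VisualBasicMacroExecutionState": "EnabledWithoutWarnings",
        "AllowVisualBasicToBindToSystem": True,
        "DisableVisualBasicExternalDylibs": True,
    },
}

if __name__ == "__main__":
    for domain, key, want, got in audit(SAMPLE_OBSERVED):
        print(f"DRIFT {domain} {key}: expected {want!r}, observed {got!r}")
    with open("office-security-baseline.mobileconfig", "wb") as fh:
        fh.write(build_profile())
```

The audit treats an absent key as drift rather than silently passing it, which is the case Bowden's recon demo illustrates: a macro that rewrites a preference, or a Mac that never received the profile, both show up as findings. Keys managed through a profile are enforced by the OS, so the audit on a managed Mac should come back empty; a non-empty result on such a machine is itself worth investigating.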

After updating the audience on new features and providing pro tips, Bowden concluded: “I hope this helps you understand what we are doing in the security and privacy space. We worked closely with the Jamf Pro engineering team to bring this together.”

Check back in a couple of weeks to view this session video.