Advanced Security and Privacy Management with Microsoft Office

Jamf
November 13, 2019


Transcript

  1. © JAMF Software, LLC
    UP NEXT: Advanced Security and Privacy Management with Microsoft Office
    11:15am - 12:00pm

  2. Paul Bowden
    Principal Engineer, Microsoft

  3. Security and Privacy Management
    We’ll be taking a common sense approach:

    Understand the default product options

    Evaluate your risks and compliance policy

    Implement the changes in Jamf Pro

  4. It’s a balance between:
    Security
    Privacy
    Features
    Functionality

  5. Privacy

  6. Privacy
    Options were overhauled in the 16.28 (August ’19) update to:

    Provide better transparency as to what telemetry is sent from the client, and controls for changing it

    Provide a choice over usage of the different back-end services that Office connects with to deliver end-user functionality

    Provide consistency and roaming across desktop and mobile platforms

    See https://aka.ms/macprivacy for full details

  7. Privacy Terminology
    Essential Services
      Required Service Data - data to support basic product functionality

    Connected Experiences
      In-product features that connect with back-end web services

    Diagnostic Levels
      Basic (aka Required) - keeps Office secure, up-to-date, and performing as expected
      Full (aka Optional) - product usage data and enhanced telemetry
      Zero (aka None) - don’t send any diagnostic data

  8. Privacy Defaults and Options

    Preference Domain          Key                               Type    Possible Values
    com.microsoft.office       DiagnosticDataTypePreference      string  BasicDiagnosticData
                                                                         FullDiagnosticData
                                                                         ZeroDiagnosticData
    com.microsoft.office       SendAllTelemetryEnabled           bool    TRUE / FALSE
    com.microsoft.autoupdate2  AcknowledgedDataCollectionPolicy  string  RequiredDataOnly
                                                                         RequiredAndOptionalData

    What each setting sends:

    Setting                          Sends ‘Required’   Sends ‘Optional’   Sends ‘Required’
                                     Diagnostic Data    Diagnostic Data    Service Data
    BasicDiagnosticData              Yes                No                 Yes
    FullDiagnosticData               Yes                Yes                Yes
    ZeroDiagnosticData               No                 No                 Yes
    SendAllTelemetryEnabled = FALSE  No                 No                 No

    Note that SendAllTelemetryEnabled = FALSE overrides the diagnostic level: nothing is sent, not even Required Service Data.

  9. Connectivity to Office Services
    Each category of connected experience has its own switch:

    Category                           Preference Domain     Key                                            Type  Possible Values
    Most Connected Experiences         com.microsoft.office  ConnectedOfficeExperiencesPreference           bool  TRUE / FALSE
    Experiences that analyze content   com.microsoft.office  OfficeExperiencesAnalyzingContentPreference    bool  TRUE / FALSE
    Experiences that download content  com.microsoft.office  OfficeExperiencesDownloadingContentPreference  bool  TRUE / FALSE
    Optional Connected Experiences     com.microsoft.office  OptionalConnectedExperiencesPreference         bool  TRUE / FALSE

  10. Which services each feature depends on
    Columns, left to right: Service/Feature | Essential Services | Connected Experiences | Analyzing Content Experiences | Downloading Content Experiences | Optional Connected Experiences
    Each cell lists the apps in which the feature uses that category of service (W = Word, X = Excel, P = PowerPoint, OL = Outlook, ON = OneNote). Each row below shows only its non-empty cells, in column order.

    Alt Text W P W P
    Authentication W X P OL ON
    AutoUpdate (MAU) W X P OL ON
    Cloud Fonts W P OL ON W P OL ON
    Contact Support W X P OL
    Data Types X X
    Designer / Design Ideas P P
    Document Templates W X P W X P
    Error Reporting (MERP) W X P OL ON W X P OL ON
    Flighting (Config Services) W X P OL ON
    Grammar Suggestions P P P
    Help W X P OL ON W X P OL ON
    Ideas X X
    Insert Icon W X P W X P
    Insert Online 3D Model W X P W X P W X P
    Insert Online Picture W X P W X P W X P
    Insert Online Video W X P W X P W X P
    Insert Stickers ON ON ON
    Licensing Service W X P OL ON
    Mailbox Synchronization OL
    Map Charts X X X
    Office Add-ins W X P OL W X P OL
    OneDrive/OneDrive for Business ON W X P
    QuickStarter P P P
    Researcher W W W
    Resume Assistant W W
    Save as PDF (conversion service) W W
    Search Document Templates W X P W X P
    Send a smile W X P OL ON W X P OL ON
    Send to OneNote OL OL
    Smart Lookup W X P OL ON W X P OL ON W X P OL ON
    Subtitles P P
    Translator W X P W X P
    Weather Bar OL OL OL
    What’s New W X P OL

  11. DEMO
    Setting Privacy options with the new ‘Application and Custom Settings’ payload

  12. Application and Custom Settings

  13. Security

  14. The Basics
    Sandboxing

    Office 365/2019/2016 apps are sandboxed, regardless of whether you download them from the Mac App Store or from the Microsoft Content Delivery Network (CDN)

    Sandboxing restricts the apps from accessing resources outside the app container

    Notarization

    All Office apps use the hardened runtime, and all download packages are notarized

    First piece of advice

    Update your apps monthly to protect against the latest threats

    Example: protection against XL4 (Excel 4.0 macro sheet) Auto_Open macros, added in the 16.31 update

  15. Updates are getting easier
    UltraThin and Install on Clone were released a few months ago

  16. VBA Defaults and Options

    Preference Domain     Key                               Type    Possible Values
    com.microsoft.office  VisualBasicMacroExecutionState    string  DisabledWithoutWarnings
                                                                    DisabledWithWarnings
                                                                    EnabledWithoutWarnings
    com.microsoft.office  DisableVisualBasicExternalDylibs  bool    TRUE / FALSE
    com.microsoft.office  AllowVisualBasicToBindToSystem    bool    TRUE / FALSE
    com.microsoft.office  DisableVisualBasicToBindToPopen   bool    TRUE / FALSE
    com.microsoft.office  DisableVisualBasicMacScript       bool    TRUE / FALSE
    com.microsoft.office  VBAObjectModelIsTrusted           bool    TRUE / FALSE

  17. VBA Defaults and Options: most secure value
    The same keys (all in com.microsoft.office), with the value that locks each one down:

    Key                               Most Secure Value
    VisualBasicMacroExecutionState    DisabledWithoutWarnings
    DisableVisualBasicExternalDylibs  TRUE
    AllowVisualBasicToBindToSystem    FALSE
    DisableVisualBasicToBindToPopen   TRUE
    DisableVisualBasicMacScript       TRUE
    VBAObjectModelIsTrusted           FALSE

  18. Use Jamf Pro to strengthen policies
    While we have sensible defaults, remember these are only effective in user space: they live in the user’s preference domain, so anything running as that user (including malware) can change them back

    Most attacks exploit multiple vectors

    Strengthen the default configuration through Config Profiles, which make the values managed (forced) instead of user-editable

    Use CFPreferences to validate the intended implementation: the first command prints the effective value, the second prints whether a profile is forcing it

    python -c "from Foundation import CFPreferencesCopyAppValue; print(CFPreferencesCopyAppValue('VisualBasicMacroExecutionState', 'com.microsoft.office'))"
    python -c "from Foundation import CFPreferencesAppValueIsForced; print(CFPreferencesAppValueIsForced('VisualBasicMacroExecutionState', 'com.microsoft.office'))"
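The following is an added example, not code from the deck, from Microsoft or from Jamf. It ties slides 8, 9, 16, 17 and 18 together: it builds a .mobileconfig that forces every privacy and VBA key from those slides to its most restrictive value, and it audits a client with the same two CFPreferences calls the slide runs by hand, flagging a key as non-compliant when it is unset, wrong, or right but not forced by a profile. Assumptions: the org identifier example.org, the Custom Settings payload form in which PayloadType is the preference domain, the choice of "most restrictive" values (in particular SendAllTelemetryEnabled = FALSE, which also stops Required Service Data), and the SAMPLE_CLIENT data, which is constructed for the demo. The cfprefs_reader function needs PyObjC and only works on macOS; the rest runs anywhere.

```python
"""Added example: build a managed-preferences profile for the Office keys on the
slides and audit a client's effective preferences against it."""
import plistlib
import uuid

# Hardening policy: every key from the privacy and VBA slides set to its most
# restrictive value. Domain and key names are Office's; the values are this
# example's choice. SendAllTelemetryEnabled = FALSE also stops Required Service
# Data (slide 8), so drop that key if you rely on that data.
POLICY = {
    "com.microsoft.office": {
        "DiagnosticDataTypePreference": "ZeroDiagnosticData",
        "SendAllTelemetryEnabled": False,
        "ConnectedOfficeExperiencesPreference": False,
        "OfficeExperiencesAnalyzingContentPreference": False,
        "OfficeExperiencesDownloadingContentPreference": False,
        "OptionalConnectedExperiencesPreference": False,
        "VisualBasicMacroExecutionState": "DisabledWithoutWarnings",
        "DisableVisualBasicExternalDylibs": True,
        "AllowVisualBasicToBindToSystem": False,
        "DisableVisualBasicToBindToPopen": True,
        "DisableVisualBasicMacScript": True,
        "VBAObjectModelIsTrusted": False,
    },
    "com.microsoft.autoupdate2": {
        "AcknowledgedDataCollectionPolicy": "RequiredDataOnly",
    },
}


def build_profile(policy, org="example.org"):
    """Return a .mobileconfig (XML plist bytes) with one Custom Settings payload
    per preference domain. PayloadType set to the domain is the classic custom
    settings form (assumed here); the managed keys sit at the payload's top level."""
    payloads = []
    for domain, keys in policy.items():
        payload = {
            "PayloadType": domain,
            "PayloadIdentifier": f"{org}.office-hardening.{domain}",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadVersion": 1,
            "PayloadDisplayName": f"Managed preferences for {domain}",
        }
        payload.update(keys)
        payloads.append(payload)
    profile = {
        "PayloadType": "Configuration",
        "PayloadScope": "System",  # device level: a local user cannot remove it
        "PayloadIdentifier": f"{org}.office-hardening",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Microsoft Office hardening (example)",
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def cfprefs_reader(domain, key):
    """Reader for a real macOS client: the two calls from slide 18.
    Needs PyObjC (Foundation); returns (effective value, forced by a profile?)."""
    from Foundation import CFPreferencesAppValueIsForced, CFPreferencesCopyAppValue
    return (CFPreferencesCopyAppValue(key, domain),
            bool(CFPreferencesAppValueIsForced(key, domain)))


def audit(policy, reader):
    """Return (domain, key, problem) for every key that is unset, wrong, or
    right but only set in user space. reader(domain, key) -> (value, forced)."""
    findings = []
    for domain, keys in policy.items():
        for key, wanted in keys.items():
            value, forced = reader(domain, key)
            if value is None:
                findings.append((domain, key, "not set"))
            elif value != wanted:
                findings.append((domain, key, f"is {value!r}, want {wanted!r}"))
            elif not forced:
                findings.append((domain, key, "correct but not forced (user space only)"))
    return findings


# Constructed sample of a partially configured client (not captured data):
# one key managed correctly, one correct but user-set, one at the wrong value.
SAMPLE_CLIENT = {
    ("com.microsoft.office", "DiagnosticDataTypePreference"): ("ZeroDiagnosticData", True),
    ("com.microsoft.office", "SendAllTelemetryEnabled"): (False, False),
    ("com.microsoft.office", "VisualBasicMacroExecutionState"): ("DisabledWithWarnings", False),
}


def sample_reader(domain, key):
    return SAMPLE_CLIENT.get((domain, key), (None, False))


if __name__ == "__main__":
    with open("office-hardening.mobileconfig", "wb") as fh:
        fh.write(build_profile(POLICY))
    for domain, key, problem in audit(POLICY, sample_reader):
        print(f"{domain}/{key}: {problem}")
```

On a managed Mac, swap sample_reader for cfprefs_reader to audit the live machine; an empty findings list means every key has the policy value and is forced, which is the state the slide's two one-liners check for a single key.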

  19. DEMO
    Using Jamf Pro to enforce security policies

  21. Thank you for listening!
    Give us feedback by completing the 2-question session survey in the JNUC 2019 app.
    UP NEXT: Yin and Yang: The Art of Attack & Defense on macOS, 1:30 - 2:15 PM