
Advanced Security and Privacy Management with Microsoft Office

Jamf
November 13, 2019


Transcript

  1. © JAMF Software, LLC
    Advanced Security and Privacy Management with Microsoft Office
    11:15am - 12:00pm
    UP NEXT
  3. Paul Bowden, Principal Engineer, Microsoft
  4. Security and Privacy Management
    We’ll be taking a common sense approach:
    - Understand the default product options
    - Evaluate your risks and compliance policy
    - Implement the changes in Jamf Pro
  5. It’s a balance: Security, Privacy, Features, Functionality
  6. Privacy

  7. Privacy
    Options were overhauled in the 16.28 (August ’19) update:
    - Provide better transparency as to what telemetry is sent from the client, and controls for changing it
    - Provide a choice over usage of the different back-end services that Office connects with to deliver end-user functionality
    - Provide consistency and roaming across desktop and mobile platforms
    See https://aka.ms/macprivacy for full details
  8. Privacy Terminology
    Essential Services / Required Service Data - data to support basic product functionality
    Connected Experiences - in-product features that connect with back-end web services
    Diagnostic Levels:
    - Basic (aka Required) - keeps Office secure, up-to-date, and performing as expected
    - Full (aka Optional) - product usage data and enhanced telemetry
    - Zero (aka None) - don’t send any diagnostic data
  9. Privacy Defaults and Options

    Preference Domain          Key                               Type    Possible Values
    com.microsoft.office       DiagnosticDataTypePreference      string  BasicDiagnosticData, FullDiagnosticData, ZeroDiagnosticData
    com.microsoft.office       SendAllTelemetryEnabled           bool    TRUE / FALSE
    com.microsoft.autoupdate2  AcknowledgedDataCollectionPolicy  string  RequiredDataOnly, RequiredAndOptionalData

    Setting                          Sends ‘Required’ Diagnostic Data  Sends ‘Optional’ Diagnostic Data  Sends ‘Required’ Service Data
    BasicDiagnosticData              Yes                               No                                Yes
    FullDiagnosticData               Yes                               Yes                               Yes
    ZeroDiagnosticData               No                                No                                Yes
    SendAllTelemetryEnabled = FALSE  No                                No                                No
  10. Connectivity to Office Services

    Setting                            Preference Domain     Key                                            Type  Possible Values
    Most Connected Experiences         com.microsoft.office  ConnectedOfficeExperiencesPreference           bool  TRUE / FALSE
    Experiences that analyze content   com.microsoft.office  OfficeExperiencesAnalyzingContentPreference    bool  TRUE / FALSE
    Experiences that download content  com.microsoft.office  OfficeExperiencesDownloadingContentPreference  bool  TRUE / FALSE
    Optional Connected Experiences     com.microsoft.office  OptionalConnectedExperiencesPreference         bool  TRUE / FALSE
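The two tables above (slides 9 and 10) are exactly what an Application and Custom Settings payload has to carry. As an added example, not code from the talk, Microsoft or Jamf, the Python script below validates a chosen privacy configuration against those tables, applies the slide-9 matrix to show what the configuration still sends, writes the keys into a managed-preferences configuration profile that forces both preference domains, and reads a profile back so the forced keys can be reviewed before upload. The profile layout (a com.apple.ManagedClient.preferences payload with a Forced / mcx_preference_settings block) is the standard custom-settings format; the PayloadIdentifier, display name and UUIDs are constructed placeholders.

```python
"""Privacy keys from slides 9 and 10 as a managed-preferences profile.

Added example, not code from the talk, Microsoft or Jamf. The profile layout
(com.apple.ManagedClient.preferences, Forced / mcx_preference_settings) is the
standard custom-settings format; identifiers and display names are placeholders.
"""
import plistlib
import uuid

OFFICE_DOMAIN = "com.microsoft.office"
MAU_DOMAIN = "com.microsoft.autoupdate2"

# Allowed values, straight from the slide-9 and slide-10 tables.
DIAGNOSTIC_LEVELS = {"BasicDiagnosticData", "FullDiagnosticData", "ZeroDiagnosticData"}
MAU_POLICIES = {"RequiredDataOnly", "RequiredAndOptionalData"}
CONNECTED_KEYS = (
    "ConnectedOfficeExperiencesPreference",           # most connected experiences
    "OfficeExperiencesAnalyzingContentPreference",    # experiences that analyze content
    "OfficeExperiencesDownloadingContentPreference",  # experiences that download content
    "OptionalConnectedExperiencesPreference",         # optional connected experiences
)

# Slide-9 matrix: level -> (required diagnostic, optional diagnostic, required service data)
DATA_SENT = {
    "BasicDiagnosticData": (True, False, True),
    "FullDiagnosticData": (True, True, True),
    "ZeroDiagnosticData": (False, False, True),
}


def office_privacy_settings(diagnostic_level, send_all_telemetry, connected):
    """Validate against the slide tables and return the com.microsoft.office keys to force.

    `connected` maps slide-10 keys to bools; keys not given are left unmanaged.
    """
    if diagnostic_level not in DIAGNOSTIC_LEVELS:
        raise ValueError(f"unknown DiagnosticDataTypePreference: {diagnostic_level!r}")
    unknown = set(connected) - set(CONNECTED_KEYS)
    if unknown:
        raise ValueError(f"unknown connected-experience keys: {sorted(unknown)}")
    settings = {
        "DiagnosticDataTypePreference": diagnostic_level,
        "SendAllTelemetryEnabled": bool(send_all_telemetry),
    }
    settings.update({key: bool(connected[key]) for key in CONNECTED_KEYS if key in connected})
    return settings


def data_sent(settings):
    """What still leaves the client: SendAllTelemetryEnabled = FALSE overrides the level (slide 9)."""
    if not settings["SendAllTelemetryEnabled"]:
        return (False, False, False)
    return DATA_SENT[settings["DiagnosticDataTypePreference"]]


def build_profile(office_settings, mau_policy="RequiredDataOnly",
                  identifier="com.example.office-privacy"):  # identifier is a placeholder
    """Wrap the settings in a system-scoped profile that forces both preference domains."""
    if mau_policy not in MAU_POLICIES:
        raise ValueError(f"unknown AcknowledgedDataCollectionPolicy: {mau_policy!r}")

    def forced(domain, prefs):
        return {domain: {"Forced": [{"mcx_preference_settings": prefs}]}}

    payload = {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadIdentifier": identifier + ".settings",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadContent": {
            **forced(OFFICE_DOMAIN, office_settings),
            **forced(MAU_DOMAIN, {"AcknowledgedDataCollectionPolicy": mau_policy}),
        },
    }
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadDisplayName": "Office privacy settings (example)",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadContent": [payload],
    })


def managed_settings(profile_bytes, domain):
    """Pull the forced keys for one domain back out of a profile, to review before upload."""
    found = {}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.ManagedClient.preferences":
            continue
        for block in payload["PayloadContent"].get(domain, {}).get("Forced", []):
            found.update(block.get("mcx_preference_settings", {}))
    return found


if __name__ == "__main__":
    chosen = office_privacy_settings("ZeroDiagnosticData", True,
                                     {"OptionalConnectedExperiencesPreference": False})
    print("sends (required diag, optional diag, required service):", data_sent(chosen))
    profile = build_profile(chosen)
    print(managed_settings(profile, OFFICE_DOMAIN))
    with open("office-privacy.mobileconfig", "wb") as fh:
        fh.write(profile)
```

Note that ZeroDiagnosticData still sends required service data, as the slide-9 matrix shows; only SendAllTelemetryEnabled = FALSE stops that as well, and the `data_sent` check makes that visible before the profile ships.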
  11. Service/Feature matrix
    Columns, left to right: Essential Services | Connected Experiences: Analyzing Content | Connected Experiences: Downloading Content | Optional Connected Experiences
    App codes: W = Word, X = Excel, P = PowerPoint, OL = Outlook, ON = OneNote. Each row lists its non-empty cells, left to right, separated by |.
    Alt Text: W P | W P
    Authentication: W X P OL ON
    AutoUpdate (MAU): W X P OL ON
    Cloud Fonts: W P OL ON | W P OL ON
    Contact Support: W X P OL
    Data Types: X | X
    Designer / Design Ideas: P | P
    Document Templates: W X P | W X P
    Error Reporting (MERP): W X P OL ON | W X P OL ON
    Flighting (Config Services): W X P OL ON
    Grammar Suggestions: P | P | P
    Help: W X P OL ON | W X P OL ON
    Ideas: X | X
    Insert Icon: W X P | W X P
    Insert Online 3D Model: W X P | W X P | W X P
    Insert Online Picture: W X P | W X P | W X P
    Insert Online Video: W X P | W X P | W X P
    Insert Stickers: ON | ON | ON
    Licensing Service: W X P OL ON
    Mailbox Synchronization: OL
    Map Charts: X | X | X
    Office Add-ins: W X P OL | W X P OL
    OneDrive/OneDrive for Business: ON | W X P
    QuickStarter: P | P | P
    Researcher: W | W | W
    Resume Assistant: W | W
    Save as PDF (conversion service): W | W
    Search Document Templates: W X P | W X P
    Send a smile: W X P OL ON | W X P OL ON
    Send to OneNote: OL | OL
    Smart Lookup: W X P OL ON | W X P OL ON | W X P OL ON
    Subtitles: P | P
    Translator: W X P | W X P
    Weather Bar: OL | OL | OL
    What’s New: W X P OL
  12. DEMO: Setting Privacy options with the new ‘Application and Custom Settings’ payload
  13. Application and Custom Settings

  14. Security

  15. The Basics
    Sandboxing
    - Office 365/2019/2016 apps are sandboxed, regardless of whether you download them from the Mac App Store or the Microsoft Content Delivery Network (CDN)
    - Sandboxing restricts the apps from accessing resources outside the app container
    Notarization
    - All Office apps use the hardened runtime and all download packages are notarized
    First piece of advice
    - Update your apps monthly to protect against the latest threats
    - Example: XL4 Auto_Open protection in the 16.31 update
  16. Updates are getting easier: UltraThin and Install on Clone were released a few months ago
  17. VBA Defaults and Options

    Preference Domain     Key                               Type    Possible Values
    com.microsoft.office  VisualBasicMacroExecutionState    string  DisabledWithoutWarnings, DisabledWithWarnings, EnabledWithoutWarnings
    com.microsoft.office  DisableVisualBasicExternalDylibs  bool    TRUE / FALSE
    com.microsoft.office  AllowVisualBasicToBindToSystem    bool    TRUE / FALSE
    com.microsoft.office  DisableVisualBasicToBindToPopen   bool    TRUE / FALSE
    com.microsoft.office  DisableVisualBasicMacScript       bool    TRUE / FALSE
    com.microsoft.office  VBAObjectModelIsTrusted           bool    TRUE / FALSE
  18. VBA Defaults and Options: the same table as slide 17, with a ‘Most Secure Value’ column added for each key
  19. Use Jamf Pro to strengthen policies
    - While we have sensible defaults, remember these are only effective in the user space
    - Most attacks exploit multiple vectors
    - Strengthen the default configuration through Config Profiles
    - Use CFPreferences to validate the intended implementation (the value that is actually in effect, and whether a profile forces it):
      python -c "from Foundation import CFPreferencesCopyAppValue; print(CFPreferencesCopyAppValue('VisualBasicMacroExecutionState', 'com.microsoft.office'))"
      python -c "from Foundation import CFPreferencesAppValueIsForced; print(CFPreferencesAppValueIsForced('VisualBasicMacroExecutionState', 'com.microsoft.office'))"
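Slide 19’s point is that a setting only counts as enforcement when a profile forces it, and the two one-liners check one key at a time. As an added example, not the talk’s, Microsoft’s or Jamf’s code, the Python audit below reads every key from the slide-17 table with the same two CFPreferences calls the slide uses (through PyObjC’s Foundation module, so the reading part runs only on a Mac) and reports keys that are unset, at a non-hardened value, or set only in user space. The HARDENED targets are this example’s assumption, chosen from what each key name says it controls; they are not taken from the slide’s ‘Most Secure Value’ column. The audit itself works on plain dicts, so it can be run against any captured preference set.

```python
"""Audit the VBA hardening keys from slides 17-19 against a hardened baseline.

Added example, not code from the talk, Microsoft or Jamf. HARDENED is this
example's assumption, derived from the key names, not the slide's own
'Most Secure Value' column. read_prefs() needs macOS with PyObjC; audit() does not.
"""
DOMAIN = "com.microsoft.office"

# key -> value assumed to be the most restrictive choice in the slide-17 table
HARDENED = {
    "VisualBasicMacroExecutionState": "DisabledWithoutWarnings",
    "DisableVisualBasicExternalDylibs": True,
    "AllowVisualBasicToBindToSystem": False,
    "DisableVisualBasicToBindToPopen": True,
    "DisableVisualBasicMacScript": True,
    "VBAObjectModelIsTrusted": False,
}


def read_prefs(domain=DOMAIN, keys=HARDENED):
    """Read each key's effective value and whether a profile forces it (same calls as slide 19)."""
    from Foundation import CFPreferencesCopyAppValue, CFPreferencesAppValueIsForced  # PyObjC, macOS only
    values, forced = {}, {}
    for key in keys:
        values[key] = CFPreferencesCopyAppValue(key, domain)  # None when the key is not set anywhere
        forced[key] = bool(CFPreferencesAppValueIsForced(key, domain))
    return values, forced


def normalise(value):
    """CFPreferences hands back bridged NSNumber/NSString objects; compare as plain bool/str."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return bool(value)
    return str(value)


def audit(values, forced, hardened=HARDENED):
    """Return one finding per problem: unset key, wrong value, or value not forced by a profile.

    A key at the hardened value but not forced is still reported, because a
    user-space setting can be changed back by the user or by a document (slide 19).
    """
    findings = []
    for key, want in hardened.items():
        have = values.get(key)
        if have is None:
            findings.append(f"{key}: not set (product default applies), want {want!r}")
        elif normalise(have) != want:
            findings.append(f"{key}: is {have!r}, want {want!r}")
        if not forced.get(key, False):
            findings.append(f"{key}: not forced by a configuration profile")
    return findings


if __name__ == "__main__":
    values, forced = read_prefs()
    for line in audit(values, forced) or ["all VBA keys hardened and forced"]:
        print(line)
```

Run it with the system Python that has PyObjC available (the same interpreter the slide’s `python -c` lines rely on); an empty findings list means every key is at the hardened value and is delivered by a profile rather than a user-space preference.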
  20. DEMO: Using Jamf Pro to enforce security policies

  22. Thank you for listening! Give us feedback by completing the 2-question session survey in the JNUC 2019 app.
    UP NEXT: Yin and Yang: The Art of Attack & Defense on macOS, 1:30 - 2:15 PM