Slide 1

Slide 1 text

© JAMF Software, LLC
Advanced Security and Privacy Management with Microsoft Office
11:15am - 12:00pm
UP NEXT

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

Paul Bowden
Principal Engineer
Microsoft

Slide 4

Slide 4 text

Security and Privacy Management
We’ll be taking a common sense approach
- Understand the default product options
- Evaluate your risks and compliance policy
- Implement the changes in Jamf Pro

Slide 5

Slide 5 text

It’s a balance
Security, Privacy, Features, Functionality

Slide 6

Slide 6 text

Privacy

Slide 7

Slide 7 text

Privacy
Options were overhauled in the 16.28 (August ’19) update
- Provide better transparency as to what telemetry is sent from the client, and controls for changing it
- Provide a choice over usage of different back-end services that Office connects with to deliver end-user functionality
- Provide consistency and roaming across desktop and mobile platforms
See https://aka.ms/macprivacy for full details

Slide 8

Slide 8 text

Privacy Terminology
Essential Services
- Required Service Data - Data to support basic product functionality
Connected Experiences
- In-product features that connect with back-end web services
Diagnostic Levels
- Basic (aka Required) - Keeps Office secure, up-to-date, and performing as expected
- Full (aka Optional) - Product usage data and enhanced telemetry
- Zero (aka None) - Don’t send any diagnostic data

Slide 9

Slide 9 text

Privacy Defaults and Options

| Preference Domain | Key | Type | Possible Values |
|---|---|---|---|
| com.microsoft.office | DiagnosticDataTypePreference | string | BasicDiagnosticData, FullDiagnosticData, ZeroDiagnosticData |
| com.microsoft.office | SendAllTelemetryEnabled | bool | TRUE / FALSE |
| com.microsoft.autoupdate2 | AcknowledgedDataCollectionPolicy | string | RequiredDataOnly, RequiredAndOptionalData |

| Setting | Sends ‘Required’ Diagnostic Data | Sends ‘Optional’ Diagnostic Data | Sends ‘Required’ Service Data |
|---|---|---|---|
| BasicDiagnosticData | Yes | No | Yes |
| FullDiagnosticData | Yes | Yes | Yes |
| ZeroDiagnosticData | No | No | Yes |
| SendAllTelemetryEnabled = FALSE | No | No | No |

Slide 10

Slide 10 text

Connectivity to Office Services

| Category | Preference Domain | Key | Type | Possible Values |
|---|---|---|---|---|
| Most Connected Experiences | com.microsoft.office | ConnectedOfficeExperiencesPreference | bool | TRUE / FALSE |
| Experiences that analyze content | com.microsoft.office | OfficeExperiencesAnalyzingContentPreference | bool | TRUE / FALSE |
| Experiences that download content | com.microsoft.office | OfficeExperiencesDownloadingContentPreference | bool | TRUE / FALSE |
| Optional Connected Experiences | com.microsoft.office | OptionalConnectedExperiencesPreference | bool | TRUE / FALSE |

Slide 11

Slide 11 text

Columns: Service/Feature, Essential Services, Connected Experiences, Analyzing Content Experiences, Downloading Content Experiences, Optional Connected Experiences

Alt Text: W P W P
Authentication: W X P OL ON
AutoUpdate (MAU): W X P OL ON
Cloud Fonts: W P OL ON W P OL ON
Contact Support: W X P OL
Data Types: X X
Designer / Design Ideas: P P
Document Templates: W X P W X P
Error Reporting (MERP): W X P OL ON W X P OL ON
Flighting (Config Services): W X P OL ON
Grammar Suggestions: P P P
Help: W X P OL ON W X P OL ON
Ideas: X X
Insert Icon: W X P W X P
Insert Online 3D Model: W X P W X P W X P
Insert Online Picture: W X P W X P W X P
Insert Online Video: W X P W X P W X P
Insert Stickers: ON ON ON
Licensing Service: W X P OL ON
Mailbox Synchronization: OL
Map Charts: X X X
Office Add-ins: W X P OL W X P OL
OneDrive/OneDrive for Business: ON W X P
QuickStarter: P P P
Researcher: W W W
Resume Assistant: W W
Save as PDF (conversion service): W W
Search Document Templates: W X P W X P
Send a smile: W X P OL ON W X P OL ON
Send to OneNote: OL OL
Smart Lookup: W X P OL ON W X P OL ON W X P OL ON
Subtitles: P P
Translator: W X P W X P
Weather Bar: OL OL OL
What’s New: W X P OL

Slide 12

Slide 12 text

DEMO
Setting Privacy options with the new ‘Application and Custom Settings’ payload

Slide 13

Slide 13 text

Application and Custom Settings

Slide 14

Slide 14 text

Security

Slide 15

Slide 15 text

The Basics
Sandboxing
- Office 365/2019/2016 apps are sandboxed, regardless of whether you download them from the Mac App Store or Microsoft Content Delivery Network (CDN)
- Sandboxing restricts the apps from accessing resources outside the app container
Notarization
- All Office apps use the hardened runtime and all download packages are notarized
First piece of advice
- Update your apps monthly to protect against latest threats
- Example: XL4 Auto_Open protection in 16.31 update

Slide 16

Slide 16 text

Updates are getting easier
UltraThin and Install on Clone were released a few months ago

Slide 17

Slide 17 text

VBA Defaults and Options

| Preference Domain | Key | Type | Possible Values |
|---|---|---|---|
| com.microsoft.office | VisualBasicMacroExecutionState | string | DisabledWithoutWarnings, DisabledWithWarnings, EnabledWithoutWarnings |
| com.microsoft.office | DisableVisualBasicExternalDylibs | bool | TRUE / FALSE |
| com.microsoft.office | AllowVisualBasicToBindToSystem | bool | TRUE / FALSE |
| com.microsoft.office | DisableVisualBasicToBindToPopen | bool | TRUE / FALSE |
| com.microsoft.office | DisableVisualBasicMacScript | bool | TRUE / FALSE |
| com.microsoft.office | VBAObjectModelIsTrusted | bool | TRUE / FALSE |

Slide 18

Slide 18 text

VBA Defaults and Options

| Preference Domain | Key | Type | Possible Values |
|---|---|---|---|
| com.microsoft.office | VisualBasicMacroExecutionState | string | DisabledWithoutWarnings, DisabledWithWarnings, EnabledWithoutWarnings |
| com.microsoft.office | DisableVisualBasicExternalDylibs | bool | TRUE / FALSE |
| com.microsoft.office | AllowVisualBasicToBindToSystem | bool | TRUE / FALSE |
| com.microsoft.office | DisableVisualBasicToBindToPopen | bool | TRUE / FALSE |
| com.microsoft.office | DisableVisualBasicMacScript | bool | TRUE / FALSE |
| com.microsoft.office | VBAObjectModelIsTrusted | bool | TRUE / FALSE |

Most Secure Value

Slide 19

Slide 19 text

Use Jamf Pro to strengthen policies
- While we have sensible defaults, remember these are only effective in the user space
- Most attacks exploit multiple vectors
- Strengthen the default configuration through Config Profiles
- Use CFPreferences to validate intended implementation

python -c "from Foundation import CFPreferencesCopyAppValue; print(CFPreferencesCopyAppValue('VisualBasicMacroExecutionState', 'com.microsoft.office'))"
python -c "from Foundation import CFPreferencesAppValueIsForced; print(CFPreferencesAppValueIsForced('VisualBasicMacroExecutionState', 'com.microsoft.office'))"
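Added example, not part of the presentation: a lint for a com.microsoft.office settings plist before it is uploaded to the ‘Application and Custom Settings’ payload, checking the VBA keys from the table against their listed types and values. The baseline values, the function names and the sample plist are assumptions made for this example.

```python
import plistlib

# Keys and allowed values copied from the slides' com.microsoft.office VBA table.
SCHEMA = {"VisualBasicMacroExecutionState": {
    "DisabledWithoutWarnings", "DisabledWithWarnings", "EnabledWithoutWarnings"}}
SCHEMA.update(dict.fromkeys((
    "DisableVisualBasicExternalDylibs", "AllowVisualBasicToBindToSystem",
    "DisableVisualBasicToBindToPopen", "DisableVisualBasicMacScript",
    "VBAObjectModelIsTrusted"), bool))

# ASSUMPTION: restrictive baseline inferred from the key names, not taken from
# the slide's "Most Secure Value" column. Adjust to your own policy.
BASELINE = {"VisualBasicMacroExecutionState": "DisabledWithoutWarnings",
            "DisableVisualBasicExternalDylibs": True,
            "DisableVisualBasicToBindToPopen": True,
            "DisableVisualBasicMacScript": True,
            "AllowVisualBasicToBindToSystem": False, "VBAObjectModelIsTrusted": False}

def is_valid(key, value):
    rule = SCHEMA[key]
    if rule is bool:
        return isinstance(value, bool)  # rejects the string "TRUE" and integer 1
    return isinstance(value, str) and value in rule

def audit(plist_bytes, baseline=BASELINE):
    # Returns (key, problem) pairs sorted by key; an empty list means clean.
    prefs = plistlib.loads(plist_bytes)
    findings = []
    for key in sorted(set(prefs) | set(baseline)):
        if key not in SCHEMA:
            findings.append((key, "unknown key"))
        elif key not in prefs:
            findings.append((key, "not set"))
        elif not is_valid(key, prefs[key]):
            findings.append((key, "wrong type or value"))
        elif prefs[key] != baseline.get(key, prefs[key]):
            findings.append((key, "differs from baseline"))
    return findings

# Constructed sample: a mis-cased key, a string where a bool belongs, a weak state.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>VisualBasicMacroExecutionState</key><string>DisabledWithWarnings</string>
<key>DisableVisualBasicExternalDylibs</key><true/>
<key>DisableVisualBasicMacScript</key><string>TRUE</string>
<key>DisableVisualBasictoBindToPopen</key><true/>
<key>AllowVisualBasicToBindToSystem</key><false/>
<key>VBAObjectModelIsTrusted</key><false/></dict></plist>"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A mis-cased key or a string "TRUE" is silently ignored by the application, so the profile installs cleanly while the setting stays at its default; the CFPreferences commands above then confirm what is in effect on the client.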

Slide 20

Slide 20 text

DEMO
Using Jamf Pro to enforce security policies

Slide 21

Slide 21 text


Slide 22

Slide 22 text

Thank you for listening!
Give us feedback by completing the 2-question session survey in the JNUC 2019 app.
UP NEXT
Yin and Yang: The Art of Attack & Defense on macOS
1:30 - 2:15 PM