Advanced Security and Privacy Management with Microsoft Office

Transcript

1. © JAMF Software, LLC Advanced Security and Privacy Management with

   Microsoft Office 11:15am - 12:00pm UP NEXT
2. None

3. © JAMF Software, LLC Paul Bowden Principal Engineer Microsoft 275x275

   head shot

4. © JAMF Software, LLC Security and Privacy Management We’ll be

   taking a common sense approach Understand the default product options Evaluate your risks and compliance policy Implement the changes in Jamf Pro

5. © JAMF Software, LLC It’s a balance Security Privacy Features

   Functionality

6. © JAMF Software, LLC Privacy

7. © JAMF Software, LLC Privacy Options were overhauled in the

   16.28 (August ’19) update Provide better transparency as to what telemetry is sent from the client, and controls for changing it Provide a choice over usage of different back-end services that Office connects with to deliver end-user functionality Provide consistency and roaming across desktop and mobile platforms See https://aka.ms/macprivacy for full details

8. © JAMF Software, LLC Privacy Terminology Essential Services Required Service

   Data - Data to support basic product functionality Connected Experiences In-product features that connect with back-end web services Diagnostic Levels Basic (aka Required) - Keeps Office secure, up-to-date, and performing as expected Full (aka Optional) - Product usage data and enhanced telemetry Zero (aka None) - Don’t send any diagnostic data

9. © JAMF Software, LLC Privacy Defaults and Options Preference Domain

   Key Type Possible Values com.microsoft.office DiagnosticDataTypePreference string BasicDiagnosticData
 FullDiagnosticData ZeroDiagnosticData com.microsoft.office SendAllTelemetryEnabled bool TRUE / FALSE com.microsoft.autoupdate2 AcknowledgedDataCollectionPolicy string RequiredDataOnly RequiredAndOptionalData Setting Sends ‘Required’ Diagnostic Data Sends ‘Optional’ Diagnostic Data Sends ‘Required’ Service Data BasicDiagnosticData Yes No Yes FullDiagnosticData Yes Yes Yes ZeroDiagnosticData No No Yes SendAllTelemetryEnabled = FALSE No No No

10. © JAMF Software, LLC Connectivity to Office Services Most Connected

    Experiences Experiences that analyze content Experiences that download content Optional Connected Experiences Preference Domain Key Type Possible Values com.microsoft.offic e ConnectedOfficeExperiencesPreference bool TRUE / FALSE Preference Domain Key Type Possible Values com.microsoft.offic e OfficeExperiencesAnalyzingContentPreference bool TRUE / FALSE Preference Domain Key Type Possible Values com.microsoft.offic e OfficeExperiencesDownloadingContentPreferenc e bool TRUE / FALSE Preference Domain Key Type Possible Values com.microsoft.offic e OptionalConnectedExperiencesPreference bool TRUE / FALSE

11. © JAMF Software, LLC Service/Feature Essential Services Connected Experiences Analyzing

    Content Experiences Downloading Content Experiences Optional Connected Experiences Alt Text W P W P Authentication W X P OL ON AutoUpdate (MAU) W X P OL ON Cloud Fonts W P OL ON W P OL ON Contact Support W X P OL Data Types X X Designer / Design Ideas P P Document Templates W X P W X P Error Reporting (MERP) W X P OL ON W X P OL ON Flighting (Config Services) W X P OL ON Grammar Suggestions P P P Help W X P OL ON W X P OL ON Ideas X X Insert Icon W X P W X P Insert Online 3D Model W X P W X P W X P Insert Online Picture W X P W X P W X P Insert Online Video W X P W X P W X P Insert Stickers ON ON ON Licensing Service W X P OL ON Mailbox Synchronization OL Map Charts X X X Office Add-ins W X P OL W X P OL OneDrive/OneDrive for Business ON W X P QuickStarter P P P Researcher W W W Resume Assistant W W Save as PDF (conversion service) W W Search Document Templates W X P W X P Send a smile W X P OL ON W X P OL ON Send to OneNote OL OL Smart Lookup W X P OL ON W X P OL ON W X P OL ON Subtitles P P Translator W X P W X P Weather Bar OL OL OL What’s New W X P OL

12. © JAMF Software, LLC DEMO Setting Privacy options with the

    new ‘Application and Custom Settings’ payload

13. © JAMF Software, LLC Application and Custom Settings

14. © JAMF Software, LLC Security

15. © JAMF Software, LLC The Basics Sandboxing Office 365/2019/2016 apps

    are sandboxed, regardless of whether you download them from the Mac App Store or Microsoft Content Delivery Network (CDN) Sandboxing restricts the apps from accessing resources outside the app container Notarization All Office apps use the hardened runtime and all download packages are notarized First piece of advice Update your apps monthly to protect against latest threats Example: XL4 Auto_Open protection in 16.31 update

16. © JAMF Software, LLC Updates are getting easier UltraThin and

    Install on Clone were released a few months ago

17. © JAMF Software, LLC VBA Defaults and Options Preference Domain

    Key Type Possible Values com.microsoft.office VisualBasicMacroExecutionState string DisabledWithoutWarnings
 DisabledWithWarnings EnabledWithoutWarnings com.microsoft.office DisableVisualBasicExternalDylibs bool TRUE / FALSE com.microsoft.office AllowVisualBasicToBindToSystem bool TRUE / FALSE com.microsoft.office DisableVisualBasicToBindToPopen bool TRUE / FALSE com.microsoft.office DisableVisualBasicMacScript bool TRUE / FALSE com.microsoft.office VBAObjectModelIsTrusted bool TRUE / FALSE

18. © JAMF Software, LLC VBA Defaults and Options Preference Domain

    Key Type Possible Values com.microsoft.office VisualBasicMacroExecutionState string DisabledWithoutWarnings
 DisabledWithWarnings EnabledWithoutWarnings com.microsoft.office DisableVisualBasicExternalDylibs bool TRUE / FALSE com.microsoft.office AllowVisualBasicToBindToSystem bool TRUE / FALSE com.microsoft.office DisableVisualBasicToBindToPopen bool TRUE / FALSE com.microsoft.office DisableVisualBasicMacScript bool TRUE / FALSE com.microsoft.office VBAObjectModelIsTrusted bool TRUE / FALSE Most Secure Value

19. © JAMF Software, LLC Use Jamf Pro to strengthen policies

    While we have sensible defaults, remember these are only effective in the user space Most attacks exploit multiple vectors Strengthen the default configuration through Config Profiles Use CFPreferences to validate intended implementation python -c "from Foundation import CFPreferencesCopyAppValue; print CFPreferencesCopyAppValue('VisualBasicMacroExecutionState', 'com.microsoft.office')" python -c "from Foundation import CFPreferencesAppValueIsForced; print CFPreferencesAppValueIsForced('VisualBasicMacroExecutionState', 'com.microsoft.office')"

20. © JAMF Software, LLC DEMO Using Jamf Pro to enforce

    security policies

21. © JAMF Software, LLC

22. © JAMF Software, LLC Thank you for listening! Give us

    feedback by completing the 2-question session survey in the JNUC 2019 app. UP NEXT Yin and Yang: The Art of Attack & Defense on macOS 1:30 - 2:15 PM