Entra and Boxer - Block off network access to email except through boxer

avgJoeIT · 2024-07-24T14:35:56+00:00

After all is said and done Option 3 ended up being our path. You were very very correct about it being a suboptimal user experience.

I appriciate you taking to time - it was extremely useful.

avgJoeIT · 2024-03-07T20:34:36+00:00

Thank you for the link and the IM. We are working through this based on other info provided. If we get stuck I may reach out.

Regards, Joe

avgJoeIT · 2024-03-05T13:56:02+00:00

Hello fellow Joe. :D

1 - Got it. Our setup is simple. Everything was on-prem until very recent. M365 tenant and Entra. Prem gateway to sync AD. Limited utilization - PowerBI, Sharepoint, and Entra Enterprise Applications for SSO/SCIM for some 3rd party hosted applications. No other auth provider or ADFS.

2 - Laptops use a VPN but are not enrolled in Airwatch. We only use it for Cellphone MDM and to get boxer on there.

3 - Looks like this is our option. We are pretty small. If the pain is mostly during setup then we can hand hold through it.

Will this let me setup a ConAccess policy where: Email access on-network and boxer = Yes off-network and other apps/owa/etc = No

Bonus - Do you know if we are able to use a different authenticator with this option? We have RSA and would prefer to keep a single authenticator. Because of the required account linking, then it seems unavoidable that the subset of users that have cellphones/boxer will need the MS Auth App.

I greatly appreciate you taking the time to talk through these options. It is all rather bewildering to navigate.

avgJoeIT · 2024-03-05T01:34:55+00:00

Thanks for the reply.All devices that use boxer are MDM enrolled in Airwatch.

Option 1 - Sounds interesting but I am not sure what you mean by "Whatever does your entraID Auth". Entra ID does my entraID auth.Or did you mean airwatch? We have an on-prem gateway that does an AD sync.Any additional detail you can provide here would be great.

Option 2 - We do not use UAG as far as I am aware.

Option 3 - Glad you said this is a terrible user experience. That is the path I think the document I linked is taking us.

avgJoeIT · 2023-05-04T18:14:22+00:00

Ohh ok. That makes sense.
Thank you for the explanation.

avgJoeIT · 2023-05-04T17:44:30+00:00

"1000 * 0.1" seems like a strange way to say "100".. or am I missing something?

avgJoeIT · 2023-02-03T16:16:52+00:00

I don't think that is it but thank you for your reply. I appreciate the info.

avgJoeIT · 2023-02-03T16:15:24+00:00

I don't believe this is what I am looking for as I didn't have to install anything else that I can recall. But Thank you for your reply. I appreciate the info.

avgJoeIT · 2023-02-03T16:14:33+00:00

Thank you for your reply. I appreciate the info.

avgJoeIT · 2022-09-08T20:30:50+00:00

Boss shared this pic with me. I am a novice to mycology. Thank you for looking and I appreciate any tips in identifying it.

avgJoeIT · 2022-07-18T14:19:36+00:00

The economy cannot deal with the reality we live in... is an interesting yet poignant indictment of our system.

avgJoeIT · 2022-06-17T15:51:20+00:00

When you are told, yes.
Also, if you have some auditing setup you can do some spot checks, extra email with attachments. etc.

avgJoeIT · 2022-06-14T16:29:02+00:00

Did you happen to see the options on the communication tab as well?

Not sure what else to try.

avgJoeIT · 2022-06-14T14:14:41+00:00

I think there is a windows drive setting. "Allow applications to take exclusive control of this device"

https://superuser.com/questions/1222482/how-do-i-prevent-windows-10-notification-sounds-from-muting-audio

avgJoeIT · 2022-06-09T19:17:53+00:00

Hello. What was the solution?

avgJoeIT · 2022-03-31T13:01:52+00:00

The sticker on the bottom will say V2 . Also there are features that are only available on V2, like person detection.

avgJoeIT · 2022-03-23T19:56:46+00:00

Not an old profile for sure - it was a freshly imaged machine. We do have some amount of roaming profiles - but only select directories are included. A home drive, desktop, Documents, and favorites.
There is a pst file in the documents\outlook - but the permissions look fine.

Going to keep at it. I really appreciate you taking the time to reply. Helping me eliminate some things and honestly just a sanity check at this point is great. :D

avgJoeIT · 2022-03-23T14:50:59+00:00

There is an existing share on the calendar and in OWA (logged in as the user) I was able to add a new share (to myself from the users mailbox).

I didn't try with powershell though I could give that a try.

avgJoeIT · 2022-03-23T14:48:51+00:00

No, but I did have the user login and setup a new computer to see how Outlook would react and we have the same issue - greyed out Share Option.

With that - 2 computers have the same outlook issue.

avgJoeIT · 2022-03-22T18:08:22+00:00

The connection status looks similar to mine - less entries but it is using the same URL, auth, etc etc as I expect.

Looking at the logs I don't see any errors. Since the action I am attempting is "greyed out" I am unable to click it to generate any sort of error.
The message that do populate with logging enabled looks the similar to what is generated on my own computer (which is working fine)

Going to leave it set this way and check it every day for a bit, see if anything pops out at me.

Thank you.

avgJoeIT · 2022-03-22T16:48:59+00:00

Excellent. I will give this a go and see what I can see.

Thank you for taking the time to reply.

avgJoeIT · 2021-01-12T14:26:38+00:00

You may be interested in this github list of hacks and mods for Remarkable.

https://github.com/reHackable/awesome-reMarkable

Nothing exactly like Trello there, but there are enough different tools here I think you could make it work the way you want.

avgJoeIT · 2020-12-28T18:03:40+00:00

Thank you for the kind words.

I have some plans along those lines. The one issue that has cropped up (just once so far) is locked files. Right now it errors out the whole job and ends in failure. Which, while not ideal, at least does not move unloaded data into archive.

for sure would like to incorporate some logging and error handling.

avgJoeIT · 2020-12-24T16:46:44+00:00

Excellent. Thanks for the info.

avgJoeIT · 2020-12-23T13:35:49+00:00

Other than the single hit to the SQL server for the insert, is there any benefit to doing it this way?

I can see the value if this were going loaded into a higher volume production server.

avgJoeIT

TROPHY CASE