Without endpoint security, the enterprise is unable to remotely wipe the data, which may not be protected at all on the endpoint. For these reasons, many enterprises want to allow employee access to the collaboration tools in Office 365 from any device, but limit the ability to download corporate data to only managed devices.

How Skyhigh helps

When users access Office 365, Skyhigh CASB performs a certificate check to validate that the device has appropriate endpoint security in the form of an EMM/MDM solution. Skyhigh also goes one step further by integrating with EMM/MDM providers to pull a mapping of users to their trusted devices, and validates not only that the endpoint has a certificate, but that the user is accessing from a device known for that user and not from some other device. This second-level check ensures that a malicious user or third party has not copied a certificate onto an untrusted endpoint in order to circumvent device policies.

Blocking download necessitates intermediating the user’s session with a proxy, not just the login event. As highlighted in the architecture diagram below, personal, unmanaged devices can only be intermediated by a reverse proxy and not a forward proxy. However, while reverse proxies can intermediate logins to the web app and native app, they can only intermediate the usage (and therefore enforce download controls) for the web app.

Skyhigh solves this by enforcing a “no access” policy for unmanaged devices across native O365 applications, and a “view but no download” policy for unmanaged devices across web applications. Customers use Skyhigh to block access to corporate Office 365 instances via the native application on personal devices, while permitting web application access. By proxying the session to the web application, Skyhigh can allow employees to preview data and edit files in Word Online, Excel Online, and PowerPoint Online while preventing files from being downloaded to the endpoint.

Skyhigh can also detect device management status from a SAML assertion passed by the identity provider that users log in to Office 365 through.

How it works: deployment architecture

When a file is downloaded or synced, there is no pause for an API call, so enforcing a download policy requires the CASB to sit inline between the user and the cloud application. Since a personal device is unmanaged, and therefore its traffic is not being routed via an endpoint agent, this control requires the reverse proxy mode.

When a user accesses Office 365, Skyhigh CASB checks the certificate and, if it is a personal device, blocks access to the native application and proxies traffic to the web application. Sitting inline in reverse proxy mode, Skyhigh blocks the download whenever a user attempts to download a file. If the device is managed, Skyhigh's reverse proxy gets out of line to allow direct access from the user to Office 365.
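The two-level device check described under "How Skyhigh helps" and the access decision described above, written out as an added illustrative example (not Skyhigh's own code). The user-to-device mapping, device ids and user names are constructed sample data standing in for what an EMM/MDM provider would return.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data (hypothetical): the mapping of users to trusted
# devices that the text says is pulled from the EMM/MDM provider.
MDM_TRUSTED_DEVICES = {
    "alice@example.com": {"dev-7f3a", "dev-91c0"},
    "bob@example.com": {"dev-2b44"},
}


@dataclass
class AccessRequest:
    user: str
    cert_device_id: Optional[str]  # device id carried in the client certificate; None if no cert
    client: str                    # "native" or "web"
    action: str                    # "login", "view", "edit" or "download"


def is_managed(req: AccessRequest) -> bool:
    """Second-level check: a certificate must be present AND name a device that
    the EMM/MDM mapping lists as trusted for this user. A certificate copied
    onto a device that is not on the user's list fails here."""
    if req.cert_device_id is None:
        return False
    return req.cert_device_id in MDM_TRUSTED_DEVICES.get(req.user, set())


def decide(req: AccessRequest) -> Tuple[str, str]:
    """Return (decision, route) following the policy in the text:
    managed device      -> allow, proxy steps out of line (direct access)
    unmanaged + native  -> no access
    unmanaged + web     -> view/edit through the reverse proxy, download blocked
    """
    if is_managed(req):
        return ("allow", "direct")
    if req.client == "native":
        return ("block", "none")
    if req.action == "download":
        return ("block", "reverse-proxy")
    return ("allow", "reverse-proxy")
```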