I can't believe I'm saying this, but in Microsoft's defense, those controls are aimed at companies working in regulated industries. They're meant to help those companies prove they're meeting their legal and/or contractual compliance obligations.
For example, if your company works with healthcare information and is a HIPAA "covered entity", your customers will demand to see proof that you're using data loss prevention (DLP) software. Such software does things like:
- MITMing output email to make sure you're not sending a spreadsheet full of social security numbers.
- The same but for posts to web forms.
- The same but for instant messengers.
...etc. Netskope is a big player in that space. Go read up on what all their stuff can do sometime. As an individual, a donor to the EFF, and a vocal advocate for user privacy, those things make me shudder. As someone responsible for making sure our employees didn't accidentally upload PHI to Facebook from a work computer, I gritted my teeth and accepted that they're a necessary evil.
There's no reminder that "your work laptop belongs to your employer" quite like working in healthtech. I'm willing to cut Microsoft some slack for offering those products to customers.
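The outbound-email check described in the comment above, as an added illustration that is not part of the original thread: a minimal DLP-style scanner that flags structurally plausible US SSNs in a CSV attachment and masks them in its findings. The SSN structure rules follow the SSA's published constraints; the sample CSV and the block threshold are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample attachment: what a DLP filter might see on an outbound message.
SAMPLE_CSV = """name,id,note
Alice,123-45-6789,quarterly review
Bob,000-12-3456,area 000 is never issued
Carol,987-65-4321,area 900-999 is never issued
Dave,219-09-9999,valid structure
Eve,4-5-6,formatting noise
"""

# Only the ddd-dd-dddd form; real products also match unformatted and spaced digits.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules from the SSA: area 000, 666 and 900-999 are never assigned,
    and group 00 / serial 0000 are invalid. Cuts false positives on random numbers."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per plausible SSN, with the value masked so the
    DLP log itself does not become a second copy of the sensitive data."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, group, serial = m.groups()
            if is_plausible_ssn(area, group, serial):
                findings.append({"line": lineno, "masked": f"***-**-{serial}"})
    return findings


def should_block(text: str, threshold: int = 1) -> bool:
    """Block when at least `threshold` plausible SSNs are present (the threshold is an
    assumed policy knob; real policies are tuned per channel and data type)."""
    return len(scan_text(text)) >= threshold


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CSV):
        print(f"line {f['line']}: {f['masked']}")
    print("block:", should_block(SAMPLE_CSV))
```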
Don’t get me wrong, I understand that some industries require this level of action logging. However, does Microsoft check whether a company actually needs this type of logging? I didn’t read all of the documentation, just the sections that were posted, but I didn’t see anything about Microsoft verifying if the companies using these tools are vetted.
They call out a bunch of not-relevant-to-compliance uses in the marketing copy, so they lose any good will they might have otherwise maintained.
It's one thing to say “we offer this sketchy service to verified members of this highly regulated industry”, it's quite another to say “this is what that highly regulated industry uses to do the sketchy things they're required to do, and you can get it too!”
You can enable some pretty strict policies with device management and general policies. But actually recording the screen is a big breach of information if the database is not secured.