Workplace offers a lot of flexibility in how people get work done. The most important consideration for Company Managers is controlling how data can cross the Workplace perimeter. This can include working exclusively in a hosted environment, or allowing data on local devices.
Feel free to take notes as you read through this module, which can help you plan the data and workflow design for your company.
Flexibility vs. Control
Depending on your cybersecurity and compliance policies, your team could work exclusively with Hosted Apps and browsers, with natively installed desktop apps and browsers, or with a combination of the two environments (hybrid).
When determining how your team should work, it is important to look at where your people are working and the different types of devices they are using.
For instance, you may have people who travel and don't always have access to a stable internet connection. If they are restricted to using a hosted environment only, an unstable internet connection could really impact their ability to work.
On the other hand, some remote users may work on a shared computer at home, which could leave company data vulnerable. How will you allow your team access to work resources, and ensure they remain flexible, while keeping within your company's security and compliance policies?
Key Areas of Design
Let's talk about the four key areas of data and workflow design, and who they will be designed for. The following settings help control whether data is contained in the Workplace hosted environment, or allowed on end user devices:
Apps: Hosted only, Native (locally installed) only, or a combination of the two (hybrid)
Files: Users can access their files via Hosted File Manager, or by using a hybrid approach that includes:
- On-demand Work Folders: this setting controls multiple things, most noticeably the ability to access Workplace files from your local computer by mounting a virtual Workplace drive. For Windows users, the Workplace drive is typically mounted as a local S:\ drive (if S:\ is already used, the installer will choose another letter that's available).
The setting also controls the ability to download files from the Workplace Web App and enables/disables integration of Workplace mobile device apps with Office 365 mobile apps.
On-demand Work Folders allow you to work locally and sync files back to Workplace. Having the local Workplace drive mounted can mitigate the risk of losing data if the computer crashes or if the device is lost or stolen.
- An important note: there are some file types, such as .lnk, hidden files, thumbnails, and shortcuts that are not supported in Modern Workplace. Click here to view a list of unsupported file types.
- Shared files: Workplace allows users to share files with people outside their organization. There are three methods of sharing files. Company Managers can disable this feature entirely, or just turn off the public link type if necessary.
- File uploading: To prevent people from bringing files into Workplace, CMs can disable file uploading for individuals, groups, or the entire company.
Websites: Open websites in a local, hosted or hybrid browser:
In a local only workflow, all websites are opened in a locally installed browser.
In a hybrid workflow, Company Managers can set sensitive SaaS apps, such as Salesforce, EMoney, and Redtail, to open within the hosted environment. However, some hybrid workflows can allow users to open these apps locally, based on their device's compliance status.
After considering your cybersecurity policies, when you assign websites to the team, you can choose where those apps will open - in a local, hosted or hybrid web browser.
- Employee-controlled accounts allow the user to set their own password to assigned websites, or to web accounts they save to Workplace themselves.
- SAML-federated accounts are the best way to control web app data because the user cannot view or edit the password. We'll go into greater detail about this feature in an upcoming module.
Email: Hosted Outlook, local mail client, mobile mail, OWA mail
- ActiveSync: ActiveSync is used for mobile mail clients to connect to Microsoft Exchange servers. Basically, this allows a user to set up their email, contacts, and calendars on their mobile devices. The basic requirements are that their phone is encrypted, and that it has a 6-digit passcode. To audit or change ActiveSync Policies, you will need to reach out to Workplace support.
- Hosted Outlook: Users can only access their email via the hosted environment.
- Outlook Web App (OWA): this can be integrated with Workplace as a website, and has the advantage of keeping emails off of a user's computer.
- Enable local Outlook: Company Managers can allow or disallow the use of native Outlook or other mail clients on their computers.
It's important to note that a hybrid configuration can create additional administrative burden due to local system configuration requirements. There may also be unacceptable risk associated with allowing data on endpoint devices. If you would like to confirm your Workplace configuration aligns with your cybersecurity policies, we recommend reviewing your company, group, and user settings with your Customer Success Manager or Workplace support personnel.
Now that we've explored the three possible workflow approaches as well as the four areas of data access (apps, files, websites and email), please take your time considering which data and workflow design approach is best for your company, and for your users, before continuing to the next module of the CM:102 course, where we'll take a look at access policies.