
Determine if a user is accessing a web app from a company machine

Tags:

office365

I'm working with a large enterprise client that's using Office 365. We have an application that runs in Azure in which we need to prevent certain actions if they're not logged in from their company machine.

Principally we want to disable the 'Export as Excel' function when the user is not using their company managed laptop.

For example, if I try to log in to Outlook from my home machine I get the image below. How can I achieve something similar for our application?

enter image description here

like image 730
Dog Ears Avatar asked Mar 26 '20 21:03

Dog Ears


3 Answers

What you probably want is some sort of DRM (Digital Rights Management), since disabling export won't prevent users from exporting the document on the company laptop and then copying it to another PC.

Check out Azure Information Protection.

like image 57
Sherif Elmetainy Avatar answered Nov 15 '22 03:11

Sherif Elmetainy


Maybe you should publish your internal code at a webserver that is accessible in your corporate network only. This limits access to computers in your company network, but it's also possible to access with a guest computer.

  1. Set up a company-internal webserver that delivers HTML-/JavaScript-code for your button
  2. Within your webapp you load the HTML-/JavaScript code for your button from that internal webserver. Everybody outside the company network won't have access to it as long as your admin doesn't say so in your corporate firewall.
  3. The webservice that delivers your export file when a user pushes that button also runs at that internal webserver that is not accessible from outside.

Here is a second (not secure! but more lightweight) approach to detect whether the computer is in your company network (but maybe it's a guest machine):

  1. Set up a local webserver in your company network
  2. This webserver only delivers a tiny JavaScript that sets a variable. Something like window.computerIsInCorporateNetwork=true
  3. Check this variable in your webapp and activate/deactivate your Excel-button (or whatever you want to hide/disable).

This is not secure because everybody who knows the name of your variable can set it via browser console.

And a third approach is that you ...

  1. do a JavaScript GET-call to a local webserver and ask for an empty.html or something like that.
  2. decide, depending on whether you reached your local webserver (HTTP response code equals 200), to activate/deactivate your Excel-button.

This is not secure because everybody could manipulate the JavaScript directly in the browser.

like image 45
S. Doe Avatar answered Nov 15 '22 03:11

S. Doe
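
The answer above notes that its two browser-side checks can be bypassed from the console, while its first approach keeps the export service itself out of reach. The sketch below is an added example, not part of the answer or of any project's code: it makes the allow/deny decision on the server that produces the file. The CIDR ranges, the proxy address and all function names are assumptions, and like the answer's first approach it identifies the network, not the managed machine.

```javascript
// Added example: server-side gate for the export endpoint. All names and ranges are assumptions.
const CORPORATE_CIDRS = ['10.20.0.0/16', '192.0.2.0/24']; // constructed sample ranges
const TRUSTED_PROXIES = ['10.20.0.5'];                    // constructed reverse-proxy address

// Dotted IPv4 (optionally IPv4-mapped IPv6) to an unsigned integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).replace(/^::ffff:/, '').split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const ipInt = ipv4ToInt(ip), baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null) return false; // unparsable input is denied
  const size = 2 ** (32 - Number(bits));
  return Math.floor(ipInt / size) === Math.floor(baseInt / size);
}

// X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
// otherwise any client could claim a corporate address in that header.
function clientAddress(req) {
  const peer = String(req.socket.remoteAddress).replace(/^::ffff:/, '');
  const fwd = req.headers['x-forwarded-for'];
  if (fwd && TRUSTED_PROXIES.includes(peer)) {
    return fwd.split(',').pop().trim(); // last entry is the one our proxy appended
  }
  return peer;
}

function exportAllowed(req) {
  const addr = clientAddress(req);
  return CORPORATE_CIDRS.some((cidr) => inCidr(addr, cidr));
}

// Handler for http.createServer(): refuses the file itself, not just the button.
function handleExport(req, res) {
  if (!exportAllowed(req)) {
    res.writeHead(403, { 'Content-Type': 'text/plain' });
    return res.end('Export is only available from the corporate network');
  }
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end('export placeholder'); // a real app would stream the spreadsheet here
}
```

Hiding the button in the page can still be done for usability, but the 403 from the export endpoint is what actually enforces the rule.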


I think you should apply a jumpserver if you care so much about company secrets.

You can confine users so that they can only operate on the jumpserver (limit the accessible IP address to the jumpserver IP). Through a jumpserver, you can monitor all operations of a user, including screen recording, network access records, command history and so on.

There is an open-source jumpserver that supports more features than what I mentioned. But unfortunately, the documentation is written in Chinese. Or you may be interested in a paid service like azure-bastion.

like image 2
Mithril Avatar answered Nov 15 '22 03:11

Mithril