This could be related to a new user setting which was delivered recently in Chrome and Edge updates where the default is to allow websites to access your local filesystem.
Has this already been the unseen default up until recently? That would seem like quite an anti-privacy default and I could imagine that security people would not all have been in favor of it happening without any notification at least. But maybe could have been going on for a while anyway?
Seems like the article is complaining if the default in his setup tools no longer allowed local access by default (without permission) any more, and the collateral damage from that reduced attack surface caught him by surprise. With this in mind maybe notification alone may turn out to be the only resultant hardening of the system but for me things like OneNote are just plain not worth it.
rref•1mo ago
> This could be related to a new user setting which was delivered recently in Chrome and Edge updates where the default is to allow websites to access your local filesystem.
Yep that's the one!
> Has this already been the unseen default up until recently?
I believe the default was to allow which is why users never got prompts in the past on PC. I think that on macOS, one gets a prompt regardless of which browser is used due to the way the OS isolates apps and system resources.
> security people would not all have been in favor of it happening without any notification at least.
This is my understanding of why Chrome(ium) has introduced the change but there may be other motives.
> Seems like the article is complaining if the default in his setup tools no longer allowed local access by default (without permission) any more, and the collateral damage from that reduced attack surface caught him by surprise.
I think his issue is that there is a surprise un-managed - "managed" - policy on endpoints that came from nowhere.
In my opinion it is a decently effective solution from Microsoft to maintain the availability of OneDrive sync when using the offline sync capabilities. However, they didn't do the same for Teams (maybe because they preferred a lighter touch? I'm trying to be generous...) and probably should have put this under-the-hood change in their release notes so admins can be aware of it.
As it stands the un-managed policy can become managed simply by pushing out the same policy, which is pretty clean.
In an enterprise environment it's almost guaranteed for some end-users to click "block" on the pop-up without hesitation, and that would cause loss-of-time troubleshooting for service desks and admins, and possibly loss of data.
From a privacy perspective I don't think this is an issue as only the company SharePoint URLS are added to the allow-list.
fuzzfactor•1mo ago
Has this already been the unseen default up until recently? That would seem like quite an anti-privacy default and I could imagine that security people would not all have been in favor of it happening without any notification at least. But maybe could have been going on for a while anyway?
Seems like the article is complaining if the default in his setup tools no longer allowed local access by default (without permission) any more, and the collateral damage from that reduced attack surface caught him by surprise. With this in mind maybe notification alone may turn out to be the only resultant hardening of the system but for me things like OneNote are just plain not worth it.
rref•1mo ago
Yep that's the one!
> Has this already been the unseen default up until recently?
I believe the default was to allow which is why users never got prompts in the past on PC. I think that on macOS, one gets a prompt regardless of which browser is used due to the way the OS isolates apps and system resources.
> security people would not all have been in favor of it happening without any notification at least.
This is my understanding of why Chrome(ium) has introduced the change but there may be other motives.
> Seems like the article is complaining if the default in his setup tools no longer allowed local access by default (without permission) any more, and the collateral damage from that reduced attack surface caught him by surprise.
I think his issue is that there is a surprise un-managed - "managed" - policy on endpoints that came from nowhere.
In my opinion it is a decently effective solution from Microsoft to maintain the availability of OneDrive sync when using the offline sync capabilities. However, they didn't do the same for Teams (maybe because they preferred a lighter touch? I'm trying to be generous...) and probably should have put this under-the-hood change in their release notes so admins can be aware of it.
As it stands the un-managed policy can become managed simply by pushing out the same policy, which is pretty clean.
In an enterprise environment it's almost guaranteed for some end-users to click "block" on the pop-up without hesitation, and that would cause loss-of-time troubleshooting for service desks and admins, and possibly loss of data.
From a privacy perspective I don't think this is an issue as only the company SharePoint URLS are added to the allow-list.