Microsoft Office 16.28, released Tuesday, includes a new privacy dialog for users and a number of changes to the preferences that control privacy and telemetry settings. This new dialog cannot be directly suppressed for Office 365 users, but can for those with a 2019 Volume License.
Microsoft has provided documentation, Use preferences to manage privacy controls for Office for Mac, of these new preferences and Paul Bowden provided a Keynote slide deck, Privacy and Consent Controls (PDF version), from a set of video conferences he hosted last week. (Unfortunately video recordings of the calls are not available.)
Thanks to the hard work of the Office for Mac team most of these preferences can be managed via configuration profiles. Read on for an overview of the changes and items of note.
The documentation does a good job of outlining the new options and the slide deck helps tie it all together visually. Make sure to read both thoroughly as this post is not intended to replace them. My hope is to simply cover the high points and help consolidate information that was relayed verbally or through a myriad of different Slack channels and threads over the past week.
MacAdmins are likely to spend the most time trying to decode which services correspond to which new preference key and mapping out what needs to be enabled or disabled in their environments.
Items of note (with references to the slide/page from Paul’s presentation):
• The DiagnosticDataTypePreferences and SendAllTelemetryEnabled keys have moved from the individual application preference domains to a suite-wide setting in com.microsoft.office. In the case of the former a new option has been added as well. This will simplify the profiles and allow the settings to be controlled from a single place across all applications. [Slides 2, 6]
• You can leave these existing keys in your com.microsoft.<appname> profiles and add them to com.microsoft.office during the upgrade period to make sure both old and new versions of Office are configured. There will be no harm in leaving them in com.microsoft.<appname> for future versions, they will be ignored. [Slide 4]
» The word All in the SendAllTelemetryEnabled key is somewhat of a misnomer. At first glance it might appear that setting this value to TRUE means you will send all telemetry data. Instead think of this as an on/off switch to control wether any telemetry is sent. If left unmanaged or set to TRUE, what data is sent will then depend on the value specified for DiagnosticDataTypePreferences. (The “Decoder Ring” in the slide deck helps map out the possibilities here.) A setting of FALSE will turn off all telemetry, so no configuration would be needed for DiagnosticDataTypePreferences. [Slide 6]
• SendAllTelemetryEnabled is no longer applicable to the com.microsoft.autoupdate2 preference domain. It has been replaced by the new AcknowledgedDataCollectionPolicy key I covered in my post last month, Disabling Microsoft AutoUpdate’s new Required Data Notice in managed environments. [Slide 7]
• Both the PII_And_Intelligent_Services_Preference and kFREIntelligenceServicesConsentV2Key keys have been removed from the individual application preference domains and are no longer used anywhere. [Slide 8]
• The kFREEnterpriseTelemetryInfoKey key was recycled from the 16.13 release temporarily in July’s 16.27 update and will not apply going forward. If you are upgrading to 16.28 you can ignore or remove this key completely. [Slide 9]
• The bulk of the new options come in the form of four new keys, all in the com.microsoft.office preference domain: ConnectedOfficeExperiencesPreference, OfficeExperiencesAnalyzingContentPreference, OfficeExperiencesDownloadingContentPreference and OptionalConnectedExperiencesPreference. These four are individually configured to be either on or off. [Slide 10]
• Figuring out which services fall under which preference as well as mixing and matching the settings will the the tricky part. The documentation covers the applicable services in detail (make sure to follow the links deeper into the rabbit hole) and Paul has a chart which makes it easier to visualize the features. [Slide 11]
• Setting OptionalConnectedExperiencesPreference to FALSE will disable any O365 provided Add-Ins configured on the tenant such as phishing reporting tools or Send to OneNote in Outlook. [h/t Eric Holtam]
» It is very important to note that for Office 365 users these new preference settings are tied to the O365 identity, not the device, and will “roam” from computer to computer with the user. This means they cannot be reliably set with a defaults write command. A configuration profile will override the roaming settings and should be used for any management. [Slide 13]
• The UI and dialogs that a user will see are determined by the how Office is licensed. Paul has provided three great walkthroughs with screenshots to illustrate the different experiences. [Slides 12, 14-27]
• As mentioned in the lede, the new First Run Experience dialog titled, “Your privacy option,” cannot be directly suppressed for O365 users. However, if you disable OptionalConnectedExperiencesPreference then the dialog will not appear as it only applies to those services. Thankfully this dialog will only be displayed to O365 users once across all their devices (macOS, iOS, Windows and Android) as acknowledgment of the dialog “roams” with the identity. [Slide 15]
» For 2019 Volume License users this dialog can be suppressed. Most of the Optional Connected Experiences are unavailable for VL users. Setting the key HasUserSeenEnterpriseFREDialog in com.microsoft.office to TRUE will suppress the dialog. [Slide 19]
These and other preferences are listed in a community-maintained Google Sheet for easy reference. I’ll be working to add the new options to ProfileCreator as time allows in the next several days and Paul has provided nine example configuration profiles on Github.
If you are looking for help with how to best apply these new configuration options in your environment please join the #microsoft-office channel on the MacAdmins Slack where myself and others will be happy to help.
UPDATE 8/18/19: I have added all of these new preferences into ProfileCreator.
This post would not have been possible without the collaboration of my colleagues in the community, Eric Holtam in particular deserves credit for helping sort out these changes. And as always we owe a debt of gratitude to Microsoft’s Paul Bowden for maintaining an open dialog with MacAdmins and championing for our needs inside the company.