Some companies’ security policies recommend that it must be ensured that no company data will be saved on “non-company” devices. A first step to achieve that is to disable attachment download.  To do this, you can just remove the checkbox in ECP:

OWA file access


You can also create a new OWA policy and specify the following:

OWA file access2


If you are more the PowerShell Guy:

Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -DirectFileAccessOnPublicComputersEnabled $false -DirectFileAccessOnPrivateComputersEnabled $false


The result is that the attachments cannot be downloded any more:

OWA file access3

The cool thing is that viewing attachments in Office Online is still possible.


There are more features which can be disabled to gain more security which will be discussed in separate articles.