Chromium browsers not working with Cloud App Session Policies... sorta

Posted by Velo_Dinosir@reddit | sysadmin

Either my Google-fu leaves something to be desired or I have stumbled across an issue which no one has deemed worth posting about.

I have a client who wants to prevent users from downloading files from their Office 365 space, as their files have moved from an on-prem server to SharePoint.

This is simple enough to set up: create a GPO to enroll company devices in Intune, create a Conditional Access policy to block downloads on devices that aren't Joined/Registered, create a session policy to block downloading/printing files in O365. Everything was working like a charm until I get a call from a manager saying that every time he tries to view a PDF on his home computer (not print), it tells him he's not allowed to download the file and it loops trying to download the "you've been naughty" message you get when you try to download a file from O365.

We open up Firefox and.... it works fine. He can preview the PDF, not print. We open up Edge... same issue with Chrome.

I check the temp folder and there are 0b .tmp files created when you try to preview any pdf in Chrome or Edge. I suspect this is triggering the Session policy and causing it to eat shit.

I tried to edit the Session policy to ignore files with .tmp in their name and that didn't work. I tried to make it so files <1MB are ignored, but that opens up a new can of worms since that is as low as that number goes (files are measured in MB, and anything less than 1 in the configuration wizard gets deleted).

I tried adding the Adobe for Chrome extension hoping that would fix the issue, but it didn't work.

The only thing I can reasonably think of off the top of my head right now, outside of getting Microsoft to allow more granular control in the Session Control policy wizard, is to tell Chrome to stop creating these .tmp files in my temp directory. Neither of those options seems doable this century.

Idk, has anyone ever experienced this before?