Changes Made by Cloud App Security

Cloud App Security adds some data to Office 365, Box, Dropbox, Google Drive, Gmail, and Salesforce when provisioning service accounts or running those cloud applications and services. If your license expires, Cloud App Security automatically deprovisions service accounts for you and cleans up most of the data. You must manually remove the remaining data.

The following table lists all the actions that Cloud App Security performs in the Office 365 environment and other changes made by Cloud App Security.

Table columns: Stage | Cloud App Security Changes to Office 365 (Office 365 Admin Center | Exchange/SharePoint/OneDrive/Microsoft Teams) | Other Changes

Provisioning

Creates Cloud App Security service accounts for Office 365 users.

  • Exchange: None.

  • SharePoint/OneDrive:

    • Adds a remote event receiver to each site collection.

    • Adds service accounts to each site collection's administrator group. (for Delegate Account provisioning only)

    • Uses OAuth 2.0 to obtain SharePoint Online's or OneDrive's access token. (for Authorized Account provisioning only)

  • Microsoft Teams:

    • Uses OAuth 2.0 to obtain Microsoft Teams' access token.

    • Adds a remote event receiver to each team site.

  • Teams Chat: Uses OAuth 2.0 to obtain Teams Chat's access token.

  • The SharePoint/OneDrive user list and user profiles are updated upon service account creation.

  • Exchange user information is updated upon service account creation.

  • The teams data is updated in the Cloud App Security database.

Service running

Synchronizes with Office 365 daily to obtain information about new users, groups, SharePoint sites, and teams.

Note:

Cloud App Security synchronizes with Office 365 at 00:15 a.m. UTC for both the EU and UK sites, 05:15 a.m. UTC for the Canada site, 08:15 a.m. UTC for the US site, 04:15 p.m. UTC for both the Japan and the Australia and New Zealand sites, 05:15 p.m. UTC for the Singapore site, and 00:15 p.m. UTC for the India site.

  • Exchange:

    • Creates hidden folders for mailboxes if there are quarantined files.

    • Moves files between the quarantine and user folders.

  • SharePoint/OneDrive:

    • Adds service accounts or the remote event receiver for new site collections.

    • Creates the hidden document library for each site if there are quarantined files.

    • Moves files between the quarantine and site folders.

  • Microsoft Teams:

    • Adds the remote event receiver for new team sites.

    • Creates the hidden document library for each site if there are quarantined files.

    • Moves files between the quarantine and site folders.

  • Teams Chat:

    • Subscribes to changes (create, update) to chat messages in the tenant.

    • Blocks chat messages if needed.

  • The access or operation logs are updated for service accounts during scanning.

  • The LastLogonTime property is updated for each mailbox.

  • SharePoint/OneDrive notification files are created if Cloud App Security takes actions against certain files.

  • The access token for Microsoft Teams is refreshed every hour.

  • The access token for Teams Chat is refreshed every hour.

Deprovisioning

  • Stops daily synchronization with Office 365.

  • Stops generating scheduled reports.

  • Exchange: Removes the quarantine folder.

  • SharePoint/OneDrive:

    • Removes the remote event receiver from each site collection. (for Delegate Account provisioning only)

    • Removes service accounts from each site collection's administrator group. (for Delegate Account provisioning only)

      Note:

      To remove service accounts from the administrator group, make sure that the service accounts were granted Global Administrator privileges during provisioning.

    • Removes the access token obtained. (for Authorized Account provisioning only)

    • Removes the quarantine document library.

  • Microsoft Teams:

    • Removes teams data.

    • Removes the access token obtained.

  • Teams Chat: Removes the access token obtained.

Note:

Cloud App Security recommends that you delete quarantine logs before deprovisioning.

None.

Manual cleanup

Removes service accounts from the Office 365 user list.

None.

  • Microsoft removes the SharePoint user profiles 30 days after service account removal.

  • Customers need to manually remove service account users from the SharePoint/OneDrive user list.

  • Customers need to manually remove the Cloud App Security notification files.

  • Microsoft Teams: none.

  • Teams Chat: none.

The following table lists all the actions that Cloud App Security performs in the Box, Dropbox and Google Drive environment and other changes made by Cloud App Security.

Table columns: Stage | Cloud App Security Changes to Box/Dropbox/Google Drive | Other Changes

Provisioning

  • Uses OAuth 2.0 to obtain Box's, Dropbox's or Google Drive's access token.

  • Uses the access token to create the following folders:

    • Quarantine folder: trendmicro_cas_quarantine__dont_change_or_delete

    • Temporary folder: trendmicro_cas_temp__dont_change_or_delete

  • Shares the temporary folder with all users in the current organization.

Saves user and group information to the Cloud App Security database.

Service running

  • Synchronizes with Box, Dropbox and Google Drive daily to obtain information about new users and groups.

    Note:

    Cloud App Security synchronizes with Box, Dropbox and Google Drive at 03:32 a.m. UTC for both the EU and UK sites, 07:32 a.m. UTC for the Canada site, 10:32 a.m. UTC for the US site, 06:32 p.m. UTC for both the Japan and the Australia and New Zealand sites, 07:32 p.m. UTC for the Singapore site, and 02:32 p.m. UTC for the India site.

  • If a file violates a policy that specifies the "Quarantine" action:

    1. Renames the file and moves it to the temporary folder.

    2. Moves the file to the quarantine folder.

    3. Replaces the file with a text file in the original path.

  • Updates the access or operation logs for service accounts during scanning.

  • Refreshes the access token every hour.

Note:

In addition, for Google Drive, Cloud App Security keeps subscribing to Google's event notifications every 5 hours.

Deprovisioning

  • Stops daily synchronization with Box, Dropbox or Google Drive.

  • Stops generating scheduled reports.

  • Stops running manual scans.

  • Removes administrator-set policies.

  • Removes user and group information.

  • Removes the access tokens obtained.

Manual cleanup

  • Removes the Cloud App Security application from the Box or Dropbox admin console.

  • Removes the Cloud App Security application from the Google admin console and from the admin's Google Account.

    Note:

    You can ignore this if you need to use the Gmail protection functionality.

  • Removes the quarantine folder and temporary folder.

  • Removes the replacement text files if necessary.

None.
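
An added example (not Trend Micro's code) for the manual cleanup stage above: it walks a folder inventory and reports the quarantine and temporary folders that remain after deprovisioning, including whether the temporary folder is still shared organization-wide. The inventory layout and the `everyone` share marker are assumptions, and the sample data is constructed.

```python
# Folder names as documented on this page.
QUARANTINE = "trendmicro_cas_quarantine__dont_change_or_delete"
TEMP = "trendmicro_cas_temp__dont_change_or_delete"

# Constructed sample inventory. Assumed layout: folders carry a "children"
# list, files do not; "shared_with" lists share targets ("everyone" is a
# hypothetical marker for an organization-wide share).
SAMPLE_INVENTORY = {
    "name": "admin-root",
    "children": [
        {"name": "Finance", "children": [{"name": "q3.xlsx"}]},
        {"name": QUARANTINE, "shared_with": [],
         "children": [{"name": "invoice.docm"}, {"name": "setup.exe"}]},
        {"name": TEMP, "shared_with": ["everyone"], "children": []},
    ],
}

def count_files(node):
    """Count files (entries without a 'children' key) under a folder."""
    total = 0
    for child in node.get("children", []):
        total += count_files(child) if "children" in child else 1
    return total

def find_residue(node, parent=""):
    """Return one finding per leftover Cloud App Security folder."""
    path = f"{parent}/{node['name']}"
    findings = []
    if "children" not in node:          # a file, nothing to report
        return findings
    if node["name"] in (QUARANTINE, TEMP):
        findings.append({
            "path": path,
            "kind": "quarantine" if node["name"] == QUARANTINE else "temporary",
            "files": count_files(node),  # items still held in the folder
            "org_wide_share": "everyone" in node.get("shared_with", []),
        })
    else:
        for child in node["children"]:
            findings.extend(find_residue(child, path))
    return findings

if __name__ == "__main__":
    for f in find_residue(SAMPLE_INVENTORY):
        print(f"{f['kind']:<10} files={f['files']} "
              f"org_wide_share={f['org_wide_share']} {f['path']}")
```
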

The following table lists all the actions that Cloud App Security performs in the Gmail environment and other changes made by Cloud App Security.

Table columns: Stage | Cloud App Security Changes to Gmail | Other Changes

Provisioning

Uses OAuth 2.0 to obtain Gmail's access token.

Saves user and group information to the Cloud App Security database.

Service running

  • Synchronizes with Gmail daily to obtain information about new users and groups.

    Note:

    Cloud App Security synchronizes with Gmail at 00:15 a.m. UTC for both the EU and UK sites, 05:15 a.m. UTC for the Canada site, 08:15 a.m. UTC for the US site, 04:15 p.m. UTC for both the Japan and the Australia and New Zealand sites, 05:15 p.m. UTC for the Singapore site, and 00:15 p.m. UTC for the India site.

  • If an email message violates a policy that specifies the "Label email" action: Creates a label called "Risky (by Trend Micro)" and labels the message.

  • Updates the access or operation logs for the service account during scanning.

  • Refreshes the access token every hour.

  • Cloud App Security refreshes the subscription to all mailboxes' event notifications during scheduled synchronization every day.

Deprovisioning

  • Stops daily synchronization with Gmail.

  • Stops generating scheduled reports.

  • Removes administrator-set policies.

  • Removes user and group information.

  • Removes the access token obtained.

Manual cleanup

Removes the Cloud App Security application from the Google admin console and from the admin's Google Account.

Note:

You can ignore this if you need to use the Google Drive protection functionality.

None.

The following table lists all the actions that Cloud App Security performs in the Salesforce environment and other changes made by Cloud App Security.

Table columns: Stage | Cloud App Security Changes to Salesforce | Other Changes

Provisioning

  • Adds the Cloud App Security application from AppExchange.

  • Adds a remote site setting to receive events.

  • Adds Apex triggers to generate events.

  • Uses OAuth 2.0 to obtain Salesforce's access token.

  • Adds custom settings to verify event integrity.

The Salesforce objects list and profiles are updated upon service account creation.

Service running

Synchronizes with Salesforce daily to obtain information about new objects and profiles.

Note:

Cloud App Security synchronizes with Salesforce at 03:32 a.m. UTC for both the EU and UK sites, 07:32 a.m. UTC for the Canada site, 10:32 a.m. UTC for the US site, 06:32 p.m. UTC for both the Japan and the Australia and New Zealand sites, 07:32 p.m. UTC for the Singapore site, and 02:32 p.m. UTC for the India site.

  • Updates the access or operation logs for the service account during scanning.

  • Refreshes the access token every hour.

Deprovisioning

  • Stops daily synchronization with Salesforce.

  • Stops generating scheduled reports.

  • Removes the remote site setting.

  • Removes the Apex triggers.

  • Removes the access token obtained.

  • Removes the custom settings.

Manual cleanup

Removes the Cloud App Security application from the Salesforce admin console.

None.

When your license is about to expire, Cloud App Security will send notifications to remind you. For details about license information, see License.

If your license has reached the end of the grace period, note the following:

  • The Cloud App Security management console is no longer accessible.

  • Cloud App Security performs deprovisioning and no longer protects your applications or services.

  • Quarantined items cannot be restored or downloaded.