Lots of things are popping up as sovereign alternatives to M365. Very few of them seem to focus on the things that lock corporate users into the M365 ecosystem. For anyone looking at these things, here are a few things I’d regard as table stakes for a lot of current M365 users (note: not a complete list):

  • Autosaving to an organisation-controlled (and backed up) storage location. Can be hosted by a third party (small companies don’t want to do this themselves).
  • Version tagging of documents.
  • Native apps for Windows, macOS, Android and iOS.
  • Web apps for all of the same functionality as the native apps.
  • Collaborative editing that works between both web and native views of the same document.
  • Integrated account management.
  • Sharing with both anonymous (anyone with the link) and externally authorised (partner org via OAuth or whatever) entities outside the company.
  • Auditable access control, with mechanisms for revoking access to, or limiting sharing of, documents, at different granularities.
  • Easy integration with third-party document management systems (for ISO 9001 and similar compliance).
  • Presenter mode for the presenter app in the video conferencing system, so the slides are rendered locally at the other end and work with accessibility tools (this is a legal requirement in some jurisdictions).
  • Easy file sharing in the integrated chat system.
  • Server-side search across documents (the SharePoint one isn’t good, but it’s better than nothing).
  • Easy extension mechanism adding in-house workflow-specific behaviours.
  • Export and import of OOXML (yes, OOXML sucks. But I often need to send a PowerPoint presentation to be compiled in someone else’s deck at a different company or at a conference and I need to know it will work. Keynote, impressively, can export PowerPoint files that crash the PowerPoint web viewer).
  • GDPR-compliant ways of deleting things.
  • Multi-factor authentication.
  • Automatic updates for security patches.
  • Don’t send 30 emails to everyone not in your ecosystem when someone adds an agenda to a meeting invitation (yes, Google Calendar, I’m looking at you).

Note that a couple of these effectively preclude anything AGPL’d. If a company adds some extensions to the system and shares a link with another company, AGPL means that they have to share the code for those extensions. Even without extensions, AGPL imposes conditions that mean someone needs to talk to a lawyer before allowing link sharing with external entities. GPL is fine for this (extensions are not distributed, so the issues don’t arise) but AGPL comes with too much legal risk to be considered.

Some things that M365 does that probably aren’t essential but are nice:

  • Integration with OS remote-file mechanism on macOS and Windows so sets of files can be locally ‘sync’d’ but actually loaded on demand and automatically excluded from backups.
  • Collaborative editing of all documents in the video-conferencing system. Sometimes it’s really useful to bring up a shared view and let everyone type in, say, a spreadsheet.

Some people use Intune for Cyber Essentials and ISO 27001 but it’s such a complete security disaster that no one should ever deploy it in any situation, especially not for security certification. Something written by people who actually know what the principle of least privilege is would be useful.

And a few things where M365 is bad (there are many of these, but from the top of my head) and you could easily do much better:

  • Calendars with events owned by a team, not an individual, so anyone can cancel a meeting if there isn’t quorum, or can reschedule it if the organiser leaves the company.
  • Search that actually works.
  • An Improv-like spreadsheet.
  • Proper semantic markup in the word processor with clear separation of stylesheets.
  • A modern typesetting system. And, by modern, I mean ‘algorithms designed for 1970s minicomputers’, not the more limited versions cut down for 1980s microcomputers.
  • A consistent set of editing tools, along the lines of ClarisWorks, so drawing in a word processor and a presenter aren’t different, and a table view in a word processor or presentation is a spreadsheet.
  • PowerPoint has morph transitions for doing key frame animation. This is better than PowerPoint used to be, but it’s worse than Flash was in 1996. Catch up with 30-year-old technology.
  • Actually respect the HIGs on macOS.
  • Don’t be Exchange. This one is easy. But Exchange remains the absolute worst at everything it does.
  • Add a mechanism for flagging personal info in emails. Outlook has no way of being GDPR-compliant if, for example, someone emails a CV. At MS, we were told to simply delete the email and tell the person to apply through another system. But what I want is to be able to tag the email as personal information for the sender and have it deleted and expunged if a GDPR request to do so is filed.
  • Actually, better GDPR-compliance tooling throughout would be nice.
  • Anomaly detection in the back end to trigger reauthentication if a client device appears to be accessing things unusually, including out-of-band notification of what the user has accessed so they can confirm that it’s intentional.
  • Default to opening files in ‘view only’ mode.
  • An integrated document-management system so you don’t need to buy a third-party one for ISO 9001.
  • A clear export flow for sharing a version of a document with no history, while the internal version has complete history available.

Oh, and I forgot my main reason for hating SharePoint!

You should share documents, not paths. If I share a document and then move it, links should keep working. If I share a document and delete it, links should stop working. If I share a document, delete it, and then create a new document with the same name, links to the old document should not work for the new one.

@david_chisnall I am halfway turned up on Nextcloud and have an item to look at Collabora Online for these reasons

@bms48 NextCloud is AGPL. I use it for personal stuff, but that’s a blocker for corporate use where we absolutely would want custom extensions that we wouldn’t want to share with everyone who went to the site.

I had a glance at Collabora yesterday and need to give it a proper spin.

@david_chisnall @bms48 Thousands of private and public orgs use Nextcloud Enterprise in mission-critical setups. AGPL has never been an issue. Millions more use the free community edition. I would highly recommend speaking to the sales team, they can explain what other orgs are doing with custom apps.
https://nextcloud.com/request-demo/

@viktor @bms48

Sorry, I’m not going to take legal advice from a sales team. Good luck to the folks who are using NextCloud with custom extensions in a corporate setting, I hope they talked to their lawyers first. I don’t want to have to talk to a lawyer before deploying or using such a system, which is why I’ll avoid it. I’m happy to use NextCloud for personal use, but I wouldn’t use it in any setting where the obligations under the AGPL would apply to third parties.

@david_chisnall @bms48 only lawyers can provide legal advice. Sales can provide guidance on what other customers have done, but it's always up to you to ensure legal and regulatory compliance.

@david_chisnall

Excellent analysis and recommendations!

Good start to denazify your office.

@david_chisnall and let's not forget that Microsoft is not really good at some of these points, so there could even be a competitive advantage.

I.e., for version tagging, if you open a document from a SharePoint in the web app, and keep it open for like 3 minutes in edit mode, even if you change nothing, it tags a new version under your name, and makes it a nightmare to see who actually changed the document and when.

@nicemicro

You’re understating it. Microsoft Office is staggeringly bad at most of these. It amazes me that people keep looking at MS Office and saying ‘well, this is pretty terrible, I wonder how we make something worse?’. So many alternative office suites copy the worst bits of MS Office, ignore the few good things, and somehow add other things that make it worse. If MS Office hadn’t done such a good job of lowering expectations for everyone, they would be laughed out of the room.

There’s a huge opportunity for an alternative that actually builds what people need. If I were building a sovereign office suite, I would start by looking at what companies need for ISO 9001 and 27001 and GDPR (and maybe CE-mark) compliance and look at a few flows like:

  • Getting a CV into a GDPR-compliant hiring flow.
  • Product management signing off on the content of a spec sheet and marketing doing layout and publishing with 9001-compliant reporting.
  • Integrating expense reporting into the accounting flow.
  • Creating budget-tracking spreadsheets that have a sign-off flow and export data from updated project-level reporting up the org chart.
  • Confidential project documentation that becomes internal-public after a product launch with some parts being published externally.
  • Collaborating between two companies on a bid submission.
  • Having a meeting about a secret project, where the name of the meeting is hidden from everyone except the attendees and everything shared in it has tighter access control, but where the project lead who created the meeting leaves part way through the project.

M365 (including things like PowerBI / PowerApps) can do these things, kind of, and often with third-party tools integrated. But it’s so bad at all of them. There’s a huge opportunity to build something better.

Oh, and the EU is responsible for a load of the regulations that M365 is bad at complying with and so could easily take the lead in creating an office suite that makes the compliance easy.

@david_chisnall I think M365 fails at the sharing part though. I got a form to fill out via email, so I uploaded it to office.com, filled it in, and shared it with someone else in the company via the web interface.

They couldn't open it.

I tried exporting as PDF, but security policies prevented it, because it detected sensitive data (it had my home address and phone number).
I could save it to OneDrive, and download it from there, but then I couldn't open it myself on a Mac (I was able to open the original without a problem).

In the end I just downloaded LibreOffice, edited the original document, emailed it back as both document and PDF form, and then they could finally open it.

I don't know what MS has done here, but they seem to have completely broken compatibility with their own format (or maybe they broke the security checks, and sharing of sensitive documents doesn't work anymore, I didn't try to debug why the other person failed to open it). I would've thought that at least the web version (somewhere on SharePoint) would always work. But actually LibreOffice is more compatible than MS's online suite...

@edwintorok

That’s an org policy problem. All of those flows can work.

The M365 problem is that configuring an org-level policy that enables this and doesn’t make accidentally leaking everything easy is really hard. Again, this is easy to fix but requires the developers understanding basic security usability concepts.

@david_chisnall I still think it is a bug though, because I didn't get any error message when sharing the file within the web interface, and it allowed me to generate a link (both of us had emails on the same company domain).
If the org policy is configured such that you cannot share these files within the org either, then it should've given me an error message during the share operation.

@david_chisnall I recently took a look at #opendesk.
It sells itself as a browser-only suite; this "avoids" deeper questions about client/data management outside the suite.
https://www.opendesk.eu/en/product

@david_chisnall I'm with you 100% BUT: In discussion about change, I am constantly met with a specification of the desired system that is effectively just - the current system. No two systems are 100% alike, nor 100% compatible. If you are unprepared to move unless every single feature of the current system is present in the alternative, you will never move.

Related, people will allow an assumed flaw to be treated as an actual flaw. "Sometimes I need to exchange documents with people who can't read an ODF file". Ok - how often? Quantify it. Give it a value. Compare that value to the gains that change would bring (also quantified). And if the former is smaller than the latter - it's not a showstopper.

All too often the debate just stops because a loud voice says "nup" and is not challenged.

@kauer

This one in particular:

"Sometimes I need to exchange documents with people who can't read an ODF file"

Never. MS Office can open ODF. But sending PowerPoint files to some process that requires a PowerPoint file, will display it with PowerPoint, and where any conversion errors will be blamed on me accounts for about 20% of my PowerPoint usage, higher for some of my colleagues.

Word is an interesting one because Word Online completely messes up formatting of Word, to the degree that short documents have different page counts on the two. For anything where presentation matters, I’ll exchange PDFs (and, if presentation really matters, not start in Word), so I don’t care there.

I don’t exchange non-trivial spreadsheets outside the company, but our finance people might.

@david_chisnall I was not saying that was necessarily a trivial matter; it was just an example. For some organisations it might really be a showstopper, for others it may be a mirage when inspected. The point is that in discussing change, advantages and disadvantages should be quantified and assessed properly, not just assumed to be important because one loud voice says so, or because everyone just assumes they are.

To take your example - how many people exchange non-trivial spreadsheets with people outside the company? How often do they do so? What counts as trivial? What proportion of spreadsheets in internal use are trivial or cannot be converted? Has anyone actually checked whether the alternative spreadsheet program can create, read and edit the current spreadsheets that are in use? Has anyone checked whether the external people can read/edit sheets created by the alternative program? And so on and so forth. Quantify, quantify, quantify.

Again - I'm not challenging your own assertions and I don't care what your answers to those questions would be 🙂 I'm just using it as an example. I have no idea at all what features would be must-haves in your organisation. I'm just saying that if change is desired, it has to be approached properly, and that means fairly quantifying its costs and benefits, without making assumptions - especially about things perceived as showstoppers.

@david_chisnall could we add:
- calendar-email integration that actually works (as in: I don't see the emails exchanged to update shared calendar entries, I see the changed calendar entries),
- basic, really basic org calendar features (i.e., seeing whether others are busy/free, without seeing the specifics)
- slightly advanced org calendar features (finding 1 to 5 timeslots where all invited parties are not explicitly marked as blocked, and having a poll with an automated resolution datetime)