Blocking attachment downloads in Confluence and Jira using Atlassian Guard Standard is a critical data security measure that prevents sensitive files from being saved to unmanaged devices, personal laptops, or external storage locations. In our video, we walk you through exactly how to configure Data Security Policies in Atlassian Administration to block downloads while still allowing users to view attachments directly in the browser, giving your organization a practical balance between security and productivity.
This tutorial covers the full setup process, including how to create product-specific overrides and scope policies to individual Confluence or Jira spaces rather than applying restrictions across your entire organization.
Watch our full walkthrough below to see the configuration in action:
https://youtu.be/WgOQEOWBgcc?si=7pM60tfVZYWwbSIa
Why Attachment Download Blocking Matters
Most organizations invest significant effort into managing who can view content in Confluence pages or Jira work items. Access controls, permission schemes, and space-level restrictions are all common practices. However, there is a critical gap that many teams overlook: even when view access is tightly controlled, users who can see an attachment can often freely download it to their local device. Once a file is downloaded, it can end up on personal devices, external USB drives, cloud storage accounts, or any number of unmanaged locations outside your organization’s control.
This creates a significant security risk, especially for organizations handling confidential information, regulated data, intellectual property, customer records, or sensitive internal documentation. The attachment download block feature in Atlassian Guard Standard closes this gap by allowing users to view files in the browser while completely preventing them from downloading those files to their devices.
What Is the Attachment Download Block?
The attachment download block is a data security feature available in Atlassian Guard Standard. When enabled, it removes the download button from attachment lists, file macros, and file previews across Confluence and Jira. Users covered by the policy can still see and interact with attached files directly in the browser, but they cannot save those files locally. If a user attempts to download a blocked attachment, they will see a message stating that the download is blocked by their organization’s security policy.
This approach preserves productivity because team members can still reference documents, review spreadsheets, and read attached files without interruption. The only thing that changes is that they can no longer extract files from the Atlassian environment.
How to Configure the Policy in Atlassian Administration
The entire configuration is handled through Data Security Policies in Atlassian Administration. Here is the step-by-step process we demonstrated in our video.
Step 1: Navigate to Data Security Policies
Go to admin.atlassian.com and open the Security tab. From there, navigate to Data Protection and then Data Security Policies. This is where all your active data security controls are listed and managed.
Step 2: Open the Attachment Download Control
In the Data Security Policies section, you will see a list of all active controls. Locate and click on the attachment download control. In our demo, we used an existing policy, but you can also create a new one depending on your organization’s needs.
Step 3: Create a Draft and Edit the Policy
To make changes to any data security policy, you first need to create a draft. This allows you to edit the configuration before activating it. Inside the policy, you will see the attachment download setting, which can be toggled between “allowed” and “blocked.” Set this value to blocked to prevent attachment downloads.
Step 4: Add Product-Specific Overrides
One of the most useful aspects of this feature is the ability to create overrides for specific Atlassian products. For example, in our demo, we added an override for Jira, which meant that attachment downloads were only blocked in Confluence while remaining allowed in Jira. This flexibility lets you tailor restrictions to the specific areas where sensitive content actually resides, rather than applying a blanket rule across all products.
Step 5: Activate the Policy
Once your configuration is set, click Activate. You will be asked to confirm the changes. After a brief moment, the policy will become active, and users covered by it will immediately lose the ability to download attachments in the affected products.
What Users Experience When the Policy Is Active
After activation, the user experience changes in a noticeable but non-disruptive way. When a user navigates to a Confluence page with attachments, they can still see the attached files and preview them in the browser. However, the download button is removed entirely. If they attempt to find a way to download the file, they are met with a clear message: “Download is blocked by your organization security policy.”
In our live demo, we showed an example page where an attachment was fully visible and previewable but could not be downloaded. This demonstrates how the feature maintains usability while enforcing security boundaries.
Scoping Policies to Specific Spaces
Not every Confluence space or Jira project contains sensitive content. Applying download restrictions across your entire organization could create unnecessary friction for teams working with non-sensitive materials. Atlassian Guard Standard addresses this by allowing you to scope data security policies to specific spaces.
To do this, navigate to the overrides section within your policy and click on the Actions option. Create a draft to edit the override. In the first tab, you can select which Atlassian apps the policy applies to, such as Jira or Confluence. In the second tab, for spaces, you can search for and select the dedicated spaces that contain sensitive content. This allows you to apply download restrictions only where they are truly needed, balancing security with usability for less sensitive areas of your organization.
Compliance and Security Benefits
Blocking attachment downloads is one of the easiest and most effective protections you can enable in your Atlassian environment. Whether your organization is working toward SOC 2, ISO 27001, internal compliance requirements, or simply looking to improve your overall security posture, this control directly addresses the risk of sensitive files being copied to unmanaged devices.
By preventing downloads while maintaining browser-based access, organizations can significantly reduce data leakage risks without sacrificing the collaborative workflows that make Confluence and Jira so valuable. It is a practical, low-effort configuration that delivers meaningful security improvements.
Key Takeaways
- Attachment download blocking is a Guard Standard feature configured through Data Security Policies in Atlassian Administration.
- It prevents files from being downloaded from your Atlassian environment while keeping content fully viewable in the browser.
- You can create product-specific overrides to block downloads in Confluence but allow them in Jira, or vice versa.
- Policies can be scoped to specific spaces so that only areas with sensitive content are restricted.
- The configuration path is: Security → Data Protection → Data Security Policies at admin.atlassian.com.