Prevent personal devices from synchronizing OneDrive for Business files

Let me start this post by saying I’ve been using OneDrive for so long that my personal OneDrive account still ends in hotmail.com. I really like being able to save my files and photos to OneDrive and access them from any device, anywhere. I also use OneDrive for Business daily for my work files. Speaking of, if you haven’t enabled Known Folder Move yet, you should really look into that.

Of course, if you’re an IT Pro or business decision maker, you probably don’t want your users’ personal and work files intermingling where one might be saved or shared in an inappropriate context (either by accident or on purpose). Especially these days, with so many people working from home on personal devices, you might want to block non-domain-joined, personal PCs from synchronizing OneDrive for Business files locally. If that doesn’t interest you, then you should probably stop reading now, because that’s what the remainder of this post is about.

Prerequisites

Before you get to the good stuff, you need to first make sure that the Active Directory module for Windows PowerShell is installed.

If you’re working from a Windows Server, you can check for it in the Add Roles and Features Wizard’s Features page under Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools.

If you don’t see it there, add it. You can also just run these PowerShell commands:

Import-Module ServerManager
Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

On a domain joined Windows 10 PC, you’ll probably have to add it from Settings -> Apps -> Apps & features -> Optional features:

Or, just run this PowerShell command (all one line):

Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"

Get your GUID

OK, so now that you’re sure you have the right PowerShell module installed, let’s use it to grab the GUID of your on-premises domain. You know, the one whose joined PCs you want to allow to sync OneDrive for Business.

Run this command (all one line again):

(Get-ADForest).Domains | ForEach-Object { Get-ADDomain $_ | Select-Object Name, ObjectGuid }

Copy that GUID to notepad or someplace handy. You’ll need it in a few minutes.

Configure OneDrive for Business synchronization

Now, armed with your domain GUID, go to https://admin.onedrive.com/. Of course, you’ll need to be an admin to get access here. If you’re not an admin, send this blog link to whoever is so they can continue. In the meantime, check out the cool bicycle access denied message you get if you try this as a non-admin:

OK Admin, now go to the Sync settings and you’ll probably see something like these default settings:

At this point, you’re ready to configure OneDrive settings to do a few things. First, you might want to hide the sync button from the OneDrive website (especially if you’re already using Known Folder Move policies). If that’s the case, just uncheck the default option to show the sync button on the OneDrive website.

Next, enable the setting to allow syncing only on PCs joined to specific domains. Copy and paste in the domain GUID (or GUIDs if you have multiple domains to configure here). You can also select the option to block OneDrive from syncing on macOS devices not joined to your domain while you’re here.

Click Save and you’re done. At this point only domain-joined PCs (Windows and, if you selected that option, macOS) should be able to synchronize those OneDrive for Business files.

End-users on their personal PCs at home can still get to the OneDrive website to get their jobs done, but they can’t synchronize any files locally where they probably shouldn’t be.
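As an added example that is not part of the original post, the following PowerShell gathers every domain GUID in the forest in the comma-separated form the sync restriction expects, reports how that differs from what the tenant currently enforces, and can apply the restriction through the SharePoint Online module instead of the admin center, which makes the setting easy to re-check later. It assumes the RSAT AD module and the Microsoft.Online.SharePoint.PowerShell module are installed, that the Get-SPOTenantSyncClientRestriction output exposes the TenantRestrictionEnabled, AllowedDomainList and BlockMacSync properties as assumed here, and that the placeholder admin URL is replaced with your tenant's own.

```powershell
# Added example, not the original post's code. Assumes the ActiveDirectory and
# Microsoft.Online.SharePoint.PowerShell modules are available and that
# $AdminUrl is replaced with your tenant admin site (placeholder below).
param(
    [string]$AdminUrl = "https://<tenant>-admin.sharepoint.com",  # placeholder
    [switch]$Apply,          # without -Apply the script only reports drift
    [switch]$BlockMacSync    # also block macOS devices not joined to the domain
)

Import-Module ActiveDirectory

# Every domain in the forest as a lowercase GUID string, the form the portal shows.
$forestGuids = (Get-ADForest).Domains |
    ForEach-Object { (Get-ADDomain -Identity $_).ObjectGuid.ToString().ToLower() } |
    Sort-Object -Unique

# The restriction takes one comma-separated string of GUIDs.
$guidList = $forestGuids -join ','
Write-Host "Domain GUIDs to allow: $guidList"

Connect-SPOService -Url $AdminUrl
$current = Get-SPOTenantSyncClientRestriction

# Normalise what the tenant reports so the comparison is order-independent.
$tenantGuids = @($current.AllowedDomainList) |
    ForEach-Object { "$_".ToLower() } | Sort-Object -Unique
$missing = @($forestGuids | Where-Object { $_ -notin $tenantGuids })
$extra   = @($tenantGuids | Where-Object { $_ -notin $forestGuids })

if (-not $current.TenantRestrictionEnabled) {
    Write-Warning "Sync restriction is not enabled: personal PCs can still sync."
}
if ($missing.Count) { Write-Warning "Domains not yet allowed: $($missing -join ', ')" }
if ($extra.Count)   { Write-Warning "Allowed GUIDs that are not domains in this forest: $($extra -join ', ')" }

if ($Apply) {
    $params = @{ Enable = $true; DomainGuids = $guidList }
    if ($BlockMacSync) { $params.BlockMacSync = $true }
    Set-SPOTenantSyncClientRestriction @params
    Get-SPOTenantSyncClientRestriction   # show the resulting state for the record
}
```

Run it without -Apply first to see whether the tenant's allowed list already matches the forest; the "extra" warning is the one to watch, since a GUID that is not one of your domains lets PCs joined to some other domain sync.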

You’ve seen my blog; want to follow me on Twitter too? @JeffGilb