Channel: Practical 365

Restricting OneDrive Sync to Domain Joined PCs


For some organizations there is a concern when deploying OneDrive for Business that users will access corporate data from their personal computers. If the personal computers are not well secured, for example lacking drive encryption or good antivirus software, or if the personal computers are shared with unauthorized people, then the corporate data could be exposed.

To address those concerns it’s possible to restrict OneDrive so that it only synchronizes files to domain-joined computers. The general idea is that a domain-joined computer that is within the control of corporate IT will be more secure than the average personal computer that staff own. OneDrive sync restrictions can be configured using the OneDrive admin portal, or the SharePoint Online PowerShell module.

Before you can restrict OneDrive to domain-joined computers, you first need to know the GUIDs of the Active Directory domains that will be allowed to sync. To retrieve the domain GUIDs, run the following command from a computer or server that has the Active Directory PowerShell module available.

[PS] C:\>(Get-ADForest).domains | foreach {Get-ADDomain $_ | Select Name,ObjectGuid}
Name                                  ObjectGuid
----                                  ----------
exchangeserverpro                     4764a27a-1465-445b-8697-ce1086805439

Next, connect to SharePoint Online and view the current sync restrictions. By default there are no sync restrictions configured.

PS C:\> Get-SPOTenantSyncClientRestriction
TenantRestrictionEnabled   : False
AllowedDomainList          : {}
BlockMacSync               : False
ExcludedFileExtensions     : {}
OptOutOfGrooveBlock        : False
OptOutOfGrooveSoftBlock    : False
DisableReportProblemDialog : False

To enable sync restrictions and add the domain GUID to the allow domain list, run the following command.

PS C:\> Set-SPOTenantSyncClientRestriction -Enable -DomainGuids "4764a27a-1465-445b-8697-ce1086805439"
TenantRestrictionEnabled   : True
AllowedDomainList          : {4764a27a-1465-445b-8697-ce1086805439}
BlockMacSync               : False
ExcludedFileExtensions     : {}
OptOutOfGrooveBlock        : False
OptOutOfGrooveSoftBlock    : False
DisableReportProblemDialog : False
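The steps above as one script, added here as an example rather than code from the original post: it collects every domain GUID in the forest, merges them with whatever the tenant already allows, applies the restriction and then verifies the result. It assumes the ActiveDirectory and Microsoft.Online.SharePoint.PowerShell modules are installed, that "contoso-admin.sharepoint.com" is a placeholder for your tenant admin URL, and that -DomainGuids replaces the allow list rather than appending to it.

```powershell
# Added example (not from the original post). Assumptions: RSAT AD module and the
# SharePoint Online module are installed; the admin URL below is a placeholder;
# -DomainGuids replaces the existing allow list, so we merge before applying.
param(
    [string]$AdminUrl = "https://contoso-admin.sharepoint.com",  # placeholder tenant
    [switch]$BlockMacSync                                        # optional Mac restriction
)

Import-Module ActiveDirectory
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

# 1. Every domain in the forest, as a lowercase GUID string
$forestGuids = @((Get-ADForest).Domains |
    ForEach-Object { (Get-ADDomain -Identity $_).ObjectGuid.ToString().ToLower() })

if ($forestGuids.Count -eq 0) {
    throw "No domain GUIDs found; run this from a domain member with the AD module."
}

# 2. Current tenant state (Connect-SPOService prompts for admin credentials)
Connect-SPOService -Url $AdminUrl
$current = Get-SPOTenantSyncClientRestriction

# 3. Merge with what is already allowed so an existing entry is not dropped
$existing = @($current.AllowedDomainList | ForEach-Object { $_.ToString().ToLower() })
$merged   = @($existing + $forestGuids | Sort-Object -Unique)

# 4. Apply: -Enable turns TenantRestrictionEnabled on, -DomainGuids takes a
#    comma-separated string of GUIDs
$params = @{ Enable = $true; DomainGuids = ($merged -join ",") }
if ($BlockMacSync) { $params.BlockMacSync = $true }
Set-SPOTenantSyncClientRestriction @params | Out-Null

# 5. Verify: the restriction is on and every forest GUID is in the allow list
$after   = Get-SPOTenantSyncClientRestriction
$allowed = @($after.AllowedDomainList | ForEach-Object { $_.ToString().ToLower() })
$missing = @($forestGuids | Where-Object { $allowed -notcontains $_ })

if (-not $after.TenantRestrictionEnabled -or $missing.Count -gt 0) {
    throw "Verification failed. Enabled=$($after.TenantRestrictionEnabled); missing: $($missing -join ', ')"
}
"Sync restricted to {0} domain(s): {1}" -f $allowed.Count, ($allowed -join ", ")
```

Re-run the script after adding a domain to the forest; the merge step keeps previously allowed GUIDs and the verification step fails loudly if the tenant does not reflect the change.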

The sync policy change takes around an hour before it is effective. After the new configuration is in place, a user trying to add a OneDrive account to a computer that is not domain joined will receive an error message after they sign in and choose a location to sync to.

Sorry, OneDrive can’t add your folder at this time. Please contact support.

Any existing sync relationships for computers that are not domain joined will begin showing a “sync blocked” message in the system tray, and when OneDrive is opened from the system tray it will display a more detailed error message.

Your IT Department requires that you use a computer that is joined to an approved domain to sync this folder. For assistance, contact your IT Department.

When you restrict OneDrive sync to specific domains you should be aware of the following caveats:

  • Computers that already have files synced to their local hard drive will not have the files removed.
  • The domain join requirement does not apply to Macs; however, you can enable or disable Mac sync as a separate restriction in the OneDrive admin portal (or via PowerShell).
  • The policy will not restrict sync to mobile devices. For that you should use a device access policy, or use Intune.

The post Restricting OneDrive Sync to Domain Joined PCs appeared first on Practical 365.
