
Tuesday, June 16, 2020

Block non-compliant devices from syncing corporate data using OneDrive

For some organizations there is a concern when deploying OneDrive for Business that users will access corporate data from their personal devices. I completely understand!

To address those concerns, it is possible to restrict OneDrive so that it only synchronizes files to domain-joined computers. The usual way is to enable the policy named “Allow syncing only on PCs joined to specific domains” in the OneDrive admin center. Job done!


HOWEVER, that policy only covers domain-joined or hybrid joined devices: https://docs.microsoft.com/en-us/onedrive/allow-syncing-only-on-specific-domains

If you are moving from old-school management to the new, more modern management and would like to sync your OneDrive data and use features like known folder backup of Desktop, Documents and Pictures, this is blocked once that policy has been applied. This is what you get:

[screenshot: OneDrive sync blocked by the domain policy]

Not really what you wanted?

So how do we prevent OneDrive sync on unmanaged devices outside your organization?

Conditional Access comes to the rescue.

Go to the Endpoint Manager admin center: https://endpoint.microsoft.com

Devices –> Conditional Access –> Add

Name: Block non-compliant device from OneDrive Sync


As always when configuring Conditional Access, start small with a pilot group of users, and add more users once the policy works as intended.


As OneDrive uses the same engine as SharePoint, we choose “Office 365 SharePoint Online” as the cloud app.


As we do not want to block users who are traveling or working from home, the block is defined on “Device state” rather than location: to access OneDrive, the device must be either hybrid domain joined or marked as compliant. This also means that we need Intune in place to evaluate compliance.


Save your CA policy and test that it works as intended. I have two virtual machines, one compliant and one non-compliant.
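The same policy can be created from the Microsoft Graph PowerShell SDK instead of clicking through the portal. This is an added example, not from the original post: it assumes the Microsoft.Graph module is installed and the signed-in admin can consent to Policy.ReadWrite.ConditionalAccess. The portal's “Device state” condition is expressed here as a filter for devices in exclude mode (devices that are compliant or hybrid joined fall outside the policy; everything else, including unregistered personal devices, is matched and blocked); the two GUIDs are placeholders for your own pilot group and emergency access account.

```powershell
# Added example (not the blog's own code): create the "Block non-compliant device from OneDrive Sync"
# policy via Microsoft Graph PowerShell. Placeholder GUIDs must be replaced with your own object ids.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$pilotGroupId     = "00000000-0000-0000-0000-000000000000"   # placeholder: pilot group object id
$breakGlassUserId = "11111111-1111-1111-1111-111111111111"   # placeholder: emergency access account

# Well-known application id of the "Office 365 SharePoint Online" service principal
# (OneDrive for Business sync goes through SharePoint Online, as the post explains)
$sharePointOnlineAppId = "00000003-0000-0ff1-ce00-000000000000"

$policy = @{
    displayName = "Block non-compliant device from OneDrive Sync"
    # Start in report-only mode: sign-in logs show what would be blocked, nothing is enforced yet.
    # Switch to "enabled" once the pilot group looks right.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassUserId)   # never lock the emergency account out of OneDrive/SharePoint
        }
        applications = @{
            includeApplications = @($sharePointOnlineAppId)
        }
        clientAppTypes = @("all")
        # Filter for devices, exclude mode: compliant or hybrid Azure AD joined (trustType "ServerAD")
        # devices are excluded from the policy; every other device, including unregistered ones, is in scope.
        devices = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Exclude mode is deliberate: with a block policy you want devices that have no device record at all (a personal laptop that was never registered) to land inside the policy, and the exclude-mode filter treats an unknown device as “not excluded”, so it is blocked. Keep the policy in report-only until the sign-in logs for the pilot group show only the expected matches.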


From a non-compliant Windows device:

[screenshot: access blocked]


From a non-compliant mobile device (iOS; text in Danish):

[screenshot: access blocked on iOS]

However, from here you have the option to gain access by letting Intune manage your device.

From a compliant Windows device:

[screenshots: OneDrive sync succeeds]

Success
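Screenshots from two VMs prove the happy and unhappy path, but the sign-in logs are where you confirm the policy matched exactly the devices you expected and nobody else. This is an added example, not from the original post: it assumes the Microsoft.Graph module and consent to AuditLog.Read.All and Directory.Read.All, and it filters on the policy name used above.

```powershell
# Added example (not the blog's own code): list recent SharePoint Online / OneDrive sign-ins that the
# Conditional Access policy was evaluated against, with the device state that drove the decision.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$policyName = "Block non-compliant device from OneDrive Sync"
# Look back two hours, which comfortably covers a test session from both virtual machines
$since = (Get-Date).AddHours(-2).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and appDisplayName eq 'Office 365 SharePoint Online'" |
    Where-Object { $_.AppliedConditionalAccessPolicies.DisplayName -contains $policyName } |
    ForEach-Object {
        $applied = $_.AppliedConditionalAccessPolicies | Where-Object DisplayName -eq $policyName
        [pscustomobject]@{
            When         = $_.CreatedDateTime
            User         = $_.UserPrincipalName
            Device       = $_.DeviceDetail.DisplayName
            Compliant    = $_.DeviceDetail.IsCompliant
            TrustType    = $_.DeviceDetail.TrustType      # "ServerAD" = hybrid joined, empty = unregistered
            # For a block policy "failure" means the block took effect; "reportOnlyFailure" means it
            # would have blocked while the policy is still in report-only mode.
            PolicyResult = $applied.Result
        }
    } | Format-Table -AutoSize
```

Run this right after the tests: the non-compliant VM and the iOS device should show PolicyResult failure (or reportOnlyFailure while the policy is report-only) with Compliant false, and the compliant VM should show notApplied because the device filter excluded it.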

Happy testing!
