For some organizations there is a concern when deploying OneDrive for Business that users will sync corporate data to their personal devices. I completely understand!
To address that concern, it is possible to restrict OneDrive so that it only synchronizes files to domain-joined computers. Normally a policy named “Allow syncing only on PCs joined to specific domains” would be enabled in the OneDrive admin center. Job done!
HOWEVER, that policy only admits devices joined to the on-premises Active Directory domains you list, that is, classic domain-joined or hybrid Azure AD joined devices. https://docs.microsoft.com/en-us/onedrive/allow-syncing-only-on-specific-domains
If you are moving from old-school management to modern management (Azure AD joined devices managed by Intune) and want those devices to sync OneDrive and use features like known folder backup of Desktop, Documents and Pictures, this policy gets in the way: an Azure AD joined device is not a member of any of the listed domains, so sync is blocked on it. This is what you get:
Not really what you wanted?
How do we prohibit OneDrive sync from happening outside your organization on devices not managed?
Conditional Access comes to the rescue.
Go to your endpoint manager console https://endpoint.microsoft.com
Devices –> Conditional Access –> Add
Name: Block non-compliant device from OneDrive Sync
Always, when configuring CA, start small and when working as intended, add more users.
OneDrive for Business is backed by SharePoint Online and has no separate cloud app in Conditional Access, so we choose “Office 365 SharePoint Online” as the selected app.
As we do not want to block users who are traveling or at home, we will not use a location condition; the decision is made on “Device state” instead. Configure it to apply to all device states except hybrid Azure AD joined and compliant devices, with “Block access” as the grant control. The effect is that to access OneDrive a device must be either hybrid Azure AD joined or marked compliant, which also means we need Intune in place to evaluate compliance. One caveat: because the policy targets SharePoint Online with no client app filter, it blocks browser access from unmanaged devices as well as the sync client; that is usually what you want, but be aware of it before rolling out.
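The same policy, built with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original post. It expresses the requirement as the grant control “require compliant device OR require hybrid Azure AD joined device”, which is the current equivalent of the device-state block described above, and creates the policy in report-only state so that you can start small and read the sign-in logs before enforcing. The pilot group ID and policy name are placeholders; the SharePoint Online application ID is the well-known first-party app ID, since OneDrive has no cloud app of its own.

```powershell
# Added example, not code from the original post.
# Requires the Microsoft.Graph module (Identity.SignIns and Reports submodules).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All"

$pilotGroupId          = "00000000-0000-0000-0000-000000000000"  # placeholder: object ID of a small pilot group
$sharePointOnlineAppId = "00000003-0000-0ff1-ce00-000000000000"  # well-known app ID of Office 365 SharePoint Online

$policy = @{
    displayName = "Block non-compliant device from OneDrive Sync"
    # Report-only first: the policy is evaluated and logged but not enforced.
    # Switch to "enabled" once the sign-in logs show the expected results.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @($sharePointOnlineAppId) }
        # No location condition: users at home or traveling are fine, only the device matters.
        # "all" covers the sync client, Office desktop apps and the browser alike.
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        # compliantDevice    = device marked compliant by Intune
        # domainJoinedDevice = hybrid Azure AD joined device
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After signing in from the compliant and the non-compliant VM, check what the policy
# would have done. Report-only outcomes show up as reportOnlySuccess / reportOnlyFailure.
Get-MgAuditLogSignIn -Filter "appDisplayName eq 'Office 365 SharePoint Online'" -Top 50 |
    Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed,
        @{ n = 'Device';    e = { $_.DeviceDetail.DisplayName } },
        @{ n = 'Compliant'; e = { $_.DeviceDetail.IsCompliant } },
        @{ n = 'TrustType'; e = { $_.DeviceDetail.TrustType } },
        @{ n = 'Result';    e = {
            ($_.AppliedConditionalAccessPolicies |
                Where-Object DisplayName -eq $policy.displayName).Result } } |
    Format-Table -AutoSize
```

Expect reportOnlyFailure for the non-compliant VM and reportOnlySuccess for the compliant one; when the table looks right, set `state` to `enabled` (Update-MgIdentityConditionalAccessPolicy) and widen the included groups. If you want to leave browser access alone and gate only the sync and desktop clients, change `clientAppTypes` to `@("mobileAppsAndDesktopClients")`, keeping in mind that this is narrower than what the portal walkthrough above configures.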
Save your CA policy and test that it works as intended. I have two virtual machines, one compliant and one non-compliant.
From a non-compliant Windows device:
However, there is still a way in from here: let Intune manage the device and it gains access.
From a compliant Windows device: