Block non-compliant devices from syncing corporate data using OneDrive


For some organizations, a concern when deploying OneDrive for Business is that users will access corporate data from their personal devices. I completely understand you!

To address those concerns, it is possible to restrict OneDrive so that it only synchronizes files to domain-joined computers. Normally you would enable the policy named “Allow syncing only on PCs joined to specific domains” in the OneDrive admin center. Job done!

HOWEVER, that policy limits sync to domain-joined or hybrid-joined devices only: https://docs.microsoft.com/en-us/onedrive/allow-syncing-only-on-specific-domains

If you are moving from old-school management to the new, more modern management and would like to sync your OneDrive data and use features like known folder backup of Desktop, Documents and Pictures, that is prohibited once this policy has been applied. This is what you get:

Not really what you wanted?

How do we prevent OneDrive sync from happening outside your organization, on devices that are not managed?

Conditional Access comes to the rescue.

Go to the Endpoint Manager console: https://endpoint.microsoft.com

Devices –> Conditional Access –> Add

Name: Block non-compliant device from OneDrive Sync

Always, when configuring CA, start small and, once it works as intended, add more users.


As OneDrive uses the same engine as SharePoint, we will choose “Office 365 SharePoint Online” as the selected app.


As we do not want to block users who are travelling or working from home, we will block based on “Device state” instead. To access OneDrive, your device will need to be either Hybrid Azure AD joined or compliant. This also means that we need to have Intune in place.
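The same policy can be created with the Microsoft Graph PowerShell SDK instead of clicking through the portal. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, that the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission, and that the pilot group object ID placeholder is replaced with your own. It expresses the post's “Device state” block as the equivalent grant control (access only for compliant or Hybrid Azure AD joined devices) and starts the policy in report-only mode so you can check sign-in logs before enforcing it.

```powershell
# Added example (not from the original post): create the OneDrive/SharePoint
# Conditional Access policy via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; account has
# Policy.ReadWrite.ConditionalAccess; group ID below is a placeholder.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: start small with a pilot group, as the post recommends.
$pilotGroupId = "<pilot-group-object-id>"

# Well-known app ID of "Office 365 SharePoint Online" (OneDrive shares it).
# Verify it against the Cloud apps picker in your own tenant.
$sharePointOnlineAppId = "00000003-0000-0ff1-ce00-000000000000"

$policy = @{
    displayName = "Block non-compliant device from OneDrive Sync"
    # Report-only first; change to "enabled" once testing confirms the behaviour.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @($sharePointOnlineAppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # Equivalent of the post's "Device state" block: access is granted only
        # when the device is marked compliant in Intune OR is Hybrid Azure AD joined.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Because the policy is created in report-only state, nothing is blocked yet; the report-only results show up in the sign-in logs and let you confirm that only unmanaged devices would be affected before you switch `state` to `enabled`.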



Save your CA policy and test that it works as intended. I have two virtual machines, one compliant and one non-compliant.

From a non-compliant Windows device:


From a non-compliant mobile device (iOS) (text in Danish 🙂):

However, you are given the option here to gain access by letting Intune manage your device.

From a compliant Windows device:

Success
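Besides trying it from a test VM, you can confirm the policy is hitting the devices you expect by reading the sign-in logs. This is an added example, not code from the original post; it assumes the Microsoft.Graph module and an account with AuditLog.Read.All, and matches on the policy display name used in this post.

```powershell
# Added example (not from the original post): list sign-ins from the last
# 24 hours where this Conditional Access policy resulted in a failure (block),
# together with the device compliance state Azure AD evaluated.
# Assumptions: Microsoft.Graph module installed; account has AuditLog.Read.All.

Connect-MgGraph -Scopes "AuditLog.Read.All"

$policyName = "Block non-compliant device from OneDrive Sync"
$since = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")

Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and conditionalAccessStatus eq 'failure'" |
    Where-Object { $_.AppliedConditionalAccessPolicies.DisplayName -contains $policyName } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
        @{ Name = 'Device';    Expression = { $_.DeviceDetail.DisplayName } },
        @{ Name = 'Compliant'; Expression = { $_.DeviceDetail.IsCompliant } },
        @{ Name = 'Managed';   Expression = { $_.DeviceDetail.IsManaged } }
```

While the policy is still in report-only mode, swap `'failure'` for `'reportOnlyFailure'` in the filter to see which sign-ins would have been blocked once you enable it; a compliant, managed device appearing in that list means the Intune compliance policy or the hybrid join needs attention before enforcement.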

Happy testing! 😉


Mattias Melkersen is a community driven and passionate modern workplace consultant with 20 years’ experience in automating software, driving adoption and technology change within the Enterprise. He lives in Denmark and works at Mindcore.

He is an Enterprise Mobility Intune MVP, Official Contributor in a LinkedIn group with 41,000 members, and Microsoft 365 Enterprise Administrator Expert.

Mattias blogs, gives interviews and creates YouTube content on the channel "MSEndpointMgr", where he creates helpful content in the MEM area and interviews MVPs who showcase a certain technology or topic.

Official Contributor here "Modern Endpoint Management":
https://www.linkedin.com/groups/8761296/
