Feb 09 2018 11:06 AM
We have a client who is planning to roll out OneDrive for Business and SharePoint. The goal is to allow users to synchronize [SharePoint/OneDrive] libraries on their laptops, using the sync app.
We already put in place policies to prevent users from syncing from non-domain-joined computers, and their hard drives are also encrypted (in case a laptop is stolen). We know you can limit actions on data in the portal, such as copying, forwarding, saving-as, downloading, etc.
The main concern, however, is how do we prevent users from making copies of the files that will reside on their laptops once the libraries have been synced on their laptops.
The focus of this post is not on an outside attacker, but rather on the employee themselves. For instance, a user may not necessarily need to get fired to be disgruntled and make copies of the data before departing; s/he may make a copy of the data anytime prior to the termination. How do we prevent this? Or is it even possible?
Feb 09 2018 01:29 PM
Solution
Feb 10 2018 07:57 AM
Consider using IRM.
OneDrive sync on Windows now supports IRM protected SharePoint document libraries:
Feb 10 2018 08:45 AM
IRM can limit actions on downloaded files for users with Read Only permissions, but users with Edit or Full Control will be able to take the data wherever they want.
Feb 10 2018 08:52 AM
If necessary, access to IRM protected documents can be revoked, which is what @Marcelo Gonzalez needs, if I understand well...
Feb 10 2018 09:00 AM
Feb 10 2018 09:18 AM
My understanding is instead that he wants to revoke access after the firing of an employee, which is exactly what IRM allows...
Feb 12 2018 07:18 AM
That's correct, Pablo. The goal is for users to work normally on their synced files, but prevent them from taking the data somewhere else by making copies of it. It's very hard to strike such a balance, as users want to work with their data locally, but we don't want them to make copies of it.
So, even with Windows 10 + IRM, users will still be able to copy the data, huh?
Feb 12 2018 07:22 AM
Thanks for the feedback and the contribution, @Salvatore Biscari.
To clarify the goal: the goal is to prevent employees from making copies of the data; not necessarily when an employee termination takes place, but at any time. Revoking access is the easy part; the hard part is to provide access to the data, without allowing the data to be copied.
Feb 12 2018 07:24 AM
Jan 07 2019 07:31 PM
Hi Marcelo, we are looking for similar capabilities. Could you please let us know if this served your needs?