SOLVED

Non-corporate and sync

User John at Fabrikam.com has been using his OneDrive for Business and is syncing files to his corporate PC running Windows 10 - and is very happy with the functions and collaboration options that OneDrive provides :D
 
So happy that John one day forgets his PC at the office; instead he borrows his son's PC (which also runs Windows 10), fires up OneDrive and signs in with his corporate credentials (of course using MFA), and then starts working on/syncing various files to his son's PC. - Fabrikam.com is now not happy :D
 
How does Fabrikam.com prevent its users from syncing to non-corporate devices, while still allowing e.g. the CEO's iPad (which is unmanaged) to access the user's OneDrive, and without setting trusted locations in a Conditional Access policy?
5 Replies
Best Response confirmed by Taen keren (Super Contributor)
Solution
No CA, trusted sites, MDM? I guess you need a private investigator to follow everyone around then :)

In the OneDrive admin center, you can actually block sync to non-domain computers.

Hi @Adam 

Thx :)

And that setting applies only to the sync functions, right? - and won't prevent the CEO's iPad access? :D

 

The domain should be inserted as a GUID? - so I have to do a Get-ADDomain :)

 

So this: ObjectGUID : b63b4f44-58b9-49cf-8911-b36e8575d5eb

 

[Image: Picture 1.png]

Yeah
Keep in mind this only works for local domain-joined machines. Azure AD-joined machines can still access as well.

Also a tip: make sure you add .pst files to your excluded list, unless you know that no one uses them or saves them to their OneDrive folders. Outlook modifies them just by having them open, which causes a constant resync, and when they are large you get the idea. This may not be a use case in your scenario, but it is something to think about.
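As an added example (not part of the thread, and not code from any of its participants), the admin-center setting discussed above can also be driven from the SharePoint Online Management Shell. It pulls the AD domain ObjectGUID the way the follow-up question asks, enables the domain restriction, and adds the .pst exclusion the last reply recommends. The tenant admin URL uses the thread's Fabrikam example and is an assumption; replace it with your own. Note the same caveat the thread raises: this restriction only governs the OneDrive sync client on domain-joined Windows PCs, so browser and mobile access (the CEO's iPad) is unaffected and Azure AD-joined devices are not covered.

```powershell
# Added example: restrict OneDrive sync to PCs joined to specific AD domains.
# Requires the SharePoint Online Management Shell module and a SharePoint/Global admin.
# The tenant name 'fabrikam' is an assumption taken from the thread's example.

# 1. On a domain-joined machine (or one with RSAT), read the AD domain's ObjectGUID.
#    The restriction wants this GUID, not the DNS domain name.
#    The thread's own value was b63b4f44-58b9-49cf-8911-b36e8575d5eb.
$domainGuid = (Get-ADDomain).ObjectGUID.ToString()

# 2. Connect to the tenant admin endpoint (assumed URL).
Connect-SPOService -Url "https://fabrikam-admin.sharepoint.com"

# 3. Enable the restriction. Several domain GUIDs are separated with semicolons.
#    ExcludedFileExtensions stops the sync client from uploading the listed types;
#    'pst' is the extension the later reply in the thread recommends excluding.
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $domainGuid -ExcludedFileExtensions "pst"

# 4. Verify what the tenant now enforces.
Get-SPOTenantSyncClientRestriction |
    Select-Object TenantRestrictionEnabled, AllowedDomainList, ExcludedFileExtensions
```

A practical check after enabling it: sign in to the sync client from a non-domain-joined Windows PC and confirm it refuses to sync, then from an Azure AD-joined PC to see that it is still allowed, which is exactly the gap the reply above points out.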
Yeah, that’s a good point