Document library OneDrive sync security


We have a document library in SharePoint online which will contain confidential information.
How can we reduce security risks?
For starters, MFA is enforced for all users that have access to this document library.
My biggest concern, however, is the entire document library getting synced to a laptop and that laptop getting stolen.  Files-on-demand greatly reduces this risk: only the documents that were worked on by that employee would be downloaded to the hard disk.  This may be an acceptable risk, but is there a way we can force the document library to be set to "Online-only files" and prevent them from setting the entire document library to "Always keep on this device"?
One safer alternative to OneDrive app sync would be to Map a network drive to a SharePoint library; that way, they see it in Windows File Explorer as if it were a file share, but the information is never copied to their local machine. However, Microsoft says: "this is legacy technology and it may be affected by the deprecation of Internet Explorer in August 2021".  What would be the equivalent alternative?
I understand there are pretty good controls over OneDrive with group policy, however, some of our Windows computers that will be using these document libraries are not joined to AD.
I understand "Search and offline availability" can be disabled, but users want to be able to access the documents through Windows File Explorer, and not via the web interface.  Users also need to work directly on spreadsheets using their local Excel app installations, not the limited online Excel.  Is it possible to use locally installed Excel on Windows to edit spreadsheets in a document library when "search and offline availability" is disabled?
Any recommendations of how to best secure document libraries when a requirement is for users to access the files through Windows File Explorer?
@Daniel Mare 

This is an area not many folks are concerned about but they should be. Good to see you are aware of this.

  • "Files On-demand" is not a robust solution. Users can simply modify the settings on their computer.
  • Using "Storage Sense" to limit the availability of local content (e.g. automatically remove the local version after 1 day inactivity) is also not a solution: users can also simply change these local settings.
  • Map network drive: this is a major source of incident tickets, and the blocking of IE11 to access Office 365 as of 17 August 2021 will not help.
  • I would consider Intune but that will not work (AFAIK) if the computers are not joined to your AD domain. It may also require additional licenses.
  • Disabling offline capability per library or per site may help. This reduces the risk but there is still the option to download all content. Plus it negatively affects functionality available to your users.
  • Use browser-based tools that work like File Explorer. See e.g. https://www.slimapplications.com/wp-content/uploads/2020/12/ExplorerEditInAppOffice.png
    The "Edit in App" option allows users to edit Office files using the local Office app, and changes are automatically saved to SharePoint, i.e., no need to have offline content.
  • Use sensitivity labels and encryption. This requires proper planning, possibly additional licenses and training users (probably also outside your company).

Summary: this is not an easy problem to fix.

Paul | SLIM Applications
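Paul's point about disabling offline capability per library (the "Search and offline availability" setting Daniel mentions) can be audited and enforced from a script rather than clicked through per library. The following is an added example, not code from this thread or from SLIM Applications. It uses PnP PowerShell (Install-Module PnP.PowerShell) and the CSOM `List.ExcludeFromOfflineClient` property, which is what that library setting writes; the site URL and library names are placeholders, and the authentication flow of `Connect-PnPOnline` should be adjusted to whatever app registration the tenant uses.

```powershell
# Added example (not from the thread): report which document libraries on a site
# can still be taken offline by sync clients, then lock the named ones.
# Placeholders: $SiteUrl and $LibrariesToLock.
param(
    [string]$SiteUrl = "https://contoso.sharepoint.com/sites/Finance",   # placeholder
    [string[]]$LibrariesToLock = @("Confidential")                         # placeholder
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# One row per visible document library (BaseTemplate 101) with its offline state.
# ExcludeFromOfflineClient is not loaded by default, so fetch it explicitly.
function Get-OfflineAvailabilityReport {
    $lists = Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }
    foreach ($list in $lists) {
        $excluded = Get-PnPProperty -ClientObject $list -Property ExcludeFromOfflineClient
        [pscustomobject]@{
            Library        = $list.Title
            OfflineAllowed = -not $excluded
        }
    }
}

# Set "Search and offline availability" for one library. $Allow = $false turns
# it off, which is the hardening Paul describes.
function Set-OfflineAvailability {
    param(
        [Parameter(Mandatory)][string]$Title,
        [Parameter(Mandatory)][bool]$Allow
    )
    $list = Get-PnPList -Identity $Title
    if (-not $list) { throw "Library '$Title' not found on $SiteUrl" }
    $list.ExcludeFromOfflineClient = -not $Allow
    $list.Update()
    Invoke-PnPQuery
}

"Before:"
Get-OfflineAvailabilityReport | Format-Table -AutoSize

foreach ($title in $LibrariesToLock) {
    Set-OfflineAvailability -Title $title -Allow $false
}

"Libraries that still allow offline clients:"
Get-OfflineAvailabilityReport | Where-Object OfflineAllowed | Format-Table -AutoSize
```

Run the report on its own first; the set step only touches the libraries listed in `$LibrariesToLock`. As Paul notes, this does not remove the browser "Download" button or wipe copies that were synced before the change, so it narrows the exposure rather than closing it.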

Thanks for your advice @Paul_HK_de_Jong 
I think we will have to join those laptops that need access to an AD domain and then use OneDrive sync domain restriction: https://docs.microsoft.com/en-us/onedrive/allow-syncing-only-on-specific-domains, plus the many group policy options to secure it.
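The plan above has two halves that can both be scripted, and the device half also covers the machines the original post says are not AD-joined. The following is an added example and is not code from the thread or from Microsoft. Part 1 uses the SharePoint Online Management Shell cmdlet `Set-SPOTenantSyncClientRestriction` behind the linked article. Part 2 writes the same `HKLM\SOFTWARE\Policies\Microsoft\OneDrive` values that the OneDrive Group Policy templates write, which the sync client honours however they got there; a standard user cannot edit that hive, which answers Paul's "users can simply change these local settings" for the OneDrive side. The admin URL, tenant ID and domain GUIDs are placeholders.

```powershell
# Added example (not from the thread). Two layers:
#  1. Tenant: allow sync only from devices joined to listed AD domains.
#  2. Device: OneDrive policy values under HKLM, applied directly for machines
#     that do not receive Group Policy. Run part 2 in an elevated session.
$AdminUrl    = "https://contoso-admin.sharepoint.com"         # placeholder
$TenantId    = "00000000-0000-0000-0000-000000000000"         # placeholder: Azure AD tenant ID
$DomainGuids = @(                                             # placeholder values;
    "11111111-1111-1111-1111-111111111111",                   # take each from
    "22222222-2222-2222-2222-222222222222"                    # (Get-ADDomain).ObjectGUID
)

# --- 1. Tenant side --------------------------------------------------------
function Set-TenantSyncRestriction {
    Connect-SPOService -Url $AdminUrl
    # DomainGuids is a single semicolon-separated string.
    Set-SPOTenantSyncClientRestriction -Enable -DomainGuids ($DomainGuids -join ";")
    # Echo the effective restriction so the change can be recorded.
    Get-SPOTenantSyncClientRestriction
}

# --- 2. Device side --------------------------------------------------------
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive"
$AllowKey  = Join-Path $PolicyKey "AllowTenantList"

function Set-OneDriveDevicePolicy {
    New-Item -Path $PolicyKey -Force | Out-Null
    # Keep Files On-Demand on, and convert already-synced team-site files to
    # online-only placeholders (the "Online-only files" state Daniel asked about).
    Set-ItemProperty -Path $PolicyKey -Name FilesOnDemandEnabled     -Type DWord -Value 1
    Set-ItemProperty -Path $PolicyKey -Name DehydrateSyncedTeamSites -Type DWord -Value 1
    # No consumer OneDrive accounts on a device that holds company data.
    Set-ItemProperty -Path $PolicyKey -Name DisablePersonalSync      -Type DWord -Value 1
    # Only this tenant may be synced (value name and data are both the tenant ID).
    New-Item -Path $AllowKey -Force | Out-Null
    Set-ItemProperty -Path $AllowKey -Name $TenantId -Type String -Value $TenantId
}

# Compliance check: one row per setting, Ok = $false where the device drifted.
function Test-OneDriveDevicePolicy {
    $expected = [ordered]@{
        FilesOnDemandEnabled     = 1
        DehydrateSyncedTeamSites = 1
        DisablePersonalSync      = 1
    }
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $actual = if ($props) { $props.$name } else { $null }
        [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $actual
                           Ok = ($actual -eq $expected[$name]) }
    }
    $allowed = Get-ItemProperty -Path $AllowKey -ErrorAction SilentlyContinue
    $actualTenant = if ($allowed) { $allowed.$TenantId } else { $null }
    [pscustomobject]@{ Setting = "AllowTenantList"; Expected = $TenantId; Actual = $actualTenant
                       Ok = ($actualTenant -eq $TenantId) }
}

# Usage (each step is independent):
# Set-TenantSyncRestriction
# Set-OneDriveDevicePolicy
# Test-OneDriveDevicePolicy | Format-Table -AutoSize
```

Two caveats a deployment should plan for. The tenant restriction is documented as taking up to 24 hours to apply and keys on the device's domain join, so it does nothing for the non-joined machines until they are joined. On the device side, `DehydrateSyncedTeamSites` converts files to online-only placeholders; it is not documented as removing the "Always keep on this device" menu item, so it reduces what sits on a stolen disk rather than forbidding local copies outright, which is exactly Paul's reservation about Files On-Demand.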