Managing Offline Sync in OneDrive for Business

Yesterday, I released a post explaining how we can control and manage some of the sharing capabilities of SharePoint Online. Those changes applied not only to SharePoint Online but also to OneDrive for Business such as whether or not a user can share a file publicly with an anonymous link.

In this post, I am going to focus on the offline sync capability of OneDrive for Business. This feature allows a user to have access to their OneDrive for Business files on their PC or Mac device and work on them offline and when they come back online, changes are synchronised back up to OneDrive for Business. The OneDrive for Business client allows not only syncing for offline access of a users personal site folders but also of team site folders and data. In some cases, people are even using this feature to replace their Folder Redirection shares on the local network to a file server and have users work go up to OneDrive for Business by default making the most of that 1TB per user allowance and reducing your on-premise storage management and purchasing costs. In other cases, you could use this to allow employees working remotely to have access to a central team site that contains all of your document templates or marketing collateral.

While this offline sync capability is very useful, it also comes with a price. Imagine a scenario with a disgruntled employee: Using their home PC, they login to OneDrive for Business and configure their client to sync their folders and files at home. Now, this user has copies of all of their corporate work product at home, free to take it or sell it to a competitor or such. Another scenario is that somebody gains access to your SharePoint Online environment and takes a copy of a sensitive folder of documents and then publishes them online, exposing your company.

Luckily, after all this scaremongering, we can control it although this is a new feature so it’s not something we could have done before.

Turn Off Offline Sync for a Library

The easiest way to protect sensitive content is to prevent it from being synchronised for offline access so that OneDrive for Business clients cannot take copies of it with them offline. Yes, this method as no neither of the methods given stop someone physically downloading a copy of files but it stops them doing it en-masse using the OneDrive for Business client as a bulk collection tool.

Within SharePoint Online, access the Library Settings for your particular library type and then head into the Advanced Settings section.

As you can see, in the Advanced Settings, we have the option to disable offline sync. As I said before, this is a great option for really sensitive areas that you just flat-out do not want kept offline but it’s not ideal for your honest corporate employee nor is it very scalable as this is a per library setting so unless you want to iterate all your libraries with PowerShell or some automation tool, this will get old and very time consuming fast.

Limiting Offline Sync to Domain Clients

With this new feature for OneDrive for Business, we can now control whether or not a client is able to sync offline content based on whether their computer is a member of a given number of Active Directory domains. With this feature, we can allow our employees to sync files offline but we can limit the scope of it to our domain managed client PCs.

There are two caveats that come with this new capability. First, this is a tenant-wide setting so once you apply this, you will not be able to perform offline sync with OneDrive for Business for any library in your tenant outside of one of the configured domains. The second is in the detail in the previous paragraph – PCs. Because a domain joined Mac client is not really a fully-fledged domain member like a Windows Client OS, changing this setting disables offline sync for Mac devices regardless of whether they are joined to your domain or not. We can hope this is something that might get fixed in the future as this is the first release of this feature but we just don’t know right now.

Right now, this change does not effect or limit mobile OneDrive for Business apps in any way just as an FYI but that is where Office 365 MDM comes in to play which I will hopefully get a chance to cover in a future post.

So to get started implementing this, we first need to get the GUIDs for our domains. These are unique hexadecimal strings which uniquely identify our domain. To get the GUIDs for all of the domains in our forest, we can use the following PowerShell Cmdlets from a PC with the Active Directory PowerShell Module installed from the RSAT Tools.

Import-Module ActiveDirectory
$Domains = (Get-ADForest).Domains; ForEach($D in $Domains) {Get-ADDomain -Identity $D | Select Name, ObjectGuid}

This Cmdlet comes from the Microsoft TechNet page at https://technet.microsoft.com/en-us/library/dn938435.aspx on how to get domain GUIDs but I have added the Name column to the output. I know that it is likely in the real world that we may have resource or selected domains that we don’t want to allow sync to occur in so this way, we can see which domains relate to which GUID and we can filter them out as needed.

With the domain GUIDs in hand, we can now configure SharePoint Online. Using a PC with the SharePoint Online PowerShell Module installed, enter the following Cmdlets:

Connect-SPOService -Url https://tenantname-admin.sharepoint.com -Credential admin@domain.com
Set-SPOTenantSyncClientRestriction  -Enable -DomainGuids "786548DD-877B-4760-A749-6B1EFBC1190A; 877564FF-877B-4760-A749-6B1EFBC1190A"

So as you will be able to see in the example above, firstly, you need to change the Url parameter to match your Tenant Admin URL and you also need to enter your Global Administrator or SharePoint Online Administrator credentials. On the second line, I’ve entering the domain GUID for two domains which are semi-colon separated. If you have just one then omit the semi-colon.

Once the change is applied, users will no longer be able to sync content for offline access with OneDrive for Business unless they are using a corporate managed, domain joined machine in one of the domains you have specified or from any Mac clients. Any users who have configured offline sync with OneDrive for Business on non-domain joined machines prior to the change will stop syncing any new changes but the existing content will not be deleted from the client so it is important to implement this change early if you are starting out in Office 365 today.