New IT management controls added to OneDrive for Business

Today’s post was written by Reuben Krippner, director of product management for Office 365, focused primarily on OneDrive for Business.

The OneDrive for Business team has been working to deliver the controls most commonly requested by IT admins. Today, we’ll highlight new management options you have to protect and control the flow of your information using OneDrive for Business.

In addition, this week’s Office Mechanics show walks through the new controls and how to implement them as an IT admin.

Limiting file sync to domain joined PCs

OneDrive for Business enables users to synchronize their files for offline use across their PCs or Macs. One of the most common requests from IT admins is to have the ability to block sync on unmanaged PCs. Now you can enable file sync to work only on domain-joined PCs (and you can even specify which of your domains you want to allow to sync), thereby blocking file sync on personally owned or unmanaged PCs. Note that using this setting means that you will disable file sync on all Macs as they cannot be domain-joined and managed like PCs.

This new control uses PowerShell to limit file sync to a list of permitted domains and, if your organization uses multiple domains, you can select the individual domains from which you allow sync requests.

The PowerShell cmdlet and syntax you use is:

Set-SPOTenantSyncClientRestriction -Enable -DomainGuids "786548DD-877B-4760-A749-6B1EFBC1190A; 877564FF-877B-4760-A749-6B1EFBC1190A"

The “DomainGuids” value represents the domain you are allowing. You can find more details on TechNet, including how to determine your domain GUIDs. We also demonstrate this on the show.
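
An added example, not from the original post or from Microsoft's documentation: one way to collect the GUID of every domain in the current forest, pass the list to the cmdlet above, and read the setting back. It assumes the ActiveDirectory (RSAT) module and the SharePoint Online Management Shell are installed; the admin URL is a placeholder.

```powershell
# Added example. Assumes the ActiveDirectory (RSAT) module and the
# SharePoint Online Management Shell are installed, and that the account
# running it can read the forest and administer the tenant.
Import-Module ActiveDirectory
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

# Placeholder admin URL; replace "yourdomain" with your tenant name.
$adminUrl = 'https://yourdomain-admin.sharepoint.com'

# Read the ObjectGUID of every domain in the current forest.
$domains = (Get-ADForest).Domains | ForEach-Object {
    Get-ADDomain -Identity $_ -Server $_ | Select-Object DNSRoot, ObjectGUID
}
if (-not $domains) {
    throw 'No domains found; refusing to enable the restriction with an empty allow list.'
}

# Review the list before applying it: PCs joined to any domain left in it
# will be allowed to sync.
$domains | Format-Table -AutoSize

# The cmdlet takes a single string of GUIDs separated by semicolons.
$guidList = ($domains | ForEach-Object { $_.ObjectGUID.ToString() }) -join '; '

Connect-SPOService -Url $adminUrl
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $guidList

# Read the setting back to confirm what the tenant now enforces.
Get-SPOTenantSyncClientRestriction |
    Format-List TenantRestrictionEnabled, AllowedDomainList
```

To allow only some domains, filter `$domains` (for example with `Where-Object` on `DNSRoot`) before the list is joined.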

Auditing all actions taken against OneDrive for Business files

New auditing controls rolling into the Office 365 compliance center allow you to audit all actions taken against files stored in OneDrive for Business. If you want to monitor activities like which PCs or Macs attempted to sync with OneDrive or who viewed and shared files, the auditing controls provide that visibility. You can learn more in this recent Office Blogs post, and we demonstrate some of the auditing capabilities on the show.

Managing mobile devices connecting to OneDrive for Business data

As more people move to OneDrive for Business to store and access their files, email-based mobile device management (MDM) policies may not suffice to protect data. Now using MDM in Office 365, you can ensure that devices connecting to your OneDrive for Business data are managed. After you’ve set up MDM policies, a device will need to enroll in MDM for Office 365 when it tries to connect to your data using OneDrive for Business or Office Mobile apps. This ensures that the device meets security requirements and enforces PIN log-in and other chosen configurations on the device. You can find out more about MDM for Office 365 and see it in action on the show.

Setting storage quotas in OneDrive for Business

Even though the prospect of having 1 TB of data in the cloud is attractive for many people, several organizations have requested the ability to set smaller quota limits. It could be to limit the amount of data stored, for information protection reasons, or simply to ensure that what people store in OneDrive for Business can sync (and fit) on their PC’s hard drive.

In this case, PowerShell is again used to set the storage quota. Here’s an example:

Set-SPOSite -Identity https://yourdomain-my.sharepoint.com/personal/username_yourdomain_com -StorageQuota 512000

We demonstrate this feature on the show, and you’ll find more information for the Set-SPOSite cmdlet on TechNet.
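
An added example, not from the original post: applying the same quota to every OneDrive for Business site in the tenant rather than one user at a time. It assumes an existing `Connect-SPOService` session; skipping sites that already hold more data than the new limit is a choice made in this example so they can be reviewed by hand.

```powershell
# Added example. Assumes Connect-SPOService has already been run.
# StorageQuota and StorageUsageCurrent are both expressed in megabytes.
$newQuotaMB = 512000   # same value as the single-site command above

# Enumerate every OneDrive for Business (personal) site in the tenant.
$sites = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

foreach ($site in $sites) {
    if ($site.StorageUsageCurrent -gt $newQuotaMB) {
        # This example does not lower a quota below what is already
        # stored; it reports the site so an admin can follow up.
        Write-Warning ("{0} holds {1} MB, above the {2} MB target; skipped." -f `
            $site.Url, $site.StorageUsageCurrent, $newQuotaMB)
        continue
    }
    if ($site.StorageQuota -ne $newQuotaMB) {
        Set-SPOSite -Identity $site.Url -StorageQuota $newQuotaMB
    }
}

# Read the values back: any site not at the target quota shows up here.
Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'" |
    Where-Object { $_.StorageQuota -ne $newQuotaMB } |
    Select-Object Url, StorageQuota, StorageUsageCurrent
```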

Preventing unintentional sharing to “Everyone” or “All Users” in OneDrive for Business

OneDrive for Business is designed to ensure that only those with viewing or editing permissions can view or edit a file. Many organizations want sharing with people to be a very specific and targeted action. For example, they want their users to determine the specific people they need to share a file with and explicitly invite them through the sharing dialog. We’ve also offered the “Shared with Everyone” folder, which means files placed in this folder automatically grant users permissions and are publicly discoverable through Delve. We had a lot of feedback from customers that this folder was an all-too-simple way to avoid specifically nominating people who should get access to a file. Based on this feedback, for all new tenants and users, the “Shared with everyone” folder will no longer be created by default; however, IT admins have the ability to override this setting.

If this is something you’ve been waiting for to protect information, you’ll also be happy to know that there are controls to remove “Everyone,” “All Users” and “Everyone except external users” from the people picker in OneDrive for Business and SharePoint Online. Again, you would use PowerShell to disable these entries from the people picker with the following settings:

Set-SPOTenant -ShowEveryoneClaim $false
Set-SPOTenant -ShowEveryoneExceptExternalUsersClaim $false
Set-SPOTenant -ShowAllUsersClaim $false

More information about the Set-SPOTenant cmdlet is on TechNet and we highlight this as well as the resulting user experience on the show.

More to come in OneDrive for Business

These new controls, all based on your feedback, provide more capabilities to protect corporate information in OneDrive for Business. In the coming months, we’ll deliver a whole range of new user experiences including our new sync client (featuring selective sync), new web client refresh and offline file support for mobile devices. We’ll also bring in new controls for IT admins to manage the scope or span of sharing outside the organization as well as other controls that provide additional ways to protect key business files. So keep checking back; be sure to try out the new management controls today and let us know what you think.

–Reuben Krippner