OneDrive for Business is a big part of every Office 365 plan. As an IT administrator, you need to find ways to more efficiently set up such solutions.

We already discussed how to set up OneDrive for Business for all your tenants. Now, let’s look at how you can deploy the OneDrive Sync client in your work environments. We will focus on deployment methods and security controls.

 

Sync client requirements and configuration

Before we start deploying the client, we need to understand its software requirements. The OneDrive sync client is supported on Windows 10, Windows 8.1, Windows 8, and Windows 7. It’s also available for Mac OS; however, the deployment process is slightly different, and we will cover this in one of our future articles. Microsoft recommends using Office 2013 or 2016 for a better experience and compatibility.

 

14 configurations in OneDrive for Business

1) Deploy security and configuration settings

To set registry keys on computers in your domain, you can use the OneDrive.admx and OneDrive.adml Group Policy files in the OneDrive Deployment Package provided by Microsoft. This helps you configure all the Group Policy based settings, which we’ll discuss next.

 

2) Use System Center Configuration Manager (SCCM) to deploy OneDrive Sync Client

To deploy through SCCM, you can save the OneDrive setup installer for Windows to the network share. The installer is available here.

To install the OneDrive sync client on Windows, run the following command using the System Center Configuration Manager:

Execute <pathToExecutable>\OneDriveSetup.exe /silent

The installer will place the OneDrive executable file under %localappdata%\Microsoft\OneDrive.

As OneDrive does not support single sign-ins using Windows credentials, you can help users sign in to the Sync client via SCCM.

Run the following command using the System Center Configuration Manager (SCCM) script to start the OneDrive process: %localappdata%\Microsoft\OneDrive\OneDrive.exe

If your users haven’t set up any accounts, executing the above command will display OneDrive Setup. To display OneDrive Setup specifically for users who haven’t set up any accounts for your tenant, use the following command-line parameter: /configure_business:<tenantId>
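The two commands above can be wrapped in one script for an SCCM deployment. This is an added example, not code from the original article or from Microsoft: `$InstallerShare` is a hypothetical parameter, the script assumes it runs in the signed-in user's context (the client installs under %localappdata%), and the expected signer name is an assumption to confirm against your own copy of the installer.

```powershell
# Added example: silent install with an integrity check on the shared installer.
param(
    [Parameter(Mandatory)] [string]$InstallerShare,  # hypothetical, e.g. \\fileserver\deploy
    [Parameter(Mandatory)] [string]$TenantId
)

$setup = Join-Path $InstallerShare 'OneDriveSetup.exe'
if (-not (Test-Path -LiteralPath $setup)) { throw "Installer not found: $setup" }

# A network share can be modified by anyone with write access to it, so refuse
# to run an installer whose Authenticode signature is missing, broken, or not
# issued to the expected publisher (assumed here to be Microsoft Corporation).
$sig = Get-AuthenticodeSignature -FilePath $setup
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Signature check failed for ${setup}: $($sig.Status)"
}

# Silent install, as described in the article. WaitForExit() waits for the
# installer process only, not for anything it starts afterwards.
$proc = Start-Process -FilePath $setup -ArgumentList '/silent' -PassThru
$proc.WaitForExit()

# Confirm the client landed where the article says it should.
$client = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\OneDrive.exe'
if (-not (Test-Path -LiteralPath $client)) {
    throw "OneDrive.exe not found after install: $client"
}

# Show OneDrive Setup only if the user has no account for this tenant yet.
Start-Process -FilePath $client -ArgumentList "/configure_business:$TenantId"
```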

 

3) Access OneDrive admin center

Some of the security controls can be managed via the OneDrive admin center. To do so, you should have global administrator rights. Here’s how to access the OneDrive admin center:

  1. Log in to https://portal.office.com/adminportal/home
  2. Choose Admin centers from the left-hand navigation and select OneDrive.
  3. In the OneDrive admin center, you should see the following options:

Access OneDrive Admin Center

 

4) Set default storage space

By default, OneDrive sites have 1 TB of storage for every user. Organizations with E3, E4, E5, SharePoint Online Plan 2, or OneDrive for Business Plan 2 can increase their storage limits up to 5 TB. Follow these steps to manage this setting:

  1. Click on Storage
  2. Enter the default storage amount.
  3. Click Save when you’re done.

 

5) Set default location for folder and prevent users from changing it

You can choose a location for OneDrive for Business files. However, you should have one common location for Sync folders to help you troubleshoot and locate missing files.

 

Set default location

You can set a specific path as the default location for a folder. By default, the path is under %userprofile%.

To enable this, set the following registry value to the path you want to use:

Path: [HKCU\SOFTWARE\Microsoft\OneDrive\Tenants\tenant ID]

Value: "DefaultRootDir"="D:\\CompanyData"

Once this is done, the local folder will default to the path that you specify in the OneDrive ADMX file.

Note: if you work with shared computers, you should keep the default location under %userprofile%.

 

Prevent users from changing the default location

This lets you prevent users from changing the locations of their folders. Enabling this policy requires setting the following registry key value to 1:

Path: [HKCU\SOFTWARE\Microsoft\OneDrive\Tenants\1111-2222-3333-4444-5555-6666]

Value: "DisableCustomRoot"=dword:00000001

To use this policy, you must update the OneDrive.admx file in your Group Policy central store and add your tenant ID.

 

6) Allow syncing only on domain-joined machines

To make sure that users sync files only on managed computers, you can configure OneDrive to sync only on PCs that are part of specific domains. Follow these steps to configure this option:

  1. Click on Sync.
  2. Under Sync Settings, check the “Allow Syncing only on PCs joined to specific domains” option.
  3. Click on Edit Domains and add the Company Domain GUID in the box. Save your changes when you’re done.

With this policy in place, users can sync files only on company machines.

 

7) Prevent users from synchronizing OneDrive personal account

Microsoft can synchronize personal OneDrive accounts. However, your business might ask that you remove access to personal cloud storage. This is why Microsoft included this setting.

By default, users are allowed to sync personal OneDrive accounts.

To disable synchronizing, set the following registry key value to 1:

Path: [HKCU\SOFTWARE\Microsoft\OneDrive]

Value: "DisablePersonalSync"=dword:00000001

Once this is enabled, your users will see an error if they try to synchronize their personal OneDrive accounts. Their files will remain on the computer but will be unsynchronized.

 

8) Block syncing of specific file types

Administrators can prevent users from syncing specific file types when they sync their OneDrive for Business files. Use these steps to manage this setting:

  1. Click on Sync
  2. Under Sync Settings, check the “Block Syncing of specific file types” option.
  3. Click on “Edit extensions” and add your extensions on separate lines. Click Save when you’re done.

 

9) Set the maximum percentage of upload bandwidth

This policy is helpful if you have poor bandwidth, as it lets you configure the maximum percentage of bandwidth that a computer can use to upload files.

Because the bandwidth available to a computer is constantly changing, a specified percentage allows Sync to respond to fluctuations in bandwidth availability while synchronizing in the background. The lower the percentage, the slower it will synchronize files.

It is recommended that you keep a value of 50% or higher. By default, OneDrive uses 99% bandwidth.

This policy allows synchronization at full speed for one minute, after which it will slow down to the specified upload speed. This means that a very small file will be uploaded quickly because it fits within the one-minute synchronization, whereas large files will be uploaded while keeping your bandwidth usable.

To enable this policy, set the following registry key value to a number from 10 to 99. Use hexadecimal values. For instance, to set your bandwidth percentage to 50%, use the hexadecimal value for 50 (which is 00000032).

Path: [HKLM\SOFTWARE\Microsoft\OneDrive]

Value: "AutomaticUploadBandwidthPercentage"=dword:00000032

 

10) Control access based on network location

This policy helps administrators to prevent users from accessing OneDrive and SharePoint content on devices outside of specific domains and networks.

  1. Click on Device Access
  2. In order to control access based on a network location, select the “Allow access only from specific IP address locations” checkbox and then click Add locations directly below.
  3. Scroll through, and click Save when you’re done.

 

11) File collaboration policy

The coauthoring feature was initially unavailable, but it’s now available as a policy that you can configure. It’s recommended that you enable this feature.

To do so, set the following registry key value to 1:

Path: [HKCU\SOFTWARE\Microsoft\OneDrive]

Value: "EnableAllOcsiClients"=dword:00000001

 

12) Sync conflict policy

This policy defines what happens when there’s a conflict between file versions during synchronization.

By default, users decide if they want to merge, change, or keep both copies. They can also configure the Sync client to always keep both copies.

Set the following registry key value to 1 to enable this policy:

Path: [HKCU\SOFTWARE\Microsoft\OneDrive]

Value: "EnableHoldTheFile"=dword:00000001

You need to enable the file collaboration policy (item 11) in order to access this option.
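To confirm that the registry-based settings from items 5, 7, 9, 11 and 12 actually reached an endpoint, the values can be read back and compared with the intended baseline. This is an added example, not part of the original article: the tenant ID is the article's placeholder, the expected folder is its sample path, and treating anything below 50% bandwidth as drift follows the article's recommendation rather than a product limit.

```powershell
# Added example: audit the OneDrive registry values listed in this article.
# Replace the placeholder tenant ID and sample path with your own values.
param(
    [string]$TenantId     = '1111-2222-3333-4444-5555-6666',
    [string]$ExpectedRoot = 'D:\CompanyData'
)

$user    = 'HKCU:\SOFTWARE\Microsoft\OneDrive'
$tenant  = "$user\Tenants\$TenantId"
$machine = 'HKLM:\SOFTWARE\Microsoft\OneDrive'

# One entry per setting: key path, value name, and the test the value must pass.
$baseline = @(
    @{ Path = $tenant;  Name = 'DefaultRootDir';       Test = { param($v) $v -eq $ExpectedRoot } }
    @{ Path = $tenant;  Name = 'DisableCustomRoot';    Test = { param($v) $v -eq 1 } }
    @{ Path = $user;    Name = 'DisablePersonalSync';  Test = { param($v) $v -eq 1 } }
    @{ Path = $user;    Name = 'EnableAllOcsiClients'; Test = { param($v) $v -eq 1 } }
    @{ Path = $user;    Name = 'EnableHoldTheFile';    Test = { param($v) $v -eq 1 } }
    # Valid range is 10 to 99; the article recommends 50 or higher.
    @{ Path = $machine; Name = 'AutomaticUploadBandwidthPercentage'
       Test = { param($v) $v -ge 50 -and $v -le 99 } }
)

$results = foreach ($item in $baseline) {
    # A missing key or value yields $null instead of an error.
    $props = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $props) { $props.($item.Name) } else { $null }
    $test  = $item.Test

    $state = if ($null -eq $value) { 'Missing' } elseif (& $test $value) { 'Compliant' } else { 'Drift' }

    [pscustomobject]@{
        Setting = $item.Name
        Path    = $item.Path
        Value   = $value
        State   = $state
    }
}

$results | Format-Table -AutoSize

# A non-zero exit code lets SCCM or a scheduled task flag the machine.
if ($results | Where-Object { $_.State -ne 'Compliant' }) { exit 1 }
```

The HKCU values are writable by the signed-in user, so run the audit on a schedule rather than once after deployment.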

 

13) External sharing

External sharing has recently become a key attraction in Office 365 Storage services. The following 4 configuration options are currently available for external files:

  1. Completely disable external sharing
  2. Only existing external users can access the services
  3. Files and sites can be shared with new and existing users
  4. Anyone, including anonymous users, can access the files without logging in

We recommend using the third option to allow internal users to invite new external users. The fourth option will increase the chances of confidential data loss because file links can be accessed by unauthorized users.

 

14) Preserve OneDrive files after users leave the organization

This setting preserves content for a longer duration, even if the user has left the organization. By default, Microsoft keeps OneDrive data for 30 days after the deletion of an Office 365 account. Now, administrators can decide for how long they’d like to keep files. The maximum value is 3650 days (ten years). Follow these steps to manage this setting:

  1. Click on Storage
  2. Enter the number of days in the “Days to retain files in OneDrive after a user account is marked for deletion” box.
  3. Click on Save to update your changes.

Written by The Sherweb Team Collaborators @ Sherweb