OneDrive for Business is a key workload in Office 365 and is an integral part of your collaboration and content strategy. Whether you are looking to roll out OneDrive for Business or are already utilizing it, there are important things that you should know about for administration. Do you know what is possible for admins? Do you know if your content really is secure? Do you know who can and can't share?
You also can't have a great OneDrive for Business experience without sync but there are things you need to know about deploying and managing sync across your enterprise.
This session will go through real world experiences of managing OneDrive for Business and what you really need to know to be successful.
10. Built on top of SharePoint
Evolution of “My Sites” from SharePoint on-premises
Administration tightly coupled between SharePoint & OneDrive
Each user’s OneDrive is a SharePoint Site Collection
OneDrive does not count against SharePoint Online tenant storage usage
Created under the /personal managed path when a user first accesses it
12. Access
Default: ownership is set to the manager declared in the user profile
Follows the access delegation set in the SP Admin Center
Cleanup
If the user profile is deleted manually, the site won’t be deleted
Email sent on initial assignment and 7 days before the retention period ends
If the site is on an eDiscovery hold, the site won’t be deleted
Deleting the user account in Azure AD is the only thing that triggers cleanup
13. Control of the country or region based on Preferred Data Location (PDL)
OneDrives can be moved by an administrator
Personal files are kept in that geo location
Managed in the SharePoint Admin Center
Sets the OneDrive to read-only during the move (2-6 hours)
Moved via PowerShell
Good communication is required to improve the user experience
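As an added example (not part of the deck or Microsoft's own material), this is the PowerShell an admin would run for the move described above, using the SharePoint Online Management Shell cmdlets for Multi-Geo. The tenant name, the UPN and the geo code "EUR" are placeholders, the PDL is assumed to have been set on the user in Azure AD beforehand, and the terminal MoveState values named in the polling loop are assumptions to check against your module version.

```powershell
# Added example (not from the deck): move one user's OneDrive to the geo that matches their
# Preferred Data Location. Tenant name, UPN and the geo code "EUR" are placeholders; the PDL
# itself is set on the user in Azure AD beforehand (outside this script). Needs the SharePoint
# Online Management Shell and a Multi-Geo tenant.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
$upn = "user@contoso.example"
$geo = "EUR"

# Queue the move. The slide's point about communication applies here: the OneDrive is
# read-only for the 2-6 hours the move takes, so tell the user before running this.
Start-SPOUserAndContentMove -UserPrincipalName $upn -DestinationDataLocation $geo

# Poll the move state every 5 minutes, for at most 12 hours. "Success" and "Failed" are the
# terminal MoveState values assumed here; confirm them against the output of your module.
$terminal = @('Success', 'Failed')
for ($i = 0; $i -lt 144; $i++) {
    $state = Get-SPOUserAndContentMoveState -UserPrincipalName $upn
    Write-Host ("{0}: {1}" -f (Get-Date -Format 'u'), $state.MoveState)
    if ([string]$state.MoveState -in $terminal) { break }
    Start-Sleep -Seconds 300
}
$state
```

Run it from an admin session that can reach both geos; the polling loop exists so the read-only window is visible to whoever is watching the migration rather than discovered by the user.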
21. Sharing for OneDrive cannot be LESS restrictive than SPO
Turning off sharing in SPO stops all shares
SPO & OneDrive sharing does not control Office 365 Groups (Teams) sharing
Admin Sharing Options
No external sharing
Only existing external users (sign-in required)
New and existing external users (sign-in required)
Anyone, including anonymous users (on by default)
Your SharePoint Online sharing settings determine which OneDrive sharing settings are available
22. The following settings apply to both SPO and OneDrive
Default link type
Direct links: only users who have specific permission
Internal links: only users within your organization
Shareable access links: anyone with a link (anonymous)
Default link permission
View or Edit
Anonymous access link permission
Separate for files & folders
View, Edit & Upload
View Only
Anonymous access link expiration
Up to 2 years / 730 days
23. The following settings apply to both SPO and OneDrive
Limited external sharing by user
Only certain users in a security group can share with:
External users
External users + anonymous
Other
Must accept using the same account
Let external users share items they don’t own
Require recipients to prove account ownership (days)
Not anonymous
OneDrive email notifications
Other users share again
External users accept
Anonymous link created or changed
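As an added example (not part of the deck or Microsoft's own material), the PowerShell below audits the settings from slides 21-23 with Get-SPOTenant and then applies a tighter baseline with Set-SPOTenant. The tenant URL and the partner domain are placeholders; the parameter and enum names are those of the SharePoint Online Management Shell, and the audit rules themselves are this example's own policy choices, not anything the deck prescribes.

```powershell
# Added example (not from the deck): audit tenant sharing settings and tighten them with the
# SharePoint Online Management Shell. "contoso" and "partner.example" are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# SharingCapability values, least to most permissive (the cmdlet's own enum names).
$SharingRank = @{
    Disabled                        = 0   # No external sharing
    ExistingExternalUserSharingOnly = 1   # Only existing external users (sign-in required)
    ExternalUserSharingOnly         = 2   # New and existing external users (sign-in required)
    ExternalUserAndGuestSharing     = 3   # Anyone, including anonymous users
}

function Get-SharingFindings {
    # Returns one line per tenant setting that is looser than this example's baseline.
    $t   = Get-SPOTenant
    $f   = [System.Collections.Generic.List[string]]::new()
    $spo = $SharingRank[[string]$t.SharingCapability]
    $od  = $SharingRank[[string]$t.OneDriveSharingCapability]

    if ($spo -ge 3) { $f.Add("Anyone (anonymous) links are enabled tenant-wide") }
    if ($od -gt $spo) { $f.Add("OneDrive sharing is less restrictive than SPO") }
    if ($t.DefaultSharingLinkType -eq 'AnonymousAccess') { $f.Add("Default link type is Anyone") }
    if ($t.DefaultLinkPermission -eq 'Edit') { $f.Add("Default link permission is Edit") }
    # RequireAnonymousLinksExpireInDays is -1 when anonymous links never expire.
    if ($spo -ge 3 -and $t.RequireAnonymousLinksExpireInDays -lt 1) { $f.Add("Anonymous links never expire") }
    if ($spo -ge 3 -and ($t.FileAnonymousLinkType -eq 'Edit' -or $t.FolderAnonymousLinkType -eq 'Edit')) {
        $f.Add("Anonymous links allow edit/upload")
    }
    if (-not $t.RequireAcceptingAccountMatchInvitedAccount) { $f.Add("Invitations can be accepted with a different account") }
    if (-not $t.PreventExternalUsersFromResharing) { $f.Add("External users may re-share items they don't own") }
    if ($t.SharingDomainRestrictionMode -ne 'AllowList') { $f.Add("No sharing domain allow list") }
    if (-not $t.NotifyOwnersWhenItemsReshared) { $f.Add("Owners are not notified when items are re-shared") }
    if (-not $t.NotifyOwnersWhenInvitationsAccepted) { $f.Add("Owners are not notified when invitations are accepted") }
    return $f
}

"Before:"; Get-SharingFindings

# Baseline: external sharing with sign-in only (and OneDrive no looser than SPO), view-only
# internal links by default, anonymous links view-only and expiring if they are ever turned
# back on, same-account acceptance, no re-sharing by guests, a domain allow list, and owner
# notifications on. Adjust to the outcome of your own "start open and work back" review.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
    -OneDriveSharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Internal `
    -DefaultLinkPermission View `
    -FileAnonymousLinkType View -FolderAnonymousLinkType View `
    -RequireAnonymousLinksExpireInDays 30 `
    -RequireAcceptingAccountMatchInvitedAccount $true `
    -PreventExternalUsersFromResharing $true `
    -EmailAttestationRequired $true -EmailAttestationReAuthDays 30 `
    -NotifyOwnersWhenItemsReshared $true -NotifyOwnersWhenInvitationsAccepted $true `
    -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList "partner.example"

"After:"; Get-SharingFindings
```

The audit runs before and after so the change is recorded; keep the "Before" output with your change ticket, since these settings are tenant-wide and apply to every site collection that does not override them.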
24. Bring everyone together
• Review existing user experiences
• Listen and document requirements
• Demo functionality
• Look at competing tech
• Get consensus on pros and cons
• Start with open and work back
• Anonymous is recommended by secure score
Stakeholders: Business, Security Officer, Legal, IT, Employee
OneDrive is just part of your overall Sharing Strategy
25. Questions to Answer
In which applications will you allow external sharing?
What are the default sharing settings you will configure in SPO & OneDrive?
What are the default sharing settings you will configure in Azure AD?
Do my configurations in both environments align?
What domains will you allow?
What events do you need to audit or report on beyond 90 days?
How will I handle guest accounts in Azure AD?
Do I need to monitor sharing request emails?
How will I manage site collection specific sharing settings for sites?
What DLP policies do I have configured and will they control sharing?
How often should guests in groups be reviewed?
What terms of use should external users accept?
Do I need to manage site collection owners?
What is our training and awareness plan?
30. Invalid characters
< > : " | ? * /
Strings in filenames
Icon, .lock, CON, PRN, AUX, NUL
COM1-9, LPT1-9
Starts with ~$
Desktop.ini
_vti_ anywhere in the file name
Folder names
_t, _w, _vti_
“forms” at the root level
Number of items
Performance declines after 300,000 files
Size limit
15 GB
Other
No .psts
400 character URL limit
Can’t add a network/mapped drive as a sync location
Can’t sync as an external user or the Shared by me view
IRM sync requires 17.3.7294.0108
Checkout & required columns synced as read-only
Don’t use roaming profiles
http://bit.ly/odsynclimits
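As an added example (not part of the deck or Microsoft's own tooling), the PowerShell below scans a source folder tree against the naming, type, size and count limits listed on this slide before the content is migrated or synced, so the sync client never has to reject anything. The root path is a placeholder; the URL-length test is approximate because it measures the local relative path rather than the encoded SharePoint URL.

```powershell
# Added example (not from the deck): pre-migration scan of a file share against the limits on
# the slide. $Root is a placeholder; run on the source content before syncing or migrating.
$InvalidChars    = [char[]]'<>:"|?*/'
$ReservedNames   = @('Icon', '.lock', 'CON', 'PRN', 'AUX', 'NUL', 'desktop.ini') +
                   (1..9 | ForEach-Object { "COM$_"; "LPT$_" })
$ReservedFolders = @('_t', '_w', '_vti_')
$MaxItems        = 300000   # performance declines beyond this
$MaxFileBytes    = 15GB     # per-file limit on the slide
$MaxUrlLength    = 400      # approximate: local path length relative to the root

function Get-OneDriveNameIssues {
    # Returns the reasons (possibly none) why one file or folder would not sync.
    param([System.IO.FileSystemInfo]$Item, [string]$Root)
    $name   = $Item.Name
    $base   = [System.IO.Path]::GetFileNameWithoutExtension($name)
    $issues = @()
    if ($name.IndexOfAny($InvalidChars) -ge 0)          { $issues += 'invalid character' }
    if ($ReservedNames -contains $name -or
        $ReservedNames -contains $base)                 { $issues += 'reserved name' }
    if ($name.StartsWith('~$'))                         { $issues += 'starts with ~$' }
    if ($name -like '*_vti_*')                          { $issues += '_vti_ in name' }
    $relative = $Item.FullName.Substring($Root.Length)
    if ($relative.Length -gt $MaxUrlLength)             { $issues += 'path likely exceeds 400-char URL limit' }
    if ($Item.PSIsContainer) {
        if ($ReservedFolders -contains $name)           { $issues += 'reserved folder name' }
        if ($name -eq 'forms' -and
            $Item.Parent.FullName.TrimEnd('\') -eq $Root.TrimEnd('\')) { $issues += '"forms" folder at root' }
    } else {
        if ($Item.Extension -eq '.pst')                 { $issues += '.pst files are not supported' }
        if ($Item.Length -gt $MaxFileBytes)             { $issues += 'file larger than 15 GB' }
    }
    return $issues
}

function Get-OneDriveMigrationReport {
    # Walks $Root and returns one object per problematic item; warns on the item-count limit.
    param([string]$Root)
    $Root  = (Resolve-Path -LiteralPath $Root).Path
    $items = @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    $report = foreach ($i in $items) {
        $why = Get-OneDriveNameIssues -Item $i -Root $Root
        if ($why) { [pscustomobject]@{ Path = $i.FullName; Issues = ($why -join '; ') } }
    }
    if ($items.Count -gt $MaxItems) {
        Write-Warning ("{0} items under {1}: sync performance declines after {2}" -f $items.Count, $Root, $MaxItems)
    }
    return $report
}

# Usage (placeholder path):
Get-OneDriveMigrationReport -Root 'D:\FileShareToMigrate' | Format-Table -AutoSize
```

The reserved-name and extension checks are case-insensitive, which matches how the sync client and SharePoint treat names; fixing the reported items on the source share is far cheaper than chasing per-user sync errors afterwards.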
31. VDI & OneDrive sync client supports
Virtual desktops that persist between sessions
Non-persistent environments that use Windows Virtual Desktop preview
Non-persistent
FSLogix Apps 2.8 or later, FSLogix Office 365 Container, and a Microsoft 365 or Office 365 subscription for all of the following operating systems:
Windows 10, 32 or 64-bit (supports VHDX files)
Windows 7, 32 or 64-bit (supports VHD files)
Windows Server 2016 R2 or Windows Server 2012 R2 (both support VHDX)
Windows Server 2008 R2 (supports VHDX and VHD)
SMB network file share protocol required for Windows Server
32. Hide the sync button
Helps users install & set up
Allow sync to specific domains
Add GUID of each domain
Block sync of file types
Example: mp3, pst
Do not include periods or punctuation
OneDrive Admin Center
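As an added example (not part of the deck or Microsoft's own material), the PowerShell below sets the same two restrictions from the SharePoint Online Management Shell rather than the OneDrive Admin Center, and normalizes the extension list the way the slide asks (no periods or punctuation). The tenant name is a placeholder; the domain GUID is read with the ActiveDirectory module on a domain-joined admin workstation, which is an assumption about where the script runs.

```powershell
# Added example (not from the deck): restrict sync to PCs joined to specific domains and
# block file types, using Set-SPOTenantSyncClientRestriction. Tenant name is a placeholder;
# the domain GUID comes from the ActiveDirectory module on a domain-joined workstation.
Import-Module ActiveDirectory
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# objectGUID of each AD domain whose member PCs may sync; join several with ";".
$domainGuids = (Get-ADDomain).ObjectGUID.Guid

# Extensions as an admin might type them; the setting wants "pst;mp3" with no dots.
$rawExtensions = @('.pst', 'MP3', ' .exe ')
$blocked = ($rawExtensions | ForEach-Object { $_.Trim().TrimStart('.').ToLower() }) -join ';'

Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $domainGuids `
    -ExcludedFileExtensions $blocked

# Confirm what the tenant now reports; clients pick the change up on their next refresh.
Get-SPOTenantSyncClientRestriction
```

Keep the blocked list short and business-driven (pst and media files are the usual suspects); the restriction applies to the whole tenant, so test it in the Insider ring before pushing it to every device.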
33. Files On-Demand
Saves space on your device
Requires Windows 10 Fall Creators Update
Unique per device
Deleting an “Online-only” file deletes it from the web
Windows 10 Storage Sense (build 17720+)
Capability to automatically free up disk space by making older, unused, locally available OneDrive files online-only (“dehydration”)
http://bit.ly/win10storagesense
34. Known Folder Move
Redirects Windows known folders: Desktop, Documents, Pictures
Requires version 18.111.0603.0004
Users continue to work normally
Managed via Group Policy
Windows 7, 8.1, 10
Plan, test and remove redirection if it currently exists
Music & Videos
36. Sync Control
Allow & Block Tenant list
Prevent changing of sync location
Set default location
Disable personal sync
Network
Manage upload/download limits
Automatic bandwidth percentage
Prevent network traffic before sign in
Overall max limit of all files downloaded
Continue syncing on metered
Continued syncing on battery saver
Group Policy
http://bit.ly/onedrivegpo
Files on-demand
Enabled by default
Migrate SP sites to on-demand
Known Folder Move
Prompt users to opt in
Silently redirect
Prevent redirect to local
Prevent redirect to OneDrive
Sign in
Silent account configuration
Set default location
Disable first time tutorial
Office
Prevent remote file fetch
Handle office files in conflict
Coauthoring and in-app sharing
Admin
Delay client update to 2nd release
38. Team site automount
Specify SharePoint team site libraries to sync the next time users sign in
May take up to 8 hours
Win 10 Fall Creators (1709)
Do not enable on more than 1,000 devices
Users won’t be able to stop syncing
Utilizes the LibraryID
39. Sync libraries or folders that have been shared from other organizations
Insider ring
Utilizes Azure Active Directory guest accounts
Guest accounts can sync
ADAL must not be enabled on user syncing
ADAL enabled if silent account config utilized
Sharing recipients must have O365 work or school account in Azure AD
42. Use an enterprise deployment tool
System Center Configuration Manager (SCCM)
Intune
Or manual install
Software requirements
Windows 7, 8, 8.1, 10
Sync client included in Windows 10
macOS
Deploy admin settings
Use OneDrive.admx and OneDrive.adml
Download with the OneDrive Deployment Package
Deploy RMS client
Enables IRM-protected file sync
Options
OneDrive NGSC deployment guide
How to deploy NGSC with SCCM
Deploy using Intune
Plan your phases and provide communications
43. Assisting sign in
odopen://launch
odopen://sync?useremail=email@domain.com
odopen://sync?siteId=X&webId=X&listId=X&userEmail=x&webUrl=x
%localappdata%\Microsoft\OneDrive\OneDrive.exe
45. Autopilot
OEM-optimized Win 10 preinstalled
Hardware registered in your Azure AD tenant
User signs in and the machine joins Azure AD
Auto-enrolls into Intune
OneDrive installed and starts!
Autopilot base requirements
Win 10 Pro, Enterprise or Education
Win 10 1703+
Azure AD Premium
46. Manage OneDrive settings using property list (Plist) files
Quit OneDrive
Define settings
Deploy settings
Refresh the preferences cache
Standalone
PList location: ~/Library/Preferences/com.microsoft.OneDrive.plist
Domain: com.microsoft.OneDrive
Mac App Store
PList location: ~/Library/Containers/com.microsoft.OneDrive-mac/Data/Library/Preferences/com.microsoft.OneDrive-mac.plist
Domain: com.microsoft.OneDrive-mac
http://bit.ly/onedrivemacos
Lots of settings!
47. All profiles on the computer will use the same OneDrive.exe binary
Installs under “Program Files (x86)”
Automatic transitioning from the previous OneDrive sync client (groove.exe)
Automatic conversion from per-user to per-machine
Automatic updates when a new version is available
Do not use the Enterprise ring while in preview
Works on all Windows versions
Build 19.043.0304.003 or later
User client update GPO will not work
Helpful for multi-user computers
Run OneDriveSetup.exe /allusers
48. If using Groove.exe and starting new OneDrive sync
OneDrive sync automatically takes over sync if possible
During a “takeover”
Groove.exe stops sync
OneDrive starts sync without re-downloading
Groove.exe stops running and removes from auto start
If not successful both will be running
Prerequisites
Version 17.3.6743.1212+
Remove SharePoint Workspace for Office 2010
Minimum Office version:
Office 365 ProPlus: 16.0.7167.2*
Office 2016 MSI: 16.0.4432.1*
Office 2013 MSI/C2R: 15.0.4859.1*
49. Deploying a takeover
Automatically and silently using GPO
Manually run by the user by clicking Sync
Automatically using OneDrive.exe /takeover
Run as user context
Run for any user that signs in
On failure, check the version of Groove.exe and update it
After the takeover is rolled out, block the previous sync client from syncing
Set-SPOTenantSyncClientRestriction [-GrooveBlockOption <String> "OptOut"|"HardOptIn"|"SoftOptIn"]
52. Control access based on network location
Allow access only from specific IP addresses
One IP address per line
No overlapping IP addresses
Control access from apps that don’t use modern auth
Without modern auth, can’t enforce device-based restrictions
Some 3rd party apps
Office versions prior to 2013
Utilize Azure AD conditional access policies
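As an added example (not part of the deck or Microsoft's own material), the PowerShell below applies the two tenant-level controls from this slide with Set-SPOTenant: an IP allow list with enforcement, and disabling legacy authentication protocols for clients that cannot use modern auth. The tenant name and the addresses (RFC 5737 documentation ranges) are placeholders, and the containment check is this example's own guard against locking out the admin session that runs it.

```powershell
# Added example (not from the deck): restrict SharePoint/OneDrive access to known egress
# addresses and turn off legacy auth protocols. Tenant name and addresses are placeholders.
# The admin's own egress IP must be inside the list before enforcement is switched on,
# otherwise this session is locked out along with everyone else.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

function Test-IPv4InRange {
    # True if $Address falls inside $Range (dotted quad or CIDR; IPv4 only).
    param([string]$Address, [string]$Range)
    $ToInt = {
        param($a)
        $b = [System.Net.IPAddress]::Parse($a).GetAddressBytes()
        ([int64]$b[0] -shl 24) + ([int64]$b[1] -shl 16) + ([int64]$b[2] -shl 8) + [int64]$b[3]
    }
    $net, $bits = $Range.Trim().Split('/')
    if (-not $bits) { $bits = 32 }
    # 4294967295 is written in decimal so PowerShell treats it as Int64, not as Int32 -1.
    $mask = (4294967295 -shl (32 - [int]$bits)) -band 4294967295
    return (((& $ToInt $Address) -band $mask) -eq ((& $ToInt $net) -band $mask))
}

$allowList = "203.0.113.0/24, 198.51.100.10"   # placeholder egress ranges, comma-separated
$adminIp   = "203.0.113.42"                     # placeholder: this session's public IP

$covered = ($allowList.Split(',') | ForEach-Object { Test-IPv4InRange -Address $adminIp -Range $_ }) -contains $true
if (-not $covered) {
    throw "Admin address $adminIp is not in the allow list; enforcing it would lock this session out"
}

# Stage the list first, then enforce it; enforcement is tenant-wide.
Set-SPOTenant -IPAddressAllowList $allowList
Set-SPOTenant -IPAddressEnforcement $true

# Clients without modern auth (Office before 2013, some third-party apps) cannot be held to
# device-based restrictions, so close that path and let Azure AD Conditional Access apply
# the device and location conditions.
Set-SPOTenant -LegacyAuthProtocolsEnabled $false

Get-SPOTenant | Select-Object IPAddressAllowList, IPAddressEnforcement, LegacyAuthProtocolsEnabled
```

The guard only covers IPv4 and only the address of the session running the script; confirm the allow list also covers the VPN and proxy egress ranges of every office before enforcing, because overlapping or missing ranges are exactly the mistake the slide warns about.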
54. Idle-session timeout for OneDrive and SharePoint
Mouse movement is not activity
Idle for SPO & OD4B but will sign out of everything
WarnAfter and SignOutAfter cannot be the same
Entire tenant only
Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan -Seconds 2700) -SignOutAfter (New-TimeSpan -Seconds 3600)
55. Managed in O365 Security & Compliance Center
Helps identify and protect content from inadvertent disclosure
Runs on search
After you create a DLP policy in the Security & Compliance Center, it’s stored in a central policy store, and then synced to the various content sources
56. Set retention of files for a user marked for deletion up to 10 years
Set global retention policies
Retain or delete content in a OneDrive
57. Managed in M365 Security & Compliance Center
Classify data and enforce retention rules
Apply manually or automatically based on sensitive information or keyword queries
Auto apply requires E5
Content can only have 1 label
Auto apply can take 7 days
Can apply to:
Outlook
OneDrive for Business
SharePoint
O365 Groups
58. AIP or Unified Labels
Secure at the file level
Tagged within the app, not OneDrive
Deployed by user
Watermarks, encrypt, prevent data loss
Encryption
O365 cannot get into the content
Things that don’t work because the content is encrypted
Co-authoring
DLP
eDiscovery
Search
62. Will you migrate any existing files?
Is your network ready?
How are we going to roll-out?
What devices will access OneDrive?
What are major limitations?
What is your sharing strategy?
63. Help Contribute & Stay Informed!
OneDrive UserVoice
https://onedrive.uservoice.com/
Microsoft Tech Community
https://techcommunity.microsoft.com
Microsoft 365 Roadmap
https://fasttrack.microsoft.com/roadmap
Office 365 Admin Center – Message Center
https://portal.office.com/AdminPortal
OneDrive Documentation
https://docs.microsoft.com/en-us/OneDrive/onedrive
64. Thank you and please fill out your surveys
Drew Madelung
@dmadelung
drew.madelung@Protiviti.com