OneDrive for Business is a key workload in Office 365 and is an integral part of your collaboration and content strategy. Whether you are looking to roll-out OneDrive for Business or are already are utilizing it, there are important things that you should know about for administration. Do you know what is possible for admins? Do you know if your content really is secure? Do you know who can and can't share? You also can't have a great OneDrive for Business experience without sync but there are things you need to know about deploying and managing sync across your enterprise. This session will go through real world experiences of managing OneDrive for Business and what you really need to know to be successful.

1. (@dmadelung)

2. What are we going to talk about today?

4. OneDrive

5. OneDrive for Business

6. Communication
Training
Devices
Feedback
Collaboration
Compliance
Security
Lifecycle
Support
Deployment

7. Surveys
Communities
Tips/Tricks
Focus Groups
Content Analysis
Communication Plan
Deployment Plan
Migration Strategy
Security Configuration
Device Strategy
Lifecycle Plan
Compliance Review
Pilot/Phased
Sync Rollout
Config Rollout
Comms/Training
Migration
Testing
Content Pack
UserVoice
What’s New
Service Tickets

8. OneDrive for Business

9. • Manage sharing
• Show/Hide Tile
• View user profiles
• Secondary
administrators
• Secondary owners
• Manage sharing
• Basic sync
• Default storage &
retention
• Mobile & network
access
• Notifications
• DLP
• Retention
• Classification
• Alerts
• Content search
• User management
• Licensing
• Initiate sign-out
• Get access

10. Built on top of SharePoint
Evolution of “My Sites”
from SharePoint on-
premises
Administration tightly
coupled between
SharePoint & OneDrive
Each user’s OneDrive is a
SharePoint Site Collection
OneDrive does not count
against SharePoint Online
tenant storage usage
Created under the
/personal managed path
when a user first accesses

11. Grant Yourself Access
View Usage
Set Sharing
Initiate Sign-out
View Tenant Retention
View Tenant Quota

12. Access
 Default sets ownership to manager declared in user profile
 Follows access delegation set in SP Admin Center
Cleanup
 If user profile manually deleted the site won’t be deleted
 Email sent on initial assignment and 7 days prior to retention
 If site is on eDiscovery hold the site won’t be deleted
 Deletion of user account in Azure AD is only thing to trigger

13. Control of the country a region based
on Preferred Data Location (PDL)
 OneDrive’s can be moved by an administrator
 Personal files are kept in that geo location
 Managed in SharePoint Admin center
 Sets OneDrive to read only (2-6 hours)
 Moved via PowerShell
Good communication is required to improve user experience

15. Technical Planning & Strategy

16. Content & Migration Network
Will you migrate any existing files? Is your network ready?

17. Devices Approach
What devices will access OneDrive? How are we going to roll-out?

18. Limitations Sharing
What are major limitations? What is your sharing strategy?

20. Managing External Sharing

21.  Sharing for OneDrive cannot be LESS restrictive than SPO
 Turning off sharing in SPO stops all shares
 SPO & OneDrive sharing does not control Office 365 Groups (Teams) sharing
Admin Sharing Options
 No external sharing
 Only existing external users (sign-in required)
 New and existing external users (sign-in required)
 Anyone, including anonymous users (on by default)
Your SharePoint Online sharing settings determine which OneDrive
sharing settings are available

22. The following settings apply to both SPO and OneDrive
Default link type
 Direct links
 Only users who have specific permission
 Internal Links
 Only users within your organization
 Sharable access links
 Anyone with a link (anonymous)
Default link permission
 View or Edit
Anonymous access link permission
 Separate for Files & Folders
 View, Edit & Upload
 View Only
Anonymous access link expiration
 Up to 2 years / 730 days

23. The following settings apply to both SPO and OneDrive
Limited external sharing by user
 Only certain users in security group can share with
 External users
 External users + anonymous
Other
 Must accept using same account
 Let external users share items they don’t own
 Require recipients to prove account ownership (days)
 Not anonymous
OneDrive email notifications
 Other users share again
 External users accept
 Anonymous link created or changed

24. Bring everyone together
• Review existing user experiences
• Listen and document requirements
• Demo functionality
• Look at competing tech
• Get consensus on pros and cons
• Start with open and work back
• Anonymous is recommended by secure score
Business
Security Officer
Legal
IT
Employee
OneDrive is just part of your overall Sharing Strategy

25. Questions Answer
What applications will you allow external sharing?
What are the default sharing settings you will configure in SPO & OneDrive?
What are the default sharing settings you will configure in Azure AD?
Do my configurations in both environments align?
What domains will you allow?
What events do you need to audit or report on beyond 90 days?
How will I handle guest accounts in Azure AD?
Do I need to monitor sharing request emails?
How will I manage site collection specific sharing settings for sites?
What DLP policies do I have configured and will they control sharing?
How often should guests in groups be reviewed?
What terms of use should external users accept?
Do I need to manage site collection owners?
What is our training and awareness plan?

27. Configuring OneDrive Sync

28. Groove
O365 Tenant
NGSC

29. Utilizes Windows Push Notification Services (WNS)

30. Invalid characters
 < > : “ | ? * /
Strings in filenames
 Icon .lock CON PRN AUX NUL
 COM1-9, LPT1-9
 Starts with ~$
 Desktop.ini
 _vti_ anywhere in file
Folder names
 _t _w _vti_
 “forms” at the root level
Number of items
 Performance declines after 300,000 files
Size limit
 15 GB
Other
 No .psts
 400 character URL
 Can’t add network/mapped drive as sync location
 Can’t sync as an external user or Shared by me view
 IRM sync requires 17.3.7294.0108
 Checkout & required columns synced as read-only
 Don’t use roaming profileshttp://bit.ly/odsynclimits

31. VDI & OneDrive sync client supports
 Virtual desktops that persist between sessions
 Non-persistent environments that use Windows Virtual Desktop preview
Non-persistent
 FSLogix Apps 2.8 or later, FSLogix Office 365 Container, and a Microsoft 365 or Office 365
subscription for all of the following operating systems:
 Windows 10, 32 or 64-bit (supports VHDX files)
 Windows 7, 32 or 64-bit (supports VHD files)
 Windows Server 2016 R2 or Windows Server 2012 R2 (both support VHDX)
 Windows Server 2008 R2 (supports VHDX and VHD)
 SMB network file share protocol required for Windows Server

32. Hide the sync button
 Helps users install & set up
Allow sync to specific domains
 Add GUID of each domain
Block sync of file types
 Example: mp3, pst
 Do not include periods or punctuation
OneDrive Admin Center

33. Saves space on your device
 Requires Windows 10 Fall Creators
 Unique per device
 Deleting “Online-only” file deletes from the web
 Windows 10 Storage Sense (build 17720+)
Windows 10 Storage Sense
 Build 17720+
 Capability to automatically free up disk space by
making older, unused, locally available OneDrive
files be available online-only
 “deyhydration”
 http://bit.ly/win10storagesense
Files On-Demand

34. Redirects windows known folders
 Desktop, Documents, Pictures
 Requires version 18.111.0603.0004
Users continue to work normally
 Managed via Group Policy
 Windows 7, 8.1, 10
Plan, test and remove redirection if currently exists
 Music & Videos
Known Folder Move

36. Sync Control
 Allow & Block Tenant list
 Prevent changing of sync location
 Set default location
 Disable personal sync
Network
 Manage upload/download limits
 Automatic bandwidth percentage
 Prevent network traffic before sign in
 Overall max limit of all files downloaded
 Continue syncing on metered
 Continued syncing on battery saver
Group Policy
http://bit.ly/onedrivegpo
Files on-demand
 Enabled by default
 Migrate SP sites to on-demand
Known Folder Move
 Prompt users to opt in
 Silently redirect
 Prevent redirect to local
 Prevent redirect to OneDrive
Sign in
 Silent account configuration
 Set default location
 Disable first time tutorial
Office
 Prevent remote file fetch
 Handle office files in conflict
 Coauthoring and in-app
sharing
Admin
 Delay client update to 2nd
release

37. Group Policy

38. Specify SharePoint team site libraries to sync the next time users sign in
 May take up to 8 hours
 Win 10 Fall Creators (1709)
 Do not enable on 1,000 devices
 User won’t be able to stop syncing
 Utilizes the LibraryID
Team site automount

39. Sync libraries or folders that have been shared from other organizations
 Insider ring
 Utilizes Azure Active Directory guest accounts
 Guest accounts can sync
 ADAL must not be enabled on user syncing
 ADAL enabled if silent account config utilized
 Sharing recipients must have O365 work or school account in Azure AD
• `

41. Deploying OneDrive Sync

42. Use enterprise deployment tool
 System Center Configuration Manager (SCCM)
 Intune
 Or manual install
Software requirements
 Windows 7, 8, 8.1, 10
 Sync client included in Windows 10
 macOS
Deploy admin settings
 Use OneDrive Deployment Package
Deploy RMS client
 Enables IRM-protected file sync
Options
 OneDrive NGSC deployment guide
 How to deploy NGSC with SCCM
 Deploy using Intune
Plan your phases and
provide communications

43. Software requirements
 Windows 7, 8, 8.1, 10
 Sync client included in Windows 10
 macOS
Deploy admin settings
 Use OneDrive.admx and OneDrive.adml
 Download with OneDrive Deployment Package
Deploy RMS client
 Enables IRM-protected file sync
Assisting sign in
 odopen://launch
 odopen://sync?useremail=email@domain.com
 odopen://sync?siteId=X&webId=X&listId=X&userEm
ail=x&webUrl=x
 %localappdata%MicrosoftOneDriveOneDrive.exe

44. Use enterprise deployment tool
 MS System Center Configuration Manager
 Intune
 Manual
Options
 OneDrive NGSC deployment guide
 How to deploy NGSC with SCCM
 Deploy using Intune
Plan your phases and provide communications

45. Autopilot
 OEM-optimized Win 10 preinstalled
 Hardware registered in your Azure
 User logs in and machine into Azure AD
 Auto enroll into Intune
 OneDrive installed and starts!
Autopilot base requirements
 Win 10 Pro, Enterprise or Education
 Win 10 1703+
 AD Premium

46. Manage OneDrive settings using property list (Plist) files
 Quit OneDrive
 Define settings
 Deploy settings
 Refresh the preferences cache
Standalone Mac App Store
PList Location ~/Library/Preferences/com.microsoft
.OneDrive.plist
~/Library/Containers/com.microsoft.OneDrive-
mac/Data/Library/Preferences/com.microsoft.OneDriv
e-mac.plist
Domain com.microsoft.OneDrive com.microsoft.OneDrive-mac
http://bit.ly/onedrivemacos
Lots of settings!

47. All profiles on the computer will use the same OneDrive.exe binary
 Installs under “Program Files (x86)”
 Automatic transitioning from the previous OneDrive sync client (groove.exe)
 Automatic conversion from per-user to per-machine
 Automatic updates when a new version is available
 Do not user Enterprise ring while in preview
 Works on all windows versions
 Build 19.043.0304.003 or later
 User client update GPO will not work
 Helpful for multi-user computers
Run OneDriveSetup.exe /allusers

48. If using Groove.exe and starting new OneDrive sync
 OneDrive sync automatically takes over sync if possible
 During a “takeover”
 Groove.exe stops sync
 OneDrive starts sync without re-downloading
 Groove.exe stops running and removes from auto start
 If not successful both will be running
Prerequisites
 Version 17.3.6743.1212+
 Remove SP workspace for Office 2010
Office version Minimum version
Office 365 ProPlus 16.0.7167.2*
Office 2016 MSI 16.0.4432.1*
Office 2013 MSI/C2R 15.0.4859.1*

49. Deploying a takeover
 Automatically and silently using GPO
 Manually ran by the user by clicking Sync
 Automatically using OneDrive.exe /takeover
 Run as user context
 Run for any user that signs in
 If failure, check version of Groove.exe and update
 After takeover rolled out block previous sync client from syncing
Set-SPOTenantSyncClientRestriction [-GrooveBlockOption <String> "OptOut"|"HardOptIn"|"SoftOptIn"]

51. Monitoring & Reporting

52. Control access based on network location
 Allow access only from specific IP addresses
 One IP address per line
 No overlapping IP addresses
Control access from apps that don’t use modern auth
 Without modern auth, can’t enforce device-based restrictions
 Some 3rd party apps
 Office versions prior to 2013
Utilize Azure AD conditional access policies

53. Mobile apps
 Requires Intune
 Admin account requires Intune
license

54. Idle-session timeout for OneDrive and SharePoint
 Mouse movement is not activity
 Idle for SPO & OD4B but will sign out of everything
 WarnAfter and SignOutAfter cannot be the same
 Entire tenant only
Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan -Seconds 2700)
-SignOutAfter (New-TimeSpan -Seconds 3600)

55. Managed in O365 Security &
Compliance Center
 Helps identify and protect content from
inadvertent disclosure
Runs on search
 After you create a DLP policy in the Security &
Compliance Center, it’s stored in a central policy
store, and then synced to the various content
sources

56. Set retention of files for a user marked for deletion up to 10 years
Set global retention policies
 Retain or delete content in a OneDrive

57. Managed in M365 Security & Compliance Center
 Classify data and enforce retention rules
 Apply manually or automatically based on sensitive information or keyword queries
 Auto apply requires E5
 Content can only have 1 label
 Auto apply can take 7 days
 Can apply to:
 Outlook
 OneDrive for Business
 SharePoint
 O365 Groups

58. AIP or Unified Labels
 Secure at the file level
 Tagged within the app, not OneDrive
 Deployed by user
 Watermarks, encrypt, prevent data loss
Encryption
 O365 cannot get into the content
 Things that don’t work due to content
 Co-authoring
 DLP
 eDiscovery
 Search

59. Usage Reports
Activity Reports
Audit Log Search

60. Unusual activity
External sharing
Malware
Deletion

62. Will you migrate any existing files?
Is your network ready?
How are we going to roll-out?
What devices will access OneDrive?
What are major limitations?
What is your sharing strategy?

63. • xxxx
Help Contribute &
Stay Informed!
OneDrive UserVoice
https://onedrive.uservoice.com/
Microsoft Tech Community
https://techcommunity.microsoft.com
Microsoft 365 Roadmap
https://fasttrack.microsoft.com/roadmap
Office 365 Admin Center – Message Center
https://portal.office.com/AdminPortal
OneDrive Documentation
https://docs.microsoft.com/en-us/OneDrive/onedrive

64. Thank you and please fill out your surveys
Drew Madelung
@dmadelung
drew.madelung@Protiviti.com

65. Thank you Questions
Email: drew.madelung@protiviti.com
Twitter: @dmadelung
Website: drewmadelung.com
Slides: http://bit.ly/DrewSlides