Edit: A new admin centre for OneDrive has been launched as of December 2016, and allows for much more granular control over what can be synchronised, and where from. Check it out at admin.onedrive.com
A question which I get asked quite frequently is whether OneDrive for Business can be blocked, locked down, or restricted. Whatever your reasons for doing this, there are some things you can do to restrict access.
As a little bit of background information, OneDrive for Business is not the same as your personal OneDrive, and is essentially your own private SharePoint library. If you have no plans to use SharePoint Online, then the easiest way to block access to OneDrive for Business is to simply remove the SharePoint Online license from the users in question. This is done in the submenu of the licensing options for a user and can be applied on a per-user basis.
Another thing you can do is to hide the OneDrive button from the portal. This is done under the SharePoint Admin section of the Office 365 portal, under the Settings Tab. This setting applies to all users.
With this option selected, OneDrive will not show up in the Portal menu, along with the Office Web Apps.
We can also stop users from being able to create a personal site at all, by going into the User Profiles area of the SharePoint admin center. Go into Manage User Permissions and remove ‘Everyone except external users’. This will stop any users from being able to create their own OneDrive for Business sites. If you like, you can then add users or groups into this list who you would like to be able to create a OneDrive for Business site.
This doesn’t stop any users who have already created their OneDrive for Business sites from accessing them if they know the direct URL or have added it as a favourite in their browser. I won’t be covering that scenario here, however if this is something you would like more information on, let me know in the comments and I will put a post together!
How about this: I want to allow OD4B access from my user’s business laptop but not from the client app on their home computer. Can this be done?
Hi Dave,
Sorry it took me so long to respond. You can control the availability of the sync client based on whether the machine is domain joined or not (see http://doubledit.co.uk/2015/08/28/restrict-onedrive-for-business-synchronisation-to-domain-joined-machines-only/), but you cannot control what machine a user can use to log in to the O4B website and view/download files. You may be able to control this using ADFS Client Access Policies if your domain is federated, but doing it this way would be likely to affect more than just O4B. Hope this helps 🙂
I think MS need to supply a filter so we can add allowed IP address ranges to O4B – this would solve a lot of data leakage concerns. The ADFS method is overkill IMO