Technical Tip: Blocking Personal OneDrive on Managed Endpoints

Method - Windows (GPO):

1. Install the OneDrive sync app for Windows and browse to %localappdata%\Microsoft\OneDrive\\*BuildNumber*\adm\ (for the per-user sync app, which is the default download). or %ProgramFiles(x86)%\Microsoft Onedrive\*BuildNumber*\adm\ or %ProgramFiles%\Microsoft Onedrive\*BuildNumber*\adm\  (for per-machine sync app).
2. Copy OneDrive.admx to the domain's Central Store, A, and OneDrive.adml to the appropriate languages subfolder, such as en-us.
3. It is now possible to find the OneDrive settings under User Configuration -> Administrative Templates when configuring a new Group Policy Object. Navigate here and set Prevent users from syncing personal OneDrive accounts to enabled.
4. When a user attempts to log into the OneDrive sync app with a personal account, an error message saying 'the organization doesn't allow you to sync your personal OneDrive on this computer' will be displayed, and they will be denied login.

Method - macOS (jamf):

If a user has the OneDrive sync app for MAC downloaded, a property list (plist) file will be generated, containing the configuration/preferences for the app. This can be configured to contain the relevant setting for denying personal sync and deployed to the desired devices.

1. Create an XML file with the values needed. The key part is including the following, which enables the Disable Personal Sync setting:

<key>DisablePersonalSync</key><True/>

See OneDrive.mobileconfig (below) for an example file.

2. On jamf, head to Computers -> Configuration Profiles -> Upload and select the .mobileconfig file.
3. Ensure that the profile is applied to the necessary computers under Scope.
4. When a user attempts to log into the OneDrive sync app with a personal account, an error message saying 'Your organization doesn't allow you to sync your personal OneDrive on this computer' will be displayed, and they will be denied login.