Security of the OneDrive sync folder files that are sync'd on a local computer
As a 365 admin for SharePoint and OneDrive, I have the following dilemma with the security of the sync'd folder(s) from both OneDrive and SharePoint on a user's local machine:
Any file that is sync'd to a local computer is vulnerable to a local admin account's privileges.
In short, if a computer containing sync'd data is stolen, that sync data can easily be accessed with the device in hand. The permissions on the ["OneDrive or SharePoint" c:\users\<username>\OneDrive <tenant name> folder] inherit from above...and have the Local Administrators group in there by default. More troubling is that another domain user with local admin privilege logging on to the same computer has the ability to look through anyone's sync files who has logged in/sync'd on that computer.
This vulnerability essentially makes the strong case for disabling Sync on almost every SharePoint library on our Tenant.
The problem, though, is that usability is lacking, as you become limited to using the web browser to manipulate your files...and when you need to work in bulk, it's untenable. Even "Open in Explorer" now isn't reliable like it used to be. I've seen many cases of the "access denied" error coming up when accessing either your OneDrive or a document library within seconds of "opening in Explorer".
Microsoft is strongly pushing us all to use the sync client, but its vulnerability to theft is still the same as any other file in Windows vis-à-vis getting your hands on the physical machine and logging in with local admin privilege.
I was at Ignite and spoke with a SharePoint/OneDrive Program Manager about this, and was told that the sync folder IS secure from that kind of access, as the files are locked to the user's logon + live security token from the Tenant. Is that coming?...because it isn't like that now.
I have also seen the OneDrive "universal app" and am using it in place of File Explorer...but only on Win 10 v1607 and above. Eagerly awaiting the ODFB NGSC feature that lets a user view their files regardless of what has been selectively sync'd.
But in the meantime: the ODFB sync'd folders are wide open to theft/compromise with a local admin account.
Looking for any kind of upcoming/planned feature that will alleviate that risk....and eliminate local admin rights to those files by design, making it impossible for anyone, even a domain admin or tenant global admin, to change those rights.
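An added audit script, not from the original post or from Microsoft, that checks the condition the post describes: it walks every profile under C:\Users, finds the OneDrive sync folders, reads their NTFS ACLs with Get-Acl, and reports each entry that grants the BUILTIN\Administrators group access, together with whether that entry was inherited from the parent folder. The folder naming pattern "OneDrive*" under each profile and the C:\Users root are assumptions based on the path given in the post.

```powershell
# Added example (not the post's or Microsoft's code): audit NTFS ACLs on OneDrive
# sync folders and report Local Administrators access, flagging inherited entries.
# Assumes sync folders sit directly under each profile and are named "OneDrive*".

function Get-OneDriveSyncFolderAccess {
    [CmdletBinding()]
    param(
        [string]$ProfileRoot = 'C:\Users'   # assumed profile root
    )

    $results = foreach ($userProfile in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        $syncFolders = Get-ChildItem -Path $userProfile.FullName -Directory -Filter 'OneDrive*' -ErrorAction SilentlyContinue
        foreach ($folder in $syncFolders) {
            # Get-Acl returns a DirectorySecurity object; .Access lists the explicit and inherited ACEs
            $acl = Get-Acl -Path $folder.FullName
            foreach ($ace in $acl.Access) {
                [PSCustomObject]@{
                    Profile             = $userProfile.Name
                    SyncFolder          = $folder.FullName
                    Identity            = $ace.IdentityReference.Value
                    Rights              = $ace.FileSystemRights
                    Type                = $ace.AccessControlType
                    IsInherited         = $ace.IsInherited
                    # True when inheritance from the parent has been broken on this folder
                    InheritanceDisabled = $acl.AreAccessRulesProtected
                }
            }
        }
    }
    return $results
}

# Narrow to the case raised in the post: an Allow entry for the Local Administrators
# group on a sync folder. IsInherited = True means it came from the profile folder above.
function Find-AdminAccessOnSyncFolders {
    param([string]$ProfileRoot = 'C:\Users')
    Get-OneDriveSyncFolderAccess -ProfileRoot $ProfileRoot |
        Where-Object { $_.Identity -eq 'BUILTIN\Administrators' -and $_.Type -eq 'Allow' }
}

Find-AdminAccessOnSyncFolders |
    Format-Table Profile, SyncFolder, Rights, IsInherited, InheritanceDisabled -AutoSize
```

Run it from an elevated PowerShell session, since reading the ACLs of other users' profile folders requires local admin rights itself. The output shows the access position on the running machine only: it tells you which principals can read the synced files while logged on, which is the second scenario in the post. The stolen-device scenario is a separate question of whether the volume is encrypted at rest; an ACL audit says nothing about that, so check the machine's full-volume encryption status alongside this report.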