Allow OneDrive for Business Sync Client to recognize domain-bound Macs in the Enterprise
Our company recently adopted the OneDrive for Business (OD4B) next generation sync client. As part of this adoption our internal Information Security team has set a security policy allowing only domain-bound workstations to leverage the OD4B sync client.
We are binding our Mac workstations to our corporate domain, just like our Windows workstations; however, Microsoft has told us that Macs are not truly bound to our corporate domain -- they are simply "associated" with our domain, meaning our Mac workstations fall outside of this domain-bound security policy. This is preventing several thousand Mac workstation owners from being able to leverage the sync client, as the Windows workstation owners can do today. As a result, Mac workstation owners are left with a very poor OD4B experience where managing content from OD4B must be done through our internal OD4B website.
We are requesting that Microsoft update the OD4B next generation sync client so that it will recognize a Mac workstation bound to a corporate domain allowing Mac workstation owners to have the same sync client experience as Windows workstation owners.
We’ve been working to integrate a new authentication library that will enable this support. Stay tuned!
Any update on this? So you've been working on it for more than one year now with no progress on this? We're still not able to connect an AD-joined macOS system to sync via the native macOS client.
Please don't waste your time on this until you add external drive support.
Eric Steimel commented
Any ETA on when this might be available?
Thomas Suckow commented
It appears OneDrive on Mac cannot see the Workplace Join Key / Certificate from Intune/Company Portal. Even Microsoft Teams can, which doesn't support Kerberos.
Adeel Ansari commented
Hello MS Team - any updates on this topic? Apparently it is possible to sync Mac OD, but we need to have a restriction on the Macs that are joined to either Azure AD or on-premises AD. Thanks.
David Grand commented
Hello MS. Do we have any traction on this very important requirement?
Macs need to be treated just like PCs, and you have done some remarkable work around the Mac OneDrive client. Thank you!
Update? Microsoft, you need to be deploying the same capabilities across Mac and Windows.
Please provide an update on this.
We need an update please.
Zak P. commented
Update? OneDrive is still not complete for the enterprise world without functionality like this.
Rob Bowman commented
We are currently working with a new feature and partnership functionality with JAMF. JAMF and Intune integrate to help identify "allowed Macs" to which you can apply conditional access policies.
Brian Stetson commented
I agree, this seems like a complete oversight by Microsoft to not support it on Macs in domain environments. Has anyone found a workaround?
Any more recent update to this? We have a need and would like to know if we can expect something or if there is a workaround for this issue.
This is ridiculous! Why does it take Microsoft so long for something so simple? It's been over a year since this was requested.
Felipe Baez commented
What's the update on this request? Been quite a while and seems to have enough votes to have some proper action taken on it!
Mike Gendreau commented
I am looking for this feature as well. Security team would like us to restrict sync for domain joined machines only. The fact that it only works on PCs is very frustrating.
How does Microsoft handle this? I'm sure they must have a workaround.
Andrew Devlin commented
From this article (https://technet.microsoft.com/en-ca/library/dn917455.aspx) and from my MS rep, Macs shouldn't be blocked from using Sync after you use the Set-SPOTenantSyncClientRestriction -Enable -DomainGuids cmdlet to restrict PCs to certain domains. Is this not the case?
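Applying the cmdlet named in the comment above, as an added example that is not from this thread: it resolves the domain GUID from AD, applies the restriction, and reads the tenant setting back. It assumes the SharePoint Online Management Shell and the ActiveDirectory RSAT module are installed, and the tenant admin URL and domain name are placeholders; the -BlockMacSync parameter and the output property names are taken from the cmdlet's own documentation, not from the thread.

```powershell
# Added example (not from the thread): restrict the OneDrive sync client to
# specific on-premises AD domains with Set-SPOTenantSyncClientRestriction,
# then verify what the tenant actually stored.
# Assumptions: SharePoint Online Management Shell and the ActiveDirectory
# module are installed on the admin host; the values below are placeholders.

$TenantAdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder tenant
$DomainName     = 'corp.contoso.com'                        # placeholder domain

# Resolve the domain GUID from AD instead of typing it by hand: a mistyped
# GUID silently blocks every Windows workstation in the domain.
$DomainGuid = (Get-ADDomain -Identity $DomainName).ObjectGUID.Guid

Connect-SPOService -Url $TenantAdminUrl

# -DomainGuids takes a semicolon-separated list; -Enable turns the filter on.
# Only Windows clients are evaluated against the domain GUID list. Macs are
# governed by the separate -BlockMacSync boolean: $false leaves Mac sync
# allowed regardless of domain membership, $true blocks every Mac, including
# domain-bound ones. There is no per-domain check for Macs, which is the gap
# this thread is about.
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $DomainGuid -BlockMacSync $false

# Read the setting back so the change can be evidenced in a change record.
$r = Get-SPOTenantSyncClientRestriction
[PSCustomObject]@{
    RestrictionEnabled = $r.TenantRestrictionEnabled
    AllowedDomainGuids = ($r.AllowedDomainList -join ';')
    MacSyncBlocked     = $r.BlockMacSync
}
```

Run the verification step on its own (Get-SPOTenantSyncClientRestriction) before changing anything, so the pre-change state is captured alongside the new one.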
What is the pushback of doing this? You can already manipulate some of the settings (like restricting adding personal accounts, etc). Do you have an MDM or other Mac management tool (like JAMF Casper/JSS) that you can use to push down the configuration in a Managed Preference (MCX) or "plist"? If so, then you could also set a profile to block launching the OneDrive process unless the machine was in a "domain joined" smart group within JSS.
Not sure what options you have for "out of the box" functionality, but with JAMF these are/should be possible. Have you reviewed this: