Skip to main content
Solved

OneDrive Full Disk Access

  • July 28, 2025
  • 19 replies
  • 799 views
D
Forum|alt.badge.img+5

Hello all,

I am in the process of rolling out OneDrive to our Mac environment.  I assigned the app from the Jamf app catalog and put together a plist with all of our settings.  I discovered that OneDrive has to have full disk access in order to automatically back up the desktop folder.  I used the Jamf PPPC tool to grant onedrive full disk access, however it does not seem to take.  I check in system settings → general → device management and I see the config profile, however when I run sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db \ 'select client from access where auth_value and service = "kTCCServiceSystemPolicyAllFiles"' in Terminal, onedrive is not listed as one of the apps that has full disk access.  Any ideas?

Best answer by DJJazzyJamf

So it turns out that KFMSilentOptIn is the culprit.  I deployed a new configuration profile using the KFMSilentOptinWizard option and OneDrive is now doing what I want it to do.  Thanks for the feedback everyone.

19 replies

sdagley
Forum|alt.badge.img+25
  • sdagley
  • Jamf Heroes
  • July 28, 2025

That query isn’t going to report settings applied via a Configuration Profile but if the profile is showing as installed on the Mac it should be working. Are you seeing any evidence the profile isn’t allowing OneDrive the necessary access?

J
D
Forum|alt.badge.img+5
  • DJJazzyJamf
  • Author
  • Contributor
  • July 28, 2025

That query isn’t going to report settings applied via a Configuration Profile. Are you seeing any evidence the profile isn’t allowing OneDrive the necessary access?

The desktop folder is not automatically being backed up on my test mac.  I am going to push to another mac tomorrow to see if it is a “me” issue or something else

sdagley
Forum|alt.badge.img+25
  • sdagley
  • Jamf Heroes
  • July 28, 2025

@DJJazzyJamf Note that OneDrive will still prompt to start syncing even with the FDA permissions in place, and the user will have to explicitly provide that permission.

AJPinto
Tangentism
Forum|alt.badge.img+10
  • Tangentism
  • Honored Contributor
  • July 28, 2025

Do you have the Jamf PPPC Utility installed?

You can use this to get the correct domain and identifier information but to enable the automatic backing up of the Desktop & Documents folders, you need to enable the Known Folder Move keys

I’ve linked from the KFMBlockOptIn so all are visible but the ones you’ll need are just below but by the sounds of it, if you want it to do it automatically without any user intervention, you’ll need to look at KFMSilentOptIn

AJPinto
Forum|alt.badge.img+26
  • AJPinto
  • Legendary Contributor
  • July 28, 2025

To second ​@sdagley, once you configure KFM, the users will receive a prompt to enable the sync. If they ignore this prompt or close out of it the sync will never begin. 

 

Can you share your configuration profile? Make sure to remove your tenant keys.

D
Forum|alt.badge.img+5
  • DJJazzyJamf
  • Author
  • Contributor
  • July 29, 2025

To second ​@sdagley, once you configure KFM, the users will receive a prompt to enable the sync. If they ignore this prompt or close out of it the sync will never begin. 

 

Can you share your configuration profile? Make sure to remove your tenant keys.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>BlockExternalSync</key>
                <true />
                <key>DefaultFolderLocation</key>
                <array>
                    <dict>
                        <key>DefaultFolderPath</key>
                        <string>~/</string>
                        <key>TenantID</key>
                        <string>*redacted*</string>
                    </dict>
                </array>
                <key>AllowTenantList</key>
                <dict>
                <key>*redacted*</key>
                <true/>
                <key>DisableTutorial</key>
                <true />
                <key>HideDockIcon</key>
                <true />
                <key>KFMBlockOptOut</key>
                <true />
                <key>KFMSilentOptIn</key>
                <string>*redacted</string>
                <key>KFMSilentOptInDesktop</key>
                <true />
                <key>KFMSilentOptInDocuments</key>
                <true />
                <key>OpenAtLogin</key>
                <true />
                <key>PayloadDisplayName</key>
                <string>Microsoft OneDrive</string>
                <key>PayloadIdentifier</key>
                <string>com.microsoft.OneDrive.45ba19d4-b352-4f82-8a2f-a606f87b705d</string>
                <key>PayloadType</key>
                <string>com.microsoft.OneDrive</string>
                <key>PayloadUUID</key>
                <string>45ba19d4-b352-4f82-8a2f-a606f87b705d</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
            </dict>
        </array>
        <key>PayloadDisplayName</key>
        <string>Untitled</string>
        <key>PayloadIdentifier</key>
        <string>*redacted*</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>99e8da09-7f60-48a6-9fc8-b39c2f3451e0</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>
</plist>

D
Forum|alt.badge.img+5
  • DJJazzyJamf
  • Author
  • Contributor
  • July 29, 2025

Do you have the Jamf PPPC Utility installed?

You can use this to get the correct domain and identifier information but to enable the automatic backing up of the Desktop & Documents folders, you need to enable the Known Folder Move keys

I’ve linked from the KFMBlockOptIn so all are visible but the ones you’ll need are just below but by the sounds of it, if you want it to do it automatically without any user intervention, you’ll need to look at KFMSilentOptIn

Yes, I initially used the PPPC utility to create the config profile

D
Forum|alt.badge.img+5
  • DJJazzyJamf
  • Author
  • Contributor
  • July 29, 2025

@DJJazzyJamf Note that OneDrive will still prompt to start syncing even with the FDA permissions in place, and the user will have to explicitly provide that permission.

Even with the KFMSilentOptIn option set to true?

sdagley
Forum|alt.badge.img+25
  • sdagley
  • Jamf Heroes
  • July 29, 2025

@DJJazzyJamf Note that OneDrive will still prompt to start syncing even with the FDA permissions in place, and the user will have to explicitly provide that permission.

Even with the KFMSilentOptIn option set to true?

Even with that set to true (that disables the MS prompts but has no effect on the macOS prompts)

AJPinto
Forum|alt.badge.img+26
  • AJPinto
  • Legendary Contributor
  • July 29, 2025

@DJJazzyJamf Try this one, add your tenentID. the domain is com.microsoft.onedrive, and add it as a applications & cusom settings > upload payload.

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>AllowTenantList</key>
    <array>
      <dict>
        <key>TenantID</key>
        <string>Something awesome here</string>
        <key>allow</key>
        <true/>
      </dict>
    </array>
    <key>BlockExternalSync</key>
    <true/>
    <key>DefaultFolder</key>
    <array>
      <dict>
        <key>Path</key>
        <string>~/</string>
        <key>TenantId</key>
        <string>Something awesome here</string>
      </dict>
    </array>
    <key>DisableAutoConfig</key>
    <integer>0</integer>
    <key>HideDockIcon</key>
    <true/>
    <key>DisableFirstDeleteDialog</key>
    <integer>1</integer>
    <key>DisablePersonalSync</key>
    <true/>
    <key>DisableTutorial</key>
    <true/>
    <key>KFMBlockOptIn</key>
    <integer>1</integer>
    <key>KFMBlockOptOut</key>
    <true/>
    <key>KFMSilentOptIn</key>
    <string>Something awesome here</string>
    <key>OpenAtLogin</key>
    <true/>
  </dict>
</plist>

 

pete_c
D
D
Forum|alt.badge.img+5
  • DJJazzyJamf
  • Author
  • Contributor
  • July 29, 2025

@DJJazzyJamf Try this one, add your tenentID. the domain is com.microsoft.onedrive, and add it as a applications & cusom settings > upload payload.

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>AllowTenantList</key>
    <array>
      <dict>
        <key>TenantID</key>
        <string>Something awesome here</string>
        <key>allow</key>
        <true/>
      </dict>
    </array>
    <key>BlockExternalSync</key>
    <true/>
    <key>DefaultFolder</key>
    <array>
      <dict>
        <key>Path</key>
        <string>~/</string>
        <key>TenantId</key>
        <string>Something awesome here</string>
      </dict>
    </array>
    <key>DisableAutoConfig</key>
    <integer>0</integer>
    <key>HideDockIcon</key>
    <true/>
    <key>DisableFirstDeleteDialog</key>
    <integer>1</integer>
    <key>DisablePersonalSync</key>
    <true/>
    <key>DisableTutorial</key>
    <true/>
    <key>KFMBlockOptIn</key>
    <integer>1</integer>
    <key>KFMBlockOptOut</key>
    <true/>
    <key>KFMSilentOptIn</key>
    <string>Something awesome here</string>
    <key>OpenAtLogin</key>
    <true/>
  </dict>
</plist>

 

Will give it a shot.  Thanks for taking a look!

drewcymek
Forum|alt.badge.img+4
  • drewcymek
  • Contributor
  • July 29, 2025

Let us know if it works for you! I still manually have users backup desktop/documents because I wasn’t able to get it to work.

D
Forum|alt.badge.img+5
  • DJJazzyJamf
  • Author
  • Contributor
  • July 30, 2025

@DJJazzyJamf Try this one, add your tenentID. the domain is com.microsoft.onedrive, and add it as a applications & cusom settings > upload payload.

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>AllowTenantList</key>
    <array>
      <dict>
        <key>TenantID</key>
        <string>Something awesome here</string>
        <key>allow</key>
        <true/>
      </dict>
    </array>
    <key>BlockExternalSync</key>
    <true/>
    <key>DefaultFolder</key>
    <array>
      <dict>
        <key>Path</key>
        <string>~/</string>
        <key>TenantId</key>
        <string>Something awesome here</string>
      </dict>
    </array>
    <key>DisableAutoConfig</key>
    <integer>0</integer>
    <key>HideDockIcon</key>
    <true/>
    <key>DisableFirstDeleteDialog</key>
    <integer>1</integer>
    <key>DisablePersonalSync</key>
    <true/>
    <key>DisableTutorial</key>
    <true/>
    <key>KFMBlockOptIn</key>
    <integer>1</integer>
    <key>KFMBlockOptOut</key>
    <true/>
    <key>KFMSilentOptIn</key>
    <string>Something awesome here</string>
    <key>OpenAtLogin</key>
    <true/>
  </dict>
</plist>

 

Will give it a shot.  Thanks for taking a look!

@DJJazzyJamf Try this one, add your tenentID. the domain is com.microsoft.onedrive, and add it as a applications & cusom settings > upload payload.

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>AllowTenantList</key>
    <array>
      <dict>
        <key>TenantID</key>
        <string>Something awesome here</string>
        <key>allow</key>
        <true/>
      </dict>
    </array>
    <key>BlockExternalSync</key>
    <true/>
    <key>DefaultFolder</key>
    <array>
      <dict>
        <key>Path</key>
        <string>~/</string>
        <key>TenantId</key>
        <string>Something awesome here</string>
      </dict>
    </array>
    <key>DisableAutoConfig</key>
    <integer>0</integer>
    <key>HideDockIcon</key>
    <true/>
    <key>DisableFirstDeleteDialog</key>
    <integer>1</integer>
    <key>DisablePersonalSync</key>
    <true/>
    <key>DisableTutorial</key>
    <true/>
    <key>KFMBlockOptIn</key>
    <integer>1</integer>
    <key>KFMBlockOptOut</key>
    <true/>
    <key>KFMSilentOptIn</key>
    <string>Something awesome here</string>
    <key>OpenAtLogin</key>
    <true/>
  </dict>
</plist>

 

Checking in with my test users this morning and OneDrive is still not automatically backing up the desktop.  I am out of the office today so when I am back in tomorrow I will manually grant OneDrive dull disk access to see if it makes a difference.

  

D
Forum|alt.badge.img+5
  • DJJazzyJamf
  • Author
  • Contributor
  • July 31, 2025

@DJJazzyJamf Try this one, add your tenentID. the domain is com.microsoft.onedrive, and add it as a applications & cusom settings > upload payload.

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>AllowTenantList</key>
    <array>
      <dict>
        <key>TenantID</key>
        <string>Something awesome here</string>
        <key>allow</key>
        <true/>
      </dict>
    </array>
    <key>BlockExternalSync</key>
    <true/>
    <key>DefaultFolder</key>
    <array>
      <dict>
        <key>Path</key>
        <string>~/</string>
        <key>TenantId</key>
        <string>Something awesome here</string>
      </dict>
    </array>
    <key>DisableAutoConfig</key>
    <integer>0</integer>
    <key>HideDockIcon</key>
    <true/>
    <key>DisableFirstDeleteDialog</key>
    <integer>1</integer>
    <key>DisablePersonalSync</key>
    <true/>
    <key>DisableTutorial</key>
    <true/>
    <key>KFMBlockOptIn</key>
    <integer>1</integer>
    <key>KFMBlockOptOut</key>
    <true/>
    <key>KFMSilentOptIn</key>
    <string>Something awesome here</string>
    <key>OpenAtLogin</key>
    <true/>
  </dict>
</plist>

 

Will give it a shot.  Thanks for taking a look!

@DJJazzyJamf Try this one, add your tenentID. the domain is com.microsoft.onedrive, and add it as a applications & cusom settings > upload payload.

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>AllowTenantList</key>
    <array>
      <dict>
        <key>TenantID</key>
        <string>Something awesome here</string>
        <key>allow</key>
        <true/>
      </dict>
    </array>
    <key>BlockExternalSync</key>
    <true/>
    <key>DefaultFolder</key>
    <array>
      <dict>
        <key>Path</key>
        <string>~/</string>
        <key>TenantId</key>
        <string>Something awesome here</string>
      </dict>
    </array>
    <key>DisableAutoConfig</key>
    <integer>0</integer>
    <key>HideDockIcon</key>
    <true/>
    <key>DisableFirstDeleteDialog</key>
    <integer>1</integer>
    <key>DisablePersonalSync</key>
    <true/>
    <key>DisableTutorial</key>
    <true/>
    <key>KFMBlockOptIn</key>
    <integer>1</integer>
    <key>KFMBlockOptOut</key>
    <true/>
    <key>KFMSilentOptIn</key>
    <string>Something awesome here</string>
    <key>OpenAtLogin</key>
    <true/>
  </dict>
</plist>

 

Checking in with my test users this morning and OneDrive is still not automatically backing up the desktop.  I am out of the office today so when I am back in tomorrow I will manually grant OneDrive dull disk access to see if it makes a difference.

  

Still no luck after manually enabling full disk access for onedrive.

AJPinto
Forum|alt.badge.img+26
  • AJPinto
  • Legendary Contributor
  • July 31, 2025

Checking in with my test users this morning and OneDrive is still not automatically backing up the desktop.  I am out of the office today so when I am back in tomorrow I will manually grant OneDrive dull disk access to see if it makes a difference.

 

Are you not testing this on your own test device? Ideally you want to test configurations before deploying them to end users.

 

What are you seeing when you check OneDrive Preferences > Backup > Manage Backup? There are more or less four different states OneDrive can be in

  1. If you see a notifications about permissions needing to be granted, then the configuration profile to grant disk access is not correct or is missing.
  2. If you see toggles for Desktop and Documents that can be enabled or disabled then KFM is not enabled correctly.
  3. If you see toggles for Desktop and Documents that cant be toggled and are disabled then KFM is disabled by the Configuration Profile.
  4. If you see toggles for Desktop and Documents that are enabled and cant be disabled then KFM is enabled correctly by the Configuration Profile.

 

If you are seeing scenario 4, you are not dealing with a MDM problem you are dealing with a OneDrive Problem. The OneDrive problem would likely involve:

  1. The user did not acknowledge the begin sync dialog box and OneDrive is in an errored state.
    1. The user needs to open OneDrive and interact with the error and tell OneDrive to begin syncing, no KFM does not remove the user interaction requirement.
  2. The user has a file name or extension that is causing issues with the sync.
    1. Interacting with OneDrive in the Menu Bar and it should tell you if there are any sync problems with file names.
  3. Licensing
  4. Possible insufficient storage space.
D
Forum|alt.badge.img+5
  • DJJazzyJamf
  • Author
  • Contributor
  • July 31, 2025

Checking in with my test users this morning and OneDrive is still not automatically backing up the desktop.  I am out of the office today so when I am back in tomorrow I will manually grant OneDrive dull disk access to see if it makes a difference.

 

Are you not testing this on your own test device? Ideally you want to test configurations before deploying them to end users.

 

What are you seeing when you check OneDrive Preferences > Backup > Manage Backup? There are more or less four different states OneDrive can be in

  1. If you see a notifications about permissions needing to be granted, then the configuration profile to grant disk access is not correct or is missing.
  2. If you see toggles for Desktop and Documents that can be enabled or disabled then KFM is not enabled correctly.
  3. If you see toggles for Desktop and Documents that cant be toggled and are disabled then KFM is disabled by the Configuration Profile.
  4. If you see toggles for Desktop and Documents that are enabled and cant be disabled then KFM is enabled correctly by the Configuration Profile.

 

If you are seeing scenario 4, you are not dealing with a MDM problem you are dealing with a OneDrive Problem. The OneDrive problem would likely involve:

  1. The user did not acknowledge the begin sync dialog box and OneDrive is in an errored state.
    1. The user needs to open OneDrive and interact with the error and tell OneDrive to begin syncing, no KFM does not remove the user interaction requirement.
  2. The user has a file name or extension that is causing issues with the sync.
    1. Interacting with OneDrive in the Menu Bar and it should tell you if there are any sync problems with file names.
  3. Licensing
  4. Possible insufficient storage space.

I am testing on my own device.  My test group is myself, the rest of the endpoint engineering team ( additional Macbooks), and the service desk test mac.

 

When I check manage backup I am seeing scenario 2.

JakobHansen
Forum|alt.badge.img
  • JakobHansen
  • New Contributor
  • August 2, 2025

You're on the right track by using the Jamf PPPC Utility to configure full disk access for OneDrive, but macOS can be particularly strict about applying these permissions, especially for third-party apps like OneDrive. One common issue is that the TCC (Transparency, Consent, and Control) database doesn't always reflect changes made via configuration profiles immediately, or may not apply them if the bundle identifier or code signature in the PPPC profile is incorrect. 

D
Forum|alt.badge.img+5
  • DJJazzyJamf
  • Author
  • Contributor
  • Answer
  • August 4, 2025

So it turns out that KFMSilentOptIn is the culprit.  I deployed a new configuration profile using the KFMSilentOptinWizard option and OneDrive is now doing what I want it to do.  Thanks for the feedback everyone.

sdagley
Mitchell_Gordon
amurbain
Forum|alt.badge.img+2
  • amurbain
  • New Contributor
  • October 15, 2025

So it turns out that KFMSilentOptIn is the culprit.  I deployed a new configuration profile using the KFMSilentOptinWizard option and OneDrive is now doing what I want it to do.  Thanks for the feedback everyone.

So did you remove the KFMSilentOptIn option and just use KFMSilentOptinWizard option? I’ve tried KFMSilentOptIn, KFMSilentOptinWizard, both together and I’m experiencing scenario #2 that ​@AJPinto mentioned where I can still toggle Desktop and Documents folders under OneDrive Preferences → Backup → Manage Backup.

Below is my current settings, tenant ID removed.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>AllowTenantList</key>
        <array>
            <dict>
                <key>TenantID</key>
                <string>SuperSecureTenantID</string>
                <key>allow</key>
                <true/>
            </dict>
        </array>
        <key>BlockExternalSync</key>
        <true/>
        <key>DefaultFolder</key>
        <array>
            <dict>
                <key>Path</key>
                <string>~/</string>
                <key>TenantId</key>
                <string>SuperSecureTenantID</string>
            </dict>
        </array>
        <key>DisableAutoConfig</key>
        <integer>0</integer>
        <key>HideDockIcon</key>
        <true/>
        <key>DisableFirstDeleteDialog</key>
        <integer>1</integer>
        <key>DisablePersonalSync</key>
        <true/>
        <key>DisableTutorial</key>
        <true/>
        <key>KFMBlockOptOut</key>
        <true/>
        <key>KFMSilentOptinWizard</key>
        <string>SuperSecureTenantID</string>
        <key>KFMSilentOptIn</key>
        <string>SuperSecureTenantID</string>
        <key>OpenAtLogin</key>
        <true/>
    </dict>
</plist>

 

Terms & ConditionsCookie settingsAccessibility statement