
Hello all,

I am in the process of rolling out OneDrive to our Mac environment.  I assigned the app from the Jamf app catalog and put together a plist with all of our settings.  I discovered that OneDrive has to have full disk access in order to automatically back up the desktop folder.  I used the Jamf PPPC tool to grant OneDrive full disk access, however it does not seem to take.  I check in System Settings → General → Device Management and I see the config profile, however when I run sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select client from access where auth_value and service = "kTCCServiceSystemPolicyAllFiles"' in Terminal, OneDrive is not listed as one of the apps that has full disk access.  Any ideas?

That query isn’t going to report settings applied via a Configuration Profile but if the profile is showing as installed on the Mac it should be working. Are you seeing any evidence the profile isn’t allowing OneDrive the necessary access?



The desktop folder is not automatically being backed up on my test Mac.  I am going to push to another Mac tomorrow to see if it is a “me” issue or something else.


@DJJazzyJamf Note that OneDrive will still prompt to start syncing even with the FDA permissions in place, and the user will have to explicitly provide that permission.


Do you have the Jamf PPPC Utility installed?

You can use this to get the correct domain and identifier information, but to enable the automatic backing up of the Desktop & Documents folders, you need to enable the Known Folder Move keys.

I’ve linked from KFMBlockOptIn so all are visible, but the ones you’ll need are just below. By the sounds of it, if you want it to do it automatically without any user intervention, you’ll need to look at KFMSilentOptIn.


To second @sdagley, once you configure KFM, the users will receive a prompt to enable the sync. If they ignore this prompt or close out of it the sync will never begin.

 

Can you share your configuration profile? Make sure to remove your tenant keys.


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>BlockExternalSync</key>
                <true />
                <key>DefaultFolderLocation</key>
                <array>
                    <dict>
                        <key>DefaultFolderPath</key>
                        <string>~/</string>
                        <key>TenantID</key>
                        <string>*redacted*</string>
                    </dict>
                </array>
                <key>AllowTenantList</key>
                <dict>
                <key>*redacted*</key>
                <true/>
                <key>DisableTutorial</key>
                <true />
                <key>HideDockIcon</key>
                <true />
                <key>KFMBlockOptOut</key>
                <true />
                <key>KFMSilentOptIn</key>
                <string>*redacted*</string>
                <key>KFMSilentOptInDesktop</key>
                <true />
                <key>KFMSilentOptInDocuments</key>
                <true />
                <key>OpenAtLogin</key>
                <true />
                <key>PayloadDisplayName</key>
                <string>Microsoft OneDrive</string>
                <key>PayloadIdentifier</key>
                <string>com.microsoft.OneDrive.45ba19d4-b352-4f82-8a2f-a606f87b705d</string>
                <key>PayloadType</key>
                <string>com.microsoft.OneDrive</string>
                <key>PayloadUUID</key>
                <string>45ba19d4-b352-4f82-8a2f-a606f87b705d</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
            </dict>
        </array>
        <key>PayloadDisplayName</key>
        <string>Untitled</string>
        <key>PayloadIdentifier</key>
        <string>*redacted*</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>99e8da09-7f60-48a6-9fc8-b39c2f3451e0</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>
</plist>


Yes, I initially used the PPPC utility to create the config profile


Even with the KFMSilentOptIn option set to true?


Even with that set to true (that disables the MS prompts but has no effect on the macOS prompts)


@DJJazzyJamf Try this one, add your tenant ID. The domain is com.microsoft.onedrive, and add it as an Applications & Custom Settings > Upload payload.

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AllowTenantList</key>
<array>
<dict>
<key>TenantID</key>
<string>Something awesome here</string>
<key>allow</key>
<true/>
</dict>
</array>
<key>BlockExternalSync</key>
<true/>
<key>DefaultFolder</key>
<array>
<dict>
<key>Path</key>
<string>~/</string>
<key>TenantId</key>
<string>Something awesome here</string>
</dict>
</array>
<key>DisableAutoConfig</key>
<integer>0</integer>
<key>HideDockIcon</key>
<true/>
<key>DisableFirstDeleteDialog</key>
<integer>1</integer>
<key>DisablePersonalSync</key>
<true/>
<key>DisableTutorial</key>
<true/>
<key>KFMBlockOptIn</key>
<integer>1</integer>
<key>KFMBlockOptOut</key>
<true/>
<key>KFMSilentOptIn</key>
<string>Something awesome here</string>
<key>OpenAtLogin</key>
<true/>
</dict>
</plist>

 


Will give it a shot.  Thanks for taking a look!


Let us know if it works for you! I still manually have users backup desktop/documents because I wasn’t able to get it to work.


Checking in with my test users this morning and OneDrive is still not automatically backing up the desktop.  I am out of the office today so when I am back in tomorrow I will manually grant OneDrive full disk access to see if it makes a difference.

  


Still no luck after manually enabling full disk access for OneDrive.


Are you not testing this on your own test device? Ideally you want to test configurations before deploying them to end users.

 

What are you seeing when you check OneDrive Preferences > Backup > Manage Backup? There are more or less four different states OneDrive can be in:

  1. If you see a notification about permissions needing to be granted, then the configuration profile to grant disk access is not correct or is missing.
  2. If you see toggles for Desktop and Documents that can be enabled or disabled, then KFM is not enabled correctly.
  3. If you see toggles for Desktop and Documents that can't be toggled and are disabled, then KFM is disabled by the Configuration Profile.
  4. If you see toggles for Desktop and Documents that are enabled and can't be disabled, then KFM is enabled correctly by the Configuration Profile.

 

If you are seeing scenario 4, you are not dealing with an MDM problem, you are dealing with a OneDrive problem. The OneDrive problem would likely involve:

  1. The user did not acknowledge the begin sync dialog box and OneDrive is in an errored state.
    1. The user needs to open OneDrive and interact with the error and tell OneDrive to begin syncing; no, KFM does not remove the user interaction requirement.
  2. The user has a file name or extension that is causing issues with the sync.
    1. Interact with OneDrive in the menu bar and it should tell you if there are any sync problems with file names.
  3. Licensing.
  4. Possible insufficient storage space.

I am testing on my own device.  My test group is myself, the rest of the endpoint engineering team (additional MacBooks), and the service desk test Mac.

 

When I check manage backup I am seeing scenario 2.


You're on the right track by using the Jamf PPPC Utility to configure full disk access for OneDrive, but macOS can be particularly strict about applying these permissions, especially for third-party apps like OneDrive. One common issue is that the TCC (Transparency, Consent, and Control) database doesn't always reflect changes made via configuration profiles immediately, or may not apply them if the bundle identifier or code signature in the PPPC profile is incorrect. 


So it turns out that KFMSilentOptIn is the culprit.  I deployed a new configuration profile using the KFMSilentOptInWizard option and OneDrive is now doing what I want it to do.  Thanks for the feedback everyone.
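As an added check for anyone reproducing this thread (example code written for this page, not Microsoft's, Jamf's or any poster's): a small Python linter to run over the OneDrive preferences plist before uploading it as an Applications & Custom Settings payload. It accepts either a bare preferences plist (the shape of the profile offered in the replies) or a full .mobileconfig carrying a com.microsoft.OneDrive payload (the shape of the poster's), and reports KFM keys that ended up nested inside another dictionary (which is what a dropped </dict> after AllowTenantList does), tenant placeholders left in place, and KFMSilentOptIn set without KFMSilentOptInWizard, the key that resolved the thread. The two sample profiles are constructed; the all-zero GUID is a placeholder tenant ID, and KFMSilentOptInWizard is assumed to be a Boolean, since the thread does not state its type.

```python
"""Lint a OneDrive managed-preferences plist before uploading it to Jamf.

Constructed example for this thread, not code from Microsoft, Jamf or any
poster. Assumptions: OneDrive reads its keys from the top level of the
com.microsoft.OneDrive domain, KFMSilentOptIn holds the tenant ID, and
KFMSilentOptInWizard is a Boolean (its type is not stated in the thread).
"""
import plistlib

# KFM keys mentioned in the thread.
KFM_KEYS = (
    "KFMBlockOptIn", "KFMBlockOptOut", "KFMSilentOptIn",
    "KFMSilentOptInDesktop", "KFMSilentOptInDocuments", "KFMSilentOptInWizard",
)
# Placeholder strings seen in the profiles posted above; shipped as-is,
# OneDrive never matches a real tenant.
PLACEHOLDERS = frozenset({"*redacted*", "Something awesome here"})


def onedrive_settings(root):
    """Return the dict holding the OneDrive keys: the com.microsoft.OneDrive
    payload of a .mobileconfig, or the root of a bare preferences plist."""
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.microsoft.OneDrive":
            return payload
    return root


def _walk(node, path=()):
    """Yield (path, key, value) for every dict entry, descending into arrays."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from _walk(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, path + (index,))


def lint(plist_bytes):
    """Return a list of findings; an empty list means nothing was flagged."""
    settings = onedrive_settings(plistlib.loads(plist_bytes))
    findings = []
    for path, key, value in _walk(settings):
        label = "/".join(str(p) for p in path + (key,))
        if key in KFM_KEYS and path:
            findings.append(f"{label}: KFM key is nested; OneDrive only reads it at the top level")
        if isinstance(value, str) and value in PLACEHOLDERS:
            findings.append(f"{label}: still holds placeholder {value!r}")
    if not any(k in settings for k in KFM_KEYS):
        findings.append("no KFM keys at the top level; Desktop/Documents will not be redirected")
    if "KFMSilentOptIn" in settings and "KFMSilentOptInWizard" not in settings:
        findings.append("KFMSilentOptIn set without KFMSilentOptInWizard; the poster only got "
                        "silent redirection working after switching to KFMSilentOptInWizard")
    return findings


# Constructed: the poster's profile shape, with AllowTenantList's dict
# swallowing the KFM keys (what a dropped </dict> does) and placeholders left in.
BROKEN_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>AllowTenantList</key>
      <dict>
        <key>*redacted*</key><true/>
        <key>KFMSilentOptIn</key><string>*redacted*</string>
        <key>KFMSilentOptInDesktop</key><true/>
      </dict>
      <key>HideDockIcon</key><true/>
      <key>PayloadType</key><string>com.microsoft.OneDrive</string>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed: bare preferences plist with every KFM key at the top level.
# The all-zero GUID is a placeholder tenant ID, not a real one.
FIXED_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AllowTenantList</key>
  <array>
    <dict>
      <key>TenantID</key><string>00000000-0000-0000-0000-000000000000</string>
      <key>allow</key><true/>
    </dict>
  </array>
  <key>KFMBlockOptOut</key><true/>
  <key>KFMSilentOptIn</key><string>00000000-0000-0000-0000-000000000000</string>
  <key>KFMSilentOptInDesktop</key><true/>
  <key>KFMSilentOptInDocuments</key><true/>
  <key>KFMSilentOptInWizard</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, profile in (("broken", BROKEN_PROFILE), ("fixed", FIXED_PROFILE)):
        findings = lint(profile)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run it against the exported profile (`lint(open("onedrive.plist", "rb").read())`) before the payload goes into a policy scope; a clean result says the keys are where OneDrive will look for them, not that the tenant ID is right or that the user will not still see the macOS prompts sdagley mentions.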

