
We’re trying to force OneDrive to sync Desktop and Documents on our Macs using Jamf. Machines aren’t domain-joined. They’re already signed into Outlook/Teams with their work accounts.

Here’s what I’m trying to do:

  • Auto sign users into OneDrive

  • Turn on Known Folder Move (KFM) for Desktop/Documents

  • Avoid macOS prompts asking for folder access

What I’ve done so far:

  1. PPPC profile – I used the correct code signature from the OneDrive app (verified with codesign). Gave access to Desktop, Documents, and Downloads. But the profile fails to apply in Jamf with a status of “Failed”.

  2. Script – I’ve got a script that reads the signed-in email from Office apps and uses the odopen:// URL to trigger OneDrive login. It runs, but OneDrive either doesn’t sign in or doesn’t start syncing unless the user manually clicks through prompts.

Where I'm stuck:

  • PPPC profile won’t install, even though the code signature looks right.

  • Even if OneDrive opens, syncing doesn’t start unless the user allows folder access manually.

  • I want this to be completely silent, no user interaction.

Anyone get this working with Jamf? Not sure if I’m missing something in the PPPC or the script.

Appreciate any advice. Thanks!

Got this working — turns out the issue was with folder-specific permissions (Desktop/Documents). Instead of trying to grant access to each one, I gave OneDrive full disk access using SystemPolicyAllFiles in the PPPC config.


@MoJo Awesome job. Could you share the script that you used to auto-enable the syncing?


@drewcymek  

#!/bin/bash

# This script grabs the user's Office email by
# checking Outlook and Teams config folders.
# - Just pulls the first email it finds
# - User needs to have opened Outlook or Teams before
# - If there are multiple accounts, it grabs the first one

loggedInUser=$(stat -f "%Su" /dev/console)

outlookPath="/Users/$loggedInUser/Library/Group Containers/UBF8T346G9.Office/Outlook/Account Configuration"
teamsPath="/Users/$loggedInUser/Library/Group Containers/UBF8T346G9.Office/Teams/IdentityCache"

# Plain user@domain.tld match. grep -a treats binary files as text
# (the config files are not plain text) and -h drops the "filename:"
# prefix grep adds when it searches more than one file, so head -n1
# yields just the address.
emailRegex='[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'

userEmail=""

# Check Outlook first
if [ -d "$outlookPath" ]; then
    echo "Looking in Outlook config..."
    userEmail=$(grep -E -a -o -h "$emailRegex" "$outlookPath"/* 2>/dev/null | head -n1)
fi

# If not found, try Teams
if [ -z "$userEmail" ] && [ -d "$teamsPath" ]; then
    echo "Looking in Teams cache..."
    userEmail=$(grep -E -a -o -h "$emailRegex" "$teamsPath"/* 2>/dev/null | head -n1)
fi

if [ -z "$userEmail" ]; then
    echo "No email found for $loggedInUser. Exiting."
    exit 1
fi

echo "Found email: $userEmail"

Thanks for that. It seems the script only includes grabbing the user’s email. Is there an additional portion for these steps?

  • Turn on Known Folder Move (KFM) for Desktop/Documents

  • Avoid macOS prompts asking for folder access