Solved

OneDrive PLIST Issue

  • November 28, 2024
  • 10 replies
  • 94 views

RDowson

I'm deploying the following PLIST config to Macs but users can still sign into other OneDrive Business accounts and they can still disable folder backup.

Is there anything wrong with the below config?

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AllowTenantList</key>
<array>
<string>482a4ef9-66e4-4e76-9f24-6da09a713ee5</string>
</array>
<key>BlockExternalSync</key>
<true/>
<key>DisablePersonalSync</key>
<true/>
<key>DisableTutorial</key>
<true/>
<key> KFMBlockOptOut</key>
<true/>
<key>KFMSilentOptIn</key>
<string>482a4ef9-66e4-4e76-9f24-6da09a713e5</string>
</dict>
</plist>

Best answer by wakco11


10 replies

wakco11
  • Valued Contributor
  • Answer
  • November 28, 2024

The Tenant ID in AllowTenantList should be a key set to true, and it is a dict instead of an array, i.e.

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AllowTenantList</key>
<dict>
<key>12345678-1234-1234-1234-1234567890zx</key>
<true/>
</dict>
<key>BlockExternalSync</key>
<true/>
<key>DisablePersonalSync</key>
<true/>
<key>DisableTutorial</key>
<true/>
<key>KFMBlockOptOut</key>
<true/>
<key>KFMSilentOptIn</key>
<string>12345678-1234-1234-1234-1234567890zx</string>
</dict>
</plist>

 

Also it should be noted the KFMBlockOptOut key had a space at the beginning, so that might also have been invalidating that plist key.

Ref: deploy-and-configure-on-macos


AJPinto
  • Legendary Contributor
  • November 29, 2024

Hey, just a heads up, if the AllowTenantList value in your post is real, you should probably remove it. Sharing your organization's tenant ID online could make it a target for malicious actors.


wakco11
  • Valued Contributor
  • November 29, 2024


Thanks to MacAdmins Slack, I just noticed moderator @talkingmoose fudged the last couple of characters of the tenant ID before I responded, because they are no longer identical. That said, thanks, I had a thought about it for a sadly fleeting moment when I wrote my response, but forgot to mention or do anything about it in my response, so I have now edited the response to something very unlikely.


RDowson
  • Author
  • Contributor
  • November 29, 2024


It's not a real Tenant ID


RDowson
  • Author
  • Contributor
  • November 29, 2024


Thanks. I've changed it to a key set to true, and I've also removed the space at the beginning of KFMBlockOptOut but I'm not seeing any difference when I deploy that to the Mac. I can still turn off the backup of the Desktop and Documents as well as sign in with a OneDrive for Business account from another organisation.

For clarity, here is the updated PLIST I'm using:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AllowTenantList</key>
<array>
<key>TENANT ID</key>
<true/>
</array>
<key>BlockExternalSync</key>
<true/>
<key>DisablePersonalSync</key>
<true/>
<key>DisableTutorial</key>
<true/>
<key>KFMSilentOptIn</key>
<string>TENANT ID</string>
<key>KFMBlockOptOut</key>
<true/>
</dict>
</plist>


wakco11
  • Valued Contributor
  • November 29, 2024


What version of OneDrive is installed? Mac App Store or downloaded from Microsoft? To check, try ls /Applications/OneDrive.app/Contents/_MASReceipt in Terminal; if it doesn't complain with No such file or directory, it's the App Store version, which is not the version to be managing, and as such is probably why the settings are not applying.
Also check the settings are being applied to: com.microsoft.OneDrive

The App Store versions of the Microsoft Office apps do miss several business related features, and as such should not be used in a managed environment.


RDowson
  • Author
  • Contributor
  • November 29, 2024


It's not the Mac App Store version. It's downloaded from the Jamf App Catalog.

It seems to be working now. I'll do some more testing to make sure it's consistent.


RDowson
  • Author
  • Contributor
  • November 29, 2024


Blocking the KFM Opt Out is working now.

I can still sign in with another OneDrive account though so just that part to fix now.


wakco11
  • Valued Contributor
  • November 29, 2024


From deploy-and-configure-on-macos I just noticed one other detail: AllowTenantList is a dict, not an array. I've corrected my example above.


RDowson
  • Author
  • Contributor
  • November 29, 2024


That did the trick! Thank you
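
An added example, not part of the thread and not anyone's posted code: a Python pre-deployment check for the three plist mistakes discussed above (AllowTenantList as an array, a key with a leading space, and `<key>` elements placed inside an `<array>`). The function name `check_onedrive_plist`, the trimmed sample plists and the all-zero tenant ID are constructed for illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Constructed placeholder tenant ID, not a real tenant.
TENANT = "00000000-0000-0000-0000-000000000000"


def check_onedrive_plist(data: bytes) -> list[str]:
    """Return the problems found in an XML plist meant for com.microsoft.OneDrive."""
    try:
        prefs = plistlib.loads(data, fmt=plistlib.FMT_XML)
    except (ValueError, ExpatError) as exc:
        # Raised for structural errors such as <key> elements inside an <array>.
        return [f"plist does not parse: {exc}"]
    if not isinstance(prefs, dict):
        return ["top-level object is not a dict"]

    problems = []
    for key in prefs:
        if key != key.strip():
            problems.append(f"key {key!r} has leading/trailing whitespace")

    tenants = prefs.get("AllowTenantList")
    if tenants is None:
        problems.append("AllowTenantList is missing")
    elif not isinstance(tenants, dict):
        problems.append(f"AllowTenantList is {type(tenants).__name__}, expected dict")
    else:
        for tenant_id, allowed in tenants.items():
            if allowed is not True:
                problems.append(f"AllowTenantList[{tenant_id!r}] is not <true/>")
    return problems


def _plist(body: str) -> bytes:
    return f'<plist version="1.0"><dict>{body}</dict></plist>'.encode()


# Constructed samples mirroring the three versions of the config in the thread.
ORIGINAL = _plist(f"<key>AllowTenantList</key><array><string>{TENANT}</string></array>"
                  "<key> KFMBlockOptOut</key><true/>")
SECOND_TRY = _plist(f"<key>AllowTenantList</key><array><key>{TENANT}</key><true/></array>"
                    "<key>KFMBlockOptOut</key><true/>")
FIXED = _plist(f"<key>AllowTenantList</key><dict><key>{TENANT}</key><true/></dict>"
               "<key>KFMBlockOptOut</key><true/>")

if __name__ == "__main__":
    for name, sample in [("original", ORIGINAL), ("second try", SECOND_TRY), ("fixed", FIXED)]:
        print(name, "->", check_onedrive_plist(sample) or "OK")
```
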