Skip to main content

I'm deploying the following PLIST config to Macs but users can still sign into other OneDrive Business accounts and they can still disable folder backup.


Is there anything wrong with the below config?


 


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AllowTenantList</key>
<array>
<string>482a4ef9-66e4-4e76-9f24-6da09a713ee5</string>
</array>
<key>BlockExternalSync</key>
<true/>
<key>DisablePersonalSync</key>
<true/>
<key>DisableTutorial</key>
<true/>
<key> KFMBlockOptOut</key>
<true/>
<key>KFMSilentOptIn</key>
<string>482a4ef9-66e4-4e76-9f24-6da09a713e5</string>
</dict>
</plist>

The Tenant ID in AllowTenantList, should be a key set to true, and is a dict instead of an array, i.e.


 


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AllowTenantList</key>
<dict>
<key>12345678-1234-1234-1234-1234567890zx</key>
<true/>
</dict>
<key>BlockExternalSync</key>
<true/>
<key>DisablePersonalSync</key>
<true/>
<key>DisableTutorial</key>
<true/>
<key>KFMBlockOptOut</key>
<true/>
<key>KFMSilentOptIn</key>
<string>12345678-1234-1234-1234-1234567890zx</string>
</dict>
</plist>

 


Also it should be noted the KFMBlockOptOut key had a space at the beginning, so that might also have been invalidating that plist key.


Ref: deploy-and-configure-on-macos

Hey, just a heads up, if the AllowTenantList value in your post is real, you should probably remove it. Sharing your organization's tenant ID online could make it a target for malicious actors.

Hey, just a heads up, if the AllowTenantList value in your post is real, you should probably remove it. Sharing your organization's tenant ID online could make it a target for malicious actors.


Thanks to MacAdmins Slack, I just noticed moderator @talkingmoose fudged the last couple of characters of the tenant ID before I responded, because they are no longer identacle. That said, Thanks, I had a thought about it for a sadly fleeting moment when I wrote my response, but forgot to mention or do anything about it my response, so I have now edited the response to something very unlikely.

Hey, just a heads up, if the AllowTenantList value in your post is real, you should probably remove it. Sharing your organization's tenant ID online could make it a target for malicious actors.


It's not a real Tenant ID

The Tenant ID in AllowTenantList, should be a key set to true, and is a dict instead of an array, i.e.


 


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AllowTenantList</key>
<dict>
<key>12345678-1234-1234-1234-1234567890zx</key>
<true/>
</dict>
<key>BlockExternalSync</key>
<true/>
<key>DisablePersonalSync</key>
<true/>
<key>DisableTutorial</key>
<true/>
<key>KFMBlockOptOut</key>
<true/>
<key>KFMSilentOptIn</key>
<string>12345678-1234-1234-1234-1234567890zx</string>
</dict>
</plist>

 


Also it should be noted the KFMBlockOptOut key had a space at the beginning, so that might also have been invalidating that plist key.


Ref: deploy-and-configure-on-macos


Thanks. I've changed it to a key set to true, and I've also removed the space at the beginning of KFMBlockOptOut but I'm not seeing any difference when I deploy that to the Mac. I can still turn off the backup of the Desktop and Documents as well as sign in with a OneDrive for Business account from another organisation.


For clarity, here is the updated PLIST I'm using:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AllowTenantList</key>
<array>
<key>TENANT ID</key>
<true/>
</array>
<key>BlockExternalSync</key>
<true/>
<key>DisablePersonalSync</key>
<true/>
<key>DisableTutorial</key>
<true/>
<key>KFMSilentOptIn</key>
<string>TENANT ID</string>
<key>KFMBlockOptOut</key>
<true/>
</dict>
</plist>

Thanks. I've changed it to a key set to true, and I've also removed the space at the beginning of KFMBlockOptOut but I'm not seeing any difference when I deploy that to the Mac. I can still turn off the backup of the Desktop and Documents as well as sign in with a OneDrive for Business account from another organisation.


For clarity, here is the updated PLIST I'm using:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AllowTenantList</key>
<array>
<key>TENANT ID</key>
<true/>
</array>
<key>BlockExternalSync</key>
<true/>
<key>DisablePersonalSync</key>
<true/>
<key>DisableTutorial</key>
<true/>
<key>KFMSilentOptIn</key>
<string>TENANT ID</string>
<key>KFMBlockOptOut</key>
<true/>
</dict>
</plist>


What version of OneDrive is installed? Mac App Store or downloaded from Microsoft? To check try ls /Applications/OneDrive.app/Contents/_MASReceipt, in Terminal, if it doesn't complain with No such file or directory, It's the App Store version, which is not the version to be managing, and as such is probably why the settings are not applying.
Also check the settings are being applied to: com.microsoft.OneDrive 


The App Store versions of the Microsoft Office apps do miss several business related features, and as such should not be used in a managed environment.

What version of OneDrive is installed? Mac App Store or downloaded from Microsoft? To check try ls /Applications/OneDrive.app/Contents/_MASReceipt, in Terminal, if it doesn't complain with No such file or directory, It's the App Store version, which is not the version to be managing, and as such is probably why the settings are not applying.
Also check the settings are being applied to: com.microsoft.OneDrive 


The App Store versions of the Microsoft Office apps do miss several business related features, and as such should not be used in a managed environment.


It's not the Mac App Store version. It's downloaded from the Jamf App Catalog.


It seems to be working now. I'll do some more testing to make sure it's consistent.

What version of OneDrive is installed? Mac App Store or downloaded from Microsoft? To check try ls /Applications/OneDrive.app/Contents/_MASReceipt, in Terminal, if it doesn't complain with No such file or directory, It's the App Store version, which is not the version to be managing, and as such is probably why the settings are not applying.
Also check the settings are being applied to: com.microsoft.OneDrive 


The App Store versions of the Microsoft Office apps do miss several business related features, and as such should not be used in a managed environment.


Blocking the KFM Opt Out is working now.


I can still sign in with another OneDrive account though so just that part to fix now.

Blocking the KFM Opt Out is working now.


I can still sign in with another OneDrive account though so just that part to fix now.


From deploy-and-configure-on-macos I just noticed one other detail, AllowTenantList is a dict, not an array, I've corrected my example above.

From deploy-and-configure-on-macos I just noticed one other detail, AllowTenantList is a dict, not an array, I've corrected my example above.


That did the trick! Thank you

Reply


Terms & ConditionsCookie settings