OneDrive Configuration Profile

user-sCWTLzSiNn
New Contributor II

I am able to successfully build & deploy custom preferences using the Application and Custom Settings on Configuration Profiles. What's not working is just the AllowTenantList setting. I think it's a syntax problem so any help would be greatly appreciated.

M$ website to deploy & configure on macOS says: The example for this setting in the .plist file is:
<key>AllowTenantList</key>
<array>
<dict>
<key>TenantId1</key>
<Bool>True</Bool>
<key>TenantId2</key>
<Bool>True</Bool>
</dict>
</array>

We only have the one tenant ID so this looks like:
<key>AllowTenantList</key>
<array>
<dict>
<key>My_Company's_Key</key>
<Bool>True</Bool>
</dict>
</array>

Before I save the config profile, Jamf shows a summary of the settings. All the boolean keys are showing their correct true/false, but this string just says " AllowTenantList=[{}] " instead of actually having the string value. That's why I think it's syntax.

Again, any help, insights, or advice would be wonderful. I've been googling & asking jeeves and cannot find any resolution.

1 ACCEPTED SOLUTION

talkingmoose
Moderator

@user-sCWTLzSiNn, I think I found the documentation you're following.

https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos#allowtenantlist

Its plist example is incorrect. Instead of specifying true/false using <Bool>True</Bool>, you should be using <true/>.

Here's the plist I created. Copy it and see if it works for you.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AllowTenantList</key>
    <array>
        <dict>
            <key>00000000-0000-0000-0000-0000000000</key>
            <true/>
        </dict>
    </array>
    <key>BlockExternalSync</key>
    <true/>
    <key>DisablePersonalSync</key>
    <true/>
    <key>DisableTutorial</key>
    <true/>
    <key>FilesOnDemandEnabled</key>
    <true/>
</dict>
</plist>

I see this when I add it to my Mac.

To be honest, I'm still dubious this will work. An array is just a list of items. If the purpose of the list is to simply "allow these items", I don't understand why this goes so far as making you specify "true" as well. If this is a list of allowed items, they should all be true, IMHO. But ¯_(ツ)_/¯

If I'm correct and this syntax still doesn't work for you, try this instead:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AllowTenantList</key>
    <array>
        <string>00000000-0000-0000-0000-0000000000</string>
    </array>
    <key>BlockExternalSync</key>
    <true/>
    <key>DisablePersonalSync</key>
    <true/>
    <key>DisableTutorial</key>
    <true/>
    <key>FilesOnDemandEnabled</key>
    <true/>
</dict>
</plist>
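
A pre-upload check for the problem diagnosed above, as an added example that is not part of the original post or of Jamf's or Microsoft's tooling: it flags elements such as `<Bool>` that the plist DTD does not define, then confirms that `AllowTenantList` actually carries a tenant ID in either of the two forms shown in this reply. The function names, the GUID-shape check and the constructed tenant IDs are assumptions made for the example; the check for both lists being set follows the setting description quoted later in this thread.

```python
import plistlib
import re
import xml.etree.ElementTree as ET
from xml.parsers.expat import ExpatError

# Element names defined by Apple's PropertyList-1.0 DTD; anything else is invalid.
PLIST_TAGS = {"plist", "dict", "array", "key", "string", "data", "date",
              "integer", "real", "true", "false"}
# Assumption: tenant IDs are written as 8-4-4-4-12 hex GUIDs.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def tenant_ids(entries):
    """Return (ids, findings) for an AllowTenantList/BlockTenantList value."""
    ids, findings = [], []
    if not isinstance(entries, list) or not entries:
        return ids, ["tenant list is missing or empty"]
    for entry in entries:
        if isinstance(entry, str):        # <string>GUID</string> form
            pairs = [(entry, True)]
        elif isinstance(entry, dict):     # <key>GUID</key><true/> form
            pairs = list(entry.items())
            if not pairs:
                findings.append("empty <dict/> entry: no tenant ID was stored")
        else:
            findings.append(f"unexpected entry type {type(entry).__name__}")
            continue
        for tenant, flag in pairs:
            if not GUID_RE.fullmatch(tenant):
                findings.append(f"{tenant!r} is not GUID-shaped")
            elif flag is not True:
                findings.append(f"{tenant}: value must be <true/>, got {flag!r}")
            else:
                ids.append(tenant.lower())
    return ids, findings


def lint_onedrive_plist(data: bytes):
    """Return a list of findings; an empty list means the plist passed."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    # Well-formed XML is not enough: <Bool> parses as XML but is not a plist type.
    bad = sorted({el.tag for el in root.iter() if el.tag not in PLIST_TAGS})
    if bad:
        return [f"<{tag}> is not a plist element" for tag in bad]
    try:
        prefs = plistlib.loads(data)
    except (ValueError, ExpatError) as exc:
        return [f"plist parse error: {exc}"]
    if not isinstance(prefs, dict):
        return ["top-level plist object is not a <dict>"]
    _, found = tenant_ids(prefs.get("AllowTenantList"))
    findings = [f"AllowTenantList: {item}" for item in found]
    if "AllowTenantList" in prefs and "BlockTenantList" in prefs:
        findings.append("AllowTenantList and BlockTenantList are both set")
    return findings


def sample(value_xml, extra=""):
    """Build a constructed test plist around one AllowTenantList entry."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
        '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
        '<plist version="1.0"><dict>'
        f'<key>AllowTenantList</key><array>{value_xml}</array>{extra}'
        '<key>DisablePersonalSync</key><true/>'
        '</dict></plist>'
    ).encode("utf-8")


# Constructed placeholder tenant IDs, not real tenants.
TENANT = "00000000-0000-0000-0000-000000000000"
OTHER = "11111111-1111-1111-1111-111111111111"

AS_DOCUMENTED = sample(f"<dict><key>{TENANT}</key><Bool>True</Bool></dict>")
CORRECTED = sample(f"<dict><key>{TENANT}</key><true/></dict>")
STRING_FORM = sample(f"<string>{TENANT}</string>")
EMPTY_ENTRY = sample("<dict/>")
BOTH_LISTS = sample(
    f"<string>{TENANT}</string>",
    f"<key>BlockTenantList</key><array><string>{OTHER}</string></array>",
)

if __name__ == "__main__":
    for name in ("AS_DOCUMENTED", "CORRECTED", "STRING_FORM",
                 "EMPTY_ENTRY", "BOTH_LISTS"):
        print(f"{name}: {lint_onedrive_plist(globals()[name]) or 'OK'}")
```
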

26 REPLIES

talkingmoose
Moderator

The documentation I find for that AllowTenantList key is for OneDrive. I don’t see anything for Office. Can you point me to the documentation you’ve found? Happy to take a look and test.

user-sCWTLzSiNn
New Contributor II

It is for just OneDrive. I think of OneDrive being under the Office umbrella. I changed the title. Sorry for the confusion.

talkingmoose
Moderator

How are you adding your settings to the Application and Custom Settings payload? Are you pasting in a plist under Upload or using a custom Jamf manifest? And where are you seeing "AllowTenantList=[{}] " appear?

I'll see if I can reproduce things here.

user-sCWTLzSiNn
New Contributor II

I'm uploading the .plist file. Here's what I'm uploading with the key replaced with zeros. It's not keeping the formatting when I preview so also attached an image of the .plist to see exactly what I'm uploading. Only difference is I'm using our actual tenant ID.

Thank you for taking time to look at this.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AllowTenantList</key>
    <array>
        <dict>
            <key>00000000-0000-0000-0000-0000000000</key>
            <Bool>True</Bool>
        </dict>
    </array>
    <key>BlockExternalSync</key>
    <true/>
    <key>DisablePersonalSync</key>
    <true/>
    <key>DisableTutorial</key>
    <true/>
    <key>FilesOnDemandEnabled</key>
    <true/>
</dict>
</plist>

nicholi
New Contributor II

I think I saw this issue before. I can't remember what the solution was, but out of curiosity can you try this:

Also what are you using to edit the plist?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>

<key>HideDockIcon</key> <true/>

<key>OpenAtLogin</key> <true/>

<key>FilesOnDemandEnabled</key> <true/>

<key>AllowTenantList</key> <array> <dict> <key>00000000-0000-0000-0000-0000000000</key> <Bool>True</Bool> </dict> </array>

</dict>
</plist>

nicholi
New Contributor II

I just tried with your syntax and I am not seeing any errors on my end. I am on Jamf 10.28 so I don't know if that makes a difference.

user-sCWTLzSiNn
New Contributor II

@nicholi I am using Notepad on Windows to create/edit. And it's not that I get any syntax errors, it's just not populating the tenant ID. Here's a screenshot of the profile that's on the Mac itself.

rubberchicken
New Contributor

.

user-sCWTLzSiNn
New Contributor II

@talkingmoose

Thank you for all the help. I think that reply is enough to get me to the finish line. My guess is that Microsoft made it an array so you can specify multiple tenant IDs. Both of your suggestions are getting the ID from Jamf into the profile on the local machine. I cannot say for certain it's doing what I want, but at this point it's a Microsoft issue. That "DisablePersonalSync" key is generating an error as soon as I enter the email for a personal account. I don't have the password for my old organization's account, but it goes to the next step asking for the password instead of generating the error. I already have a ticket open with Microsoft, so I'll continue troubleshooting on there. But thanks again for taking time to look at this. Really do appreciate your efforts.

FredaPson
New Contributor

Hi. Did you get this to work?
I am trying this myself, and it seems that the personal account is blocked but I can still add another Work account.
//Freda

bcbackes
Contributor III

I went ahead and placed all the settings from Microsoft's website into a schema format that can be added to Jamf via the Application & Custom Settings Payload under External Applications > Custom Schema. NOTE: I have NOT tested this yet - was just getting something thrown together.

{
  "title": "com.microsoft.OneDrive",
  "description": "Preference Domain: com.microsoft.OneDrive, Application: OneDrive, Documentation Link: https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos",
  "__version": "21",
  "__feedback": "jmanifest@microsoft.com",
  "type": "object",
  "options": {
    "remove_empty_properties": true
  },
  "definitions": {
    "policy_group": {
      "type": "object",
      "format": "grid",
      "options": {
        "collapsed": true,
        "disable_properties": true
      }
    }
  },
  "properties": {
    "AllowTenantList": {
      "title": "AllowTenantList",
      "description": "This setting prevents the users from uploading files to other organizations by specifying a list of allowed tenant IDs. If you enable this setting, the user gets an error if they attempt to add an account from an organization that isn't in the allowed tenants list. If the user has already added the account, the files stop syncing. This setting takes priority over Block syncing OneDrive accounts for specific organizations setting. Do NOT enable both settings at the same time. The parameter for the AllowTenantList key is TenantID and its value is a string, which determines the tenants for whom the Allow Tenant setting is applicable. For the setting to be complete, this parameter also requires a boolean value to be set to it. If the boolean value is set to True, the tenant is allowed to sync.",
      "property_order": 10,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "array",
          "items": {
            "type": "string",
            "title": "Entries"
          }
        }
      ],
      "options": {
        "infoText": "AllowTenantList"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "AutomaticUploadBandwidthPercentage": {
      "title": "AutomaticUploadBandwidthPercentage",
      "description": "This setting enables the sync app to automatically set the amount of bandwidth that can be used for uploading files, based on available bandwidth. To enable this setting, you must define a number between 1 and 99 that determines the percentage of bandwidth the sync app can use out of the total available bandwidth.",
      "property_order": 15,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "integer"
        }
      ],
      "options": {
        "infoText": "AutomaticUploadBandwidthPercentage"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "BlockExternalSync": {
      "title": "BlockExternalSync",
      "description": "This setting prevents the sync app from syncing libraries and folders shared from other organizations. Set the setting's value to True, to prevent the users from syncing OneDrive, SharePoint libraries, and folders with organizations other than the user's own organization. Set the value to False or don't enable the setting to allow the OneDrive, and SharePoint files to be synced with other organizations also.",
      "property_order": 20,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "boolean"
        }
      ],
      "options": {
        "infoText": "BlockExternalSync"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "BlockTenantList": {
      "title": "BlockTenantList",
      "description": "This setting prevents the users from uploading files to organizations that are included in the blocked tenant IDs list. If you enable this setting, the users get an error if they attempt to add an account from an organization that is blocked. If a user has already added an account for a blocked organization, the files stop syncing. This setting does NOT work if you have Allow syncing OneDrive accounts for only specific organizations setting enabled. Do NOT enable both settings at the same time. Enable this setting by defining IDs for the TenantID parameter, which determines the tenants to whom the block tenant setting is applicable. Also set the boolean value to True for the ID of every tenant you want to prevent from syncing with the OneDrive and SharePoint files and folders. NOTE: In the list, inclusion of the tenant ID alone doesn't suffice. It's mandatory to set the boolean value to True for the ID of each tenant who is to be blocked.",
      "property_order": 25,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "array",
          "items": {
            "type": "string",
            "title": "Entries"
          }
        }
      ],
      "options": {
        "infoText": "BlockTenantList"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "DefaultFolder": {
      "title": "DefaultFolder",
      "description": "This setting specifies the default location of the OneDrive folder for each organization. The parameters are TenantID and DefaultFolderPath. The TenantID value is a string that determines the tenants to whom the default folder location setting is applicable. The DefaultFolderPath value is a string that specifies the default location of the folder. The following are the conditions governing the default folder location: -Mac app store: The path must already exist when the user is setting up the sync app. -Standalone: The path will be created (if it doesn't already exist) after the user sets up the sync app. Only with the Standalone sync app you can prevent users from changing the location.",
      "property_order": 30,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "string"
        }
      ],
      "options": {
        "infoText": "DefaultFolder"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "DisableHydrationToast": {
      "title": "DisableHydrationToast",
      "description": "This setting prevents toasts from appearing when applications cause file contents to be downloaded. If you set the setting's value to True, toasts do not appear when applications trigger the download of file contents.",
      "property_order": 35,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "boolean"
        }
      ],
      "options": {
        "infoText": "DisableHydrationToast"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "DisablePersonalSync": {
      "title": "DisablePersonalSync",
      "description": "This setting blocks user from signing in and syncing files in personal OneDrive accounts. If this setting has been configured after a user has set up sync with a personal account, the user gets signed out. If you set the setting's value to True, the users are prevented from adding or syncing personal accounts.",
      "property_order": 40,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "boolean"
        }
      ],
      "options": {
        "infoText": "DisablePersonalSync"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "DisableTutorial": {
      "title": "DisableTutorial",
      "description": "This setting prevents the tutorial from being shown to the users after they set up OneDrive. If you set this setting's value to True, the tutorial is blocked from being shown to the users after they set up the OneDrive.",
      "property_order": 45,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "boolean"
        }
      ],
      "options": {
        "infoText": "DisableTutorial"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "DownloadBandwidthLimited": {
      "title": "DownloadBandwidthLimited",
      "description": "This setting sets the maximum download throughput rate in kilobytes (KB)/sec for computers running the OneDrive sync app. Set this setting's value to an integer between 50 KB/sec and the maximum rate is 100,000 KB/sec that determines the download throughput in KB/sec that the sync app can use.",
      "property_order": 50,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "integer"
        }
      ],
      "options": {
        "infoText": "DownloadBandwidthLimited"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "EnableAllOcsiClients": {
      "title": "EnableAllOcsiClients",
      "description": "This setting lets multiple users use the Microsoft 365 Apps for enterprise, Office 2019, or Office 2016 desktop apps to simultaneously edit an Office file stored in OneDrive. It also lets users share files from the Office desktop apps. We recommend keeping this setting enabled to make syncing faster and reduce network bandwidth. If you set this setting to True or don't set this setting, the Office tab appears in OneDrive sync preferences, and Use Office applications to sync Office files that I open is selected, by default. If you set this setting to False, the Office tab is hidden in the sync app, and co-authoring and in-app sharing for Office files are disabled. The User can choose how to handle Office files in conflict setting acts as disabled, and when file conflicts occur, both copies of the file are kept. For more information about the settings in the sync app, see Use Office applications to sync Office files that I open.",
      "property_order": 55,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "boolean"
        }
      ],
      "options": {
        "infoText": "EnableAllOcsiClients"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://support.office.com/article/8a409b0c-ebe1-4bfa-a08e-998389a9d823"
        }
      ]
    },
    "EnableODIgnore": {
      "title": "EnableODIgnore",
      "description": "This setting lets you enter keywords to prevent the OneDrive sync app from uploading certain files to OneDrive or SharePoint. You can enter complete names, such as (setup.exe) or use the asterisk (*) as a wildcard character to represent a series of characters, such as *.pst. Keywords aren't case-sensitive. If you enable this setting, the sync app doesn't upload new files that match the keywords you specified. No errors appear for the skipped files, and the files remain in the local OneDrive folder. In Finder, the files appear with an (Excluded from sync icon). Users will also see a message in the OneDrive activity center that explains why the files aren't syncing. Set this setting's value to an integer between 50 KB/sec and the maximum rate of 100,000 KB/sec that determines the download throughput in KB/sec that the sync app can use.",
      "property_order": 60,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "array",
          "items": {
            "type": "string",
            "title": "Entries"
          }
        }
      ],
      "options": {
        "infoText": "EnableODIgnore"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "FilesOnDemandEnabled": {
      "title": "FilesOnDemandEnabled",
      "description": "This setting specifies whether Files On-Demand is enabled. We recommend keeping Files On-Demand enabled. See all our recommendations for configuring the sync app. If you don't set this setting, Files On-Demand will be enabled automatically as we roll out the feature, and users can turn the setting on or off. If you set this setting to True, FilesOnDemand is enabled and the users who set up the sync app can view the online-only files, by default. If you set this setting to False, FilesOnDemand is disabled and the users won't be able to turn it on.",
      "property_order": 65,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "boolean"
        }
      ],
      "options": {
        "infoText": "FilesOnDemandEnabled"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/ideal-state-configuration"
        }
      ]
    },
    "HideDockIcon": {
      "title": "HideDockIcon",
      "description": "This setting specifies whether a dock icon for OneDrive is shown. If you set this setting's value to True, the OneDrive dock icon is hidden even if the app is running.",
      "property_order": 70,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "boolean"
        }
      ],
      "options": {
        "infoText": "HideDockIcon"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "HydrationDisallowedApps": {
      "title": "HydrationDisallowedApps",
      "description": "This setting prevents apps from automatically downloading online-only files. You can use this setting to lock down apps that don't work correctly with your deployment of Files On-Demand. To enable this setting, you must define a string in JSON format as described below: [{(ApplicationId):(appId),(MaxBundleVersion):(1.1),(MaxBuildVersion):(1.0)}] (appID) can be either the BSD process name or the bundle display name. (MaxBuildVersion) denotes the maximum build version of the app that will be blocked. (MaxBundleVersion) denotes the maximum bundle version of the app that will be blocked.",
      "property_order": 75,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "string"
        }
      ],
      "options": {
        "infoText": "HydrationDisallowedApps"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "OpenAtLogin": {
      "title": "OpenAtLogin",
      "description": "This setting specifies whether OneDrive starts automatically when the user logs in. If you set this setting's value to True, OneDrive starts automatically when the user logs in on Mac.",
      "property_order": 80,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "boolean"
        }
      ],
      "options": {
        "infoText": "OpenAtLogin"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "SharePointOnPremFrontDoorUrl": {
      "title": "SharePointOnPremFrontDoorUrl",
      "description": "This setting specifies the SharePoint Server 2019 on-premises URL that the OneDrive sync app must try to authenticate and sync against. To enable this setting, you must define a string containing the URL of the on-premises SharePoint Server. Example: https://Contoso.SharePoint.com",
      "property_order": 85,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "string"
        }
      ],
      "options": {
        "infoText": "SharePointOnPremFrontDoorUrl"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "SharePointOnPremPrioritizationPolicy": {
      "title": "SharePointOnPremPrioritizationPolicy",
      "description": "This setting determines whether or not the client should set up sync for SharePoint Server or SharePoint in Microsoft 365 first during the first-run scenario when the email is the same for both SharePoint Server on-premises and SharePoint in Microsoft 365 in a hybrid scenario. If you set this setting's value to 1, it is an indication that OneDrive should set up SharePoint Server on-premises first, followed by SharePoint in Microsoft 365.",
      "property_order": 90,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "integer",
          "options": {
            "enum_titles": [
              "OneDrive should set up SharePoint in Microsoft 365 (Cloud Based) first",
              "OneDrive should set up SharePoint Server on-premises first"
            ]
          },
          "enum": [
            0,
            1
          ]
        }
      ]
    },
    "SharePointOnPremTenantName": {
      "title": "SharePointOnPremTenantName",
      "description": "This setting enables you to specify the name of the folder created for syncing the SharePoint Server 2019 files specified in the Front Door URL. If this setting is enabled, you can specify a TenantName that is the name the folder will use in the following convention: [OneDrive – TenantName] (specified by you) or [TenantName] (specified by you). If you do not specify any TenantName, the folder will use the first segment of the FrontDoorURL as its name. For example, https://Contoso.SharePoint.com will use Contoso as the Tenant Name in the following convention: [OneDrive – Contoso] or [Contoso]",
      "property_order": 95,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "string"
        }
      ],
      "options": {
        "infoText": "SharePointOnPremTenantName"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "Tier": {
      "title": "Tier",
      "description": "You can configure the OneDrive Standalone sync app to receive delayed updates. Defines the update ring for the computer. UpdateRing (String): This parameter has two different values. [Production] - The default update ring for OneDrive updates. [Insiders] - This update ring receives updates that are (pre-production) and that allow you to play with features before they are released. Note that builds from this ring may be less stable. [Enterprise] - This update ring (now called [Deferred]) receives updates after they have been rolled out through the Production ring. It also lets you control the deployment of updates. For more information about the update rings and the procedure used by the sync app for checking for updates, see The OneDrive sync app update process.",
      "property_order": 100,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "string"
        }
      ],
      "options": {
        "infoText": "Tier"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "UploadBandwidthLimited": {
      "title": "UploadBandwidthLimited",
      "description": "This setting defines the maximum upload throughput rate in KB/sec for computers running the OneDrive sync app. To enable this setting, set a value between 50 and 100,000 that is the upload throughput rate the sync app can use.",
      "property_order": 105,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "integer"
        }
      ],
      "options": {
        "infoText": "UploadBandwidthLimited"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    }
  }
}

Hopefully people can find this useful. @talkingmoose let me know if you see any issues with my schema - I'm still green behind the ears. I should note that I copied the format from the schema that Microsoft has for Edge.

talkingmoose
Moderator

@bcbackes, great minds were definitely thinking alike this weekend because I did the same thing! And, even better, I borrowed from Gray's Microsoft Edge manifest too because I like the addition of InfoText and Links.

I do know there are a few items that require a couple of settings — like AllowTenantList and BlockTenantList. There's a note on the documentation page that calls out these need the <true/> setting applied as well. (It's a strange way to create a list, but I added the settings to my manifest.)

FYI, I also opened a couple of issues with documentation on GitHub for EnableODIgnore and HydrationDisallowedApps. I don't understand why the documentation includes a dictionary in the example for the first one and the second one has an extra value that shouldn't be there. I made my manifests items the same way you did.

I do like the way you designed the SharePointOnPremPrioritizationPolicy item. I should've done that.

Here's what I put together: https://github.com/talkingmoose/jamf-manifests/blob/master/Microsoft%20Office%20supplemental%20prope...

I'll have to get feedback from folks too, because I don't have a good way to test either.

juliej
New Contributor II

Love your work, thank you. I was in the process of doing the same when I found this.

Hopefully this will get published to Jamf Pro's Configuration Profiles | Application & Custom Settings | Jamf Repository etc 

Am gradually replacing plist files with managed json configs in (Jamf repository or custom), easier for our Windows Admins to manage/understand without breaking stuff... 😀

bcbackes
Contributor III

@talkingmoose That's funny! I'm hoping you didn't spend as much time as I did (4-5 hours). I don't do these enough to remember what I did last time so I have to reteach myself each time. I too like the addition of the InfoText and Links used in the Edge manifest and now use that as a guide.

I especially like what you did having the link go right to the URL spot - I didn't know how to do that. Same for the "true" setting in the AllowTenantList - not sure why that is needed. It should be true by default. And I wasn't sure how to add the Tenant to the "DefaultFolderLocation" setting, but, you nailed that. I like the descriptions you used as well "Ignored File or Filetype 1" for the "Enabled Ignored Files" setting. Didn't even dawn on me to make it more descriptive for the person adding the info. Not to mention you changed the title for that setting from the original "EnableODIgnore". It's more user friendly and tells the person viewing it what it does if you don't have your secret decoder ring on you and don't know what EnableODIgnore means.

I was able to test my configuration profile for a little bit yesterday. I didn't get a chance to run all the settings through the wringer, but I did verify I couldn't add my personal OneDrive account to it and I also verified that it pulled in my Tenant info even without the "True" setting for the Allowed Tenants.

The only thing I found missing on yours was the "BlockExternalSync" setting and the "Tier" setting. I'll test yours out on my VM and see what happens. I'm glad I wasn't too far off the mark and was somewhat similar to yours.

PieQuest
New Contributor II

Here is what we use. The major difference is that the key names for 'AllowTenantList' & 'BlockTenantList' need to be the tenant ID.

https://pastecode.io/s/34721iky

EDIT: Updated code to include KFM and sync health options.
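
A pre-upload check for the tenant-list shape discussed in this thread, as an added example that is not code from any poster, Jamf or Microsoft. It assumes the accepted solution's layout (an array holding a dict whose keys are tenant IDs set to `<true/>`); the function name, sample plists and tenant ID are constructed for illustration.

```python
import plistlib
import re

# Assumed layout (from the accepted solution): an <array> holding a <dict>
# whose keys are tenant IDs, each set to <true/>.
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
TENANT_LIST_KEYS = ("AllowTenantList", "BlockTenantList")

def check_tenant_lists(plist_bytes):
    """Return a list of findings; an empty list means the tenant lists look right."""
    try:
        prefs = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed XML or a value the parser cannot use
        return [f"plist does not parse: {exc}"]
    if not isinstance(prefs, dict):
        return ["top-level object is not a <dict>"]
    findings = []
    for name in TENANT_LIST_KEYS:
        value = prefs.get(name)
        if value is None:
            continue
        if not isinstance(value, list) or not value:
            findings.append(f"{name}: expected a non-empty <array>")
            continue
        for i, entry in enumerate(value):
            if not isinstance(entry, dict) or not entry:
                findings.append(f"{name}[{i}]: expected a <dict> keyed by tenant ID")
                continue
            for tenant, flag in entry.items():
                if not GUID.match(tenant):
                    findings.append(f"{name}[{i}]: key {tenant!r} is not a GUID")
                if flag is not True:
                    findings.append(f"{name}[{i}]: {tenant!r} must be <true/>")
    return findings

# Constructed samples; the tenant ID is made up for this example.
def _sample(key, value_xml):
    return (b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>'
            b"<key>AllowTenantList</key><array><dict><key>" + key + b"</key>"
            + value_xml + b"</dict></array></dict></plist>")

TENANT = b"11111111-2222-3333-4444-555555555555"
GOOD = _sample(TENANT, b"<true/>")
BAD_BOOL = _sample(TENANT, b"<Bool>True</Bool>")  # the <Bool> form quoted in the question
BAD_KEY = _sample(b"My_Company", b"<true/>")      # a name instead of the tenant ID

if __name__ == "__main__":
    for label, data in (("good", GOOD), ("Bool", BAD_BOOL), ("key", BAD_KEY)):
        print(label, check_tenant_lists(data) or "ok")
```

Running it against the payload before pasting it into a Custom Settings profile catches the empty `AllowTenantList=[{}]` case without a deployment round trip.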

brownni
New Contributor

Hello. Is there an updated manifest script that includes the KFM (Known Folder Move) options?

KFMBlockOptIn
KFMBlockOptOut
KFMOptInWithWizard
KFMSilentOptIn

Look at the accepted solution. You should be able to manipulate that to add the keys/values you want. Probably look something like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AllowTenantList</key>
    <array>
        <string>00000000-0000-0000-0000-0000000000</string>
    </array>
    <key>BlockExternalSync</key>
    <true/>
    <key>DisablePersonalSync</key>
    <true/>
    <key>DisableTutorial</key>
    <true/>
    <key>FilesOnDemandEnabled</key>
    <true/>
    <key>KFMBlockOptIn</key>
    <true/>
</dict>
</plist>

Can we use this example in the Talking Moose file to completely block the use of OneDrive on macOS?

Thank you.

To block end users from running OneDrive, just use Restricted Software in Jamf Pro. You wouldn’t use a configuration profile for this.

I am not sure why I did not think of that, so silly.

Thank you!

PieQuest
New Contributor II

Ya, here is our updated one, https://pastecode.io/s/34721iky

It also includes the OneDrive sync health opt-in option, which has been super handy.

brownni
New Contributor

Thanks everyone.

blacktip
New Contributor II

@talkingmoose Very handy what you built. Is there an updated release that supports KFM? We're trying to programmatically push this to all users.

Lately, I’ve been pointing folks to the Jamf manifests at https://github.com/Jamf-Custom-Profile-Schemas/ProfileManifestsMirror/. These are automatically generated from the manifests created for Profile Creator and iMazing Profile Editor, which are well maintained.

I see several KFM keys in this Jamf manifest. See if this meets your needs.

https://github.com/Jamf-Custom-Profile-Schemas/ProfileManifestsMirror/blob/main/manifests/ManagedPre...

blacktip
New Contributor II

Thank you so much! Great tip on the ProfileManifestsMirror as well.