Tuesday, September 3, 2013

SkyDrive Pro Sync Considerations

Initial Thoughts

I was recently asked whether it is possible to turn off the sync capability of SkyDrive Pro.

Before we go down the path of showing you how, let’s put this into perspective.

From a historical perspective, Microsoft acquired a technology several years ago called Groove which could sync documents offline. In the SharePoint 2010 timeframe, a solution called the SharePoint Workspace 2010 was created to sync documents and data offline (http://technet.microsoft.com/en-us/library/ee649102(v=office.14).aspx). The SharePoint Workspace 2010 client is a good solution and can still be used with SharePoint 2013 – I wrote a blog about this a few months ago - http://www.astaticstate.com/2013/04/skydrive-pro-sync-and-sharepoint-2010.html.

With SharePoint 2013 (and available in SharePoint Online) there is the new SkyDrive Pro Sync Client. When it was first released there was some confusion. Here are some important points:

So what is the concern, given that the Sync capability is a great solution that allows end users to work on documents stored centrally in a corporate resource that is managed and discoverable? Well, some may have concerns about providing a capability that easily allows users to download large amounts of documents. Let’s address that from multiple angles, as this can be mitigated.

  • Information Architecture – An organization must make a determination of how to manage the content and who will have access to it. SharePoint Online can be configured so that content that is of high business impact is accessible to smaller amounts of people using granular access controls. Additionally there is audit reporting available to track access to content and how it is being utilized.
  • Device Connectivity – I think this is overlooked the most. Remember your organization will have IT policies that dictate who can connect to your SharePoint Online and SkyDrive Pro. For instance, if you want to lock access to content by devices, use ADFS Client Access policies to control where devices can connect from to access your cloud content. A common scenario is to allow only specific IP ranges, so that only devices connecting from the corporate network or VPN get access. As well, your IT staff should already have policies around what devices are allowed on the network. They probably have MDM Wipe Solutions or encryption solutions (like BitLocker) to ensure the content is protected on those devices. You can even incorporate solutions such as Forefront Unified Access Gateway (UAG) to do endpoint protection for remote devices connecting. With this, you know that if content is being Sync’ed it is protected by your corporate policies.
  • Authentication - Utilization of ADFS also ensures that a corporate username and password are used to access the content; even two-factor authentication can be required. These policies are under your organization’s control and are not managed by Office 365 or SharePoint Online.
  • Data Loss Protection (DLP) – AD RMS can be incorporated into document libraries which store high impact documents – read up on it here - http://office.microsoft.com/en-us/office365-sharepoint-online-enterprise-help/set-up-information-rights-management-irm-in-sharepoint-online-HA102895193.aspx.
  • Etc.

Ultimately it is a question of how you want your end users to access your content management services, and you have control over your data. Blindly turning off Sync is not really the total answer, because remember that all Enterprise Content Management systems need to allow their users to download documents.

Configuration

At this point you have still identified scenarios where you need to limit the ability for end users to do Sync of content. There can be numerous reasons why. Let’s talk through how you would do it for SharePoint Online.

Specifically there is a property on a SharePoint List called ExcludeFromOfflineClient. This was originally introduced in SharePoint 2010 to block people using the SharePoint 2010 Workspace. This same property is also used to block SharePoint 2013 Sync capability.

Option - PowerShell

If you are an on-premise SharePoint 2013 customer, no problem: PowerShell can easily be written to remove the ability to Sync. Please review this reference - http://technet.microsoft.com/en-us/library/dn169080.aspx

However if you are a SharePoint Online organization, the SharePoint Online PowerShell for SPOSite does not support ExcludeFromOfflineClient - http://technet.microsoft.com/en-us/library/fp161397.aspx.

Option – Turn Off via UI

As many of you know, the Sync button is available in the top right hand corner. Getting rid of it is pretty simple.

Go to Site Settings >> Search >> Search and Offline Availability >> and turn the Offline Client Accessibility to No.

The result is that the Sync button is removed. The only consideration for this option is that it removes the Sync capability from the entire site and all the document libraries in that site. It will not remove the Sync button from each sub site.

Option – Using the Sandbox Solution

I did some digging and saw that the ExcludeFromOfflineClient property was available in the SharePoint Sandbox API and is supported in SharePoint Online - http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.splist.excludefromofflineclient(v=office.14).aspx.

I then looked at the SharePoint 2013 listing of that API to see if it was supported for Sandbox or SharePoint Online but there was no mention - http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.splist.excludefromofflineclient(v=office.15).aspx.

My goal was to create a solution for SharePoint Online administrators that will allow them to disable a large amount of sites without having to manually disable the Sync capability on each and every site. My idea was that you could create a Feature that uses the FeatureActivated event handler to flip the ExcludeFromOfflineClient property to false. I was able to confirm that yes, it does work.

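// Requires: using Microsoft.SharePoint;
public override void FeatureActivated(SPFeatureReceiverProperties properties)
{
    // The Feature is web-scoped, so its parent is the SPWeb it was activated on.
    SPWeb web = properties.Feature.Parent as SPWeb;
    if (web == null) return;

    SPList list = web.GetList("Documents");

    // true = exclude this library from offline clients (removes Sync).
    list.ExcludeFromOfflineClient = true;
    list.Update();
    web.Update();
}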

Ultimately you will need to write some code to recursively loop over all the sites and libraries to remove the Sync capability. The only limitation of this solution is that a Site Administrator has the ability to go back and turn Sync back on. That issue can be dealt with by rerunning the feature or training your Site Administrators.
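The recursive loop described above could look like the following. This is an added example, not Ed Hild’s snippet or code from the original post; the class name DisableSyncReceiver and the helper DisableSync are hypothetical, and it assumes a web-scoped Feature as in the snippet above.

```csharp
using System.Collections.Generic;
using Microsoft.SharePoint;

public class DisableSyncReceiver : SPFeatureReceiver   // hypothetical class name
{
    public override void FeatureActivated(SPFeatureReceiverProperties properties)
    {
        // Web-scoped feature: the parent web is owned by SharePoint
        // and must not be disposed here.
        SPWeb web = properties.Feature.Parent as SPWeb;
        if (web != null)
        {
            DisableSync(web);
        }
    }

    // Hypothetical helper: sets ExcludeFromOfflineClient on every visible
    // document library in this web, then recurses into its subsites.
    private static void DisableSync(SPWeb web)
    {
        // Snapshot first: calling Update() while enumerating web.Lists
        // can invalidate the collection.
        var libraries = new List<SPList>();
        foreach (SPList list in web.Lists)
        {
            if (list.BaseType == SPBaseType.DocumentLibrary && !list.Hidden)
            {
                libraries.Add(list);
            }
        }

        foreach (SPList library in libraries)
        {
            if (!library.ExcludeFromOfflineClient)
            {
                library.ExcludeFromOfflineClient = true;
                library.Update();
            }
        }

        foreach (SPWeb child in web.Webs)
        {
            try { DisableSync(child); }
            finally { child.Dispose(); }   // subwebs obtained from Webs must be disposed
        }
    }
}
```

The loop only covers libraries and subsites that exist when the Feature is activated; anything created afterwards keeps Sync until the Feature is run again.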

Since this is a Feature, you can get a lot more creative too. For instance you could build an entire UI to manage the Sync capability on a per-library basis, you can make a library template, you can make a ribbon button, etc.

My colleague Ed Hild created the code snippet for me as I had not installed Visual Studio on my new machine – scary – thanks Ed.

Non-Option – Client Side Object Model

This is something I at least investigated but is not possible. If you look at the CSOM API for List you will see that ExcludeFromOfflineClient is not available - http://msdn.microsoft.com/en-us/library/office/microsoft.sharepoint.client.list.aspx.

Non-Option – Disable the Sync client

This is something I at least explored but determined it was not the best approach.

As I mentioned earlier, the Sync client is part of Office 2013 and is available as a standalone install for Office 2010, 2007, etc. Yes, it is possible to create group policies that do not allow the standalone Sync client to be installed. However, if you are using Office 2013, I did not find a quick solution to block it.

Plus it is just not a realistic option. From a management perspective you should create policies based on your information architecture that drive security which is implemented by your SharePoint Online configuration. You will identify types of content where you may not want to allow syncing and therefore you will turn it off using the options I discussed above.
