“Your organization doesn’t allow you to download, print, or sync using this device. To use these actions, use a device that’s joined to a domain or marked compliant by Intune.”
This message was displayed, if i shared a file in onedrive with a person who has a private mail account. The person was not able to download the file. The file could be edited but not download. So i tested it out myself. I shared a file with my private file on my business pc. It was the same message:
It was strange. The same computer which was managed by intune. There was no conditional access policy which was causing it and no endpoint protection or other policy. It was still blocking the download.
The solution is in SharePoint Admin Center
The solution is really simple, but not easy to find. In the SharePoint Admin Center in the section Policies / Access Control (https://yourdomain-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/accessControl)
In the section about unmanaged devices: Restrict access from devices that aren’t complaint or joined a domain you have three options:
If you activate Allow limited web-only access, this behaviour is configured. You shoud Allow full access (first option). Then your user with private mail account will be able to download the file. If you change the setting it might take some minutes, till it will be reflected. So the solution is to activate “Allow full access from desktop apps, mobile apps and the web”
Important Note
If you change one of those settings in SharePoint Online Admin Center, you should be aware that this will create a conditional access policy. Depends on what you are select and save there will be two or more conditional access policies. You can find them at this link in your azure portal: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies
In my personal view the note in the SharePoint Online Admin center where you configure the unmanaged device setting is not clearly enough stating that this will happen as there is written:
The setting you select here will apply to all users in your organization. Learn more. To customize conditional access policies, save your selection and go to the Azure AD admin center.
I would prefer if this statement would be more clear, that this will create conditional access policies and that you should check if they fit to your organizational settings. But if you delete on of those conditional acess policies, the setting in SharePoint Online Admin center for “Allow limited, web-only access” seems to work in any kind of way anyway.
Leave a Reply
You must be logged in to post a comment.