Known issue: "Your organization doesn't allow you to download, print, or sync using this device."

When accessing OneDrive, SharePoint or other Microsoft 365 apps in a browser, you may see a message at the top of the window that says "Your organization doesn't allow you to download, print, or sync using this device. To use these actions, use a device that's joined to a domain or marked compliant by Intune. For help, contact your IT department."

This can happen for three different reasons:

  1. Applies to all users:
    Your device is not managed (i.e. not enrolled in Intune device management).

  2. Applies only to users in Conditional Access pilot:
    Your device is managed but does not meet the minimum requirements defined in the device compliance and conditional access policies.

  3. Applies only to users in Conditional Access pilot:
    Your device is managed and compliant, but you are using the Mozilla Firefox or Google Chrome browser rather than Microsoft Edge (recommended).

Managed vs. Unmanaged

The University of Windsor has adopted a comprehensive approach to managing all computers and mobile devices within the organization using best practices and the latest technologies. Intune combined with Azure AD provides device and application management, corporate data protection, identity management and directory services. This applies both to devices that are owned by the University and to user-owned devices that are used for work or school.

Our current policy is not to allow syncing of OneDrive and SharePoint files to computers that are not managed (i.e. not enrolled in the Intune device management platform). This extends to downloading copies of those files as well. This security measure is designed to prevent people from storing sensitive University documents on home computers that may not be sufficiently secured, that is, computers that may be used by multiple family members on a shared Windows profile that does not require a password, or computers that may be infected with malware because they lack adequate virus protection or are missing important Windows security updates. Users of unmanaged computers can only view files that you share with them. They cannot download, print or sync them.

Compliance and Conditional Access

Devices that are managed (i.e. enrolled in Intune) are required to meet certain minimum requirements before they can access sensitive data and/or systems. See these articles for more details:

Users of managed devices that do not meet these requirements, and are therefore marked as not compliant, will see this message displayed in the browser when accessing OneDrive or SharePoint files.

Browsers

The Mozilla Firefox and Google Chrome browsers do not have native support for Microsoft Single Sign-On (SSO) and Conditional Access. To avoid running into this issue, we recommend using the Microsoft Edge browser, which is best suited for enterprise environments. Users who want to use Mozilla Firefox or Google Chrome need to enable this functionality in their browser settings.

Google Chrome

For the Google Chrome browser to support device authentication and conditional access, you must install the Windows 10 accounts extension.

  1. Launch the Google Chrome browser and navigate to Chrome Web Store - Extensions (https://chrome.google.com/webstore/category/extensions).
  2. Type Windows Accounts in the search bar and press Enter.
  3. Click on Windows Accounts.
  4. Click on the Add to Chrome button.
  5. Click on the Add extension button.
  6. Click on Turn on sync (optional) to sync this extension to your other devices.
  7. To see if this extension was installed, go to Settings.
  8. Click on Extensions on the left side of the window.

Mozilla Firefox

Starting with Firefox version 91, Mozilla supports single sign-on (SSO) and device-based Conditional Access. The feature needs to be enabled in Firefox settings.

  1. Launch the Firefox browser and go to Settings.
  2. Click on Privacy & Security.
  3. Scroll down to the Logins and Passwords section.
  4. Ensure that the box next to "Allow Windows single sign-on, work, and school accounts" is checked. If you do not see this option, you may need to upgrade Firefox to the most recent version.

Details

Article ID: 142811
Created: Wed 4/20/22 2:54 PM
Modified: Thu 9/15/22 12:02 PM

Related Articles (4)

This article applies to personal Windows 10 computers (i.e. computers purchased with personal funds) that are used for work or school (i.e. that use University of Windsor licensed software to access University systems and data). This scenario is described as "Bring Your Own Device" (BYOD).
At the University of Windsor, Intune combined with Azure AD provides device and application management, corporate data protection, identity management and directory services.
In order for your work computer to be deemed as compliant, it must meet a number of requirements. Non-compliant devices will not be able to access some of the resources and systems.