When accessing OneDrive, SharePoint or other Microsoft 365 apps in a browser, you may see a message displayed at the top of the window that says "Your organization doesn't allow you to download, print, or sync using this device. To use these actions, use a device that's joined to a domain or marked compliant by Intune. For help, contact your IT department."
This can happen for three different reasons:
- Applies to all users:
You are using an external email address (one that does not end with @uwindsor.ca) and you have not been added as a guest in the UWindsor organization. If you are attempting to share a folder with external colleagues or collaborators and they have not previously been added as guests, you have two options:
- Share the entire Team with them, which will auto-add them as a guest.
- If you only want to share an individual folder or file, please submit a ticket and request that IT Services add them as a guest.
Once they are guests in the organization, you won't need to add them again when sharing different folders or files in different Teams in the future.
- Applies only to users in Conditional Access pilot:
Your device is managed but does not meet the minimum requirements defined in the device compliance and Conditional Access policies.
- Applies only to users in Conditional Access pilot:
Your device is managed and compliant, but you are using the Mozilla Firefox or Google Chrome browser rather than Microsoft Edge (recommended).
Managed vs. Unmanaged
The University of Windsor has adopted a comprehensive approach to managing all computers and mobile devices within the organization using best practices and the latest technologies. Intune combined with Azure AD provides device and application management, corporate data protection, identity management and directory services. This applies both to devices that are owned by the University and to user-owned devices that are used for work or school.
Our current policy is not to allow syncing of OneDrive and SharePoint files to computers that are not managed (i.e. not enrolled in the Intune device management platform). This security measure is designed to prevent people from storing sensitive University documents on home computers that may not be sufficiently secured: computers that may be used by multiple family members on a shared Windows profile that does not require a password, or that may be infected with malware because they lack adequate virus protection or are missing important Windows security updates.
Compliance and Conditional Access
Devices that are managed (i.e. enrolled in Intune) are required to meet certain minimum requirements before they can access sensitive data and/or systems. See these articles for more details:
Users of managed devices that do not meet these requirements, and are therefore marked as not compliant, will see this message displayed in the browser when accessing OneDrive or SharePoint files.
Browsers
The Mozilla Firefox and Google Chrome browsers do not have native support for Microsoft Single Sign-On (SSO) and Conditional Access. To avoid running into this issue, we recommend using the Microsoft Edge browser, which is best suited for an enterprise environment. Users who want to use Mozilla Firefox or Google Chrome need to enable this functionality in their browser settings.
Google Chrome
For the Google Chrome browser to support device authentication and Conditional Access, you must install the Windows 10 accounts extension.
- Launch the Google Chrome browser and navigate to Chrome Web Store - Extensions (https://chrome.google.com/webstore/category/extensions)
- Type Windows Accounts in the search bar and press Enter.
- Click on Windows Accounts
- Click on the Add to Chrome button
- Click on the Add extension button
- Click on Turn on sync (optional) to sync this extension to your other devices
- To see if this extension was installed, go to Settings.
- Click on Extensions on the left side of the window.
Mozilla Firefox
Starting with Firefox version 91, Mozilla supports single sign-on (SSO) and device-based Conditional Access. The feature needs to be enabled in Firefox settings.
- Launch the Firefox browser and go to Settings
- Click on Privacy & Security
- Scroll down to the Logins and Passwords section
- Ensure that the box next to "Allow Windows single sign-on, work, and school accounts" is checked. If you do not see this option, you may need to upgrade your Firefox to the most recent version.
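For support staff who want to confirm the Chrome and Firefox settings described above without clicking through each browser, the following is an added example and not part of the original article. It assumes the Firefox checkbox is stored as the preference `network.http.windows-sso.enabled` and that the Windows Accounts extension has the Chrome Web Store ID shown in the code; neither identifier appears on this page, and the profile folder paths are supplied by the caller.

```python
import re
from pathlib import Path

# Firefox preference behind the "Allow Windows single sign-on ..." checkbox
# (identifier not stated in the article).
SSO_PREF = "network.http.windows-sso.enabled"
# Chrome Web Store ID of the Windows Accounts extension (not stated in the article).
WINDOWS_ACCOUNTS_ID = "ppnbnpeolgkicgegkbkbjmhlideopiji"

# Matches lines such as: user_pref("some.name", true);
_PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)


def read_bool_pref(text, name):
    """Return True/False for the last assignment of `name`, or None if absent."""
    value = None
    for key, raw in _PREF_RE.findall(text):
        if key == name and raw in ("true", "false"):
            value = raw == "true"
    return value


def firefox_sso_enabled(profile_dir):
    """Check a Firefox profile folder. user.js is applied over prefs.js at
    startup, and a pref that is never written keeps its default (treated as off)."""
    enabled = False
    for fname in ("prefs.js", "user.js"):
        path = Path(profile_dir) / fname
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            found = read_bool_pref(text, SSO_PREF)
            if found is not None:
                enabled = found
    return enabled


def chrome_extension_installed(profile_dir):
    """Chrome unpacks each installed extension under
    <profile>/Extensions/<id>/<version>/. This shows the extension is installed,
    not that it is switched on in the Extensions page."""
    ext_dir = Path(profile_dir) / "Extensions" / WINDOWS_ACCOUNTS_ID
    return ext_dir.is_dir() and any(p.is_dir() for p in ext_dir.iterdir())
```

Close the browser before checking, since Firefox writes prefs.js on exit and a running session may not have saved the change yet.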