Group Policy Settings¶

From the Cluster Management Dashboard or the Tenant Management Dashboard choose the Group Policy Home icon.

_images/image_1-1-1.png

Then select Common Settings to access the following settings categories: Security, Sharing, File Locking Client Setting Manager, Retention Policy and Anti-Virus/Ransomware.

_images/image_1-1-2.png

Security¶

Location: Group Policy Home > Common Settings > Security

_images/image_1-2-1.png

Allow Cluster Admin to manage my tenant¶

There are two management scopes, one at the cluster level and one at tenant level. This document is generally about the Cluster Management scope of control and operations; however, if a setting isn’t visible at this level it will be highlighted in this way, Scope = Tenant Management .

Enable authenticating user with Google Apps credential¶

When delegate admin login via server agent, impersonate as tenant admin¶

Accessing management related pages from Intranet Only¶

File upload and download must go through worker node¶

Sharing¶

Location: Group Policy Home > Common Settings > Sharing

_images/image_1-3-1.png

User must login to access file/folder shared to him/her¶

Disable user’s ability to share home directory content externally¶

Enable internal public share URL¶

Disable Public Link¶

Show guest user creation option¶

_images/image_1-3-2.png

Enable distribution group detection in the file/folder sharing’s user interface¶

Show user list in sharing dialog¶

Show guest user list in sharing dialog¶

Show group list in sharing dialog¶

_images/image_1-3-3.png

Allow user to enter share name¶

Don’t append email to shared object name under “Files Shared With Me”¶

Disable folder sharing¶

Enforce password protection¶

Expiration Time for Shared Folder/File (Days)¶

_images/image_1-3-4.png

Maximum Share Expiration Time (Days)¶

Notify share owner n days before share expiring (0 = do not notify)¶

Expiration Time for public links (Days)¶

Don’t create guest user account if the recipent is from following domains¶

_images/image_1-3-5.png

Only allow sending shares to the specified domain(s)¶

Default folder to store attachments from Outlook plugin¶

File Locking¶

Location: Group Policy Home > Common Settings > File Locking

_images/image_1-4-1.png

Enable distributed locking when accessing files¶

Lock file exclusively¶

_images/image_1-4-2.png

Automatically open file in read only mode when file is locked and “Lock file exclusively” is not checked¶

Delay sync until file is unlocked¶

Unlock file after it is uploaded¶

After the file is uploaded, unlock the file.

Lock file natively on network shares¶

Lock file natively for files inside an attached folder from server agent¶

_images/image_1-4-3.png

Enable scheduled sync for files with the following extensions¶

How often to sync the files with above extensions

Apply lock only to following process (lower case)¶

Apply lock only to the following Mac process (lower case)¶

Locking is disabled for files with the following extensions¶

Client Setting Manager¶

Location: Group Policy Home > Common Settings > Client Setting Manager

_images/image_1-5-1.png

Sync Throttle¶

_images/image_1-5-2.png

Enable Throttle Sync

Sync Throttled Upload Bandwidth (KB/s, 0-Unlimited)

Sync Throttled Download Bandwidth (KB/s, 0-Unlimited)

Full Speed Sync Stop Hour (default 7:00)

Full Speed Sync Start Hour (default 20:00)

Scheduled Sync¶

_images/image_1-5-3.png

Enable Scheduled Sync

Pause Sync Start Hour (default 7:00)

Pause Sync End Hour (default 20:00)

Mapped Drive Control¶

_images/image_1-5-4a.png

Hide Large File Download Tracker

Always Allow Picture Preview

Always Allow PDF Preview

Allow shortcuts

Disable mount drive (Server Agent Only)

When starting the client, open the mounted drive Automatically

Do not show file change notifications

_images/image_1-5-4b.png

Do not show file in-place editing/preview disabled notifications

Enable In-Place Open Zip/Exe File

Enable Single Sign On with login windows user identity

Max Size of Zip File Allowed to Open In-Place (MB)

Max Size of File Allowed to Generate Thumbnail (MB)

Cloud Drive Label

Drive Letter

_images/image_1-5-4c.png

Cache Size Limit (MB)

Minimal free disk space (GB)

Purge logging db n days old

Mount Drive in global space (Windows Client Only)

In offline mode, only show files that are cached and available locally

Disable “Check Out”

Encrypt Local Cache

Disable AutoCad Optimization

Large File Upload¶

_images/image_1-5-5.png

Enable chunk uploading when file size larger than (MB)

Chunk file in the unit of (MB)

Use Volume Shadow Copy to Upload Files being Opened

Endpoint Protection¶

_images/image_1-5-6.png

Backup “My Documents” folder

Backup to location

Leave empty for default location. (e.g., myroot/ or or /My Documents)

Backup “My Pictures” folder

Backup to location

Bandwidth Control¶

_images/image_1-5-7.png

Download Bandwidth Limit (KB/s, 0-Unlimited)

Upload Bandwidth Limit (KB/s, 0-Unlimited)

Number of File Transfer Threads

Outlook Plugin¶

_images/image_1-5-8.png

Prompt for conversion only when the file is larger than n KB (0 = unlimited)

Default folder to store attachments from Outlook plugin (/folder/subfolder)

Link expiration time

Client Startup Script¶

_images/image_1-5-9.png

Client Shutdown Script¶

_images/image_1-5-10.png

Mac Client Settings¶

_images/image_1-5-11.png

Do not show Mac Client sync status pop up dialog

Start Mac client automatically

Retention Policy¶

Location: Group Policy Home > Common Settings > Retention Policy

_images/image_1-6-1a.png

Keep last n version(s) of files in versioned folder¶

Only purge versioned files that are more than n day(s) old¶

Purge previous versions that are more than n day(s) old¶

Keep deleted files in versioned folder and/or Trash Can for n day(s)¶

_images/image_1-6-1b.png

Keep file change log for n day(s)¶

There is also a cluster setting about the file change log length. The cluster setting overrides the per-tenant setting.

Keep audit trace for n day(s)¶

Hide purge option from web file browser¶

Don’t send email notifications when purging deleted content¶

Include deleted but not yet purged items in storage quota¶

Anti Virus/Ransomware¶

Location: Group Policy Home > Common Settings > Anti Virus/Ransomware

_images/image_1-7-1.png

Only allow the following processes to update files¶

The following executables will not be allowed to open files directly from the cloud drive¶

Disable a device if the device changes more than n files in 10 minutes¶

Ignore the following processes when applying the above policy¶

Disable uploading of files whose named contain the following text patterns¶

Disable uploading of files whose names start with the following strings¶

Disable uploading of files whose names start with the following strings¶

Account & Login¶

_images/image_2-1-2.png

User Account¶

Location: Group Policy Home > Account & Login > User Account

_images/image_2-2-1.png

Guest User¶

Allow creation of guest user

Account Info¶

Allow user to edit account info

2-Step Verification¶

_images/image_2-2-2.png

Enforce 2-Step Verification on users

Disable 2-Step Verification

_images/image_2-2-3.png

Do NOT enforce 2-Step Verification on guest users

Disable option to request 2-step authentication code by mail

Do not send authentication code in email subject

Login Control¶

_images/image_2-2-4.png

Account Lockout Threshold

Enforce progressively longer waiting times after invalid logon attempts

Send email notification when logging in from a new location/device

Native Client Token Timeout (days, 0 = never timeout)

Web Browser Session Timeout (minutes, 0 = never timeout)

Max Device Count (Concurrent Device Count) for Each User (0-Unlimited)

Password Policy¶

Location: Group Policy Home > Account & Login > Password Policy

_images/image_2-3-1.png

Enforce password policy for non-AD users¶

Minimum password length

Users must change password every n days

Must contain upper-case characters

Must contain lower-case characters

Must contain base10 digits (0-9)

Must contain non-alphanumeric characters: (e.g., ~ ! @ # $ % ^ &)

Single Sign On¶

Location: Group Policy Home > Account & Login > Single Sign On

_images/image_2-4-1.png

Step 1: Register the Cluster Server at IdP

_images/image_2-4-3.png _images/image_2-4-4.png _images/image_2-4-5.png _images/image_2-4-6.png

Step 2: Now SSOCircle at the Cluster Server side

_images/image_2-4-7.png _images/image_2-4-8.png _images/image_2-4-2.png

Step 3: Login at the IdP, but use service at SP

_images/image_2-4-10.png

Azure AD¶

Location: Group Policy Home > Account & Login > Azure AD

_images/image_2-5-1.png

Enable Authentication via Azure AD¶

_images/image_2-5-2.png

Domain Name

_images/image_2-5-2b.png

Native Application Client ID

_images/image_2-5-3.png

_images/image_2-5-4.png

Folder & Storage¶

_images/image_3-1-2.png

Home Directory¶

Location: Group Policy Home > Folder and Storage > Home Directory

_images/image_3-2-1.png

Default storage quota for new user (GB, 0-unlimited)¶

Create default folder (Documents, Pictures)¶

Use user email to generate home directory name¶

Use user’s samAccountName to generate home directory names for Active Directory users¶

Publish user’s home drive¶

Mount user’s home drive as a top level folder

Folder Name

Folder and Storage¶

Location: Group Policy Home > Folder and Storage > Folder and Storage

_images/image_3-3-1.png

Allow users to attach external cloud storage¶

Disable versioned folder¶

Disable Trash Can¶

Don’t show folder that user doesn’t have read permission¶

Don’t show team folder that the user doesn’t have read permission to the underlying folder¶

Don’t show Trash Can for non-admin user¶

Do not append ‘(Team Folder)’ to published folder¶

Attached Folder¶

Location: Group Policy Home > Folder and Storage > Attached Folder

_images/image_3-4-1.png

Disable backup/attach local folder from client device¶

Enable snapshot backup for server agent¶

Allow syncing of empty file¶

Allow syncing of hidden files¶

Enable scheduled sync for files with the following extensions¶

How often to sync the files with above extensions

Allow attaching folders in proxy mode¶

Filters¶

Location: Group Policy Home > Folder and Storage > Filter

_images/image_3-5-1.png

Files with following extension will be excluded from attached local folder¶

Files with following extension will be excluded from directory listing¶

Inplace editing/Preview is disabled for files with following extension¶

Allow file without file name extension¶

Client Control¶

_images/image_4-1-2.png

Web Portal¶

Location: Group Policy Home > Client Control > Web Portal

_images/image_4-1-3a.png

Disable folder download from web client¶

Disable Search¶

Web Browser - Disable Java Uploader¶

Web Browser - Disable Flash Uploader¶

Web Browser - Disable Local Uploader¶

Enable Tabbed-Browsing in User Manager¶

Only show search interface in User Manager¶

Show tutorial page for non-admin users¶

_images/image_4-1-3b.png

Show team folder level permissions in team folder publishing dialog¶

Disable ‘Publish Tenant Home Storage As a Team Folder’¶

Confirm before moving via drag-and-drop¶

Show left tree view by default¶

Do not show “recent activities”¶

Show “link to local” option to non-admin user¶

Show max count of file/folder items¶

Native Client¶

Location: Group Policy Home > Client Control > Native Client

_images/image_4-2-1a.png

Create shortcut in documents library¶

Create shortcut on Desktop¶

Hide Settings in the Windows Client Management Console¶

Don’t Allow Setting Changes in the Windows Client Management Console¶

Disable Windows Client In-Place Drag & Drop Uploading¶

_images/image_4-2-1b.png

Disable ‘Auto-Login next time’¶

Disable drag & drop handler¶

Requiring approval for device access¶

Enable auto-installation of the Outlook Plugin¶

Disable native client for guest users¶