CloudConnect Documentation
General Technical Overview
Profiles are configured and updated through the cloud web interface.
Device profiles apply machine-based settings, such as deploying OneDrive with single sign-on and automatically cleaning up disk space when users have not logged in recently.
User profiles apply user-based settings, such as redirecting common folders and connecting specific drives at logon.
Our agent MSI, which contains your subscription identifier, is then deployed to your devices. The identifier allows the agent to always read your latest profile configuration from the cloud.
Contents
- Requirements & Compatibility
- Profiles
- Overview
- Configuring Device Profiles
- Configuring User Profiles
- Configuring Folder Redirection
- Configuring Shared Locations
- Assigning Profiles and Priorities
- Duplicating Profiles
- Devices
- Users
- Account
- Notifications and Troubleshooting
- Overview
- Agent Communications
- Agent Sync
- Agent Flags
- External Folder Redirection policies
- Folder Redirection failures detected
- Group Policy: Microsoft Edge Control where developer tools can be used is blocking Web Client
- Group Policy: Prevent access to drives from My Computer might be blocking C
- Group Policy: Prohibit User from manually redirecting Profile Folders might be preventing redirection
- Group Policy: Prevent the usage of OneDrive for file storage is enabled
- Low disk space on device
- OneDrive Client not found as per machine installation
- OneDrive Sync Folder for user not found
- Shared PC mode is enabled which prevents the usage of OneDrive for file storage
- User Profile: Temporary, roaming or mandatory user profile detected
- Web Client installation could not be validated
- Agent helper
- Limitations and Expected Behaviour
Requirements & Compatibility
- An active Office 365 Subscription with OneDrive for Business licences assigned to your users.
- Windows based devices for MSI deployment of the CloudConnect agent.
- Microsoft Azure AD Connect with seamless single sign on or ADFS for on-prem domain joined devices (not required if Azure AD joined).
- Compatible with Windows 10 x64 build 1809 to 24H2, Windows 11 x64 build 21H2 to 24H2 and session based Remote Desktop Services on Windows Server 2022.
- Web Client requires Microsoft Edge Browser v96 to v126.
- Roaming, Mandatory, and Temporary user profiles are not supported.
Additional configuration considerations can be seen under agent flags.
Profiles
A single device profile can apply to a device, and a single user profile can apply on each logon session, with precedence controlled by priorities.
Device profiles apply machine-based settings, such as deploying the OneDrive client with single sign-on and automatically cleaning up disk space when users have not logged in recently.
User profiles apply user-based settings, such as redirecting common folders and connecting specific drives at logon.
Profile Name
Each profile has a name, which is the name you see in the web-based management. The profile name is also written to the event log on the local machine as the profile is applied.
Profile Priority
Where multiple profiles are assigned, the priority controls which profile takes precedence over another. The default is 10; a lower number has a higher priority over other assigned profiles. For more detail, see assigning profiles and priorities.
Notes
Can be used to store useful administrative information about the profile, such as "created to connect engineering drives for joe bloggs".
Device Profiles
Device profiles apply to the machine the agent is deployed to, affecting all users who logon to that device.
OneDrive for Business
Configure OneDrive as per machine installation
By default, Microsoft Windows installs OneDrive per user, in the local app data for each user. Enabling this option will trigger the download and installation of the latest OneDrive client into C:\Program Files\Microsoft OneDrive, where it is accessible to all users without a re-install at each new logon.
Enable Single Sign On
Configures OneDrive client to automatically sign in the logged on user into their OneDrive via Azure AD Connect SSO, ADFS or Azure AD Joined.
OneDrive Connection Timeout
By default, the agent will wait 120 seconds for OneDrive to connect, before throwing an on-screen error. For devices connected over VPN, or machines that install lots of apps on first logon, you may wish to extend this timeout.
Disk Cleanup
Disk cleanup runs in the background to clean up locally cached OneDrive data when the user is not logged in.
You can configure a number of days to keep local cached data and/or configure free space to be maintained at a percentage.
This function cleans up OneDrive data only and does not remove any other local profile settings. The next time the user logs in, OneDrive will be reconfigured automatically.
Assignments
See assigning profiles and priorities.
User Profiles
User profiles apply to the user that logs onto the device.
OneDrive for Business
Enable Files on Demand
Configures OneDrive to only sync files locally as you need them. This reduces the local disk space requirement, as only the accessed data is cached locally.
Disable Tutorial
Does not show the "first run" tutorial when users first logon.
Disable Notification deleted files are removed from everywhere
Prevents the notification that when you delete a file from OneDrive, it is being deleted from all other devices and cloud storage too.
Disable Office File Collaboration
By default, Microsoft applications such as Office connect directly to your documents and not via the OneDrive client. This is a requirement for features such as real-time collaborative working. However, some third-party apps may not support this, so it can be disabled if required.
Assign Drive Letter
Select the drive letter you would like the user's OneDrive to appear as under This PC, and also the desired drive label.
Folder Redirection
Folder redirection will redirect the selected folders to the user's OneDrive\Foldername on connection to OneDrive.
Enable Folder Redirection
By default, when enabled, folders will be redirected to subfolders of a user's OneDrive.
For example:
Documents would be redirected to OneDrive\Documents
Desktop would be redirected to OneDrive\Desktop
If you want to redirect locations to a parent "Profile" folder within a user's OneDrive, enter the redirection location for Desktop as Profile\Desktop
In this instance, the Desktop would be redirected to OneDrive\Profile\Desktop
Create Folder Redirection Placeholders
Creates placeholder shortcuts in the pre-redirected location to show "OneDrive is connecting..." until connected.
Launch Microsoft Edge after Folder Redirection
Waits for folder redirection to complete, before then launching the Edge Browser. This is useful if you want to auto start the web browser on logon, waiting until "Downloads" has redirected before the browser launches.
Use Assigned Drive Letter instead of native OneDrive location for Folder Redirection
Redirects folders to the mapped drive letter location, instead of the default OneDrive client sync location.
Shared Locations
Shared locations can be used to connect cloud storage to "This PC".
Connect As
Location Only
Connects the selected cloud storage location to "Network Location" or a "OneDrive Sync Location".
Assigned Drive Letter
Connects the selected cloud storage location to a root of a drive letter.
Subfolder of Assigned Drive Letter
Connects the selected cloud storage location to a subfolder of a drive letter. You can add multiple subfolders for each cloud storage location. For example, you could have a "Departments" drive, and then add each department cloud storage location as a subfolder of that drive.
Connection Method
Sync Location
Configures the OneDrive client to connect the location through the OneDrive sync client using files on demand.
Microsoft recommends that you do not sync shared libraries with more than 5,000 files or folders, or sync the same library to more than 1,000 devices.
Web Client
Connects to your storage without using the OneDrive sync client, instead using the built in explorer web client, authenticating silently through the Microsoft Edge browser (required).
Connect to Site
Connects to the site URL specified.
Connect all Sites
Queries Office 365 on logon to see which sites and team document libraries you have access to, and connects them as subfolders of the specified drive letter.
Connect OneDrive
Connects to your personal OneDrive through the web client (for use when not using the OneDrive sync client).
Obtaining Site URLs and Document Library IDs
We have built the CloudConnect Utility, a standalone tool that queries your Microsoft tenant to retrieve the Document Library IDs and Web Link URLs for all locations and exports them to an Excel file.
Click the Download Utility button from the shared tab to obtain the tool.
Once downloaded, you can install on a single device, and use the tool to logon to your Office 365 tenant and retrieve a list of all of your SharePoint and Team document libraries.
You can then right-click and copy the desired Web URLs and Document IDs directly from the interface to paste into the web-based Shared Location profile configuration.
You can also save a copy of your Web URLs and Document IDs to an Excel CSV for future reference.
Alternatively, OneDrive Sync Document Library IDs can be found by following:
https://docs.microsoft.com/en-us/onedrive/use-group-policy#configure-team-site-libraries-to-sync-automatically
Web Link URLs can be found by accessing the shared document location via SharePoint through your web browser, for example:
https://yourtenant.sharepoint.com/sites/SharedSiteName/Shared%20Documents
Merge Shared Locations
When enabled, this allows the shared locations from multiple user profiles to be combined at user logon, allowing a granular addition of shared locations for specific scenarios based on membership/assignments.
Each assigned user profile will need Merge Shared Locations enabled, to change from the default "winning" profile behaviour of Profiles and Priorities.
This feature allows you to add additional shared locations to specific user types. For example, add the additional shared locations for "Management" in addition to "General Staff", without having to replicate all of the locations in each individual user profile.
Agent
Enable Notification UI while connecting
Shows an on screen notification when OneDrive and shared locations are being connected.
Enable Notification UI while saving to OneDrive
Shows an on-screen notification when OneDrive is syncing files. This is useful so that users don't attempt to log off before their work is saved back to the cloud. You can also display a hide button to allow the end user to dismiss the dialog.
Add Trusted SSO Zone to Internet Settings
Adds the required zones for the machine to trust either your ADFS domain, or Microsoft SSO domains for auto logon to OneDrive.
Hide the First-Run Experience in Edge
Disables the first run Edge dialogue which is useful when using the Web Client to connect to storage.
Use CloudConnect as the default PDF handler when using Chromium based browsers
Updates the User Default App file handler for pdf files to fix opening paths from a Web Client subfolder where Edge/Chrome is configured as the default PDF reader.
Do not configure OneDrive for Business features
Configures the agent to only connect drives using the Web Client, and not to use or configure the OneDrive client.
Assigning Profiles and Priorities
For each device, only one device profile configuration can be applied at any one time.
For each user logon session, only one user profile can be applied for that session.
With the exception of the Merge Shared Locations feature, profile settings are not merged, with priorities being used to control the "winning" profile.
The priority between 1 and 20 can be set from the General tab for each profile.
Profiles with the lowest priority number will take precedence over other profiles, with 1 being "first priority".
For example, a profile with priority 9 will take precedence over a profile with priority 10.
Profiles with priority 20 will be chosen last.
The applied profile is visible on the device in the application event log when a user logs on.
To force the agent to sync configuration, you can run "C:\Program Files\ODCM\Agent\ODCMAgentHelper.exe" to trigger an on-demand sync/re-run.
Custom Assignments
AND
All assignments listed must match.
If any don't match, the profile will be considered out of scope, and therefore not applied.
Username Starts With joebloggs
AND
StationName Equals STATION01
Will only apply when joebloggs logs onto STATION01
OR
If any assignment matches, the profile will be considered in scope, and its priority assessed to see if it's the winning profile.
Username Starts With joebloggs
OR
StationName Equals STATION01
Will apply when joebloggs logs onto any station on the network, or when any user logs into STATION01.
Azure AD Group Membership assignments can also be assigned, after configuring Azure Active Directory Group Sync.
If you have a specific scenario for assignments you need assistance with, contact support and we will be more than happy to advise the best way to configure your profile assignments.
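The AND/OR scoping and priority rules above, modelled in Python as an added example (not CloudConnect's own code). The class and field names are hypothetical, and case-insensitive matching, the handling of profiles with no assignments, and first-listed-wins on equal priorities are assumptions the page does not specify.

```python
"""Model of the documented profile scoping and priority rules (added example)."""
from dataclasses import dataclass, field

# The two operators shown on the page. Case-insensitive comparison is an
# assumption, chosen because Windows user and station names ignore case.
OPERATORS = {
    "Starts With": lambda actual, wanted: actual.lower().startswith(wanted.lower()),
    "Equals": lambda actual, wanted: actual.lower() == wanted.lower(),
}


@dataclass
class Assignment:  # hypothetical structure, not the product's schema
    attribute: str  # "Username" or "StationName"
    operator: str   # a key of OPERATORS
    value: str


@dataclass
class Profile:  # hypothetical structure, not the product's schema
    name: str
    priority: int = 10   # documented default
    match: str = "AND"   # "AND": all must match, "OR": any may match
    assignments: list = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= self.priority <= 20:
            raise ValueError("priority must be between 1 and 20")
        if self.match not in ("AND", "OR"):
            raise ValueError("match must be AND or OR")


def in_scope(profile, logon):
    """True when the profile's assignments match this logon session."""
    if not profile.assignments:
        return False  # assumption: a profile with no assignments is never applied
    hits = [OPERATORS[a.operator](logon.get(a.attribute, ""), a.value)
            for a in profile.assignments]
    return all(hits) if profile.match == "AND" else any(hits)


def winning_profile(profiles, logon):
    """Return the in-scope profile with the lowest priority number, or None."""
    candidates = [p for p in profiles if in_scope(p, logon)]
    # min() keeps the first-listed profile on a tie; tie order is an assumption.
    return min(candidates, key=lambda p: p.priority, default=None)


def sample_profiles():
    """Constructed profiles based on the joebloggs / STATION01 examples."""
    joe = Assignment("Username", "Starts With", "joebloggs")
    st01 = Assignment("StationName", "Equals", "STATION01")
    return [
        Profile("General staff", 20, "OR",
                [Assignment("StationName", "Starts With", "STATION")]),
        Profile("Joe or STATION01", 10, "OR", [joe, st01]),
        Profile("Joe on STATION01", 9, "AND", [joe, st01]),
    ]


if __name__ == "__main__":
    for user, station in [("joebloggs", "STATION01"), ("joebloggs", "STATION02"),
                          ("asmith", "STATION01"), ("asmith", "LAPTOP07"),
                          ("joebloggs-admin", "STATION01")]:
        winner = winning_profile(sample_profiles(),
                                 {"Username": user, "StationName": station})
        print(f"{user} on {station}: {winner.name if winner else 'no profile'}")
```

In this model, Starts With joebloggs also brings an account named joebloggs-admin into scope, so Equals is the safer operator when a profile is meant for a single account.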
Duplicating Profiles
Open an existing profile and, from the General tab, select the Copy Profile button.
An exact copy of the profile will be created with today's date in the name, and opened for editing.
See assigning profiles and priorities for details on how the "winning" profile is selected.
Devices
Devices provides an overview of all agent deployments on your network.
Use the search box to find a specific device.
Click a column heading to sort by, or click the Export button for a CSV.
Here you can find the amount of OneDrive space used on each device, and troubleshoot any issues.
Click or tap on a device entry to get more details about that deployment.
You can see the OneDrive cache space being used for each user.
Device-specific agent flags are also visible from this view.
You can also request an agent cleanup job by clicking the cross next to the user you want to remove the local OneDrive cache data for.
Agent Deployment
From the Devices tab, click the Download Agent button to get your subscription specific MSI.
This downloads your deployment MSI, which will automatically link to your subscription when installed.
Manual Installation
You can manually deploy this MSI by double-clicking it on each device.
Automate Installation through Group Policy
Automate deployment of your MSI through a Group Policy software installation.
Automate Installation through a Cloud Deployment tool
Automate deployment of your MSI through Endpoint Manager for Microsoft Intune, as a Line-of-business app.
Once the initial agent MSI is deployed, all configuration changes and updates are made through the cloud.
Agent Jobs
Cleanup local OneDrive data for specific user
If a particular user is using a larger than expected amount of disk space, they may have just backed up a USB device, or saved a large amount of data from that device, leaving the files stored locally as well as in the cloud.
From the Devices tab, open a specific device that has a larger than expected OneDrive used amount.
Scroll down so you can see each user on that device and the amount of OneDrive space used.
Click the cross next to the username to create a "Delete the local OneDrive data" job for the specific user on that device. The agent will pick this up in the next 15 mins and will only run the job when the user is not logged on.
Users
Users provides an overview of all users reported on your network.
Use the search box to find a specific user.
Click a column heading to sort by, or click the Export button for a CSV.
Here you can find the amount of OneDrive space used for each user.
Click or tap on a user entry to get more details about that user, including where they have locally cached OneDrive data and the space used.
If you see a particularly large local cache of data on a specific device, click on the station name, to take you to the device to create an agent cleanup job.
Account
Settings and Password
You can update your logon e-mail, password, and Microsoft SSO options under the account menu.
Azure Active Directory Group Sync
When joining a Windows device directly to Azure Active Directory, with no on-premise domain, you can use Azure AD Groups to assign both device and user profiles.
To allow CloudConnect to read these groups and their memberships, you must first authorise CloudConnect Group Sync in your Azure Active Directory organisation.
You can see the Azure AD groups that are synced with CloudConnect with the number of members.
Azure AD groups are synced each time a user logs into an Azure AD joined device as an Azure AD cloud user.
You can also run a manual group sync from here.
Azure AD group memberships can only be read for Azure AD cloud logons. An on-premise hybrid logon does not directly authenticate against Azure AD; in this scenario you should use domain groups or an LDAP path to assign profiles.
Click Authorise Tenant, and log in with your Office 365 Global Admin Account.
You will first need to click Accept as the current user. On the following screen, you will then have a checkbox to "Consent on behalf of your organisation".
This prevents the Accept dialog being presented to every new user that logs in when syncing group memberships.
Notifications and Troubleshooting
An overview of all agent notifications can be found on the home screen.
Click or tap on any notification to go to the device view.
See agent flags, for more information on reported flags.
Agent Communications
The agent communicates with the CloudConnect servers over HTTPS.
The service will attempt to retrieve the configuration pre-logon in the local machine context. If this is unsuccessful, it will fall back to the current user context when a user logs on.
The agent will attempt to retrieve its configuration from our servers at:
- https://cloudconnect.software
- https://agent.cloudconnect.software
- https://update.cloudconnect.software
- https://ukeast.cloudconnect.software
- https://ukwest.cloudconnect.software
- https://uksouth.cloudconnect.software
On first sync, the agent may also attempt to download OneDriveSetup.exe from Microsoft if required via:
- https://go.microsoft.com
- https://oneclient.sfx.ms
When using Web Client the agent will attempt to download the latest MSEdgeDriver.exe each time the browser is updated from:
- https://msedgedriver.azureedge.net
- https://msedgewebdriverstorage.blob.core.windows.net
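An added example (not part of the CloudConnect product) that turns the destinations listed above into an exact-match egress allowlist and checks candidate URLs against it, as you might when reviewing proxy or firewall rules for the agent. The function names and the sample URLs are constructed for illustration.

```python
"""Exact-match egress allowlist built from the documented agent destinations."""
from urllib.parse import urlsplit

# Host names copied from the Agent Communications lists, grouped by purpose.
AGENT_DESTINATIONS = {
    "CloudConnect configuration": {
        "cloudconnect.software",
        "agent.cloudconnect.software",
        "update.cloudconnect.software",
        "ukeast.cloudconnect.software",
        "ukwest.cloudconnect.software",
        "uksouth.cloudconnect.software",
    },
    "OneDriveSetup.exe download": {
        "go.microsoft.com",
        "oneclient.sfx.ms",
    },
    "MSEdgeDriver.exe download": {
        "msedgedriver.azureedge.net",
        "msedgewebdriverstorage.blob.core.windows.net",
    },
}


def classify(url):
    """Return the documented purpose of url, or None if it is not on the list."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    # Every documented destination is HTTPS on the default port.
    if parts.scheme != "https" or port not in (None, 443):
        return None
    # urlsplit lowercases the host and drops any user@ prefix; compare the
    # whole host name, never a prefix, suffix or substring.
    host = (parts.hostname or "").rstrip(".")
    for purpose, hosts in AGENT_DESTINATIONS.items():
        if host in hosts:
            return purpose
    return None


def unexpected(urls):
    """Return the URLs that the documented list does not cover."""
    return [u for u in urls if classify(u) is None]


# Constructed sample input: three documented destinations followed by four
# URLs that a substring or suffix rule would wrongly let through.
SAMPLE_URLS = [
    "https://agent.cloudconnect.software/",
    "https://UKSOUTH.cloudconnect.software:443/",
    "https://oneclient.sfx.ms/",
    "http://update.cloudconnect.software/",              # plain HTTP
    "https://agent.cloudconnect.software.example.net/",  # lookalike suffix
    "https://cloudconnect.software@example.net/",        # host is example.net
    "https://msedgedriver.azureedge.net:8443/",          # non-default port
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{classify(url) or 'NOT ON LIST':28} {url}")
```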
Agent Sync
The agent syncs with the CloudConnect servers every 15 minutes, verifying the locally cached configuration profiles.
To force the agent to sync its configuration on demand, you can run the Agent Helper from "C:\Program Files\ODCM\Agent\ODCMAgentHelper.exe" to trigger an on-demand sync/re-run.
Agent Flags
Agent flags are raised when third-party configuration concerns are detected that might be affecting the configured profile options.
The flags and their common causes are listed below:
External Folder Redirection policies
The agent has detected that something else is trying to set folder redirection as well as the agent.
This is most commonly caused by Group Policy folder redirection policies under:
User Configuration | Policies | Windows Settings | Folder Redirection
Change each folder to: Not Configured
Folder Redirection failures detected
Some folders were redirected, but not all could be redirected successfully.
This is most commonly caused by configured user folder redirection policies under:
User Configuration | Policies | Windows Settings | Folder Redirection
Change each folder to: Not Configured
Group Policy: Microsoft Edge Control where developer tools can be used is blocking Web Client
A policy is applied that is stopping the Web Client from working.
This is most commonly configured either under a Group Policy or Intune Administrative Template:
User Configuration | Policies | Administrative Templates | Microsoft Edge
Computer Configuration | Policies | Administrative Templates | Microsoft Edge
Control where developer tools can be used
Change to: Block on Enterprise Policy Extensions or Allow
Group Policy: Prevent access to drives from My Computer might be blocking C
A group policy is applied that is stopping OneDrive client from working.
This is most commonly configured under a user policy:
User Configuration | Policies | Administrative Templates | Windows Components | Windows Explorer
Prevent access to drives from My Computer
Change to: Disabled
Preventing access stops the native OneDrive client from working. You are, however, safe to use "Hide access to drives from My Computer" to remove the C drive from the visible view as desired.
Group Policy: Prohibit User from manually redirecting Profile Folders might be preventing redirection
A group policy is applied that is stopping the agent from completing folder redirection.
This is most commonly configured under a user policy:
User Configuration | Policies | Administrative Templates | Desktop
Prohibit User from manually redirecting Profile Folders
Change to: Disabled
Group Policy: Prevent the usage of OneDrive for file storage is enabled
A group policy is applied that is stopping OneDrive client from working.
This is most commonly configured under a computer policy:
Computer Configuration | Policies | Administrative Templates | Windows Components | OneDrive
Prevent the usage of OneDrive for file storage
Change to: Disabled
Low disk space on device
See agent cleanup jobs to identify if locally cached OneDrive data is the cause, and send an agent cleanup job if required.
OneDrive Client not found as per machine installation
A working OneDrive client was not found in Program Files on the device, and it has not yet successfully downloaded and installed, or OneDrive is running per user.
OneDrive Sync Folder for user not found
During logon, the agent was unable to detect a successful connection to OneDrive. This might be because the user is not licensed for OneDrive, or because authentication has failed within the OneDrive connection timeout window defined in the device configuration.
Shared PC mode is enabled which prevents the usage of OneDrive for file storage
The default Shared PC mode Endpoint/Intune/Provisioning policy setting sets "Prevent the usage of OneDrive for file storage", which prevents the OneDrive client from running.
We would suggest this policy is disabled to allow the use of OneDrive.
For more information, see https://docs.microsoft.com/en-us/windows/configuration/set-up-shared-or-guest-pc
Temporary, Roaming or Mandatory User Profile Detected
Roaming, Mandatory, and Temporary user profiles are not supported. The OneDrive sync app only supports users who can write to OneDrive application directories.
We would suggest migrating away from the use of Windows user profiles on your network.
For more information, see https://support.microsoft.com/en-us/office/restrictions-and-limitations-in-onedrive-and-sharepoint-64883a5d-228e-48f5-b3d2-eb39e07630fa
Web Client installation could not be validated
This indicates the Web Client feature is not working on the device for Shared Locations.
This is most commonly caused by either the Microsoft Edge Browser missing, or in the case of a Windows Server OS, the WebDAV Redirector feature may not be installed.
Install-WindowsFeature WebDAV-Redirector
Agent Helper
The agent helper can be used to perform various commands on demand by use of a command parameter.
For restricted logons, we would recommend creating a shortcut as required.
"C:\Program Files\ODCM\Agent\ODCMAgentHelper.exe"
The agent syncs with the CloudConnect servers every 15 minutes. To force it to sync now, run the agent helper without any command parameters.
"C:\Program Files\ODCM\Agent\ODCMAgentHelper.exe" resetsso
Will reset OneDrive the Microsoft recommended way, and also remove the SSO has completed flag.
"C:\Program Files\ODCM\Agent\ODCMAgentHelper.exe" resetfull
Will reset OneDrive the Microsoft recommended way, remove the SSO has completed flag, pre-signin settings, accounts and remove existing appdata and local sync history databases.
"C:\Program Files\ODCM\Agent\ODCMAgentHelper.exe" clearwebauth
Will clear all cached credentials and tokens for Web Client connected shared drives, and force a re-authentication attempt.
Limitations
The following may assist with troubleshooting known limitations and expected behaviours.
Enforced Multi-factor Authentication
"The Microsoft OneDrive silent account configuration won't work on devices for users who require multi-factor authentication."
https://learn.microsoft.com/en-us/sharepoint/use-silent-account-configuration#VerifySilentAccountConfig
CloudConnect expects single sign on to work, and requires it for an automated seamless end user logon experience.
We would normally recommend you trust enterprise owned devices either by conditional access rules in Azure AD, or by static public IP address, allowing the first time/initial logon configuration to complete without the requirement for MFA. This improves the overall end user experience with all Microsoft applications on first logon.
Folders may appear empty when using WebClient
Folders may appear empty or files may appear to be missing when using WebClient and browsing with other non office applications.
Folder paths including your https://tenentname.sharepoint.com/site/library prefix should not exceed 260 characters.
While technically OneDrive supports up to 400 characters, many software products still remain limited in their ability to read long lengths, so we would recommend you keep below 260 characters for compatibility reasons. Lengths over 260 characters can be navigated to/adjusted when browsing SharePoint/OneDrive using your web browser.
https://learn.microsoft.com/en-US/office/troubleshoot/office-suite-issues/error-open-document
Please contact support with any additional queries and we will be more than happy to assist.