Learn how to control upload and synchronization with cloud drives, particularly with SharePoint online, SharePoint on-prem, OneDrive Personal, and OneDrive for Business.
Information in this article applies to Safetica 10 or older.
Safetica 10 allows you to control multiple SharePoint instances connected to one computer and configure each of them separately. You can control not only upload to SharePoint and OneDrive via web browsers, but also synchronization of files via local synchronized folders and OneDrive Sync Client.
This might come in handy for example when you have several different SharePoint instances and one of them contains sensitive files. You can protect these files from being transferred to another SharePoint instance.
In this article, you will learn:
- How to control SharePoint and OneDrive in general
- How to control individual SharePoint instances
- What will the admin see in logs
- FAQ
Controlling SharePoint and OneDrive
SharePoint (both online and on-prem) and OneDrive (both Personal and Business) can be allowed, logged, or blocked either in general as a whole channel, or specifically as individual instances.
How to control SharePoint and OneDrive in general
Using general DLP policies, you can configure different levels of protection for OneDrive Personal that your employees may use for private purposes and OneDrive Business used by your company.
To control OneDrive Personal, OneDrive Business, or SharePoint as whole communication channels for a specific user, a group of users, or the whole company:
- Go to Protection > DLP policies and click New policy.
- In Policy type, select General.
- Set the Policy mode as needed.
- In Policy rules, click Customize and select OneDrive Personal, OneDrive Business, or SharePoint.
- Click the Custom link next to the Cloud drives slider, and configure as needed.
How to control individual SharePoint instances
If your company uses several different SharePoint instances and you want to control each of them separately, you need to use Safetica Zones in Safetica Management Console.
Go to Protection > Zones and add the address of the desired SharePoint or OneDrive instance into a zone. Each zone is a list that you can later use to create DLP policies.
How to add a SharePoint into a zone
- Go to Protection > Zones and click Add zone.
- Name the zone and decide whether you will consider the SharePoint instances added to it to be safe. Then click OK.
- In the list on the left, select the newly created zone and click Add item.
- Add each individual SharePoint instance by clicking Web address.
- Fill in the needed information and confirm with Finish.
- Click the confirmation button in the upper right corner of the screen.
How to use zones to control SharePoint instances
The created zone can be used when setting up DLP policies to control SharePoint.
Both upload via web browsers and synchronization via local synchronization folders and OneDrive Sync Client will be controlled:
- Go to Protection > DLP policies and click New policy.
- In Policy rules, use the Upload slider and choose Safe zones allowed.
- Decide whether you want to allow all safe zones or whether you want to set each zone individually.
- Place this new policy above the cloud drive restrictive one so it works as an exclusion.
-For this exclusion to work, it must be implemented as two separate DLP Policies. The first policy allows upload to a safe zone with the instance as described above and the second policy with lower priority restricts access to the desired services.
What will the admin see in logs
If you want to find out for which file uploads or synchronizations to cloud were allowed or blocked, go to Protection > DLP logs. In the Records table, filter out Cloud drive in the Destination type column. You will see the name of the file, who initiated the upload/sync, whether upload/sync was allowed, blocked, or logged, whether the file contained sensitive data and many other details.
FAQ
What SharePoint versions does Safetica 10 support?
We support SharePoint Online and SharePoint on-prem 2019. For older SharePoint versions support is not guaranteed.
When I want to control individual instances of SharePoint, why do I need to set up the Upload policy rule instead of the Cloud drives rule?
The Cloud drives policy rule does not have the Allow safe zones option. Therefore, to control individual instances of SharePoint, you must use the Upload option.
How do I set up different rules for SharePoint instances and other cloud drives?
It is not possible to block specific SharePoint instances and allow other cloud drives (and vice versa) within one policy. The reason is that policy rules are matched from top to bottom of the list and the first matched rule always applies. Therefore, the Cloud drives rule always has higher priority than the Upload rule, matches first, and stops the evaluation.
To set different rules for SharePoint instances and other cloud drives, you must create 2 separate policies – one for blocking SharePoint instances and one for allowing other cloud drives (or vice versa). In the list of DLP policies, the SharePoint blocking policy must be placed higher than the policy for allowing other cloud drives.