Maybe Financials

Maybe, just maybe, someone will enjoy Maybe Financials. It’s a powerful self-hosted financial system and it’s something I need. I’m switching from my factory IT job to a school system. The school system moves me from a weekly paycheck to a monthly paycheck and a big pay cut. However, it’s worth it as this is my end goal. One thing I have always struggled with is knowing when money will leave the account. Last time I paid my Amazon card, it took a full 2 weeks to come out of my account. This hurt me when it came down to predictable budgeting. I tried different tools and all of them just couldn’t cut it. The core issue is I’m a spender.

Thus, being paid monthly, it’s time to try another piece of software. However, I want something self-hosted, something I can reach by a domain name. So I tried a few out and landed on Maybe Financials. This guide will show you how to install it and set it up so SSL will work. I am running it through my Apache reverse proxy that lives in the cloud, with the app hosted in Docker on a local computer. Let’s get started.

Installing Maybe

The setup

We are assuming you have Docker set up. This install is pretty quick and simple as well. Here is the official documentation. First, create the directory for your Maybe install. Then download the example compose file into that folder; I suggest working from inside it. After that you will want to secure it. Let’s begin with the compose file.

mkdir /maybe
cd /maybe
curl -o compose.yml https://raw.githubusercontent.com/maybe-finance/maybe/main/compose.example.yml

Now we have the example file. We need to set the passwords it needs. If you open compose.yml, you will find Postgres and Rails are part of the system. Items like ${blah:something} are variables that will be read from the .env file. As you can see, the password and hash are both there. So, it’s time to grab a hash and a password.

openssl rand -hex 64

Now we take that information and put it inside the .env file using the following command.

nano .env

The file should look like this:

SECRET_KEY_BASE="replace me with the generated string from the prior step"
POSTGRES_PASSWORD="replace me with your desired database password"

Another way to do this is with this one-liner. It will prompt you for a custom password.

read -s -p "Enter your desired Postgres password: " DB_PASS && echo -e "SECRET_KEY_BASE=\"$(openssl rand -hex 64)\"\nPOSTGRES_PASSWORD=\"$DB_PASS\"" > .env && echo -e "\n.env file created."

Note:

  • This is when you can change the port number you want Maybe to run on. Do it by editing the compose.yml file with nano. Change the port from 3000:3000 to 3000:<Your Custom Port>

Run docker

Once you have the env file in place, it’s time to run the docker commands.

docker compose up -d
docker compose ls

Now you can navigate to your machine’s IP address at the port you chose, for example http://192.168.0.5:3000. You will set up your email from this point.

Accessing it from a greater network

If you want to reach your instance of Maybe Financials outside your home, you will have to set it up to do so. In my case, if you haven’t followed along, I’m NATed. So I have a reverse proxy up in the cloud that points back. This is the process I went through to set it up to be reached from the outside. I had already pointed my DNS to the reverse proxy.

  1. cd /etc/apache2/sites-available
  2. nano maybe.therandomadmin.com.conf
  3. Paste the below:
<VirtualHost *:80>
    ServerName maybe.therandomadmin.com

    ProxyPreserveHost On
    ProxyPass / http://100.100.100.100:3000/
    ProxyPassReverse / http://100.100.100.100:3000/

    # Optional headers
    RequestHeader set X-Forwarded-Proto "http"
    RequestHeader set X-Forwarded-Port "80"

    ErrorLog ${APACHE_LOG_DIR}/maybe.therandomadmin.com-error.log
    CustomLog ${APACHE_LOG_DIR}/maybe.therandomadmin.com-access.log combined
</VirtualHost>

This is a basic reverse proxy virtual host. It’s very important to note the RequestHeader lines. Without them, it will not work. Not sure why; it’s something to do with Rails.

  1. a2ensite maybe.therandomadmin.com.conf
  2. systemctl reload apache2
  3. certbot --apache
  4. Select maybe.therandomadmin.com
  5. Once it finished, I was able to navigate to the site.

This is where the RequestHeaders were important. Take a look at the virtual host that was generated by certbot:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName maybe.therandomadmin.com

    ProxyPreserveHost On
    ProxyPass / http://100.100.100.100:3000/
    ProxyPassReverse / http://100.100.100.100:3000/

    # Optional headers
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"

    ErrorLog ${APACHE_LOG_DIR}/maybe.therandomadmin.com-error.log
    CustomLog ${APACHE_LOG_DIR}/maybe.therandomadmin.com-access.log combined
                           <Items removed due to security>
</VirtualHost>
</IfModule>

Notice the X-Forwarded-Port header is not there and the proto is now https. It’s important to change these and then reload Apache. Maybe Financials should then let you log in without any issues.

Remember, if you don’t change the RequestHeaders, you will get the following error message:

What can we learn as a person

Knowing is half the battle. It took me about 30 minutes to figure out the error message I got. “The change you wanted was rejected” was as useful as a box of pins in a balloon shop. I found an obscure reference to an nginx proxy which led me to figure out the RequestHeader issue, since the logs are very unhelpful. If you try installing Maybe, you might run into the same issue when giving it its domain name. But thanks to this blog, you have the answer. Thus, no time wasted.

To solve a problem, the more you know at the start, the quicker you will resolve it. I have a problem with two credit cards. I used them to buy things that were needed in the house. At the time, I didn’t realize it can take 3 weeks to process a single payment, which is ugly to say the least. This little program has already helped me understand some spending habits I have. Can you guess what eats my money? Eating out. No surprise, an IT guy likes to eat. Knowing these patterns, I now have a plan that will get me debt free by this time next year while still having Christmas.

Almost every single issue can be quickly resolved by having prior knowledge. Take a step back, breathe and see what’s going on.

Global Reader Role Security Concerns

It started like most of my learning sessions do. I cracked open a cold Dr Pepper and decided to poke around Microsoft 365 Explorer just to see how it really works. Not trying to solve a ticket or check alerts, just digging through the Security & Compliance Center to see what kind of metadata I could pull from email traffic. That’s when I saw it. A Teams meeting link. Right there in the email metadata. Not the email body. Not some phishing attempt. Just… a clean, clickable Teams URL, and that’s where the Global Reader role security concerns really hit me.

See, I didn’t have access to the email content. That part is locked down like it should be. But the URLs? Totally visible. Which means any Teams meeting link that comes through email can technically be seen and opened by someone with Global Reader rights. No secret sauce. No elevated permissions. Just the system doing exactly what it was told to do. I didn’t click it. But I could’ve. That’s what stuck with me.

Nobody talks about this kind of thing. We throw these roles around, Global Reader, Security Reader, assuming they’re “read-only” and safe. But safe for who? Because when that read-only view includes working meeting links, especially the ones that don’t require authentication, you’ve got more than just visibility. You’ve got access. Quiet access. That’s not a broken system. It’s just… something we didn’t think all the way through.

What Explorer Actually Shows You

So for anyone who hasn’t wandered into it before, Explorer lives inside Microsoft 365 Defender at https://security.microsoft.com. You head over to Email & Collaboration, click on Explorer, and boom, you’re staring at mail flow. What came in, who it went to, who clicked what, and when it all happened. It’s surprisingly deep.

Now, I didn’t expect much when I first started messing with it. I thought it would show headers, basic sender and recipient info, that kind of thing. But once I started looking closer, I noticed the URLs section. These aren’t just logs. They’re functional. You see the real URLs from real emails. And if one of those is a Teams meeting? Yep, you can open it. And this is with the Global Reader role. You don’t need to be an Exchange Admin or have a bunch of elevated rights. Just Global Reader. That’s where the Global Reader role security concerns really start to matter.

The assumption is that “read-only” means “safe.” But URLs aren’t static. They’re doorways. And if that doorway leads to a Teams meeting, and the meeting doesn’t require you to be on the invite or authenticate, then yeah; you’re walking into places you probably shouldn’t be. So now I’m sitting here thinking… how many people have this role in our org? And how many of them know what they’re really looking at?

When Metadata Becomes a Backdoor

Let’s be real, this isn’t some obscure flaw buried deep in the Microsoft 365 stack. It’s just… there. Working as designed.

When Explorer pulls up an email trace, you can click into the message summary and find a list of all the URLs Microsoft scraped from that email. They’re broken down under the “URLs” section and logged for security scanning. This is great for catching phishing links. But not so great when those URLs are to internal resources.

That’s how I found the Teams meeting link.

It looked like this:

https://teams.microsoft.com/l/meetup-join/19%3ameeting_YES_THIS_IS_REAL%40thread.v2/0?context=%7b%22Tid%22%3a%22tenant-id%22%2c%22Oid%22%3a%22organizer-id%22%7d

Clean. Clickable. No auth required, depending on how the meeting was set up. Some orgs have meetings open by default. So yeah, I could’ve joined. Muted my mic, changed my name to “System,” and just lurked. Not that I did. But again, the option was right there. And it’s not just meetings.

I’ve seen password reset URLs, temporary sign-in links, private SharePoint shares, direct file download links. All kinds of things that don’t need full message content to be risky. These links are meant for the recipient, but they’re exposed in the metadata. And the kicker? This isn’t some “Exchange Admin has all the power” situation. This is happening with Global Reader role permissions. Read-only, sure, but reading live, sensitive URLs that can sometimes skip authentication entirely.

That’s where Global Reader role security concerns stop being hypothetical and start being real risk. This is metadata turning into a potential access path. Not because the system is broken, but because it’s quietly giving away more than we think.

What You Can Do About It

Let’s say you’ve just realized what I did—that Global Reader isn’t exactly as harmless as it sounds. The good news? You can do something about it. The bad news? Most orgs don’t, because they assume “read-only” is low risk.

First things first. You need to know who actually has this role. It’s not always obvious in the portal, especially if folks got assigned via nested groups or role assignments that were done years ago. PowerShell to the rescue:

# Requires the Microsoft Graph PowerShell module (Microsoft.Graph.Identity.Governance)
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"
# Role assignments only carry IDs; expand the role definition and principal to get display names
Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty RoleDefinition,Principal |
Where-Object { $_.RoleDefinition.DisplayName -like "*Global*" } |
Select-Object @{n='PrincipalDisplayName'; e={$_.Principal.AdditionalProperties.displayName}},
              @{n='RoleDefinitionDisplayName'; e={$_.RoleDefinition.DisplayName}}

This will pull a list of users with any role containing “Global” in the name. Look out for Global Reader, Global Admin, and anything custom that might have full visibility. Once you know who’s got the keys, ask the hard question: Do they still need it? If the answer is no, yank it. If they only need it occasionally, roll out Privileged Identity Management (PIM) and require just-in-time access. Make them activate it, justify it. Then make it expire.

Another overlooked option is role-specific access. Instead of giving someone full tenant visibility with Global Reader, give them Security Reader, Compliance Viewer, or another scoped role that aligns with their actual job. You don’t give someone a master key to your building just because they need to water a plant in one office. Same idea.

Also, while you’re at it, check your Teams meeting policies. Make sure unauthenticated users can’t just join meetings by URL. A lot of companies leave this wide open because it’s the default. Finally, start the culture shift. Just because someone can see a URL doesn’t mean they know what that link leads to. And if it leads to sensitive content or a live session? That’s a problem waiting to happen.
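Checking the meeting-policy side of this is the part most people skip, so here is an added example (my own script, not from the original post) that lists every Teams meeting policy allowing unauthenticated join by link and how many users each policy covers. It assumes the MicrosoftTeams module is installed and you hold a Teams admin or reader role; cmdlet and property names are the module’s own, the policy names and counts will be your tenant’s.

```powershell
# Added example, not from the original post: report which Teams meeting policies let
# anonymous (unauthenticated) users join by link, and how many users inherit each one.
# Requires the MicrosoftTeams module and a Teams administrator or Teams reader role.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

function Get-AnonymousJoinReport {
    # Tenant-wide switch first: when DisableAnonymousJoin is set, no per-user meeting
    # policy can re-open anonymous join, so the policy values below are moot.
    $tenant = Get-CsTeamsMeetingConfiguration
    if ($tenant.DisableAnonymousJoin) {
        Write-Warning "Anonymous join is disabled tenant-wide; meeting links require sign-in."
    }

    # Users with no explicit policy inherit 'Global'. Custom policies show up as
    # 'Tag:<Name>' on the policy object, so normalise that prefix to match by name.
    $users = Get-CsOnlineUser -ResultSize 100000 |
        Select-Object UserPrincipalName, TeamsMeetingPolicy
    $usersByPolicy = $users | Group-Object {
        $p = "$($_.TeamsMeetingPolicy)" -replace '^Tag:', ''
        if ($p) { $p } else { 'Global' }
    }

    foreach ($policy in Get-CsTeamsMeetingPolicy) {
        $name  = $policy.Identity -replace '^Tag:', ''
        $group = $usersByPolicy | Where-Object Name -eq $name | Select-Object -First 1
        [pscustomobject]@{
            Policy           = $name
            AnonymousCanJoin = [bool]$policy.AllowAnonymousUsersToJoinMeeting
            # AutoAdmittedUsers = 'Everyone' means anonymous joiners skip the lobby
            # entirely; 'EveryoneInCompany' or stricter at least makes someone admit them.
            LobbyBypass      = $policy.AutoAdmittedUsers
            UsersCovered     = if ($group) { $group.Count } else { 0 }
        }
    }
}

# Policies that allow anonymous join AND wave everyone through the lobby are the
# first to fix (Set-CsTeamsMeetingPolicy -AllowAnonymousUsersToJoinMeeting $false).
Get-AnonymousJoinReport |
    Sort-Object -Property AnonymousCanJoin, UsersCovered -Descending |
    Format-Table -AutoSize
```

A policy with AnonymousCanJoin true and LobbyBypass Everyone is exactly the case where a meeting URL seen in Explorer becomes a working door.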

What Can We Learn as a Person

Let’s be honest. Most of us in IT have had that moment. You see something you weren’t supposed to see—an email subject, a calendar event, a shared file name and suddenly your brain starts filling in the blanks. It’s rarely something major. It’s usually a half-story. A piece of a conversation. Just enough to spark a thought like, “Huh, that’s interesting…”

This is where gossip starts. And this is where it can wreck people. Not just the person you’re looking at, but you too. When you’ve got a role like Global Reader, it’s incredibly easy to see things you shouldn’t. Even if you never touch the actual email content, those metadata breadcrumbs can pile up quick. Meeting titles, URLs, file names, sender names. Your brain builds a story whether you want it to or not.

And the worst part? You don’t even have the full picture.

That’s where the danger really is. Partial visibility creates false narratives. It makes you assume things. It can mess with how you view coworkers, how you talk about them, and how you carry yourself as an admin. I’ve caught myself starting to spiral into “what if” scenarios based on a Teams meeting name I wasn’t supposed to see. It’s not healthy. And it’s not professional.

The power to see isn’t just technical. It’s emotional. And if you don’t check yourself, it’ll eat at your mental health before you realize it. So what can we learn? That being trusted with access means being trusted with restraint. That curiosity can turn toxic if it isn’t managed. And that sometimes, the most responsible thing you can do as an admin… is look away.

DeepSite Review

Not much takes me by surprise, but this little tool has really done just that. I want to do a DeepSite review in today’s post. DeepSite is a unique AI tool that builds websites. Unlike ChatGPT, you don’t have to feed it a complex prompt to make one page look decent. I am going to give you some examples of what I was able to make with it and the prompts used.

So what is DeepSite? DeepSite is a Hugging Face tool made by enzostvs: https://enzostvs-deepsite.hf.space/. It uses DeepSeek’s AI to help create anything from fairly simple sites to complex sites. I have made everything from Flappy Bird games to sites about possums. If it can be done inside a browser, DeepSite can do it. When you first come to DeepSite, this is what you get: a simple prompt, and a page. The HTML is generated in the side panel. So let’s look at some examples.

DeepSite Review Examples

Flappy Bird

Link: CyberFlap – Cyberpunk Flappy Bird

Prompt: create a cyberpunk flappy bird clone

It took about 5 minutes and wrote each line of code. You can play this clone at CyberFlap – Cyberpunk Flappy Bird. Is it perfect? No, but is it dang amazing? Yes. This would have taken me a full day or two to code. It only took 5 minutes and it was a single file. So no copying and pasting multiple files and folder structuring.

One and Two Liberty Square

Link: One&Two Liberty Square Greenville | Premier Property Management

Prompt: Create a website for a company called one and two liberty square. Here is the content (content from the previous site).

What amazed me here is it got most of the content together. It’s not the best layout, but it’s usable. The downside can be seen here. The longer the site, the harder it is to make the site creatively clean. It did poorly on the dots and sounds the same in a lot of places. That’s where the human charm comes into play.

What I would do to improve this site is change the menu to go to each building. I would also flip the images from one side to another. Then make a section for the corporate partners on its own.

One big thing to remember, this can only create the surface level. So, you see that contact us? Yeah, that doesn’t work. So, if your backend guy doesn’t know how to do the back end stuff, good luck.

Meme Generator

Link: Meme Maker Pro

Prompt: Create a dark themed meme generator where I can upload a picture and add text to the top and bottom and save it to my computer.

So, this was pretty cool. It made it within 5 minutes and only had 1 problem, which it still has. It can’t save the three memes it shows in the left-hand window because they are not in memory. However, you upload something, add your text, click save, and bam. Quick and easy. Some of the portrait-shaped images will have odd text, but for the most part, it works.

Task Manager

Link: ZenFocus Pro – Advanced Todo App

Prompt: Make a Zen focus task manager with a dark mode.

Guess what, it will keep your tasks as long as you keep your cache. After that it forgets, and the dark mode sucks. So, if you clear your cache or move to a different browser, your stuff will not be there.

Deepsite Review

Pros

  • Creates a basic website in seconds with little interaction
  • HTML code is split into sections, which allows for easy editing
  • The system uses tailwindcss.com
  • Can create unique games with a simple command
  • Keeps standard practices
  • Single HTML site file
  • System will respond

Cons

  • Creates a basic site, but nothing bigger
  • Keeps standard practices but not best practices
  • Odd formatting.
  • No backend

Final thoughts

This tool is great for simple sites and nothing more. If you want more than one page, this tool can’t do that. If you want a fully functioning back-end and front-end product, this isn’t for you. However, for front-end development, it’s a yeppers. I personally like making cool 404 pages with this tool. I don’t do reviews often, and the main reason I wanted to bring this tool up is because it’s the beginning. If AI doesn’t eat itself and die, we will see the end of an industry. My last blog post was me asking questions to GPT and it giving me a response. I just told it to make it a blog post and bam, it did it. Which took the fun out of blogging. These tools are powerful and DeepSite is just the beginning of replacing front-end development. That’s my thinking on this DeepSite review.

What we can learn as a person

When I was a child, I was told I would never have a calculator. I had to learn division, exponents, square roots, and more by hand. (Yes, I know I just dated myself.) I’m grateful for learning those things. Now when I am working with complex problems, I use the same structures and a lot of times the same formulas. Over the past 20 years, I have used my phone’s calculator. I am noticing a decline in my ability to perform simple math. The more I use ChatGPT, the more I notice a skill drain.

Technology can replace our need for a skill set over time. Is this a good thing? Sometimes; however, sometimes it’s not. I use AI in my daily life for a lot of things. But I don’t lean 100% into it like many of my peers do. The reason is that I love to discover what I learn. I enjoy making the mistakes and correcting them. At the end of the day, I want the brain tingles. When I’m in my 70s, that love will keep my brain on track. I have seen a decline as I have gotten older. We all know that one day we will not be able to think like we did when we were 25, and that’s OK.

Two keys to success

I have learned in this life there are two keys to success: adaptability and work. We have to adapt to the world around us. If it takes me 1 hour to code a deployment, but AI takes 5 seconds, I might as well use the AI, but make sure I understand the AI’s code so I can fix it later when it breaks. Adapting is important, but putting in the work is just as important. Like this DeepSite review: I could have had GPT do it, but I wanted to figure it out, so I could see the full scope of what DeepSite could do for me. If you don’t work at what you have in life, it doesn’t happen. Sometimes that means we have to work at being adaptable as well. That could mean a 15k pay cut to escape a trauma-inducing job. Other times it’s using a weed eater instead of a push mower. It means different things for different situations.

So, learn how to adapt. Work at what you do and enjoy. I find joy in work. It’s a simple concept. Seeing a clean room knowing I just did that, is a simple joy. It’s like putting back into myself. It’s worth it and so are you.

Intune devices vs app policies

Ever feel like you’re just guessing which Intune policy to use?

You go into Microsoft Intune thinking, “I just want to block copy/paste from Teams to a student’s phone,” and suddenly you’re knee-deep in device configs, app restrictions, compliance policies, and something called MAM-WE (which sounds like a failed robot uprising).

If you’ve ever been stumped by the difference between Intune device vs app policies, you’re not alone. And you’re not doing it wrong — the naming is genuinely confusing.

So, let’s break it down the way it actually clicks — using real-world scenarios instead of theory and tech jargon. If you know what you want to do, you’ll know what to use. Let’s dive into Intune device vs app policies.

The Three Intune Policy Buckets

Device Configuration Policies – You Own It, You Control It

Think of this like setting the house rules — but only for houses you own.

Device configuration policies give you OS-level control. You can push BitLocker, set PIN rules, enforce Delivery Optimization, apply VPN profiles, and more. But they only work if the device is enrolled in Intune — like, actually enrolled. Not “kinda managed.” Full enrollment.

Let’s take a look at a real-world scenario. Imagine you have 200 Windows 11 laptops and want to enable Delivery Optimization for Windows updates. This would be a Device Configuration Profile. Another example would be if you have 1000 Windows 11 laptops whose fixed drives you want to encrypt with BitLocker. Once again, this is a device configuration profile.

If the device is personal and not enrolled, this policy type is off-limits. No BitLocker, no VPN, nothing. You don’t own it, you don’t get a say.

App Protection Policies – Protecting the Data, Not the Device

This one is magic for BYOD situations. Think of it like zipping up your company’s data in a fireproof pouch, even if it’s on someone else’s device. App protection policies don’t care who owns the device. They care about your data. These policies apply to managed apps, things like Outlook, Teams, and OneDrive, and let you do things like block copy and paste, require PINs to open apps, wipe work data, and more.

Let’s take a look at a few real-world scenarios. Students are copying Teams messages and pasting them into Discord on their phones. You can block this using an App Protection Policy. Let’s say you have truck drivers with iPads with Outlook on them. You can force the user to enter a PIN each time they check their email. That’s an App Protection Policy.

App Configuration Policies – Pre-setting the Knobs

Here we are putting the settings into place for different apps. We are not locking down the device. So, if you need a PIN for the device, you do this with a device configuration policy. If you need Chrome to open on a set website, that’s the App Configuration Policy. App configuration policies let you predefine how apps behave. It’s not about control, it’s about consistency. You can push bookmarks, force Outlook to use only work accounts, set default browsers for Teams, and more.

Let’s look at a real-world scenario. You have 500 Android Zebra scanners, and you need to make sure they all open Chrome to a local site. This can be done through the App Configuration Policy. One thing we did was set up auto updates with Zebra on our scanners. We did this with an App Configuration profile.

The problem with it is BYOD. App Configuration policies only work with managed apps. This means, if a user installs Outlook through the Company Portal via Intune, then you can manage it. However, if they install Outlook through the store app, it just doesn’t work.

Why it gets confusing

Let’s be real, the names don’t help. “App Protection” and “App Configuration” sound way too similar. So here’s a simple mental hack for separating device vs app policies.

  • Device Configuration = Control the device itself.
  • App Configuration = Setup how the app works.
  • App Protection = Lock down the data inside the app.

Let’s test this thinking out with a few scenarios.

  • Possible Answers
    • Device Configuration Policy
    • App Configuration Policy
    • App Protection Policy
  1. You want to prevent employees from copying data from Teams to another non-company app.
  2. Your factory has 300 kiosk devices. You want to make sure that the devices can’t be logged into by non-IT users.
  3. Doctors are using Outlook on their personal phones. You need to prevent attachments from being saved locally.
  4. Your company uses Android Enterprise, and you want to push bookmarks to Chrome.
  5. You want to rotate the local admin password on all of your Windows 11 devices using Windows LAPS.
  6. Force Outlook to only use work accounts.
  7. Encrypt phones and force a PIN lock on bring-your-own devices.

Here is a nice little chart to help with these.

Do I manage the entire device?
   ↳ Yes ➡ Device Configuration
   ↳ No ➡ Do I want to protect corporate data?
            ↳ Yes ➡ App Protection
            ↳ No ➡ Do I want to change how the app behaves?
                     ↳ Yes ➡ App Configuration

Here are the answers.

  1. App Protection
  2. Device Configuration
  3. App Protection
  4. App Configuration
  5. Device Configuration
  6. App Configuration
  7. None of the above. Yep, I tricked you, maybe. If it wasn’t a bring-your-own device, then you would be correct if you said device configuration profiles. Other than that, it’s nothing really.

Final Thoughts – “You Know More Than You Think”

This stuff is confusing, and Microsoft doesn’t always make it easy. But now, you’ve got the mental framework:

  • Device Config = You own the device
  • App Protection = You own the data
  • App Config = You shape the experience

Don’t worry about getting it perfect on the first try. Intune is meant to be layered. Pilot first, then scale.

If you ever get stuck again, just ask: “What exactly am I trying to control here?”
The answer will almost always tell you the policy you need.

You’ve got this, let’s go get those device vs app policies.

What can we learn as a person

In IT, we have access to a lot. More than most people will ever know.

We can shut down Windows Hello, enforce biometric logins, or require ID badges scanned by a camera just to unlock a screen. As system administrators, we often hold keys to every digital door. I could, right now, grant myself full access to every mailbox in the company — all in the name of “making admin easier.” I could quietly assign myself as an owner on every user’s OneDrive and SharePoint site using policies that no one would even notice.

That level of control? It’s terrifying, if you’re honest about it.

Because with great power doesn’t just come great responsibility.
It comes with weight. A psychological and emotional load that most people never talk about.

Knowing that you can access someone’s private data — and choosing not to — becomes a moral and mental burden. It sits on your nervous system like a background process you can’t kill. Over time, that mental load becomes stress. That stress becomes anxiety. That anxiety becomes burnout, or worse — panic attacks that don’t go away.

Let’s go back to those access examples:

If you make yourself owner of every mailbox, and something illegal ends up in one — say, child pornography in OneDrive — you’re now not just an admin. You’re a co-owner of that content. You’re legally implicated. That’s not just a technical decision. That’s jail time.

When you hold that kind of access, your body knows, even if your conscious mind tries to ignore it. It keeps a tally. And that tally eventually tips the scale — panic attacks, heart strain, and real, physical damage.

The Illusion of Total Control

I’ve seen brilliant people collapse under the pressure of trying to control everything — juggling complex networks, hybrid systems, countless endpoints, compliance rules, and impossible expectations.

They thought the job was about mastery. But really, it’s about boundaries.

Technology is growing faster than any one human can keep up with. We’re now expected to specialize and generalize. To know cloud, on-prem, security, devices, data — and also keep every system running 24/7 with no mistakes.

That pressure? It breaks people.

So What Can We Learn?

Here’s what I’ve learned — sometimes the hard way:

  • Control less. Not because you’re lazy — but because your health matters more than a perfect config.
  • Set boundaries. Just because you can access something doesn’t mean you should.
  • Say no to full access. Delegate. Distribute. Limit yourself.
  • Audit yourself. Regularly review what you have access to, and ask: Do I really need this?
  • Let go. Systems don’t have to be perfect. People don’t have to be flawless. Neither do you.

You’re not here to own everything. You’re here to protect what matters — and that includes you.

So the next time you feel the urge to control every setting, script every failover, and be the hero of the whole system…
Pause.
Breathe.
And remember: the best admins don’t control everything. They know what not to control — and they sleep better because of it.

Upcoming OneDrive changes

Oh Microsoft, we love you, and sometimes we can’t stand you. Announced on Microsoft Roadmaps, upcoming OneDrive changes are going to be a mess. The skinny on this one is simple: you will be able to sync your personal OneDrive files with your company OneDrive files.

The danger

Let’s talk about how dangerous this is.

Think about users like me who have personal projects that are not safe for work. For example, I have a little .NET program in my personal OneDrive that places a form on the screen and blocks all input but still lets you see the display. It’s great when I’m watching a fractal render and don’t want my cat stepping on the keyboard and messing it up.

Now imagine this program syncing to my company’s OneDrive. Imagine that executable file getting loose in a business environment. Yeah … exactly.

Then there’s HIPAA, PII, and more to consider. If Bob from Accounting links his personal OneDrive to his business OneDrive, his child’s medical documents or sensitive family files might be exposed to corporate systems. Most personal OneDrives contain things like resumes, tax documents, and payment info. That means the company could suddenly have access to those files, whether it wants to or not.

Here’s the biggest problem: file accountability.

Let’s say a user unknowingly syncs illicit files. Now those files are on the business network. Who’s responsible for them? The user? The company? Anyone with access? It’s a legal and security nightmare. This is how companies get wrecked and Microsoft seems to be ignoring the massive risk.

The solution so far

Microsoft has proposed a fix, but it’s far from elegant. You can create a Device Configuration policy in Intune to block personal OneDrive syncing. Here’s how:

How to Block Personal OneDrive in Intune

  1. Go to https://intune.microsoft.com
  2. Click Devices
  3. Under By Platform, select Windows
  4. Under Manage, select Configuration
  5. Click Create > New Policy
  6. In the “Create a Profile” pane:
    • Platform: Windows 10 and later
    • Profile Type: Settings Catalog
    • Click Create
  7. Name the policy (e.g., OneDrive – Block Personal Sync)
  8. Add a description (optional)
  9. Click Next
  10. Click Add Settings
    • Search for OneDrive (scroll past the “Microsoft” section)
    • Check Prevent users from syncing personal OneDrive accounts (User)
  11. Set the toggle from Disabled to Enabled
  12. Click Next (Scope Tags)
    • You can leave this blank unless you use tags for special groups like the CEO
  13. Click Next (Assignments)
    • Click Add All Users
    • Add any exclusion groups as needed
  14. Click Next (Review + Create)
  15. If everything looks good, click Create

What does this setting do?

This is what Microsoft officially says: This setting lets you block users from signing in with a Microsoft account to sync their personal OneDrive files. If you enable this setting, users will be prevented from setting up a sync relationship for their personal OneDrive account. Users who are already syncing their personal OneDrive when you enable this setting won’t be able to continue syncing (and will be shown a message that syncing has stopped), but any files synced to the computer will remain on the computer. If you disable or do not configure this setting, users can sync their personal OneDrive accounts.

These upcoming OneDrive changes suck for some, and are awesome for others. Let’s keep ourselves protected by stopping it before it gets any worse.

Update

While searching for other options, I did find a GPO. GPOs work great with internal items like desktops and devices that don’t leave. However, if a GPO fails to load and it’s your only option, then it will fail. The GPO is located at User Configuration > Policies > Administrative Templates > OneDrive > Prevent users from synchronizing personal OneDrive accounts. Just enable this policy and apply it to your users, and it will do the same.
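Whether you push the setting through the Intune steps above or the GPO, you still want proof it landed on the device. Here is an added example (my own script, not from the original post) that checks the policy value on a signed-in Windows machine and whether a personal account is still configured in the OneDrive client; it assumes the documented OneDrive policy key and the client’s Accounts key under HKCU, and exits non-zero so it can be used as an Intune detection script run as the logged-on user.

```powershell
# Added example, not from the original post: verify that 'Prevent users from syncing
# personal OneDrive accounts' applied to this user, and whether a personal account is
# still configured. Exit 1 = non-compliant, for use as an Intune detection script
# (run with the logged-on user's credentials, since both keys live under HKCU).

# The GPO and the ADMX-backed Intune settings catalog entry both write this value.
$policyKey  = 'HKCU:\SOFTWARE\Policies\Microsoft\OneDrive'
# The OneDrive client records each signed-in account under Accounts\<Personal|BusinessN>.
$accountKey = 'HKCU:\SOFTWARE\Microsoft\OneDrive\Accounts\Personal'

function Test-PersonalSyncBlocked {
    $value = Get-ItemProperty -Path $policyKey -Name DisablePersonalSync -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.DisablePersonalSync -eq 1)
}

function Get-PersonalAccount {
    if (Test-Path $accountKey) {
        $acct = Get-ItemProperty -Path $accountKey
        return [pscustomobject]@{ Email = $acct.UserEmail; Folder = $acct.UserFolder }
    }
    return $null
}

$blocked  = Test-PersonalSyncBlocked
$personal = Get-PersonalAccount

[pscustomobject]@{
    User                 = $env:USERNAME
    PersonalSyncBlocked  = $blocked
    PersonalAccountFound = ($null -ne $personal)
    PersonalEmail        = $personal.Email
    PersonalSyncFolder   = $personal.Folder
} | Format-List

# Non-compliant if the policy is missing or a personal account is still configured.
# Per the setting's own description, files already synced stay on disk, so the
# sync folder path is reported for follow-up rather than touched here.
if (-not $blocked -or $null -ne $personal) { exit 1 } else { exit 0 }
```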

What can we learn as a person?

Let’s do some math. We all get 24 hours in a day. We need at least 8 hours of sleep, leaving us with 16. If you work an 8–5 job, that’s 9 hours gone. Add commute time, say 1 hour round trip, and you’re now down 11 hours.

Now subtract 1.5 hours for meals. You’re left with 3.5 hours per day. That’s all the time you have for your family, friends, hobbies, self-care, or personal growth. I’m not even counting weekends here. Most Americans live on the weekends and just exist during the week.

And here’s the part I want to challenge. Growing up, I was told, “Don’t make friends at work.” Honestly, that’s dumb. Who do you spend the most time with? Your coworkers. It’s okay to build friendships with them. It’s healthy to enjoy your work culture.
