Administrative Control to Block Folders or Files from being Sync'd by Clients

I have NC13 loaded with Ubuntu 16.04 LAMP server with a need to block specific Folders and Files from being Synchronized by the clients.

I have created a User and a Group for the purposes of segregating data and to function as read only information. However, I cannot find a way to prevent that data from synchronizing with user’s Clients once it’s shared with them.

The only limits I can find are with the end-users un-checking that folder in the client. Furthermore, if they remove an existing Sync-Connection and create a new one, then it doesn’t do anything to prevent the segregated files or folders from synchronizing upon establishing the new Sync-connection.

Shared files have the ability to be downloaded as it is, which is fine in our case, but this folder is nearly a terabyte in size. It’s historical data that we have to protect from user changes but not from viewing.

We want users restricted from accessing this data except through a web browser, only those users we’ve added to the group for this access, able to download individual files or folders, but not able to synchronize this folder with their client.

Is there any method (and what would that be?), from the server/Administrative side, to prevent shared folders and files from being synchronized?

Thank you,
Thomas

Currently syncing can’t be prevented, only obfuscated. You can limit access to certain client names, etc.
Background is that WebDAV is used and there are many clients which provide sync functionalities.
If obfuscation is good enough for you, there are tricks with the file access app etc.

Thank you for the reply. I’ll look at the obfuscations you mention to see if I can use it to prevent my users from downloading this content, but it sounds like I’ll have to go with Samba file shares for that. I was really hoping to achieve this with one access point.

Hi,

Shouldn’t this option from the File Access Control app help here?

If you add a rule for each client (Android, iOS, Desktop), these agents should be blocked.

I can try that and see if it works the way we need it to.

I don’t want to actually block the users from everything. I need to block their access to sync one specific folder and its contents that I need to share to them, but of course they still need to be able to view that folder and its contents from their web browsers when they log into our cloud.

I’ll try this and see if I can get there.

Thank you for your knowledge.
Thomas

Thanks so much for the help. It looks like it’s going to work.
For anyone wanting to know how I did it:

From the account I shared the folder from:

  1. I had to go to the folder I shared and select the three dots to the right of the folder.
  2. Click on details on the drop down menu.
  3. In the new field to the right I entered “DoNotSync” as the tag name and pressed Enter.

From the Administrator account:

  1. Under File Access Control I clicked on Add Rule Group and created a group called DoNotSync.
  2. I clicked Add Rule and selected Request User Agent from the first drop down.
  3. In the second drop down I selected “is”.
  4. In the third drop down I selected “Desktop Client”.
  5. I clicked Add Rule again and selected “File System Tag”.
  6. In the second drop down I selected “Is tagged with”.
  7. In the third drop down I selected the tag I’d previously made “DoNotSync”.

I repeated the entire procedure for Android and iOS.

I tested with Android first and it did download the Folder that is shared, but none of the contents. When I tried to manually sync that folder from my phone it gave a pop-up error “FORBIDDEN”.

Then I tested from my laptop and the client refused to Sync the folder’s contents. Under the Tab for “Not Synced” the client showed in the action column: “Access Forbidden”.

This method works to restrict folder contents from Synchronizing very well.

Thank you for your help.:sunglasses::sunglasses::sunglasses:

1 Like
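
A small model of the rule logic set up in the post above, added here as an illustration and not part of any reply or of Nextcloud's own code: a request is refused only when both checks in a rule group match (listed client and tagged path). The user-agent patterns, folder paths and group names are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Simplified stand-ins for the "Request user agent" presets (assumption:
# the app ships its own patterns for the official clients).
AGENT_PRESETS = {
    "Desktop client": re.compile(r"^Mozilla/5\.0 \([A-Za-z ]+\) mirall/"),
    "Android client": re.compile(r"^Mozilla/5\.0 \(Android\) Nextcloud-android"),
    "iOS client": re.compile(r"^Mozilla/5\.0 \(iOS\) Nextcloud-iOS"),
}
# Constructed tag assignment: the shared folder carries the tag.
TAGGED_FOLDERS = {"/Historical": {"DoNotSync"}}

@dataclass(frozen=True)
class Request:
    user_agent: str
    path: str

def tags_for(path):
    """Tags on the path itself or on any parent folder."""
    found = set()
    for folder, tags in TAGGED_FOLDERS.items():
        if path == folder or path.startswith(folder + "/"):
            found |= tags
    return found

# One rule group per client, as in the post; group names are hypothetical.
RULE_GROUPS = {f"DoNotSync ({c})": (c, "DoNotSync") for c in AGENT_PRESETS}

def blocking_group(req):
    """Name of the first group whose checks ALL match, else None."""
    for name, (client, tag) in RULE_GROUPS.items():
        if AGENT_PRESETS[client].search(req.user_agent) and tag in tags_for(req.path):
            return name
    return None

def status(req):
    return 403 if blocking_group(req) else 200

# Constructed sample requests (user agents and paths are illustrative).
SAMPLES = [
    Request("Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0", "/Historical/1998/a.pdf"),
    Request("Mozilla/5.0 (Windows) mirall/2.3.3", "/Historical/1998/a.pdf"),
    Request("Mozilla/5.0 (Windows) mirall/2.3.3", "/Projects/plan.odt"),
    Request("Mozilla/5.0 (Android) Nextcloud-android/3.0.0", "/Historical/1998/a.pdf"),
    Request("ExampleDAV/1.0", "/Historical/1998/a.pdf"),  # not a listed client
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(status(r), blocking_group(r), r.user_agent, r.path)
```

The last sample matches no group, which is the point of the earlier reply that access is limited by client name: the rule set covers the official sync clients only.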

In addition an important note. Make sure the tag “DoNotSync” is invisible or restricted (haven’t actually tested the difference here). By that you want to make sure that these users cannot remove the tag when accessing the folder with the browser.

1 Like

Making the Tags invisible?
I’ll have to ask how that’s done.
From what I’ve read, users make their own tags and that tag is then disseminated to all users.

All tags are system tags, and are shared by all users on your Nextcloud server.

https://docs.nextcloud.com/server/13/user_manual/files/access_webgui.html?highlight=tags

I’ll keep reading. If you know how to do it, I’d like to know what you know, please.

Thanks,
Thomas

In the admin section under “Workflow” you can create tags and assign them an access level:

The levels available are

  • public
  • invisible
  • restricted

Tags with level public can be seen, added and removed by everybody.

https://docs.nextcloud.com/server/13/admin_manual/file_workflows/automated_tagging.html#assigning-restricted-and-invisible-tags

So from the documentation I’d rather use “restricted”. Invisible might work as well, but I haven’t played around with them yet and can’t tell for sure.

1 Like

Thank you very much. That’s going to make my life so much easier now. You are a very helpful person. I really appreciate your time and knowledge.

:v::vulcan_salute::+1:

Thanks,
Thomas

1 Like

Thank you so much for these warm and kind words :blush: This is keeping me motivated :slight_smile:
I’m glad your life is going to be easier now :smiley:

:vulcan_salute:

1 Like

Hi guys,

I realize this comment is quite old, but it speaks to my exact requirements.

When a client has already synced a shared folder, and the folder is then tagged for purposes of no longer allowing for client sync as per the above, is any already-synced content deleted on the client machine?

Thanks!

As I understand your question: if you deselect a folder for sync on your device from within the Desktop or mobile app, will it delete that content? The answer in my experience is no. In my experience with this the data is persistent until you delete the files or the folder/directory it resides within.

I have this exact issue, did you find a solution?