Nextcloud should not allow local synchronization. How to make it?

Sensitive patient data is stored in certain Nextcloud folders. Under no circumstances may they be synchronized with any local folders in order to ensure the greatest possible security / data protection.

What can I do to prohibit certain folders (or the entire Nextcloud) from being able to connect local Nextcloud clients to synchronize - even if they have the access data and password for an account?

Editing of the files should only take place in the cloud itself (with only office).

Regards, Kallle

How about killing all the ports but 443 (https)…?
But this won’t prevent legit users from manually downloading…
Take the computer offline and kill the USB ports…?

EDIT:
I don’t think you can achieve this using Nextcloud only, without an intermediary.

A simple way would be to have a Windows PC to RDP into.
While this PC - and only it! - has the right to communicate with Nextcloud…
Don’t forget to kill copy/paste and SMB between local and remote computers.
If you are serious about security - sandbox everything behind a firewall. Add 2FA…

VMware Horizon would be another (more expensive) way to do this…

I found a way: In the config.php I set the parameter ‘minimum.supported.desktop.version’ => '99 .0.0 ’

Version 99 will certainly not be around for decades. (Hopefully)! I.e. Nextcloud will not allow any desktop client to come near it.
In addition, we simply have to trust users that they are not dragging copies of files down to their hard drives.
In view of the impending GDPR fines, experienced psychotherapists should know how to deal with data protection. The only thing that matters to me is that there is no longer any convenient automatic synchronization.

You must be new to this…

Using Nextcloud as the security platform and “trust” is NOT the way to protect “sensitive patient data” by a long shot… Even in non-EU countries…

Trust me…:laughing:

The “official” way: you can use fileaccesscontrol (https://apps.nextcloud.com/apps/files_accesscontrol) to restrict access based on certain clients, networks or other conditions. Without knowing your setup, perhaps it is better to keep sensitive information on a different setup and secure this properly (if the current setup doesn’t fulfill these standards already).

Unfortunately, there are often ways around something and if your solution is not working well for users, they keep finding other ways.