SCCM 2012 R2 – Windows Phone 8.1 Black/White Listing of Apps and Vendors

With the Windows Phone 8.1 extension for System Center 2012 Configuration Manager R2, we are able to manage blacklisting or whitelisting for those devices. In this blog post, I would like to show how you can blacklist publishers and/or applications.

In this process we have to create a compliance setting and a baseline, and afterwards deploy the baseline to a device collection. Keep this in mind, because it means that the Intune server has to sync the device back to SCCM before it can send the policy to the device; the device therefore gets the policy some minutes after it is added to the company.
Here is what you need:

  • Windows Phone 8.1 device (an emulator would also work)
  • The Product ID of the application or the exact vendor name

This is how you get the application ID:

Open the store, and get the last string of the URL from the specific Application:
Windows Store App ID
In this case, the ID would be: 6a37f087-e4d5-43e7-96c9-eeea9d22e445
Or, if you want to deny a whole publisher, take the publisher name (here I took the app Bioscoop Film Agenda): “Bruno B”

Now you can go on and create your Deny XML, which you will add to the compliance rule afterwards.

<AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy">
<Deny>
<App ProductId="{6a37f087-e4d5-43e7-96c9-eeea9d22e445}"/>
<Publisher PublisherName="Bruno B"/>
</Deny>
</AppPolicy>

You can also deny a Publisher and make an exemption for a specific app of this Publisher:

<AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy">
<Deny>
<App ProductId="{6a37f087-e4d5-43e7-96c9-eeea9d22e445}"/>
<Publisher PublisherName="Bruno B">
<AllowApp ProductId="{b79fb25e-ea4a-4dda-bbba-66c282377105}" />
</Publisher>
</Deny>
</AppPolicy>

Be sure to remove all line feeds, return characters, and carriage returns in the XML string, and keep in mind that “ProductId” is case sensitive:

<AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy"><Deny><App ProductId="{6a37f087-e4d5-43e7-96c9-eeea9d22e445}"/><Publisher PublisherName="Bruno B"/></Deny></AppPolicy>
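The preparation step described above, as an added example that is not part of the original post: a PowerShell helper that checks a multi-line policy for well-formedness, the expected namespace and the exact `ProductId` attribute name, then returns the single-line string for the setting value. The function name `ConvertTo-AppPolicyValue` is hypothetical, and the brace-wrapped GUID format is an assumption taken from the post's examples.

```powershell
# Added example, not from the original post. ConvertTo-AppPolicyValue is a hypothetical name.
function ConvertTo-AppPolicyValue {
    param([Parameter(Mandatory = $true)][string]$PolicyXml)

    $ns   = 'http://schemas.microsoft.com/phone/2013/policy'
    # Assumption: product IDs are brace-wrapped GUIDs, as in the post's examples.
    $guid = '^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$'

    # PreserveWhitespace is $false by default, so indentation and line breaks
    # between elements are dropped while loading.
    $doc = New-Object System.Xml.XmlDocument
    try   { $doc.LoadXml($PolicyXml) }
    catch { throw "Policy is not well-formed XML: $($_.Exception.Message)" }

    $root = $doc.DocumentElement
    if ($root.LocalName -cne 'AppPolicy' -or $root.NamespaceURI -cne $ns) {
        throw "Root element must be <AppPolicy> in namespace $ns"
    }

    foreach ($el in $doc.SelectNodes('//*')) {
        $name = $el.LocalName
        if ($name -ceq 'App' -or $name -ceq 'AllowApp') {
            # GetAttribute is case-sensitive: 'productid' or 'ProductID' yields ''.
            if ($el.GetAttribute('ProductId') -notmatch $guid) {
                throw "<$name> needs ProductId=""{GUID}"" with exact attribute case"
            }
        }
        elseif ($name -ceq 'Publisher' -and
                [string]::IsNullOrWhiteSpace($el.GetAttribute('PublisherName'))) {
            throw '<Publisher> needs a non-empty PublisherName attribute'
        }
    }

    $value = $doc.OuterXml
    if ($value -match '[\r\n]') { throw 'Policy still contains a line break' }
    return $value
}

# Constructed sample: deny one app and one publisher, with one exempted app.
$policy = @'
<AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy">
  <Deny>
    <App ProductId="{6a37f087-e4d5-43e7-96c9-eeea9d22e445}"/>
    <Publisher PublisherName="Bruno B">
      <AllowApp ProductId="{b79fb25e-ea4a-4dda-bbba-66c282377105}"/>
    </Publisher>
  </Deny>
</AppPolicy>
'@
ConvertTo-AppPolicyValue -PolicyXml $policy
```

A policy with a mismatched closing tag or a misspelled `ProductId` attribute fails here with a clear error instead of being pasted into the console unchecked.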

When you have your string together, it is time to create the configuration item. Start in the SCCM 2012 R2 console by creating the item:
Configuration Item
Next, choose “Configure additional settings that….”:
Configure Additional settings
Click on “Add…” and, in the “Browse Settings” dialog that appears, click on “Create Setting…”. Then configure the wizard as follows:
Name: Black/White Listing for Windows Phone 8.1
Setting Type: OMA URI
Data Type: String
OMA-URI (Case-Sensitive): ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions
Create Setting
Click OK, search for your newly created setting and click on “Select”:
Now you can copy your prepared string into the value input. Be sure that “Remediate noncompliant rules when supported” is selected:
Create Rule
Click on OK and close the “Browse Settings” wizard by clicking on “Close”. Then click “Next” in the “Create Configuration Item Wizard”:
Step Next
Choose “All Windows Phone 8.1” as the supported models:
Supported Models
Finish the wizard by clicking “Next” three times and “Close” afterwards. Now your configuration item is created and can be used in a configuration baseline:
Configuration Baseline
Now it is time to deploy the baseline. Be sure to deploy it to a device collection, as mentioned earlier: the OMA-URI settings are device settings and can’t be deployed to a user.
The deployment is quite easy, but make sure that you have enabled the option “Remediate noncompliant rules when supported”:
Baseline Deployment

Now you can move on to the phone, but first, please check the following carefully:

  • The device has to reside in the collection where you have deployed the configuration baseline
  • SCCM should have successfully uploaded the information to Intune (see dmpuploader.log)

If you are really sure, then go ahead and download the policy on the phone:
Policy Download
Now your compliance settings are active; see the following screens. The first one shows how the app is presented in the Store: you can’t install it, and a message is shown in the center of the description. The second and third ones show what happens with already installed applications (they are grayed out, and a message appears when you try to start them).
App in Store Disabled App View Disabled App Message

The restriction is immediately no longer active when you remove the device from company management. When you remove the deployment from the device, nothing happens after a policy refresh, because the setting is not removed. But you can simply change the value of the OMA-URI to “” and the apps will be available again:
Empty

This means that you can only deploy one setting to a device.

Hope this helps.
Martin
