Block un-enrollment Windows Phone devices by Microsoft Intune


With the December update of Microsoft Intune, a cool feature has been added: OMA-URI support. This seemingly small feature introduces ‘endless’ management capabilities and scenarios, allowing you to take full advantage of managing Windows Phone devices with Microsoft Intune. It is useful when the setting you need is not configurable in a mobile device security policy.


A good example is blocking the removal of Workplace from your managed Windows Phones. By default, users are able to un-enroll their devices, which then become unmanaged. In this blog I’ll show you how to prevent un-enrollment and factory reset of a Windows Phone device with an OMA-URI policy template.

From the Policy pane, create a new policy and select the Windows Phone OMA-URI Policy template.


Provide a meaningful description for further reference as a policy can be used to configure one or more settings.


The next step is to add OMA-URI settings. In this example we’ll add restrictions for both Workplace un-enrollment and factory reset, which prevents the Windows Phone from ending up in an unmanaged state. These device settings can be found in the Windows Phone 8.1 MDM Protocol guide.

First we disable the un-enrollment of Windows Phone devices by using the following OMA-URI string:

  • ./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment


Secondly we disable the ability to factory reset by using the following OMA-URI string:

  • ./Vendor/MSFT/PolicyManager/My/System/AllowUserToResetPhone


We configured two settings using OMA-URI. This can be extended with desired settings/restrictions.
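The two settings above, rendered as the OMA-DM SyncML `Replace` commands a device would receive, plus a check that a policy body really carries both restrictions. This is an added example, not code from the original post or from Intune; the `int` format and the value `0` (not allowed) are assumptions taken from the PolicyManager CSP documentation, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# OMA-URI strings from the post. Type "int" and value 0 (= not allowed) are
# assumptions based on the PolicyManager CSP documentation, not stated in the post.
LOCKDOWN = {
    "./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment": 0,
    "./Vendor/MSFT/PolicyManager/My/System/AllowUserToResetPhone": 0,
}


def build_syncml(settings):
    """Return a SyncBody (session header omitted) with one Replace per integer setting."""
    body = ET.Element("SyncBody")
    for cmd_id, (uri, value) in enumerate(settings.items(), start=1):
        replace = ET.SubElement(body, "Replace")
        ET.SubElement(replace, "CmdID").text = str(cmd_id)
        item = ET.SubElement(replace, "Item")
        target = ET.SubElement(item, "Target")
        ET.SubElement(target, "LocURI").text = uri
        meta = ET.SubElement(item, "Meta")
        fmt = ET.SubElement(meta, "Format")
        fmt.set("xmlns", "syncml:metinf")  # Format lives in the meta-information namespace
        fmt.text = "int"
        ET.SubElement(item, "Data").text = str(value)
    return ET.tostring(body, encoding="unicode")


def audit(syncml):
    """Return the lockdown URIs that are missing or not set to the expected value."""
    found = {}
    for item in ET.fromstring(syncml).iter("Item"):
        uri = item.findtext("Target/LocURI")
        found[uri] = (item.findtext("Data") or "").strip()
    return sorted(u for u, v in LOCKDOWN.items() if found.get(u) != str(v))


if __name__ == "__main__":
    policy = build_syncml(LOCKDOWN)
    print(policy)
    print("gaps:", audit(policy))  # an empty list means both restrictions are present
```
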


After deploying the policy to Windows Phone devices, we’ll notice that neither un-enrollment of Workplace nor a factory reset of the Windows Phone device is possible.


By using these settings you can prevent Windows Phone devices from being taken out of management in one way or another. This simple example shows the power of using OMA-URI! For an overview of all OMA-URI settings for Windows Phone, see the PolicyManager configuration service provider and the Windows Phone 8.1 MDM Protocol documentation.


3 thoughts on “Block un-enrollment Windows Phone devices by Microsoft Intune”

  1. Thanks for writing this. I am trying to prevent user access to location settings. I have found the path to calling up the setting, but not toggling on/off condition or preventing access to entirely as desired.

    Thanks for any help.

    Thomas

  2. Pingback: Prevent users from Removing a Workplace Account on Windows Phone with Intune - dave.harris.uno
