Block un-enrollment of Windows Phone devices with Microsoft Intune
With the December update of Microsoft Intune, a cool feature has been added: OMA-URI support. This seemingly small feature introduces ‘endless’ management capabilities and scenarios, which allow you to take full advantage of managing Windows Phone devices with Microsoft Intune. It is useful when the setting you need is not configurable in a mobile device security policy.
A good example is blocking the removal of Workplace from your managed Windows Phones. By default users are able to un-enroll their devices, which then become unmanaged. In this blog I’ll show you how to prevent un-enrollment and remove the ability to factory reset a Windows Phone device with an OMA-URI policy template.
From the Policy pane, create a new policy and select the Windows Phone OMA-URI Policy template.
Provide a meaningful description for further reference as a policy can be used to configure one or more settings.
The next step is to add OMA-URI settings. In this example we’ll add restrictions for both Workplace un-enrollment and factory reset. This prevents the Windows Phone from ending up in an unmanaged state. These device settings can be found in the Windows Phone 8.1 MDM Protocol guide.
First we disable the un-enrollment of Windows Phone devices by using the following OMA-URI string:
- ./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment
Secondly we disable the ability to factory reset by using the following OMA-URI string:
- ./Vendor/MSFT/PolicyManager/My/System/AllowUserToResetPhone
We configured two settings using OMA-URI. This can be extended with desired settings/restrictions.
After deploying the policy to Windows Phone devices, we’ll notice that neither un-enrollment of Workplace nor a factory reset of your Windows Phone device is possible.
By using these settings you can prevent Windows Phone devices from being taken out of management in one way or another. This simple example shows the power of using OMA-URI! For an overview of all OMA-URI settings for Windows Phone, see the PolicyManager configuration service provider and Windows Phone 8.1 MDM Protocol documentation.
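An added example (not from the original post and not Intune's own code): a Python check that a set of OMA-URI settings closes both paths out of management named above, plus a rendering of those settings as OMA-DM SyncML Replace commands. The helper names, the sample policies and the integer value 0 for "not allowed" on Windows Phone 8.1 are assumptions.

```python
import xml.etree.ElementTree as ET

# The two PolicyManager nodes named in this post.
LOCKDOWN_URIS = (
    "./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment",
    "./Vendor/MSFT/PolicyManager/My/System/AllowUserToResetPhone",
)

def setting(uri, value, fmt="int"):
    return {"uri": uri, "format": fmt, "value": value}

# Constructed sample policies (assumption: integer 0 means "not allowed").
POLICY_FULL = [setting(u, 0) for u in LOCKDOWN_URIS]
POLICY_PARTIAL = [setting(LOCKDOWN_URIS[0], 0)]  # factory reset still open

def audit(settings):
    """Return the lockdown URIs that are missing or not set to integer 0."""
    configured = {s["uri"]: s for s in settings}
    gaps = []
    for uri in LOCKDOWN_URIS:
        s = configured.get(uri)
        if s is None or s["format"] != "int" or str(s["value"]).strip() != "0":
            gaps.append(uri)
    return gaps

def to_syncml(settings):
    """Render the settings as a SyncBody fragment of OMA-DM Replace commands."""
    body = ET.Element("SyncBody")
    for cmd_id, s in enumerate(settings, start=1):
        replace = ET.SubElement(body, "Replace")
        ET.SubElement(replace, "CmdID").text = str(cmd_id)
        item = ET.SubElement(replace, "Item")
        ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = s["uri"]
        meta = ET.SubElement(item, "Meta")
        ET.SubElement(meta, "Format", xmlns="syncml:metinf").text = s["format"]
        ET.SubElement(item, "Data").text = str(s["value"])
    return ET.tostring(body, encoding="unicode")

if __name__ == "__main__":
    for name, policy in (("full", POLICY_FULL), ("partial", POLICY_PARTIAL)):
        print(name, "gaps:", audit(policy) or "none")
    print(to_syncml(POLICY_FULL))
```

A policy that blocks manual un-enrollment but leaves factory reset allowed is reported as a gap, since a reset also takes the device out of management.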
Thanks for writing this. I am trying to prevent user access to location settings. I have found the path to calling up the setting, but not toggling on/off condition or preventing access to entirely as desired.
Thanks for any help.
Thomas
For Windows 10 devices you should use:
./Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment
Data Type: Integer
Value: 0
Per: https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune