
Deny Windows Phone Apps with Configuration Manager \ Intune

7:53 am in Uncategorized by nsienaert

Hi All,


Exciting times are coming for Windows Phone with the Enterprise Feature Pack, aka Windows Phone 8.1, which is coming soon.

As you might know, you can already test the beta version of WP8.1 if you register with a Developer Account.

That being said, support for Windows Phone 8.1 is also being released. Normally by the end of the week you should all have received the new Windows Phone 8.1 Extension.


It’s time now to explore some new capabilities. The one that I personally was interested in was black & white listing of Applications.

Besides the settings you can manage via the GUI of ConfigMgr, Windows Phone also supports the OMA-DM standard, which offers quite some extra management capabilities. Fellow MVP Kenny Buntinx already explained in an earlier blog how you can use these OMA-DM settings to prevent un-enrollment of Corporate devices.

Well, guess what we need to Deny Applications on Windows Phone…

For the sake of the demo I want to deny the not so business critical app Flappy World.

Let’s Configure it

As you know all MDM Settings are stored under the Settings Management node.

Because we will use OMA-DM we need to create a custom setting


You give it a name, eg. “Deny Windows Phone Apps”, you select “OMA URI” as Setting Type and “String” as Data Type:


You type the following path into the OMA-URI field:


This is the path where the specific OMA-DM settings are stored.

Once that is done, it’s time to create a Compliance Rule where we will define that “Flappy World” is a denied app. Ooh I will miss it :-)


You see that the rule is based on some XML code. Below you can find an example:

<AppPolicy Version="1" xmlns=""><Deny><App ProductId="{2e59d843-22e4-4df1-869e-22adadb8005b}"/></Deny></AppPolicy>

The ProductID is of course the important variable, this is where you define which App you want to deny.

Now, how do you find the Product ID of your App?

Well, if you go to the Windows Phone Store via a browser and select the App you want to deny, you will be able to see the ID in the URL. Just grab it from there.
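The policy string is easy to get wrong by hand (smart quotes, a missing brace, a truncated GUID), so here is an added example, not part of the original post, that pulls the product ID out of a store URL or raw ID and builds the deny XML in the format shown above. `New-AppPolicyDenyXml` is a hypothetical helper name, and the sample URL is a constructed placeholder; only the GUID comes from the post.

```powershell
# Added example: build the AppPolicy deny XML from store URLs or raw product IDs.
# New-AppPolicyDenyXml is a hypothetical helper, not a ConfigMgr or Intune cmdlet.
function New-AppPolicyDenyXml {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$StoreUrlOrId
    )

    # Accept only a well-formed GUID, so nothing else from the input can end up in the XML.
    $guidPattern = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'

    $ids = foreach ($item in $StoreUrlOrId) {
        $m = [regex]::Match($item, $guidPattern)
        if (-not $m.Success) {
            throw "No product ID (GUID) found in '$item'"
        }
        # Normalise case so the same app listed twice is detected as a duplicate.
        $m.Value.ToLowerInvariant()
    }
    $ids = @($ids | Select-Object -Unique)

    $apps = ($ids | ForEach-Object { '<App ProductId="{' + $_ + '}"/>' }) -join ''
    $xml  = '<AppPolicy Version="1" xmlns=""><Deny>' + $apps + '</Deny></AppPolicy>'

    # Parse the result once: a malformed policy fails here instead of on the phone.
    [void][xml]$xml
    return $xml
}

# Constructed sample input: a placeholder URL shape and the same ID in braces.
# Both resolve to the Flappy World product ID used in the post, so one <App> is emitted.
New-AppPolicyDenyXml -StoreUrlOrId @(
    'https://store.example/app/flappy-world/2e59d843-22e4-4df1-869e-22adadb8005b',
    '{2E59D843-22E4-4DF1-869E-22ADADB8005B}'
)
```

Paste the returned string into the rule value as plain text; straight double quotes are required for the XML to parse.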

IMPORTANT: as with all MDM Settings, make sure your “Remediate” check box is checked.

Thanks to the Windows Phone 8.1 Extension we are able to limit this setting to WP8.1.


OK, we are almost there. Next step is to add the CI into a Baseline and deploy it to a User or Device Collection. (Check the ACTION = Remediate!!)


The Experience

Let’s refresh the policy on the phone and see what happens…


My “Flappy World” tile is grayed out, so OK let’s try to use it.


The App is refusing to open because it’s disabled via Company Policy!

That’s all for now, happy Blacklisting!

Till next time,

Nico Sienaert


Windows Intune: unable to remove verified domain

7:56 am in Uncategorized by nsienaert


Hi all,

This is probably an issue that some of you will bump into if you have a Windows Intune trial running. That’s why I decided to quickly write this down.

As you probably know you can link your public domain name into Windows Intune mainly to improve the Single-Sign on experience of your users.

Imagine that you have a verified domain linked to your trial tenant and for some reason you will not extend the trial or you want to link your domain to another tenant. In that case you need to remove your domain from the Intune tenant as you cannot link your public domain name to different tenants.

The first thing you need to do is delete all your Users and Security Groups that you have synced into Microsoft Azure Active Directory (so the new acronym will be MAAD :-)) with DirSync, so you have no associations anymore between your domain and MAAD.

If you try to remove your domain, you might receive the following error:


So for some reason there is apparently still an association which you need to “disconnect” before you can remove the domain.

As always these days, PowerShell can help us take a closer look under the hood.

The first step is to download and install the O365 PowerShell cmdlets.

Secondly, execute the following PowerShell commands:

Connect-MsolService    # provide your credentials
Get-MsolGroup    # interestingly, this also shows mail-enabled Security Groups, which apparently are not visible in the Intune interface
Remove-MsolGroup -ObjectId <ObjectID>    # the Object ID is shown by Get-MsolGroup; this command removes the mail-enabled Security Groups

If everything goes well you should now be able to remove your domain from the Windows Intune tenant.

In case you still have issues you can execute the following command.

Get-MsolUser -ReturnDeletedUsers -All | foreach { Remove-MsolUser -ObjectId $_.ObjectId -RemoveFromRecycleBin -Force }

If you delete Users and Security Groups, you will notice that they are still listed under “Deleted” items. So actually they are dropped in a kind of Recycle Bin. If you still encounter issues it might help that you execute a “shift-delete” with the -ReturnDeletedUsers switch.


I never had to use this last command but it might be your plan B.
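The commands above act on every group and every deleted user in the tenant. As an added example, not part of the original post, the filter below narrows the work to objects that still reference the domain being removed, so they can be reviewed before anything is deleted. `Select-DomainBound` is a hypothetical helper, `contoso.example` is a placeholder domain, and it assumes the association shows up as the suffix of `EmailAddress` (groups) or `UserPrincipalName` (users).

```powershell
# Added example: find objects still tied to one domain before removing them.
# Select-DomainBound is a hypothetical helper; contoso.example is a placeholder.
function Select-DomainBound {
    param(
        [object[]]$InputObject,
        [Parameter(Mandatory)][string]$Property,
        [Parameter(Mandatory)][string]$Domain
    )
    $suffix = '@' + $Domain
    $InputObject | Where-Object {
        $value = $_.$Property
        # Objects without an address (e.g. plain Security Groups) are skipped.
        $value -and $value.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)
    }
}

# Constructed sample objects so the filter can be tried without a tenant.
$sampleGroups = @(
    [pscustomobject]@{ DisplayName = 'Sales';  EmailAddress = 'sales@contoso.example'; ObjectId = [guid]::NewGuid() }
    [pscustomobject]@{ DisplayName = 'Admins'; EmailAddress = $null;                   ObjectId = [guid]::NewGuid() }
    [pscustomobject]@{ DisplayName = 'Other';  EmailAddress = 'other@fabrikam.example'; ObjectId = [guid]::NewGuid() }
)
# Returns only the 'Sales' group.
Select-DomainBound -InputObject $sampleGroups -Property EmailAddress -Domain 'contoso.example'

# Against a live tenant (after Connect-MsolService): review first, then remove.
#   $domain  = 'contoso.example'
#   $groups  = Select-DomainBound (Get-MsolGroup -All) EmailAddress $domain
#   $deleted = Select-DomainBound (Get-MsolUser -ReturnDeletedUsers -All) UserPrincipalName $domain
#   $groups  | Format-Table DisplayName, EmailAddress, ObjectId
#   $deleted | Format-Table UserPrincipalName, ObjectId
#   $groups  | ForEach-Object { Remove-MsolGroup -ObjectId $_.ObjectId }
#   $deleted | ForEach-Object { Remove-MsolUser -ObjectId $_.ObjectId -RemoveFromRecycleBin -Force }
```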

Till next time!

Nico Sienaert

