Deny Windows Phone Apps with Configuration Manager \ Intune

May 22, 2014 at 7:53 am in Uncategorized by nsienaert

Hi All,


Exciting times for Windows Phone are coming with the Enterprise Feature Pack aka Windows Phone 8.1 that is coming soon.

As you might now you can test already the beta version of WP8.1 if you register with a Developer Account.

That being said also the support for Windows Phone 8.1 is getting released. Normally by the end of the week you should all have received the new Windows Phone 8.1 Extension.


It’s time now to explore some new capabilities. The one that I personally was interested in was black & white listing of Applications.

Besides the settings you can manage via the GUI of ConfigMgr, Windows Phone also supports OMA-DM standard which offers quite some extra management capabilities. Fellow MVP Kenny Buntinx explained already in an earlier blog how you an use these OMA-DM to prevent un-enroll of Corporate devices.

Well guess what we need to Deny Applications on Windows Phone…

For the sake of demo I want Deny the not so business critical app Flappy World.

Let’s Configure it

As you know all MDM Settings are stored under the Settings Management node.

Because we will use OMA-DM we need to create a custom setting


You give it a name, eg. “Deny Windows Phone Apps”, you select “OMA URI” as Setting Type and “String” as Data Type:


You type the following path into the OMA-URI field:


This is the path where the specific OMA-DM settings are stored.

Once that is done, it’s time to create a Compliancy Rule where we will define that “Flappy World” is a denied app. Ooh I will miss it :-)


You see that the rule is based on some XML code. Hereunder you can find an example:

<AppPolicy Version=”1″ xmlns=””><Deny><App ProductId=”{2e59d843-22e4-4df1-869e-22adadb8005b}”/></Deny></AppPolicy>

The ProductID is of course the important variable, this is where you define which App you want to deny.

Now, how do you find the Product ID of your App?

Well, if you go the Windows Phone Store via a browser and you select the App you want to deny, you will be able to see the ID in the URL. Just grab it over there.

IMPORTANT: as with all MDM Settings, make sure your “Remediate” check box is checked.

Thanks to the Windows Phone 8.1 Extension we are able to limit this setting to WP8.1.


OK, we are almost there. Next step is to add the CI into a Baseline and deploy it to a User or Device Collection. (Check the ACTION = Remediate!!)


The Experience

Let’s refresh the policy on the phone and see what happens…


My “Flappy World” tile is grayed out, so OK let’s try to use it.


The App is refusing to open because it’s disabled via Company Policy!

That’s all for now, happy Blacklisting!

Till next time,

Nico Sienaert

MVP Small imagesCAIOYXPP