Application Black\White Listing with ConfigMgr

July 2, 2015 at 7:16 am in Uncategorized by nsienaert

 

Hi All,

Since the release of the latest Configuration Manager Service Pack (CM12SP2 or CM12R2SP1) it’s possible to black and white list applications (aka Compliant and non-Compliant applications) on Windows Phone by creating Compliancy Rules through Configuration items.

You could already do something similar through OMA-DM, but now you have a nice interface within the Configuration Manager console, without the need to look up and modify XML code. The OMA-DM approach is still supported, of course. You can find more info in one of my earlier blogs.

In this blog I’m not going to go into detail on how you create such application lists, since other people have already done that for you. Instead I will focus on how they actually work.

My attention was caught when I saw the following errors in the Configuration Manager console when deploying such application lists.

[Screenshot: conflict errors in the Configuration Manager console]

An important word in the previous sentence is “Lists”. It’s of course supported to create several Lists but it’s not supported to deploy more than one List to a device or user. That can result in such conflicts.

If you send two lists to a device, the first one that arrives will apply, but as soon as the second comes into the picture you will see a conflict error as above.

So the best practice, if you want to allow (or deny) applications, is to create one list and add software titles to that list or remove titles from it.

Some detailed behaviour:

1) Application Black List 1 applied –> Apps disabled

2) Application Black List 2 applied –> Apps of list 1 stay disabled but a conflict error appears

3) Remove Deployment Application Black List 1 –> Apps of list 1 become “allowed” again and Apps of list 2 are now “Denied”.

4) Add a new title to Application Black List 2 –> New title will be disabled, all other Apps stay disabled.

But what if you want to Allow certain Applications and Block certain Applications on a device? Can you send two lists to a device in that case? The answer is NO.

The reason behind that is the fact that White lists are more restrictive than black lists. If one device has a white list, all apps outside of that list are blocked. So the Black list becomes redundant.

That’s also the reason why you have a radio button choice and not check boxes, for instance.

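To make the rules above easier to reason about before you deploy, here is a small Python model of the behaviour described in steps 1 to 4 and of the white list rule. It is an example added to this post, not ConfigMgr code; the class names, list names and app titles are constructed, and it assumes that a second list is not enforced while the first one is still deployed.

```python
from dataclasses import dataclass, field

@dataclass
class AppList:
    name: str
    mode: str                      # "deny" = black list, "allow" = white list
    titles: set

@dataclass
class Device:
    """Toy model of the device-side behaviour described in the post."""
    deployed: list = field(default_factory=list)   # lists in arrival order

    def deploy(self, app_list):
        self.deployed.append(app_list)

    def remove(self, name):
        self.deployed = [x for x in self.deployed if x.name != name]

    def effective(self):
        # The first list that arrived is the one that is enforced.
        return self.deployed[0] if self.deployed else None

    def conflicts(self):
        # Any further list is reported as a conflict and is not enforced.
        return [x.name for x in self.deployed[1:]]

    def blocked(self, title):
        lst = self.effective()
        if lst is None:
            return False
        if lst.mode == "deny":
            return title in lst.titles
        return title not in lst.titles   # white list blocks everything else

def walkthrough():
    """Replay steps 1-4 with constructed list and app names."""
    bl1 = AppList("Black List 1", "deny", {"AppA"})
    bl2 = AppList("Black List 2", "deny", {"AppB"})
    dev, log = Device(), []
    snap = lambda: (dev.blocked("AppA"), dev.blocked("AppB"),
                    dev.blocked("AppC"), dev.conflicts())
    dev.deploy(bl1); log.append(snap())             # step 1
    dev.deploy(bl2); log.append(snap())             # step 2: conflict reported
    dev.remove("Black List 1"); log.append(snap())  # step 3: list 2 takes over
    bl2.titles.add("AppC"); log.append(snap())      # step 4: new title denied
    return log

if __name__ == "__main__":
    for step, state in enumerate(walkthrough(), 1):
        print(step, state)
```

Each tuple is (AppA blocked, AppB blocked, AppC blocked, lists in conflict), so you can see the conflict appear in step 2 and disappear again in step 3.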

To conclude, for Android and iOS you have a similar configuration. The main difference is that today this is only a reporting feature. So the non-compliant apps will not be blocked on the device itself but you will have reporting information.

Hope you liked it! Till next time!

Nico Sienaert (@nsienaert)