ConfigMgr 2012 R2 & Windows Intune UDM : How to prevent an “End-User” from un-enrolling his “Corporate” Windows Phone 8.1
April 24, 2014 at 8:30 pm in 2012R2, 8.1, Compliance Management, configmgr 2012 R2, intune, MDM, OMA-DM, OMA-URI, policy, sccm 2012 R2, UDM, Windows Intune, Windows Intune Extensions, windows inune, Windows Phone 8.1, Windws Intune, WP 8.1 by Kenny Buntinx [MVP]
Last week, during a Windows Intune UDM proof of concept at a customer, the customer told us he was willing to order about 3000 corporate-owned Nokia Lumia 630 Windows Phones. He wanted us to provide the option that, when the ‘device owner’ in CM12 R2 is set to “corporate”, a user cannot un-enroll that “corporate” device, unless you are the ConfigMgr 2012 MDM admin.
Although this seemed a logical request to me, it couldn’t be done out of the box with Windows Phone 8 or with Windows Intune. A missed opportunity, I would say. However, with the launch of Windows Phone 8.1 at the Build conference, a new set of OMA-DM management capabilities was added.
At this stage, the writing and testing of this blog post is being done with a developer edition of Windows Phone 8.1. I doubt that these policies will change when it is rolled out as RTM.
Solution to the problem:
First of all, you need to know what OMA-DM is. OMA-DM is an open standard that Apple, Android and Microsoft are using. All MDM solutions use the OMA-DM API to manage those devices. More information on OMA-DM can be found here.
Together with WP 8.1, Microsoft released a comprehensive guide called ‘Windows Phone 8.1 MDM protocol documentation’. You will need this guide as a reference to find all the custom, not-so-out-of-the-box OMA-URIs. An OMA-URI can be seen as a registry setting or hive. You can download it here.
Panu Saukko, a good friend and fellow Enterprise Client Management MVP, pointed me in the right direction inside the document on how to reach the goal: blocking a user from un-enrolling their device. Without the golden tip from Panu we would never have succeeded, as there is a typo in the document.
Panu pointed out that, according to pages 133 & 143 of the ‘Windows Phone 8.1 MDM protocol documentation’, the OMA-URI should be:
Again, there is a typo in that document; it should be:
Now that we have found the error in the OMA-URI, let’s show some magic with Compliance Settings, Configuration Items and Configuration Baselines in CM12 R2:
Creating the ‘Configuration Item’ :
1. Go to “Asset & Compliance”, click on “Compliance Settings”, go to “Compliance Items” and create a new Configuration Item as shown below.
2. Give the new Compliance Item the following name: ‘Deny WP8.1 MDM UnEnrollment’ and hit “Next”.
3. Select the checkbox ‘Configure additional settings that are not in the default settings groups’ and click “Next” to continue.
4. In the next window that opens, click the ‘Add’ button.
5. Hit the “Create Setting” tab.
6. Now comes the interesting stuff:
- Name: give the setting a name
- Setting type: OMA-URI
- Data type: Integer
- OMA-URI: ./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment
7. Highlight your recently created ‘Deny MDM Unenrollment’ setting and hit the ‘Select’ button.
8. Now comes the interesting stuff again:
- Rule type: Value
- Value: 0 (0 = un-enrollment not allowed / 1 = un-enrollment allowed)
- Set ‘Remediate noncompliant rules when supported’
- Set the noncompliance severity for reports to ‘Warning’
9. Click “Next” to continue.
10. As this setting is only applicable to Windows Phone, we select only this platform and click ‘Next’ to continue.
11. Click “Next” to continue, until the end.
Once created, you will see something like the screenshot below. After creating the ‘Configuration Item’, we are going to create and deploy the ‘Configuration Baseline’.
Creating the ‘Configuration Baseline’ :
1. Now go to Baselines and create a new ‘Configuration Baseline’.
2. Give the ‘Configuration Baseline’ a name and click “Add” to add your ‘Configuration Item’.
3. Search for your previously created ‘Configuration Item’ and click “Add”.
4. Hit “OK” to continue.
5. Click ‘OK’ to continue.
When created, you will see something similar in your console, as shown in the screenshot below:
Deployment of the ‘Configuration Baseline’ ONLY to the ‘Corporate Owned’ devices :
As we only want to prevent un-enrollment when the ‘device owner’ in CM12 R2 is set to “corporate”, we first need to create a collection that contains only devices set to corporate, as shown below. Devices enrolled using the ConfigMgr 2012/Windows Intune UDM solution can be assigned as either "Company" or "Personal" devices. Note that a device is assigned as Personal by default.
Now that that is done, create a ‘Device collection’ that contains only resources that are ‘Company’ devices. To do that, use the following query, where ‘System Resource – Device Owner’ is set to ‘1’ for ‘Company’ (value 2 is “Personal”).
Now deploy your ‘Compliance baseline – Deny wp8.1 UnEnrollment’ to the collection called ‘All Mobile Devices set as Corporate Owned Devices’.
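The collection and deployment steps above, scripted with the ConfigMgr 2012 R2 PowerShell module. This is an added example, not code from the original post or from Microsoft; the site code ‘PS1’, the limiting collection ‘All Mobile Devices’, the WQL attribute name SMS_R_System.DeviceOwner behind ‘System Resource – Device Owner’, and the Start-CMBaselineDeployment parameters are assumptions, so check them with Get-Command and Get-Help in your own environment. The Configuration Item and the Configuration Baseline are still created in the console as described above; the script only builds the collection and targets the baseline at it.

```powershell
# Added example (not from the original post): build the company-owned collection and
# deploy the baseline to it. Assumptions: site code 'PS1', limiting collection
# 'All Mobile Devices', and SMS_R_System.DeviceOwner (1 = Company, 2 = Personal).

# Load the ConfigMgr cmdlets from the admin console install path and switch to the site drive.
$consoleBin = Split-Path -Parent $env:SMS_ADMIN_UI_PATH
Import-Module (Join-Path $consoleBin 'ConfigurationManager.psd1')
Set-Location 'PS1:'   # assumed site code

$collectionName = 'All Mobile Devices set as Corporate Owned Devices'
$baselineName   = 'Compliance baseline - Deny wp8.1 UnEnrollment'   # baseline created in the console

# WQL membership rule: only resources whose Device Owner is 1 (Company).
# Personal devices (DeviceOwner = 2) and devices with no owner set never match, so the
# un-enrollment block is only ever enforced on corporate-owned phones.
$wql = @"
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from SMS_R_System
where SMS_R_System.DeviceOwner = 1
"@

# Create the collection (limited to the built-in 'All Mobile Devices') if it does not exist yet.
if (-not (Get-CMDeviceCollection -Name $collectionName)) {
    New-CMDeviceCollection -Name $collectionName -LimitingCollectionName 'All Mobile Devices' | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $collectionName `
        -RuleName 'Company-owned devices' -QueryExpression $wql
}

# Deploy the baseline with remediation enabled, so AllowManualMDMUnenrollment = 0 is
# enforced on the phone rather than only reported as non-compliant.
# Start-CMBaselineDeployment is the 2012 R2 cmdlet name (assumed); later branches renamed
# it New-CMBaselineDeployment.
Start-CMBaselineDeployment -BaselineName $baselineName -CollectionName $collectionName `
    -EnableEnforcement $true -Schedule (New-CMSchedule -RecurInterval Days -RecurCount 1)

# Sanity check: list the members so you can confirm only corporate-owned devices are targeted.
Get-CMDevice -CollectionName $collectionName | Select-Object -ExpandProperty Name
```

Run this in an elevated PowerShell session on a machine with the ConfigMgr admin console installed, as a user who has rights to create collections and deploy baselines. The membership check at the end is worth doing before the first deployment, because a mistake in the query (for example matching on value 2) would push the un-enrollment block to personal devices instead.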
The end result:
When the policies come down from Configuration Manager 2012 R2 with Windows Intune to the WP8.1 device and the user tries to un-enroll, the following message is shown:
Hope it helps,
Enterprise Client Management MVP