ConfigMgr 2012 R2 & Windows Intune UDM : How to prevent an “End-User” can un-enroll his “Corporate” Windows Phone 8.1

8:30 pm in 2012R2, 8.1, Compliance Management, configmgr 2012 R2, intune, MDM, OMA-DM, OMA-URI, policy, sccm 2012 R2, UDM, Windows Intune, Windows Intune Extensions, Windows Phone 8.1, WP 8.1 by Kenny Buntinx [MVP]


Scenario:

Last week we had a discussion with a customer during a Windows Intune UDM proof of concept. The customer was willing to order about 3000 corporate-owned Nokia Lumia 630 Windows Phones, and he wanted us to provide the following option: when the ‘device owner’ in CM12 R2 is set to “corporate”, a user must not be able to un-enroll that “corporate” device; only the ConfigMgr 2012 MDM admin should be able to do so.

Although this seemed a logical request to me, it couldn’t be done out of the box with Windows Phone 8 or with Windows Intune. A missed opportunity, I would say. However, with the launch of Windows Phone 8.1 at the Build conference, a new set of OMA-DM management capabilities was added.

At this stage, the writing and testing for this blog post is being done with a developer edition of Windows Phone 8.1. I doubt that these policies will change when it is rolled out as RTM.

Solution to the problem:

First of all, you will need to know what OMA-DM is. OMA-DM is an open standard that Apple, Android and Microsoft are using. All MDM solutions use the OMA-DM API to manage those devices. More information on OMA-DM can be found here.

Together with WP 8.1, Microsoft has released a comprehensive guide called ‘Windows Phone 8.1 MDM protocol documentation’. You will need this guide as a reference to find all the custom, not-so-out-of-the-box OMA-URIs. An OMA-URI can be seen as a registry setting or hive. You can download it here.

Panu Saukko, a good friend and fellow Enterprise Client Management MVP, pointed me in the right direction inside the document on how to reach the goal: blocking a user from un-enrolling their device. Without the golden tip from Panu, we would never have succeeded, as there is a typo in the document.

Panu pointed out that, according to pages 133 and 143 of the ‘Windows Phone 8.1 MDM protocol documentation’, the OMA-URI should be:

./Vendor/MSFT/PolicyManager/My/Experience/AllowManulMDMUnenrollment

Again, there is a typo in that document; it should be:

./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment

Now that we have found the error in the OMA-URI, let’s show some magic with Compliance Settings, Configuration Items and Configuration Baselines in CM12 R2:

Creating the ‘Configuration Item’:

1. Go to “Assets and Compliance”, click on “Compliance Settings”, go to “Configuration Items” and create a new Configuration Item as shown below.

[screenshot]

2. Give the new Configuration Item the following name: ‘Deny WP8.1 MDM UnEnrollment’ and hit “Next”.

[screenshot]

3. Select the checkbox ‘Configure additional settings that are not in the default settings groups’ and click “Next” to continue.

[screenshot]

4. In the next window that opens, click the ‘Add’ button.

[screenshot]

5. Hit the “Create Setting” tab.

[screenshot]

6. Now comes the interesting stuff:

    • Give it a name
    • Setting type: OMA-URI
    • Data type: Integer
    • OMA-URI: ./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment

[screenshot]

7. Highlight your recently created ‘Deny MDM Unenrollment’ setting and hit the ‘Select’ button.

[screenshot]

8. Now comes the interesting stuff again:

    • Rule type: Value
    • Value: 0 (0 = manual un-enrollment not allowed / 1 = un-enrollment allowed)
    • Set ‘Remediate noncompliant rules when supported’
    • Set the noncompliance severity for reports to ‘Warning’

[screenshot]

9. Click “Next” to continue.

[screenshot]

10. As this setting only applies to Windows Phone, select only this platform and click ‘Next’ to continue.

[screenshot]

11. Click “Next” to continue until the end.

[screenshot]

Once created, you will see something like the screenshot below. After creating the ‘Configuration Item’, we are going to create and deploy the ‘Configuration Baseline’.

[screenshot]

Creating the ‘Configuration Baseline’:

1. Now go to “Configuration Baselines” and create a new ‘Configuration Baseline’.

[screenshot]

2. Give the ‘Configuration Baseline’ a name and click “Add” to add your ‘Configuration Item’.

[screenshot]

3. Search for your previously created ‘Configuration Item’ and click “Add”.

[screenshot]

4. Hit “OK” to continue.

[screenshot]

5. Click ‘OK’ to continue.

[screenshot]

When created, you will see something similar in your console, as shown in the screenshot below:

[screenshot]

Deployment of the ‘Configuration Baseline’ ONLY to the ‘Corporate Owned’ devices:

As we only wanted to prevent un-enrollment when the ‘device owner’ in CM12 R2 is set to “corporate”, we first need to create a collection that contains only devices set to corporate, as shown below. Devices enrolled using the ConfigMgr 2012/Windows Intune UDM solution can be assigned as either "Company" or "Personal" devices. Note that a device is assigned to "Personal" by default.

[screenshot]

[screenshot]

Now that that is done, create a ‘Device Collection’ that only contains resources that are ‘Company’ devices. To do that, use a query where ‘System Resource – Device Owner’ is set to ‘1’ for ‘Company’. Value ‘2’ is “Personal”.

[screenshot]
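As an added example (not from the original post), this is the WQL membership query for that device collection, assuming the query builder’s ‘System Resource – Device Owner’ attribute maps to SMS_R_System.DeviceOwner; the select list is the standard one the console generates, and the value 1 is ‘Company’ as stated above:

```sql
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
       SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.DeviceOwner = 1
```

Before deploying the baseline, check the collection’s membership in the console, as the policy will block manual un-enrollment on every device the query returns; devices left at the default “Personal” (value 2) are excluded by the filter.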

Now deploy your ‘Compliance baseline – Deny WP8.1 UnEnrollment’ to the collection called ‘All Mobile Devices set as Corporate Owned Devices’.

The end result:

When the policies come down from Configuration Manager 2012 R2 with Windows Intune to the WP8.1 device and the user tries to un-enroll, the following message is shown:

[screenshot]

Hope it helps,

Kenny Buntinx

Enterprise Client Management MVP