Joe Rainone & Matt Williams have created an awesome piece of work called Workspace ONE SCIM Adapter, it has been released as a fling, read more about here: https://blog.virtualprivateer.com/2019/06/08/ws1-uem-scim-adapter/
In a nutshell, it provides capability to do SCIM provisioning into Workspace ONE UEM.
This blog post is about installing this component on VMware Photon OS, it is meant to be educational so no script here :).
Deep Dive – ADMX Ingestion on Windows 10
As I have solved the issue on ingesting the Office16.admx, I thought I would review the whole ingestion process to help understand how it works under the hood and how to manage it.
Since Windows 10 1703, ADMX can be ingested and processed by the MDM layer via the policy CSP with the URI
./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/For this article, I will use ADMX files that I have created for each situation. The name of the example application is CamilleApp and published by DebayCorp company.
Continue readingMDM, EAS Profile and ActiveSync Policies
Back in the past to secure mobile devices, ActiveSync allow to apply some policies around passcode and other security settings.
While we can deploy EAS profile on the Windows Mail client, it will behave the same way as an EAS client even if the profile is installed by a MDM server.
Mobile SSO iOS and Bundle ID: the Wildcard option
When we configure Mobile SSO on iOS with VMware Identity Manager, the documentation indicate that, you have to list the applications bundle IDs that will do Mobile SSO, however sometime it can be cumbersome to every single one of them.
Application installation in Workspace ONE UEM, do you need admin rights ?
One of the thing that come back often is: do I need admin rights or not ?!. While most of the people will think that this question can only be asked for a user context, it is not true and this apply to device context too.
What “Make Commands Atomic” means in Workspace ONE UEM?
When you are creating custom xml for specific CSP and import it, you probably wondered what “Make Commands Atomic” tick box means, especially as it is ticked by default.
Theory
Windows 10 use OMA-DM (Open Mobile Alliance-Device Management) protocol for MDM, the OMA-DM protocol use the SyncML representation protocol format to pass instructions and stay in sync, SyncML is XML-based so easy to read.
In the SyncML format, Atomic is a container attribute, this mean that it can contain 1 or more instructions within it.
When you create a custom profile with multiple command, some command may fail, some other may succeed, so you may end up with a profile half-applied. This is where Atomic attribute come in play, it validate that all the command succeed or it will fail entirely.
Some CSPs require to use atomic in order to be used, Firewall CSP is one of them, no one want a firewall half-configured…
Example
Let’s say I want to apply 2 settings but it’s fine if one of them is failing then I should create 2 profile for each settings.
Now imagine that you need to run an exec command, apply 2 other settings to make a feature working then Atomic is the “safeguard” to make sure that the exec command run and the other 2 settings are applied as well otherwise if 1 fail the whole profile fail and no settings are applied.
How to disable XBOX and HomeGroup services with Workspace ONE UEM
Since Windows 10 embedded a lot of feature some consumer feature are available in the enterprise space like Xbox services and Homegroup, this article explain how do we block these with UEM.
Since Windows 10 1803, we can change the services start type using CSP. This available for any support MDM managed Windows Desktop, (Pro, Business, Enterprise, Education)
Note : Xbox Game Monitoring service is missing from the list but this service depends on Xbox Live Auth Manager and this one is going to be disabled so the service itself won’t be able to start even if the by default the start is on Manual.
