Install Workspace ONE UEM SCIM Adapter on Photon OS

Joe Rainone & Matt Williams have created an awesome piece of work called Workspace ONE SCIM Adapter. It has been released as a fling; read more about it here: https://blog.virtualprivateer.com/2019/06/08/ws1-uem-scim-adapter/
In a nutshell, it provides the capability to do SCIM provisioning into Workspace ONE UEM.
This blog post is about installing this component on VMware Photon OS. It is meant to be educational, so no script here :).


Deep Dive – ADMX Ingestion on Windows 10

As I have solved the issue with ingesting the Office16.admx, I thought I would review the whole ingestion process to help understand how it works under the hood and how to manage it.

Since Windows 10 1703, ADMX files can be ingested and processed by the MDM layer via the Policy CSP with the URI:

./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/

For this article, I will use ADMX files that I have created for each situation. The example application is named CamilleApp and is published by the company DebayCorp.


What does “Make Commands Atomic” mean in Workspace ONE UEM?

When you create custom XML for a specific CSP and import it, you have probably wondered what the “Make Commands Atomic” tick box means, especially as it is ticked by default.


Theory

Windows 10 uses the OMA-DM (Open Mobile Alliance Device Management) protocol for MDM. OMA-DM uses the SyncML representation format to pass instructions and stay in sync. SyncML is XML-based, so it is easy to read.

In the SyncML format, Atomic is a container, meaning that it can contain one or more instructions within it.

When you create a custom profile with multiple commands, some commands may fail while others succeed, so you may end up with a half-applied profile. This is where Atomic comes into play: either all the commands succeed, or the whole set fails.

Some CSPs require Atomic in order to be used. The Firewall CSP is one of them: no one wants a half-configured firewall…

Example

Let’s say I want to apply 2 settings, but it’s fine if one of them fails: then I should create 2 profiles, one for each setting.

Now imagine that you need to run an exec command and apply 2 other settings to make a feature work. Atomic is then the “safeguard” that makes sure the exec command runs and the other 2 settings are applied as well; if 1 of them fails, the whole profile fails and no settings are applied.
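
To make the container concrete, here is an added example (not from the original post) of two Firewall CSP settings wrapped in a SyncML Atomic block, so that neither is applied unless both succeed. The CmdID values and the choice of the two DomainProfile settings are constructed for illustration.

```xml
<!-- Added example: constructed SyncML fragment, not taken from the post. -->
<!-- Everything inside <Atomic> is applied as one unit: if either Replace
     fails, the whole block fails and neither setting is kept. -->
<Atomic>
  <CmdID>1</CmdID>

  <!-- Setting 1: turn the firewall on for the domain profile -->
  <Replace>
    <CmdID>2</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">bool</Format>
      </Meta>
      <Data>true</Data>
    </Item>
  </Replace>

  <!-- Setting 2: default inbound action for the same profile (1 = block) -->
  <Replace>
    <CmdID>3</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DefaultInboundAction</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">int</Format>
      </Meta>
      <Data>1</Data>
    </Item>
  </Replace>
</Atomic>
```

Without the Atomic wrapper, the same two Replace commands are processed independently, which is how a profile ends up half-applied when one of them fails.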

How to disable XBOX and HomeGroup services with Workspace ONE UEM

Windows 10 embeds a lot of features, and some consumer features, such as Xbox services and HomeGroup, are available in the enterprise space. This article explains how to block these with UEM.

Since Windows 10 1803, we can change the services' start type using a CSP. This is available for any supported MDM-managed Windows Desktop edition (Pro, Business, Enterprise, Education).

Note: the Xbox Game Monitoring service is missing from the list, but this service depends on Xbox Live Auth Manager, which is going to be disabled, so the service itself won’t be able to start even though its default start type is Manual.
