Black or Whitelist applications on Windows Phone 8.1 with Windows Intune


Do you want to blacklist a specific application from being installed or started on Windows Phone 8.1? Today it’s possible to:

  • Black or whitelist a specific application
  • Black or whitelist a specific vendor

Bear in mind that as of today, we can only do this using Intune UDM (Windows Intune in combination with ConfigMgr).
In this example we will prohibit users from installing or starting a specific app.

Step 1 – Create a new Configuration Item

Create a new Configuration Item and specify a “Name”. Make sure you select “Mobile device” in the drop-down list box. Hit “Next”.


Select “Configure additional settings that are not in the default settings group” and hit “Next”.


In the next dialog, hit “add” followed by “Create setting”.


Enter a descriptive name, select “OMA URI” in the “Setting Type” drop-down list box. 
Select “String” in the “Data Type” drop-down list box. 
In the “OMA-URI” field, copy and paste the following line:

./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions

Hit “OK”.


Search for the setting we just created and hit “Select”.


In the “Create Rule” dialog, make sure that:

  • The “Rule type” is set to “Value”
  • The second drop-down list box contains “Equals”
  • The “the following values” textfield contains the line of XML required to blacklist (or whitelist) the product ID.

In our example, the XML required will be:

<AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy"><Deny><App ProductId="{9168c4f3-217b-4a29-b543-7513bb4ae2ed}" /></Deny></AppPolicy>

Notice the two variables in this line of XML:

  1. <Deny></Deny>
  2. ProductId

You can either blacklist by using “Deny” or whitelist by using “Allow”.

How to find the product ID:

  • Open a browser and navigate to the Windows Phone store
  • Search for the game/application. If you get multiple hits, open the link to the specific game/application.
  • Look at the URL; it contains a GUID. This GUID is the ProductId.
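
The rule value can also be generated instead of typed by hand. The following Python sketch is an added example, not part of the original post or of any Microsoft tooling: it pulls the GUID out of a store URL, normalizes it, and emits the single-line policy in the format shown above. The function names and the sample URL are constructed for illustration, and placing several App elements inside one Deny or Allow block is an assumption that goes beyond the single-app line in the post.

```python
import re
import uuid
import xml.etree.ElementTree as ET

# Namespace and Version copied from the policy line shown in the post.
POLICY_NS = "http://schemas.microsoft.com/phone/2013/policy"
# A GUID that is not embedded in a longer run of hex digits.
GUID_RE = re.compile(
    r"(?<![0-9a-fA-F])[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}(?![0-9a-fA-F])"
)


def normalize_product_id(value):
    """Accept a bare GUID, a braced GUID or a store URL; return '{guid}' in lowercase."""
    match = GUID_RE.search(value)
    if match is None:
        raise ValueError(f"no GUID found in {value!r}")
    return "{" + str(uuid.UUID(match.group(0))) + "}"


def build_app_policy(product_ids, mode="Deny"):
    """Return the single-line XML to paste into the rule's value field."""
    if mode not in ("Allow", "Deny"):
        raise ValueError("mode must be 'Allow' or 'Deny'")
    unique = []
    for raw in product_ids:
        pid = normalize_product_id(raw)
        if pid not in unique:  # drop duplicates, keep first-seen order
            unique.append(pid)
    if not unique:
        raise ValueError("refusing to build a policy with no ProductId")
    # Assumption: several <App> elements may share one <Allow>/<Deny> block.
    apps = "".join(f'<App ProductId="{pid}" />' for pid in unique)
    policy = (
        f'<AppPolicy Version="1" xmlns="{POLICY_NS}">'
        f"<{mode}>{apps}</{mode}></AppPolicy>"
    )
    ET.fromstring(policy)  # raises ParseError if the result is not well-formed
    return policy


if __name__ == "__main__":
    # Constructed store URL (hypothetical host) carrying the GUID used in the post.
    url = "https://store.example.invalid/app/sample/9168C4F3-217B-4A29-B543-7513BB4AE2ED"
    print(build_app_policy([url], mode="Deny"))
```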


After entering the line of XML according to the desired behaviour, select “OK” and “Close”. Afterwards hit “Next”.


Select “Windows Phone 8.1” and hit “Summary”, followed by “Next” and “Close”.


Navigate to “Configuration Baselines”, create a new Baseline and select “add” followed by “Configuration Items”.


Add the Configuration Item we just created and hit “OK”.


Select “Remediate noncompliant rules when supported” and select a collection to target this policy against.


Wait until the policy is applied on the device. You can speed this up by going to “Workplace” on the Windows Phone and pressing the “sync” icon.


Now when browsing the store, users will get a notification and will be unable to install an app. If the app is already installed – users will be unable to start the app.


A big thanks for the great information goes out to my fellow TSP’s Bjorn Axell, Paul Goodson, Dan Andersen and Bob Roudebush.

Please consider leaving a reply in case this post helped you.


Comments (10)

  1. NB says:

    I am working on a white listing policy and the "Company Portal" is being disabled. I cannot find this in the Windows Store to get the ProductID to whitelist it. Any suggestions?

  2. Pwigle says:

    Hi NB, you could consider whitelisting Microsoft Published apps.

  3. NB says:

    Hi Pwigle, that is an option but I am interested in knowing what alternative methods there are of obtaining the ProductID of an application?

  4. Anonymous says:

    My role has previously primarily focused on Microsoft Intune, nowadays it’s more towards our whole Enterprise

  5. Rob J says:

    So is there a way using this method to blacklist the entire app store without disabling it?
    And then to exclusively whitelist approved apps as requested by users.
    I know this can be done with standalone Intune but it doesn’t appear clear if integrated with Config Manager?

  6. MikeDano says:

    The Windows Phone 8.1 SSP APP GUID is 01914a77-09e7-4f01-88d1-099162777f9b

  7. MikeDano says:

    If you have reason to believe the GUID may have changed or you have another .xap you need the guid for, open the WMAppManifest.xml and look for the App ProductID. The one I posted above is from

    http://www.microsoft.com/en-us/download/details.aspx?id=36060

  8. kim says:

    So uh, the store has changed and no longer shows the guid of an app in the url. How do I find the guid then?

  9. The_Prisoner says:

    Great change to the store MS. Now it is no longer possible to whitelist new apps. Just waiting for you to block access to existing whitelisted apps. Other than contacting the publisher, is there a way to get the app guid now?
