Tuesday 9 December 2014

Blacklist applications on mobile devices with Microsoft Intune

Back to Microsoft Intune menu

This has also been an eagerly awaited feature in Microsoft Intune. Now we can blacklist and whitelist applications that can be installed on mobile devices.

The following levels of support are available:

Windows Phone 8.1 or later: you can specify blocked applications or you can specify only applications that can be installed. The user will not be able to install blocked applications.

Android 4 or later: you can specify a list of applications that are compliant (or not compliant). Non- compliant applications can still be installed but will be reported as non-compliant in the Noncompliant Apps Report.

iOS: you can specify a list of applications that are compliant (or not compliant). Non- compliant applications can still be installed but will be reported as non-compliant in the Noncompliant Apps Report.

Lets have a look at a managed Windows Phone 8.1 device. The blacklisting/whitelisting works really well.

First we have to create the policy. Navigate to  Policy > Configuration Policies.


Click to Add a new policy and choose Windows > Windows Phone Configuration Policy. Note that is states Windows Phone 8.1 or later). Select "Create Policy".


In this case I want to blacklist all applications (except a single store app - Adobe Reader). Click to Add the app.


Enter the details.


Now Save the policy.


You are prompted to deploy the policy.


You can target a group of users or devices with this policy.

Now let's see what happens on the device.


I haven't enrolled it yet so I have to add a workplace account. After entering my details the device will be enrolled.


This is evidence that the Intune policy has been received. I have to password protect the device (I configured this earlier in the general Intune policy).


Now when I open the Windows Store I can search for Adobe Reader. See that I am allowed to install this app.


I am unable to install any other app. We get the message "The app is not available for your device. Tap here for more info."


This is the "more info". Pretty cool I think.

Note that this feature is currently available in the standalone Intune only. It is not yet available in the unified SCCM 2012/Intune solution (you can use OMA-URI for this but it is a little cumbersome).


References:

Manage devices using configuration policies with Microsoft Intune

http://technet.microsoft.com/en-US/library/dn818906.aspx







1 comment: