EnterpriseModernAppManagement CSP - am I understanding this correctly?

    Question

  • Hi guys,

    Here's my scenario.  I've got a bunch of users who are 100% cloud based. They buy retail Windows 10 1703 machines, power them up, pick the "this device belongs to my organization", punch in their email address, they login and let the machine sit there.  After a few minutes, Intune starts provisioning the machine with apps, compliance policy etc.

    I want to remove (or hide) some of the built-in applications like Xbox, Office Hub, Skype Preview, built-in mail and calendar apps.

    I found a powershell script here: https://social.technet.microsoft.com/Forums/en-US/9c4cac17-1893-49c5-9b30-a6c31ca6e2f9/windows-10-builtin-app-uninstall-for-allusers?forum=win10itprogeneral. I converted it to an MSI, but I've found it's hit and miss.  Sometimes it works, sometimes it doesn't. 

    Trying to find another way to uninstall these apps, I came across the EnterpriseModernAppManagement CSP. Now either I don't understand how to use it, or there's a problem with the examples they've provided - this is where I'd like some help.

    For reference here is the CSP info page: https://docs.microsoft.com/en-us/windows/client-management/mdm/enterprisemodernappmanagement-csp

    My understanding is... to use this CSP, in Intune I go to the following..

    Device Compliance -> Profiles -> Create Profile -> Windows 10 & Later -> Custom and here I can add my OMA-URI settings.

    From here I enter the OMA-URI of ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/RemovePackage

    For data type I pick String (XML File)

    Then I upload an XML file (which I made by copying the example on that page) - and it looks like this...

    <Exec>
       <CmdID>10</CmdID>
       <Item>
          <Target>
             <LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/RemovePackage</LocURI>
          </Target>
          <Meta><Format xmlns="syncml:metinf">xml</Format></Meta>
          <Data>
              <!-- attribute values must be quoted: RemoveForAllUsers=1 without quotes is not well-formed XML -->
              <Package Name="Microsoft.XboxApp_33.34.30002.0_x64__8wekyb3d8bbwe" RemoveForAllUsers="1" />
          </Data>
       </Item>
    </Exec>

    ^that package name is the name I got from the PackageFullName field when doing get-appxpackage Microsoft.XboxApp in powershell.

    I click OK (obviously filling in all the mandatory fields like Name etc), and when I go to create my profile - it says it failed to save the profile.  In my notifications I get a message about "XML must be well formed".   So obviously it's not liking the XML file.

    My questions are...

    1. Is what I'm doing even possible through this method?

    2. If so... am I doing it the right way, or am I totally misunderstanding how this works?

    3. I copied the XML data verbatim from the CSP page - is it me? Or is the example given not correct? (btw there are also typos on the page and grammatical errors too - so I wouldn't be surprised if the example given is not entirely accurate).

    4. If this can be done, and I am doing it the right way - can anybody tell me what's wrong with my XML?


    http://www.dreamension.net
    Thursday, November 09, 2017 12:37 PM
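One way to generate the RemovePackage value and check it is well-formed before uploading it, as an added example that is not part of the original thread. It assumes the package full names are resolved with Get-AppxPackage on a reference 1703 machine from an elevated session, and that the custom OMA-URI value is the `<Package>` element(s) only, since the SyncML `<Exec>` framing shown in the CSP docs is generated by the MDM server rather than supplied by the admin.

```powershell
# Added example, not from the thread: build the RemovePackage value for an
# Intune custom OMA-URI setting and check it is well-formed before uploading.
# Assumption: package full names are resolved with Get-AppxPackage on a
# reference Windows 10 1703 machine, run from an elevated session.

function Test-XmlFragment {
    # Returns $true when $Xml parses; Fragment conformance allows several
    # top-level <Package> elements without an artificial root element.
    param([Parameter(Mandatory)][string]$Xml)
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.ConformanceLevel = [System.Xml.ConformanceLevel]::Fragment
    $reader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $Xml), $settings)
    try     { while ($reader.Read()) { }; return $true }
    catch   { Write-Warning $_.Exception.Message; return $false }
    finally { $reader.Dispose() }
}

# The line from the thread: the unquoted attribute value makes it ill-formed,
# which is what Intune reports as "XML must be well formed" when saving.
Test-XmlFragment '<Package Name="Microsoft.XboxApp_33.34.30002.0_x64__8wekyb3d8bbwe" RemoveForAllUsers=1 />'

# Apps to remove, by the Name shown in Get-AppxPackage output.
$appNames = 'Microsoft.XboxApp', 'Microsoft.MicrosoftOfficeHub', 'Microsoft.SkypeApp'

$elements = foreach ($name in $appNames) {
    Get-AppxPackage -AllUsers -Name $name -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty PackageFullName -Unique |
        ForEach-Object {
            # Quote every attribute and escape the value so the output is always well-formed.
            '<Package Name="{0}" RemoveForAllUsers="1" />' -f [System.Security.SecurityElement]::Escape($_)
        }
}
$value = $elements -join "`r`n"

if (Test-XmlFragment $value) {
    # The content of this file is what goes into the String (XML file) setting.
    Set-Content -Path .\RemovePackage.xml -Value $value -Encoding UTF8
    "Wrote {0} <Package> element(s) to RemovePackage.xml" -f @($elements).Count
} else {
    Write-Error 'Generated payload is not well-formed; nothing written.'
}
```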

Answers

  • Ok just thought I would provide an update to this.  Whilst I didn't work out how to "uninstall" or "hide" the icons - I worked out how to do the next best thing (or maybe the better option).

    I was able to use the AppLocker CSP to block the app from ever running.  Sure the application is still installed and the icon is still there, but the user can't run it and lead themselves astray.

    I found a great article to follow here: https://www.petervanderwoude.nl/post/managing-applocker-on-windows-10-via-oma-dm/ - and I just set that up to block all the out of the box apps I didn't want.  This is the end result - which for me is just as good.


    http://www.dreamension.net

    Sunday, November 12, 2017 6:28 AM

All replies

  • I don't have an explicit comment here on the technical aspect of what you are trying to do but I have a comment on your goal as it simply doesn't align with the whole point of modern management. Modern management is not about micro-managing your users' systems. It's about empowering them by giving them what they need to be productive and protecting the organization's data. Anything else is just extra time and cost with no value. If you trust your users to buy a computer at Best Buy (or wherever) why don't you trust them with a couple of extraneous, totally non-harmful apps -- that's a contradiction that doesn't compute.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, November 09, 2017 5:37 PM
  • Thanks for your reply Jason, and I totally agree with you. 

    My customer does have a business reason for (at least hiding) these apps though, and it is to reduce confusion and ultimately after hours support costs.  Head Office (and support) is based in Australia but is not manned 24x7 - well it is, but it goes to an on-call person outside of business hours.

    All the users who are being instructed to purchase (and expense back) retail Win10 devices are from all over the world across many different countries and time zones and internet link speeds.  They are all coming from Windows 7 (as a corporate device), and all have various levels of technical capability.  Some are already familiar with Windows 10, some have never seen it before.

    Sure enough when the device is provisioned they'll have Office 2016, Skype for Business etc.  But given everyone's different technical savviness, there are icons presented front and center on the start menu that could confuse users.  e.g. Someone sees the "Mail" app and tries to add their corporate mail to it.  Or clicks the "Get Office" icon thinking they need to get office themselves.  Or....sees "Skype" (thinking it's Skype for Business) and can't log in.  This then triggers a support call which hits Australia out of business hours.   Repeat this 20-30 times and it's suddenly a massive cost to the business (the service desk is handled by a managed service provider).

    Of course there are solutions to all the issues I mentioned (better support contracts, user training and detailed step by step instructions, setting expectation on how long things will take to provision etc) - but there will always be people who don't read the instructions, or English is their second (or third) language and maybe don't fully understand the instructions etc.

    So as a business decision, the (easiest) option is just to remove the icon (or uninstall the app - either way it's the same result), so at the point in time where the user has just logged in and is still waiting for their stuff to come down, and they're poking around - they don't lead themselves astray by trying to configure something that's not meant to be there.  (And yep, I realise that the icon won't disappear until the policy is applied - but policy does get applied fairly quickly, so it should reduce the likelihood of the user leading themselves astray).

    Sorry, that response was way longer than it probably had to be - but I just wanted to make it clear that I get it (the modern management story), but there is a business reason behind this request.


    http://www.dreamension.net
    Thursday, November 09, 2017 11:02 PM

  • Jason | https://home.configmgrftw.com | @jasonsandys

    Friday, November 10, 2017 2:22 AM
  • Hi Noel,

    Your question was a very relevant one and I also struggled to achieve the same goal.

    My solution for this was to do the Application deployment with "Uninstall" Assignment type for each built-in app I wanted to remove. So

    1. Add the "Get Office" or whatever app you want to remove to Intune App (I personally added the App to Windows Store for Business first and synced to Intune but directly adding should probably work too)

    2. Create Assignment for the Application with "Uninstall" type and target it to desired users

    The benefit here is that the Application icons will also vanish with this method.


    Monday, November 13, 2017 10:16 AM
  • Oh wow.... that's brilliant!  I never thought of doing it that way.  That's awesome!  I'll give that a try.

    Thanks Jack!


    http://www.dreamension.net

    Monday, November 13, 2017 11:57 AM