Using the custom OMA settings policy to push ADMX-backed policies to Windows devices
MaaS360® provides a new workflow where administrators can use custom OMA XML configuration files as part of the Windows policy to push Group Policy administrative templates (ADMX-backed policies) to Windows 10 devices. This feature is supported on Windows 10 version 1703 and later.
About Open Mobile Alliance Uniform Resource Identifier (OMA-URI)
Windows 10 custom profiles use Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings to configure different features that are used by mobile device manufacturers to control features on a device.
The MaaS360 Custom OMA policy includes many built-in settings that allow you to control different features on devices in your organization. Use this policy when you want to use device settings and features that are not built in to the Windows MDM policy. For more information about the MaaS360 custom OMA settings policy, see Custom OMA settings.
About ADMX-backed policies (administrative templates)
An ADMX-backed policy, also referred to as an administrative template, specifies the registry keys (and their values) that are associated with a Group Policy and defines the Windows settings that are managed by the policy. Group Policy settings are defined in a standard XML file format known as an ADMX file. ADMX files can either describe operating system (OS) Group Policies that are shipped with Windows or they can describe application settings that are separate from the operating system and are downloaded and installed on a Windows device.
For more information about ADMX-backed policies, see Understanding ADMX-backed policies at https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies.
Example of using a custom OMA configuration file to deliver an ADMX-backed policy (AppVirtualization/PublishingAllowServer2) to Windows 10 devices
The PublishingAllowServer2 ADMX policy contains descriptions of each policy setting that is possible through that policy area and also specific information about that particular ADMX. The ADMX information for PublishingAllowServer2 is as follows:
- GP English name: Publishing Server 2 Settings
- GP name: Publishing_Server2_Policy
- GP path: System/App-V/Publishing
- GP ADMX file name: appv.admx
- Locate the appv.admx file at C:/Windows/PolicyDefinitions. (If the file is missing from that folder, you can download the administrative template from Administrative Templates (.admx) for Windows 10 at https://www.microsoft.com/en-in/download/details.aspx?id=48257.)
- In the appv.admx file, search for the GP name Publishing_Server2_Policy. The XML version of the PublishingAllowServer2 policy:

    <policy name="Publishing_Server2_Policy" class="Machine"
            displayName="$(string.PublishingServer2)"
            explainText="$(string.Publishing_Server_Help)"
            presentation="$(presentation.Publishing_Server2)"
            key="SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\2">
      <parentCategory ref="CAT_Publishing" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <elements>
        <text id="Publishing_Server2_Name_Prompt" valueName="Name" required="true"/>
        <text id="Publishing_Server_URL_Prompt" valueName="URL" required="true"/>
        <enum id="Global_Publishing_Refresh_Options" valueName="GlobalEnabled">
          <item displayName="$(string.False)"><value><decimal value="0"/></value></item>
          <item displayName="$(string.True)"><value><decimal value="1"/></value></item>
        </enum>
        <enum id="Global_Refresh_OnLogon_Options" valueName="GlobalLogonRefresh">
          <item displayName="$(string.False)"><value><decimal value="0"/></value></item>
          <item displayName="$(string.True)"><value><decimal value="1"/></value></item>
        </enum>
        <decimal id="Global_Refresh_Interval_Prompt" valueName="GlobalPeriodicRefreshInterval" minValue="0" maxValue="31"/>
        <enum id="Global_Refresh_Unit_Options" valueName="GlobalPeriodicRefreshIntervalUnit">
          <item displayName="$(string.Hour)"><value><decimal value="0"/></value></item>
          <item displayName="$(string.Day)"><value><decimal value="1"/></value></item>
        </enum>
        <enum id="User_Publishing_Refresh_Options" valueName="UserEnabled">
          <item displayName="$(string.False)"><value><decimal value="0"/></value></item>
          <item displayName="$(string.True)"><value><decimal value="1"/></value></item>
        </enum>
        <enum id="User_Refresh_OnLogon_Options" valueName="UserLogonRefresh">
          <item displayName="$(string.False)"><value><decimal value="0"/></value></item>
          <item displayName="$(string.True)"><value><decimal value="1"/></value></item>
        </enum>
        <decimal id="User_Refresh_Interval_Prompt" valueName="UserPeriodicRefreshInterval" minValue="0" maxValue="31"/>
        <enum id="User_Refresh_Unit_Options" valueName="UserPeriodicRefreshIntervalUnit">
          <item displayName="$(string.Hour)"><value><decimal value="0"/></value></item>
          <item displayName="$(string.Day)"><value><decimal value="1"/></value></item>
        </enum>
      </elements>
    </policy>

There are also different types of data that you must set such as decimal and text. For more information about how to set values for these types of data, see Understanding ADMX-backed policies at https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies.
Windows maps the name and the category path of a Group Policy to an MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, .\[device|user]\vendor\msft\policy\[config|result]\<area>\<policy>, this metadata is referenced and determines which registry keys are set or removed.
For the PublishingAllowServer2 example, policy area = AppVirtualization and policy = PublishingAllowServer2. The LocURI is ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2.
- To set values for PublishingAllowServer2, form a SyncML XML file with the following required values:

    <enabled/>
    <data id="Publishing_Server2_Name_Prompt" value="Name"/>
    <data id="Publishing_Server_URL_Prompt" value="http://someuri"/>
    <data id="Global_Publishing_Refresh_Options" value="1"/>
    <data id="Global_Refresh_OnLogon_Options" value="0"/>
    <data id="Global_Refresh_Interval_Prompt" value="15"/>
    <data id="Global_Refresh_Unit_Options" value="0"/>
    <data id="User_Publishing_Refresh_Options" value="0"/>
    <data id="User_Refresh_OnLogon_Options" value="0"/>
    <data id="User_Refresh_Interval_Prompt" value="15"/>
    <data id="User_Refresh_Unit_Options" value="1"/>

The enabled setting indicates that you are setting the values.
Based on the SyncML XML values in the previous example, the Custom OMA SyncML file for PublishingAllowServer2 uses the following values:

    <Sequence>
      <CmdID>$CMD_ID$</CmdID>
      <Replace>
        <CmdID>test_AppVirtualization_PublishingAllowServer2</CmdID>
        <Item>
          <Meta>
            <Format>chr</Format>
            <Type>text/plain</Type>
          </Meta>
          <Target>
            <LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
          </Target>
          <Data><![CDATA[<enabled/><data id="Publishing_Server2_Name_Prompt" value="name prompt"/><data id="Publishing_Server_URL_Prompt" value="URL prompt"/><data id="Global_Publishing_Refresh_Options" value="1"/><data id="Global_Refresh_OnLogon_Options" value="0"/><data id="Global_Refresh_Interval_Prompt" value="15"/><data id="Global_Refresh_Unit_Options" value="0"/><data id="User_Publishing_Refresh_Options" value="0"/><data id="User_Refresh_OnLogon_Options" value="0"/><data id="User_Refresh_Interval_Prompt" value="15"/><data id="User_Refresh_Unit_Options" value="1"/>]]></Data>
        </Item>
      </Replace>
    </Sequence>

If you want to delete this policy, use the following code in the <Data> parameter, and also delete the registry key:

    <Data><![CDATA[<disabled/>]]></Data>

- Upload the content of the Custom OMA SyncML file to the MaaS360 Portal using the custom OMA settings policy. Go to .
- From the Policies page, select a Windows MDM policy. Go to and select the file that you updated in step 3.
- Click Save and Publish.
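
Before uploading the file, the `<data>` values formed in step 3 can be checked against the element definitions found in step 2, so that a mistyped id or an out-of-range value is caught before the policy is published. The following is an added example, not MaaS360 or Microsoft code: the function names are hypothetical, the ADMX excerpt is constructed from three of the policy's elements shown above, and every element is treated as required, as in the step 3 list.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of the Publishing_Server2_Policy definition shown on this
# page (three of its ten elements), not the full appv.admx file.
# allowed_values / validate_payload are names chosen for this example.
ADMX_POLICY = """
<policy name="Publishing_Server2_Policy" class="Machine">
  <elements>
    <text id="Publishing_Server2_Name_Prompt" valueName="Name" required="true"/>
    <enum id="Global_Publishing_Refresh_Options" valueName="GlobalEnabled">
      <item><value><decimal value="0"/></value></item>
      <item><value><decimal value="1"/></value></item>
    </enum>
    <decimal id="Global_Refresh_Interval_Prompt"
             valueName="GlobalPeriodicRefreshInterval" minValue="0" maxValue="31"/>
  </elements>
</policy>
"""

def allowed_values(policy_xml):
    """Map each element id to a predicate that accepts a payload value."""
    rules = {}
    for el in ET.fromstring(policy_xml).find("elements"):
        if el.tag == "text":
            rules[el.get("id")] = lambda v: v != ""
        elif el.tag == "enum":
            ok = {d.get("value") for d in el.iter("decimal")}
            rules[el.get("id")] = lambda v, ok=ok: v in ok
        elif el.tag == "decimal":
            lo, hi = int(el.get("minValue")), int(el.get("maxValue"))
            rules[el.get("id")] = lambda v, lo=lo, hi=hi: v.isdigit() and lo <= int(v) <= hi
    return rules

def validate_payload(policy_xml, payload):
    """Return a list of problems in a Policy CSP <Data> payload; empty means OK."""
    rules = allowed_values(policy_xml)
    root = ET.fromstring(f"<p>{payload}</p>")  # payload is a fragment, so wrap it
    if root.find("enabled") is None:
        return ["payload has no <enabled/> element"]
    problems, seen = [], set()
    for d in root.findall("data"):
        pid, val = d.get("id"), d.get("value", "")
        seen.add(pid)
        if pid not in rules:
            problems.append(f"unknown id: {pid}")
        elif not rules[pid](val):
            problems.append(f"bad value for {pid}: {val!r}")
    problems += [f"missing id: {i}" for i in rules if i not in seen]
    return problems
```

Real .admx files declare an XML namespace on the root element, so running this against a full appv.admx requires namespace-qualified tag names in the lookups.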