IBM Security MaaS360

Push Custom Windows10 MDM Payloads with MaaS360 Custom OMA Settings

By Prasad Balasubramanian posted Wed August 19, 2020 11:14 AM

  

Microsoft has a history of releasing new custom payloads, or CSPs, for Windows 10 devices with every new release, which makes it a challenge for UEM vendors to keep pace. Though we implement many CSPs through the MaaS360 portal at a rapid pace, customers still might need support for some CSPs that are not yet available through the portal. We’re happy to announce that IBM Security MaaS360 with Watson supports Custom OMA configuration settings to address this gap.

Through this workflow, IT administrators can push CSPs as OMA configuration files to Win10 devices as part of a Windows policy. With this capability, administrators can try out brand new CSPs on the very day they are released, or on the day of any new Win10 release. Welcome to the world of Custom OMA!

Windows 10 custom profiles use Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings to configure different features or settings on Windows 10 devices. These profiles are available only on Windows 10 and use modern management techniques to push the custom settings.

Here is the workflow to push custom OMA settings through MaaS360:

1) Contact IBM Support to enable this feature for your account.

2) Create a custom OMA XML file based on the CSPs that you’re interested in. Custom OMA settings are deployed to devices in the form of these XML files. One XML file can contain one or more CSPs configured inside it. Here’s an example of an XML file for the DevicePasswordEnabled setting of the DeviceLock policy:

<Sequence>
   <CmdID>$CMD_ID$</CmdID>
   <Add>
      <CmdID>DEVICE_PASSWORD_ENABLED</CmdID>
      <Item>
         <Target>
            <LocURI>./Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled</LocURI>
         </Target>
         <Meta>
            <Format xmlns="syncml:metinf">int</Format>
         </Meta>
         <Data>1</Data>
      </Item>
   </Add>
</Sequence>

We suggest that you consult the Microsoft documentation when you are creating these XML files. The Microsoft Windows 10 CSPs for Desktops and Phones, sample code, and supported values are available from the following links:

 
Once you create this XML file, you need to upload it via the policy files workflow in the portal: Security -> Policy -> More -> Policy Files -> Upload Policy Content. Among the options available in the ‘type’ drop-down, select ‘Custom OMA Settings’.

3) Once it’s uploaded, go to Policies -> Your Windows Policy -> Advanced Settings -> custom OMA settings and select the file you uploaded in Step (2) above. If you want to configure any additional settings present in the Windows policy (like passcode, restrictions, VPN, Wi-Fi, Windows Information Protection, etc.), you can configure them in addition to selecting this Custom OMA file. Once the policy settings are fully configured, you can publish the policy.


There are some precautions that one needs to take while pushing Custom OMA:

If a policy setting (CSP) is already implemented in the Windows MDM policy, do not configure this same setting as a custom OMA setting. For example, you configured the Antivirus policy setting Scan Type > Quick Scan. Do not create a custom OMA XML file for the Antivirus policy setting that implements a different configuration, where Scan Type = Full Scan.
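A pre-upload check for the file format from step 2 and for the conflict described above, written as an added example; it is not MaaS360 or IBM code. The function name `lint_custom_oma`, the hand-maintained `portal_managed` list, the accepted verb set, the case-insensitive comparison, and the sample file are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

VERBS = {"Add", "Replace", "Delete"}   # assumption: verbs accepted in a custom OMA file
METINF = "{syncml:metinf}"             # namespace carried by <Format> in the page's samples

def lint_custom_oma(xml_text, portal_managed=()):
    """Return findings for one custom OMA file (an empty list means clean).
    portal_managed: LocURIs already set in the Windows policy UI (hypothetical input)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "Sequence":
        return [f"root element is <{root.tag}>, expected <Sequence>"]
    findings, seen = [], set()
    managed = {u.lower() for u in portal_managed}   # compare case-insensitively (assumption)
    for cmd in root:
        if cmd.tag == "CmdID":
            continue
        if cmd.tag not in VERBS:
            findings.append(f"unexpected command <{cmd.tag}>")
            continue
        for item in cmd.iter("Item"):
            uri = (item.findtext("Target/LocURI") or "").strip()
            if not uri.startswith("./"):
                findings.append(f"<{cmd.tag}>: LocURI missing or not starting with './'")
                continue
            if uri.lower() in managed:
                findings.append(f"{uri}: already set by the portal policy")
            if uri.lower() in seen:
                findings.append(f"{uri}: configured twice in this file")
            seen.add(uri.lower())
            fmt = (item.findtext(f"Meta/{METINF}Format") or "").strip()
            data = (item.findtext("Data") or "").strip()
            if fmt == "int" and not data.lstrip("-").isdigit():
                findings.append(f"{uri}: Format is int but Data is {data!r}")
    return findings

# Constructed sample: a setting the portal policy already manages, with non-integer Data.
SAMPLE = """<Sequence><CmdID>$CMD_ID$</CmdID>
<Add><CmdID>DEVICE_PASSWORD_ENABLED</CmdID><Item>
<Target><LocURI>./Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled</LocURI></Target>
<Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>yes</Data>
</Item></Add></Sequence>"""
MANAGED = {"./Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled"}

if __name__ == "__main__":
    for finding in lint_custom_oma(SAMPLE, MANAGED):
        print(finding)
```
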

After publishing the policy, you can distribute it to a device or a group. The custom OMA XML file that was uploaded as part of this policy will be pushed to the Windows 10 endpoints, and the settings it contains will be applied to the device.

MaaS360 also supports the removal of any custom OMA settings that were pushed. The only difference is that, for the same XML, some tags need to be changed to ‘Delete’. Here is a sample XML file for delete:

<Sequence>
   <CmdID>$CMD_ID$</CmdID>
   <Delete>
      <CmdID>DEVICE_PASSWORD_ENABLED</CmdID>
      <Item>
         <Target>
            <LocURI>./Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled</LocURI>
         </Target>
         <Meta>
            <Format xmlns="syncml:metinf">int</Format>
         </Meta>
         <Data>0</Data>
      </Item>
   </Delete>
</Sequence>
  

Once you distribute the policy with this delete XML file, the respective Custom OMA settings will be removed on the devices.

This feature will come as a relief to many administrators, as they now have a way to try out new CSPs on test devices right on the day a CSP, a new version of Win10, or new hardware is released.

MaaS360 offers similar support for MAC. ‘Import MobileConfig’  is under MAC Policy -> Advanced Settings. I’ll write about this in the future. 

We hope you try this out and will let us know if you have any comments or feedback. You can post a query in the forum or write to us. As always, we’ll be happy to answer.

