Enforce Group Policy Settings on Managed Devices

MDM implements Group Policy settings as an extension of the native Group Policy object (GPO) in Active Directory. You must install Group Policy Management Console (GPMC) with SP1, and you install it on the same server on which you installed MDM Administrator Tools.

In the available managed device settings view, any user-modified settings are saved to the Registry.pol file in the GPO. When the GPO is applied, MDM Device Management Server reads the user settings and the device settings and then stores the results. The Active Directory Group Policy (ADGP) Service in MDM Device Management Server translates these results into the Open Mobile Alliance Device Management (OMA DM) XML format that MDM Device Management Server sends over the air (OTA) to the managed Windows Mobile device.
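Because the Registry.pol file inside the GPO is the artifact MDM Device Management Server actually reads, auditing it shows which settings a GPO really carries, independently of what the console displays. The following is an added example, not part of the original page or of MDM, that writes and parses the documented Registry.pol layout (a "PReg" signature, a version DWORD, then `[key;value;type;size;data]` records in UTF-16LE). The registry key and value names in the constructed sample are placeholders, not MDM's real policy keys.

```python
import struct

PREG_SIGNATURE = b"PReg"   # file signature, followed by a little-endian version DWORD
PREG_VERSION = 1
REG_SZ, REG_DWORD = 1, 4   # the two registry value types handled here


def _u16(text):
    """UTF-16LE bytes without a terminator (the file stores all text this way)."""
    return text.encode("utf-16-le")


def encode_entry(key, value, reg_type, data):
    """Build one [key;value;type;size;data] record."""
    if reg_type == REG_DWORD:
        payload = struct.pack("<I", data)
    elif reg_type == REG_SZ:
        payload = _u16(data) + b"\x00\x00"      # REG_SZ data keeps its null terminator
    else:
        raise ValueError(f"unsupported registry type {reg_type}")
    return (_u16("[") + _u16(key) + b"\x00\x00"
            + _u16(";") + _u16(value) + b"\x00\x00"
            + _u16(";") + struct.pack("<I", reg_type)
            + _u16(";") + struct.pack("<I", len(payload))
            + _u16(";") + payload + _u16("]"))


def write_registry_pol(entries):
    """Serialize (key, value, type, data) tuples into a Registry.pol blob."""
    return PREG_SIGNATURE + struct.pack("<I", PREG_VERSION) + b"".join(
        encode_entry(*entry) for entry in entries)


def parse_registry_pol(blob):
    """Parse a Registry.pol blob back into (key, value, type, data) tuples.

    Raises ValueError on a bad signature, version or record framing, which is
    what you want when auditing a file of unknown provenance."""
    if blob[:4] != PREG_SIGNATURE:
        raise ValueError("not a Registry.pol file (bad signature)")
    (version,) = struct.unpack_from("<I", blob, 4)
    if version != PREG_VERSION:
        raise ValueError(f"unexpected Registry.pol version {version}")

    def read_cstr(pos):
        # Walk in 2-byte code units so a stray 0x00 byte inside a character
        # is never mistaken for the terminator.
        end = pos
        while blob[end:end + 2] != b"\x00\x00":
            if end >= len(blob):
                raise ValueError("unterminated string")
            end += 2
        return blob[pos:end].decode("utf-16-le"), end + 2

    def expect(pos, char):
        if blob[pos:pos + 2] != _u16(char):
            raise ValueError(f"expected {char!r} at offset {pos}")
        return pos + 2

    entries, pos = [], 8
    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = read_cstr(pos)
        pos = expect(pos, ";")
        value, pos = read_cstr(pos)
        pos = expect(pos, ";")
        (reg_type,) = struct.unpack_from("<I", blob, pos); pos += 4
        pos = expect(pos, ";")
        (size,) = struct.unpack_from("<I", blob, pos); pos += 4
        pos = expect(pos, ";")
        payload = blob[pos:pos + size]; pos += size
        pos = expect(pos, "]")
        if reg_type == REG_DWORD:
            data = struct.unpack("<I", payload)[0]
        elif reg_type == REG_SZ:
            data = payload.decode("utf-16-le").rstrip("\x00")
        else:
            data = payload                       # unknown type: keep raw bytes
        entries.append((key, value, reg_type, data))
    return entries


def is_valid_pol(blob):
    """True if the blob parses cleanly, False otherwise."""
    try:
        parse_registry_pol(blob)
        return True
    except ValueError:
        return False


# Constructed sample: placeholder key names, not MDM's actual policy paths.
SAMPLE_ENTRIES = [
    ("Software\\Policies\\ExampleVendor\\Camera", "Disabled", REG_DWORD, 1),
    ("Software\\Policies\\ExampleVendor", "Banner", REG_SZ, "Managed device"),
]

if __name__ == "__main__":
    for entry in parse_registry_pol(write_registry_pol(SAMPLE_ENTRIES)):
        print(entry)
```

A round trip through `write_registry_pol` and `parse_registry_pol` is the quickest self-check; pointing `parse_registry_pol` at a real Registry.pol pulled from SYSVOL lists every value the GPO will push, so a setting that appears in the console but not in the file (or the reverse) stands out immediately.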

Managed device Group Policy settings that are specific to MDM are included in three locations in the GPMC snap-in:

  • The user interface (UI) extensions for network connections and certificates are under Windows Mobile Settings in the Computer Configuration section.
  • The MDM settings are under Administrative Templates in both the Computer Configuration and User Configuration sections:
    • MDM Group Policy settings that are related to security considerations, encryption, and device management are under Computer Configuration.
    • MDM Group Policy settings that are related to users are under User Configuration.

By using Group Policy, you can enable or disable many managed device capabilities. For example, you could use Group Policy to disable all cameras as the default setting, and the managed device user cannot override that setting.

To view tables of the features and capabilities you can enable or disable by using MDM, see Security Policies in MDM and Messaging Policies in MDM in MDM Operations at this Microsoft Web page: http://go.microsoft.com/.

For third-party applications, you can use certificates to restrict which applications can install or run on a managed device. MDM includes an application-approved list that in turn references the MDM Group Policy settings for security. Conversely, you can prohibit an application from installing or, if it is already installed, prohibit it from running.

You can prevent applications from running on managed devices by using a Group Policy setting together with a SHA-1/MD5 hash code. MDM Application Hash Code Tool is a command-line tool that generates the SHA-1 hash code that you add to an Allow list in a Group Policy setting to disallow the application from running on the device. To download MDM Application Hash Code Tool, see MDM Server Tools at this Microsoft Web page: http://go.microsoft.com/fwlink/?LinkID=127030.
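The hash-list mechanism above pins a specific build of an application binary: any byte of the file that changes produces a different digest, so a patched or trojaned copy no longer matches the listed value. The following is an added example, not MDM's tool and not code from the page, that computes SHA-1 or MD5 over application files and checks a file against a hash list the way a policy evaluator would. It assumes the list holds plain hex digests of the whole file; whether MDM Application Hash Code Tool hashes exactly that way is not stated on the page, so treat the output here as illustrative rather than as a drop-in replacement for the tool.

```python
import hashlib
import tempfile
from pathlib import Path

# The two algorithms the page says the Group Policy setting can carry.
SUPPORTED_ALGORITHMS = ("sha1", "md5")


def hash_bytes(data, algorithm="sha1"):
    """Lowercase hex digest of an in-memory byte string."""
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm="sha1", chunk_size=1 << 16):
    """Lowercase hex digest of a file, read in chunks so a large installer
    (.cab or .exe) never has to fit in memory at once."""
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_hash_list(paths, algorithm="sha1"):
    """Map each application file name to its digest, the values you would
    paste into the Group Policy setting."""
    return {Path(p).name: hash_file(p, algorithm) for p in paths}


def is_listed(path, hash_list, algorithm="sha1"):
    """True if the file's digest appears in the list. Comparison is
    case-insensitive because digests pasted into a console are often
    uppercase while hashlib emits lowercase."""
    wanted = {h.strip().lower() for h in hash_list}
    return hash_file(path, algorithm) in wanted


def demo():
    """Constructed demonstration: two fake application files in a temporary
    directory, one of which is on the list. Returns the results so they can
    be checked rather than only printed."""
    with tempfile.TemporaryDirectory() as workdir:
        listed_app = Path(workdir) / "listed_app.exe"
        listed_app.write_bytes(b"abc")            # constructed content
        other_app = Path(workdir) / "other_app.exe"
        other_app.write_bytes(b"xyz")             # constructed content
        hash_list = build_hash_list([listed_app])
        return {
            "hash_list": hash_list,
            "listed_app_matches": is_listed(listed_app, hash_list.values()),
            "other_app_matches": is_listed(other_app, hash_list.values()),
            # An uppercase copy of the digest must still match.
            "uppercase_matches": is_listed(
                listed_app, [h.upper() for h in hash_list.values()]),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On a Windows administration host the same digest comes from `Get-FileHash -Algorithm SHA1`, which is a convenient cross-check of whatever the hash tool emits. Keep in mind that a hash list silently stops matching as soon as the vendor ships an update, so the list needs re-generating with every approved release, and that MD5 should be avoided for new lists because collisions for it are practical.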