MDM implements its Group Policy settings as an extension of the native Active Directory® Group Policy object (GPO). Group Policy Management Console (GPMC) with SP1 is a required component: install GPMC on the same server on which you installed MDM Administrator Tools.
In the available managed device settings view, any user-modified settings are saved to the Registry.pol file in the GPO. When the GPO is applied, MDM Device Management Server reads the user settings and the device settings and then stores the results. The Active Directory Group Policy (ADGP) Service in MDM Device Management Server translates these results into the OMA DM XML format that MDM Device Management Server sends over the air (OTA) to the managed Windows Mobile device.
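As an added example (written for this page, not MDM's own code), the following Python script builds and parses a Registry.pol file of the kind that stores the user-modified GPO settings described above. The signature ("PReg", version 1) and the `[key;value;type;size;data]` entry layout with UTF-16LE strings and delimiters follow the documented Registry.pol format; the registry key path, value names and data in the sample are constructed placeholders, not MDM's real policy keys. A parser like this lets an administrator audit what a GPO actually carries before it is translated and pushed to devices.

```python
import struct

# Registry value types used below (standard Windows registry type codes).
REG_SZ = 1
REG_DWORD = 4

# Delimiters in Registry.pol are UTF-16LE characters, not single ASCII bytes.
OPEN = "[".encode("utf-16-le")
SEP = ";".encode("utf-16-le")
CLOSE = "]".encode("utf-16-le")


def _wstr(s):
    """Null-terminated UTF-16LE string, as stored in Registry.pol."""
    return (s + "\x00").encode("utf-16-le")


def build_registry_pol(entries):
    """Serialize (key, value_name, type, data) tuples into a Registry.pol blob."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))  # signature + version 1
    for key, value, vtype, data in entries:
        if vtype == REG_DWORD:
            raw = struct.pack("<I", data)
        elif vtype == REG_SZ:
            raw = _wstr(data)
        else:
            raise ValueError("unsupported registry type %d" % vtype)
        out += OPEN + _wstr(key) + SEP + _wstr(value) + SEP
        out += struct.pack("<I", vtype) + SEP + struct.pack("<I", len(raw)) + SEP
        out += raw + CLOSE
    return bytes(out)


def parse_registry_pol(blob):
    """Parse a Registry.pol blob into a list of (key, value_name, type, data)."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 Registry.pol file")

    def expect(pos, delim):
        # Every delimiter is a 2-byte UTF-16LE code unit.
        if blob[pos:pos + 2] != delim:
            raise ValueError("malformed entry at offset %d" % pos)
        return pos + 2

    def read_wstr(pos):
        # Scan in 2-byte code units so a stray 0x00 inside a character is not a terminator.
        end = pos
        while True:
            if end + 2 > len(blob):
                raise ValueError("unterminated string at offset %d" % pos)
            if blob[end:end + 2] == b"\x00\x00":
                break
            end += 2
        return blob[pos:end].decode("utf-16-le"), end + 2

    entries = []
    pos = 8
    while pos < len(blob):
        pos = expect(pos, OPEN)
        key, pos = read_wstr(pos)
        pos = expect(pos, SEP)
        value, pos = read_wstr(pos)
        pos = expect(pos, SEP)
        vtype = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, SEP)
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, SEP)
        raw = blob[pos:pos + size]
        pos = expect(pos + size, CLOSE)
        if vtype == REG_DWORD:
            data = struct.unpack("<I", raw)[0]
        elif vtype == REG_SZ:
            data = raw.decode("utf-16-le").rstrip("\x00")
        else:
            data = raw  # unknown types are left as raw bytes
        entries.append((key, value, vtype, data))
    return entries


def lookup(entries, key, value):
    """Return the data for one policy value, or None if the GPO does not set it (registry names are case-insensitive)."""
    for k, v, _vtype, data in entries:
        if k.lower() == key.lower() and v.lower() == value.lower():
            return data
    return None


# Constructed sample: the key path and value names are illustrative, not MDM's real ones.
SAMPLE_ENTRIES = [
    ("Software\\Policies\\Example\\MobileDevice", "DisableCamera", REG_DWORD, 1),
    ("Software\\Policies\\Example\\MobileDevice", "ProxyServer", REG_SZ, "proxy.example.invalid:8080"),
]

if __name__ == "__main__":
    blob = build_registry_pol(SAMPLE_ENTRIES)
    for entry in parse_registry_pol(blob):
        print(entry)
```

Reading the file directly is useful when checking which settings a GPO will push: a value that is absent from Registry.pol is "not configured", which is a different state from a value explicitly set to 0.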
Managed device Group Policy settings that are specific to MDM are included in three locations in the GPMC snap-in:
- The user interface (UI) extensions for network connections and certificates are under Windows Mobile Settings in the
- The MDM settings are under Administrative Templates in both the
- MDM Group Policy settings that are related to security considerations, encryption, and device management are under Computer Configuration.
- MDM Group Policy settings that are related to users are under
Managed Device Features
By using Group Policy, you can enable or disable many managed device capabilities. For example, you could use Group Policy to disable all cameras as a default setting, and the managed device user cannot override this setting.
To view tables of the features and capabilities you can enable or disable by using MDM, see Policies in MDM and Policies in MDM in MDM Operations at this Microsoft Web page:
Blocked and Safe Programs
For third-party applications, you can use certificates to restrict which applications can be installed or run on a managed device. MDM includes an application-approved list that in turn references the MDM Group Policy security settings. Conversely, you can prohibit an application from installing or, if it is already installed, prohibit it from running.
You can prevent applications from running on managed devices by using a Group Policy setting together with a SHA-1/MD5 hash code. MDM Application Hash Code Tool is a command-line tool that generates the SHA1 hash code that you add to an Allow list in a Group Policy setting to disallow the application from running on the device. To download MDM Application Hash Code Tool, see MDM Server Tools at this Microsoft Web page:
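As an added illustration of how a hash-based application list behaves (example code written for this page, not MDM Application Hash Code Tool or MDM's list format), the following Python script hashes a few constructed stand-in binaries and checks them against allow and block sets. The file names, the sample bytes and the block-before-allow precedence are assumptions. It shows the two properties an administrator relies on: renaming a blocked binary does not change its hash, and every new build of an approved application needs a fresh hash before it matches the list again.

```python
import hashlib


def sha1_hex(data):
    """SHA-1 of the file contents; the policy keys on content, never on the file name."""
    return hashlib.sha1(data).hexdigest()


def evaluate(file_bytes, allow_hashes, block_hashes):
    """Decide whether an application may run.

    Assumed precedence: a hash on the block list always wins; otherwise the
    hash must be on the allow list; anything else is reported as unknown so
    it can be reviewed rather than silently permitted.
    """
    digest = sha1_hex(file_bytes)
    if digest in block_hashes:
        return "blocked"
    if digest in allow_hashes:
        return "allowed"
    return "unknown"


def audit(files, allow_hashes, block_hashes):
    """Evaluate a batch of (name, bytes) pairs and return name -> verdict."""
    return {name: evaluate(data, allow_hashes, block_hashes) for name, data in files}


# Constructed stand-ins for application binaries; the bytes are arbitrary.
APPROVED_APP = b"MZ\x90\x00approved-line-of-business-app-v1"
FORBIDDEN_APP = b"MZ\x90\x00forbidden-app-v1"
APPROVED_APP_V2 = APPROVED_APP + b"-patched"  # a new build: same purpose, different bytes

ALLOW = {sha1_hex(APPROVED_APP)}
BLOCK = {sha1_hex(FORBIDDEN_APP)}

SAMPLE_FILES = [
    ("lob.exe", APPROVED_APP),
    ("forbidden.exe", FORBIDDEN_APP),
    ("notepad.exe", FORBIDDEN_APP),    # renamed copy of the forbidden binary: still blocked
    ("lob_v2.exe", APPROVED_APP_V2),   # updated build: its hash is not on the allow list yet
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_FILES, ALLOW, BLOCK).items():
        print("%-14s %s" % (name, verdict))
```

The "unknown" result for the updated build is the operational cost of hash lists: the list must be regenerated for each application version, so tie hash generation into the release process rather than doing it once.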