From c8495ea5b4c047076386effceb09835a7f3b8640 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Thu, 10 Aug 2017 17:03:42 +0000 Subject: [PATCH] Merged PR 2653: AppLocker CSP - added two new SyncML whitelist examples --- .../client-management/mdm/applocker-csp.md | 66 ++++++++++++++++++- ...ew-in-windows-mdm-enrollment-management.md | 6 +- 2 files changed, 69 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 8f7f3dd2f0..7564c89e41 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 08/10/2017 --- # AppLocker CSP @@ -791,8 +791,70 @@ The following list shows the apps that may be included in the inbox.   -## Whitelist example +## Whitelist examples +The following example disables the calendar application. + +``` syntax + + + + $CmdID$ + + + ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions + + + chr + text/plain + + <AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy"><Deny><App ProductId="{a558feba-85d7-4665-b5d8-a2ff9c19799b}"/></Deny></AppPolicy> + + + + + + +``` + +The following example blocks the usage of the map application. + +``` syntax + + + + $CmdID$ + + + ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/AppLockerPhoneGroup0/StoreApps/Policy + + + chr + + + <RuleCollection Type="Appx" EnforcementMode="Enabled"> + <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed Appx packages" Description="Allows members of the Everyone group to run Appx packages that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> + <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + + <FilePublisherRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Deny Splash appmaps" Description="Deny members of the local Administrators group to run maps." UserOrGroupSid="S-1-1-0" Action="Deny"> + <Conditions> + <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsMaps" BinaryName="*" /> + </Conditions> + </FilePublisherRule> + + </RuleCollection> + + + + + + +``` The following example for Windows 10 Mobile denies all apps and allows the following apps: diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 2fe500388f..4c92784d4b 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/04/2017 +ms.date: 08/10/2017 --- # What's new in MDM enrollment and management @@ -1332,6 +1332,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).
    • + +[AppLocker CSP](applocker-csp.md) +

    Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Whitelist examples](applocker-csp.md#whitelist-examples).

    + [Policy CSP](policy-configuration-service-provider.md)

    Added the following new policies for Windows 10, version 1709: