Creating ADMX profiles for Workspace ONE UEM can be a time-consuming and frustrating task. Luckily for us, there are great articles that explain how to construct these profiles, like this one from Grischa Ernst. But even then, the slightest typo can cost you a lot of precious time.
So I decided to take it a step further and build something that takes most of the pain away. Here’s a quick demo of what I came up with:
How does it work
You’ll need three items to get started:
- The portable app that I’ve built. You can download it here.
- An ADMX file
- Its corresponding ADML file
Just upload the ADMX + ADML files to the app. They will be parsed, stored in a DB and the policies will be rendered in the UI.
Next, start configuring the policies you need and hit save.
Lastly, hit the export buttons to download your work and put them in a custom payload profile in UEM!
Conclusion
Please note that I am by no means a professional developer and I’ve built all this when I should have been sleeping. So there’s gotta be bugs in there. If you find one, let me know and I’ll try to get it sorted out whenever I find some time!
No need to tell you you should triple test everything before rolling it out to production…
Enjoy!
release notes
v1.0: initial release. Tested with most popular ADMX files like Edge, Chrome, Firefox, Office 365.
v1.0.1 – March 27 2024
- modified <add> to <replace> for ADMX Install profile
- modified <LocURI> path of ADMX Install and remove profiles
v1.0.2 – April 19 2024
- addresses an issue with JSON strings inside a policy
Hello Wannes,
First, amazing job to have built this super tool (everyone is such a big fan of building syncml codes manually). Some colleagues and I were previously trying to reach your result without success so CONGRATS!!!
Two observations:
1- the install profile build uses the “ADD” command. I personally use the “REPLACE” command since it adds or uploads a setting value in register.
2- I tested the Edge ADMX remove profile but weirdly the built locURI shows a “1” character at the end. I tried with and without the “1” character but Edge ADMX was not removed / deleted from the register
FYI, here the built locURI with your tool:
20240326-01
chr
text/plain
./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/microsoft_edge/Policy/1
When the ADMX is properly installed on a device, this is the locURI used in the syncml code:
./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/EDGE/Policy/EdgeAdmx
So we can see some differences in the path.
I didn’t check the install syncml code your tool is generating but it seems you did for Edge and some common apps (thank you !) but I am specially concerned about the REMOVE code too.
This because in user end point management with MDM / UEM tools, for me one of the most important rules is: when deploying any resource on devices, you should be able to:
– install the resource
– detect the install status of the resource
– delete the resource if needed
This in order to be truly able to fully manage devices' life cycle.
Anyway, again amazing work, I bet a lot of people will use your tool, such a speed up tool to manage ADMX settings in MDM /UEM tools, so thank you Wannes !
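The install/remove mismatch raised in this comment can be caught before upload by comparing the ADMXInstall nodes the two profiles target. This is an added example, not part of the comment or of the tool's code; the SyncML fragments are constructed around the two LocURIs quoted above, and the un-namespaced command layout and exact-match comparison are assumptions.

```python
import xml.etree.ElementTree as ET

MARKER = "/Policy/ConfigOperations/ADMXInstall/"

# Constructed fragments; only the two LocURIs come from the comment above.
INSTALL = """<Replace><CmdID>1</CmdID><Item>
  <Meta><Format>chr</Format><Type>text/plain</Type></Meta>
  <Target><LocURI>./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/EDGE/Policy/EdgeAdmx</LocURI></Target>
  <Data>ADMX-CONTENT-PLACEHOLDER</Data></Item></Replace>"""
REMOVE = """<Delete><CmdID>2</CmdID><Item>
  <Target><LocURI>./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/microsoft_edge/Policy/1</LocURI></Target>
</Item></Delete>"""

def admx_targets(fragment):
    """Return {command verb: set of ADMXInstall node paths} for one payload."""
    # A custom-settings payload may hold several top-level commands, so wrap it.
    root = ET.fromstring(f"<root>{fragment}</root>")
    found = {}
    for cmd in root:
        for loc in cmd.iter("LocURI"):
            _, sep, node = (loc.text or "").strip().partition(MARKER)
            if sep:  # keep only ADMXInstall targets
                found.setdefault(cmd.tag, set()).add(node)
    return found

def lifecycle_gaps(install_xml, remove_xml):
    """Compare installed nodes with deleted nodes (exact string match)."""
    inst = admx_targets(install_xml)
    installed = inst.get("Add", set()) | inst.get("Replace", set())
    deleted = admx_targets(remove_xml).get("Delete", set())
    return {
        "never_removed": sorted(installed - deleted),    # install with no matching delete
        "deletes_nothing": sorted(deleted - installed),  # delete aimed at a node never installed
    }

if __name__ == "__main__":
    print(lifecycle_gaps(INSTALL, REMOVE))
```

Both lists empty means every installed ADMX node has a matching delete, which is the install/delete half of the lifecycle rule in the comment.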
Hello Lowkey,
Thanks for your positive and constructive feedback!
I’ve published a new version of the app that addresses your feedback!
Best regards,
Wannes
Hello Wannes,
Thank you for the edit of your tool, I tested Edge delete SyncML code and I just confirm that the LocURI in the delete code generated was correct with v1.01!
Also thank you for the “Add” changed to “Replace”, it will save some time to not change it with notepad 🙂
I’ll keep testing your wonderful tool and, if needed, I’ll give feedback here.
Thank you again Wannes!
I followed the steps to create the xml files. Do I have to put everything in one payload or can I put the ADMX install and settings in two payloads?
Hello Anton,
In WS1 UEM you should create at least two profiles:
– one that installs the ADMX policy file on the devices
– one or more profile(s) to configure the actual settings
Personally I tend to put all configurations that tend to never change or apply to everyone in the organization in one profile.
Policies that might change or only apply to a subset of your devices go into separate profiles (think of bookmarks, blocklists,…).
Thanks. I tried the following
I created a profile for the admx installation and a new one with some settings for Google Chrome.
However the settings profile hangs on the status pending install.
Any ideas?
Best place to start looking if the profile doesn’t install is event viewer on the Windows client side -> Applications and services Logs -> Microsoft -> Windows -> DeviceManagement-Enterprise-Diagnostics -> Admin. Look for errors there. If one of your policies is misconfigured (or there’s a bug in my app), it will be shown here.
I see the following errors:
MDM PolicyManager: Set policy string, Policy: (AutoSelectCertificateForUrls), Area: (Googlechrome~Policy~googlechrome~ContentSettings), EnrollmentID requesting set: (F394B692-421C-4952-97ED-CFF780782D30), Current User: (Device), String: (), Enrollment Type: (0x6), Scope: (0x0), Result:(0x80004005) Unspecified error.
—————————————————————-
MDM ConfigurationManager: Command failure status. Configuration Source ID: (F394B692-421C-4952-97ED-CFF780782D30), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/Config/Googlechrome~Policy~googlechrome~ContentSettings/AutoSelectCertificateForUrls), Result: (Unspecified error).
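Event messages like the two above can be split into fields and joined per policy node, which makes it easier to see which policy failed and what value was recorded for it. This is an added example, not part of the comment or of the tool; the "Key: (value)" regex and the reading of the area name as "~"-separated parts are assumptions based on the two quoted lines.

```python
import re

FIELD = re.compile(r"(\w[\w ]*?):\s*\(([^)]*)\)")  # matches "Key: (value)"

# The two event messages quoted in the comment above, verbatim.
EVENTS = [
    "MDM PolicyManager: Set policy string, Policy: (AutoSelectCertificateForUrls), "
    "Area: (Googlechrome~Policy~googlechrome~ContentSettings), "
    "EnrollmentID requesting set: (F394B692-421C-4952-97ED-CFF780782D30), "
    "Current User: (Device), String: (), Enrollment Type: (0x6), Scope: (0x0), "
    "Result:(0x80004005) Unspecified error.",
    "MDM ConfigurationManager: Command failure status. "
    "Configuration Source ID: (F394B692-421C-4952-97ED-CFF780782D30), "
    "Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), "
    "Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/Config/"
    "Googlechrome~Policy~googlechrome~ContentSettings/AutoSelectCertificateForUrls), "
    "Result: (Unspecified error).",
]

def fields(message):
    """Split the 'Key: (value)' pairs out of one event message."""
    return dict(FIELD.findall(message))

def triage(messages):
    """Merge events that refer to the same area/policy into one finding."""
    nodes = {}
    for msg in messages:
        f = fields(msg)
        uri = f.get("CSP URI", "")
        if "/Policy/Config/" in uri:            # ConfigurationManager event
            area, _, policy = uri.split("/Policy/Config/", 1)[1].partition("/")
            extra = {"uri": uri, "command": f.get("Command Type")}
        elif "Area" in f and "Policy" in f:     # PolicyManager event
            area, policy = f["Area"], f["Policy"]
            # An empty String field means the event recorded no value for the policy.
            extra = {"result": f.get("Result"), "empty_payload": f.get("String") == ""}
        else:
            continue
        node = nodes.setdefault((area, policy),
                                {"policy": policy, "area_parts": area.split("~")})
        node.update(extra)
    return list(nodes.values())

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```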
Hi Anton,
Thanks for your input. v1.0.2 was uploaded to Github, it should address the problems you encountered.
Best regards,
Wannes