Manage local administrators/groups with CSP
Managing local groups with Workspace ONE is not that complicated. There is a CSP you can use for it. See here.
To use the CSP you need to create an XML document for the group configuration. It looks like this:
<groupmembership>
    <accessgroup desc="Administrators">
        <member name="Administrator" />
        <member name="mmworks\RestrictedGroup" />
        <member name="mmworks\domain admins" />
        <member name="mmworks\admernst" />
    </accessgroup>
</groupmembership>
As you can see, the target group is selected in the "accessgroup desc" attribute. For every group member, you need to create a new <member name="" /> entry. You can add groups or users.
Beware that restricted groups will remove all other members who are not applied via the CSP.
This means in my example, if there were a user named "Test" who is a member of the local Administrators group, that entry would be deleted and the "Test" user would no longer be a member.
If you see this error:
MDM ConfigurationManager: Command failure status. Configuration Source ID: (F485B25C-E2F3-4B3C-B201-62874A8B6CCC), Enrollment Name: (MDMFull), Provider Name: (Policy), Command Type: (SetValue: from Replace), CSP URI: (./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership), Result: (Cannot perform this operation on built-in accounts.).
This means you haven't added all the required built-in accounts to the CSP. If you have not added "Administrator" and the domain admins to the members in the CSP, the CSP will return this error.
This is an example CSP:
<Replace>
    <CmdID>c0fdee89-572c-4cd9-ab75-dbdd1cffce32</CmdID>
    <Item>
        <Target>
            <LocURI>./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership</LocURI>
        </Target>
        <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
            <Type>text/plain</Type>
        </Meta>
        <Data><![CDATA[<groupmembership>
    <accessgroup desc="Administrators">
        <member name="Administrator" />
        <member name="mmworks\RestrictedGroup" />
        <member name="mmworks\domain admins" />
        <member name="mmworks\admernst" />
    </accessgroup>
</groupmembership>]]></Data>
    </Item>
</Replace>
After you have created a new profile and assigned it to the device, you will see that the local group is updated.