Manage local administrators/groups with CSP

Managing local groups with Workspace ONE is not that complicated. There is a CSP you can use for it. See here.

To use the CSP you need to create an XML document describing the group configuration. It looks like this:

<groupmembership>
   <accessgroup desc = "Administrators">
      <member name = "Administrator" />
      <member name = "mmworks\RestrictedGroup" />
      <member name = "mmworks\domain admins" />
      <member name = "mmworks\admernst" />
   </accessgroup>
</groupmembership>

As you can see, the target group is selected in the “accessgroup desc” attribute. For every group member you need a separate “<member name="" />” entry. Members can be groups or users.

Beware that a restricted group removes every member that is not listed in the CSP.

In my example this means that if a user named “Test” were a member of the local Administrators group, that membership would be deleted and “Test” would no longer be a member.

If you see this error:

MDM ConfigurationManager: Command failure status. Configuration Source ID: (F485B25C-E2F3-4B3C-B201-62874A8B6CCC), Enrollment Name: (MDMFull), Provider Name: (Policy), Command Type: (SetValue: from Replace), CSP URI: (./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership), Result: (Cannot perform this operation on built-in accounts.).

This means you haven’t added all the required built-in accounts to the CSP. If “Administrator” and the domain admins are not included in the member list, the CSP returns this error.

This is an example SyncML command for the CSP:

<Replace>
  <CmdID>c0fdee89-572c-4cd9-ab75-dbdd1cffce32</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
      <Type>text/plain</Type>
    </Meta>
    <Data><![CDATA[<groupmembership><accessgroup desc = "Administrators"><member name = "Administrator" /><member name = "mmworks\RestrictedGroup" /><member name = "mmworks\domain admins" /><member name = "mmworks\admernst" /></accessgroup></groupmembership>]]></Data>
  </Item>
</Replace>

After you create a new profile and assign it to the device, you will see that the local group is updated.
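As an added example (not from the original post or from Workspace ONE), here is a small Python helper that builds the groupmembership XML, refuses to omit the built-in accounts the post says are required, wraps the result in the SyncML Replace with a correctly terminated CDATA section, and reports which current members a restricted-group policy would drop. The function names, the default list of required members and the sample member names are my assumptions.

```python
import uuid
import xml.etree.ElementTree as ET

LOC_URI = "./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership"

def build_groupmembership(group, members, required=("Administrator",)):
    """Build the <groupmembership> XML for one local group.

    'required' holds built-in accounts that must stay in the list (default is an
    assumption); the post also names the domain's "domain admins" group, which
    the caller adds for their own domain."""
    present = {m.lower() for m in members}
    missing = [r for r in required if r.lower() not in present]
    if missing:
        raise ValueError(f"required built-in members missing: {missing}")
    root = ET.Element("groupmembership")
    group_el = ET.SubElement(root, "accessgroup", desc=group)
    for member in members:  # ElementTree escapes &, < and " in names for us
        ET.SubElement(group_el, "member", name=member)
    return ET.tostring(root, encoding="unicode")

def wrap_syncml(payload, cmd_id=""):
    """Wrap the payload in a SyncML <Replace>; the CDATA section must end in ']]>'."""
    if "]]>" in payload:
        raise ValueError("payload contains ']]>' and would end the CDATA section early")
    cmd_id = cmd_id or str(uuid.uuid4())
    return (
        "<Replace>\n"
        f"  <CmdID>{cmd_id}</CmdID>\n"
        "  <Item>\n"
        f"    <Target><LocURI>{LOC_URI}</LocURI></Target>\n"
        '    <Meta><Format xmlns="syncml:metinf">chr</Format><Type>text/plain</Type></Meta>\n'
        f"    <Data><![CDATA[{payload}]]></Data>\n"
        "  </Item>\n"
        "</Replace>"
    )

def members_to_be_removed(payload, current_members):
    """A restricted group replaces the whole membership: list who would be dropped."""
    configured = {m.get("name").lower() for m in ET.fromstring(payload).iter("member")}
    return [m for m in current_members if m.lower() not in configured]

if __name__ == "__main__":
    # Constructed sample: the post's members, checked against a group that also holds "Test"
    xml_payload = build_groupmembership(
        "Administrators",
        ["Administrator", r"mmworks\RestrictedGroup", r"mmworks\domain admins", r"mmworks\admernst"],
    )
    print(wrap_syncml(xml_payload))
    print("would be removed:", members_to_be_removed(xml_payload, ["Administrator", "Test"]))
```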
