Managing local groups with Workspace ONE is not that complicated: there is a CSP (the RestrictedGroups policy CSP) you can use for it. See here.
To use the CSP you need to create an XML document describing the group configuration. It looks like this:
<groupmembership>
  <accessgroup desc="Administrators">
    <member name="Administrator" />
    <member name="mmworks\RestrictedGroup" />
    <member name="mmworks\domain admins" />
    <member name="mmworks\admernst" />
  </accessgroup>
</groupmembership>
As you can see, the target group is selected with the "desc" attribute of "accessgroup". For every group member you need a separate "<member name="..." />" entry; you can add groups as well as users.
Be aware that restricted groups remove every member that is not applied via the CSP.
In my example this means that if a user named "Test" were a member of the local Administrators group, that entry would be deleted and the "Test" user would no longer be a member.
If you see this error:
MDM ConfigurationManager: Command failure status. Configuration Source ID: (F485B25C-E2F3-4B3C-B201-62874A8B6CCC), Enrollment Name: (MDMFull), Provider Name: (Policy), Command Type: (SetValue: from Replace), CSP URI: (./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership), Result: (Cannot perform this operation on built-in accounts.).
it means you have not added all required built-in accounts to the CSP. If "Administrator" and the domain admins are not listed as members in the CSP, the CSP returns this error.
This is an example CSP:
<Replace>
  <CmdID>c0fdee89-572c-4cd9-ab75-dbdd1cffce32</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
      <Type>text/plain</Type>
    </Meta>
    <Data><![CDATA[<groupmembership>
  <accessgroup desc="Administrators">
    <member name="Administrator" />
    <member name="mmworks\RestrictedGroup" />
    <member name="mmworks\domain admins" />
    <member name="mmworks\admernst" />
  </accessgroup>
</groupmembership>]]></Data>
  </Item>
</Replace>
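As an added example (not from the original post or from Workspace ONE itself), here is a small Python helper that builds the groupmembership XML, wraps it in the SyncML Replace command shown above, and performs the two checks you want before assigning the profile: that the built-in "Administrator" account is present (otherwise the CSP fails with the "built-in accounts" error) and which current local members the restricted group would remove. The member lists and current-membership data are constructed sample values.

```python
import xml.etree.ElementTree as ET

LOC_URI = "./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership"
# Built-in accounts the CSP insists on per group (assumption: only "Administrator"
# is tracked here; extend the mapping for other groups as needed).
REQUIRED_MEMBERS = {"Administrators": {"Administrator"}}


def build_groupmembership(groups):
    """groups: {"Administrators": ["Administrator", r"mmworks\admernst"]} -> XML string."""
    root = ET.Element("groupmembership")
    for desc, members in groups.items():
        accessgroup = ET.SubElement(root, "accessgroup", desc=desc)
        for name in members:
            ET.SubElement(accessgroup, "member", name=name)
    return ET.tostring(root, encoding="unicode")


def wrap_in_syncml(cmd_id, xml_text):
    """Embed the groupmembership XML in a SyncML Replace, as the CSP expects (CDATA-wrapped)."""
    return (f"<Replace><CmdID>{cmd_id}</CmdID><Item><Target><LocURI>{LOC_URI}</LocURI></Target>"
            f'<Meta><Format xmlns="syncml:metinf">chr</Format><Type>text/plain</Type></Meta>'
            f"<Data><![CDATA[{xml_text}]]></Data></Item></Replace>")


def _listed(accessgroup):
    # Windows account names are case-insensitive, so compare case-folded.
    return {m.get("name").casefold() for m in accessgroup.findall("member")}


def missing_builtins(xml_text):
    """Return {group: {missing built-in accounts}}; non-empty means the CSP will reject the policy."""
    missing = {}
    for ag in ET.fromstring(xml_text).findall("accessgroup"):
        present = _listed(ag)
        gaps = {r for r in REQUIRED_MEMBERS.get(ag.get("desc"), set()) if r.casefold() not in present}
        if gaps:
            missing[ag.get("desc")] = gaps
    return missing


def members_to_be_removed(xml_text, current):
    """current: {group: [members on the device now]}; anyone not in the XML is dropped."""
    removed = {}
    for ag in ET.fromstring(xml_text).findall("accessgroup"):
        allowed = _listed(ag)
        gone = sorted(n for n in current.get(ag.get("desc"), []) if n.casefold() not in allowed)
        if gone:
            removed[ag.get("desc")] = gone
    return removed
```

Run missing_builtins() on the generated XML before uploading the profile, and members_to_be_removed() against the output of Get-LocalGroupMember from a reference device to see who would lose access.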
After you created a new Profile and assigned it to the device, you see a behavior like this: