Managing local groups with Workspace ONE is not that complicated. There is a CSP you can use for it. See here.

To use the CSP you need to create an XML for the group configuration. This will look like this:

     
       
            
               
          
        
    

As you can see, in the “accessgroup desc” the target group is selected. For every group member, you need to create a new “<member name =””/>” entry. You can add groups or users.

Be ware that restricted groups will remove all other members that are not applied via the CSP.

This means in my example, if there were an user named “Test” member of the local administrators group, the entry would be deleted and the “Test” user is not member any more.

If you see this error:

MDM ConfigurationManager: Command failure status. Configuration Source ID: (F485B25C-E2F3-4B3C-B201-62874A8B6CCC), Enrollment Name: (MDMFull), Provider Name: (Policy), Command Type: (SetValue: from Replace), CSP URI: (./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership), Result: (Cannot perform this operation on built-in accounts.).

This means, you haven’t added all required built-in accounts to the CSP. If you have not added “Administrator” and the domain admins to the member in the CSP, the CSP will return this error.

This is an example CSP:


  c0fdee89-572c-4cd9-ab75-dbdd1cffce32
  
    
        ./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership
      
    
      chr
      text/plain
    
                                   ]]>
  

After you created a new Profile and assigned it to the device, you see a behavior like this:

Please follow and like us:

Categories:

No responses yet

Leave a Reply

Your email address will not be published. Required fields are marked *