Black or Whitelist applications on Windows Phone 8.1 with Windows Intune

Do you want to blacklist a specific application from being installed or started on Windows Phone 8.1? Today it’s possible to:

  • Black or whitelist a specific application
  • Black or whitelist a specific vendor

Bear in mind that as of today, we can only do this using Intune UDM (Windows Intune in combination with ConfigMgr).
In this example we will prohibit users from installing or starting a specific app.

Step 1 – Create a new Configuration Item

Create a new Configuration Item and specify something a “Name”. Make sure you select “Mobile device” in the drop-down list box. Hit “Next”.


Select “Configure additional settings that are not in the default settings group” and hit “Next”.


In the next dialog, hit “add” followed by “Create setting”.


Enter a descriptive name, select “OMA URI” in the “Setting Type” drop-down list box. 
Select “String” in the “Data Type” drop-down list box. 
In the “OMA-URI” field, copy and past the following line:


Hit “OK”.


Search for the setting we just created and hit “Select”.


In the “Create Rule” dialog, make sure that:

  • The “Rule type” is set to “Value”
  • The second drop-down list box contains “Equals”
  • The “the following values” textfield contains the line of XML required to blacklist (or whitelist) the product ID.

In our example, the XML required will be:

<AppPolicy Version="1" xmlns="" ><Deny><App ProductId="{9168c4f3-217b-4a29-b543-7513bb4ae2ed}" /></Deny></AppPolicy>

Notice the two variables in this line of XML:

  1. <Deny></Deny>           
  2. ProductId

You can either blacklist by using “Deny” or whitelist by using “Allow”

How to find the product ID:

  • Open a browser and navigate to the Windows Phone store
  • Search for the game/application, open the link to the specific game/application if you get multiple hits.
  • Look at the URL, this contains a GUID. This GUID is the ProductId.


After entering the line of XML according to the desired behaviour, the dialog should look similair to this:


Select “OK” and “Close”. Afterwards hit “Next”.


Select “Windows Phone 8.1” and hit “Summary”. Followed by “Next” and “Close”


Navigate to “Configuration Baselines”, create a new Baseline and select “add” followed by “Configuration Items”


Add the Configuration Item we just created and hit “OK”


Select “Remediate noncomplaint rules when supported” and select a collection to target this policy against.


Wait until the policy is applied on the device, you can speed this up by going to “Workplace” on the Windows Phone and pressing the “sync” icon.


Now when browsing the store, users will get a notification and will be unable to install an app. If the app is already installed – users will be unable to start the app.

wp_ss_20140604_0004    wp_ss_20140604_0005

A big thanks for the great information goes out to my fellow TSP’s Bjorn Axell, Paul Goodson, Dan Andersen and Bob Roudebush.

Please consider leaving a reply in case this post helped you.