Thursday, August 17, 2017

Block Apps on Intune Enrolled Samsung Devices through OMA-URI Settings

Recently one of our customers had a requirement to use Samsung Galaxy Tabs as kiosk devices. These are shared devices, enrolled in Intune using a Device Enrollment Manager (DEM) account, that are used only to run a specific LOB application.

The issue we faced was that this specific tablet model, the Samsung Galaxy Tab E 9.6 (SM-T561), does not have full KNOX capability baked into the OS; there is simply no KNOX version information under Settings > About device. Because of this, none of the KNOX-dependent policies worked on the device, since Intune requires Samsung KNOX-capable devices for them.

Since the "Kiosk policy" didn't work on this device, the only method to achieve this was to block apps from running through OMA-URI settings.


These are the key points of this method.
  1. Unlike Kiosk mode, this will not hide the apps.
  2. Even though the Play Store is blocked, automatic app updates keep working (e.g. the Company Portal app).
  3. System updates keep working.
  4. Users cannot sideload apps because the ability to download apk files is blocked (file manager, Drive, email).
  5. If an admin wants to install a specific Play Store app on a device, they can push it from Google Play on the web using a browser, since all devices have the same Google account configured.
  6. Pushing an app through Intune as a Play Store app won't work because the Play Store is blocked on the device.
  7. Additionally, users cannot unenroll the device since it was enrolled by a DEM account.
  8. Certain needed apps such as Calculator, Memo and Weather can still be allowed.

Steps:

1. Log into portal.azure.com

2. Navigate to Intune > Device configuration > Profiles > Create profile.

3. On Create profile blade,
          enter Name, Description
          select Platform -> Android
          select Profile type -> Custom

4. On Settings, click Add and enter the OMA-URI settings as follows.
          enter Name, Description
          enter OMA-URI -> ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/PreventStartPackages
          select Data type -> String
          enter the package names in the Value box (to separate the package names, use ; or : or , or |)



Full list
This list contains most of the app package names you would want to block in this type of scenario (package name first, then the app it belongs to).

com.android.settings;                 SETTINGS
com.android.vending;                  PLAY STORE
com.android.chrome;                   CHROME
com.android.mms;                      MESSAGES
com.sec.android.app.myfiles;          MY FILES
com.sec.android.app.samsungapps;      GALAXY APPS
com.android.contacts;                 CONTACTS
com.google.android.youtube;           YOUTUBE
com.google.android.apps.docs;         DRIVE
com.android.email;                    EMAIL
com.sec.android.gallery3d;            GALLERY
com.google.android.gm;                GMAIL
com.google.android.apps.plus;         GOOGLE+
com.google.android.apps.books;        GOOGLE PLAY BOOKS
com.google.android.play.games;        GOOGLE PLAY GAMES
com.google.android.videos;            GOOGLE PLAY MOVIES & TV
com.google.android.music;             GOOGLE PLAY MUSIC
com.google.android.apps.magazines;    GOOGLE PLAY NEWSSTAND
com.google.android.talk;              HANGOUTS
com.android.calendar;                 S PLANNER
com.samsung.video;                    VIDEO
com.sec.android.app.videoplayer;      VIDEO PLAYER
com.android.bluetooth;                BLUETOOTH SHARE
com.sec.android.app.sbrowser;         INTERNET BROWSER
com.sec.android.app.music;            MUSIC


5. Click OK and create the profile.

6. Deploy to the appropriate device group.


After the policy has been applied to the device, tapping an app icon in the app drawer does nothing, because the blocked apps cannot start.
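To assemble the Value string for step 4, and to check what an already-saved profile actually covers, here is an added Python example (not from the original post, and not an Intune or Samsung tool): it validates each package name against the Android package-name rules, joins the list with ';', and parses back a value written with any of the separators the post lists. The validator regex and the small subset of the block list are constructed for this example.

```python
import re

# Android package names are dot-separated segments; each segment starts with a
# letter and continues with letters, digits or underscores (validator written
# for this example, not taken from the post).
_SEGMENT = r"[A-Za-z][A-Za-z0-9_]*"
PACKAGE_RE = re.compile(rf"^{_SEGMENT}(\.{_SEGMENT})+$")

# Separators the post says the PreventStartPackages value accepts.
SEPARATORS = ";:,|"

# Constructed subset of the post's block list: package name -> app label.
BLOCK_LIST = {
    "com.android.settings": "SETTINGS",
    "com.android.vending": "PLAY STORE",
    "com.android.chrome": "CHROME",
    "com.sec.android.app.myfiles": "MY FILES",
    "com.google.android.apps.docs": "DRIVE",
    "com.android.email": "EMAIL",
}


def build_value(packages):
    """Return the string to paste into the OMA-URI Value box: malformed names
    are rejected, duplicates dropped, order kept, ';' used as the separator."""
    seen = []
    for pkg in packages:
        pkg = pkg.strip()
        if not PACKAGE_RE.match(pkg):
            raise ValueError(f"not a valid Android package name: {pkg!r}")
        if pkg not in seen:
            seen.append(pkg)
    return ";".join(seen)


def parse_value(value):
    """Split a saved PreventStartPackages value on any accepted separator,
    ignoring empty entries such as the one left by a trailing ';'."""
    parts = re.split(f"[{re.escape(SEPARATORS)}]", value)
    return {p.strip() for p in parts if p.strip()}


def missing_from(deployed_value, intended):
    """Packages in the intended block list that a deployed value does not cover."""
    return sorted(set(intended) - parse_value(deployed_value))


if __name__ == "__main__":
    print(build_value(BLOCK_LIST))
    # A profile saved with mixed separators and a trailing ';' still parses.
    saved = "com.android.settings, com.android.vending|com.android.chrome;"
    print(missing_from(saved, BLOCK_LIST))
```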


3 comments:

  1. This post was extremely helpful in implementing a similar situation in our company. Thank you for this.