Windows MDM CSP Policies V2

HariDeepak
JumpCloud Employee

We are very excited to announce General Availability (GA) of another set of Windows MDM policies!

Prerequisite: the device must be enrolled in JumpCloud MDM. The supported editions are Windows Pro, Enterprise, Education, Windows SE and IoT Enterprise/IoT Enterprise LTSC.

In this phase, we are introducing the following new Windows policies:

Application Restriction

Administrators can now restrict users from running applications on JumpCloud-managed Windows devices. Applications are added to the block list through the following categories:

  • Inbox Apps & Components - Default system applications that admins can pick and add to the block list.
  • File Extension - Choose the extension (exe, msi, dll, ps1, vbs, js) and provide the application's Publisher, Product name and Binary name to block specific applications. Because this rule keys on the code-signing publisher, only signed applications can be blocked this way; for unsigned applications, use the File Path category instead.
  • File Path - Specify the full path to an application, or to a folder containing applications, to add to the block list.

Note - Do not include the Windows system folders in a File Path rule; blocking them can prevent the device from booting, because system components depend on files in those folders.

File Path rules accept the following AppLocker path variables, which map onto the Windows environment variables shown:

Windows directory or drive                              | AppLocker path variable | Windows environment variable
--------------------------------------------------------|-------------------------|------------------------------------------
Windows                                                 | %WINDIR%                | %SystemRoot%
System32 and SysWOW64                                   | %SYSTEM32%              | %SystemDirectory%
Windows installation directory                          | %OSDRIVE%               | %SystemDrive%
Program Files                                           | %PROGRAMFILES%          | %ProgramFiles% and %ProgramFiles(x86)%
Removable media (for example, CD or DVD)                | %REMOVABLE%             |
Removable storage device (for example, USB flash drive) | %HOT%                   |

  • Store App - Choose applications from the Microsoft Store to block.

Learn more - https://jumpcloud.com/support/create-a-windows-application-restriction-policy 


Key Benefits

  • Fine-grained control over which applications can run on a specific device or device group, restricting execution of unauthorized applications.
  • Reduces the risk of malware infections (ransomware, viruses and trojans).
  • Helps meet security regulations and industry standards.

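The following PowerShell is an added example and not JumpCloud's code. It gathers the Publisher, Product name and Binary name that a File Extension rule asks for, flags unsigned binaries (which need a File Path rule instead), rewrites concrete paths into the AppLocker path variables from the table above, and dry-runs a path against the policy in effect on the device. It assumes the restriction is ultimately enforced through AppLocker, which the path-variable table suggests but the post does not state; the cmdlets used are the standard AppLocker module cmdlets.

```powershell
# Added example, not JumpCloud's code. Assumes Application Restriction rules are
# enforced via AppLocker on the device (the post's use of AppLocker path
# variables suggests this). Run elevated for Get-AppLockerPolicy -Effective.

function ConvertTo-AppLockerPath {
    # Map a concrete path onto the AppLocker variables from the table: the most
    # specific prefix is tried first (%SYSTEM32% before %WINDIR% before %OSDRIVE%).
    # Removable media (%REMOVABLE%, %HOT%) is not handled here.
    param([Parameter(Mandatory)][string]$Path)
    $sysRoot = $env:SystemRoot                 # usually C:\Windows
    $map = @(
        @("$sysRoot\System32",       '%SYSTEM32%'),
        @("$sysRoot\SysWOW64",       '%SYSTEM32%'),
        @($sysRoot,                  '%WINDIR%'),
        @($env:ProgramFiles,         '%PROGRAMFILES%'),
        @(${env:ProgramFiles(x86)},  '%PROGRAMFILES%'),   # $null on 32-bit Windows
        @($env:SystemDrive,          '%OSDRIVE%')
    )
    foreach ($pair in $map) {
        $prefix, $token = $pair
        if (-not $prefix) { continue }
        if ($Path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            $rest = $Path.Substring($prefix.Length)
            # Require a separator (or nothing) after the prefix so that
            # C:\Windows\System32Tools does not match C:\Windows\System32.
            if ($rest -eq '' -or $rest.StartsWith('\')) { return $token + $rest }
        }
    }
    return $Path
}

function Get-AppRestrictionRuleInput {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Path)
    process {
        foreach ($p in $Path) {
            # Reads the Authenticode signature and version resource of the file;
            # Publisher is $null when the file is not signed.
            $info = Get-AppLockerFileInformation -Path $p -ErrorAction Stop
            if ($null -ne $info.Publisher) {
                [pscustomobject]@{
                    Path        = $p
                    Category    = 'File Extension'
                    Publisher   = $info.Publisher.PublisherName   # e.g. O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
                    ProductName = $info.Publisher.ProductName
                    BinaryName  = $info.Publisher.BinaryName
                    Warning     = $null
                }
            }
            else {
                # Unsigned: a publisher rule can never match it, so fall back to a
                # File Path rule expressed with an AppLocker path variable.
                $rulePath = ConvertTo-AppLockerPath -Path $p
                $warn = $null
                if ($rulePath -match '^%(WINDIR|SYSTEM32)%') {
                    $warn = 'Under a system folder: block this single file, never the folder (see the Note above)'
                }
                [pscustomobject]@{
                    Path        = $p
                    Category    = 'File Path'
                    Publisher   = $null
                    ProductName = $null
                    BinaryName  = $rulePath
                    Warning     = $warn
                }
            }
        }
    }
}

function Test-AppRestriction {
    # Dry-run paths against the AppLocker policy in effect on this device to
    # confirm the decision before assigning the policy to a wider device group.
    param([Parameter(Mandatory)][string[]]$Path)
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $Path -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Usage:
# 'C:\Windows\System32\mspaint.exe', 'C:\Tools\unsigned-tool.exe' | Get-AppRestrictionRuleInput | Format-List
# Test-AppRestriction -Path 'C:\Tools\unsigned-tool.exe'   # PolicyDecision reads Denied once the rule has applied
```

Run Get-AppRestrictionRuleInput on a pilot device to fill in the rule fields, then Test-AppRestriction on the same device after the policy has applied: a Denied decision with the expected MatchingRule confirms the rule works before it reaches a device group.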
Custom MDM (OMA-URI)

Administrators can now create custom MDM policies for settings that are not available in JumpCloud Windows policy management. Specify the OMA-URI (Open Mobile Alliance Uniform Resource Identifier) of the CSP node together with its Format and Value, and the setting is enforced on the managed Windows device.

Learn more - https://jumpcloud.com/support/create-custom-windows-mdm-policy 

[Screenshot: a custom OMA-URI policy configured as per the Task Manager CSP documentation.]

Key Benefits

  • Configure settings that are not covered by the pre-built MDM policies.
  • OMA-URIs allow precise control over specific device settings and functionalities.
  • Automate complex device configuration and reduce manual effort for newly enrolled machines.

Bluetooth Allowed Services

The existing Bluetooth policy now includes a list of the services (profiles) allowed to run over Bluetooth, giving control over the complete Bluetooth functionality of the managed device. By default, File Transfer is blocked as a standard security practice; administrators can change this to suit business requirements. Custom services can also be added by following the template in the help center article.

Learn more - https://jumpcloud.com/support/create-windows-bluetooth-policy 


Key Benefits

  • Allow only the Bluetooth services you need, reducing the attack surface (for example, disallow file transfer).
  • Prevent unauthorized exfiltration of sensitive data
  • Centralized control of complete Bluetooth functionality including services.
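The PowerShell below is an added example, not JumpCloud's code, and serves both the Custom MDM (OMA-URI) section and the Bluetooth Allowed Services section above. It builds the SyncML Replace command that an MDM server sends for an OMA-URI/Format/Value triple, constructs a Bluetooth allowed-services value from Bluetooth SIG short UUIDs so that file transfer is blocked by omission, and reads back the value the device has recorded. The OMA-URIs (Policy CSP TaskManager/AllowEndTask and Bluetooth/ServicesAllowedList), the semicolon-delimited braced UUID format, and the PolicyManager registry location are taken from my reading of the Policy CSP documentation and are assumptions to confirm against that documentation and the help center template.

```powershell
# Added example, not JumpCloud's code. OMA-URIs, value formats and the registry
# path below follow my reading of the Policy CSP documentation (assumptions).

function New-CustomOmaUriSyncML {
    # Emit the SyncML <Replace> an MDM server sends for one custom OMA-URI.
    param(
        [Parameter(Mandatory)][string]$OmaUri,     # e.g. ./Device/Vendor/MSFT/Policy/Config/TaskManager/AllowEndTask
        [Parameter(Mandatory)][ValidateSet('int', 'chr', 'bool', 'b64', 'xml')][string]$Format,
        [Parameter(Mandatory)][string]$Value,
        [int]$CmdId = 1
    )
    # Catch Format/Value mismatches before they are pushed to a device group.
    switch ($Format) {
        'int'  { if ($Value -notmatch '^-?\d+$')  { throw "Value '$Value' is not an integer" } }
        'bool' { if ($Value -notin 'true', 'false') { throw "bool values are 'true' or 'false'" } }
        'b64'  { try { [void][Convert]::FromBase64String($Value) } catch { throw 'Value is not valid base64' } }
    }
    $data = [System.Security.SecurityElement]::Escape($Value)
@"
<Replace>
  <CmdID>$CmdId</CmdID>
  <Item>
    <Target><LocURI>$OmaUri</LocURI></Target>
    <Meta><Format xmlns="syncml:metinf">$Format</Format></Meta>
    <Data>$data</Data>
  </Item>
</Replace>
"@
}

# Bluetooth SIG 16-bit service UUIDs expand to 128-bit form with the Bluetooth
# Base UUID 00000000-0000-1000-8000-00805F9B34FB.
$BluetoothBaseSuffix = '-0000-1000-8000-00805F9B34FB'
$BluetoothServices = [ordered]@{
    HandsFree        = 0x111E   # HFP: headsets and car kits
    AudioSink        = 0x110B   # A2DP: speakers
    AVRemoteControl  = 0x110E   # AVRCP: media buttons
    HumanInterface   = 0x1124   # HID: keyboards and mice
    OBEXFileTransfer = 0x1106   # FTP: the profile the post blocks by default
}

function ConvertTo-BluetoothServiceUuid {
    param([Parameter(Mandatory)][int]$ShortUuid)
    '{{{0:X8}{1}}}' -f $ShortUuid, $BluetoothBaseSuffix    # e.g. {0000111E-0000-1000-8000-00805F9B34FB}
}

function New-BluetoothServicesAllowedList {
    # Allowlist semantics: anything not listed is blocked, so leaving out
    # OBEXFileTransfer is what blocks Bluetooth file transfer.
    param([string[]]$Allow = @('HandsFree', 'AudioSink', 'AVRemoteControl', 'HumanInterface'))
    ($Allow | ForEach-Object { ConvertTo-BluetoothServiceUuid -ShortUuid $BluetoothServices[$_] }) -join ';'
}

function Get-AppliedPolicyCspValue {
    # Read back a device-scope Policy CSP value after the MDM client applied it.
    # Assumption: values land under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>.
    param([Parameter(Mandatory)][string]$Area, [Parameter(Mandatory)][string]$Policy)
    $key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$Area"
    (Get-ItemProperty -Path $key -Name $Policy -ErrorAction SilentlyContinue).$Policy
}

# Usage:
New-CustomOmaUriSyncML -OmaUri './Device/Vendor/MSFT/Policy/Config/TaskManager/AllowEndTask' -Format int -Value 0
New-CustomOmaUriSyncML -OmaUri './Device/Vendor/MSFT/Policy/Config/Bluetooth/ServicesAllowedList' `
    -Format chr -Value (New-BluetoothServicesAllowedList) -CmdId 2
Get-AppliedPolicyCspValue -Area TaskManager -Policy AllowEndTask   # 0 once the policy has applied
```

The format check is the part worth keeping: a value typed as int but supplied as text, or a bool written as 1/0, is rejected before it reaches a device rather than failing silently in the MDM client. The allowed-services helper makes the post's default explicit: file transfer is blocked because its UUID is absent from an allowlist, not because a separate deny entry exists.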

Config Refresh

Config Refresh in Windows 11 automatically reapplies MDM policies at a set interval, so devices consistently adhere to the desired configuration even if a local change drifts away from it. This minimizes policy drift, enables faster response to threats and simplifies management by reducing manual intervention. The default interval is 30 minutes.

Learn more - https://jumpcloud.com/support/create-a-windows-config-refresh-policy 


Key Benefits

  • Frequent policy updates, ensuring devices remain in compliance with set configuration.
  • Minimizes policy drift by reapplying policies at regular intervals.
  • Reduces administrative overhead in managing device configurations by automating the process of policy reapplication.

Windows Time Service

With this policy, administrators can ensure accurate and consistent time across all devices in a network. Accurate time is crucial for many system functions and security mechanisms, such as Kerberos authentication, certificate validity checks and log correlation. The policy also lets administrators configure the NTP (Network Time Protocol) servers that devices should synchronise with, along with polling intervals and timeouts.


Key Benefits

  • Ensures that all devices within a network maintain accurate and consistent time, which is critical for security and stability.
  • Many applications, such as databases, scheduling systems and communication protocols, rely on accurate time to function correctly.
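The PowerShell below is an added example and not JumpCloud's code. Once the Windows Time Service policy has applied, it checks on the device that the configured NTP servers are the ones the policy is meant to set, that the clock is actually synchronising over the network rather than running on the local CMOS clock, and that the offset against each server is within tolerance. The parsers take raw w32tm output as text so they can be exercised on captured or constructed output; only Test-W32TimeSync calls w32tm live. The expected server names and the 1-second tolerance are placeholders.

```powershell
# Added example, not JumpCloud's code. Verifies the effect of a Windows Time
# Service policy with the built-in w32tm.exe tool.

function ConvertFrom-W32TimeConfiguration {
    # Parse `w32tm /query /configuration` output: client Type (NTP = manual
    # peer list, NT5DS = domain hierarchy) and the configured NtpServer list.
    param([Parameter(Mandatory)][string[]]$Lines)
    $cfg = @{ Type = $null; NtpServers = @() }
    foreach ($line in $Lines) {
        if ($line -match '^\s*Type:\s*(\S+)') { $cfg.Type = $Matches[1] }
        if ($line -match '^\s*NtpServer:\s*(.+?)\s*\((Local|Policy)\)') {
            # "ntp1.example.com,0x9 ntp2.example.com,0x9" -> drop the ,0xN flag suffixes
            $cfg.NtpServers = @($Matches[1] -split '\s+' | ForEach-Object { ($_ -split ',')[0] })
        }
    }
    [pscustomobject]$cfg
}

function ConvertFrom-W32TimeStripchart {
    # Parse `w32tm /stripchart /computer:<server> /samples:N /dataonly` lines
    # such as "10:02:03, +00.0031245s" into offsets in seconds. Lines reporting
    # "error: 0x..." do not match and are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
}

function Test-W32TimeSync {
    param(
        [Parameter(Mandatory)][string[]]$ExpectedServers,   # the servers the policy configures
        [double]$MaxOffsetSeconds = 1.0,                    # Kerberos tolerates 5 minutes; alert well before that
        [int]$Samples = 3
    )
    $cfg     = ConvertFrom-W32TimeConfiguration -Lines (w32tm /query /configuration)
    $source  = (w32tm /query /source) -join ''
    $missing = @($ExpectedServers | Where-Object { $_ -notin $cfg.NtpServers })
    # "Local CMOS Clock" or "Free-running System Clock" means no network sync at all.
    $syncing = $source -notmatch 'Local CMOS Clock|Free-running'
    $offsets = foreach ($s in $ExpectedServers) {
        ConvertFrom-W32TimeStripchart -Lines (w32tm /stripchart /computer:$s /samples:$Samples /dataonly)
    }
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($null -eq $worst) { $worst = [double]::PositiveInfinity }   # no server answered
    [pscustomobject]@{
        ClientType         = $cfg.Type
        ConfiguredServers  = $cfg.NtpServers
        MissingFromDevice  = $missing
        CurrentSource      = $source
        NetworkSynced      = $syncing
        WorstOffsetSeconds = $worst
        Healthy            = $syncing -and ($missing.Count -eq 0) -and ($worst -le $MaxOffsetSeconds)
    }
}

# Usage (live):  Test-W32TimeSync -ExpectedServers 'ntp1.example.com', 'ntp2.example.com'
# Offline check of the parser with constructed w32tm output:
$sample = @('Tracking ntp1.example.com [203.0.113.10:123].', '10:02:03, +00.0031245s', '10:02:05, -00.0012000s')
ConvertFrom-W32TimeStripchart -Lines $sample   # 0.0031245 and -0.0012
```

A device that reports Type NTP with the expected servers but a CurrentSource of Local CMOS Clock has received the policy yet cannot reach the servers (firewall or DNS), which is the failure mode worth alerting on; a large WorstOffsetSeconds with a healthy source usually means the poll interval is too long for the clock's drift.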

Learn more from the following resources:

  1. IT Hour - The IT Hour | Windows MDM Policy Management V2 1.10.25
  2. JumpCloud University Course - Enforcing Policies
