What is a CSP and what is a Custom OMA-URI (and how do I deploy one in Intune)?
CSP stands for Configuration Service Provider. You might think Intune is somehow a CSP, but that would be incorrect.
Intune is an MDM service.
A CSP is a component of the Windows 10 operating system; it is to MDM roughly what a Client Side Extension (CSE) is to Group Policy: the piece on the client that receives a setting and actually applies it.
The CSP is what gives IT personnel the ability to apply device-specific settings to Windows devices. In our case, that means using Intune to deliver them. In doing so, IT can be assured that all company devices comply with the standards and policies set forth by the organization. Keep in mind that you can deliver settings to CSPs through means other than an MDM, such as Windows Configuration Designer, which is used to create provisioning packages.
So what are these CSPs? Well, you can go to Microsoft's website and look them up at https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference.
Notice that not all operating system editions support each CSP, because some settings are unique to select editions. In addition, many CSPs contain settings introduced in a designated Windows version, which means those settings are not supported (and are silently ignored or rejected) on releases prior to that version. Check the "Applies to" and version notes in the reference before you deploy a setting.
So let’s look at the inner workings of a CSP. Let’s say you want to enable BitLocker for all the mobile devices used by your HR and Finance personnel. Well, there is a CSP for that called BitLocker CSP. If we look at the available settings for that CSP, they look like this:
Each CSP setting has a defined data type, and the value you deliver must match it. In this case, the data type is an integer, either 0 or 1: a value of 0 disables the setting while a value of 1 enables it. The setting RequireDeviceEncryption, for instance, allows an administrator to require the use of BitLocker encryption on designated devices.
So let’s say our security minded administrator wants to deliver an integer data value of “1” to the BitLocker CSP contained within the HR and Finance devices. That administrator just needs an interface to configure, assign and deliver them, and that is where Intune comes in. Below, a Profile was created called “BitLocker Settings” that now delivers the selected Windows Encryption settings.
How easy was that? Ridiculously simple indeed.
Keep in mind that not all CSP settings are "surfaced" as settings within Intune.
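The other half of "delivered" is "applied". As an added example (not from the original post), the script below checks, on the device itself, what the BitLocker CSP received and whether the OS volume is actually protected. It assumes an elevated PowerShell session on an Intune-enrolled Windows 10 device with the BitLocker module available, and it assumes the applied CSP values are mirrored under `HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>` (the location Windows uses for MDM policy state; the `Get-CspValue` helper name is mine).

```powershell
# Added example, not part of the original post.
# Assumptions: elevated session on an Intune-enrolled Windows 10 device; BitLocker module present;
# applied CSP values are mirrored under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device.

$policyRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

# Read back one CSP setting by area (the CSP name) and setting name. Returns $null when the
# key or value is absent, which usually means the profile has not synced or is not assigned.
function Get-CspValue {
    param([string]$Area, [string]$Setting)
    $key = Join-Path $policyRoot $Area
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key -Name $Setting -ErrorAction SilentlyContinue).$Setting
}

# Desired state: the Intune profile delivered RequireDeviceEncryption = 1 (integer).
$required = Get-CspValue -Area 'BitLocker' -Setting 'RequireDeviceEncryption'
if ($null -eq $required) {
    Write-Warning 'BitLocker CSP value not present: profile not synced or not assigned to this device.'
} elseif ([int]$required -ne 1) {
    Write-Warning "RequireDeviceEncryption is $required, expected 1."
} else {
    Write-Host 'CSP delivered RequireDeviceEncryption = 1.'
}

# Evidence rather than intent: the policy only matters if the OS volume is really protected.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
[pscustomobject]@{
    Volume           = $os.MountPoint
    ProtectionStatus = $os.ProtectionStatus        # On / Off
    VolumeStatus     = $os.VolumeStatus            # FullyEncrypted, EncryptionInProgress, ...
    EncryptionMethod = $os.EncryptionMethod
    KeyProtectors    = ($os.KeyProtector.KeyProtectorType -join ',')
    Compliant        = ($os.ProtectionStatus -eq 'On' -and $os.VolumeStatus -eq 'FullyEncrypted')
}
```

A device can report `RequireDeviceEncryption = 1` and still show `ProtectionStatus = Off` (no TPM, a pending reboot, or a user who has not completed the encryption prompt), so a compliance check should look at the BitLocker volume state, not only at the delivered CSP value.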
So what happens when we want to configure a setting on a CSP that doesn't appear in Intune? Well, there are two options. The first would be to sit and wait around with our fingers crossed and hope that the Microsoft Intune developers add our desired setting soon. The other way is to take matters into our own hands and make a Custom OMA-URI. So how do we do this?
A key (and useful) example is making the outcome of an MDM vs. Group Policy conflict deterministic. When an MDM policy and a Group Policy setting configure the same thing, Group Policy wins by default, and before Windows 10 1803 there was no way to change that. Starting with 1803, a Policy CSP setting called "ControlPolicyConflict/MDMWinsOverGP" was added to give you control over which one wins. Note that it only affects settings that exist in both forms (a Policy CSP node with a Group Policy equivalent). So while this setting doesn't appear in the Intune UI by default, we can create a Custom OMA-URI for it that enforces the outcome we want.
Intune provides an interface to create Custom OMA-URI settings within a profile. For each setting we just have to provide the information outlined below.
- Name
- Description
- OMA-URI (the path to the CSP node)
- Data Type
- Value
In the case of this CSP, the OMA-URI is ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP, the data type is Integer, and the possible values are
- 0 (default) - Group Policy wins when both are set
- 1 - The MDM policy is used and the GP policy is blocked
In this case, the creation process looks like this:
For more information concerning this particular CSP:
But the point is: don't have a "knob" for the setting in Intune? Make a Custom OMA-URI and you're off to the races.
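Clicking through the portal is fine for one setting, but the same Custom OMA-URI profile can be created and assigned from PowerShell through Microsoft Graph, which is also how you would put it under version control. The script below is an added example, not code from the original post or from Microsoft; it builds one `windows10CustomConfiguration` profile carrying both settings discussed above (MDMWinsOverGP and the BitLocker CSP's RequireDeviceEncryption, each as an integer OMA setting) and assigns it to a group. It assumes the Microsoft.Graph PowerShell SDK is installed, the signed-in account holds `DeviceManagementConfiguration.ReadWrite.All`, and `$groupId` is a placeholder for the object ID of your HR and Finance devices group.

```powershell
# Added example, not part of the original post.
# Assumptions: Microsoft.Graph SDK installed; DeviceManagementConfiguration.ReadWrite.All granted;
# $groupId is a placeholder for the target Azure AD group's object ID.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$groupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with your group ID

# Each entry is one row of the Intune "OMA-URI Settings" form: Name, Description, OMA-URI,
# Data type, Value. The OMA-URI is the CSP node; the data type must match the CSP reference,
# which is why both entries use omaSettingInteger rather than a string.
$profile = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Custom OMA-URI: MDM wins over GP, BitLocker required'
    description   = 'CSP settings not surfaced in the Intune UI'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'MDMWinsOverGP'
            description   = 'Policy CSP ControlPolicyConflict: MDM policy wins on conflict (1803+)'
            omaUri        = './Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP'
            value         = 1
        },
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'RequireDeviceEncryption'
            description   = 'BitLocker CSP: require device encryption'
            omaUri        = './Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption'
            value         = 1
        }
    )
}

# Create the profile (equivalent to "Create profile" > "Custom" in the portal).
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($profile | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign it to the group (equivalent to the "Assignments" blade).
$assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $groupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Created profile $($created.id) and assigned it to group $groupId"
```

Two things worth checking before you run it for real: the `omaUri` must be copied from the CSP reference exactly (a typo produces a profile that reports an error on every device rather than a harmless no-op), and the value type must be the one the CSP documents; an integer node sent as a string is rejected by the device even though Intune accepts the profile.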