Configure apps on Windows 10 or 11 devices

Push ADMX-backed policies to managed Windows devices

This feature is available with Cloud Identity Premium edition.

For computers enrolled in Windows device management.

As an administrator, you can use custom settings to apply ADMX-backed policies for Windows or third-party apps to your organization’s managed Windows 10 or 11 devices. For app settings, you first add a custom setting that lets the app accept policy settings on the managed devices, then you add a custom setting for each app policy.

This article describes the generic steps. For an example, go to Manage Chrome Browser with Windows device management.

Step 1: Add a custom setting to sync the app’s ADMX file to devices

Skip this step if you're setting ADMX-backed policies for Windows.

First, get the app’s ADMX file contents:

  1. On a Windows device, download the ADMX templates for the app.
  2. In a text editor, open the ADMX template and copy the contents. The template is located in the folder you download it to, such as C:\Users\username\Downloads\template\windows\admx\app-name.admx.

Next, set up a custom setting for ingesting the app’s ADMX policy:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Devices > Mobile and endpoints > Settings > Windows.
  3. Click Custom settings.
  4. Click Add a custom setting.
  5. Enter text into the fields:
    • Name–A descriptive name for the setting, such as “App-name ADMX ingestion”.
    • OMA-URI–The OMA-URI for the ADMX template. For example, for Chrome Browser, the OMA-URI is ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx. Get the OMA-URI from the app’s documentation.
    • Data type–Select String from the drop-down list.
    • Value–Enter the text from the ADMX template. Note: Enter the text as a string and don’t try to upload it as an XML file. It’s similar to XML, but fails XML validation.
    • Description (optional)–Enter a description.
  6. Click Next.
  7. Choose the organizational unit to get the ingestion template. Only accounts in organizational units with the ingestion template can sync the app policies you set in the next step.
  8. Click Apply.

Step 2: Add a custom setting for each policy

First, get the parameters you need to set the policy, from the app or Microsoft documentation:

  • The OMA-URI of the policy. For example, for Chrome Browser, the OMA-URI for the policy to set managed bookmarks is: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ManagedBookmarks.
  • The text to enter for the policy, such as <enabled />.

Next, add and configure a custom setting for the policy:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Devices > Mobile and endpoints > Settings > Windows.
  3. Click Custom settings.
  4. Click Add a custom setting.
  5. Enter text into the fields:
    • Name–A descriptive name for the setting, such as the app and the policy setting.
    • OMA-URI–The OMA-URI for the policy.
    • Data type–Select String from the drop-down list.
    • Value–Enter the text with the policy configuration.
    • Description (optional)–Enter a description.
  6. Click Next.
  7. Choose the organizational unit to apply the policy to.
  8. Click Apply.

It can take up to 3 hours for policies to apply to devices with an internet connection. To force a policy sync, on the device open Settings and find Managed by Google. Manually sync the device twice, then check the policies again.
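Because a mistyped OMA-URI or a malformed value is not reported as an error, it helps to check both before saving the setting. The following is an added example, not part of the original article or any Google tooling: it cross-checks a Step 2 policy OMA-URI against the Step 1 ingestion OMA-URI and parses the policy value. The function names are hypothetical, and the Policy/Preference setting types and the `<data id="…" value="…"/>` element are assumptions taken from Microsoft's ADMX-backed policy format rather than from this page.

```python
import re
import xml.etree.ElementTree as ET

# URI shapes follow the two Chrome OMA-URIs quoted in this article.
INGEST_RE = re.compile(
    r"^\./(Device|User)/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/"
    r"([^/~]+)/(Policy|Preference)/([^/~]+)$")
POLICY_RE = re.compile(
    r"^\./(Device|User)/Vendor/MSFT/Policy/Config/"
    r"([^/~]+)~(Policy|Preference)~([^/]+)/([^/~]+)$")


def check_value(value):
    """Return a list of problems found in a policy value such as '<enabled />'."""
    try:
        # A value may hold several sibling elements, so parse it inside a wrapper.
        root = ET.fromstring("<v>" + value.strip() + "</v>")
    except ET.ParseError as exc:
        return ["value is not well-formed XML: %s" % exc]
    problems = []
    tags = [child.tag for child in root]
    if (root.text or "").strip() or any((c.tail or "").strip() for c in root):
        problems.append("stray text outside elements")
    if not tags or tags[0] not in ("enabled", "disabled"):
        problems.append("value should start with <enabled/> or <disabled/>")
    for child in root:
        if child.tag == "data" and not {"id", "value"} <= set(child.attrib):
            problems.append("<data> element needs id and value attributes")
    return problems


def check_policy(ingest_uri, policy_uri, value):
    """Cross-check a Step 2 policy setting against the Step 1 ingestion URI."""
    problems = []
    ingest = INGEST_RE.match(ingest_uri)
    policy = POLICY_RE.match(policy_uri)
    if not ingest:
        problems.append("ingestion OMA-URI has an unexpected shape")
    if not policy:
        problems.append("policy OMA-URI has an unexpected shape")
    if ingest and policy:
        # Assumption of this example: app name and setting type match exactly.
        if ingest.group(2) != policy.group(2):
            problems.append("app name differs between the two OMA-URIs")
        if ingest.group(3) != policy.group(3):
            problems.append("setting type differs between the two OMA-URIs")
    return problems + check_value(value)
```

An empty list means the three strings are consistent with each other; it does not confirm that the policy name exists in the app's ADMX template.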

Step 3: Confirm that the policy is set

After you apply any app policies, users need to restart the app for the settings to take effect. You can check users’ devices to make sure the policy was applied correctly.

  1. On a managed device, open the app.
  2. Verify that the policy you set is enabled.

Check your app’s documentation for other ways you can verify that policies are applied.

Troubleshooting

  • Make sure the device is enrolled in Windows device management.
  • If the custom policy you set isn’t showing up on managed devices, it may not have propagated to them yet. It can take up to 3 hours for policies to apply to devices with an internet connection. To force a policy sync, on the device open Settings and find Managed by Google. Manually sync the device twice, then check the policies again.
  • Make sure you've typed the OMA-URI correctly and ensure that the value is correct XML. If you get any of these values wrong, an error message isn't returned, but the policy isn't enforced on your users' devices.
  • You can review attempts to apply custom settings on all or specific devices in the Devices audit log:
    1. Sign in to your Google Admin console.

      Sign in using your administrator account (does not end in @gmail.com).

    2. In the Admin console, go to Menu > Reporting > Reports > Devices > Mobile.
    3. Click Add a filter > Event name > Advanced Policy Sync event. To filter by a specific policy, click the filter bar, then Policy name, and enter the OMA-URI of the policy.
