Intune App configuration policy – Edge/Chrome URLBlocklist on Android: ‘Expected list value’ error

It’s funny when you are planning to post about a topic, then you encounter an error and then publish about the error instead. This was the case when I was comparing the app configuration policies for Edge and Chrome and came to the ‘Expected list value’ issue when trying to set up the URLBlocklist (sidenote below).

TL;DR
– URLBlocklist should be an array, not a string
– Intune’s ‘Configuration designer’ doesn’t allow modifying the value type, use the JSON editor
– Change the URLBlocklist managedProperty from valueString to valueStringArray type and make sure the value is an array of strings, example:

Hint: keep a copy of the JSON config because Intune will try to compile the configuration against the predefined schema which will result in an empty configuration when attempting to modify the JSON data.

Explained

Managed configurations (formerly ‘application restrictions’) can be deployed along with the Android app, if the application has these settings defined. These configuration items are exposed to the EMM partners by using Google Play APIs [so app configuration is not some Intune magic, it’s the beauty of Android Enterprise]. When you are setting up an app configuration policy (for managed devices) the configuration keys displayed are actually read from the application’s app_restrictions.xml file.

Google Chrome managed configuration items

For Edge and Chrome there is a managedProperty called URLBlocklist aka ‘Block access to a list of URLs’. As you can see the Value type here is string:

In the following example, I’m trying to block my webpage and Facebook via this setting:

Blocklist using configuration designer
Settings opened in JSON editor

Going forward the settings are now deployed, you open edge://policy or chrome://policy and you see the following:

‘Expected list value’ error

At this point we should understand how the setting is configured actually, referring to Chrome Enterprise (link). The URLBlacklist property is a list of strings (array), hence it does not accept a string. Now that we know what data type is needed, we should figure out the name of the data type (I did the Google for you, this is ValueStringArray).

Going back to Intune, open the JSON editor and change the data type and the value:

Before (left) and after (right)

This time, there is no error and the configuration works as expected:

URLBlocklist with valueStringArray data type
Facebook blocked

Unfortunately, when you try to modify the JSON, the settings are cleared so make sure you have a copy of your settings:

JSON configuration when trying to edit the previous settings


Sidenote: URL blocklist can also be specified for Edge using Managed app configuration, but it requires Intune App Protection Policy (APP). There are some rare scenarios where you don’t want to apply or can’t apply APP (eg. dedicated devices without Shared device mode)

Comments are closed.