Windows Device Profile

Device Profile is a feature that helps you to group your policies together. Once a profile is created, you can apply it to multiple devices. Any change that you make in device profile will be automatically applied to all the devices. You can also apply a Device Profile to a Device Group so that you can easily group your devices and manage their settings as well.

In this guide we will see how to create a Windows Device Profile and the various settings that can be used.

Before You Begin

1. Make sure to Sign In to MobiLock Dashboard.
2. As per our observation we have seen that not all the features work on the various versions of Windows 10 and some do not work at all although as per the Windows 10 protocol they are supposed to work. The iconography below indicates the feature compatibility.
   Indicates that the feature is supported.
   Indicates that the feature is not supported.
   Indicates the feature is supported as per Windows 10 protocol, but does not work as intended.

Creating and Configuring a Profile

1. Navigate to Device Management > Device Profile and click CREATE NEW PROFILE button.
   

   

2. In the create profile dialog select Windows tab. Enter a name for your profile and click on SUBMIT.
   

   

3. You will see the screen to configure the device profile. The device profile is divided into 2 sections,
   1. Select Apps: Section to configure your application policy.
   2. Settings: Section to configure additional settings based on categories. Available sub-categories are,
4. Select Apps: The first step is to configure the application policy. Choose an application policy and click NEXT

   Feature	Description	Supported on
   Application Blacklisting	Block selected windows applications from being allowed to run. You can block only UWP apps or apps installed from Windows store. Use Device Profile to select the apps to block.	Win 10 Pro Win 10 Enterprise
   Skip Configuring Apps	Select this option if you do not want to define an application policy for your windows devices.	Win 10 Pro Win 10 Enterprise

5. Settings > Branding

   Feature	Description	Supported on
   Home & Lock Screen Wallpaper	Branding allows you to apply a home and/or lock screen wallpaper to your enterprise devices. You can create a custom branding under Device Management > Branding section and then apply it in Device Profile. You will be able to select branding that is compatible with Windows.	Win 10 Pro Win 10 Enterprise

6. Settings > Wifi & Network

   Feature	Description	Supported on
   Allow Device to connect Wifi	Choose to allow or restrict users to connect to Wifi. Note - Use this feature with extreme caution as if this is disabled, then users cannot connect to Wifi. The only option is to connect via LAN or USB tether to get the latest policy and if there is no connectivity then device might have to be hard reset.	Win 10 Pro Win 10 Enterprise
   Auto Configuring a Wifi	If you have created a Wifi configuration, then you can apply it to a Device Profile. a. Automatic or Manual connection to Configured Wifi. b. Define Proxy rules for the Wifi.	Win 10 Pro Win 10 Enterprise
   Allow users to configure Wifi	Use this option to allow/deny the end users to configure new Wifi connection on device.	Win 10 Pro Win 10 Enterprise
   Allow Auto Connect to WifiSense	Control if Wifi Sense should be used and connect automatically to shared networks or not.	Win 10 Pro Win 10 Enterprise
   Allow VPN Connections	Control if user is allowed to connect to VPN connections	Win 10 Pro Win 10 Enterprise
   Allow VPN usage on Cellular Data	Control if cellular data should be used  to connect to VPN connections	Win 10 Pro Win 10 Enterprise
   Allow VPN roaming on Cellular Data	Control if VPN should be allowed on roaming Cellular data.	Win 10 Pro Win 10 Enterprise

7. Settings > Edge Browser
   For the settings to take effect, Microsoft Edge needs to be restarted.

   Feature	Description	Supported on
   Cookie Policy	Choose a cookie Policy for Microsoft Edge. You can either allow the user to control or define strict policy for cookies.	Win 10 Pro Win 10 Enterprise
   Start Page URL	Specify a start URL that will be launched whenever the Edge browser is opened.	Win 10 Pro Win 10 Enterprise
   Auto Fill	Allow: Forces the autofill featureRestrict: Prevents using Autofill.User-Control: Lets  users choose to use the Autofill feature to populate the form fields automatically.	Win 10 Pro Win 10 Enterprise
   Pop Ups	Allow: Force pop-ups on all sites and turn off Pop-up blocker. Restrict: Turn-on Pop-up Blocker which will block all the pop-ups. User-Control: Let users control the Pop-up blocker.	Win 10 Pro Win 10 Enterprise
   Address Bar Dropdown	Allow:  Let Edge shows the address bar drop down list.Restrict: Minimizes network connections from Edge to Microsoft service, and hide the functionality of the Address bar drop-down list. It also disables the Show search and site suggestions as I type toggle in Settings.	Win 10 Pro Win 10 Enterprise
   Browser Extension	Allow: Let users to add or personalize extensions in Edge.Restrict: Prevent users from adding or personalizing extensions.	Win 10 Pro Win 10 Enterprise
   Clear Browsing history on Close	Allow: Clear the browsing history on exit.Restrict: Do not clear the browsing history on exit.User-Control: Let users configure the setting.	Win 10 Pro Win 10 Enterprise
   Allow accessing “about:flags”	Allow:  Lets users access the about:flags page in Edge, which is used to change developer settings and enable experimental features. ChooseRestrict: Prevents users from accessing the about:flags page.	Win 10 Pro Win 10 Enterprise
   Allow Flash	Allow: Allow Adobe flash to run.Restrict: Prevent Adobe flash to run.User-Control: Let users control on a per-site basis.	Win 10 Pro Win 10 Enterprise
   Autorun Flash	Allow: If Adobe flash is allowed then auto-run the flash files.Restrict:  If Adobe flash is allowed then prevent flash files from auto-running	Win 10 Pro Win 10 Enterprise
   Developer Tools	Allow: Allow users to use the F12 key and view the developer tools.Restrict: Prevent users to use the F12 key and view the developer tools.	Win 10 Pro Win 10 Enterprise
   In-Private Browsing	Allow: Allow in-private browsing.Restrict: Prevent in-private browsing.User-Control: Same as Allow	Win 10 Pro Win 10 Enterprise
   Save Passwords Locally	Allow: Lets Edge use Password manager to store passwords locally.Restrict: Prevent Edge from storing passwords locally.User-Control: Let users control when to save passwords locally.	Win 10 Pro Win 10 Enterprise
   Search suggestions in Address bar	Allow: Show search suggestions Restrict: Block search suggestionsUser-Control: Let user control the search suggestion behaviour.	Win 10 Pro Win 10 Enterprise
   Force Fraudulent Website Warning	Allow: Force Windows Defender Smartscreen protection to prevent potential threats and prevent users from turning it off.Restrict: Turn off Windows Defender Smartscreen protection, leaves the user vulnerable to potential threats.User-Control: Let users choose if they want to use Windows Defender Smartscreen protection.	Win 10 Pro Win 10 Enterprise
   Override Fraudulent Websites warning	Allow: Let user’s ignore the warning and proceed to the site.Restrict: Does not allow users to ignore the warning and proceed to the site.User-Control: Same as allow..	Win 10 Pro Win 10 Enterprise
   Override malicious file warning	Allow: Allow users to download a potential malicious file or files from unverified sources.Restrict: Restrict users to download a potential malicious file or files from unverified sources.User-Control:Same as allow.	Win 10 Pro Win 10 Enterprise
   Allow "Do Not Track" request	Allow: Force Edge to send tracking information.Restrict: Prevent Edge from send tracking information.User-Control: Users can choose to send tracking information to sites they visit.	Win 10 Pro Win 10 Enterprise

8. Settings > Exchange Settings, Settings > Email Settings

   Feature	Description	Supported on
   Exchange Settings	Select the Exchange Configuration(s) that you have created in Windows Utilities section so that they will be published to the devices in this Profile.	Win 10 Pro Win 10 Enterprise
   Email Settings	Select the Email Configuration(s) that you have created in Windows Utilities section so that they will be published to the devices in this Profile.	Win 10 Pro Win 10 Enterprise

9. Settings > General Settings
   Most of the settings here are supported as per the protocol but in our testing they were not working. We have retained them for future use.

   Feature	Description	Supported on
   Allow USB Connections & SD Card	Use this setting to allow or restrict USB connections and external storage card.	Win 10 Pro Win 10 Enterprise
   Microsoft Feedback Notifications	Use this setting to enable or disable USB Microsoft feedback notifications.	Win 10 Pro Win 10 Enterprise
   Modify Data & Time	Use this setting to allow or restrict users from changing the device date & time.Note: There is a workaround where users can launch the legacy Date & Time dialog and change the settings.	Win 10 Pro Win 10 Enterprise
   Allow Bluetooth	Use this setting to allow or restrict bluetooth connections from the device.	Win 10 Pro Win 10 Enterprise
   Allow Bluetooth Pre-pairing	Enable this setting to automatically pair with devices that were previously connected.	Win 10 Pro Win 10 Enterprise
   Allow Bluetooth Services Advertisement	Control the bluetooth services advertisement behaviour.	Win 10 Pro Win 10 Enterprise
   Install Non-Store Apps	Allow or Restrict users to install/sideload applications from unknown sources.	Win 10 Pro Win 10 Enterprise
   Store App Data in Device Memory	Force the applications to store the data in device memory.	Win 10 Pro Win 10 Enterprise
   Install Apps in Device Memory	Force the applications to be installed in Device memory..	Win 10 Pro Win 10 Enterprise
   MobiLock Sync Interval	Select an interval on how often should MobiLock poll for Device Info. This polling helps in,1. Updating the device Location.2. Updating the Inactivity time.3. Syncing the latest policies.4. Getting vital Device Information	Win 10 Pro Win 10 Enterprise

10. Once you have configured the various settings, click on UPDATE PROFILE . Once the profile is saved, it will appear in the list of Device Profiles.

Applying a Device Profile to Windows 10 Devices

Once a device profile is created, you can easily apply to the devices. You have the following options,

1. Applying a Device Profile at Enrollment: If you are looking to apply a device profile right when the device enrolls, then create an Enrollment Configuration and in the Group/Profile section select Windows Profile that you want the devices to enroll it. Use the enrollment link to enroll the devices.
2. Changing a Device Profile after Enrollment: Follow the steps below to change the device profile,
   1. Navigate to Device Management > Device Profile and select Device Profile to which the device belongs.
   2. Click on the APPLY button on the actions panel on right side.
      

      

   3. You will be shown a dialog with all the Device Groups & Devices which are not associated with a device profile currently. Select the Device Group(s) or navigate to the Devices tab, select the devices and click APPLY

      

3. Applying a Windows Profile via Device Group: If you intent to use Device Groups, then you can add/modify a Windows Profile to a windows group. The selected Windows Profile will be applied to all the devices in this group.

Removing a Device Profile from Windows 10 Devices

If you want to move the device to a different device profile, then first you have to remove it from its existing profile. Follow the steps below to do so,

1. Navigate to Device Management > Device Profile and select Device Profile to which the device belongs.
2. Click on the Remove button from the actions panel on right and select Remove Devices.
   

   

3. You will see a dialog with all the devices where this profile is applied. Select the devices and click on REMOVE.
   

   

Frequently Asked Questions

Question: In Device Profile, under the Select Apps section, I don't see the applications that are installed on the enrolled devices?

Answer: MobiLock can collect the information only about the UWP applications or the applications installed from Windows Store. MobiLock collects this information when a new device enrolls and every 2 hours after enrollment. If the list is still not updated then you can do the following,

• Navigate to Devices section.
• Click on the Device that has the application installed.
• On the bottom panel and next to the Windows frame, click on Sync Apps option.

Question: We see quite a few settings marked as .Why does MobiLock allow control of the settings that are not working?

Answer: We had contemplated not adding these settings. However these are the ones that Windows MDM protocol claims to be supported and still not marked deprecated. Hence we have retained them with the assumption that it will work in future versions. Once the Windows documentation marks them deprecated or unsupported, we will remove them.

Question: The Exchange/Email settings are not removed from the device when we remove it from a Device Profile?

Answer: This is the intended behavior. As Exchange/Email are critical business information and is data intensive operation, we have not removed it when the devices are merely removed from Device Profile. This is based on the assumption that you would move the device to a different profile which will have the same exchange/email configuration.

Question: None of profile settings are removed from the device when we remove it from a Device Profile?

Answer: Yes. Removing a device retains its last profile/policy settings. We are in the process of adding a feature that lets you apply/remove policy that will allow you to temporary relax the policies on the device. However if you want to completely Unenroll the device, please use the Delete Device option.