Windows Device Profile

Device Profile is a feature that helps you to group your policies together. Once a profile is created, you can apply it to multiple devices. Any change that you make in device profile will be automatically applied to all the devices. You can also apply a Device Profile to a Device Group so that you can easily group your devices and manage their settings as well.

In this guide we will see how to create a Windows Device Profile and the various settings that can be used.

Before You Begin

  1. Make sure to Sign In to MobiLock Dashboard.
  2. As per our observation we have seen that not all the features work on the various versions of Windows 10 and some do not work at all although as per the Windows 10 protocol they are supposed to work. The iconography below indicates the feature compatibility.
    Indicates that the feature is supported.
    Indicates that the feature is not supported.
    Indicates the feature is supported as per Windows 10 protocol, but does not work as intended.

Creating and Configuring a Profile

  1. Navigate to Device Management > Device Profile and click CREATE NEW PROFILE button.
  2. In the create profile dialog select Windows tab. Enter a name for your profile and click on SUBMIT.
  3. You will see the screen to configure the device profile. The device profile is divided into 2 sections,
    1. Select Apps: Section to configure your application policy.
    2. Settings: Section to configure additional settings based on categories. Available sub-categories are,
  4. Select Apps: The first step is to configure the application policy. Choose an application policy and click NEXT

    Feature

    Description

    Supported on

    Application Blacklisting

    Block selected windows applications from being allowed to run. You can block only UWP apps or apps installed from Windows store. Use Device Profile to select the apps to block.

    Win 10 Pro

    Win 10 Enterprise

    Skip Configuring Apps

    Select this option if you do not want to define an application policy for your windows devices.

    Win 10 Pro

    Win 10 Enterprise

  5. Settings > Branding

    Feature

    Description

    Supported on

    Home & Lock Screen Wallpaper

    Branding allows you to apply a home and/or lock screen wallpaper to your enterprise devices. You can create a custom branding under Device Management > Branding section and then apply it in Device Profile. You will be able to select branding that is compatible with Windows.

    Win 10 Pro

    Win 10 Enterprise

  6. Settings > Wifi & Network

    Feature

    Description

    Supported on

    Allow Device to connect Wifi

    Choose to allow or restrict users to connect to Wifi.
    Note - Use this feature with extreme caution as if this is disabled,
    then users cannot connect to Wifi. The only option is to connect
    via LAN or USB tether to get the latest policy and if there is no
    connectivity then device might have to be hard reset.

    Win 10 Pro

    Win 10 Enterprise

    Auto Configuring a Wifi

    If you have created a Wifi configuration, then you can apply it to a Device Profile.
    a. Automatic or Manual connection to Configured Wifi.
    b. Define Proxy rules for the Wifi.

    Win 10 Pro

    Win 10 Enterprise

    Allow users to configure Wifi

    Use this option to allow/deny the end users to configure new Wifi connection on device.

    Win 10 Pro

    Win 10 Enterprise

    Allow Auto Connect to WifiSense

    Control if Wifi Sense should be used and connect automatically to shared networks or not.

    Win 10 Pro

    Win 10 Enterprise

    Allow VPN Connections

    Control if user is allowed to connect to VPN connections

    Win 10 Pro

    Win 10 Enterprise

    Allow VPN usage on Cellular Data

    Control if cellular data should be used  to connect to VPN connections

    Win 10 Pro

    Win 10 Enterprise

    Allow VPN roaming on Cellular Data

    Control if VPN should be allowed on roaming Cellular data.

    Win 10 Pro

    Win 10 Enterprise

  7. Settings > Edge Browser
    For the settings to take effect, Microsoft Edge needs to be restarted.

    Feature

    Description

    Supported on

    Cookie Policy

    Choose a cookie Policy for Microsoft Edge. You can either allow the user to control or define strict policy for cookies.

    Win 10 Pro

    Win 10 Enterprise

    Start Page URL

    Specify a start URL that will be launched whenever the Edge browser is opened.

    Win 10 Pro

    Win 10 Enterprise

    Auto Fill

    Allow: Forces the autofill featureRestrict: Prevents using Autofill.User-Control: Lets  users choose to use the Autofill feature to populate the form fields automatically.

    Win 10 Pro

    Win 10 Enterprise

    Pop Ups

    Allow: Force pop-ups on all sites and turn off Pop-up blocker.

    Restrict: Turn-on Pop-up Blocker which will block all the pop-ups.

    User-Control: Let users control the Pop-up blocker.

    Win 10 Pro

    Win 10 Enterprise

    Address Bar Dropdown

    Allow:  Let Edge shows the address bar drop down list.Restrict: Minimizes network connections from Edge to Microsoft service, and hide the functionality of the Address bar drop-down list. It also disables the Show search and site suggestions as I type toggle in Settings.

    Win 10 Pro

    Win 10 Enterprise

    Browser Extension

    Allow: Let users to add or personalize extensions in Edge.Restrict: Prevent users from adding or personalizing extensions.

    Win 10 Pro

    Win 10 Enterprise

    Clear Browsing history on Close

    Allow: Clear the browsing history on exit.Restrict: Do not clear the browsing history on exit.User-Control: Let users configure the setting.

    Win 10 Pro

    Win 10 Enterprise

    Allow accessing “about:flags”

    Allow:  Lets users access the about:flags page in Edge, which is used to change developer settings and enable experimental features. ChooseRestrict: Prevents users from accessing the about:flags page.

    Win 10 Pro

    Win 10 Enterprise

    Allow Flash

    Allow: Allow Adobe flash to run.Restrict: Prevent Adobe flash to run.User-Control: Let users control on a per-site basis.

    Win 10 Pro

    Win 10 Enterprise

    Autorun Flash

    Allow: If Adobe flash is allowed then auto-run the flash files.Restrict:  If Adobe flash is allowed then prevent flash files from auto-running

    Win 10 Pro

    Win 10 Enterprise

    Developer Tools

    Allow: Allow users to use the F12 key and view the developer tools.Restrict: Prevent users to use the F12 key and view the developer tools.

    Win 10 Pro

    Win 10 Enterprise

    In-Private Browsing

    Allow: Allow in-private browsing.Restrict: Prevent in-private browsing.User-Control: Same as Allow

    Win 10 Pro

    Win 10 Enterprise

    Save Passwords Locally

    Allow: Lets Edge use Password manager to store passwords locally.Restrict: Prevent Edge from storing passwords locally.User-Control: Let users control when to save passwords locally.

    Win 10 Pro

    Win 10 Enterprise

    Search suggestions in Address bar

    Allow: Show search suggestions

    Restrict: Block search suggestionsUser-Control: Let user control the search suggestion behaviour.

    Win 10 Pro

    Win 10 Enterprise

    Force Fraudulent Website Warning

    Allow: Force Windows Defender Smartscreen protection to prevent potential threats and prevent users from turning it off.Restrict: Turn off Windows Defender Smartscreen protection, leaves the user vulnerable to potential threats.User-Control: Let users choose if they want to use Windows Defender Smartscreen protection.

    Win 10 Pro

    Win 10 Enterprise

    Override Fraudulent Websites warning

    Allow: Let user’s ignore the warning and proceed to the site.Restrict: Does not allow users to ignore the warning and proceed to the site.User-Control: Same as allow..

    Win 10 Pro

    Win 10 Enterprise

    Override malicious file warning

    Allow: Allow users to download a potential malicious file or files from unverified sources.Restrict: Restrict users to download a potential malicious file or files from unverified sources.User-Control:Same as allow.

    Win 10 Pro

    Win 10 Enterprise

    Allow "Do Not Track" request

    Allow: Force Edge to send tracking information.Restrict: Prevent Edge from send tracking information.User-Control: Users can choose to send tracking information to sites they visit.

    Win 10 Pro

    Win 10 Enterprise

  8. Settings > Exchange Settings, Settings > Email Settings

    Feature

    Description

    Supported on

    Exchange Settings

    Select the Exchange Configuration(s) that you have created in Windows Utilities section so that they will be published to the devices in this Profile.

    Win 10 Pro

    Win 10 Enterprise

    Email Settings

    Select the Email Configuration(s) that you have created in Windows Utilities section so that they will be published to the devices in this Profile.

    Win 10 Pro

    Win 10 Enterprise

  9. Settings > General Settings
    Most of the settings here are supported as per the protocol but in our testing they were not working. We have retained them for future use.

    Feature

    Description

    Supported on

    Allow USB Connections & SD Card

    Use this setting to allow or restrict USB connections and external storage card.

    Win 10 Pro

    Win 10 Enterprise

    Microsoft Feedback Notifications

    Use this setting to enable or disable USB Microsoft feedback notifications.

    Win 10 Pro

    Win 10 Enterprise

    Modify Data & Time

    Use this setting to allow or restrict users from changing the device date & time.Note: There is a workaround where users can launch the legacy Date & Time dialog and change the settings.

    Win 10 Pro

    Win 10 Enterprise

    Allow Bluetooth

    Use this setting to allow or restrict bluetooth connections from the device.

    Win 10 Pro

    Win 10 Enterprise

    Allow Bluetooth Pre-pairing

    Enable this setting to automatically pair with devices that were previously connected.

    Win 10 Pro

    Win 10 Enterprise

    Allow Bluetooth Services Advertisement

    Control the bluetooth services advertisement behaviour.

    Win 10 Pro

    Win 10 Enterprise

    Install Non-Store Apps

    Allow or Restrict users to install/sideload applications from unknown sources.

    Win 10 Pro

    Win 10 Enterprise

    Store App Data in Device Memory

    Force the applications to store the data in device memory.

    Win 10 Pro

    Win 10 Enterprise

    Install Apps in Device Memory

    Force the applications to be installed in Device memory..

    Win 10 Pro

    Win 10 Enterprise

    MobiLock Sync Interval

    Select an interval on how often should MobiLock poll for Device Info. This polling helps in,1. Updating the device Location.2. Updating the Inactivity time.3. Syncing the latest policies.4. Getting vital Device Information

    Win 10 Pro

    Win 10 Enterprise

  10. Once you have configured the various settings, click on UPDATE PROFILE . Once the profile is saved, it will appear in the list of Device Profiles.

Applying a Device Profile to Windows 10 Devices

Once a device profile is created, you can easily apply to the devices. You have the following options,

  1. Applying a Device Profile at Enrollment: If you are looking to apply a device profile right when the device enrolls, then create an Enrollment Configuration and in the Group/Profile section select Windows Profile that you want the devices to enroll it. Use the enrollment link to enroll the devices.
  2. Changing a Device Profile after Enrollment: Follow the steps below to change the device profile,
    1. Navigate to Device Management > Device Profile and select Device Profile to which the device belongs.
    2. Click on the APPLY button on the actions panel on right side.
    3. You will be shown a dialog with all the Device Groups & Devices which are not associated with a device profile currently. Select the Device Group(s) or navigate to the Devices tab, select the devices and click APPLY
  3. Applying a Windows Profile via Device Group: If you intent to use Device Groups, then you can add/modify a Windows Profile to a windows group. The selected Windows Profile will be applied to all the devices in this group.

Removing a Device Profile from Windows 10 Devices

If you want to move the device to a different device profile, then first you have to remove it from its existing profile. Follow the steps below to do so,

  1. Navigate to Device Management > Device Profile and select Device Profile to which the device belongs.
  2. Click on the Remove button from the actions panel on right and select Remove Devices.
  3. You will see a dialog with all the devices where this profile is applied. Select the devices and click on REMOVE.

Frequently Asked Questions

Question: In Device Profile, under the Select Apps section, I don't see the applications that are installed on the enrolled devices?

Answer: MobiLock can collect the information only about the UWP applications or the applications installed from Windows Store. MobiLock collects this information when a new device enrolls and every 2 hours after enrollment. If the list is still not updated then you can do the following,

  • Navigate to Devices section.
  • Click on the Device that has the application installed.
  • On the bottom panel and next to the Windows frame, click on Sync Apps option.

Question: We see quite a few settings marked as .Why does MobiLock allow control of the settings that are not working?

Answer: We had contemplated not adding these settings. However these are the ones that Windows MDM protocol claims to be supported and still not marked deprecated. Hence we have retained them with the assumption that it will work in future versions. Once the Windows documentation marks them deprecated or unsupported, we will remove them.

Question: The Exchange/Email settings are not removed from the device when we remove it from a Device Profile?

Answer: This is the intended behavior. As Exchange/Email are critical business information and is data intensive operation, we have not removed it when the devices are merely removed from Device Profile. This is based on the assumption that you would move the device to a different profile which will have the same exchange/email configuration.

Question: None of profile settings are removed from the device when we remove it from a Device Profile?

Answer: Yes. Removing a device retains its last profile/policy settings. We are in the process of adding a feature that lets you apply/remove policy that will allow you to temporary relax the policies on the device. However if you want to completely Unenroll the device, please use the Delete Device option.


How did we do?