Windows Device Profile
Device Profile is a feature that helps you to group your policies together. Once a profile is created, you can apply it to multiple devices. Any change that you make in device profile will be automatically applied to all the devices. You can also apply a Device Profile to a Device Group so that you can easily group your devices and manage their settings as well.
In this guide we will see how to create a Windows Device Profile and the various settings that can be used.
Before You Begin
- Make sure to Sign In to ScaleFusion Dashboard.
- As per our observation we have seen that not all the features work on the various versions of Windows 10 and some do not work at all although as per the Windows 10 protocol they are supposed to work. The iconography below indicates the feature compatibility,
Indicates that the feature works as expected. | |
Indicates that the feature is supported by Windows 10 protocol, but DOES NOT work as intended. | |
Indicates that the feature does not work. |
Creating and Configuring a Profile
- Navigate to Device Management > Device Profile and click CREATE NEW PROFILE button.
- In the create profile dialog select Windows tab. Enter a name for your profile and click on SUBMIT.
- The Profile Creator wizard will be launched. The device profile creation is divided into 4 sections,
- Select Apps: Section to configure your application policy.
- Whitelist Websites: Section to whitelist websites to be used with Google Chrome.
- Chrome Configurations: Additional settings for Google Chrome.
- Settings: Section to configure additional settings based on categories.
- Select Apps: The first step is to configure the application policy. Choose an application policy and click NEXT
Feature
Description
Supported on
Application Blacklisting
Block selected windows applications from being allowed to run. You can block only UWP apps or apps installed from Windows store. Use Device Profile to select the apps to block.
Win 10 Pro
Win 10 Enterprise
Skip Configuring Apps
Select this option if you do not want to define an application policy for your windows devices.
Win 10 Pro
Win 10 Enterprise
Application Whitelisting
Select the list of applications that should be allowed. You can whitelist both UWP and Win32 apps. For more details, click here
Win 10 Pro
Win 10 Enterprise
- Whitelist Websites: Configure the URLs that a user is allowed to browser on Google Chrome or Windows Kiosk Browser app, by following our guide here.
- Google Chrome and Microsoft Edge Configurations: Use this section to configure Google Chrome settings. Please refer to our help document here.
- Settings > Kiosk App: Use this option to set an application to run always and set the Windows Device in Kiosk app mode. Please refer to our help document here.
- Settings > Branding
Feature
Description
Supported on
Home & Lock Screen Wallpaper
Branding allows you to apply a home and/or lock screen wallpaper to your enterprise devices. You can create a custom branding under Device Management > Branding section and then apply it in Device Profile. You will be able to select branding that is compatible with Windows.
Win 10 Pro
Win 10 Enterprise
- Settings > Wifi & Network
Feature
Description
Supported on
Allow Device to connect Wifi
Choose to allow or restrict users to connect to Wifi.
Note - Use this feature with extreme caution as if this is disabled,
then users cannot connect to Wifi. The only option is to connect
via LAN or USB tether to get the latest policy and if there is no
connectivity then device might have to be hard reset.Win 10 Pro
Win 10 Enterprise
Auto Configuring a Wifi
If you have created a Wifi configuration, then you can apply it to a Device Profile.
a. Automatic or Manual connection to Configured Wifi.
b. Define Proxy rules for the Wifi.Win 10 Pro
Win 10 Enterprise
Allow users to configure Wifi
Use this option to allow/deny the end users to configure new Wifi connection on device.
Win 10 Pro
Win 10 Enterprise
Allow Auto Connect to WifiSense
Control if Wifi Sense should be used and connect automatically to shared networks or not.
Win 10 Pro
Win 10 Enterprise
Allow VPN Connections
Control if user is allowed to connect to VPN connections
Win 10 Pro
Win 10 Enterprise
Allow VPN usage on Cellular Data
Control if cellular data should be used to connect to VPN connections
Win 10 Pro
Win 10 Enterprise
Allow VPN roaming on Cellular Data
Control if VPN should be allowed on roaming Cellular data.
Win 10 Pro
Win 10 Enterprise
- Settings > Edge BrowserThese are for the legacy Microsoft Edge. For the settings to take effect, Microsoft Edge needs to be restarted.
Feature
Description
Supported on
Cookie Policy
Choose a cookie Policy for Microsoft Edge. You can either allow the user to control or define strict policy for cookies.
Win 10 Pro
Win 10 Enterprise
Start Page URL
Specify a start URL that will be launched whenever the Edge browser is opened.
Win 10 Pro
Win 10 Enterprise
Auto Fill
Allow: Forces the autofill featureRestrict: Prevents using Autofill.User-Control: Lets users choose to use the Autofill feature to populate the form fields automatically.
Win 10 Pro
Win 10 Enterprise
Pop Ups
Allow: Force pop-ups on all sites and turn off Pop-up blocker.
Restrict: Turn-on Pop-up Blocker which will block all the pop-ups.
User-Control: Let users control the Pop-up blocker.
Win 10 Pro
Win 10 Enterprise
Address Bar Dropdown
Allow: Let Edge shows the address bar drop down list.Restrict: Minimizes network connections from Edge to Microsoft service, and hide the functionality of the Address bar drop-down list. It also disables the Show search and site suggestions as I type toggle in Settings.
Win 10 Pro
Win 10 Enterprise
Browser Extension
Allow: Let users to add or personalize extensions in Edge.Restrict: Prevent users from adding or personalizing extensions.
Win 10 Pro
Win 10 Enterprise
Clear Browsing history on Close
Allow: Clear the browsing history on exit.Restrict: Do not clear the browsing history on exit.User-Control: Let users configure the setting.
Win 10 Pro
Win 10 Enterprise
Allow accessing “about:flags”
Allow: Lets users access the about:flags page in Edge, which is used to change developer settings and enable experimental features. ChooseRestrict: Prevents users from accessing the about:flags page.
Win 10 Pro
Win 10 Enterprise
Allow Flash
Allow: Allow Adobe flash to run.Restrict: Prevent Adobe flash to run.User-Control: Let users control on a per-site basis.
Win 10 Pro
Win 10 Enterprise
Autorun Flash
Allow: If Adobe flash is allowed then auto-run the flash files.Restrict: If Adobe flash is allowed then prevent flash files from auto-running
Win 10 Pro
Win 10 Enterprise
Developer Tools
Allow: Allow users to use the F12 key and view the developer tools.Restrict: Prevent users to use the F12 key and view the developer tools.
Win 10 Pro
Win 10 Enterprise
In-Private Browsing
Allow: Allow in-private browsing.Restrict: Prevent in-private browsing.User-Control: Same as Allow
Win 10 Pro
Win 10 Enterprise
Save Passwords Locally
Allow: Lets Edge use Password manager to store passwords locally.Restrict: Prevent Edge from storing passwords locally.User-Control: Let users control when to save passwords locally.
Win 10 Pro
Win 10 Enterprise
Search suggestions in Address bar
Allow: Show search suggestions
Restrict: Block search suggestionsUser-Control: Let user control the search suggestion behaviour.
Win 10 Pro
Win 10 Enterprise
Force Fraudulent Website Warning
Allow: Force Windows Defender Smartscreen protection to prevent potential threats and prevent users from turning it off.Restrict: Turn off Windows Defender Smartscreen protection, leaves the user vulnerable to potential threats.User-Control: Let users choose if they want to use Windows Defender Smartscreen protection.
Win 10 Pro
Win 10 Enterprise
Override Fraudulent Websites warning
Allow: Let user’s ignore the warning and proceed to the site.Restrict: Does not allow users to ignore the warning and proceed to the site.User-Control: Same as allow..
Win 10 Pro
Win 10 Enterprise
Override malicious file warning
Allow: Allow users to download a potential malicious file or files from unverified sources.Restrict: Restrict users to download a potential malicious file or files from unverified sources.User-Control:Same as allow.
Win 10 Pro
Win 10 Enterprise
Allow "Do Not Track" request
Allow: Force Edge to send tracking information.Restrict: Prevent Edge from send tracking information.User-Control: Users can choose to send tracking information to sites they visit.
Win 10 Pro
Win 10 Enterprise
- Settings > Exchange Settings, Settings > Email Settings
Feature
Description
Supported on
Exchange Settings
Select the Exchange Configuration(s) that you have created in Windows Utilities section so that they will be published to the devices in this Profile.
Win 10 Pro
Win 10 Enterprise
Email Settings
Select the Email Configuration(s) that you have created in Windows Utilities section so that they will be published to the devices in this Profile.
Win 10 Pro
Win 10 Enterprise
- Settings > General SettingsMost of the settings here are supported as per the protocol but in our testing they were not working. We have retained them for future use.
Feature
Description
Supported on
Allow USB Connections & SD Card
Use this setting to allow or restrict USB connections and external storage card.
Win 10 Pro
Win 10 Enterprise
Microsoft Feedback Notifications
Use this setting to enable or disable Microsoft feedback notifications.
Win 10 Pro
Win 10 Enterprise
Modify Data & Time
Use this setting to allow or restrict users from changing the device date & time.Note: There is a workaround where users can launch the legacy Date & Time dialog and change the settings.
Win 10 Pro
Win 10 Enterprise
Allow Bluetooth
Use this setting to allow or restrict bluetooth connections from the device.
Win 10 Pro
Win 10 Enterprise
Allow Bluetooth Pre-pairing
Enable this setting to automatically pair with devices that were previously connected.
Win 10 Pro
Win 10 Enterprise
Allow Bluetooth Services Advertisement
Control the bluetooth services advertisement behaviour.
Win 10 Pro
Win 10 Enterprise
Install Non-Store Apps
Allow or Restrict users to install/sideload applications from unknown sources.
Win 10 Pro
Win 10 Enterprise
Store App Data in Device Memory
Force the applications to store the data in device memory.
Win 10 Pro
Win 10 Enterprise
Install Apps in Device Memory
Force the applications to be installed in Device memory..
Win 10 Pro
Win 10 Enterprise
Scalefusion Sync Interval
Select an interval on how often should ScaleFusion poll for Device Info. This polling helps in,1. Updating the device Location.2. Updating the Inactivity time.3. Syncing the latest policies.4. Getting vital Device Information
Win 10 Pro
Win 10 Enterprise
General Settings > Start Layout Settings
The settings are supported on Windows 10 Pro and Enterprise Edition
Feature | Description |
Hide Switch Account | Use this setting to hide Switch user account option that is present on the left side of the Start menu |
Hide Sign out | Use this setting to hide the Sign Out button that is present on the left side of the Start menu, under the Accounts icon (or picture) |
Hide User tile | Tiling enables users to view each of their open programs or windows within a program simultaneously, rather than having to switch back and forth. Use this setting to hide start menu tiles for all users |
Hide Change Account Settings | Accounts Settings allows you to manage your Microsoft Account, set your user picture, change sign-in options, change password, change PIN, connect your PC to work or school etc. It is present on the left side of the Start menu. Use this setting to hide Change Account Settings option |
Hide People Bar | The People feature adds a special icon to the notification area of your taskbar and allows pinning your contacts directly to the taskbar, so you can start messaging, call or compose an email just with one click. Using this option, the People bar can be hidden. |
Hide Lock | This option which is present under Switch Account, locks the computer but keep all the user's programs running. Hide the Lock feature through this setting. |
Hide Hibernate | Hibernate option which is present in Start > Power, saves the current state of your PC—open programs and documents—to your hard disk and then turns off your PC. This feature can be hidden using Hide Hibernate settings. |
Hide Sleep | Sleep feature present in Start > Power puts your system into a low-power state and turning off your display when you're not using it. Use this setting to Hide Sleep setting. |
Hide Restart | This restarts your system. Use this setting to hide Restart |
Hide Power Options | Hide all the power options present in Start menu, with this setting. |
Hide Shutdown | The Shutdown feature which shuts down your system, can be hidden using this option. |
Allow End Task | Allow or disallow End Task feature in Task Manager. By default this option is checked. |
General Settings > Display Settings
These settings can be configured separately for device plugged in or running on battery
Feature | Description |
Configure Display Off Timeout | Display off timeout is the amount of minutes Windows will wait idle with no activity while on the lock screen, before timing out and automatically turning off the display. Configure the duration after which the display should timeout, through this setting |
Configure Hibernate Timeout | Specify the duration of time after sleep that the system automatically wakes and enters hibernation. |
Configure Unattended Sleep Timeout | The System unattended sleep timeout power setting is the idle timeout before the system returns to a low power sleep state after waking unattended. Specify a period of time before the system automatically enters sleep after waking from sleep in an unattended state. |
Allow Stand By Device Sleep | Control your device's stand by behavior by choosing one of the options:
|
Choose Lid Close Behavior | Select what the behavior should be when system lid is closed |
Choose Sleep Button Behavior | Select what the behavior should be when Sleep button is pressed |
Choose Power Button Behavior | Select what the behavior should be when Power button is pressed |
- User Control
- Take No Action
- Sleep
- Hibernate
- Shut Down
General Settings > Folder Settings
These settings let admin control the following folders from start layout, that is, whether they should be pinned or disabled from the Start menu:
- File Explorer
- Documents
- Downloads
- Music
- Videos
- Pictures
- Personal
- Network
- Settings
For the above folders, following options are available to choose from:
- User Control - Selected by default. This lets user control the behavior of a folder
- Show - Shows the folder
- Hide - Hides the folder
- Once you have configured the various settings, click on UPDATE PROFILE . Once the profile is saved, it will appear in the list of Device Profiles.
Applying a Device Profile to Windows 10 Devices
Once a device profile is created, you can easily apply to the devices. You have the following options,
- Applying a Device Profile at Enrollment: If you are looking to apply a device profile right when the device enrolls, then create an Enrollment Configuration and in the Group/Profile section select Windows Profile that you want the devices to enroll it. Use the enrollment link to enroll the devices.
- Changing a Device Profile after Enrollment: Follow the steps below to change the device profile,
- Navigate to Device Management > Device Profile and select Device Profile to which the device belongs.
- Click on the APPLY button on the actions panel on right side.
- You will be shown a dialog with all the Device Groups & Devices which are not associated with a device profile currently. Select the Device Group(s) or navigate to the Devices tab, select the devices and click APPLY
- Applying a Windows Profile via Device Group: If you intent to use Device Groups, then you can add/modify a Windows Profile to a windows group. The selected Windows Profile will be applied to all the devices in this group.
Removing a Device Profile from Windows 10 Devices
If you want to move the device to a different device profile, then first you have to remove it from its existing profile. Follow the steps below to do so,
- Navigate to Device Management > Device Profile and select Device Profile to which the device belongs.
- Click on the Remove button from the actions panel on right and select Remove Devices.
- You will see a dialog with all the devices where this profile is applied. Select the devices and click on REMOVE.
Frequently Asked Questions
Question: In Device Profile, under the Select Apps section, I don't see the applications that are installed on the enrolled devices?
Answer: ScaleFusion can collect the information only about the UWP applications or the applications installed from Windows Store. ScaleFusion collects this information when a new device enrolls and every 2 hours after enrollment. If the list is still not updated then you can do the following,
- Navigate to Devices section.
- Click on the Device that has the application installed.
- On the bottom panel and next to the Windows frame, click on Sync Apps option.
Question: We see quite a few settings marked as .Why does ScaleFusion allow control of the settings that are not working?
Answer: We had contemplated not adding these settings. However these are the ones that Windows MDM protocol claims to be supported and still not marked deprecated. Hence we have retained them with the assumption that it will work in future versions. Once the Windows documentation marks them deprecated or unsupported, we will remove them.
Question: The Exchange/Email settings are not removed from the device when we remove it from a Device Profile?
Answer: This is the intended behavior. As Exchange/Email are critical business information and is data intensive operation, we have not removed it when the devices are merely removed from Device Profile. This is based on the assumption that you would move the device to a different profile which will have the same exchange/email configuration.
Question: None of profile settings are removed from the device when we remove it from a Device Profile?
Answer: Yes. Removing a device retains its last profile/policy settings. We are in the process of adding a feature that lets you apply/remove policy that will allow you to temporary relax the policies on the device. However if you want to completely Unenroll the device, please use the Delete Device option.