
Windows 10 Mobile: mobile device management guide

This guide provides an overview of the mobile device and app management technologies in the
Windows 10 Mobile operating system. It describes how mobile device management (MDM) systems use
the built-in device management client to deploy, configure, maintain, and support phones and small
tablets running Windows 10 Mobile.
Bring Your Own Device (BYOD, that is, personal devices) and corporate devices are key scenarios that
Windows 10 Mobile MDM capabilities support. The operating system offers a flexible approach to
registering devices with directory services and MDM systems, and IT organizations can provision
comprehensive device-configuration profiles based on their company's need to control and secure mobile
business data.
Windows 10 Mobile not only delivers more comprehensive, restrictive configuration settings than
Windows Phone 8.1 did but also provides capabilities to deploy and manage apps built on the Universal
Windows Platform (UWP). Companies can distribute apps directly from Windows Store or by using their
MDM system. They can control and distribute custom line-of-business (LOB) apps the same way.

In this topic

Overview

Device deployment

Device configuration

App management

Device operations

Device retirement

See also:

Mobile device management

Enterprise Mobility Suite

Overview of Mobile Device Management for Office 365

Windows Store for Business


Overview
Organizations' users increasingly depend on their mobile devices, but phones and tablets bring new and
unfamiliar challenges for IT departments. IT must be able to deploy and manage mobile devices and apps
quickly to support the business while balancing the growing need to protect corporate data because of
evolving laws, regulations, and cybercrime. IT must ensure that the apps and data on those mobile devices
are safe, especially on personal devices. Windows 10 Mobile helps organizations address these challenges
by providing a robust, flexible, built-in MDM client. IT departments can use the MDM system of their
choice to manage this client.

Built-in MDM client


The built-in MDM client is common to all editions of the Windows 10 operating system, including
desktop, mobile, and Internet of Things (IoT). The client provides a single interface through which you can
manage any device that runs Windows 10. The client has two important roles: device enrollment in an
MDM system and device management.

Device enrollment. Users can enroll in the MDM system. On Windows 10, a user can register a
device with Microsoft Azure Active Directory (Azure AD) and enroll in an MDM system at the
same time so that the system can manage the device, the apps running on it, and the confidential
data it holds. Enrollment establishes the management authority for the device. Only one
management authority (or MDM enrollment) is possible at a time, which helps prevent
unauthorized access to devices and ensures their stability and reliability.

Device management. The MDM client allows the MDM system to configure policy settings;
deploy apps and updates; and perform other management tasks, such as remotely wiping the
device. The MDM system sends configuration requests and collects inventory through the MDM
client. The client uses configuration service providers (CSPs) to configure and inventory settings. A
CSP is an interface to read, set, modify, or delete configuration settings on the device. These
settings map to registry keys or files. (The security architecture of Windows 10 Mobile prevents
direct access to registry settings and operating system files. For more information, see the
Windows 10 Mobile security overview.)

The MDM client is an integral part of Windows 10 Mobile. As a result, there is no need for an additional,
custom MDM app to enroll the device or to allow an MDM system to manage it. All MDM systems have
equal access to Windows 10 Mobile MDM application programming interfaces (APIs), so you can choose
Microsoft Intune or a third-party MDM product to manage Windows 10 Mobile devices. For more
information about Windows 10 Mobile device management APIs, see Mobile device management.

Windows 10 Mobile editions


Every device that runs Windows 10 Mobile includes all the enterprise mobile device security and
management capabilities the MDM client provides. Microsoft also offers an Enterprise edition of
Windows 10 Mobile, which includes three additional capabilities. To enable these capabilities, you can
provision a license file without reinstalling the operating system:


Ability to postpone software updates. Windows 10 Mobile gets software updates directly from
Windows Update, and you cannot curate updates prior to deployment. Windows 10 Mobile
Enterprise, however, allows you to curate and validate updates prior to deploying them.

No limit on the number of self-signed LOB apps that you can deploy to a single device. To
use an MDM system to deploy LOB apps directly to devices, you must cryptographically sign the
software packages with a code signing certificate that your organization's certificate authority
(CA) generates. You can deploy a maximum of 20 self-signed LOB apps to a Windows 10 Mobile
device, or more than 20 if your organization's devices run Windows 10 Mobile Enterprise.

Set telemetry to security level. The telemetry Security level configures the operating system to
gather only the telemetry information required to keep devices secured.

Note:
Your organization can opt to purchase a code signing certificate from Verisign to sign LOB apps or use
Windows Store for Business to obtain apps. With either method, you can distribute more than 20 apps to
a single device without activating Windows 10 Mobile Enterprise on that device by using your MDM
system.

To activate Windows 10 Mobile Enterprise on any Windows 10 Mobile device, use your company's MDM
system or a provisioning package to inject a license onto the device. You can download a Windows 10
Mobile Enterprise license from the Business Support Portal.

Life-cycle management
Windows 10 Mobile supports end-to-end life-cycle device management to give companies control of
their devices, data, and apps. Comprehensive MDM systems use the built-in MDM client to manage
devices throughout their life cycle, as Figure 1 illustrates. The remainder of this guide describes the
operating system's mobile device and app management capabilities through each phase of the life cycle,
showing how MDM systems use specific features.


Figure 1. Device management life cycle

Device deployment
Device deployment includes the initial registration and configuration of the device, including its
enrollment with an MDM system. Sometimes, companies preinstall apps. The major factors in how you
deploy devices and which controls you put in place are device ownership and how the user will use the
device. This guide covers two scenarios:
1. Companies allow users to personalize their devices because the users own the devices or because
company policy doesn't require tight controls (defined as personal devices in this guide).

2. Companies don't allow users to personalize their devices or they limit personalization, usually
because the organization owns the devices and security considerations are high (defined as
corporate devices in this guide).

Often, employees can choose devices from a list of supported models, or companies provide devices that
they preconfigure, or bootstrap, with a baseline configuration.
Microsoft recommends Azure AD Join and MDM enrollment and management for corporate devices and
Azure AD Registration and MDM enrollment and management for personal devices.

Deployment scenarios
Most organizations support both personal and corporate device scenarios. The infrastructure for these
scenarios is similar, but the deployment process and configuration policies differ. Table 1 describes
characteristics of the personal and corporate device scenarios. Activation of a device with an
organizational identity is unique to Windows 10 Mobile.
Table 1. Characteristics of personal and corporate device scenarios

Ownership
  Personal devices: User
  Corporate devices: Organization

Primary use
  Personal devices: Personal
  Corporate devices: Work

Deployment
  Personal devices: The primary identity on the device is a personal identity. A Microsoft
  account is the default option for Windows 10 Mobile.
  Corporate devices: The primary identity on the device is an organizational identity. An
  Azure AD account is the default option for Windows 10 Mobile.

Identity management
People can use only one account to activate a device, so it's imperative that your organization control
which account you enable first. The account you choose will determine who controls the device and
influence your management capabilities. The following list describes the impact that users' identities have
on management (Table 2 summarizes these considerations):

Personal identity. In this scenario, employees use their Microsoft account to activate the device.
Then, they use their Azure AD account (organizational identity) to register the device in Azure AD
and enroll it with the company's MDM solution. You can apply policies to help protect and
contain corporate apps and data on the devices, designed to prevent intellectual property leaks,
but users keep full control over personal activities, such as downloading and installing apps and
games.


Organizational identity. In this scenario, employees use their Azure AD account to register the
device to Azure AD and automatically enroll it with the organizations MDM solution. In this case,
companies can block personal use of devices. Using organizational identities to initialize devices
gives organizations complete control over devices and allows them to prevent personalization.

Table 2. Personal vs. organizational identity

First account on the device
  Personal identity: Microsoft account
  Organizational identity: Azure AD account

Device sign-in
  Personal identity: Users cannot sign in to devices with Azure AD credentials, even if they add
  the credentials after initial activation with a Microsoft account.
  Organizational identity: Users can unlock devices with an Azure AD account. Organizations can
  block the addition of a personal identity.

User settings and data roaming across devices
  Personal identity: User and app settings roam across devices activated with the same personal
  identity over personal OneDrive.
  Organizational identity: Windows 10 Mobile currently does not support user and app settings
  roaming over the enterprise cloud. It can block the roaming of personal cloud settings.

Ability to block the use of a personal identity on the device
  Personal identity: No
  Organizational identity: Yes

Level of control
  Personal identity: The organization can apply most (1) restrictive policies to devices, but it
  cannot remove the Microsoft account from them. Device users can reclaim full control over their
  devices by un-enrolling them from the organization's MDM solution.
  Organizational identity: Organizations are free to apply the restrictive policies to devices that
  policy standards and compliance regulations require and to prevent the user from un-enrolling the
  device from the enterprise.

(1) MDM functionality on personal devices might be limited in the future.

Infrastructure requirements
For both device scenarios, the essential infrastructure and tools required to deploy and manage
Windows 10 Mobile devices include an Azure AD subscription and an MDM system.
Azure AD is a cloud-based directory service that provides identity and access management. You can
integrate it with existing on-premises directories to create a hybrid solution. Azure AD has three editions:
Free, Basic, and Premium (see Azure Active Directory editions). All editions support Azure AD device
registration, but the Premium edition is required to enable MDM auto-enrollment and conditional access
based on device state. Organizations that use Microsoft Office 365 or Intune are already using Azure AD.
Note:
Most industry-leading MDM vendors already support integration with Azure AD or are working on
integration. You can find the MDM vendors that support Azure AD in Azure Marketplace.
Users can enroll Windows 10 Mobile devices in third-party MDM systems without using an Azure AD
organizational account. (By default, Intune uses Azure AD and includes a license). If your organization
doesn't use Azure AD, you must use a personal identity to activate devices and enable common scenarios,
such as downloading apps from Windows Store.
Multiple MDM systems that support Windows 10 Mobile are available. Most support personal and
corporate device deployment scenarios. Microsoft offers Intune, which is part of the Enterprise Mobility
Suite and a cloud-based MDM system that manages devices off premises. Like Office 365, Intune uses
Azure AD for identity management, so employees use the same credentials to enroll devices in Intune or
sign in to Office 365. Intune supports devices that run other operating systems, as well, such as iOS and
Android, to provide a complete MDM solution.
You can also integrate Intune with Microsoft System Center Configuration Manager to gain a single
console in which to manage all devices, in the cloud and on premises. For more information, see Manage
Mobile Devices with Configuration Manager and Microsoft Intune. For guidance on choosing between a
stand-alone Intune installation and Intune integrated with System Center Configuration Manager, see
Choose between Intune by itself or integrating Intune with System Center Configuration Manager.
In addition to Intune, other MDM providers support Windows 10 Mobile. Currently, the following MDM
systems claim to support Windows 10 and Windows 10 Mobile: AirWatch, Citrix, Lightspeed Systems,
Matrix42, MobileIron, SAP, SOTI, and Symantec.
All MDM vendors have equal access to the Windows 10 MDM APIs. The extent to which they implement
these APIs depends on the vendor. Contact your preferred MDM vendor to determine its level of support.
Note:
Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices
instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later
and Office 365.
In addition, Microsoft recently added MDM capabilities powered by Intune to Office 365. MDM for
Office 365 supports mobile devices only, such as those running Windows 10 Mobile, iOS, and Android.
MDM for Office 365 offers a subset of the management capabilities found in Intune, including the ability
to remotely wipe a device, block a device from accessing Exchange Server email, and configure device
policies (e.g., passcode requirements). For more information about MDM for Office 365 capabilities, see
Overview of Mobile Device Management for Office 365.


Provisioning
Provisioning is new to Windows 10 and uses the MDM client in Windows 10 Mobile. You can create a
runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10.
To assist users with MDM system enrollment, use a provisioning package. To do so, use the Windows
Imaging and Configuration Designer to create a provisioning package, and then install that package on
the device.
Users can perform self-service MDM enrollment based on the following deployment scenarios:

Corporate device. During the out-of-the-box experience (OOBE), you can instruct the user to select
This device is owned by my organization and join the device to Azure AD and the MDM system.

Personal device. The user activates the device with a Microsoft account, but you can instruct him or
her to register the device with Azure AD and enroll in Intune. To do so in Windows 10 Mobile, the
user clicks Settings, clicks Accounts, and then clicks Work access.

To automate MDM enrollment, use provisioning packages as follows:

Corporate device. You can create a provisioning package and apply it to a corporate device before
delivery to the user, or instruct the user to apply the package during OOBE. After application of the
provisioning package, the OOBE process automatically chooses the enterprise path and requires the
user to register the device with Azure AD and enroll it in the MDM system.

Personal device. You can create a provisioning package and make it available to users who want to
enroll their personal device in the enterprise. The user enrolls the device in the corporate MDM for
further configuration by applying the provisioning package. To do so in Windows 10 Mobile, the user
clicks Settings, clicks Accounts, and then clicks Provisioning.

Distribute provisioning packages to devices by publishing them in an easily accessible location (e.g., an
email attachment or a web page). You can cryptographically sign or encrypt provisioning packages and
require that the user enter a password to apply them.
See Build and apply a provisioning package for more information on creating provisioning packages.

Device configuration
The following sections describe the device configuration capabilities of the built-in Windows 10 Mobile
MDM client. This client exposes the capabilities to any MDM system compatible with Windows 10.
Configurable settings include:
Email accounts.
Account restrictions.
Device lock restrictions.
Hardware restrictions.
Certificate management.
Wi-Fi.
Proxy.
Virtual private network (VPN).
Access point name (APN) profiles.
Data leak prevention.
Storage management.

Note:
Although all the MDM settings this section describes are available in Windows 10 Mobile, not all MDM
systems may show them in their user interface. In addition, naming may vary among MDM systems.
Consult your MDM system's documentation for more information.

Email accounts
You can use your corporate MDM system to manage corporate email accounts. Define email account
profiles in the MDM system, and then deploy them to devices. You would usually deploy these settings
immediately after enrollment, regardless of scenario.
This capability extends to email systems that use EAS. Table 3 lists settings that you can configure in EAS
email profiles.
Table 3. Windows 10 Mobile settings for EAS email profiles

Email Address: The email address associated with the EAS account
Domain: The domain name of the Exchange Server instance
Account Name: A user-friendly name for the email account on the device
Password: The password for the email account
Server Name: The server name that the email account uses
User Name: The user name for the email account
Calendar Age Filter: The age of calendar items to be synchronized with the device (e.g.,
synchronizing calendar items within the past 7 days)
Logging: The level of diagnostic logging
Mail Body Type: The email body format type: text, HTML, RTF, or Multipurpose Internet Mail
Extensions
Mail HTML Truncation: The maximum size of an HTML-formatted email message before the message is
synchronized to the device (Any HTML-formatted email message that exceeds this size is
automatically truncated.)
Mail Plain Text Truncation: The maximum size of a text-formatted email message before the message
is synchronized to the device (Any text-formatted email message that exceeds this size is
automatically truncated.)
Schedule: The schedule for synchronizing email between the Exchange Server instance and the device
Use SSL: Establishes whether Secure Sockets Layer (SSL) is required when syncing
Mail Age Filter: The age of messages to be synchronized with the device (e.g., synchronizing
messages within the past 7 days)
Content Types: The content type that is synchronized (e.g., email, contacts, calendar, task items)

Table 4 lists settings that you can configure in other email profiles.
Table 4. Windows 10 Mobile settings for other email profiles

User logon name: The user logon name for the email account
Outgoing authentication required: Whether the outgoing server requires authentication
Password: The password for the account in the User logon name field
Domain: The domain name for the account in the User logon name field
Days to download: How much email (measured in days) should be downloaded from the server
Incoming server: The incoming server name and port number, where the value format is
server_name:port_number (The port number is optional.)
Send and receive schedule: The length of time (in minutes) between email send-and-receive updates
IMAP4 maximum attachment size: The maximum size for message attachments for Internet Message
Access Protocol version 4 (IMAP4) accounts
Send mail display name: The name of the sender displayed on a sent email
Outgoing server: The outgoing server name and port number, where the value format is
server_name:port_number (The port number is optional.)
Reply address: The user's reply email address
Email service name: The name of the email service
Email service type: The email service type (e.g., POP3, IMAP4)
Maximum receive message size: The maximum size (in bytes) of messages retrieved from the incoming
email server (Messages that exceed this size are truncated to the maximum size.)
Delete message action: How messages are deleted on the server (Messages can either be permanently
deleted or sent to the Trash folder.)
Use cellular only: Whether the account should be used only with cellular connections and not Wi-Fi
connections
Content types to synchronize: The content types supported for synchronization (i.e., mail messages,
contacts, calendar items)
Content synchronization server: The name of the content synchronization server, if it's different
from the email server
Calendar synchronization server: The name of the calendar synchronization server, if it's different
from the email server
Contact server requires SSL: Whether the contact server requires an SSL connection
Calendar server requires SSL: Whether the calendar server requires an SSL connection
Contact items synchronization schedule: The schedule for syncing contact items
Calendar items synchronization schedule: The schedule for syncing calendar items
Alternative SMTP email account: The display name associated with a user's alternative Simple Mail
Transfer Protocol (SMTP) email account
Alternate SMTP domain name: The domain name for the user's alternative SMTP email account
Alternate SMTP account enabled: Whether the user's alternative SMTP account is enabled
Alternate SMTP password: The password for the user's alternative SMTP account
Incoming and outgoing servers require SSL: A group of properties that specify whether the incoming
and outgoing email servers use SSL

Account restrictions
On a corporate device registered with Azure AD and enrolled in the MDM system, you can control
whether users can use a Microsoft account or add other consumer email accounts. Table 5 lists the
settings that you can use to manage accounts on Windows 10 Mobile devices.
Table 5. Windows 10 Mobile account management settings

Allow Microsoft Account: Specifies whether users are allowed to add a Microsoft account to the
device after MDM enrollment and use this account for connection authentication and services, such
as purchasing apps in Windows Store, or cloud-based consumer services, such as Xbox or Groove. If a
device was activated with a Microsoft account, the MDM system would not be able to block that
account from being used.
Allow Adding Non-Microsoft Accounts: Specifies whether users are allowed to add email accounts
other than Microsoft accounts after MDM enrollment. If Allow Microsoft Account is applied, the user
also cannot use a Microsoft account.
Allow Your Account: Specifies whether users are able to change account configuration in the Your
Email and Accounts panel in Settings.

Device lock restrictions


It's common sense to lock a device when it is not in use. Microsoft recommends that you secure
Windows 10 Mobile devices and implement a device lock policy. A device password or PIN lock is a best
practice for securing apps and data on devices. Windows Hello is the name of the new biometric sign-in
option that lets users unlock a compatible device with their face, iris, or fingerprint; Windows 10
supports all three.
Note:
In addition to the device lock restrictions discussed in this section, Windows 10 supports Microsoft
Passport for Work, which lets you access apps and services without a password. Microsoft Passport for
Work is supported only in Windows 10 for desktop and requires System Center Configuration Manager.
In addition, the device must be joined to a domain. For more information, see Enable Microsoft Passport
for work in the organization.

Table 6 lists the MDM settings in Windows 10 Mobile that you can use to configure device lock
restrictions.
Table 6. Windows 10 Mobile device lock restrictions

Device Password Enabled: Specifies whether users are required to use a device lock password.
Notes: (1) When a device is registered with Azure AD and automatic MDM enrollment is not
configured, the user will automatically be prompted to set a password PIN of at least six digits
(simple PINs are not allowed). (2) If the device is capable of using biometric authentication, the
user will be able to enroll an iris or other biometric gesture (depending on hardware) for device
lock purposes. When a user uses a biometric gesture, he or she can still use the PIN as a fallback
mechanism (e.g., if the iris-recognition camera fails).
Allow Simple Device Password: Whether users can use a simple password (e.g., 1111 or 1234)
Alphanumeric Device Password Required: Whether users need to use an alphanumeric password. When
configured, Windows prompts the user with a full device keyboard to enter a complex password. When
not configured, the user will be able to enter a numeric PIN on the keyboard.
Min Device Password Complex Characters: The number of password element types (i.e., uppercase
letters, lowercase letters, numbers, or punctuation) required to create strong passwords
Device Password Expiration: The number of days before a password expires (Biometric data does not
expire.)
Device Password History: The number of passwords Windows 10 Mobile remembers in the password
history (Users cannot reuse passwords in the history to create new passwords.)
Min Device Password Length: The minimum number of characters required to create new passwords
Max Inactivity Time Device Lock: The number of minutes of inactivity before devices are locked and
require a password to unlock
Allow Idle Return Without Password: Whether users are required to re-authenticate when their
devices return from a sleep state, before the inactivity time was reached
Max Device Password Failed Attempts: The number of authentication failures allowed before a device
is wiped (A value of zero disables device wipe functionality.)
Screen Timeout While Locked: The number of minutes before the lock screen times out (This policy
influences the device's power management.)
Allow Screen Timeout While Locked User Configuration: Whether users can manually configure screen
timeout while the device is on the lock screen (Windows 10 Mobile ignores the Screen Timeout
While Locked setting if you disable this setting.)
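The Table 6 settings only make sense together: a minimum length, a ban on simple PINs, a count of
required character classes, a history window and a failed-attempt wipe threshold that zero disables
are all evaluated against the same candidate password. The following Python, added here as an
illustration and not taken from Microsoft's documentation or from the MDM client, models those rules
as a policy object and reports which rules a candidate violates. The definition of a "simple"
password (one repeated character, or a straight ascending or descending digit run) and the default
values are assumptions; the page gives only 1111 and 1234 as examples.

```python
"""Evaluate candidate device passwords against a Windows 10 Mobile
device-lock policy built from the Table 6 settings.

Added illustration only: the policy model and the rules below are a
reading of the table, not Microsoft code. The "simple password" test is an
assumption (the page lists only 1111 and 1234 as examples)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Sequence


@dataclass
class DeviceLockPolicy:
    # Field names mirror the Table 6 setting names; defaults are assumed.
    device_password_enabled: bool = True
    allow_simple_device_password: bool = False
    alphanumeric_device_password_required: bool = False
    min_device_password_complex_characters: int = 1   # character classes
    min_device_password_length: int = 6
    device_password_history: int = 0                  # 0 = no history kept
    max_device_password_failed_attempts: int = 0      # 0 = wipe disabled
    max_inactivity_time_device_lock: int = 15         # minutes


def is_simple_password(candidate: str) -> bool:
    """Assumed definition of a simple password: one repeated character
    (1111) or a straight run of consecutive digits (1234, 4321)."""
    if len(set(candidate)) == 1:
        return True
    if candidate.isdigit() and len(candidate) > 1:
        digits = [int(c) for c in candidate]
        steps = {b - a for a, b in zip(digits, digits[1:])}
        return steps == {1} or steps == {-1}
    return False


def complexity_classes(candidate: str) -> int:
    """Count the element types (uppercase, lowercase, digits, punctuation)
    present; Min Device Password Complex Characters counts in this unit."""
    checks = (str.isupper, str.islower, str.isdigit,
              lambda c: not c.isalnum())
    return sum(any(check(c) for c in candidate) for check in checks)


def evaluate_password(policy: DeviceLockPolicy, candidate: str,
                      history: Sequence[str] = ()) -> list[str]:
    """Return the Table 6 rules the candidate violates (empty list = OK).
    `history` holds recent passwords, oldest first; a real client would
    compare hashes rather than keep plaintext."""
    if not policy.device_password_enabled:
        return []
    failures: list[str] = []
    if len(candidate) < policy.min_device_password_length:
        failures.append("Min Device Password Length")
    if policy.alphanumeric_device_password_required and candidate.isdigit():
        failures.append("Alphanumeric Device Password Required")
    if not policy.allow_simple_device_password and is_simple_password(candidate):
        failures.append("Allow Simple Device Password")
    if complexity_classes(candidate) < policy.min_device_password_complex_characters:
        failures.append("Min Device Password Complex Characters")
    window = policy.device_password_history
    remembered = list(history)[-window:] if window > 0 else []
    if candidate in remembered:
        failures.append("Device Password History")
    return failures


def wipe_triggered(policy: DeviceLockPolicy, failed_attempts: int) -> bool:
    """Max Device Password Failed Attempts: a value of zero disables wipe."""
    limit = policy.max_device_password_failed_attempts
    return limit > 0 and failed_attempts >= limit


if __name__ == "__main__":
    # Constructed sample policy matching the Table 6 note: six-digit
    # minimum, simple PINs refused, last three passwords remembered.
    policy = DeviceLockPolicy(device_password_history=3)
    for pin in ("123456", "111111", "135790", "12345"):
        print(pin, evaluate_password(policy, pin) or "OK")
    print("wipe after 10 failures:", wipe_triggered(policy, 10))
```

The history check is deliberately the weakest part of the model: the sample keeps plaintext passwords
for readability, whereas the device compares against stored hashes, and the wipe threshold of zero is
the one value that turns a protective control off rather than tightening it.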

Hardware restrictions
Windows 10 Mobile devices use state-of-the-art technology that includes popular hardware features such
as cameras, global positioning system (GPS) sensors, microphones, speakers, near-field communication
(NFC) radios, storage card slots, USB interfaces, Bluetooth interfaces, cellular radios, and Wi-Fi. You can
also use hardware restrictions to control the availability of these features. Table 7 lists the MDM settings
that Windows 10 Mobile supports to configure hardware restrictions.
Note:
Some of these hardware restrictions provide connectivity and assist in data protection. Enterprise data
protection will be available in the Windows Insider Preview in the future and broadly available mid-2016.

Table 7. Windows 10 Mobile hardware restrictions

Allow NFC: Whether the NFC radio is enabled
Allow USB Connection: Whether the USB connection is enabled (This setting doesn't affect USB
charging.)
Allow Bluetooth: Whether users can enable and use the Bluetooth radio on their devices
Allow Bluetooth Advertising: Whether the device can act as a source for Bluetooth advertisements
and be discoverable to other devices
Allow Bluetooth Discoverable Mode: Whether the device can discover other devices (e.g., headsets)
Bluetooth Services Allowed List: The list of Bluetooth services and profiles to which the device
can connect
Set Bluetooth Local Device Name: The local Bluetooth device name
Allow Wi-Fi: Whether the Wi-Fi radio is enabled
Allow Auto Connect to Wi-Fi Sense Hotspots: Whether the device can automatically connect to Wi-Fi
hotspots and friends' home networks that are shared through Wi-Fi Sense
Allow Manual Wi-Fi Configuration: Whether users can manually connect to Wi-Fi networks not
specified in the MDM system's list of configured Wi-Fi networks
WLAN Scan Mode: How actively the device scans for Wi-Fi networks (This setting is hardware
dependent.)
Allow Camera: Whether the camera is enabled
Allow Storage Card: Whether the storage card slot is enabled
Allow Voice Recording: Whether the user can use the microphone to create voice recordings
Allow Location: Whether the device can use the GPS sensor or other methods to determine location
so applications can use location information

Certificate management
Managing certificates can be difficult for users, but certificates are pervasive for a variety of uses,
including account authentication, Wi-Fi authentication, VPN encryption, and SSL encryption of web
content. Although users could manage certificates on devices manually, it's a best practice to use your
MDM system to manage those certificates for their entire life cycle, from enrollment through renewal to
revocation. You can use the Simple Certificate Enrollment Protocol (SCEP) and Personal Information
Exchange (PFX) certificate files to install certificates on Windows 10 Mobile. Certificate management
through SCEP and MDM systems is fully transparent to users and requires no user intervention, so it helps
improve user productivity and reduce support calls. Your MDM system can automatically deploy these
certificates to the device's certificate stores after you enroll the device. Table 8 lists the SCEP settings that
the MDM client in Windows 10 Mobile provides.


Table 8. Windows 10 Mobile SCEP certificate enrollment settings

Certificate enrollment server URLs: The certificate enrollment servers (To specify multiple server
URLs, separate the URLs with semicolons [;].)
SCEP enrollment challenge: The Base64-encoded SCEP enrollment challenge
Extended key use object identifiers: The object identifiers (OIDs) for extended key use
Key usage: The key usage bits for the certificate in decimal format
Subject name: The certificate subject name
Private key storage: Where to store the private key (i.e., the Trusted Platform Module [TPM], a
software key storage provider [KSP], or the Microsoft Passport KSP)
Pending retry delay: How long the device will wait to retry when the SCEP server sends a pending
status
Pending retry count: The number of times a device will retry when the SCEP server sends a pending
status
Template name: The OID of the certificate template name
Private key length: The private key length (i.e., 1024, 2048, or 4096 bits; Microsoft Passport
supports only the 2048 key length)
Certificate hash algorithm: The hash algorithm family (i.e., SHA-1, SHA-2, SHA-3; multiple hash
algorithm families are separated by plus signs [+])
Root CA thumbprint: The root CA thumbprint
Subject alternative names: Subject alternative names for the certificate (Use semicolons to separate
multiple subject alternative names.)
Valid period: The unit of measure for the period of time the certificate is considered valid (i.e.,
days, months, or years)
Valid period units: The number of units of time that the certificate is considered valid (Use this
setting with the Valid Period setting. For example, if this setting is 3 and Valid Period is Years,
the certificate is valid for 3 years.)
Custom text to show in Microsoft Passport PIN prompt: The custom text to show on the Microsoft
Passport PIN prompt during certificate enrollment
Thumbprint: The current certificate thumbprint, if certificate enrollment succeeds

In addition to SCEP certificate management, Windows 10 Mobile supports deployment of PFX certificates.
Table 9 lists the Windows 10 Mobile PFX certificate deployment settings.
Table 9. Windows 10 Mobile PFX certificate deployment settings

Setting | Description
Private key storage | Where to store the private key (i.e., the TPM, a software KSP, or the Microsoft Passport KSP)
Microsoft Passport container name | The tenant identifier of the Azure AD tenant from which the Microsoft Passport is derived, required only if you select Microsoft Passport KSP in Private key storage
PFX packet | The PFX packet with the exported and encrypted certificates and keys in Binary64 format
PFX packet password | The password that protects the PFX blob specified in PFX packet
PFX packet password encryption | Whether the MDM system encrypts the PFX certificate password with the MDM certificate
PFX private key export | Whether the PFX private key can be exported
Thumbprint | The thumbprint of the installed PFX certificate

Use the Allow Manual Root Certificate Installation setting to prevent users from manually installing
root and intermediate CA certificates intentionally or accidentally.
Note:
To diagnose certificate-related issues on Windows 10 Mobile devices, use the free Certificates app in
Windows Store. This Windows 10 Mobile app can help you:
- View a summary of all personal certificates.
- View the details of individual certificates.
- View the certificates used for VPN, Wi-Fi, and email authentication.
- Identify which certificates may have expired.
- Verify the certificate path and confirm that you have the correct intermediate and root CA certificates.
- View the certificate keys stored in the device TPM.
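Several of the Table 8 and Table 9 settings constrain each other (the Passport KSP only accepts a 2048-bit key, hash families are plus-separated, server URLs are semicolon-separated, key usage is a decimal bit mask, and Valid period only means something together with Valid period units), so it pays to check a profile before the MDM system pushes it. The validator below is an added example, not code from the guide or from any MDM product; the ScepProfile and PfxProfile classes, the finding texts, and the "prefer SHA-2" note are its own assumptions.

```python
"""Added example, not from the Microsoft guide: check a SCEP enrollment profile
and a PFX deployment profile against the constraints Tables 8 and 9 state
before an MDM system pushes them to a Windows 10 Mobile device. The profile
classes and the wording of the findings are this example's own assumptions."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

KEY_STORAGE = ("TPM", "Software KSP", "Passport KSP")  # Private key storage
# Key usage is given in decimal (Table 8); the bits are the X.509 KeyUsage
# flags as Windows encodes them: 0x80 digital signature, 0x20 key
# encipherment, so 160 (0xA0) requests both.
KEY_USAGE_BITS = {0x80: "digitalSignature", 0x40: "nonRepudiation",
                  0x20: "keyEncipherment", 0x10: "dataEncipherment",
                  0x08: "keyAgreement", 0x04: "keyCertSign", 0x02: "cRLSign"}


def decode_key_usage(decimal_value: int) -> List[str]:
    """Expand a decimal Key usage value into the flag names it sets."""
    return [name for bit, name in KEY_USAGE_BITS.items() if decimal_value & bit]


def certificate_expiry(issued_iso: str, valid_period: str, units: int) -> str:
    """Combine Valid period and Valid period units as Table 8 describes:
    units=3 with valid_period="Years" keeps the certificate valid 3 years."""
    issued = date.fromisoformat(issued_iso)
    if valid_period == "Days":
        return (issued + timedelta(days=units)).isoformat()
    months = units if valid_period == "Months" else units * 12
    year = issued.year + (issued.month - 1 + months) // 12
    month = (issued.month - 1 + months) % 12 + 1
    day = min(issued.day, calendar.monthrange(year, month)[1])  # clamp Feb 29
    return date(year, month, day).isoformat()


@dataclass
class ScepProfile:
    enrollment_urls: str   # semicolon-separated server URLs
    key_storage: str       # one of KEY_STORAGE
    key_length: int        # 1024, 2048 or 4096
    hash_families: str     # plus-separated, e.g. "SHA-2+SHA-3"
    key_usage: int         # decimal key usage bits
    valid_period: str      # "Days", "Months" or "Years"
    valid_period_units: int


def validate_scep_profile(p: ScepProfile) -> List[str]:
    """Return findings; an empty list means the profile is consistent."""
    findings = []
    urls = [u.strip() for u in p.enrollment_urls.split(";") if u.strip()]
    if not urls:
        findings.append("no certificate enrollment server URL")
    for u in urls:
        if not u.lower().startswith(("http://", "https://")):
            findings.append(f"enrollment server is not an HTTP(S) URL: {u}")
    if p.key_storage not in KEY_STORAGE:
        findings.append(f"unknown private key storage {p.key_storage!r}")
    if p.key_length not in (1024, 2048, 4096):
        findings.append(f"unsupported private key length {p.key_length}")
    # Table 8: Microsoft Passport supports only the 2048-bit key length.
    if p.key_storage == "Passport KSP" and p.key_length != 2048:
        findings.append("Passport KSP requires a 2048-bit private key")
    families = [h.strip() for h in p.hash_families.split("+") if h.strip()]
    for h in families:
        if h not in ("SHA-1", "SHA-2", "SHA-3"):
            findings.append(f"unknown hash algorithm family {h!r}")
    if families == ["SHA-1"]:
        findings.append("only SHA-1 requested; allow SHA-2 as well")
    if not decode_key_usage(p.key_usage):
        findings.append(f"key usage {p.key_usage} sets no known flag")
    if p.valid_period not in ("Days", "Months", "Years") or p.valid_period_units < 1:
        findings.append("valid period needs a positive count of Days, Months or Years")
    return findings


@dataclass
class PfxProfile:
    key_storage: str              # one of KEY_STORAGE
    passport_container_name: str  # Azure AD tenant ID, Passport KSP only
    private_key_exportable: bool  # PFX private key export


def validate_pfx_profile(p: PfxProfile) -> List[str]:
    """Findings for a Table 9 PFX deployment profile."""
    findings = []
    if p.key_storage not in KEY_STORAGE:
        findings.append(f"unknown private key storage {p.key_storage!r}")
    # Table 9: the container name is required only with the Passport KSP.
    if p.key_storage == "Passport KSP" and not p.passport_container_name:
        findings.append("Passport KSP needs the Microsoft Passport container name")
    if p.key_storage != "Passport KSP" and p.passport_container_name:
        findings.append("container name set, but Private key storage is not the Passport KSP")
    if p.private_key_exportable:
        findings.append("private key is marked exportable; confirm this is intended")
    return findings
```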

Wi-Fi
People use Wi-Fi on their mobile devices as much as or more than cellular data. Most corporate Wi-Fi
networks require certificates and other complex information to restrict and secure user access. This
advanced Wi-Fi information is difficult for typical users to configure, but you can use your MDM system to
fully configure Wi-Fi settings without user intervention.
Table 10 lists the Windows 10 Mobile Wi-Fi connection profile settings. Use the information in this table
to help you create Wi-Fi connection profiles in your MDM system.
Table 10. Windows 10 Mobile Wi-Fi connection profile settings

Setting | Description
SSID | The case-sensitive name of the Wi-Fi network (service set identifier [SSID])
Security type | The type of security the Wi-Fi network uses; can be one of the following authentication types:
  - Open 802.11
  - Shared 802.11
  - WPA-Enterprise 802.11
  - WPA-Personal 802.11
  - WPA2-Enterprise 802.11
  - WPA2-Personal 802.11
Authentication encryption | The type of encryption the authentication uses; can be one of the following encryption methods:
  - None (no encryption)
  - Wired Equivalent Privacy
  - Temporal Key Integrity Protocol
  - Advanced Encryption Standard (AES)
Extensible Authentication Protocol Transport Layer Security (EAP-TLS) | WPA-Enterprise 802.11 and WPA2-Enterprise 802.11 security types can use EAP-TLS with certificates for authentication
Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2) | WPA-Enterprise 802.11 and WPA2-Enterprise 802.11 security types can use PEAP-MSCHAPv2 with a user name and password for authentication
Shared key | WPA-Personal 802.11 and WPA2-Personal 802.11 security types can use a shared key for authentication.
Proxy | The configuration of any network proxy that the Wi-Fi connection requires (To specify the proxy server, use its fully qualified domain name [FQDN], Internet Protocol version 4 [IPv4] address, IP version 6 [IPv6] address, or IPvFuture address.)
Disable Internet connectivity checks | Whether the Wi-Fi connection should check for Internet connectivity
Proxy auto-configuration URL | A URL that specifies the proxy auto-configuration file
Enable Web Proxy Auto-Discovery Protocol (WPAD) | Specifies whether WPAD is enabled

Table 11 lists the Windows 10 Mobile settings for managing Wi-Fi connectivity.
Table 11. Windows 10 Mobile Wi-Fi connectivity settings

Setting | Description
Allow Auto Connect To Wi-Fi Sense Hotspots | Whether the device will automatically detect and connect to Wi-Fi networks
Allow Manual Wi-Fi Configuration | Whether the user can manually configure Wi-Fi settings
Allow Wi-Fi | Whether the Wi-Fi hardware is enabled
WLAN Scan Mode | How actively the device scans for Wi-Fi networks

Proxy
Apps running on Windows 10 Mobile (e.g., Microsoft Edge) can use proxy connections to access Internet
content, and Wi-Fi connections on the corporate intranet most typically go through a proxy connection.
You can define multiple proxies in Windows 10 Mobile.
Note:
Windows 10 Mobile also supports proxy auto-configuration (PAC) files, which can automatically
configure proxy settings. The Web Proxy Auto-Discovery Protocol (WPAD) lets apps use Dynamic Host
Configuration Protocol (DHCP) and Domain Name System (DNS) lookups to locate the PAC file.

Table 12 lists the Windows 10 Mobile settings for proxy connections.
Table 12. Windows 10 Mobile proxy connection settings

Setting | Description
Proxy name | The unique name of the proxy connection
Proxy ID | The unique identifier for the proxy connection
Name | The user-friendly name of the proxy connection
Server address | The address of the proxy server, which can be the server FQDN or IP address
IP address type | The IP address type that identifies the proxy server, which can be one of the following values:
  - IPV4
  - IPV6
  - E164
  - ALPHA
Proxy connection type | The proxy connection type, which can be one of the following values:
  - ISA
  - WAP
  - SOCKS
  - NULL
Ports | The port information for the proxy connection; includes the following settings:
  - Port Name. The unique name of a port that the proxy connection uses, such as PORT0 or PORT1
  - Port Name/Port Nbr. The proxy connection port number for this port
  - Port Name/Services. The services that use this proxy connection port
  - Services/Service Name. The name of a service that uses the proxy connection
  - Services/Service Name/Service Name. The protocol associated with the parent port connection
Configuration reference | The connection reference information for the proxy connection. The corporation determines the information in this optional setting.

VPN
In addition to Wi-Fi, users often use a VPN to securely access apps and resources on their company's
intranet behind a firewall. Windows 10 Mobile supports several VPN vendors in addition to native
Microsoft VPNs (such as Point to Point Tunneling Protocol [PPTP], Layer 2 Tunneling Protocol [L2TP], and
Internet Key Exchange Protocol version 2 [IKEv2]), including:
- IKEv2.
- IP security.
- SSL VPN connections (which require a downloadable plug-in from the VPN server vendor).

You can configure Windows 10 Mobile to use auto-triggered VPN connections, as well. You define a VPN
connection for each app that requires intranet connectivity. When users switch between apps, the
operating system automatically establishes the VPN connection for that app. If the device drops the VPN
connection, Windows 10 Mobile automatically reconnects to the VPN without user intervention. With
always-on VPN, Windows 10 Mobile can also automatically start a VPN connection when a user signs in.
The VPN stays connected until the user manually disconnects it.
MDM support for VPN connections in Windows 10 Mobile includes provisioning and updating VPN
connection profiles and associating VPN connections with apps. You can create and provision VPN
connection profiles, and then deploy them to managed devices that run Windows 10 Mobile. Table 13
lists the Windows 10 Mobile fields for VPN connection profiles.
Table 13. Windows 10 Mobile VPN connection profile settings

Setting | Description
Native VPN protocol profile | The configuration information when the VPN uses native Windows 10 Mobile VPN protocols (such as IKEv2, PPTP, or L2TP); includes the following settings:
  - Servers. The VPN server for the VPN profile
  - Routing policy type. The type of routing policy the VPN profile uses; can be set to one of the following values:
    - Split tunnel. Only network traffic destined to the intranet goes through the VPN connection.
    - Force tunnel. All traffic goes through the VPN connection.
  - Tunneling protocol type. The tunneling protocol used for VPN profiles that use native Windows 10 Mobile VPN protocols; can be one of the following values:
    - PPTP
    - L2TP
    - IKEv2
    - Automatic
  - User authentication method. The user authentication method for the VPN connection; can have a value of EAP or MSChapv2. Windows 10 Mobile does not support the value MSChapv2 for IKEv2-based VPN connections.
  - Machine certificate. The machine certificate used for IKEv2-based VPN connections.
  - EAP configuration. An HTML-encoded XML blob of the EAP configuration. For more information about creating the EAP configuration XML blob, see EAP configuration. You can use the XML blob these steps create in the MDM system to create the VPN profile.
VPN plugin profile | Windows Store-based VPN plug-ins for the VPN connection; includes the following settings:
  - VPN servers. A comma-separated list of VPN servers; you can specify the servers with a URL, fully qualified host name, or IP address.
  - Custom configuration. An HTML-encoded XML blob for SSL VPN plug-in-specific configuration information (e.g., authentication information) that the plug-in provider requires.
  - Windows Store VPN plugin family name. Specifies the Windows Store package family name for the Windows Store-based VPN plug-in.
Always on connection | Whether the VPN connects at user sign-in and stays connected until the user manually disconnects the VPN connection.
App trigger list | A list of apps that automatically initiate the VPN connection. Each app trigger in the list includes the following settings:
  - App ID. The app identity for the app that automatically initiates the VPN connection. Any apps in this list can send data through the VPN connection; set it to one of the following values:
    - Unique name of the Windows Store app (Package Family Name). The package family name is a unique name for each app. For example, the package family name for the Skype app is Microsoft.SkypeApp_kzf8qxf38zg5c.
    - Fully qualified path to the app (such as C:\Windows\System\Notepad.exe).
    - Kernel driver name.
DNS suffixes | A comma-separated list of DNS suffixes for the VPN connection. Any DNS suffixes in this list are automatically added to Suffix Search List.
LockDown VPN profile | Whether this VPN connection is a LockDown profile. A LockDown VPN profile has the following characteristics:
  - It is an always-on VPN profile.
  - It can never be disconnected.
  - If the VPN profile is not connected, the user has no network connectivity.
  - No other VPN profiles can be connected or modified.
  You must delete a LockDown VPN profile before you can add, remove, or connect other VPN profiles.
Name Resolution Policy Table rules | A list of Name Resolution Policy Table rules for the VPN connection. Each rule in the list includes the following settings:
  - Domain name. The namespace for the policy; can be an FQDN or a domain suffix.
  - Domain name type. The type of namespace in Domain name; has a value of either FQDN or Suffix.
  - DNS servers. A comma-separated list of DNS server IP addresses to use for the namespace specified in Domain name.
  - Web proxy servers. The IP address for the web proxy server (if the intranet redirects traffic through a web proxy server).
Proxy | Any post connection proxy support required for the VPN connection; includes the following settings:
  - Proxy server. Specifies the fully qualified host name or IP address of the proxy server when a specific proxy server is required.
  - Automatic proxy configuration URL. Specifies the URL for automatically retrieving proxy server settings.
Remember credentials | Whether the VPN connection caches credentials.
Route list | A list of routes to add to the routing table for the VPN connection. Each route in the list includes the following settings:
  - Address. The destination subnet address in IPv4 or IPv6 format (such as 192.168.0.0).
  - Prefix size. The portion of the address used to identify the destination subnet address (such as 16 to produce the subnet 192.168.0.0/16).
Traffic filter list | A list of traffic rules that define the traffic that can be sent through the VPN connection. Each rule in the list includes the following settings:
  - App ID. The app identity for the traffic filter based on a specific app (app-based traffic filter). Any apps in this list can send data through the VPN connection; set to one of the following values:
    - Unique name of the Windows Store app (Package Family Name). The package family name is a unique name for each app. For example, the package family name for the Skype app is Microsoft.SkypeApp_kzf8qxf38zg5c.
    - Fully qualified path to the app (such as C:\Windows\System\Notepad.exe).
    - Kernel driver name.
  - Protocol. The IP protocol to use for the traffic filter rule (e.g., TCP = 6, UDP = 17).
  - Local port ranges. Specifies a comma-separated list of local IP port ranges (e.g., 100-180, 200, 300-350).
  - Remote port ranges. A comma-separated list of remote IP port ranges (e.g., 100-180, 200, 300-350).
  - Local address ranges. A comma-separated list of local IP address ranges that are allowed to use the VPN connection (e.g., 192.168.0.1-192.168.0.255, 172.16.10.0-172.16.10.255).
  - Remote address ranges. A comma-separated list of remote IP address ranges that are allowed to use the VPN connection (e.g., 192.168.0.1-192.168.0.255, 172.16.10.0-172.16.10.255).
  - Routing policy type. The type of IP tunnel for the VPN connection; set to one of the following:
    - Split tunnel. Only traffic destined for the intranet is sent through the VPN connection.
    - Force tunnel. All traffic is sent through the VPN connection.
Trusted network detection | A comma-separated list of trusted networks that causes the VPN not to connect when the intranet is directly accessible.

Table 14 lists the Windows 10 Mobile settings for managing VPN connections. These settings help you
manage VPNs over cellular data connections, which in turn help reduce costs associated with roaming or
data plan charges.
Table 14. Windows 10 Mobile VPN management settings

Setting | Description
Allow VPN | Whether users can change VPN settings
Allow VPN Over Cellular | Whether users can establish VPN connections over cellular networks
Allow VPN Over Cellular when Roaming | Whether users can establish VPN connections over cellular networks when roaming
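The Traffic filter list and Route list settings in Table 13 decide, per flow, whether traffic is allowed through the VPN and whether a destination is routed into the tunnel. The code below is an added example, not from the guide or from the Windows VPN client: it parses the comma-separated port and address range syntax the table shows and evaluates a constructed sample profile; the TrafficFilter and Flow classes, the rule that an empty field matches anything, and the sample Skype filter are this example's own assumptions.

```python
"""Added example, not from the Microsoft guide: evaluate the Traffic filter
list and Route list settings of Table 13 against a sample flow, parsing the
comma-separated port and address ranges in the form the table shows
(e.g., 100-180, 200, 300-350). The rule and flow classes are this example's
own assumptions; an empty rule field is treated as "match anything"."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def parse_port_ranges(spec: str) -> List[Tuple[int, int]]:
    """'100-180, 200, 300-350' -> [(100, 180), (200, 200), (300, 350)]."""
    ranges = []
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        lo, _, hi = item.partition("-")
        lo_p, hi_p = int(lo), int(hi or lo)
        if not 0 <= lo_p <= hi_p <= 65535:
            raise ValueError(f"bad port range {item!r}")
        ranges.append((lo_p, hi_p))
    return ranges


def parse_address_ranges(spec: str):
    """'192.168.0.1-192.168.0.255, 172.16.10.0-172.16.10.255' -> [(lo, hi), ...]."""
    ranges = []
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        lo, _, hi = item.partition("-")
        lo_a, hi_a = ip_address(lo), ip_address(hi or lo)
        if lo_a.version != hi_a.version or lo_a > hi_a:
            raise ValueError(f"bad address range {item!r}")
        ranges.append((lo_a, hi_a))
    return ranges


def in_ranges(value, ranges) -> bool:
    """Empty range list = any value (assumption; the guide does not say)."""
    if not ranges:
        return True
    return any(lo <= value <= hi for lo, hi in ranges
               if getattr(lo, "version", None) == getattr(value, "version", None))


@dataclass
class TrafficFilter:
    app_id: str = ""                 # package family name, exe path or driver
    protocol: Optional[int] = None   # IP protocol, e.g. TCP = 6, UDP = 17
    local_ports: str = ""
    remote_ports: str = ""
    local_addresses: str = ""
    remote_addresses: str = ""


@dataclass
class Flow:
    app_id: str
    protocol: int
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int


def filter_matches(rule: TrafficFilter, flow: Flow) -> bool:
    """True when every populated field of the rule matches the flow."""
    if rule.app_id and rule.app_id != flow.app_id:
        return False
    if rule.protocol is not None and rule.protocol != flow.protocol:
        return False
    return (in_ranges(flow.local_port, parse_port_ranges(rule.local_ports))
            and in_ranges(flow.remote_port, parse_port_ranges(rule.remote_ports))
            and in_ranges(ip_address(flow.local_addr),
                          parse_address_ranges(rule.local_addresses))
            and in_ranges(ip_address(flow.remote_addr),
                          parse_address_ranges(rule.remote_addresses)))


def allowed_through_vpn(filters: List[TrafficFilter], flow: Flow) -> bool:
    """Table 13: the filter list defines the traffic that can be sent through
    the VPN, so a flow matching no rule is not sent through it."""
    return any(filter_matches(f, flow) for f in filters)


def route_via_vpn(routes: List[Tuple[str, int]], routing_policy: str,
                  destination: str) -> bool:
    """Route list entries are (Address, Prefix size), e.g. ("192.168.0.0", 16).
    Force tunnel sends all traffic; split tunnel only the listed subnets."""
    if routing_policy == "Force tunnel":
        return True
    dest = ip_address(destination)
    return any(dest in ip_network(f"{addr}/{prefix}") for addr, prefix in routes)


# Constructed sample profile: the Skype package family name from Table 13 may
# reach the intranet ranges over TCP on the listed remote ports only.
SAMPLE_FILTERS = [TrafficFilter(
    app_id="Microsoft.SkypeApp_kzf8qxf38zg5c", protocol=6,
    remote_ports="100-180, 200, 300-350",
    remote_addresses="192.168.0.1-192.168.0.255, 172.16.10.0-172.16.10.255")]
SAMPLE_ROUTES = [("192.168.0.0", 16), ("172.16.10.0", 24)]
```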

APN profiles
An APN defines network paths for cellular data connectivity. Typically, you define just one APN for a
device in collaboration with a mobile operator, but you can define multiple APNs if your company uses
multiple mobile operators.
An APN provides a private connection to the corporate network that is unavailable to other companies on
the mobile operator network. Corporations in Europe and the Asia-Pacific use APNs, but they are not
common in the United States.
You can define and deploy APN profiles in MDM systems that configure cellular data connectivity for
Windows 10 Mobile. Devices running Windows 10 Mobile can have only one APN profile. Table 15 lists
the MDM settings that Windows 10 Mobile supports for APN profiles.
Table 15. Windows 10 Mobile APN profile settings

Setting | Description
APN name | The APN name
IP connection type | The IP connection type; set to one of the following values:
  - IPv4 only
  - IPv6 only
  - IPv4 and IPv6 concurrently
  - IPv6 with IPv4 provided by 46xlat
LTE attached | Whether the APN should be attached as part of an LTE Attach
APN class ID | The globally unique identifier that defines the APN class to the modem
APN authentication type | The APN authentication type; set to one of the following values:
  - None
  - Auto
  - PAP
  - CHAP
  - MSCHAPv2
User name | The user account when users select Password Authentication Protocol (PAP), CHAP, or MSCHAPv2 authentication in APN authentication type
Password | The password for the user account specified in User name
Integrated circuit card ID | The integrated circuit card ID associated with the cellular connection profile

Data leak protection


Some user experiences can put corporate data stored on corporate devices at risk. For example, allowing
users to copy and paste information out of the organization's LOB app can put data at risk. To mitigate the
risk, you can restrict the Windows 10 Mobile user experience to help protect corporate data and prevent
data leaks. For example, you can prevent settings synchronization, copy-and-paste operations, and screen
captures. Table 16 lists the MDM settings in Windows 10 Mobile that you can use to help prevent data
leaks.
Table 16. Windows 10 Mobile data leak protection settings

Setting | Description
Allow copy and paste | Whether users can copy and paste content
Allow Cortana | Whether users can use Cortana on the device, where available
Allow device discovery | Whether the device discovery user experience is available on the lock screen (For example, this setting can control whether a device could discover a projector [or other devices] when the lock screen is displayed.)
Allow input personalization | Whether personally identifiable information can leave the device or be saved locally (e.g., Cortana learning, inking, dictation)
Allow manual MDM unenrollment | Whether users are allowed to delete the workplace account (i.e., unenroll the device from the MDM system)
Allow screen capture | Whether users are allowed to capture screenshots on the device
Allow SIM error dialog prompt | Specifies whether to display a dialog prompt when no SIM card is installed
Allow sync my settings | Whether the user experience settings are synchronized between devices (works with Microsoft accounts only)
Allow toasts notifications above lock screen | Whether users are able to view toast notifications on the device lock screen
Allow voice recording | Whether users are allowed to perform voice recordings.

Storage management
Protecting the apps and data stored on a device is critical to device security. One method for helping
protect your apps and data is to encrypt internal device storage by using the device encryption in
Windows 10 Mobile. This encryption helps protect corporate data against unauthorized access, even when
an unauthorized user has physical possession of the device.
A feature in Windows 10 Mobile is the ability to install apps on a secure digital (SD) card. The operating
system stores apps on a partition specifically designated for that purpose. This feature is always on, so you
don't need to set a policy explicitly to enable it.
The SD card is uniquely paired with a device. No other devices can see the apps or data on the encrypted
partition, but they can access the data stored on the unencrypted partition of the SD card, such as music
or photos.
You can disable the Allow Storage Card setting to prevent users from using SD cards altogether, but the
primary advantage of the SD card app partition-encryption feature is that organizations can give users the
flexibility to use an SD card while still protecting the confidential apps and data on it.
If you don't encrypt storage, you can help protect your corporate apps and data by using the Restrict
app data to the system volume and Restrict apps to the system volume settings. They help ensure
that users cannot copy your apps and data to SD cards.
Table 17 lists the MDM storage-management settings that Windows 10 Mobile provides.
Table 17. Windows 10 Mobile storage management settings

Setting | Description
Allow Storage Card | Whether users can use storage cards for device storage (This setting does not prevent programmatic access to the storage cards.)
Require Device Encryption | Whether internal storage is encrypted (When a device is encrypted, you cannot use a policy to turn encryption off.)
Encryption method | Specifies the BitLocker drive encryption method and cipher strength; can be one of the following values:
  - AES-Cipher Block Chaining (CBC) 128-bit
  - AES-CBC 256-bit
  - XEX-based tweaked-codebook mode with cipher text stealing (XTS) AES (XTS-AES) 128-bit (this is the default)
  - XTS-AES-256-bit
Allow Federal Information Processing Standard (FIPS) algorithm policy | Whether the device allows or disallows the FIPS algorithm policy
SSL cipher suites | Specifies a list of the allowed cryptographic cipher algorithms for SSL connections
Restrict app data to the system volume | Specifies whether app data is restricted to the system drive
Restrict apps to the system volume | Specifies whether apps are restricted to the system drive

App management

Apps help improve user productivity on mobile devices. New to Windows 10 is the ability for
organizations to purchase apps from Windows Store for their employees and deploy those apps from
Windows Store or an MDM system. App management is becoming a key capability of MDM systems,
helping reduce the effort required to perform common app-related tasks, such as distributing apps, and
protecting data through app policies. This section describes the app management features in Windows 10
Mobile and includes the following topics:
- UWP
- Sourcing the right app
- Windows Store for Business
- Mobile application management (MAM) policies
- Microsoft Edge

Universal Windows Platform

Windows 10 introduces UWP, converging the application platform for all devices running some edition of
Windows 10. UWP apps run without modification on all editions of Windows 10, and Windows Store now
has apps that you can license and purchase for all your Windows 10 devices. Windows Phone 8.1 and
Windows 8.1 apps still run on Windows 10 devices, but the MAM improvements in Windows 10 work only
with UWP apps. See the Guide to Universal Windows Platform (UWP) apps for additional information.

Sourcing the right app

The first step in app management is to obtain the apps your users need, and you can now acquire apps
from Windows Store. Developers can also create apps specific to an organization, known as
line-of-business apps (the developers of these apps are LOB publishers). An LOB developer (internal or
external) can now publish these apps to Windows Store at your request, or you can obtain the app
packages offline and distribute them through your MDM system.
To install Windows Store or LOB apps, use the Windows Store cloud service or your MDM system to
distribute the app packages. Your MDM system can deploy apps online by redirecting the user to a
licensed app in Windows Store or offline by distributing a package that you downloaded from Windows
Store (also called sideloading) on Windows 10 Mobile devices. You can fully automate the app
deployment process so that no user intervention is required.
IT administrators can obtain apps through Windows Store for Business. Most apps can be distributed
online, meaning that the user must be logged in to the device with an Azure AD account and have
Internet access at the time of installation. To distribute an app offline, the developer must opt in. If the
app developer doesn't allow download of the app from Windows Store, then you must obtain the files
directly from the developer or use the online method. See Windows Store for Business for additional
information about apps obtained through Windows Store for Business.
Windows Store apps are automatically trusted. For custom LOB apps developed internally or by a trusted
software vendor, ensure that the device trusts the app signing certificate. There are two ways to establish
this trust: use a signing certificate from a trusted source, or generate your own signing certificate and add
your chain of trust to the trusted certificates on the device. You can install up to 20 self-signed apps on a
Windows 10 Mobile device. When you purchase a signing certificate from a public CA, you can install
more than 20 apps on a device, and you can also install more than 20 self-signed apps per device with
Windows 10 Mobile Enterprise.
Users can install apps from Windows Store that the organization purchases through the Store app on their
device. If you allow your users to log in with a Microsoft account, the Store app on the device provides a
unified method for installing personal and corporate apps.

Windows Store for Business

Windows Store for Business is a web portal that IT pros and purchasers use to find, acquire, manage, and
distribute apps to Windows 10 devices. This online portal gives Azure AD authenticated managers access
to Windows Store for Business functionality and settings. Store managers can create a private section of
Windows Store in which organizations can manage apps specific and private to them. Windows Store for
Business allows organizations to make apps available to their users and purchase app licenses for them.
They can also integrate their Windows Store for Business subscriptions with their MDM systems, so the
MDM system can deploy apps from their free Windows Store for Business subscription.
The process for using Windows Store for Business is as follows:
1. Create a Windows Store for Business subscription for your organization.
2. In the Windows Store for Business portal, acquire apps from Windows Store (only free apps are
   available at this time).
3. In Windows Store for Business, distribute apps to users, and manage the app licenses for the apps
   acquired in the previous step.
4. Integrate your MDM system with your organization's Windows Store for Business subscription.
5. Use your MDM system to deploy the apps.
For more information about Windows Store for Business, see Windows Store for Business.

MAM policies
With MDM, you can manage Device Guard on Windows 10 Mobile and create an allow (whitelist) or deny
(blacklist) list of apps. This capability extends to built-in apps, as well, such as phone, text messaging,
email, and calendar. The ability to allow or deny apps helps to ensure that people use their mobile devices
for their intended purposes.
You can also control users' access to Windows Store and whether the Store service updates apps
automatically. You can manage all these capabilities through your MDM system. Table 18 lists the
Windows 10 Mobile app management settings.
Table 18. Windows 10 Mobile app management settings

Setting | Description
Allow All Trusted Apps | Whether users can sideload apps on the device
Allow App Store Auto Update | Whether automatic updates of apps from Windows Store are allowed
Allow Developer Unlock | Whether developer unlock is allowed
Allow Shared User App Data | Whether multiple users of the same app can share data
Allow Store | Whether Windows Store app is allowed to run
Allow Windows Bridge For Android App Execution | Whether the Windows Bridge for Android app is allowed to run
Application Restrictions | An XML blob that defines the app restrictions for a device (The XML blob can contain an app allow or deny list. You can allow or deny apps based on their app ID or publisher.)
Require Private Store Only | Whether the private store is exclusively available to users (If enabled, only the private store is available. If disabled, the retail catalog and private store are both available.)
Restrict App Data To System Volume | Whether app data is allowed only on the system drive
Restrict App To System Volume | Whether app installation is allowed only to the system drive
Start screen layout | An XML blob used to configure the Start screen (See Start layout for Windows 10 Mobile editions for more information.)

One potential security issue is that users can register as Windows 10 Mobile app developers and turn on
developer features on their device, potentially installing apps from unknown sources and opening the
device to malware threats. To prevent users from turning on developer features on their devices, set the
Disable development unlock (side loading) policy, which you can configure through your MDM system.

Microsoft Edge

MDM systems give you the ability to manage Microsoft Edge on mobile devices. Table 19 lists the
Microsoft Edge settings for Windows 10 Mobile.
Table 19. Microsoft Edge settings for Windows 10 Mobile

Setting | Description
Allow Active Scripting | Whether active scripting is allowed
Allow Autofill | Whether values are automatically filled on websites
Allow Browser | Whether Internet Explorer is allowed on the device
Allow Cookies | Whether cookies are allowed
Allow Do Not Track headers | Whether Do Not Track headers are allowed
Allow InPrivate | Whether users can use InPrivate browsing
Allow Password Manager | Whether users can use Password Manager to save and manage passwords locally
Allow Search Suggestions in Address Bar | Whether search suggestions are shown in the address bar
Allow SmartScreen | Whether SmartScreen Filter is enabled
First Run URL | The URL to open when a user launches Microsoft Edge for the first time
Prevent Smart Screen Prompt Override For Files | Whether users can override the SmartScreen Filter warnings about downloading unverified files

Device operations
In this section, you learn how MDM settings in Windows 10 Mobile enable the following scenarios:

Device update


Device compliance monitoring

Device inventory

Remote assistance

Cloud services

Device update
To help protect mobile devices and their data, you must keep those devices updated. Windows Update
automatically installs updates and upgrades when they become available.
The device update features described in this section are available only in Windows 10 Mobile Enterprise.
You can use your MDM system to postpone system upgrades when you activate an Enterprise license on
managed Windows 10 Mobile devices and control how updates and upgrades are applied. For example,
you can disable updates altogether, defer updates and upgrades, and schedule the day and time to install
updates, as you would with Windows Server Update Services (WSUS) on Windows 10 desktops running
the Current Branch for Business. Table 20 lists the Windows 10 Mobile Enterprise settings that you can use
to configure updates and upgrades.
Table 20. Windows 10 Mobile Enterprise update management settings

Setting                            Description
Allow automatic update             The automatic update behavior for scanning, downloading, and
                                   installing updates; the behavior can be one of the following:
                                   - Notify users prior to downloading updates.
                                   - Automatically install updates, and then notify users to
                                     schedule a restart (this is the default behavior).
                                   - Automatically install and restart devices with user notification.
                                   - Automatically install and restart devices at a specified time.
                                   - Automatically install and restart devices without user interaction.
                                   - Turn off automatic updates.
Allow non Microsoft signed update  Whether automatic updates will accept updates that entities other
                                   than Microsoft have signed
Allow update service               Whether devices can obtain updates from Windows Update, WSUS, or
                                   Windows Store
Monthly security updates deferred  Whether monthly updates (e.g., security patches) are deferred (You
                                   can defer updates up to 4 weeks.)
Nonsecurity upgrades deferred      Whether nonsecurity upgrades are deferred (You can defer upgrades
                                   up to 8 months.)
Pause update deferrals             Whether the device should skip an update cycle (This setting is
                                   valid only when you configure devices to defer updates or upgrades.)
Require update approval            Whether approval is required before updates can be installed on
                                   devices (If approval is required, any updates that have an End
                                   User License Agreement [EULA] are automatically accepted on the
                                   user's behalf.)
Schedule install time              The scheduled time at which updates are installed
Scheduled install day              The schedule of days on which updates are installed
Update deferral period             How long updates should be deferred
Update service URL                 The name of a WSUS server from which to download updates instead
                                   of Windows Update
Upgrade deferral period            How long Windows 10 Mobile upgrades should be deferred
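The settings in Table 20 reach the device as OMA-DM SyncML commands from the MDM server. The following Python script is an example added to this guide (it is not Microsoft code and not part of any MDM product): it checks a Table 20 configuration against the ranges the guide states (updates deferred at most 4 weeks, upgrades at most 8 months, a pause only valid when a deferral is set) and then emits the SyncML Replace commands. The Policy CSP node names under ./Device/Vendor/MSFT/Policy/Config/Update, the integer encodings of the day, hour and automatic-update behavior, and the WSUS server name are assumptions, not values taken from the guide.

```python
"""Build the OMA-DM SyncML that pushes the Table 20 update settings to a
Windows 10 Mobile Enterprise device, validating each value first.
Example code added to this guide, not Microsoft's. The CSP node names and
numeric encodings below are assumptions, not values from the guide."""
import xml.etree.ElementTree as ET

# Assumed CSP root for the update policies (not taken from the guide).
POLICY_ROOT = "./Device/Vendor/MSFT/Policy/Config/Update/"

# Table 20 setting -> (assumed CSP leaf, allowed integer range).
# The deferral limits (4 weeks, 8 months) are the ones the guide gives.
UPDATE_SETTINGS = {
    "Allow automatic update": ("AllowAutoUpdate", 0, 5),         # assumed: index into the six Table 20 behaviors
    "Allow non Microsoft signed update": ("AllowNonMicrosoftSignedUpdate", 0, 1),
    "Allow update service": ("AllowUpdateService", 0, 1),
    "Pause update deferrals": ("PauseDeferrals", 0, 1),
    "Require update approval": ("RequireUpdateApproval", 0, 1),
    "Scheduled install day": ("ScheduledInstallDay", 0, 7),      # assumed: 0 = every day, 1..7 = Sun..Sat
    "Schedule install time": ("ScheduledInstallTime", 0, 23),    # assumed: hour of the day
    "Update deferral period": ("DeferUpdatePeriod", 0, 4),       # weeks
    "Upgrade deferral period": ("DeferUpgradePeriod", 0, 8),     # months
}

# Constructed example: defer updates 2 weeks and upgrades 8 months, install
# at 03:00 on any day, and fetch from an internal WSUS server (placeholder).
EXAMPLE_CONFIG = {
    "Allow automatic update": 3,
    "Update deferral period": 2,
    "Upgrade deferral period": 8,
    "Pause update deferrals": 0,
    "Scheduled install day": 0,
    "Schedule install time": 3,
    "Update service URL": "https://wsus.corp.example:8531",
}


def validate_update_settings(settings):
    """Map Table 20 names to CSP leaves, rejecting out-of-range values so a
    typo in a deferral period never reaches the device."""
    resolved = {}
    for name, value in settings.items():
        if name == "Update service URL":
            if not isinstance(value, str) or not value.startswith(("http://", "https://")):
                raise ValueError(f"{name}: expected a WSUS server URL, got {value!r}")
            resolved["UpdateServiceUrl"] = value
            continue
        if name not in UPDATE_SETTINGS:
            raise ValueError(f"unknown Table 20 setting: {name!r}")
        leaf, low, high = UPDATE_SETTINGS[name]
        if isinstance(value, bool) or not isinstance(value, int) or not low <= value <= high:
            raise ValueError(f"{name}: {value!r} is outside {low}..{high}")
        resolved[leaf] = value
    # The guide says a pause is valid only when a deferral is configured.
    if resolved.get("PauseDeferrals") == 1 and not (
            resolved.get("DeferUpdatePeriod") or resolved.get("DeferUpgradePeriod")):
        raise ValueError("Pause update deferrals needs a nonzero deferral period")
    return resolved


def build_syncml(settings):
    """Emit one OMA-DM <Replace> per setting, the shape of message an MDM
    server sends to the device's built-in management client."""
    resolved = validate_update_settings(settings)
    root = ET.Element("SyncML", xmlns="SYNCML:SYNCML1.2")
    body = ET.SubElement(root, "SyncBody")
    for cmd_id, (leaf, value) in enumerate(resolved.items(), start=1):
        replace = ET.SubElement(body, "Replace")
        ET.SubElement(replace, "CmdID").text = str(cmd_id)
        item = ET.SubElement(replace, "Item")
        ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = POLICY_ROOT + leaf
        fmt = ET.SubElement(ET.SubElement(item, "Meta"), "Format", xmlns="syncml:metinf")
        fmt.text = "chr" if isinstance(value, str) else "int"
        ET.SubElement(item, "Data").text = str(value)
    ET.SubElement(body, "Final")
    return ET.tostring(root, encoding="unicode")


def syncml_items(xml_text):
    """Parse a payload back into {LocURI: Data}, ignoring namespaces, which is
    how a reviewer can check what the server is about to push."""
    def local(tag):
        return tag.rsplit("}", 1)[-1]
    items = {}
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "Item":
            continue
        uri = data = None
        for child in elem.iter():
            if local(child.tag) == "LocURI":
                uri = child.text
            elif local(child.tag) == "Data":
                data = child.text
        items[uri] = data
    return items


if __name__ == "__main__":
    print(build_syncml(EXAMPLE_CONFIG))
```

Running the script prints the SyncML for EXAMPLE_CONFIG; the range check is the useful part, because a deferral value outside the documented limits is rejected before any command is generated.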

In addition to configuring how Windows 10 Mobile Enterprise obtains updates, you can manage
individual Windows 10 Mobile updates. Table 21 provides information about approved updates to help
you control the rollout of new updates to Windows 10 Mobile Enterprise devices.
Table 21. Windows 10 Mobile Enterprise approved update information

Setting                    Description
Approved updates           A list of approved updates. Each update in the list includes the
                           Approved Time setting, which specifies the update approval time. Any
                           approved updates automatically accept EULAs on behalf of users.
Failed updates             A list of updates that failed during installation. Each update in the
                           list includes the following settings:
                           - HResult. The update failure code
                           - Status. The failed update state (e.g., download, install)
Installed updates          A list of updates that are installed on the device.
Installable updates        A list of updates that are available for installation. Each update in
                           the list includes the following settings:
                           - Type. The type of update available for installation, set to one of
                             the following values: 0 (no type), 1 (security), 2 (critical)
                           - Revision Number. The revision number for the update used to get
                             metadata for the update during synchronization.
Pending reboot updates     A list of updates that require a restart to complete update
                           installation. Each update in the list has the Installed Time setting
                           enabled, which specifies the installation time for the update.
Last successful scan time  The last time a successful update scan was completed.
Defer upgrade              Whether the upgrade is deferred until the next update cycle.
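The Table 21 information is what an administrator reads back from a device to decide whether it is keeping up with updates. The following Python function is an example added to this guide (not Microsoft code): it takes an inventory shaped like Table 21 (a constructed sample with placeholder update IDs), flags failed updates with their HResult, security or critical updates that are available but not installed, a stale last scan, and updates that have waited too long for a restart, and lists the updates still needing approval when Require update approval is on. The staleness thresholds are assumptions an organization would tune.

```python
"""Evaluate a device's update state from the Table 21 information.
Example added to this guide, not Microsoft code. The inventory is a
constructed sample with placeholder update IDs; thresholds are assumptions."""
from datetime import datetime, timedelta, timezone

# Type values as documented in Table 21
UPDATE_TYPES = {0: "no type", 1: "security", 2: "critical"}


def parse_time(text):
    """Parse the ISO-8601 UTC timestamps used in the sample inventory."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample shaped like the Table 21 data; IDs are placeholders.
SAMPLE_INVENTORY = {
    "LastSuccessfulScanTime": "2016-06-20T02:10:00Z",
    "RequireUpdateApproval": True,
    "ApprovedUpdates": {"update-0001": {"ApprovedTime": "2016-06-10T09:00:00Z"}},
    "InstalledUpdates": ["update-0001"],
    "FailedUpdates": {"update-0002": {"HResult": 0x80240022, "Status": "install"}},  # sample failure code
    "InstallableUpdates": {
        "update-0003": {"Type": 1, "RevisionNumber": 200},
        "update-0004": {"Type": 0, "RevisionNumber": 101},
    },
    "PendingRebootUpdates": {"update-0005": {"InstalledTime": "2016-06-15T22:30:00Z"}},
}


def evaluate_update_state(inventory, now, max_scan_age=timedelta(days=7),
                          max_pending=timedelta(days=3)):
    """Return a compliance verdict with (severity, message) findings and the
    list of installable updates that still need an administrator's approval."""
    findings = []

    # A device that has not scanned recently cannot know what it is missing.
    last_scan = parse_time(inventory["LastSuccessfulScanTime"])
    if now - last_scan > max_scan_age:
        findings.append(("high", f"last successful scan {(now - last_scan).days} days ago"))

    # Failed installs carry the HResult and the phase (download/install) that failed.
    for uid, info in inventory.get("FailedUpdates", {}).items():
        code = info["HResult"] & 0xFFFFFFFF
        findings.append(("high", f"{uid} failed during {info['Status']} (HResult 0x{code:08X})"))

    # Security (1) and critical (2) updates waiting for installation are a gap.
    approvals = []
    for uid, info in inventory.get("InstallableUpdates", {}).items():
        kind = UPDATE_TYPES.get(info["Type"], "unknown")
        if info["Type"] in (1, 2):
            findings.append(("high", f"{uid} ({kind}) is available but not installed"))
        if inventory.get("RequireUpdateApproval") and uid not in inventory.get("ApprovedUpdates", {}):
            approvals.append((uid, kind))

    # An installed update is not protecting anything until the device restarts.
    for uid, info in inventory.get("PendingRebootUpdates", {}).items():
        waited = now - parse_time(info["InstalledTime"])
        severity = "high" if waited > max_pending else "low"
        findings.append((severity, f"{uid} installed {waited.days} days ago, restart pending"))

    return {
        "compliant": not any(severity == "high" for severity, _ in findings),
        "findings": findings,
        "approvals_needed": sorted(approvals),
    }


if __name__ == "__main__":
    verdict = evaluate_update_state(SAMPLE_INVENTORY, parse_time("2016-06-22T00:00:00Z"))
    print("compliant:", verdict["compliant"])
    for severity, message in verdict["findings"]:
        print(f"  [{severity}] {message}")
    print("needs approval:", verdict["approvals_needed"])
```

The approval list separates the administrator's rollout decision from the device's state: security and critical updates can be approved immediately while an untyped update is held back, which is the control over rollout the paragraph above describes.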

Device compliance monitoring
You can use your MDM system to monitor compliance. Windows 10 Mobile provides audit information to
track issues or perform remedial actions. This information helps you ensure that devices are configured to
comply with organizational standards.
You can also assess the health of devices that run Windows 10 Mobile and take enterprise policy actions.
The process that the health attestation feature in Windows 10 Mobile uses is as follows:
1. The health attestation client collects data used to verify device health.
2. The client forwards the data to the Health Attestation service (HAS).
3. The HAS generates a Health Attestation Certificate.
4. The client forwards the Health Attestation Certificate and related information to the MDM system for
   verification.
For more information about health attestation in Windows 10 Mobile, see the Windows 10 Mobile
security overview.
Depending on the results of the health state validation, an MDM system can take one of the following
actions:

Allow the device to access resources.

Allow the device to access resources but identify the device for further investigation.

Prevent the device from accessing resources.

Table 21 lists data points that the HAS collects and evaluates from devices that run Windows 10 Mobile to
determine the action to perform. For most of these data points, the MDM system can take one of the
following actions:

Disallow all access.

Disallow access to high-business-impact assets.

Allow conditional access based on other data points that are present at evaluation time, for example,
other attributes on the health certificate or a device's past activities and trust history.

Take one of the previous actions, and also place the device on a watch list to monitor it more closely
for potential risks.

Take corrective action, such as informing IT administrators to contact the owner and investigate the
issue.

Table 21. Windows 10 Mobile HAS data points

Data point                           Description
Attestation Identity Key (AIK)       Indicates that an AIK is present (i.e., the device can be trusted
  present                            more than a device without an AIK).
Data Execution Prevention (DEP)      Whether a DEP policy is enabled for the device, indicating that
  enabled                            the device can be trusted more than a device without a DEP policy.
BitLocker status                     BitLocker helps protect the storage on the device. A device with
                                     BitLocker can be trusted more than a device without BitLocker.
Secure Boot enabled                  Whether Secure Boot is enabled on the device. A device with Secure
                                     Boot enabled can be trusted more than a device without Secure Boot.
                                     Secure Boot is always enabled on Windows 10 Mobile devices.
Code integrity enabled               Whether the code integrity of a drive or system file is validated
                                     each time it's loaded into memory. A device with code integrity
                                     enabled can be trusted more than a device without code integrity.
Safe mode                            Whether Windows is running in safe mode. A device that is running
                                     Windows in safe mode isn't as trustworthy as a device running in
                                     standard mode.
Running Windows Preinstallation      Whether the device is running Windows PE. A device running
  Environment (Windows PE)           Windows PE isn't as secure as a device running Windows 10 Mobile.
Boot debug enabled                   Whether the device has boot debug enabled. A device that has boot
                                     debug enabled is less secure (trusted) than a device without boot
                                     debug enabled.
OS kernel debugging enabled          Whether the device has operating system kernel debugging enabled.
                                     A device that has operating system kernel debugging enabled is
                                     less secure (trusted) than a device with operating system kernel
                                     debugging disabled.
Test signing enabled                 Whether test signing is disabled. A device that has test signing
                                     disabled is more trustworthy than a device that has test signing
                                     enabled.
Boot Manager Version                 The version of the Boot Manager running on the device. The HAS can
                                     check this version to determine whether the most current Boot
                                     Manager is running, which is more secure (trusted).
Code integrity version               Specifies the version of code that is performing integrity checks
                                     during the boot sequence. The HAS can check this version to
                                     determine whether the most current version of code is running,
                                     which is more secure (trusted).
Secure Boot Configuration Policy     Whether the hash of the custom SBCP is present. A device with an
  (SBCP) present                     SBCP hash present is more trustworthy than a device without an
                                     SBCP hash.
Boot cycle whitelist                 The view of the host platform between boot cycles as defined by
                                     the manufacturer compared to a published whitelist. A device that
                                     complies with the whitelist is more trustworthy (secure) than a
                                     device that is noncompliant.
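The MDM system has to turn the Table 21 data points into one of the actions listed above (disallow all access, disallow high-business-impact assets, allow, with or without a watch list). The following Python policy is an example added to this guide, not Microsoft code and not the logic of any particular MDM product. The report field names are constructed to mirror the table's data points, the sample report is constructed, and the split into hard failures (boot-chain state that cannot be trusted), soft failures (missing AIK, DEP, BitLocker or SBCP) and minimum component versions is an assumed policy; a missing data point is treated as a failure so that the check fails closed.

```python
"""Map HAS data points (Table 21) to an MDM access decision.
Example added to this guide, not Microsoft code. Field names mirror the
table's data points but are constructed; the policy split is assumed."""

# Actions named in the guide, from most to least restrictive
DENY_ALL = "disallow all access"
DENY_HBI = "disallow access to high-business-impact assets"
ALLOW = "allow access"

# Constructed sample report; keys mirror the Table 21 data points.
SAMPLE_REPORT = {
    "aik_present": True,
    "dep_enabled": True,
    "bitlocker_enabled": True,
    "secure_boot_enabled": True,
    "code_integrity_enabled": True,
    "safe_mode": False,
    "windows_pe": False,
    "boot_debug_enabled": False,
    "kernel_debug_enabled": False,
    "test_signing_enabled": False,
    "boot_manager_version": 12,
    "code_integrity_version": 9,
    "sbcp_present": True,
    "boot_cycle_whitelist_compliant": True,
}

# Assumed policy: any of these in the wrong state means the boot chain itself
# cannot be trusted, so the device gets no access at all.
HARD_FAIL = {
    "secure_boot_enabled": True, "code_integrity_enabled": True,
    "safe_mode": False, "windows_pe": False,
    "boot_debug_enabled": False, "kernel_debug_enabled": False,
    "test_signing_enabled": False, "boot_cycle_whitelist_compliant": True,
}
# Assumed policy: these lower trust without breaking the chain, so the device
# keeps ordinary access but is kept away from high-business-impact assets.
SOFT_FAIL = {
    "aik_present": True, "dep_enabled": True,
    "bitlocker_enabled": True, "sbcp_present": True,
}
# Assumed minimum versions the HAS should report for the boot components.
MIN_VERSIONS = {"boot_manager_version": 12, "code_integrity_version": 9}


def evaluate_health(report, min_versions=MIN_VERSIONS):
    """Return the action to take plus the data points behind it. A data point
    missing from the report counts as failed (fail closed)."""
    reasons = {"deny": [], "restrict": [], "watch": []}
    for key, expected in HARD_FAIL.items():
        if report.get(key) != expected:
            reasons["deny"].append(key)
    for key, expected in SOFT_FAIL.items():
        if report.get(key) != expected:
            reasons["restrict"].append(key)
    for key, minimum in min_versions.items():
        if report.get(key, 0) < minimum:
            reasons["watch"].append(f"{key} {report.get(key)} < {minimum}")

    if reasons["deny"]:
        action = DENY_ALL
    elif reasons["restrict"]:
        action = DENY_HBI
    else:
        action = ALLOW
    # Out-of-date boot components and reduced-trust devices go on the watch
    # list for closer monitoring, which is the "also place the device on a
    # watch list" option from the guide.
    watch = bool(reasons["watch"]) or action == DENY_HBI
    # Corrective action (tell an administrator) whenever access is restricted.
    return {"action": action, "watch_list": watch,
            "notify_admin": action != ALLOW, "reasons": reasons}


if __name__ == "__main__":
    for label, report in (("healthy", SAMPLE_REPORT),
                          ("kernel debugger attached", dict(SAMPLE_REPORT, kernel_debug_enabled=True))):
        print(label, "->", evaluate_health(report))
```

Because the checks are keyed on the table's data points, adding a new data point is a matter of adding one entry to HARD_FAIL or SOFT_FAIL rather than rewriting the decision; the watch-list and notification flags are derived from the action so they cannot drift out of step with it.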

Device inventory
Device inventory helps organizations better manage devices because it provides in-depth information
about those devices. MDM systems collect inventory information remotely, and you can use the systems
reporting capabilities to analyze device resources and information. With this information, you can
determine the current hardware and software resources of the device (e.g., installed updates).
Table 22 lists examples of the Windows 10 Mobile software and hardware information that a device
inventory provides. In addition to this information, the MDM system can read any of the configuration
settings described in this guide.
Table 22. Windows 10 Mobile software and hardware inventory examples

Setting                              Description
Installed enterprise apps            List of the enterprise apps installed on the device
Device name                          The device name configured for the device
Firmware version                     Version of firmware installed on the device
Operating system version             Version of the operating system installed on the device
Device local time                    Local time on the device
Processor type                       Processor type for the device
Device model                         Model of the device as defined by the manufacturer
Device manufacturer                  Manufacturer of the device
Device processor architecture        Processor architecture for the device
Device language                      Language in use on the device
Phone number                         Phone number assigned to the device
Roaming status                       Indicates whether the device has a roaming cellular connection
International mobile equipment       Unique identifiers for the cellular connection for the phone;
  identity (IMEI) and international  Global System for Mobile Communications networks identify valid
  mobile subscriber identity (IMSI)  devices by using the IMEI, and all cellular networks use the IMSI
                                     to identify the device and user
Wi-Fi IP address                     IPv4 and IPv6 addresses currently assigned to the Wi-Fi adapter in
                                     the device
Wi-Fi media access control (MAC)     MAC address assigned to the Wi-Fi adapter in the device
  address
Wi-Fi DNS suffix and subnet mask     DNS suffix and IP subnet mask assigned to the Wi-Fi adapter in the
                                     device
Secure Boot state                    Indicates whether Secure Boot is enabled
Enterprise encryption policy         Indicates whether the device is encrypted
  compliance

Remote assistance
The remote assistance features in Windows 10 Mobile help resolve issues that users might encounter even
when the help desk does not have physical access to the device. These features include:

Remote lock. Support personnel can remotely lock a device. This ability can help when a user loses
his or her mobile device and can retrieve it but not immediately (e.g., leaving the device at a customer
site).

Remote PIN reset. Support personnel can remotely reset the PIN, which helps when users forget
their PIN and are unable to access their device. No corporate or user data is lost, and users are able to
gain access to their devices quickly.

Remote ring. Support personnel can remotely make devices ring. This ability can help users locate
misplaced devices and, in conjunction with the Remote Lock feature, help ensure that unauthorized
users are unable to access the device if they find it.

Remote find. Support personnel can remotely locate a device on a map, which helps identify the
geographic location of the device. To configure Windows 10 Mobile remote find, use the settings in
Table 23. The remote find feature returns the most current latitude, longitude, and altitude of the
device.
These remote management features help organizations reduce the IT effort required to manage devices.
They also help users quickly regain use of their device should they misplace it or forget the device
password.
Table 23. Windows 10 Mobile remote find settings

Setting                    Description
Desired location accuracy  The desired accuracy as a radius value in meters; has a value between 1
                           and 1,000 meters
Maximum remote find        Maximum length of time in minutes that the server will accept a
                           successful remote find; has a value between 0 and 1,000 minutes
Remote find timeout        The number of seconds devices should wait for a remote find to finish;
                           has a value between 0 and 1,800 seconds

Cloud services
On mobile devices that run Windows 10 Mobile, users can easily connect to apps and data. As a result,
they frequently connect to cloud services that provide user notifications and collect telemetry (usage
data). Windows 10 Mobile enables organizations to manage how devices consume these cloud services.
Manage push notifications
The Windows Push Notification Services enable software developers to send toast, tile, badge, and raw
updates from their cloud services. It provides a mechanism to deliver updates to users in a power-efficient
and dependable way.
Push notifications can affect battery life, however, so the battery saver in Windows 10 Mobile limits
background activity on the devices to extend battery life. Users can configure battery saver to turn on
automatically when the battery drops below a set threshold. When battery saver is on, Windows 10
Mobile disables the receipt of push notifications to save energy.
There is an exception to this behavior, however. In Windows 10 Mobile, the Always allowed battery saver
settings (found in the Settings app) allow apps to receive push notifications even when battery saver is on.
Users can manually configure this list, or you can use the MDM system to configure it; that is, you can
use the battery saver settings URI scheme in Windows 10 Mobile (ms-settings:batterysaver-settings) to
configure these settings.
For more information about push notifications, see Windows Push Notification Services (WNS) overview.


Manage telemetry
As people use Windows 10 Mobile, it can collect performance and usage telemetry that helps Microsoft
identify and troubleshoot problems as well as improve its products and services. Microsoft recommends
that you select Full for this setting.
Microsoft employees, contractors, vendors, and partners might have access to relevant portions of the
information that Windows 10 Mobile collects, but they are permitted to use the information only to repair
or improve Microsoft products and services or third-party software and hardware designed for use with
Microsoft products and services.
You can control the level of data that MDM systems collect. Table 24 lists the data levels that Windows 10
Mobile collects and provides a brief description of each. To configure devices, specify one of these levels
in the Allow Telemetry setting.
Table 24. Windows 10 Mobile data collection levels

Level of data  Description
Security       Collects only the information required to keep Windows 10 Mobile enterprise-grade
               secure, including information about telemetry client settings, the Malicious Software
               Removal Tool, and Windows Defender. This level is available only on Windows 10
               Enterprise, Windows 10 Education, and Windows 10 IoT Core. For Windows 10 Mobile,
               this setting disables Windows 10 Mobile telemetry.
Basic          Provides only the data vital to the operation of Windows 10 Mobile. This data level
               helps keep Windows 10 Mobile and apps running properly by letting Microsoft know
               the device's capabilities, what's installed, and whether Windows is operating correctly.
               This option also turns on basic error reporting back to Microsoft. By selecting this
               option, you allow Microsoft to provide updates through Windows Update, including
               malicious software protection through the Malicious Software Removal Tool.
Enhanced       Includes all Basic data plus data about how users use Windows 10 Mobile, such as how
               frequently or how long they use certain features or apps and which apps they use most
               often. This option also lets the operating system collect enhanced diagnostic
               information, such as the memory state of a device when a system or app crash occurs,
               and measure reliability of devices, the operating system, and apps.
Full           Includes all Basic and Enhanced data and also turns on advanced diagnostic features
               that collect additional data from devices, such as system files or memory snapshots,
               which may unintentionally include parts of documents users are working on when a
               problem occurred. This information helps Microsoft further troubleshoot and fix
               problems. If an error report contains personal data, Microsoft does not use that
               information to identify, contact, or target advertising to users.


Device retirement
Device retirement (unenrollment) is the last phase of the device life cycle. Historically, mobile device
retirement has been a complex and difficult process for organizations. When the organization no longer
needs devices, it must remove (wipe) corporate data from them. BYOD scenarios make retirement even
more complex because users expect their personal apps and data to remain untouched. Therefore,
organizations must remove their data without affecting users' data.
You can remotely remove all corporate data from devices that run Windows 10 Mobile without affecting
existing user data (partial or enterprise wipe). The help desk or the devices' users can initiate device
retirement. When retirement is complete, Windows 10 Mobile returns the devices to a consumer state, as
they were before enrollment. The following list summarizes the corporate data removed from a device
when it's retired:

Email accounts

Enterprise-issued certificates

Network profiles

Enterprise-deployed apps

Any data associated with the enterprise-deployed apps

Note:
All these features are in addition to the device's software and hardware factory reset features, which
users can use to restore devices to their factory configuration.

To specify whether users can delete the workplace account in Control Panel and unenroll from the MDM
system, enable the Allow Manual MDM Unenrollment setting. Table 25 lists additional Windows 10
remote wipe settings that you can use the MDM system to configure.
Table 25. Windows 10 Mobile remote wipe settings

Setting                     Description
Wipe                        Specifies that a remote wipe of the device should be performed
Allow manual MDM            Whether users are allowed to delete the workplace account (i.e., unenroll
  unenrollment              the device from the MDM system)
Allow user to reset phone   Whether users are allowed to use Control Panel or hardware key
                            combinations to return the device to factory defaults
