Deploy a restrictions payload for added security on Windows Phone devices. Restrictions payloads for Windows Phone devices can disable end user access to device features to ensure devices are not tampered with.

The Windows version and edition you use change what restrictions apply to a device.

To enforce a Restrictions profile:

  1. Navigate to Devices > Profiles > List View > Add and select Add Profile.

  2. Select Windows and then select Windows Phone.
  3. Configure the profile's General settings.

    These settings determine how the profile deploys and who receives it. For more information on General settings, see Add General Profile Settings.

  4. Select the Restrictions profile.
  5. Configure the Administration settings:
    Settings Descriptions
    Allow Manual MDM Enrollment

    Allow the end user to enroll into AirWatch through the native MDM enrollment.

    This restriction applies to all Windows Phone devices.

    Allow User To Reset Phone

    Allow the end user to factory reset their device.

    This restriction applies to all Windows Phone devices.

    Security and Privacy
    Allow Adding Non-Microsoft Accounts Manually Allow the end user to add accounts such as Facebook or Twitter manually.

    Allow Microsoft to experiment with the product to study user preferences or device behavior.

    This restriction applies to Windows 10 Mobile devices only.


    Allow the use of location services.

    This restriction applies to all Windows Phone devices.

    Allow Manual Root Certificate Installation

    Allow end user to manually install root and intermediate CAP certificates.

    This restriction applies to all Windows Phone devices.

    User Decryption

    Allow users to decrypt the device.

    This restriction applies to Windows 10 Mobile devices only.

    Allow Telemetry Allow the device to send telemetry information (such as SQM or Watson) to the AirWatch Console.
    Allow User to Change Data Sense Settings Allows the user to change the Data Sense application settings.
    Date/Time Allows the user to change the Date and Time settings.
    VPN Allows the user to change the VPN configuration.
    Allow User to Change Account Settings Allows the user to change the Account settings.
    Device Functionality
    Allow Action Center Notifications Allow app and device notifications to display in the Action Center of the device.
    App Store Allow access to the app store.
    App Store Auto Update Allows applications from the app store to automatically update.
    Bluetooth Allow the connection of devices through Bluetooth.
    Allow Browser Allow end users to use the native Internet Explorer browser.
    Camera Allows the user to access the camera function of the device.
    Allow Copy and Paste Allows the user to copy and paste on the device.
    Cortana Allow access to the Cortana application.
    Direct Memory Access Allows direct memory access.
    Indexing of Encrypted Stores or Items Allows the indexing of encrypted stores or items for faster searching.
    Allow NFC Allow the use of the Near Field Communication chip on the device.
    Allow Save as of Office Files Allows the user to Save as Office files and change the file name and location.
    Allow Sharing Office Files Allows the users to share Office files.
    Allow Search to Use Location Allows the user searches to use the device location services.
    Screen Capture Allows the user to take screenshots of the device.
    Allow Storage Card Allow the use of a SD card.
    Allow Storing of Vision Search Images Allow the storage of Vision Search images onto the device.
    Allow Sync Settings Between Devices Allows the users to sync their settings preferences between Windows Phone 8.1+ and Windows Desktop devices.
    Allow Task Switching Allows the users to use the task switcher to switch between apps.
    Allow USB Connection Allow desktop to access phone storage through USB. Both MTP and IPoUSB are disabled when this restriction is enforced.
    Use Diacritics Allows the use of diacritics for languages such as the accent or cedilla.
    Automatic Language Detection Specifies whether to always use automatic language detection when indexing content and properties.
    Allow Voice Recording Allow the end users to record voice recordings.
    Require Device Encryption

    Encrypt all data stored on the device to prevent an end user from accessing readable, sensitive information.


    If you select this feature, you cannot return to not encrypting device data by simply deselecting the checkbox. In order to return the device to an unencrypted state, you must restore the device to factory settings (i.e., device wipe).

    Require Strict Safe Search Require searches to use the strict safe search setting.
    Allow Non-Windows Store Trusted Applications Allows the downloading and installation of applications that are not trusted by the Windows Store.
    Allow Developer Unlock Allows the user of the Developer Unlock setting for sideloading applications onto devices.
    Allow Shared Among Multiple Users of the Same App Allows sharing of data between multiple users of an app.
    Restrict App Data to System Volume Restricts app data to the same volume as the OS instead of secondary volumes or removable media.
    Restrict Installation of Applications to System Drive Restricts the installation of apps to the system drive instead of secondary drives or removable media.
    Allow Auto Connect to Wi-Fi Sense Hotspots Allow the device to automatically connect to Wi-Fi hotspots using the Wi-Fi Sense functionality.
    Allow Cellular Data Roaming Allow cellular data usage while roaming.
    Allow Internet Sharing Allow Internet sharing between devices.
    Allow Manual VPN Configuration Allow creation of VPN connections.
    Allow Manual Wi-Fi Configuration Allow connections to Wi-Fi outside of the MDM server installed networks.
    VPN Over Cellular Allow the device to create a VPN over cellular networks.
    VPN Roaming over Cellular Allow the device to create a VPN while roaming over cellular networks.
    Wi-Fi Allows the users to connect to Wi-Fi.
    Allow Wi-Fi Hotspots Reporting Allow Wi-Fi Hotspots information reporting to Microsoft. Once disallowed, the user cannot turn this function on.
    WLAN Scan Frequency Select the frequency of scans when the device searches for Wi-Fi networks to connect to.
    Cellular App Download Limit Set the application file size limit to prevent the users from downloading large apps over cellular data.
    Cookies Allows the use of cookies.
    Do Not Track Allows the sending of Do Not Track requests.
    Password Manager Allows the use of the password manager to store website credentials.
    SmartScreen Filter Allows the use of the SmartScreen Filter to protect devices from malicious sites and downloads.
  6. Select Save & Publish when you are finished to push the profile to the devices.