Enable Application Control to whitelist and blacklist specific applications to allow or prevent use of applications on devices. Application Control uses Microsoft AppLocker configurations to enforce app control on Windows 10 devices.

  • Create policies using Audit Only mode first. After verifying with the Audit Only version on a test device, create an Enforce mode version for use with your devices. Failing to test policies before general use may result in your devices becoming unusable.
  • Create default rules and any other desired rules for your organization to reduce chances of locking the default configurations or breaking devices after reboot. For more information on creating rules, see the Microsoft TechNet article on AppLocker.


To configure an XML configuration file, you must configure the AppLocker settings on a device and export the file for use with the profile.

The Application Control profile requires Windows 10 Enterprise or Education.


  1. On the configuration device, start the Local Security Policy editor.
  2. Navigate to Application Control Policies > AppLocker and select Configure Rule Enforcement.
  3. Enable Executable Rules, Windows Installer Rules, and Script Rules enforcement by selecting Enforce Rules.
  4. Create Executable Rules, Windows Installer Rules, and Script Rules by selecting the folder on the right then right-clicking the folder and selecting Create New Rule.
    Remember to create Default Rules to reduce chances of locking the default configuration or breaking the device.
  5. After creating all the rules you want, right-click AppLocker and select Export Policy and save the XML configuration file.
  6. Navigate in the Workspace ONE UEM console to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.
  7. Select Windows and then select Windows Desktop.
  8. Select Device Profile.
  9. Configure the profile General settings.
  10. Select the Application Control payload.
  11. Select Import Sample Device Configuration and select Upload to add your Policy Configuration File.
  12. Select Save & Publish.