Profiles in Workspace ONE UEM are the primary means to manage and configure your Windows 10 devices. Find information about various profiles that connect to and protect resources, that restrict and control devices, and that are specific to Dell.

What Are Profiles?

You can think of profiles as the settings and rules that, when combined with compliance policies, help you enforce corporate rules and procedures. They contain the settings, configurations, and restrictions that you want to enforce on devices.

A profile consists of the general profile settings and a specific payload. Profiles work best when they contain only a single payload.

User or Device Level

Windows Desktop profiles apply to a device at either the user level or the device level. When creating Windows Desktop profiles, you select the level the profile applies to. Some profiles are not available for both levels and you can only apply them to either the user level or the device level. The Workspace ONE UEM console identifies which profiles are available at what level. The following caveats apply to the successful use of device and user profiles.

  • Workspace ONE UEM runs commands that apply to the device context even if the device has no active enrolled user login.
  • User-specific profiles require an active enrolled user login.

Antivirus

Create an Antivirus profile to configure the native Windows Defender Antivirus on Windows Desktop devices. Windows Defender configured for all your devices ensures that your end users are protected as they use the device.

Important: This profile only configures native Windows Defender Antivirus and not other third-party antivirus appliances.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.

  3. Select Device Profile.

  4. Configure the profile General settings.

  5. Select the Antivirus Profile.

  6. Configure the Antivirus settings:

    • Real-time Monitoring - Enable to configure Windows Defender Antivirus to monitor the device in real time.
    • Real-time Scan Direction - Enable to configure Windows Defender Antivirus to monitor inbound files, outbound files, or all files. Use this option to help network performance for those servers or server roles you defined for Windows Server installations that handle traffic in one direction.
    • Cloud Protection Level - Enable to configure how aggressive Windows Defender Antivirus is in blocking and scanning suspicious files. Consider network performance when setting this menu item.
    • Cloud Block Timeout - Select a time, in seconds, for a file to remain blocked while Windows Defender Antivirus analyzes its threat potential. The default block time is 10 seconds. The system adds the seconds set in this menu item to the default time.
    • Signature Updates - Includes the following settings:
      • Signature update interval in hours
      • Signature update file share sources
      • Check for Signature Before Running Scan
      • Signature Update Fallback Order
    • Scan Interval
      • Full Scan - Enable to schedule when a full system scan runs. Select the time interval (in hours) between scans.
      • Quick Scan - Enable to schedule when a quick system scan runs. Select the time interval (in hours) between scans.
    • Exclusions - Select the file paths or processes to exclude from the Windows Defender Antivirus scans. Select Add New to add an exception.
    • Threat Default Action (Low, Moderate, High, Severe threats) - Set the default action for the different threat levels found during scans.
      • Clean – Select to clean the issues with the threat.
      • Quarantine – Select to separate the threat into a quarantine folder.
      • Remove – Select to remove the threat from your system.
      • Allow – Select to let the threat stay.
      • User Defined – Select to let the user decide what to do with the threat.
      • No Action – Select to take no action with the threat.
      • Block – Select to block the threat from accessing the device.
    • Advanced Scan
      • Avg CPU Load Factor - Set the maximum average percentage of CPU that Windows Defender Antivirus can use during scans.
      • UI Lockdown - Enable to completely lock down the UI so end users cannot change settings.
      • Catchup Full Scan - Enable to run a full scan that was interrupted or missed previously.
      • Catchup Quick Scan - Enable to run a quick scan that was interrupted or missed previously.
        A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
      • Behavior Monitoring - Enable to set the virus scanner to send an activity log to Microsoft.
      • Intrusion Prevention System - Enable to configure the network protection against the exploitation of known vulnerabilities. This option enables Windows Defender Antivirus to monitor connections continuously and identify potentially malicious behavior patterns. In this respect, the software behaves like a classic virus scanner, except that instead of scanning files it scans network traffic.
      • PUA Protection - Enable to set Windows Defender Antivirus to monitor for potentially unwanted applications (PUA) on end clients.
      • IOAV Protection - Enable to have Windows Defender scan downloaded files.
      • OnAccess Protection - Enable to set Windows Defender Antivirus to protect files and folders from unauthorized access.
      • Cloud Protection - Enable to set Windows Defender Antivirus to detect and prevent threats quickly using proprietary resources and machine learning.
      • User Consent - Enable to set Windows Defender Antivirus to prompt the end client user for consent before it acts on identified threats.
      • Scan Email - Enable to allow Windows Defender to scan emails.
      • Scan Mapped Network Drives - Enable to allow Windows Defender Antivirus to scan network drives mapped to devices.
      • Scan Archives - Enable to allow Windows Defender Antivirus to scan archived folders.
      • Scan Removable Drives - Enable to allow Windows Defender Antivirus to scan any removable drives attached to the device.
      • Remove Quarantined Files After - Set how long files are quarantined before being removed.
  7. Select Save & Publish.

Application Control

Limit which applications can be installed onto Windows Desktop devices with the Application Control profile. Limiting application installs protects your data from malicious apps and prevents end users from accessing unwanted apps on corporate devices.

To allow or prevent installation of applications on devices, you can enable Application Control to trust and block specific applications. While the compliance engine monitors devices for trusted and blocked apps, Application Control prevents users from even attempting to add or remove applications. For example, prevent a certain game application from ever installing on a device, or allow only specific trusted apps to be installed on a device. Blocked apps installed on the device before the Application Control payload is pushed to the device are disabled after the profile is pushed.

The Application Control profile helps reduce the cost of device management by preventing users from running prohibited apps that cause issues. Preventing apps from causing issues reduces the number of calls your support staff must answer.

Configuring an Application Control Profile

Enable Application Control to trust and block specific applications to allow or prevent use of applications on devices. Application Control uses Microsoft AppLocker configurations to enforce app control on Windows 10 devices.

To configure an XML configuration file, you must configure the AppLocker settings on a device and export the file for use with the profile.

The Application Control profile requires Windows 10 Enterprise or Education.

Important:

  • Create policies using Audit Only mode first. After verifying with the Audit Only version on a test device, create an Enforce mode version for use with your devices. Failing to test policies before general use may result in your devices becoming unusable.
  • Create default rules and any other desired rules for your organization to reduce chances of locking the default configurations or breaking devices after reboot. For more information on creating rules, see the Microsoft TechNet article on AppLocker.

Procedure

  1. On the configuration device, start the Local Security Policy editor.
  2. Navigate to Application Control Policies > AppLocker and select Configure Rule Enforcement.
  3. Enable Executable Rules, Windows Installer Rules, and Script Rules enforcement by selecting Enforce Rules.
  4. Create Executable Rules, Windows Installer Rules, and Script Rules by selecting the folder on the right then right-clicking the folder and selecting Create New Rule. Remember to create Default Rules to reduce chances of locking the default configuration or breaking the device.
  5. After creating all the rules you want, right-click AppLocker and select Export Policy and save the XML configuration file.
  6. Navigate in the Workspace ONE UEM console to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.
  7. Select Windows and then select Windows Desktop.
  8. Select Device Profile.
  9. Configure the profile General settings.
  10. Select the Application Control payload.
  11. Select Import Sample Device Configuration and select Upload to add your Policy Configuration File.
  12. Select Save & Publish.
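An added check for the exported policy file, not code from Workspace ONE UEM or Microsoft: before you upload the AppLocker XML, it confirms that the Exe, Msi, and Script rule collections are present in the expected enforcement mode (AuditOnly for the test rollout, Enabled for the production copy) and that each still carries its default Allow rules, which is what keeps a device usable after reboot. The sample policy and its rule IDs are constructed for this example.

```python
"""Sanity-check an exported AppLocker policy before uploading it as an
Application Control payload (added example, not Workspace ONE UEM code)."""
import xml.etree.ElementTree as ET

ADMINISTRATORS_SID = "S-1-5-32-544"   # BUILTIN\Administrators
EVERYONE_SID = "S-1-1-0"              # Everyone

# Paths the AppLocker default rules allow for Everyone, per collection type.
DEFAULT_EVERYONE_PATHS = {
    "Exe":    {r"%PROGRAMFILES%\*", r"%WINDIR%\*"},
    "Script": {r"%PROGRAMFILES%\*", r"%WINDIR%\*"},
    "Msi":    {r"%WINDIR%\Installer\*"},
}
# The default Administrators rule uses "*" (Exe/Script) or "*.*" (Msi).
ADMIN_ANY_PATHS = {"*", "*.*"}


def allowed_paths(collection, sid):
    """Set of paths that Allow FilePathRules in this collection grant to sid."""
    paths = set()
    for rule in collection.findall("FilePathRule"):
        if rule.get("Action") != "Allow" or rule.get("UserOrGroupSid") != sid:
            continue
        for cond in rule.findall("Conditions/FilePathCondition"):
            paths.add(cond.get("Path"))
    return paths


def check_applocker_policy(xml_text, expect_mode="AuditOnly"):
    """Return a list of findings; an empty list means the policy passed.

    expect_mode is "AuditOnly" for the test rollout and "Enabled" (the XML
    value behind 'Enforce rules') for the production copy of the policy.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "AppLockerPolicy":
        return [f"root element is <{root.tag}>, expected <AppLockerPolicy>"]
    collections = {c.get("Type"): c for c in root.findall("RuleCollection")}
    findings = []
    for ctype, needed in DEFAULT_EVERYONE_PATHS.items():
        col = collections.get(ctype)
        if col is None:
            findings.append(f"{ctype}: rule collection missing")
            continue
        mode = col.get("EnforcementMode", "NotConfigured")
        if mode != expect_mode:
            findings.append(f"{ctype}: EnforcementMode is {mode}, expected {expect_mode}")
        if not allowed_paths(col, ADMINISTRATORS_SID) & ADMIN_ANY_PATHS:
            findings.append(f"{ctype}: no default Allow-all rule for Administrators")
        for path in sorted(needed - allowed_paths(col, EVERYONE_SID)):
            findings.append(f"{ctype}: no default Allow rule for Everyone on {path}")
    return findings


def path_rule(rule_id, name, sid, path):
    """Build one FilePathRule element for the constructed sample below."""
    return (
        f'<FilePathRule Id="{rule_id}" Name="{name}" Description="" '
        f'UserOrGroupSid="{sid}" Action="Allow">'
        f'<Conditions><FilePathCondition Path="{path}"/></Conditions></FilePathRule>'
    )


# Constructed sample (placeholder rule IDs): Exe and Script are complete and in
# AuditOnly; Msi was switched to Enabled and lost its Everyone/Installer rule.
SAMPLE_POLICY = "\n".join([
    '<AppLockerPolicy Version="1">',
    '<RuleCollection Type="Exe" EnforcementMode="AuditOnly">',
    path_rule("placeholder-0001", "(Default Rule) Program Files", EVERYONE_SID, r"%PROGRAMFILES%\*"),
    path_rule("placeholder-0002", "(Default Rule) Windows folder", EVERYONE_SID, r"%WINDIR%\*"),
    path_rule("placeholder-0003", "(Default Rule) All files", ADMINISTRATORS_SID, "*"),
    "</RuleCollection>",
    '<RuleCollection Type="Script" EnforcementMode="AuditOnly">',
    path_rule("placeholder-0004", "(Default Rule) Program Files", EVERYONE_SID, r"%PROGRAMFILES%\*"),
    path_rule("placeholder-0005", "(Default Rule) Windows folder", EVERYONE_SID, r"%WINDIR%\*"),
    path_rule("placeholder-0006", "(Default Rule) All scripts", ADMINISTRATORS_SID, "*"),
    "</RuleCollection>",
    '<RuleCollection Type="Msi" EnforcementMode="Enabled">',
    path_rule("placeholder-0007", "(Default Rule) All Installer files", ADMINISTRATORS_SID, "*.*"),
    "</RuleCollection>",
    "</AppLockerPolicy>",
])

if __name__ == "__main__":
    for finding in check_applocker_policy(SAMPLE_POLICY) or ["policy passed"]:
        print(finding)
```

Run it against the XML you exported in step 5 by reading the file into `check_applocker_policy`; fix every finding before the import in step 11.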

BIOS

Configure BIOS settings for select Dell enterprise devices with the BIOS profile. This profile requires integration with Dell Command | Monitor.

Support for the BIOS profile settings varies by Dell Enterprise device. Workspace ONE UEM only pushes the settings a device supports. If you push this profile to devices, Workspace ONE UEM automatically pushes the Dell Command | Monitor app to the devices.

Prerequisites

If you want to use the configuration package feature, you must push the Dell Command | Configure app to devices.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.

  3. Select Device Profile.

  4. Configure the profile General settings.

  5. Select the BIOS payload and configure the following settings.

    • BIOS Password Setting - Select Managed to have Workspace ONE UEM auto-generate a strong, unique BIOS password for devices. You can access the generated password from the Device Details page. Select Manual to enter your own BIOS password.
    • BIOS Password - Enter the password used to unlock the BIOS of the device. This setting displays when the BIOS Password Setting is set to Manual.
    • TPM Chip - Select Enable to enable the device Trusted Platform Module chip. If you disable the TPM Chip, you also disable the one-time BIOS password capability. The BIOS password set from the Managed BIOS Profile does not rotate after use.
    • Boot Mode - Select whether the device boots in BIOS or UEFI mode.
    • Boot Mode Protection - Select Enable to prevent issues with the OS installed on the device from booting. This protection prevents a change in Boot Mode on a device with an installed OS.
    • Secure Boot - Select Enable to use Secure Boot settings on the device. You cannot disable Secure Boot with DCM. If your devices already use Secure Boot, you must manually disable the settings on the device. Secure Boot requires Boot Mode to be set to UEFI and Legacy Option ROMS to be set to Disable.
    • Legacy Option ROMS - Select Enable to allow the use of legacy option ROMS during the boot process.
    • CPU Virtualization - Select Enable to allow hardware virtualization support.
    • Virtualization IO - Select Enable to allow input/output virtualization.
    • Trusted Execution - Select Enable to allow the device to use the TPM chip, CPU Virtualization, and Virtualization IO for trust decisions. Trusted Execution requires the TPM Chip, CPU Virtualization, and Virtualization IO settings to be set to Enabled.
    • Wireless LAN - Select Enable to allow use of the device wireless LAN functionality.
    • Cellular Radio - Select Enable to allow use of the device cellular radio functionality.
    • Bluetooth - Select Enable to allow use of the device Bluetooth functionality.
    • GPS - Select Enable to allow use of the device GPS functionality.
    • SMART Reporting - Select Enable to use SMART monitoring of the device storage solutions.
    • Primary Battery Charge - Select the charging rules for the device. These rules control when the battery starts and stops charging. If you select Custom Charge, you can manually set the charge percentage to start and stop charging the battery.
      • Standard Charge - Consider using this option for users who switch between battery power and an external power source. This option fully charges the battery at a standard rate. Charge time varies by device model.
      • Express Charge - Consider using this option for users who need the battery charged over a short time period. Dell’s fast charging technology allows a completely discharged battery to typically charge to 80% in about 1 hour when the computer is turned off and to 100% in approximately 2 hours. Charge time may be longer with the computer turned on.
      • AC Charge - Consider using this option for users who primarily operate their system while plugged in to an external power source. This setting may extend your battery’s lifespan by lowering the charge threshold.
      • Auto Charge - Consider using this option for users who want to set the option and not change it. This option lets the system adaptively optimize your battery settings based on your typical battery usage pattern.
      • Custom Charge - Consider using this option for advanced users that desire greater control over when their battery starts and stops charging.
    • Primary Battery Custom Charge Start Limit - Set the battery charge percentage that must be reached before the device starts charging the battery.
    • Primary Battery Custom Charge Stop Limit - Set the battery charge percentage that must be reached before the device stops charging the battery.
    • Peak Shift - Select Enable to use peak shift to control when a device uses battery charge or AC current. Peak shift allows you to use battery power instead of AC current during specified times. To set the schedule for Peak Shift, select the calendar icon.
    • Peak Shift Scheduling - The three parameters for peak shift scheduling control when a device uses battery or AC current and when the device charges the battery.
      • Peak Shift Start – Set the start time for Peak Shift when devices switch to battery power.
      • Peak Shift End – Set the end time for Peak Shift when devices switch to AC current.
      • Peak Shift Charge Start – Set the start time for Peak Shift Charge when the devices charge the batteries while using AC current.
    • Peak Shift Battery Threshold - Set the battery charge percentage that must be reached before devices switch back to AC current from battery power. The Peak Shift Charge Start setting controls the time when devices charge the batteries after switching to AC current.
    • System Properties - Select Add System Properties to add a custom system property. Select the button again to add additional properties. These properties are advanced options. Consider reviewing Dell documentation before using these settings. System Properties override any pre-defined settings configured in the profile.
    • Class - Enter a class and select it from the drop-down menu. Displays after selecting Add System Properties.
    • System Property - Enter a system property and select it from the drop-down menu. Displays after selecting Add System Properties.
    • BIOS Attributes - Select Add BIOS Attribute to add a custom BIOS attribute. Select the button again to add additional attributes. These attributes are advanced options. Consider reviewing Dell documentation before using these settings. BIOS Attributes override any pre-defined settings configured in the profile.
    • BIOS Attribute - Enter a BIOS attribute and select it from the drop-down menu. Displays after selecting Add BIOS Attribute.
    • Value - Select a value for the BIOS attribute. If a value is not supplied, the BIOS Attribute is read only. Displays after selecting Add BIOS Attribute.
    • Configuration Package - Select Upload to add a Dell Command | Configure configuration package. Uploading a package allows you to configure multiple Dell devices with a single configuration. Configuration packages override any custom system properties or attributes. If you restrict which file extensions are allowed, you must add the CCTK file extension to the allowlist. Navigate to Groups & Settings > All Settings > Content > Advanced > File Extensions to add the file extension.
  6. Select Save & Publish.

Credentials

A Credentials profile allows you to push Root, Intermediate, and Client certificates to your Windows 10 devices to support any Public Key Infrastructure (PKI) and certificate authentication use case. The profile pushes configured credentials to the proper credentials store on the Windows Desktop device. Learn how to configure a credentials profile to enable authentication for your Windows 10 devices.

Even with strong passcodes and other restrictions, your infrastructure remains vulnerable to brute force, dictionary attacks, and employee error. For greater security, you can implement digital certificates to protect corporate assets. To use certificates in this way, you must first configure a Credentials payload with a certificate authority, and then configure your Wi-Fi and VPN payloads. Each of these payloads has settings for associating the certificate authority defined in the Credentials payload.

The Credentials profile also allows you to push S/MIME certificates to devices. These certificates are uploaded under each user account and controlled by the Credentials profile.

Configuring a Credentials Profile

A Credentials profile pushes certificates to devices for use in authentication. With Workspace ONE UEM, you can configure credentials for personal, intermediate, trusted root, trusted publisher, and trusted people certificate stores.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.

  3. Select User Profile or Device Profile.

  4. Configure the profile General settings.

  5. Select the Credentials payload and configure the following settings:

    • Credential Source - Select the credential source as either an Upload, a Defined Certificate Authority, or User Certificate. The remaining payload options are source-dependent.
      • If you select Upload, you must upload a new certificate.
      • If you select Defined Certificate Authority, you must choose a predefined certificate authority and Template.
      • If you select User Certificate, you must select how the S/MIME certificate is used.
    • Upload - Select to navigate to the desired credential certificate file and upload it to the Workspace ONE UEM console. This setting displays when Upload is selected as the Credential Source.
    • Certificate Authority - Use the drop-down menu to select a predefined certificate authority. This setting displays when Defined Certificate Authority is selected as the Credential Source.
    • Certificate Template - Use the drop-down menu to select a predefined certificate template specific to the selected certificate authority. This setting displays when Defined Certificate Authority is selected as the Credential Source.
    • Export Private Key - Select Allow to let end users export certificates using Windows Certificate Manager. Select Don't Allow to prohibit end users from exporting certificates.
    • Key Location - Select the location for the certificate private key:
      • TPM If Present – Select to store the private key on a Trusted Platform Module if one is present on the device, otherwise store it in the OS.
      • TPM Required – Select to store the private key on a Trusted Platform Module. If a TPM is not present, the certificate does not install and an error displays on the device.
      • Software – Select to store the private key in the device OS.
      • Passport – Select to save the private key within the Microsoft Passport. This option requires the Azure AD integration.
    • Certificate Store - Select the appropriate certificate store for the credential to reside in on the device:
      • Personal – Select to store personal certificates. Personal certificates require the Workspace ONE Intelligent Hub on the device or using the SCEP payload.
      • Intermediate – Select to store certificates from Intermediate Certificate Authorities.
      • Trusted Root – Select to store certificates from Trusted Certificate Authorities and root certificates from your organization and Microsoft.
      • Trusted Publisher – Select to store certificates from Trusted Certificate Authorities trusted by software restriction policies.
      • Trusted People – Select to store certificates from trusted people or end entities that are explicitly trusted. Often these certificates are self-signed certificates or certificates explicitly trusted in an application such as Microsoft Outlook.
    • Store Location - Select User or Machine to define where the certificate is located.
    • S/MIME - Select whether the S/MIME certificate is for encryption or signing. This option only displays if Credential Source is set to User Certificate.
  6. Select Save & Publish to push the profile to devices.

Custom Settings

The Custom Settings payload provides a way to use Windows Desktop functionality that Workspace ONE UEM does not currently support through its native payloads. If you want to use the new features, you can use the Custom Settings payload and XML code to enable or disable certain settings manually.

Prerequisites

You must write your own SyncML code for Windows Desktop profiles. Microsoft publishes a Configuration Service Provider reference site available on their website. To simplify creating the SyncML code, visit VMware Policy Builder.

Example Code


  <Replace>
    <CmdID>2</CmdID>
    <Item>
      <Target>
        <LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">chr</Format>
      </Meta>
      <Data>{"Account":"standard","AUMID":"AirWatchLLC.AirWatchBrowser_htcwkw4rx2gx4!App"}</Data>
    </Item>
  </Replace>

Procedure

  1. Navigate to VMware Policy Builder.

  2. Select the Configuration Service Providers policy you want to use to create your custom profile.

  3. Select Configure.

  4. On the Configure page, configure the policy settings to meet your business needs.

  5. Select the command verb to use with the policy: Add, Delete, Remove, or Replace.

  6. Select the Copy button.

  7. In the Workspace ONE UEM console, navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  8. Select Windows and then select Windows Desktop.

  9. Select User Profile or Device Profile.

  10. Configure the profile General settings.

  11. Select the Custom Settings payload and select Configure.

  12. Select a Target for the custom profile.

    Most use cases use OMA-DM as the Target. Use Workspace ONE Intelligent Hub when you are customizing a BitLocker profile or looking to prevent users from disabling the AirWatch service.

  13. Select Make Commands Atomic as long as your SyncML uses the Add, Delete, or Replace commands. If your code uses Exec, do not select Make Commands Atomic.

  14. Paste the XML you copied in the Install Settings text box. The XML code you paste must contain the complete block of code, from <Add> to </Add> or whatever command your SyncML code uses. Do not include anything before or after these tags.

  15. Add the removal code to the Delete Settings text box. The removal code must contain <replace> </replace> or <delete> </delete>.

    This code enables Workspace ONE UEM functionality such as Remove Profile and Deactivate Profile. Without the removal code, you cannot remove the profile from the devices besides pushing a second Custom Settings profile. For more information, see https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference.

  16. Select Save and Publish.
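An added helper, not Workspace ONE UEM or VMware code, that applies the rules from steps 13 to 15 to an Install Settings/Delete Settings pair and derives the removal block from an install block. The kiosk-mode command is the page's own sample; the CmdID for the generated `<Delete>` block and the reboot `<Exec>` command are assumptions made for this example.

```python
"""Check a Custom Settings Install/Delete pair and derive the removal block
(added example, not Workspace ONE UEM code)."""
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

SYNCML_COMMANDS = {"Add", "Replace", "Delete", "Exec"}


def parse_command(text):
    """Return (verb, loc_uri) or raise ValueError when the block breaks the rules."""
    try:
        root = ET.fromstring(text.strip())
    except ET.ParseError as exc:
        # Two commands in one box, or text outside the tags, both land here.
        raise ValueError(f"not one complete XML command block ({exc})")
    if root.tag not in SYNCML_COMMANDS:
        raise ValueError(f"outer tag must be one of {sorted(SYNCML_COMMANDS)}, got <{root.tag}>")
    loc = root.findtext("Item/Target/LocURI", default="").strip()
    if not loc:
        raise ValueError(f"<{root.tag}> has no Item/Target/LocURI")
    return root.tag, loc


def atomic_allowed(verb):
    """Make Commands Atomic applies to Add, Delete and Replace, never Exec."""
    return verb != "Exec"


def removal_block(install_text, cmd_id=1):
    """Build the <Delete> block for the Delete Settings box (CmdID is assumed)."""
    verb, loc_uri = parse_command(install_text)
    if verb == "Delete":
        raise ValueError("install block already deletes the node; nothing to undo")
    return (
        "<Delete>\n"
        f"  <CmdID>{cmd_id}</CmdID>\n"
        "  <Item>\n    <Target>\n"
        f"      <LocURI>{escape(loc_uri)}</LocURI>\n"
        "    </Target>\n  </Item>\n"
        "</Delete>"
    )


def check_custom_settings(install_text, delete_text, make_atomic):
    """Return a list of findings for the two text boxes; empty means consistent."""
    try:
        verb, loc_uri = parse_command(install_text)
    except ValueError as exc:
        return [f"Install Settings: {exc}"]
    findings = []
    if make_atomic and not atomic_allowed(verb):
        findings.append("Make Commands Atomic must be cleared for an <Exec> command")
    if not delete_text.strip():
        findings.append("Delete Settings is empty; Remove Profile and Deactivate Profile will not work")
        return findings
    try:
        dverb, dloc = parse_command(delete_text)
    except ValueError as exc:
        return findings + [f"Delete Settings: {exc}"]
    if dverb not in {"Delete", "Replace"}:
        findings.append(f"Delete Settings must be a <Delete> or <Replace>, got <{dverb}>")
    if dloc != loc_uri:
        findings.append(f"Delete Settings targets {dloc}, but the install block targets {loc_uri}")
    return findings


# The page's kiosk-mode sample, reused as input.
KIOSK_REPLACE = """<Replace>
  <CmdID>2</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Data>{"Account":"standard","AUMID":"AirWatchLLC.AirWatchBrowser_htcwkw4rx2gx4!App"}</Data>
  </Item>
</Replace>"""

# Constructed Exec command (Reboot CSP) used to show the atomic rule.
REBOOT_EXEC = """<Exec>
  <CmdID>1</CmdID>
  <Item><Target><LocURI>./Device/Vendor/MSFT/Reboot/RebootNow</LocURI></Target></Item>
</Exec>"""

if __name__ == "__main__":
    print(removal_block(KIOSK_REPLACE))
    print(check_custom_settings(KIOSK_REPLACE, removal_block(KIOSK_REPLACE), True))
    print(check_custom_settings(REBOOT_EXEC, "", True))
```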

Preventing Users from Disabling the Workspace ONE UEM Service

Use a Custom Settings profile to prevent end users from disabling the Workspace ONE UEM (AirWatch) Service on their Windows 10 devices. Preventing end users from disabling the Workspace ONE UEM Service ensures that the Workspace ONE Intelligent Hub runs regular check-ins with the Workspace ONE UEM console and receives the latest policy updates.

  1. Create a Custom Settings profile.

  2. Set the Target to Protection Agent.

  3. Copy the following code and paste it into the Custom Settings text box.

    <wap-provisioningdoc id="c14e8e45-792c-4ec3-88e1-be121d8c33dc" name="customprofile">
      <characteristic type="com.airwatch.winrt.awservicelockdown" uuid="7957d046-7765-4422-9e39-6fd5eef38174">
        <parm name="LockDownAwService" value="True"/>
      </characteristic>
    </wap-provisioningdoc>

  4. Select Save & Publish. If you want to remove the restriction from end user devices, you must push a separate profile using the following code.

    <wap-provisioningdoc id="c14e8e45-792c-4ec3-88e1-be121d8c33dc" name="customprofile">
      <characteristic type="com.airwatch.winrt.awservicelockdown" uuid="7957d046-7765-4422-9e39-6fd5eef38174">
        <parm name="LockDownAwService" value="False"/>
      </characteristic>
    </wap-provisioningdoc>

Data Protection

The Data Protection profile configures rules to control how enterprise applications access data from multiple sources in your organization. Learn how using the data protection profile ensures that your data is only accessible by secured, approved applications.

With personal and work data on the same device, accidental data disclosure is possible through services that your organization does not control. With the Data Protection payload, Workspace ONE UEM controls how your enterprise data moves between applications to limit leakage with a minimal impact on end users. Workspace ONE UEM uses the Microsoft Windows Information Protection (WIP) feature to protect your Windows 10 devices.

Data Protection works by trusting enterprise applications to give them permission to access enterprise data from protected networks. If end users move data to non-enterprise applications, you can act based on the selected enforcement policies.

WIP treats data as either unencrypted personal data or corporate data to protect and encrypt. Applications trusted for Data Protection fall into four different types. These types determine how the app interacts with protected data.

  • Enlightened Apps – These apps fully support WIP functionality. Enlightened apps can access both personal and corporate data without issues. If data is created with an enlightened app, you can save the data as unencrypted personal data or encrypted corporate data. You can restrict users from saving personal data with enlightened apps using the Data Protection profile.
  • Allowed – These apps support WIP-encrypted data. Allowed apps can access both corporate and personal data but the apps save any accessed data as encrypted corporate data. Allowed apps save personal data as encrypted corporate data that cannot be accessed outside of WIP-approved apps. Consider slowly trusting apps on a case-by-case basis to prevent issues accessing data. Reach out to software providers for information on WIP approval.
  • Exempt – You determine which apps are exempt from WIP policy enforcement when you create the Data Protection profile. Exempt any apps that do not support WIP-encrypted data. If an app does not support WIP encryption, the app breaks when attempting to access encrypted corporate data. No WIP policies apply to exempt apps. Exempt apps can access unencrypted personal data and encrypted corporate data. Because exempt apps access corporate data without WIP policy enforcement, use caution when trusting exempt apps. Exempt apps create gaps in data protection and can leak corporate data.
  • Not Allowed – These apps are not trusted or exempted from WIP policies and cannot access encrypted corporate data. Not allowed apps can still access personal data on a WIP-protected device.

Important: The Data Protection profile requires Windows Information Protection (WIP). This feature requires the Windows Anniversary Update. Consider testing this profile before deploying to production.

Configuring a Data Protection Profile

Create the Data Protection (Preview) profile to use the Microsoft Windows Information Protection feature to limit user and application access to your organizational data to approved networks and applications. You can set detailed controls over data protection.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and choose Windows Desktop as the platform.

  3. Select Device Profile.

  4. Configure the profile General settings.

  5. Select the Data Protection payload.

  6. Configure the Enterprise Data Protection settings:

    Settings Descriptions
    Add Select to add enterprise applications to the enterprise allowed list. Applications added here are trusted to use enterprise data.
    App Type Select whether the application is a traditional desktop application or a Microsoft Store app.

    You can also select an application publisher for desktop applications or store apps. Selecting a publisher trusts all apps from the publisher.
    Name Enter the app name. If the app is a Microsoft Store app, select the Search icon to search for the app Package Family Name (PFN).
    Identifier Enter the file path for a desktop application or the package family name for a store app.
    Exempt Select the check box if the app does not support full data protection but still needs access to enterprise data. Enabling this option exempts the app from data protection restrictions. These apps are often legacy apps not yet updated for data protection support.

    Creating exemptions creates gaps in data protection. Only create exemptions when necessary.
    Primary Domain Enter the primary domain that your enterprise data uses.

    Data from protected networks is accessible by enterprise applications only. Attempting to access a protected network from an application not on the enterprise allowed list results in enforcement policy action.

    Enter domains in lowercase characters only.
    Enterprise Protected Domain Names Enter a list of domains (other than your primary domain) used by the enterprise for its user identities. Separate the domains with the vertical bar character |.

    Enter domains in lowercase characters only.
    Enterprise IP Ranges Enter the enterprise IP ranges that define the Windows 10 devices in the enterprise network.

    Data that comes from the devices in range is considered part of the enterprise and is protected. These locations are considered a safe destination for enterprise data sharing.
    Enterprise Network Domain Names Enter the list of domains that are the boundaries of the enterprise network.

    Data from a listed domain that is sent to a device is considered enterprise data and is protected. These locations are considered a safe destination for enterprise data sharing.
    Enterprise Proxy Servers Enter the list of proxy servers that the enterprise can use for corporate resources.
    Enterprise Cloud Resources Enter the list of enterprise resource domains hosted in the cloud that need to be protected by routing them through the enterprise network by way of a proxy server (on port 80).

    If Windows cannot determine whether to allow an app to connect to a network resource, it will automatically block the connection. If you want Windows to default to allow the connections, add the /*AppCompat*/ string to the setting. For example: www.air-watch.com | /*AppCompat*/

    Only add the /*AppCompat*/ string once to change the default setting.
    Application Data Protection Level Set the level of protection and the actions taken to protect enterprise data.
    Show EDP Icons Enable to display an EDP icon in the Web browser, file explorer, and app icons when accessing protected data. The icon also displays in enterprise-only app tiles on the Start menu.
    Revoke on Unenroll Enable to revoke Data Protection keys from a device when the device unenrolls from Workspace ONE UEM.
    User Decryption Enable to allow users to select how data is saved using an enlightened app. They can select Save as Corporate or Save as Personal.

    If this option is not enabled, all data saved using an enlightened app is saved as corporate data and encrypted with the corporate encryption key.
    Direct Memory Access Enable to allow users direct access to device memory.
    Data Recovery Certificate Upload the special Encrypting File System certificate to use for file recovery if your encryption key is lost or damaged.
  7. Select Save & Publish to push the profile to devices.

Creating an Encrypting File System Certificate

The Data Protection profile encrypts enterprise data and restricts access to approved devices. Create an EFS certificate to encrypt your enterprise data protected by a Data Protection profile.

  1. On a computer without an EFS certificate, open a command prompt (with admin rights) and navigate to the certificate store where you want to store the certificate.

  2. Run the command: cipher /r:<EFSRA>

    The value of <EFSRA> is the name of the .cer and .pfx files that you want to create.

  3. When prompted, enter the password to help protect your new .pfx file.

  4. The .cer and .pfx files are created in the certificate store you selected.

  5. Upload your .cer certificate to devices as part of a Data Protection profile.

Defender Exploit Guard

Protect your Windows 10 devices from exploits and malware with the Windows Defender Exploit Guard profile. Workspace ONE UEM uses these settings to protect your devices from exploits, reduce attack surfaces, control folder access, and protect your network connections.

Windows Defender Exploit Guard

Various malware and exploits use vulnerabilities in your Windows 10 devices to gain access to your network and devices. Workspace ONE UEM uses the Windows Defender Exploit Guard profile to protect your devices from these bad actors. The profile uses the Windows Defender Exploit Guard settings native to Windows 10. The profile contains four different methods of protection. These methods cover different vulnerabilities and attack vectors.

Exploit Protection

Exploit protection automatically applies exploit mitigations to both the operating system and apps. These mitigations also work with third-party antivirus and Windows Defender antivirus. In the Windows Defender Exploit Guard profile, you configure these settings by uploading a configuration XML file. This file must be created using the Windows Security App or PowerShell.

Attack Surface Reduction

Attack surface reduction rules help prevent the typical actions malware uses to infect devices. These rules target actions such as:

  • Executable files and scripts used in Office apps or web mail that try to download or run files
  • Obfuscated or otherwise suspicious scripts
  • Actions that apps do not usually use

Attack surface reduction rules require Windows Defender Real-Time Protection to be enabled.

Controlled Folder Access

Controlled folder access helps protect your valuable data from malicious apps and threats including ransomware. When enabled, Windows Defender Antivirus reviews all apps (.EXE, .SCR, .DLL, and so on). Windows Defender then determines if the app is malicious or safe. If the app is marked as malicious or suspicious, then Windows prevents the app from changing files in protected folders.

Protected folders include common system folders. You can add your own folders to Controlled Folder Access. Most known and trusted apps can access protected folders. If you want an internal or unknown app to access protected folders, you must add the app file path when creating the profile.

Controlled folder access requires Windows Defender Real-Time Protection to be enabled.

Network Protection

Network protection helps protect users and data from phishing scams and malicious websites. These settings prevent users from using any app to access dangerous domains that might host phishing attacks, exploits, or malware.

Network protection requires Windows Defender Real-Time Protection to be enabled.

Additional Information

For more information on the specific exploit protections and settings configured, see https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy.

Creating a Defender Exploit Guard Profile

Create a Defender Exploit Guard profile through Workspace ONE UEM to protect your Windows 10 devices against exploits and malware. Learn how to use the profile to configure the Windows Defender Exploit Guard settings on your Windows 10 devices.

When you create rules and settings for Attack Surface Reduction, Controlled Folder Access, and Network Protection, you must select Enabled, Disabled, or Audit. These options change how the rule or setting functions.

  • Enabled - Configures Windows Defender to block exploits for that method. For example, if you set Controlled Folder Access to Enabled, Windows Defender blocks exploits from accessing the protected folders.
  • Disabled - Does not configure the policy for Windows Defender.
  • Audit - Configures Windows Defender to block the exploits the same as Enabled, but also logs the event in the Event Viewer.

Prerequisites

To use the Exploit Protection settings in this profile, you must create a configuration XML file using Windows Security App or PowerShell on an individual device before creating the profile.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.
  2. Select Windows and then select Windows Desktop.
  3. Select Device Profile.
  4. Configure the profile General settings.
  5. Select the Defender Exploit Guard payload.
  6. Upload the Exploit Protection Settings configuration XML file.

    These settings automatically apply exploit mitigation techniques to both the operating system and individual apps. You must create the XML file using the Windows Security App or PowerShell on an individual device.
  7. Configure the Attack Surface Reduction settings. These rules help prevent the typical actions malware uses to infect devices with malicious code. Select Add to add additional rules.

    The description of each rule describes what apps or file types the rule applies to. Attack surface reduction rules require Windows Defender Real-Time Protection enabled.
  8. Configure the Controlled Folder Access settings. Set Controlled Folder Access to Enabled to use these settings. When enabled, the setting protects several folders by default. To see the list, point to the ? icon. These settings automatically protect your data from malware and exploits. Controlled folder access requires Windows Defender Real-Time Protection to be enabled.
    • Add additional folders to protect by selecting Add New and entering the folder file path.
    • Add applications that can access protected folders by selecting Add New and entering the application file path. Most known and trusted apps can access the folders by default. Use this setting to allow internal or unknown apps to access protected folders.
  9. Configure the Network Protection settings. Set Network Protection to Enabled to use these settings. These settings protect users and data from phishing scams and malicious websites. Network protection requires Windows Defender Real-Time Protection enabled.
  10. Select Save and Publish when you are finished to push the profile to devices.
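The following PowerShell is an added example, not part of the Workspace ONE UEM documentation: it produces the Exploit Protection XML that step 6 needs and then reads back the Real-Time Protection, Attack Surface Reduction, Controlled Folder Access and Network Protection state on a device after the profile has applied. It assumes Windows 10 with the ProcessMitigations and Defender PowerShell modules, an elevated session, and an export path of your choosing.

```powershell
# Added example (not from the Workspace ONE UEM documentation): export the Exploit
# Protection XML that step 6 uploads, and read back the effective Exploit Guard
# state on a device once the profile has landed. Assumes Windows 10 with the
# ProcessMitigations and Defender PowerShell modules, run from an elevated prompt.
param(
    # Output path is this example's assumption; any writable path works.
    [string]$ExportPath = "$env:TEMP\ExploitProtection.xml"
)

# Step 6 prerequisite: capture the device's current Exploit Protection settings
# as XML. This is the file you upload to the Defender Exploit Guard payload.
Get-ProcessMitigation -RegistryConfigFilePath $ExportPath
Write-Host "Exploit Protection settings exported to $ExportPath"

# Defender stores the profile's Enabled / Disabled / Audit choices as small integers.
function ConvertTo-StateName {
    param([int]$Value)
    switch ($Value) {
        0 { 'Disabled' }
        1 { 'Enabled' }
        2 { 'Audit' }
        default { "Other($Value)" }   # newer builds add further modes
    }
}

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Attack Surface Reduction, Controlled Folder Access and Network Protection all
# depend on Real-Time Protection; without it the profile's rules do not act.
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Real-Time Protection is off: ASR, Controlled Folder Access and Network Protection are not enforced.'
}

# Step 7: one row per Attack Surface Reduction rule GUID with its state.
$asrRules = for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    [pscustomobject]@{
        RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
        State  = ConvertTo-StateName ([int]$pref.AttackSurfaceReductionRules_Actions[$i])
    }
}

# Steps 8 and 9: Controlled Folder Access (with the extra folders and allowed
# apps from the profile) and Network Protection.
[pscustomobject]@{
    RealTimeProtection     = $status.RealTimeProtectionEnabled
    ControlledFolderAccess = ConvertTo-StateName ([int]$pref.EnableControlledFolderAccess)
    ProtectedFolders       = $pref.ControlledFolderAccessProtectedFolders
    AllowedApplications    = $pref.ControlledFolderAccessAllowedApplications
    NetworkProtection      = ConvertTo-StateName ([int]$pref.EnableNetworkProtection)
    AsrRules               = $asrRules
} | Format-List
```

Run it once on a reference device to produce the XML for step 6, and again on managed devices to confirm that what the profile pushed is what Defender is enforcing.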

Encryption

Secure your organization's data on Windows Desktop devices with the Encryption profile. The Encryption profile configures the native BitLocker encryption policy on your Windows Desktop devices to ensure that data remains secure.

BitLocker encryption is only available on Windows 10 Enterprise, Education, and Pro devices.

Because laptops and tablets are mobile devices by design, they risk your organization's data being lost or stolen. By enforcing an encryption policy through Workspace ONE UEM, you can protect data on the hard drive. BitLocker is the native Windows encryption and Dell Data Protection | Encryption is a third-party encryption solution from Dell. With the Encryption profile enabled, Workspace ONE Intelligent Hub continually checks the encryption status of the device. If Workspace ONE Intelligent Hub finds that the device is not encrypted, it automatically encrypts the device.

If you decide to encrypt with BitLocker, a recovery key created during encryption is stored for each drive (if configured) in the Workspace ONE UEM console.

The Encryption profile requires Workspace ONE Intelligent Hub to be installed on the device.

Note: The Encryption profile does not configure or enable Dell Data Protection | Encryption. The status of the encryption is reported to the Workspace ONE UEM console and Self-Service Portal, but the encryption must be configured manually on the device.

Caution: Windows 10 does not support devices without a pre-boot onscreen keyboard. Without a keyboard, you cannot enter the startup PIN necessary to unlock the hard drive and start Windows on the device. Pushing this profile to devices without a pre-boot onscreen keyboard breaks your device.

BitLocker Functionality

The Encryption profile uses advanced BitLocker functionality to control authentication and deployment of BitLocker encryption.

BitLocker uses the Trusted Platform Module (TPM) on devices to store the encryption key for the device. If the drive is removed from the motherboard, the drive remains encrypted. For enhanced authentication, you can enable an encryption PIN to boot the system. You can also require a password for devices when a TPM is not available.

Deployment Behavior

The Windows-native BitLocker encryption secures data on Windows Desktop devices. Deploying the encryption profile may require additional actions from the end user, such as creating a PIN or password.

If the Encryption profile is pushed to an encrypted device and the current encryption settings match the profile settings, Workspace ONE Intelligent Hub adds a BitLocker protector and sends a recovery key to the Workspace ONE UEM console.

With this feature, if a user or an admin attempts to disable BitLocker on the device, the Encryption profile can re-encrypt it. The encryption is enforced even if the device is offline.

If the existing encryption does not meet the authentication settings of the Encryption profile, the existing protectors are removed and new protectors are applied that meet the Encryption profile settings.

If the existing encryption method does not match the Encryption profile, Workspace ONE UEM leaves the existing method in place and does not override it. This functionality also applies if you add a version of the Encryption profile to a device managed by an existing Encryption profile. The existing encryption method is not changed.

Encryption Statuses

If BitLocker is enabled and in use, you can see information about the state of encryption in the listed areas.

  • Workspace ONE UEM Device Details
    • Device Details displays recovery key information. Use the View Recovery Key link to view and copy recovery keys for all your encrypted drives.
    • Find several BitLocker statuses on the Summary tab that include Encrypted, Encryption in Progress, Decryption in Progress, Suspended, and Partially Protected.
      • The Suspended (X reboots remaining) status reflects the suspension of the disk's protection, although the disk is still encrypted. You might see this status if an operating system is getting updated or if system level changes are being made to the system. Once the number of reboots is exhausted, BitLocker protection is automatically re-enabled.
      • The Partially Protected status reflects the situation where the OS drive is encrypted but other drives are not.
    • On the Security tab in Device Details, view the encryption status and the encryption method of your drives. You can find out at a glance if a machine is not using the level of encryption you have set in the encryption profile. Workspace ONE UEM only displays the encryption method. It does not decrypt disks, even if they do not match the Encryption Method setting in the Encryption profile.
  • Workspace ONE UEM Self-Service Portal
    • The Security page of the Self-Service Portal displays the BitLocker recovery key.
    • BitLocker protection displays as enabled.
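The following PowerShell is an added example, not part of the Workspace ONE UEM documentation: it derives the same overall status the Device Details Summary tab shows (Encrypted, Encryption in Progress, Decryption in Progress, Suspended, Partially Protected) from the device's own BitLocker data, so an admin can cross-check the console against the machine. It assumes the BitLocker PowerShell module on Windows 10 Pro, Enterprise or Education and an elevated session; the function name is this example's own.

```powershell
# Added example (not from the Workspace ONE UEM documentation): classify a
# device's BitLocker state using the same status names the console displays.
# Assumes the BitLocker module (Windows 10 Pro/Enterprise/Education), elevated.

# Collapse the OS drive's state and the data drives' state into one status.
function Resolve-OverallStatus($OsDrive, $DataDrives) {
    if (-not $OsDrive) { return 'No OS drive reported' }
    switch ("$($OsDrive.VolumeStatus)") {
        'EncryptionInProgress' { return 'Encryption in Progress' }
        'DecryptionInProgress' { return 'Decryption in Progress' }
        'FullyEncrypted'       { break }
        default                { return "Other ($_)" }   # FullyDecrypted, paused states
    }
    # Encrypted but protection off: suspended, e.g. by a BitLocker Suspend window
    # or an OS upgrade. The disk is still encrypted, as the console notes.
    if ("$($OsDrive.ProtectionStatus)" -ne 'On') { return 'Suspended' }
    # OS drive protected but at least one data drive is not.
    $unprotected = $DataDrives | Where-Object {
        "$($_.VolumeStatus)" -ne 'FullyEncrypted' -or "$($_.ProtectionStatus)" -ne 'On'
    }
    if ($unprotected) { return 'Partially Protected' }
    return 'Encrypted'
}

function Get-UemStyleBitLockerStatus {
    $volumes = Get-BitLockerVolume
    $osDrive = $volumes | Where-Object { "$($_.VolumeType)" -eq 'OperatingSystem' }
    # Note: removable data drives also report VolumeType 'Data'; the profile's
    # "All Fixed Hard Drives" option covers fixed drives only.
    $data    = $volumes | Where-Object { "$($_.VolumeType)" -eq 'Data' }

    # Per-volume view: the protector types show what the profile's
    # authentication settings (TPM, TPM+PIN, Password, recovery) left in place.
    $perVolume = foreach ($v in $volumes) {
        [pscustomobject]@{
            MountPoint   = $v.MountPoint
            VolumeType   = "$($v.VolumeType)"
            VolumeStatus = "$($v.VolumeStatus)"
            Protection   = "$($v.ProtectionStatus)"
            Method       = "$($v.EncryptionMethod)"
            Protectors   = (@($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" }) -join ',')
        }
    }

    # Workspace ONE UEM escrows the recovery password per drive; an encrypted
    # volume without a RecoveryPassword protector cannot be recovered from the console.
    $missingEscrow = @($volumes | Where-Object {
        "$($_.VolumeStatus)" -eq 'FullyEncrypted' -and
        -not (@($_.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" }) -contains 'RecoveryPassword')
    } | Select-Object -ExpandProperty MountPoint)

    [pscustomobject]@{
        OverallStatus                  = Resolve-OverallStatus $osDrive $data
        Volumes                        = $perVolume
        VolumesWithoutRecoveryPassword = $missingEscrow
    }
}

Get-UemStyleBitLockerStatus | Format-List
```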

Removal Behavior

If the profile is removed from the Workspace ONE UEM console, Workspace ONE UEM no longer enforces the encryption and the device automatically decrypts. Enterprise wiping or manually uninstalling Workspace ONE Intelligent Hub from the Control Panel disables BitLocker encryption.

When you create the Encryption profile, you can enable the Keep System Encrypted at All Times option. This setting ensures that the device remains encrypted even if the profile is removed, the device is wiped, or communication with Workspace ONE UEM ends.

If the end user decides to unenroll during the BitLocker encryption process, the encryption process continues unless it is turned off manually from the Control Panel.

Escrowing Recovery Keys

Workspace ONE UEM escrows recovery keys for OS Drive and All Fixed Hard Drives when you have this setting enabled for Encrypted Volume in the Encryption profile. If a drive needs to be recovered, the recovery key is available for each individual drive.

BitLocker and Compliance Policies

You can configure compliance policies to support the BitLocker encryption status you want to enforce. In the Rules section of a compliance policy, select Encryption > Is and select from the choices of Not applied to system drive, Not applied to some drives (partially protected), or Suspended.

Configuring an Encryption Profile

Create an Encryption profile to secure your data on Windows Desktop devices using the native BitLocker encryption.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.
  2. Select Windows and then select Windows Desktop.
  3. Select Device Profile.
  4. Configure the profile General settings.
  5. Select the Encryption profile and configure the settings.

    Settings Descriptions
    Encrypted Volume Use the drop-down menu to select the type of encryption as follows:

    OS Drive and All Fixed Hard Drives – Encrypts all hard drives on the device, including the System Partition where the OS is installed.
    OS Drive – Encrypts the drive that Windows is installed on and from which it boots.
    Encryption Method Select the encryption method for the device.
    Default to System Encryption Method Select this check box if your OEM specifies a default encryption method for a given type of device. This setting applies the default encryption algorithm.
    Only Encrypt Used Space During Initial Encryption Enable to limit the BitLocker encryption to only the used space on the drive at the time of encryption.
    Custom URL for Recovery Key Enter the URL to display on the lock screen directing end users to get the recovery key.

    Consider entering the Self Service Portal URL as Workspace ONE UEM hosts the recovery key there.
    Force Encryption Enable to force encryption on the device. This enforcement means that the device immediately re-encrypts if BitLocker is manually disabled.

    Consider disabling this setting to prevent issues during upgrades or Enterprise Wipes.
    Keep System Encrypted at All Times Enable this option to keep the device encrypted at all times. Use this option to ensure that device wipes, profile removals, or a break in communication with Workspace ONE UEM do not decrypt the device.

    If you enable this setting and wipe a device, you can only access the recovery key from the Workspace ONE UEM console for 30 days. After 30 days, the system may be unrecoverable.
    BitLocker Authentication Settings: Authentication Mode Select the method for authenticating access to a BitLocker encrypted device.

    TPM — Uses the device's Trusted Platform Module. Requires a TPM on the device.
    Password — Uses a password to authenticate.
    BitLocker Authentication Settings: Require PIN at startup Select the check box to require users to enter a PIN to boot the device. This option prevents OS startup and auto-resume from suspend or hibernate until the user enters the correct PIN.
    BitLocker Authentication Settings: PIN Length Select this setting to configure a specific length for the PIN at startup. This PIN is numeric unless otherwise configured with Allow Enhanced PIN at Startup.
    BitLocker Authentication Settings: Allow Enhanced PIN at Startup Select this check box to allow users to set PINs that contain more than numbers: uppercase and lowercase letters, symbols, numbers, and spaces.
    If the machine does not support enhanced PINs in a preboot environment, this setting does not work.
    BitLocker Authentication Settings: Use Password if TPM Not Present Select the check box to use a password as a fallback to encrypt the device if the TPM is unavailable.

    If this setting is not enabled, any devices without a TPM do not encrypt.
    BitLocker Authentication Settings: Suspend BitLocker until TPM is initialized Select this option to postpone encryption on the device until TPM is initialized on the machine. Use this option for enrollments that require encryption before TPM initializes such as OOBE.
    BitLocker Authentication Settings: Minimum Password Length Select the minimum number of characters a password must be. Displays if the Authentication Mode is set to Password or if Use Password if TPM Not Available is enabled.
    BitLocker Static Recovery Key Settings: Create Static BitLocker Key Select the check box if a static recovery key is enabled.
    BitLocker Static Recovery Key Settings: BitLocker Recovery Password Select the Generate icon to generate a new recovery key.
    BitLocker Static Recovery Key Settings: Rotation Period Enter the number of days until the recovery key rotates.
    BitLocker Static Recovery Key Settings: Grace Period Enter the number of days after rotation that the previous recovery key still works.
    BitLocker Suspend: Enable BitLocker Suspend Select the check box to enable BitLocker Suspension. This functionality suspends BitLocker encryption during a specified time period.

    Use this feature to suspend BitLocker when updates are scheduled so devices can reboot without requiring end users to enter the Encryption PIN or password.
    BitLocker Suspend: Suspend BitLocker Type Select the type of suspension.

    Schedule — Select to enter the specific time period that BitLocker suspends. Then set the schedule repeat to daily or weekly.
    Custom — Select to enter the day and time to begin and end BitLocker suspension.
    BitLocker Suspend: BitLocker Suspend Start Time Enter the time to start BitLocker suspension.
    BitLocker Suspend: BitLocker Suspend End Time Enter the time to end BitLocker suspension.
    BitLocker Suspend: Scheduled Repeat Type Set whether the scheduled suspension repeats daily or weekly. If you select weekly, select the days of the week to repeat the schedule.
  6. Select Save & Publish when you are finished to push the profile to devices.

Exchange ActiveSync

The Exchange ActiveSync profiles enable you to configure your Windows Desktop devices to access your Exchange ActiveSync server for email and calendar use.

Use certificates signed by a trusted third-party certificate authority (CA). Mistakes in your certificates expose your otherwise secure connections to potential man-in-the-middle attacks. Such attacks degrade the confidentiality and integrity of data transmitted between product components, and might allow attackers to intercept or alter data in transit.

The Exchange ActiveSync profile supports the native mail client for Windows Desktop. The configuration changes based on which mail client you use.

Removing Profiles or Enterprise Wiping

If the profile is removed using the remove profile command, compliance policies, or through an enterprise wipe, all email data is deleted, including:

  • User account/login information.
  • Email message data.
  • Contacts and calendar information.
  • Attachments that were saved to the internal application storage.

Username and Password

If you have email user names that are different than user email addresses, you can use the {EmailUserName} text box, which corresponds to the email user names imported during directory service integration. Even if your users' user names are the same as their email addresses, use the {EmailUserName} text box, because it uses email addresses imported through the directory service integration.

Configuring an Exchange ActiveSync Profile

Create an Exchange ActiveSync profile to give Windows Desktop devices access to your Exchange ActiveSync server for email and calendar use.

Note: Workspace ONE UEM does not support Outlook 2016 for Exchange ActiveSync profiles. Exchange Web Services (EWS) profile configuration for the Outlook application on a Windows Desktop device through Workspace ONE UEM is no longer supported with Microsoft Exchange 2016.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and choose Windows Desktop as the platform.

  3. Select User Profile.

  4. Configure the profile General settings.

  5. Select the Exchange ActiveSync payload.

  6. Configure the Exchange ActiveSync settings:

    Settings Descriptions
    Mail Client Select the Mail Client that the EAS profile configures. Workspace ONE UEM supports the Native Mail Client.
    Account Name Enter the name for the Exchange ActiveSync account.
    Exchange ActiveSync Host Enter the URL or IP Address for the server hosting the EAS server.
    Use SSL Enable to send all communications through the Secure Sockets Layer (SSL).
    Domain Enter the email domain. The profile supports lookup values for inserting enrollment user login information.
    Username Enter the email user name.
    Email Address Enter the email address. This text box is a required setting.
    Password Enter the email password.
    Identity Certificate Select the certificate for the EAS payload.
    Next Sync Interval (Min) Select the frequency, in minutes, that the device syncs with the EAS server.
    Past Days of Mail to Sync Select how many days of past emails sync to the device.
    Diagnostic Logging Enable to log information for troubleshooting purposes.
    Require Data Protection Under Lock Enable to require data to be protected when the device is locked.
    Allow Email Sync Enable to allow the syncing of email messages.
    Allow Contacts Sync Enable to allow the syncing of contacts.
    Allow Calendar Sync Enable to allow the syncing of calendar events.
  7. Select Save to keep the profile in the Workspace ONE UEM console or Save & Publish to push the profile to the devices.

Exchange Web Services

Create an Exchange Web Services profile to allow end users to access corporate email infrastructures and Microsoft Outlook accounts from their devices.

Important: During first-time configuration, the device must have access to the Internal Exchange Server.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.

  3. Select User Profile.

  4. Configure the profile General settings.

  5. Select the Exchange Web Services profile and configure the settings:

    Settings Descriptions
    Domain Enter the name of the email domain to which the end user belongs.
    Email Server Enter the name of the Exchange server.
    Email Address Enter the address for the email account.
  6. Select Save & Publish when you are finished to push the profile to devices.

    Removing an Exchange Web Services profile removes all Outlook accounts from the device.

Firewall

Create a Firewall profile to configure the native Windows Desktop firewall settings. This profile uses more advanced functionality than the Firewall (Legacy) profile.

Workspace ONE UEM trusts the OMA-DM agent automatically to ensure the Workspace ONE UEM console can always communicate with devices.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.

  3. Select Device Profile.

  4. Configure the profile General settings.

  5. Select the Firewall payload.

  6. Configure the Global settings.

    Setting Description
    Stateful FTP Set how the firewall handles FTP traffic. If you select Enable, the firewall tracks all FTP traffic. If you select Disable, the firewall does not inspect FTP traffic.
    Security Association Idle Time Select Configured and set the maximum amount of time (in seconds) the device waits before deleting idle security associations.

    Security associations are an agreement between two peers or endpoints. These agreements contain all the information required to securely exchange data.
    Preshared Key Encoding Select the type of encoding used for the preshared key.
    IPSec Exemptions Select the IPSec exemptions to use.
    Certification Revocation List Verification Select how to enforce the certificate revocation list verification.
    Opportunity Match Auth Set Per KM Select how key modules ignore authentication suites. Enabling this option forces key modules to ignore only the authentication suites they do not support.

    Disabling this option forces key modules to ignore the entire authentication set if they do not support all the authentication suites in the set.
    Enable Packet Queue Select how packet queuing works on the device. This setting allows you to ensure proper scaling.
  7. Configure how the firewall behaves when connected to Domain, Private, and Public networks.

    Setting Description
    Firewall Set to Enable to enforce policy settings on the network traffic. If disabled, the device allows all network traffic, regardless of other policy settings.
    Outbound Action Select the default action the firewall takes on outbound connections. If you set this setting to Block, the firewall blocks all outbound traffic unless explicitly specified otherwise.
    Inbound Action Select the default action the firewall takes on inbound connections. If you set this setting to Block, the firewall blocks all inbound traffic unless explicitly specified otherwise.
    Unicast Responses to Multicast or Broadcast Network Traffic Set the behavior for the responses to multicast or broadcast network traffic. If you disable this option, the firewall blocks all responses to multicast or broadcast network traffic.
    Notify User When Windows Firewall Blocks a New App Set the notification behavior for the firewall. If you select Enable, the firewall may send notifications to the user when it blocks a new app. If you select Disable, the firewall does not send any notifications.
    Stealth Mode To set the device in stealth mode, select Enable. Stealth mode helps prevent bad actors from gaining information about network devices and services.

    When enabled, stealth mode blocks outgoing ICMP unreachable and TCP reset messages from ports without an app actively listening on that port.
    Allow IPSec Network Traffic in Stealth Mode Set how the firewall handles unsolicited traffic secured by IPSec. If you select Enable, the firewall allows unsolicited network traffic secured by IPSec. This setting only applies when you enable Stealth Mode.
    Local Firewall Rules Set how the firewall interacts with local firewall rules. If you select Enable, the firewall follows local rules. If you select Disable, the firewall ignores local rules and does not enforce them.
    Local Connection Rules Set how the firewall interacts with local security connection rules. If you select Enable, the firewall follows local rules. If you select Disable, the firewall ignores local rules and does not enforce them, regardless of the schema and connection security versions.
    Global Port Firewall Rules Set how the firewall interacts with global port firewall rules. If you select Enable, the firewall follows the global port firewall rules. If you select Disable, the firewall ignores the rules and does not enforce them.
    Authorized Application Rules Set how the firewall interacts with local authorized application rules. If you select Enable, the firewall follows local rules. If you select Disable, the firewall ignores local rules and does not enforce them.
  8. To configure your own firewall rules, select Add Firewall Rule. After adding a rule, configure the settings as needed. You can add as many rules as you need.

  9. When finished, select Save And Publish to push the profile to devices.
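The following PowerShell is an added example, not part of the Workspace ONE UEM documentation: it reads back the per-network (Domain, Private, Public) settings that step 7 configures and reports every value that differs from a desired state. It assumes the NetSecurity module and an elevated session; the desired values and the mapping from console labels to Get-NetFirewallProfile properties are this example's own.

```powershell
# Added example (not from the Workspace ONE UEM documentation): compare the
# Domain, Private and Public firewall profiles on a device against a desired
# state modelled on the step 7 settings. Assumes the NetSecurity module, elevated.

# Desired state; the values are this example's assumptions, not documented defaults.
# Property name                    -> console label in step 7
$desired = @{
    Enabled                         = 'True'   # Firewall
    DefaultOutboundAction           = 'Allow'  # Outbound Action
    DefaultInboundAction            = 'Block'  # Inbound Action
    AllowUnicastResponseToMulticast = 'False'  # Unicast Responses to Multicast or Broadcast Network Traffic
    NotifyOnListen                  = 'True'   # Notify User When Windows Firewall Blocks a New App
    EnableStealthModeForIPsec       = 'True'   # Allow IPSec Network Traffic in Stealth Mode
    AllowLocalFirewallRules         = 'False'  # Local Firewall Rules
    AllowLocalIPsecRules            = 'False'  # Local Connection Rules
    AllowUserPorts                  = 'False'  # Global Port Firewall Rules
    AllowUserApps                   = 'False'  # Authorized Application Rules
}

function Compare-FirewallProfiles {
    param([hashtable]$Desired)
    # One row per (network profile, setting); Match is $false where the device deviates.
    foreach ($p in Get-NetFirewallProfile) {
        foreach ($name in ($Desired.Keys | Sort-Object)) {
            $actual = "$($p.$name)"   # enum values render as True/False/Block/Allow/NotConfigured
            [pscustomobject]@{
                Network  = $p.Name
                Setting  = $name
                Expected = $Desired[$name]
                Actual   = $actual
                Match    = ($actual -eq $Desired[$name])
            }
        }
    }
}

$report = Compare-FirewallProfiles -Desired $desired
$drift  = @($report | Where-Object { -not $_.Match })
if ($drift.Count -eq 0) {
    Write-Host 'All three network profiles match the desired firewall state.'
} else {
    $drift | Format-Table Network, Setting, Expected, Actual -AutoSize
}
```

A value of NotConfigured means the profile never set that option, so the Windows default applies; an Enabled of False on any network means that network passes all traffic regardless of the other settings.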

Firewall (Legacy)

The Firewall (Legacy) profile for Windows Desktop devices allows you to configure the Windows Firewall settings for devices. Consider using the new Firewall profile for Windows Desktop as the new profile uses new Windows features.

Important: The Firewall profile requires the Workspace ONE Intelligent Hub to be installed on the device.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.

  3. Select Device Profile.

  4. Configure the profile General settings.

  5. Select the Firewall (Legacy) payload.

  6. Enable Use Windows Recommended Settings to use the Windows Recommended Settings and disable all other options available in this profile. The settings will automatically change to the recommended settings and you cannot change them.

  7. Configure the Private Network settings:

    Settings Description
    Firewall Enable to use the firewall when the device is connected to private network connections.
    Block All Incoming Connections, Including Those on the List of Allowed Apps Enable to block all incoming connections. This setting allows outbound connections.
    Notify User when Windows Firewall Blocks a New App Enable to allow notifications to display when the Windows Firewall blocks a new app.
  8. Configure the Public Network settings:

    Settings Description
    Firewall Enable to use the firewall when the device is connected to public network connections.
    Block All Incoming Connections, Including Those on the List of Allowed Apps Enable to block all incoming connections. This setting allows outbound connections.
    Notify User when Windows Firewall Blocks a New App Enable to allow notifications to display when the Windows Firewall blocks a new app.
  9. Select Save and Publish when you are finished to push the profile to devices.
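The following PowerShell is an added example, not code from the Workspace ONE UEM documentation or product. It audits the effective Windows Defender Firewall state on a device after either the Firewall or the Firewall (Legacy) profile has been published, so you can confirm that what was configured in the console is what the device enforces. The mapping of profile labels to Get-NetFirewallProfile properties and the baseline values are the author's assumptions; adjust the baseline to what you actually configured. Run it in an elevated PowerShell session on the device.

```powershell
# Added example; not code from the Workspace ONE UEM documentation or product.
# Audits the effective Windows Defender Firewall state after a Firewall or Firewall (Legacy)
# profile has been published. The baseline is an assumed hardened expectation, not values the
# page prescribes; the label-to-property mapping in the comments is the author's.

$Baseline = @{
    Enabled               = 'True'
    DefaultInboundAction  = 'Block'
    DefaultOutboundAction = 'Allow'
    AllowInboundRules     = 'True'    # 'False' = "Block All Incoming Connections, Including Those on the List of Allowed Apps"
    AllowLocalIPsecRules  = 'False'   # "Local Connection Rules" = Disable
    AllowUserPorts        = 'False'   # "Global Port Firewall Rules" = Disable
    AllowUserApps         = 'False'   # "Authorized Application Rules" = Disable
    NotifyOnListen        = 'True'    # "Notify User when Windows Firewall Blocks a New App"
}

function Test-FirewallProfileBaseline {
    # Returns one row per (profile, setting) that differs from the baseline; no rows = compliant.
    param([hashtable]$Expected = $Baseline)
    $profiles = Get-NetFirewallProfile -PolicyStore ActiveStore   # effective values, whatever set them
    foreach ($p in $profiles) {
        foreach ($setting in $Expected.Keys) {
            $actual = [string]$p.$setting
            if ($actual -ne $Expected[$setting]) {
                [pscustomobject]@{ Profile = $p.Name; Setting = $setting; Expected = $Expected[$setting]; Actual = $actual }
            }
        }
    }
}

function Get-BroadInboundAllowRules {
    # Enabled inbound Allow rules that match any program on any local port. These are the
    # exceptions that matter once "Block All Incoming Connections" is not in force.
    Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $app  = $_ | Get-NetFirewallApplicationFilter
            $port = $_ | Get-NetFirewallPortFilter
            if ($app.Program -eq 'Any' -and $port.LocalPort -eq 'Any') {
                [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; Program = $app.Program; LocalPort = $port.LocalPort }
            }
        }
}

$drift = Test-FirewallProfileBaseline
if ($drift) { $drift | Format-Table -AutoSize } else { 'All firewall profiles match the baseline.' }
Get-BroadInboundAllowRules | Format-Table -AutoSize
```

Reading from the ActiveStore shows the merged result of MDM, Group Policy and local settings, which is what matters when you are checking whether a "Disable" for local rules actually stopped a locally added exception from taking effect.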

Kiosk

Configure a Kiosk profile to turn your Windows Desktop device into a multi-app kiosk device. This profile allows you to configure the apps that display in the device start menu.

You can upload your own custom XML to configure the Kiosk profile or create your kiosk as part of the profile. This profile does not support domain accounts or domain groups. The user is a built-in user account created by Windows.

  • Supported Apps
    • .EXE apps
      • MSI and ZIP files require you to add the file path.
    • Built-in apps
      • Select built-in apps are automatically added to the designer. These apps include News, Microsoft Edge, Weather, Alarms & Clock, Sticky Notes, Maps, Calculator, and Photos.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.

  3. Select Device Profile.

  4. Configure the profile General settings. You must add an assignment before configuring the Kiosk profile.

  5. Select the Kiosk profile.

  6. If you already have your custom XML, select Upload Kiosk XML and complete the Assigned Access Configuration XML settings. Select Upload and add your Assigned Access Configuration XML, or paste the XML into the text box. For more information, see https://docs.microsoft.com/en-us/windows/client-management/mdm/assignedaccess-csp.

  7. If you do not have any custom XML, select Create Your Kiosk and configure the app layout.

    This layout is the device Start Menu in a grid. The apps that display on the left are the apps assigned to the assignment group you selected. Some apps have a gear icon with a red dot in the top-right corner. This icon displays for apps that require additional settings when added to the kiosk layout. After you configure the settings, the red dot disappears but the icon remains. You can select the arrow icon to change the size of the apps. For classic desktop apps, you can only select Small or Medium.

    For applications that require additional support applications, the Kiosk profile supports adding these support applications using the Additional Settings option. For example, the VMware Horizon client requires up to four support applications to run in Kiosk mode. Add these support applications when you configure the primary kiosk application by adding the additional Application Executable Paths.

  8. Drag all the apps you want to add to the start menu to the center. You can create up to four groups for your apps. These groups combine your apps into sections on the start menu.

  9. Once you have added all the apps and groups you want, select Save.

  10. On the Kiosk profile screen, select Save & Publish.

Results

The profile does not install onto the device until all apps included in the profile are installed. After the device receives the profile, the device restarts and runs in Kiosk mode. If you remove the profile from the device, the device disables Kiosk mode, restarts, and removes the Kiosk user.
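The following PowerShell is an added example, not code from the Workspace ONE UEM documentation or product. It shows what the Upload Kiosk XML option expects: it builds an Assigned Access configuration for a multi-app kiosk, resolves the AppUserModelIds of packaged apps from the machine it runs on, and sanity-checks the result (well-formed XML, matching profile Id, absolute and existing paths for classic .exe apps, no domain account) before you upload it. The profile GUID, the app list, the Paint shortcut used for the desktop tile, and the use of the Windows-created auto-logon kiosk account are assumed sample values; the XML structure follows the AssignedAccess CSP schema linked in step 6.

```powershell
# Added example; not code from the Workspace ONE UEM documentation or product.
# Builds an AssignedAccess configuration XML for the Kiosk profile's Upload Kiosk XML option,
# resolves packaged-app AUMIDs from this machine, and sanity-checks the result before upload.
# Profile GUID, app list and tile layout are assumed sample values.
# Schema reference: https://docs.microsoft.com/en-us/windows/client-management/mdm/assignedaccess-csp

function Get-Aumid {
    # AppUserModelId of a packaged app = <PackageFamilyName>!<Application Id from its manifest>
    param([Parameter(Mandatory)][string]$PackageName)
    $pkg = Get-AppxPackage -Name $PackageName | Select-Object -First 1
    if (-not $pkg) { throw "Package '$PackageName' is not installed on this machine" }
    $manifest = Get-AppxPackageManifest -Package $pkg.PackageFullName
    $appId = @($manifest.Package.Applications.Application)[0].Id
    return "$($pkg.PackageFamilyName)!$appId"
}

function New-KioskConfigurationXml {
    param(
        [string]   $ProfileId    = '{9A2A490F-10F6-4764-974A-43B19E722C23}',   # assumed sample GUID
        [string]   $Account      = '',   # empty: let Windows create and auto-logon its own kiosk account
        [string[]] $PackagedApps = @('Microsoft.WindowsCalculator', 'Microsoft.Windows.Photos'),
        [string[]] $DesktopApps  = @('%windir%\system32\mspaint.exe')          # classic apps need a full path
    )
    $aumids  = @($PackagedApps | ForEach-Object { Get-Aumid $_ })
    $allowed = @($aumids      | ForEach-Object { "          <App AppUserModelId=`"$_`" />" }) +
               @($DesktopApps | ForEach-Object { "          <App DesktopAppPath=`"$_`" />" })
    # One 2x2 tile per packaged app, then a desktop tile that points at a Start Menu shortcut.
    $tiles = @(); $col = 0
    foreach ($id in $aumids) {
        $tiles += "<start:Tile Size=`"2x2`" Column=`"$col`" Row=`"0`" AppUserModelID=`"$id`" />"; $col += 2
    }
    $tiles += "<start:DesktopApplicationTile Size=`"2x2`" Column=`"$col`" Row=`"0`" DesktopApplicationLinkPath=`"%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk`" />"
    $accountXml = if ($Account) { "<Account>$Account</Account>" } else { '<AutoLogonAccount />' }
    $layout = @"
<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="Kiosk">
          $($tiles -join "`n          ")
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>
"@
    return @"
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles>
    <Profile Id="$ProfileId">
      <AllAppsList>
        <AllowedApps>
$($allowed -join "`n")
        </AllowedApps>
      </AllAppsList>
      <StartLayout><![CDATA[$layout]]></StartLayout>
      <Taskbar ShowTaskbar="true" />
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      $accountXml
      <DefaultProfile Id="$ProfileId" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>
"@
}

function Test-KioskConfigurationXml {
    param([Parameter(Mandatory)][string]$Xml)
    [xml]$doc = $Xml                                     # throws if the XML is malformed
    $kioskProfile = $doc.AssignedAccessConfiguration.Profiles.Profile
    $config       = $doc.AssignedAccessConfiguration.Configs.Config
    $problems = @()
    if ($config.DefaultProfile.Id -ne $kioskProfile.Id) { $problems += 'DefaultProfile Id does not match the Profile Id' }
    if ($config.Account -and $config.Account -match '[\\@]') { $problems += "Account '$($config.Account)' looks like a domain account; only local accounts are supported" }
    foreach ($app in @($kioskProfile.AllAppsList.AllowedApps.App)) {
        if (-not $app.DesktopAppPath) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($app.DesktopAppPath)
        if (-not [IO.Path]::IsPathRooted($path)) { $problems += "DesktopAppPath '$($app.DesktopAppPath)' is not an absolute path" }
        elseif (-not (Test-Path -LiteralPath $path)) { $problems += "DesktopAppPath '$path' was not found on this machine" }
    }
    return $problems
}

$xml = New-KioskConfigurationXml
$issues = Test-KioskConfigurationXml -Xml $xml
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Set-Content -Path .\kiosk-assignedaccess.xml -Value $xml -Encoding UTF8; 'Wrote kiosk-assignedaccess.xml' }
```

Run it on a reference device that has the same apps installed as the kiosk targets: the AUMID lookup and the path checks are only meaningful against the image the kiosk will actually run. Every entry in AllowedApps is an allowlist entry, so keep DesktopAppPath values absolute and specific rather than pointing at a directory of interpreters or launchers.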

OEM Updates

Configure OEM Update settings for select Dell enterprise devices with the OEM Updates profile. This profile requires integration with Dell Command | Update.

Support for the OEM Update profile settings varies by Dell Enterprise device. Workspace ONE UEM only pushes the settings a device supports. You can see all OEM updates deployed to your Windows Desktop devices on the Device Updates page, found at Resources > Device Updates > OEM Updates tab.

Note: The OEM Updates profile supports Dell Command | Update versions 2.4, 3.1 and 3.1.1. It does not support version 3.0.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.

  3. Select Device Profile.

  4. Configure the profile General settings.

  5. Select the OEM Updates payload and configure the following settings.

    • Check for Updates - Select the interval used to check for updates.
    • Day of the Week - Select the day of the week to check for updates. Only displays when Check for Updates is set to Weekly.
    • Day of the Month - Select the day of the month to check for updates. Only displays when Check for Updates is set to Monthly.
    • Time - Select the time of day to check for updates.
    • Update Behavior - Select the actions to take when checking for updates.
      • Select Scan Notify to scan for updates and notify the user that updates are available.
      • Select Scan Download Notify to scan for updates, download any available, and notify the user that updates are available for installation.
      • Select Scan Notify Apply Reboot to scan for updates, download any available, install the updates, and reboot the device.
    • Reboot Delay - Select the amount of time the device delays rebooting after downloading updates.
    • Urgent Updates - Select Enable to apply Urgent Updates to the device.
    • Recommended Updates - Select Enable to apply Recommended Updates to the device.
    • Optional Updates - Select Enable to apply Optional Updates to the device.
    • Hardware Drivers - Select Enable to apply hardware driver updates provided by the OEM to the device.
    • Application Software - Select Enable to apply application software updates provided by the OEM to the device.
    • BIOS Updates - Select Enable to apply BIOS updates provided by the OEM to the device. Some BIOS updates prompt users to enter the BIOS password, so consider disabling BIOS passwords on devices whose BIOS updates you want to manage with this profile. Weigh that against what the password protects: without one, anyone with physical access can change firmware settings such as the boot order.
    • Firmware Updates - Select Enable to apply firmware updates provided by the OEM to the device.
    • Utility Software - Select Enable to apply utility software updates provided by the OEM to the device.
    • Other - Select Enable to apply other updates provided by the OEM to the device.
    • Audio - Select Enable to apply audio device updates provided by the OEM to the device.
    • Chipset - Select Enable to apply chipset device updates provided by the OEM to the device.
    • Input - Select Enable to apply input device updates provided by the OEM to the device.
    • Network - Select Enable to apply network device updates provided by the OEM to the device.
    • Storage - Select Enable to apply storage device updates provided by the OEM to the device.
    • Video - Select Enable to apply video device updates provided by the OEM to the device.
    • Others - Select Enable to apply other device updates provided by the OEM to the device.
  6. Select Save & Publish.

Passcode

Use a Passcode profile to protect your Windows 10 devices by requiring a passcode each time they return from an idle state. Learn how a Passcode profile with Workspace ONE UEM ensures that all your sensitive corporate information on managed devices remains protected.

Passcodes set using this profile only take effect if the passcode is stricter than existing passcodes. For example, if the existing Microsoft Account passcode requires stricter settings than the Passcode payload requirements, the device continues to use the Microsoft Account passcode.

Important: The Passcode payload does not apply to domain-joined devices.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.

  3. Select Device Profile.

  4. Configure the profile General settings.

  5. Select the Passcode profile.

  6. Configure the Passcode settings:

    Settings Descriptions
    Password Complexity Select Simple or Complex for the required level of password difficulty.
    Require Alphanumeric Enable to require the passcode to be an alphanumeric passcode.
    Minimum Password Length Enter the minimum number of characters a Password must contain.
    Maximum Password Age (days) Enter the maximum number of days that may elapse before the end user is required to change the Password.
    Minimum Password Age (days) Enter the minimum number of days that must elapse before the end user is allowed to change the Password. This prevents users from cycling through passwords to defeat the password history.
    Device Lock Timeout (in Minutes) Enter the number of minutes before the device automatically locks and requires a passcode re-entry.
    Maximum Number of Failed Attempts Enter the maximum number of attempts the end user may enter before the device is restarted.
    Password History (occurrences) Enter the number of occurrences a password is remembered. If the end user reuses a password within the number of recorded occurrences, they cannot reuse that password. For example, if you set the history to 12, an end user cannot reuse the past 12 passwords.
    Expire Password Enable to expire the existing password on the device and require a new password to be created. Requires Workspace ONE Intelligent Hub to be installed on the device.
    Password Expiration (days) Configure the number of days that a password is valid for before expiring.
    Reversible Encryption for Password Storage Enable to set the operating system to store passwords using reversible encryption. Storing passwords using reversible encryption is essentially the same as storing plain text versions of the passwords. For this reason, do not enable this policy unless application requirements outweigh the need to protect password information.
    Use Protection Agent for Windows 10 Devices Enable to use the Workspace ONE Intelligent Hub to enforce Passcode profile settings instead of the native MDM functionality. Enable this setting if you have issues using the native MDM functionality.
  7. Select Save & Publish when you are finished to push the profile to your devices.
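The following PowerShell is an added example, not code from the Workspace ONE UEM documentation or product. Because the stricter of the existing and profile passcode rules wins, the console does not tell you which policy a device ended up with; this script exports the local account policy the device is actually enforcing and compares it with a baseline, including a check that Reversible Encryption for Password Storage is off. It assumes the Passcode profile is reflected in local account policy, which secedit.exe exports; on domain-joined devices the Passcode payload does not apply and the domain policy is what you will see. The baseline values are assumed. Run in an elevated session.

```powershell
# Added example; not code from the Workspace ONE UEM documentation or product.
# Exports the local account policy a Windows 10 device enforces so you can see which passcode
# rules won and confirm reversible password storage is off. Assumes the profile lands in local
# account policy (what secedit.exe exports). Run elevated.

function Get-EffectivePasswordPolicy {
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
        if (-not (Test-Path $inf)) { throw "secedit export failed (exit code $LASTEXITCODE)" }
        $policy = @{}
        foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
            # [System Access] entries look like: MinimumPasswordLength = 12
            if ($line -match '^(MinimumPasswordAge|MaximumPasswordAge|MinimumPasswordLength|PasswordComplexity|PasswordHistorySize|LockoutBadCount|ClearTextPassword)\s*=\s*(-?\d+)') {
                $policy[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $policy
    }
    finally { Remove-Item -Path $inf -ErrorAction SilentlyContinue }
}

# Assumed baseline; set these to what the Passcode profile should enforce.
$Baseline = @{
    MinimumPasswordLength = 12
    PasswordComplexity    = 1     # Require Alphanumeric / Complex
    PasswordHistorySize   = 12
    MaximumPasswordAge    = 90    # days; -1 in the export means never expires
    MinimumPasswordAge    = 1
    LockoutBadCount       = 10    # Maximum Number of Failed Attempts; 0 means no lockout
    ClearTextPassword     = 0     # Reversible Encryption for Password Storage must stay off
}

function Compare-PasswordPolicy {
    param([Parameter(Mandatory)][hashtable]$Actual, [hashtable]$Expected = $Baseline)
    foreach ($name in $Expected.Keys) {
        $have = $Actual[$name]
        $ok = switch ($name) {
            'MaximumPasswordAge' { ($have -gt 0) -and ($have -le $Expected[$name]) }
            'LockoutBadCount'    { ($have -gt 0) -and ($have -le $Expected[$name]) }
            'ClearTextPassword'  { $have -eq 0 }
            default              { ($null -ne $have) -and ($have -ge $Expected[$name]) }
        }
        [pscustomobject]@{ Setting = $name; Expected = $Expected[$name]; Actual = $have; Compliant = [bool]$ok }
    }
}

Compare-PasswordPolicy -Actual (Get-EffectivePasswordPolicy) | Format-Table -AutoSize
```

A ClearTextPassword value of 1 means the device stores passwords in a form equivalent to plain text, which is the outcome the Reversible Encryption setting above warns about; treat it as a finding regardless of what the rest of the policy says.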

Peer Distribution

Workspace ONE Peer Distribution uses the native Windows BranchCache feature that is built into the Windows operating system. It provides a peer-to-peer alternative for distributing app content, so that devices on the same network can retrieve content from each other instead of each one downloading it separately.

Configure peer distribution on your Windows 10 devices with the Peer Distribution Windows Desktop profile. Peer distribution supports the Distributed, Hosted, and Local BranchCache modes along with their configuration settings: the disk space percentage and the maximum cache age. You can also view the BranchCache statistics of an application from the Peer Distribution Details panel under Apps & Books > Native > List View > Application Details.

Peer distribution with Workspace ONE allows you to deploy your Windows apps to enterprise networks. This profile uses the native Windows BranchCache functionality built into the the Windows operating system.

Configuring a Peer Distribution Profile


Before you can use the Peer Distribution profile for peer-to-peer distribution, you must meet the peer distribution with Workspace ONE requirements.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.

  3. Select Device Profile.

  4. Configure the profile General settings.

  5. Select the Peer Distribution profile and select Configure.

    You must have File Storage configured before you can create a Peer Distribution profile. For more information, see Requirements for Workspace ONE Peer Distribution.

  6. Select the Workspace ONE Peer Distribution Mode you want to use.

    Setting Description
    Distributed Select this option to have your devices download apps from peers in a local subnet.
    Hosted Select this option to have your devices to download apps from a hosted cache server.
    Local Select this option to have your devices to download apps from local device caching only.
    Disabled Select this option to disable peer distribution.
  7. Configure the Cache settings:

    Setting Description
    Maximum Cache Age (days) Enter the maximum number of days that peer distribution items should remain in the cache before the device purges the items.
    Percentage of Disk Space Used for BranchCache Enter the amount of local disk space the device should allow peer distribution to use.
  8. If you set the distribution mode to Hosted, configure the Hosted Cache Servers settings. You must add at least one hosted cache server for devices to download and upload content to and from.

  9. Select Save & Publish.
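The following PowerShell is an added example, not code from the Workspace ONE UEM documentation or product. It reads what BranchCache actually did on a device after the Peer Distribution profile was published (mode, cache size, hosted cache servers, service state), compares that with the mode and disk percentage you expect, and lists the inbound firewall rules BranchCache relies on, since Distributed mode makes each device serve content to its peers. It uses the BranchCache PowerShell module on Windows 10; the property names used are the ones that module exposes, and the expected mode and percentage are assumed values. Run in an elevated session.

```powershell
# Added example; not code from the Workspace ONE UEM documentation or product.
# Confirms what BranchCache did on a device after the Peer Distribution profile was published
# and what it exposes on the network. Uses the Windows BranchCache module (elevated session).
# Expected mode and cache percentage are assumed; set them to what the profile configured.

function Get-PeerDistributionState {
    $client = Get-BCClientConfiguration
    $cache  = Get-BCDataCache
    $status = Get-BCStatus
    [pscustomobject]@{
        Enabled        = $status.BranchCacheIsEnabled
        Mode           = [string]$client.CurrentClientMode     # Disabled / DistributedCache / HostedCacheClient / LocalCache
        HostedServers  = @($client.HostedCacheServerList) -join ','
        CachePercent   = $cache.MaxCacheSizeAsPercentOfDiskVolume
        CacheOnDiskMB  = [math]::Round($cache.CurrentSizeOnDiskAsNumberOfBytes / 1MB)
        ServiceStatus  = (Get-Service -Name PeerDistSvc).Status
    }
}

function Test-PeerDistributionBaseline {
    param(
        [ValidateSet('Disabled', 'DistributedCache', 'HostedCacheClient', 'LocalCache')]
        [string]$ExpectedMode = 'DistributedCache',
        [int]$ExpectedPercent = 10
    )
    $s = Get-PeerDistributionState
    $problems = @()
    if ($s.Mode -ne $ExpectedMode) { $problems += "Mode is $($s.Mode), expected $ExpectedMode" }
    if ($s.CachePercent -ne $ExpectedPercent) { $problems += "Cache is $($s.CachePercent)% of disk, expected $ExpectedPercent%" }
    if ($ExpectedMode -eq 'HostedCacheClient' -and -not $s.HostedServers) { $problems += 'Hosted mode with no hosted cache server configured' }
    if ($ExpectedMode -ne 'Disabled' -and $s.ServiceStatus -ne 'Running') { $problems += "BranchCache service is $($s.ServiceStatus)" }
    return $problems
}

function Get-BranchCacheInboundExposure {
    # Distributed mode serves content to peers, so Windows enables inbound rules for content
    # retrieval (HTTP) and peer discovery (WS-Discovery). Review which are on and on which profiles.
    Get-NetFirewallRule -Direction Inbound | Where-Object DisplayGroup -like 'BranchCache*' |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled; Profile = $_.Profile; Protocol = $port.Protocol; LocalPort = $port.LocalPort }
        }
}

Get-PeerDistributionState | Format-List
$issues = Test-PeerDistributionBaseline -ExpectedMode DistributedCache -ExpectedPercent 10
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Peer distribution matches the expected profile.' }
Get-BranchCacheInboundExposure | Format-Table -AutoSize
```

If the inbound BranchCache rules are enabled on the Public profile, laptops will answer peer requests on untrusted networks; in that case scope the rules to Domain and Private, or use Hosted mode where only the hosted cache server listens.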

Personalization

Use a Personalization profile for Windows Desktop devices to set the Windows personalization settings. These settings include the desktop background and the start menu settings.

All settings in this profile are optional. Consider configuring only the settings you need to meet your personalization requirements.

This profile does not create a multi-app kiosk device like the Kiosk profile.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.

  3. Select Device Profile.

  4. Configure the profile General settings.

  5. Select the Personalization profile.

  6. Configure the Images settings:

    Settings Descriptions
    Desktop Image Select Upload to add an image to use as the desktop background.
    Lock Screen Image Select Upload to add an image to use as the lock screen background.
  7. Upload a start layout XML. This XML file overrides the default start menu layout and prevents users from changing the layout. You can configure the layout of tiles, the number of groups, and the apps in each group. You must create this XML yourself. For more information on creating a start layout XML, see https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout.

  8. Configure the Start Menu Policies settings. These settings allow you to control which shortcuts are allowed in the start menu. You can also choose to Hide or Show certain options such as the Shut Down option or the App List.

  9. Select Save & Publish.

Proxy

Create a Proxy profile to configure a proxy server for your Windows Desktop devices. These settings do not apply to VPN connections.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.

  3. Select Device Profile.

  4. Configure the profile General settings.

  5. Select the Proxy profile and configure the settings:

    Settings Description
    Automatically Detect Settings Enable to have the system automatically try to find the path to a proxy auto-config (PAC) script. Automatic detection relies on WPAD (a DHCP option and the wpad DNS name), which lets any host that can answer those requests on the local network supply the PAC script; prefer an explicit Script Address or a static proxy server where you can.
    Use Setup Script Enable to enter the file path to the PAC script.
    Script Address Enter the file path to the PAC script. This option displays when Use Setup Script is enabled.
    Use Proxy Server Enable to use a static proxy server for Ethernet and Wi-Fi connections. This proxy server is used for all protocols. These settings do not apply to VPN connections.
    Address to Proxy Server Enter the proxy server address. The address must follow the format: <server>[":"<port>].
    Exceptions Enter any addresses that should not use the proxy server. The system will not use the proxy server for these addresses. Separate entries with a semicolon (;).
    Use Proxy for Local (Intranet) Addresses Enable to use the proxy server for local (intranet) addresses.
  6. Select Save And Publish.
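The following PowerShell is an added example, not code from the Workspace ONE UEM documentation or product. It reads the proxy settings a device ended up with and checks them against what the Proxy profile expects: a server in <server>[:<port>] form, semicolon-separated exceptions, and a PAC script fetched over HTTPS rather than HTTP, where an on-path attacker could substitute the proxy logic. The registry locations are the standard Windows Internet Settings keys; that the profile writes machine-wide settings and sets ProxySettingsPerUser is an assumption, so the script reads whichever hive Windows says applies.

```powershell
# Added example; not code from the Workspace ONE UEM documentation or product.
# Reads the proxy settings a device has and checks them against the Proxy profile's formats.
# Registry keys are the standard Windows Internet Settings locations; which hive applies is
# decided by ProxySettingsPerUser (assumption: the profile writes machine-wide settings).

function Get-InternetProxySettings {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $perUser   = (Get-ItemProperty -Path $policyKey -Name ProxySettingsPerUser -ErrorAction SilentlyContinue).ProxySettingsPerUser
    $hive = if ($perUser -eq 0) { 'HKLM:' } else { 'HKCU:' }   # 0 = machine-wide settings win
    $p = Get-ItemProperty -Path "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" -ErrorAction Stop
    [pscustomobject]@{
        Source        = $hive
        ProxyEnable   = [int]$p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        ProxyOverride = $p.ProxyOverride
        AutoConfigURL = $p.AutoConfigURL
        BypassLocal   = ([string]$p.ProxyOverride -split ';') -contains '<local>'   # "Use Proxy for Local" disabled
    }
}

function Test-ProxySettings {
    param([Parameter(Mandatory)]$Settings)
    $problems = @()
    if ($Settings.ProxyEnable -eq 1) {
        # Address to Proxy Server: host name or IP, optionally followed by :port
        if ($Settings.ProxyServer -notmatch '^[A-Za-z0-9.\-]+(:\d{1,5})?$') {
            $problems += "ProxyServer '$($Settings.ProxyServer)' is not in <server>[:<port>] form"
        }
        $exceptions = @([string]$Settings.ProxyOverride -split ';' | Where-Object { $_ -and $_ -ne '<local>' })
        foreach ($e in $exceptions) {
            if ($e -notmatch '^[A-Za-z0-9.\-*:\[\]/]+$') { $problems += "Malformed exception entry '$e'" }
        }
    }
    if ($Settings.AutoConfigURL -and $Settings.AutoConfigURL -notmatch '^https://') {
        $problems += "PAC script '$($Settings.AutoConfigURL)' is not fetched over HTTPS; an on-path attacker can substitute proxy logic"
    }
    return $problems
}

$settings = Get-InternetProxySettings
$settings | Format-List
$issues = Test-ProxySettings -Settings $settings
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Proxy settings are consistent with the profile formats.' }
```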

Restrictions

Use the Restrictions profile to disable end-user access to device features to ensure that your Windows 10 devices are not tampered with. Learn how to control what settings and options end users can use or change with the Workspace ONE UEM restrictions profile.

The Windows version and edition on a device determine which restrictions apply to it.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add.

  2. Select Windows and then select Windows Desktop.

  3. Select Device Profile.

  4. Configure the profile General settings.

  5. Select the Restrictions profile.

  6. Configure the Administration settings:

    Settings Description
    Allow Manual MDM Unenrollment Allow the end user to unenroll from Workspace ONE UEM manually through the Workplace/Work Access enrollment. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Runtime Configuration Hub to Install Provisioning Packages Enable to allow the use of provisioning packages to enroll devices into Workspace ONE UEM (bulk provisioning). This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Location Select how location services run on the device. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Runtime Configuration Agent to Remove Provisioning Packages Enable to allow the removal of provisioning packages. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Send Diagnostic and Usage Telemetry Data Select the level of telemetry data to send to Microsoft. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Require Microsoft Account for MDM Enable to require a Microsoft Account for devices to receive policies or applications.
    Require Microsoft Account for Modern Applications Enable to require a Microsoft Account for devices to download and install Windows Apps.
    Provisioning Packages Must Have a Certificate Signed by a Device Trusted Authority Enable to require a trusted certificate for all provisioning packages (bulk provisioning). This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Allow User to Change Auto Play Settings Allow the user to change what program is used for Auto Play of file types. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Allow User to Change Data Sense Settings Allow the user to change the Data Sense settings to restrict data use on the device. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Date/Time Allow the user to change the Date/Time settings. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Language Allow the user to change the language settings. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Allow User to Change Power and Sleep Settings Allow the user to change the Power and Sleep settings. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Region Allow the user to change the region. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Allow User to Change Sign-In Options Allow the user to change the Sign-In Options. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    VPN Allow the user to change the VPN settings. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Allow User to Change Workplace Settings Allow the user to change Workplace settings and change how MDM functions on the device. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Allow the User to Change Account Settings Allow the user to change Account settings. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Bluetooth Allow the use of Bluetooth on the device. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Device Bluetooth Advertising Allow the device to broadcast Bluetooth Advertisements. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Bluetooth-enabled devices can discover the device Allow Bluetooth discovery of the device by other Bluetooth devices. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Camera Allow access to the camera function of the device. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Cortana Allow access to the Cortana application. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Device Discovery UX on the Lock Screen Allow the device discovery UX on the lock screen to discover projectors and other displays. When enabled, the Win+P and Win+K shortcuts do not work. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    IME Logging Enable to allow the user to turn on and off the logging for incorrect conversions and saving of auto-tuning result to a file and history-based predictive input. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    IME Network Access Enable to allow the user to turn on the Open Extended Dictionary to integrate Internet searches to provide input suggestions that do not exist in a devices local dictionary. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Smart Screen Despite its label, this setting governs picture-password and simple-PIN sign-in: Enable to allow end users to unlock the device by drawing shapes on an image, and to use a PIN as their passcode. It is not the SmartScreen malicious site and content filter, which is the separate Smart Screen setting in the browser settings later in this table.

    Note: After you disable the function, you cannot reenable it through Workspace ONE UEM MDM. To reenable it, you must factory reset the device.

    This restriction does not apply to Windows 10 Home edition devices.
    Search to Leverage Location Information Allow the search to use the device location information. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Storage Card Enable to allow the use of an SD card and the device USB ports. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Windows Sync Settings Allow user to sync Windows settings across devices. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Windows Tips Allow Windows Tips on the device to help the user. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    User Account Control Setting Select the level of notification sent to end users when a change to the operating system requires device admin permission.
    Allow Non-Microsoft Store Trusted Applications Allows the downloading and installation of applications not trusted by the Microsoft Store. This restriction applies to all Windows 10 devices.
    App Store Auto Updates Enable to allow apps downloaded from the Microsoft Store to update automatically when new versions are available. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Allow Developer Unlock Allows the use of the Developer Unlock setting for sideloading applications onto devices. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Allow DVR & Game Broadcasting Enable to allow the recording and broadcasting of games on the device. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Allow Share Data Among Multiple Users of the Same App Allows sharing of data between multiple users of an app. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Restrict App Data to System Volume Restricts app data to the same volume as the OS instead of secondary volumes or removable media. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Restrict Installation of Applications to System Drive Restricts the installation of apps to the system drive instead of secondary drives or removable media. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Auto Connect to Wi-Fi Hotspots Enable to allow the device to connect to Wi-Fi hotspots automatically using the Wi-Fi Sense functionality. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Cellular Data On Roaming Enable to allow cellular data use while roaming. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Internet Sharing Enable to allow Internet sharing between devices. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Data Usage on Roaming Enable to allow end users to transmit and receive data while roaming. This restriction applies to all Windows devices.
    VPN Over Cellular Allow the use of a VPN over cellular data connections. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    VPN Roaming Over Cellular Allow the use of a VPN while on roaming cellular data connections. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Auto fill Allow the use of Auto fill to complete user information. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Cookies Allow the use of cookies. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Do Not Track Allow the use of Do Not Track requests. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Password Manager Allow the use of a password manager. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Pop-ups Allow pop-up browser windows. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Search Suggestions in Address Bar Allow search suggestions to appear in address bar. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Smart Screen Allow the use of the SmartScreen malicious site and content filter. This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.
    Send Intranet Traffic to Internet Explorer Allow intranet traffic to use Internet Explorer. This restriction applies to all Windows 10 devices.
    Enterprise Site List URL Enter the URL for an enterprise site list. This restriction applies to all Windows 10 devices.
  7. Select Save & Publish when you are finished to push the profile to devices.
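The following PowerShell is an added example, not code from the Workspace ONE UEM documentation or product. Windows records the Policy CSP values a device has received under HKLM\SOFTWARE\Microsoft\PolicyManager\current, so a device can be audited for the restrictions that matter most to tamper resistance (manual unenrollment, provisioning packages, developer unlock, sideloading, Wi-Fi Sense, browser SmartScreen, telemetry level) without trusting the console's view alone. The mapping from Restrictions labels to Policy CSP area and policy names is the author's reading of the labels against the Policy CSP reference, not something this documentation states, and the expected values are an assumed hardened baseline.

```powershell
# Added example; not code from the Workspace ONE UEM documentation or product.
# Compares the MDM policy values a Windows 10 device actually received with a hardened baseline.
# Windows writes received Policy CSP values under HKLM\SOFTWARE\Microsoft\PolicyManager\current.
# The label-to-policy mapping and the expected values are the author's assumptions.

$PolicyRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

# Want = exact expected value; Max = the highest acceptable value (for leveled settings).
$Checks = @(
    @{ Label = 'Allow Manual MDM Unenrollment';            Area = 'Experience';            Name = 'AllowManualMDMUnenrollment';          Want = 0 }
    @{ Label = 'Install Provisioning Packages';             Area = 'Security';              Name = 'AllowAddProvisioningPackage';         Want = 0 }
    @{ Label = 'Remove Provisioning Packages';              Area = 'Security';              Name = 'AllowRemoveProvisioningPackage';      Want = 0 }
    @{ Label = 'Provisioning Packages Must Be Signed';      Area = 'Security';              Name = 'RequireProvisioningPackageSignature'; Want = 1 }
    @{ Label = 'Allow Developer Unlock';                    Area = 'ApplicationManagement'; Name = 'AllowDeveloperUnlock';                Want = 0 }
    @{ Label = 'Allow Non-Microsoft Store Trusted Apps';    Area = 'ApplicationManagement'; Name = 'AllowAllTrustedApps';                 Want = 0 }
    @{ Label = 'Restrict App Data to System Volume';        Area = 'ApplicationManagement'; Name = 'RestrictAppDataToSystemVolume';       Want = 1 }
    @{ Label = 'Auto Connect to Wi-Fi Hotspots';            Area = 'WiFi';                  Name = 'AllowAutoConnectToWiFiSenseHotspots'; Want = 0 }
    @{ Label = 'Smart Screen (browser content filter)';     Area = 'Browser';               Name = 'AllowSmartScreen';                    Want = 1 }
    @{ Label = 'Send Diagnostic and Usage Telemetry Data';  Area = 'System';                Name = 'AllowTelemetry';                      Max  = 1 }
)

function Get-MdmPolicyValue {
    # Returns the delivered value, or $null when no MDM provider has set the policy.
    param([Parameter(Mandatory)][string]$Area, [Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path (Join-Path $PolicyRoot $Area) -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RestrictionsBaseline {
    foreach ($c in $Checks) {
        $actual = Get-MdmPolicyValue -Area $c.Area -Name $c.Name
        if ($c.ContainsKey('Max')) { $expected = "<= $($c.Max)"; $ok = ($null -ne $actual) -and ($actual -le $c.Max) }
        else                       { $expected = $c.Want;        $ok = ($actual -eq $c.Want) }
        $shown = if ($null -eq $actual) { 'not delivered' } else { $actual }
        [pscustomobject]@{
            Restriction = $c.Label
            Policy      = "$($c.Area)/$($c.Name)"
            Expected    = $expected
            Actual      = $shown
            Compliant   = [bool]$ok
        }
    }
}

Test-RestrictionsBaseline | Format-Table -AutoSize
```

A row reading "not delivered" means no MDM value exists on the device, so the Windows default applies; for the unenrollment and provisioning-package restrictions that default is the permissive one, which is why an absent value is reported as non-compliant rather than ignored.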

SCEP

Simple Certificate Enrollment Protocol (SCEP) profiles enable you to install certificates onto devices silently without interaction from the end user.

Even with strong passcodes and other restrictions, your infrastructure remains vulnerable to brute force, dictionary attacks, and employee error. For greater security, you can implement digital certificates to protect corporate assets. To use SCEP to install these certificates to devices silently, you must first define a certificate authority, then configure a SCEP payload alongside your EAS, Wi-Fi, or VPN payload. Each of these payloads has settings for associating the certificate authority defined in the SCEP payload.

To push certificates to devices, configure a SCEP payload as part of the profiles you created for EAS, Wi-Fi, and VPN settings.

Configuring a SCEP Profile

A SCEP profile silently installs certificates onto devices for use with device authentication.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.

  3. Select User Profile or Device Profile.

  4. Configure the profile General settings.

  5. Select the SCEP profile.

  6. Configure the SCEP settings, including:

    Settings Descriptions
    Credential Source This drop-down menu is always set to defined certificate authority.
    Certificate Authority Select the certificate authority you want to use.
    Certificate Template Select the template available for the certificate.
    Key Location Select the location for the certificate private key:

    TPM If Present – Select to store the private key on a Trusted Platform Module if one is present on the device, otherwise store it in the OS.
    TPM Required – Select to store the private key on a Trusted Platform Module. If a TPM is not present, the certificate does not install and an error displays on the device.
    Software – Select to store the private key in the device OS.
    Passport – Select to save the private key within the Microsoft Passport. This option requires the Azure AD integration.
    Container Name Specify the Passport for Work (now called ‘Windows Hello for Business’) container name. This setting displays when you set Key Location to Passport.
  7. Configure the Wi-Fi, VPN, or EAS profile.

  8. Select Save & Publish when you are finished to push the profile to devices.
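The following PowerShell is an added example, not code from the Workspace ONE UEM documentation or product. A SCEP profile with Key Location set to TPM Required is only worth the name if the private key of the issued certificate is actually TPM-backed and non-exportable; this script finds certificates from a given issuer in the device (Device Profile) or user (User Profile) store and reports which cryptographic provider holds each key, whether the key is exportable, and whether the TPM is ready. The issuer name is an assumed sample; Get-Tpm and the LocalMachine store need an elevated session.

```powershell
# Added example; not code from the Workspace ONE UEM documentation or product.
# Verifies that a SCEP-issued certificate's private key lives in the TPM (Microsoft Platform
# Crypto Provider) and is not exportable. Issuer name is an assumed sample. Run elevated.

function Test-CertificateKeyInTpm {
    param(
        [Parameter(Mandatory)][string]$IssuerMatch,                                   # substring of the issuing CA name
        [ValidateSet('LocalMachine', 'CurrentUser')][string]$Store = 'LocalMachine'   # Device Profile vs User Profile
    )
    $tpm = try { Get-Tpm } catch { $null }
    $certs = Get-ChildItem -Path "Cert:\$Store\My" | Where-Object { $_.Issuer -like "*$IssuerMatch*" -and $_.HasPrivateKey }
    if (-not $certs) { Write-Warning "No certificate from '$IssuerMatch' with a private key in Cert:\$Store\My"; return }
    foreach ($cert in $certs) {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if (-not $key) { $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert) }
        $provider = $null; $exportable = $null
        if ($key -and $key.PSObject.Properties['Key']) {
            # CNG key (RSACng / ECDsaCng): the provider tells you where the key material lives
            $provider   = $key.Key.Provider.Provider
            $exportable = $key.Key.ExportPolicy -ne 'None'
        }
        elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI key container: software-backed, never the TPM
            $provider   = $key.CspKeyContainerInfo.ProviderName
            $exportable = $key.CspKeyContainerInfo.Exportable
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Provider   = $provider
            InTpm      = ($provider -eq 'Microsoft Platform Crypto Provider')
            Exportable = $exportable
            TpmReady   = if ($tpm) { $tpm.TpmReady } else { 'unknown' }
        }
    }
}

Test-CertificateKeyInTpm -IssuerMatch 'Contoso Issuing CA' | Format-Table -AutoSize
```

With TPM If Present, a device without a ready TPM silently gets a software key, so InTpm = False with TpmReady = False is the expected outcome on such hardware rather than an error; with TPM Required the certificate should not exist at all on that device, and its presence with a software provider is worth investigating.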

Single App Mode

The Single App Mode profile allows you to limit access on the device to a single application. With Single App Mode, the device stays locked to that application until the payload is removed. The policy takes effect after the device reboots.

Single App Mode has some restrictions and limitations.

  • Windows Universal or Modern apps only. Single App Mode does not support legacy .msi or .exe applications.
  • The user must be a local standard user. Domain users, administrator accounts, Microsoft accounts, and guest accounts are not supported.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.
  2. Select Windows and then select Windows Desktop.
  3. Select User Profile.
  4. Configure the profile General settings.
  5. Select the Single App Mode Profile.
  6. Configure the Single App Mode settings: for Application Name, enter the application's friendly name. For Windows apps, the friendly name is the Package Name or Package ID. To find it, run the PowerShell command Get-AppxPackage on a device where the app is installed; the friendly name is returned as the Name property.
  7. After configuring a Single App Mode profile, you must set up Single App Mode on the device.
    • After receiving the Single App Mode profile on the device, reboot the device to begin.
    • Once the device restarts, you are prompted to sign into the device with the Standard User account.

Once signed in, the policy launches and Single App Mode is ready for use. To sign out of Single App Mode, press the Windows key five times quickly to launch the login screen and log in as a different user.
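
The following PowerShell is an added example and is not part of the Workspace ONE UEM documentation. It checks the two Single App Mode prerequisites from this section on the device itself: that the application is a Windows Universal (Appx) package, reported with the Package Name that the Application Name field expects, and that the kiosk account is an enabled local user outside the local Administrators group. The app name 'Calculator' and the account 'kioskuser' are placeholders; the Package Family Name column it also returns is the value the Per-app VPN rules use for Store apps.

```powershell
# Added example, not code from the Workspace ONE UEM documentation. Pre-flight checks for
# the Single App Mode requirements: a Windows Universal (Appx) app and a local standard user.
# 'Calculator' and 'kioskuser' below are placeholders.

# Returns the Package Name (the "friendly name" the profile expects) and the Package
# Family Name for installed Appx packages whose name contains $DisplayName.
function Get-AppxFriendlyName {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [string] $UserName        # listing another user's packages needs an elevated prompt
    )
    $packages = if ($UserName) { Get-AppxPackage -User $UserName } else { Get-AppxPackage }
    $packages |
        Where-Object { $_.Name -like "*$DisplayName*" } |
        Select-Object Name, PackageFamilyName, Version
}

# Returns $true only for an enabled local account that is not a member of the local
# Administrators group. Domain, Azure AD and Microsoft accounts fail this check.
function Test-LocalStandardUser {
    param([Parameter(Mandatory)] [string] $AccountName)
    $user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    if (-not $user -or -not $user.Enabled) { return $false }
    if ($user.PrincipalSource -and $user.PrincipalSource -ne 'Local') { return $false }
    $admins  = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $isAdmin = @($admins | Where-Object { $_.SID -eq $user.SID }).Count -gt 0
    return (-not $isAdmin)
}

# Usage with the placeholder values
Get-AppxFriendlyName -DisplayName 'Calculator'     # Name is the value for Application Name
Test-LocalStandardUser -AccountName 'kioskuser'    # must be $true before the profile is assigned
```

Run both checks before publishing the profile: if the app is a legacy .msi or .exe it does not appear in the Get-AppxPackage output at all, and if the account check returns $false the device will not enter Single App Mode after the reboot.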

VPN

Workspace ONE UEM supports configuring device VPN settings so your end users can remotely and securely access your organization's internal network. Learn how the VPN profile provides detailed VPN settings control, including specific VPN provider settings and Per-App VPN access.

Important: Before enabling VPN Lockdown, verify that the VPN configuration for the VPN profile works. If the VPN configuration is incorrect, there is a chance you cannot delete the VPN profile off the device because there is no Internet connection.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.

  3. Select User Profile or Device Profile.

  4. Configure the profile General settings.

  5. Select the VPN profile.

  6. Configure the Connection Info settings.

    • Connection Name - Enter the name of the VPN connection.
    • Connection Type - Select the type of VPN connection:
    • Server - Enter the VPN server hostname or IP Address.
    • Port - Enter the port the VPN server uses.
    • Advanced Connection Settings - Enable to configure advanced routing rules for device VPN connection.
    • Routing Addresses - Select Add to enter the IP Addresses and Subnet Prefix Size of the VPN server. You can add more routing addresses as needed.
    • DNS Routing Rules - Select Add to enter the Domain Name that governs when to use the VPN. Enter the DNS Servers and Web Proxy Servers to use for each specific domain.
    • Routing Policy - Choose either to Force All Traffic Through VPN or Allow Direct Access to External Resources.
      • Force All Traffic Through VPN (Force Tunnel): For this traffic rule, all IP traffic must go through the VPN Interface only.
      • Allow Direct Access to External Resources (Split Tunnel): For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces.
    • Proxy - Select Auto Detect to detect any proxy servers used by the VPN. Select Manual to configure the proxy server.
    • Server - Enter the IP Address for the proxy server. Displays when Proxy is set to Manual.
    • Proxy Server Config URL - Enter the URL for the proxy server configuration settings. Displays when Proxy is set to Manual.
    • Bypass proxy for local - Enable to bypass the proxy server when the device detects it is on the local network.
    • Protocol - Select the authentication protocol for the VPN:
      • EAP – Allows for various authentication methods.
      • Machine Certificate – Detects a client certificate in the device certificate store to use for authentication.
    • EAP Type - Select the type of EAP authentication. Displays only if Protocol is set to EAP.
      • EAP-TLS – Smart Card or client certificate authentication
      • EAP-MSCHAPv2 – User name and Password
      • EAP-TTLS
      • PEAP
      • Custom Configuration – Allows all EAP configurations.
    • Credential Type - Select Use Certificate to use a client certificate. Select Use Smart Card to use a Smart Card to authenticate. Displays when EAP Type is set to EAP-TLS.
    • Simple Certificate Selection - Enable to simplify the list of certificates from which the user selects. The certificates display by the most recent certificate issued for each entity. Displays when EAP Type is set to EAP-TLS.
    • Use Windows Log On Credentials - Enable to use the same credentials as the Windows device. Displays when EAP Type is set to EAP-MSCHAPv2.
    • Identity Privacy - Enter the value to send servers before the client authenticates the server identity. Displays when EAP Type is set to EAP-TTLS.
    • Inner Authentication Method - Select the authentication method for inner identity authentication. Displays when EAP Type is set to EAP-TTLS.
    • Enable Fast Reconnect - Enable to reduce the delay in time between an authentication request by a client and the response from the server. Displays when EAP Type is set to PEAP.
    • Enable Identity Privacy - Enable to protect the user identity until the client authenticates with the server.
    • Per-app VPN Rules - Select Add to add traffic rules for specific Legacy and Modern applications.
    • Application ID - First select whether the app is a Store App or a Desktop App. Then, enter the application file path for Desktop apps. You can also enter the package family name for Store Apps to specify the app the traffic rules apply to.
      • File Path example: %ProgramFiles%/ Internet Explorer/iexplore.exe
      • Package Family Name example: AirWatchLLC.AirWatchMDMAgent_htcwkw4rx2gx4. The PFN Lookup allows you to search for the application PFN by selecting the Search icon. A display window opens in which you select the app whose traffic the Per-app VPN rules govern. The PFN is then autopopulated.
    • VPN On Demand - Enable to have the VPN connection automatically connect when the application is launched.
    • Routing Policy - Select the routing policy for the app.
      • Allow Direct Access to External Resources allows for both VPN traffic and traffic through the local network connection.
      • Force All Traffic Through VPN forces all traffic through the VPN.
    • DNS Routing Rules - Enable to add DNS routing rules for the app traffic. Select Add to add Filter Types and Filter Values for the routing rules. Only traffic from the specified app that matches these rules can be sent through the VPN.
      • IP Address: A list of comma-separated values specifying remote IP address ranges to allow.
      • Ports: A list of comma-separated values specifying remote port ranges to allow. For example, 100–120, 200, 300–320. Ports are only valid when the protocol is set to TCP or UDP.
      • IP Protocol: Numeric value 0–255 representing the IP protocol to allow. For example, TCP = 6 and UDP = 17.
    • Device Wide VPN Rules - Select Add to add traffic rules for the entire device. Select Add to add Filter Types and Filter Values for the routing rules. Only traffic that matches these rules can be sent through the VPN.
      • IP Address: A list of comma-separated values specifying remote IP address ranges to allow.
      • Ports: A list of comma-separated values specifying remote port ranges to allow. For example, 100–120, 200, 300–320. Ports are only valid when the protocol is set to TCP or UDP.
      • IP Protocol: Numeric value from 0–255 representing the IP protocol to allow. For example, TCP = 6 and UDP = 17. For a list of the numeric value of all protocols, see https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.
    • Remember Credentials - Enable to remember the end user login credentials.
    • Always On - Enable to force the VPN connection to be always on.
    • VPN Lockdown - Enable to force the VPN to be on always, never disconnect, disable any network access if the VPN is not connected, and prevent other VPN profiles from connecting on the device. A VPN profile with VPN Lockdown enabled must be deleted before you push a new VPN profile to the device. This feature only displays if the profile is set to Device context.
    • Bypass for Local - Enable to bypass the VPN connection for local intranet traffic.
    • Trusted Network Detection - Enter, separated by commas, trusted network addresses. The VPN does not connect when a trusted network connection is detected.
    • Domain - Select Add New Domain to add domains to resolve through the VMware Tunnel server. Any domains added resolve through the VMware Tunnel server regardless of the app originating the traffic. For example, vmware.com resolves through the VMware Tunnel server whether you use the trusted Chrome app or the untrusted Edge app. This option only displays when you create the VPN profile as a user profile.
  7. Select Save & Publish when you are finished to push the profile to devices.
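
The Important note at the top of this section warns that a VPN profile with a broken configuration can become undeletable once VPN Lockdown removes the device's network access. The PowerShell below is an added example, not code from Workspace ONE UEM or VMware, that reads the connection the profile created back from the device and reports the settings worth confirming before Lockdown or Always On is enabled: whether the server hostname resolves, force versus split tunnel, the routing addresses, and the per-app triggers. 'CorpVPN' is a placeholder for the Connection Name configured in the profile; the built-in VpnClient cmdlets (Get-VpnConnection, Get-VpnConnectionRoute, Get-VpnConnectionTrigger) are used as documented by Microsoft.

```powershell
# Added example, not part of the Workspace ONE UEM documentation. Run on the device after the
# VPN profile lands and before VPN Lockdown / Always On is enabled. 'CorpVPN' is a placeholder.

# Device Profiles create all-user connections; User Profiles create per-user ones. Try both.
function Get-ProfiledVpnConnection {
    param([Parameter(Mandatory)] [string] $Name)
    $conn = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue
    if (-not $conn) { $conn = Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue }
    return $conn
}

# Summarises the settings that matter before Lockdown. Ready is $true only when the server
# resolves; a manual connect should still succeed before Lockdown is turned on.
function Test-VpnProfileReady {
    param([Parameter(Mandatory)] [string] $Name)
    $conn = Get-ProfiledVpnConnection -Name $Name
    if (-not $conn) {
        return [pscustomobject]@{ Name = $Name; Found = $false; Ready = $false }
    }
    # The Server field may be a hostname or an IP address; only hostnames need DNS.
    $server = $conn.ServerAddress
    if ($server -as [ipaddress]) {
        $resolvable = $true
    } else {
        $resolvable = [bool](Resolve-DnsName -Name $server -ErrorAction SilentlyContinue)
    }
    $scope    = @{ AllUserConnection = [bool]$conn.AllUserConnection }
    $routes   = Get-VpnConnectionRoute   -ConnectionName $Name @scope -ErrorAction SilentlyContinue
    $triggers = Get-VpnConnectionTrigger -ConnectionName $Name @scope -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name           = $Name
        Found          = $true
        Server         = $server
        ServerResolves = $resolvable
        TunnelType     = $conn.TunnelType
        Authentication = (@($conn.AuthenticationMethod) -join ',')
        SplitTunneling = $conn.SplitTunneling        # $false = Force All Traffic Through VPN
        RouteCount     = ($routes | Measure-Object).Count
        PerAppTriggers = ($triggers.ApplicationID | Measure-Object).Count
        Ready          = $resolvable
    }
}

Test-VpnProfileReady -Name 'CorpVPN' | Format-List
```

If SplitTunneling is $false and RouteCount is 0 while the VPN server itself is unreachable, every packet on the device is already bound for a tunnel that cannot come up; that is exactly the state in which enabling Lockdown leaves no path for the console to remove the profile.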

Per-App VPN for Windows 10 Using the VPN Profile

Workspace ONE UEM VPN profiles support configuring Per-App VPN settings for Windows 10 devices. Learn how to configure your VPN profile to use the specific traffic rules and logic to enable Per-App VPN access.

Per-app VPN lets you configure VPN traffic rules based on specific applications. When configured, the VPN connects automatically when a specified app starts and sends the application traffic through the VPN connection but not traffic from other applications. With this flexibility, you can ensure that your data remains secure while not limiting device access to the Internet at large.

Each rule group under the Per-App VPN Rules section uses the logical OR operator. So if the traffic matches any of the configured policies, it is allowed through the VPN.

Per-App VPN Rules

The applications for which Per-app VPN traffic rules apply can be legacy Windows applications such as EXE files or modern apps downloaded from the Microsoft Store. By setting specific applications to start and use the VPN connection, only the traffic from those apps uses the VPN and not all device traffic. This logic allows you to keep corporate data secure while reducing the bandwidth sent through your VPN.

To help you reduce VPN bandwidth constraints, you can set DNS routing rules for the Per-app VPN connection. These routing rules limit the traffic sent through the VPN to only the traffic that matches the rules. The logic rules use the AND operator. If you set an IP Address, Port, and IP Protocol, the traffic must match each of these filters to pass through the VPN.

Per-app VPN allows you to configure detailed control over your VPN connections on an app by app basis.
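
The two combination rules stated above (AND between the IP Address, Ports and IP Protocol filters of one rule, OR across the rules in a group) are easy to misread when several rules overlap. The PowerShell below is an added example, not Workspace ONE UEM code, that models that evaluation over constructed rules and sample flows so the effect of a rule set can be tabled before it is published. The range syntax it parses (CIDR, dash ranges, comma-separated port ranges) follows the examples in the table above; the rule and flow objects are this example's own shape, not a console export format.

```powershell
# Added example, not from the Workspace ONE UEM documentation: a model of how the Per-app
# VPN traffic filters combine. Every filter set on a rule must match (AND); the rule group
# sends traffic over the VPN when any rule matches (OR). Rules and flows are constructed.

# Converts a dotted IPv4 address to a 64-bit integer so ranges can be compared numerically.
function ConvertTo-IPv4Int {
    param([Parameter(Mandatory)] [string] $Address)
    $b = ([ipaddress]$Address).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

# Parses "10.0.0.0/8, 192.168.1.10-192.168.1.20, 172.16.5.5" into Start/End integer pairs.
# Both the hyphen and the en dash shown in the console text are accepted as range separators.
function ConvertFrom-AddressRangeList {
    param([string] $Spec)
    foreach ($item in ($Spec -split ',')) {
        $item = $item.Trim() -replace [string][char]0x2013, '-'
        if (-not $item) { continue }
        if ($item -match '^([\d.]+)/(\d+)$') {                        # CIDR block
            $size  = [int64][math]::Pow(2, 32 - [int]$Matches[2])
            $start = [int64][math]::Floor((ConvertTo-IPv4Int $Matches[1]) / $size) * $size
            [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
        } elseif ($item -match '^([\d.]+)-([\d.]+)$') {               # explicit range
            [pscustomobject]@{ Start = (ConvertTo-IPv4Int $Matches[1]); End = (ConvertTo-IPv4Int $Matches[2]) }
        } else {                                                      # single address
            $v = ConvertTo-IPv4Int $item
            [pscustomobject]@{ Start = $v; End = $v }
        }
    }
}

# Parses "100-120, 200, 300-320" into Start/End port pairs.
function ConvertFrom-PortRangeList {
    param([string] $Spec)
    foreach ($item in ($Spec -split ',')) {
        $item = $item.Trim() -replace [string][char]0x2013, '-'
        if (-not $item) { continue }
        $parts = $item -split '-'
        $lo = [int]$parts[0]
        $hi = if ($parts.Count -gt 1) { [int]$parts[1] } else { $lo }
        [pscustomobject]@{ Start = $lo; End = $hi }
    }
}

function Test-InRanges {
    param([int64] $Value, $Ranges)
    foreach ($r in @($Ranges)) {
        if ($Value -ge $r.Start -and $Value -le $r.End) { return $true }
    }
    return $false
}

# One rule: each filter that is set must match; an unset filter matches anything.
function Test-VpnTrafficRule {
    param($Rule, $Flow)
    if ($Rule.IPAddress) {
        $ranges = ConvertFrom-AddressRangeList $Rule.IPAddress
        if (-not (Test-InRanges (ConvertTo-IPv4Int $Flow.RemoteIP) $ranges)) { return $false }
    }
    if ($null -ne $Rule.IPProtocol -and $Flow.Protocol -ne $Rule.IPProtocol) { return $false }
    if ($Rule.Ports) {
        if ($Flow.Protocol -notin @(6, 17)) { return $false }        # ports only apply to TCP/UDP
        if (-not (Test-InRanges $Flow.RemotePort (ConvertFrom-PortRangeList $Rule.Ports))) { return $false }
    }
    return $true
}

# The rule group: the flow goes over the VPN if ANY rule matches.
function Test-VpnTrafficRules {
    param($Rules, $Flow)
    foreach ($rule in @($Rules)) {
        if (Test-VpnTrafficRule $rule $Flow) { return $true }
    }
    return $false
}

$rules = @(
    @{ IPAddress = '10.0.0.0/8'; Ports = '100-120, 200, 300-320'; IPProtocol = 6 },   # intranet TCP services
    @{ IPAddress = '192.168.50.10-192.168.50.20'; IPProtocol = 17 }                    # UDP to a small server range
)
$flows = @(
    @{ RemoteIP = '10.1.2.3';      RemotePort = 110; Protocol = 6  },  # matches rule 1 -> VPN
    @{ RemoteIP = '10.1.2.3';      RemotePort = 443; Protocol = 6  },  # port outside rule 1 -> direct
    @{ RemoteIP = '192.168.50.15'; RemotePort = 53;  Protocol = 17 },  # matches rule 2 -> VPN
    @{ RemoteIP = '8.8.8.8';       RemotePort = 53;  Protocol = 17 }   # no rule matches -> direct
)
foreach ($f in $flows) {
    $path = if (Test-VpnTrafficRules $rules $f) { 'VPN' } else { 'direct' }
    '{0}:{1} proto {2} -> {3}' -f $f.RemoteIP, $f.RemotePort, $f.Protocol, $path
}
```

The second flow is the case to notice: it is inside the rule's address range and uses the right protocol, but because the Ports filter is also set and 443 is outside it, the AND rule drops it to the direct path. A rule with only an IP Address filter would have sent it over the VPN.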

Web Clips

A Web Clips Profile allows you to push URLs on to end-user devices for easy access to important Web sites.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.

  3. Select User Profile.

  4. Configure the profile General settings.

  5. Select the Web Clips profile.

  6. Configure the Web Clips settings, including:

    Settings Description
    Label Enter a description for the Web clip.
    URL Enter the target URL for the Web clip.
    Show in App Catalog Enable to show the Web clip in the app catalog.
  7. Select Save & Publish when you are finished to push the profile to devices.

Wi-Fi

Create a Wi-Fi profile through Workspace ONE UEM to connect your devices to hidden, encrypted, or password-protected corporate networks. Learn how Wi-Fi profiles are useful for end users who need access to multiple networks or for configuring devices to connect automatically to the appropriate wireless network.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.

  3. Select Device Profile.

  4. Configure the profile General settings.

  5. Select the Wi-Fi profile and configure the settings.

    Settings Descriptions
    Service Set Identifier Enter an identifier for the name (SSID) of the desired Wi-Fi network.

    The network SSID cannot contain spaces.
    Hidden Network Enable this option if the network uses a hidden SSID.
    Auto-Join Enable this option to set the device to join the network automatically.
    Security Type Use the drop-down menu to select the security type (for example, WPA2 Personal) for the Wi-Fi network.
    Encryption Use the drop-down menu to select the encryption type used. Displays based on the Security Type.
    Password Enter the password required to join the Wi-Fi network for networks with static passwords.

    Select the Show Characters check box to disable hidden characters within the text box. Displays based on the Security Type.
    Proxy Enable this option to configure proxy settings for the Wi-Fi connection.
    URL Enter the URL for the proxy.
    Port Enter the port for the proxy.
    Protocols Select the type of protocols to use:

    Certificate: PEAP-MsChapv2

    EAP-TTLS: Custom

    This section displays when the Security Type is set to WPA Enterprise or WPA2 Enterprise.
    Inner Identity Select the method of authentication through EAP-TTLS:

    Username/Password
    Certificate

    This section displays when the Protocols option is set to EAP-TTLS or PEAP-MsChapv2.
    Require Crypto Binding Enable this option to require cryptographic binding on both authentications. This menu item limits man-in-the-middle attacks.
    Use Windows Log On Credentials Enable this option to use the Windows login credentials as the user name and password to authenticate. Displays when Username/Password is set as the Inner Identity.
    Identity Certificate Select an Identity Certificate, which you can configure using the Credentials payload. Displays when Certificate is set as the Inner Identity.
    Trusted Certificates Select Add to add Trusted Certificates to the Wi-Fi profile.

    This section displays when the Security Type is set to WPA Enterprise or WPA2 Enterprise.
    Allow Trust Exceptions Enable to allow trust decisions to be made by the user through a dialog box.
  6. Select Save & Publish when you are finished to push the profile to devices.
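
Once the Wi-Fi profile has been pushed, the settings in the table above are recorded on the device as a WLAN profile that can be exported with netsh. The PowerShell below is an added example, not code from Workspace ONE UEM, that reads such an export and reports the fields a reviewer cares about: hidden SSID, the authentication and encryption pair, whether 802.1X is configured, and which EAP method it carries. The XML it parses is a constructed sample built to mirror a WPA2 Enterprise profile with PEAP (EAP method type 25); the field names follow Microsoft's WLAN profile schema, and the baseline it checks against (no open, shared, WPA or TKIP; known EAP methods only) is this example's own choice.

```powershell
# Added example, not from the Workspace ONE UEM documentation. Audits a Wi-Fi profile by
# reading its exported WLAN profile XML. On a real device export profiles with:
#   netsh wlan export profile name="CorpWiFi" folder=C:\Temp
# The sample below is constructed: a hidden WPA2 Enterprise SSID using PEAP (EAP type 25).
$SampleProfileXml = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig>
    <SSID><name>CorpWiFi</name></SSID>
    <nonBroadcast>true</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
'@

# Returns the security-relevant fields of one profile plus findings against a simple baseline.
function Test-WlanProfileSecurity {
    param([Parameter(Mandatory)] [xml] $ProfileXml)
    # local-name() sidesteps the several namespaces used inside a WLAN profile.
    $name = $ProfileXml.SelectSingleNode("/*[local-name()='WLANProfile']/*[local-name()='name']").InnerText
    $auth = $ProfileXml.WLANProfile.MSM.security.authEncryption
    $eapNode = $ProfileXml.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']")
    $eapType = if ($eapNode) { [int]$eapNode.InnerText } else { $null }
    $eapNames = @{ 13 = 'EAP-TLS'; 21 = 'EAP-TTLS'; 25 = 'PEAP' }   # IANA EAP method numbers
    $eapName  = if ($null -ne $eapType -and $eapNames.ContainsKey($eapType)) { $eapNames[$eapType] } else { $null }

    $findings = @()
    if ($auth.authentication -in @('open', 'shared', 'WPA', 'WPAPSK')) { $findings += "weak authentication: $($auth.authentication)" }
    if ($auth.encryption -in @('none', 'WEP', 'TKIP'))                 { $findings += "weak encryption: $($auth.encryption)" }
    if ($auth.authentication -eq 'WPA2' -and $auth.useOneX -ne 'true') { $findings += 'WPA2 Enterprise without an 802.1X configuration' }
    if ($null -ne $eapType -and -not $eapName)                         { $findings += "unexpected EAP method type $eapType" }

    [pscustomobject]@{
        Name           = $name
        HiddenSsid     = ($ProfileXml.WLANProfile.SSIDConfig.nonBroadcast -eq 'true')
        Authentication = $auth.authentication
        Encryption     = $auth.encryption
        Uses8021X      = ($auth.useOneX -eq 'true')
        EapMethod      = $eapName
        Findings       = $findings
        Passes         = ($findings.Count -eq 0)
    }
}

# The constructed sample passes; point the same function at exported files to audit a device:
#   Get-ChildItem C:\Temp\*.xml | ForEach-Object { Test-WlanProfileSecurity ([xml](Get-Content $_.FullName -Raw)) }
Test-WlanProfileSecurity -ProfileXml ([xml]$SampleProfileXml) | Format-List
```

The export does not include the pre-shared key unless netsh is asked for it, so the audit can run without handling the Wi-Fi password; the inner EAP settings (server validation, inner identity) live deeper in the EapHostConfig element and can be added to the same XPath approach when the baseline needs them.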

Windows Hello

Windows Hello provides a secure alternative to using passwords for security. The Windows Hello profile configures Windows Hello for Business for your Windows Desktop devices so end users can access your data without sending a password.

Protecting devices and accounts with only a user name and password creates potential security weaknesses. Users can forget a password or share it with non-employees, putting your corporate data at risk. Using Windows Hello, Windows 10 devices securely authenticate the user to applications, Web sites, and networks on the user's behalf without sending a password. The user does not need to remember passwords, and man-in-the-middle attacks are less likely to compromise your security.

Windows Hello requires users to verify possession of a Windows 10 device before it authenticates with either a PIN or Windows Hello biometric verification. After authentication through Windows Hello, the device gains instant access to Web sites, applications, and networks.

Important: Windows Hello for Business requires Azure AD integration to work.

Creating a Windows Hello Profile

Create a Windows Hello profile to configure Windows Hello for Business for your Windows Desktop devices so end users can access your applications, websites, and networks without entering a password.

Important: Windows Hello profiles only apply to devices enrolled through Azure AD integration.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.

  3. Select Device Profile.

  4. Configure the profile General settings.

  5. Select the Windows Hello profile and configure the settings:

    Settings Descriptions
    Biometric Gesture Enable to allow end users to use the device biometric readers.
    TPM Set to Require to disable Passport use without a Trusted Platform Module (TPM) installed on the device.
    Minimum PIN Length Enter the minimum number of digits a PIN must contain.
    Maximum PIN Length Enter the maximum number of digits a PIN can contain.
    Digits Set the permissions level for using digits in the PIN.
    Upper Case Letters Set the permissions level for using upper case letters in the PIN.
    Lower Case Letters Set the permissions level for using lower case letters in the PIN.
    Special Characters Set the permissions level for using special characters in the PIN.
    ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ { | } ~
  6. Select Save & Publish to push the profile to devices.

Windows Licensing

Configure a Windows Licensing profile to provide your Windows 10 devices with a Windows 10 Enterprise or Windows 10 Education license key. Use this profile to upgrade devices that do not come with Windows 10 Enterprise.

Important:

This upgrade cannot be reversed. If you publish this profile to BYOD devices, you cannot remove the licensing through MDM. Windows 10 can only upgrade following a specific upgrade path:

  • Windows 10 Enterprise to Windows 10 Education
  • Windows 10 Home to Windows 10 Education
  • Windows 10 Pro to Windows 10 Education
  • Windows 10 Pro to Windows 10 Enterprise

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.

  3. Select Device Profile.

  4. Configure the profile General settings.

  5. Select the Windows Licensing profile and configure the following settings:

    Settings Descriptions
    Windows Edition Select either Enterprise or Education edition.
    Please Enter valid License Key Enter the license key for the edition of Windows that you are using.
  6. Select Save & Publish to push the profile to devices.

Windows Updates

Create a Windows Updates profile to manage the Windows Updates settings for Windows Desktop devices. The profile ensures that all your devices are up-to-date, which improves device and network security.

To configure Windows Update advanced settings, use the Windows Device Manager.

Important: To see the OS version each update branch supports, see Microsoft's documentation on Windows 10 release information: https://technet.microsoft.com/en-us/windows/release-info.aspx.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.

  3. Select Device Profile.

  4. Configure the profile General settings.

  5. Select the Windows Updates profile.

  6. Configure the Windows Updates settings:

    Settings Descriptions
    Windows Update Source Select the source for Windows Updates:

    Microsoft Update Service – Select to use the default Microsoft Update Server.
    Corporate WSUS – Select to use a corporate server and enter the WSUS Server URL and WSUS Group. The device must contact the WSUS at least once for this setting to take effect.

    Selecting Corporate WSUS as a source allows your IT Admin to view updates installed and device status of devices in the WSUS Group.
    Update Branch Select the update branch to follow for updates.

    Semi-Annual Channel
    Windows Insider Branch - Slow
    Windows Insider Branch - Fast
    Release Windows Insider Build
    Insider Builds Allow the download of Windows Insider builds of Windows 10.
    Defer Feature Updates Period in Days Select the number of days to delay feature updates before installing the updates on the device.

    The maximum number of days you can defer an update changed in Windows 10 version 1703. Devices running a version before 1703 can only defer for 180 days. Devices running a version later than 1703 can defer up to 365 days.

    If you defer an update for longer than 180 days and push the profile to a device running Windows 10 before the 1703 update, the profile fails to install on the device.
    Pause Feature Updates Enable to pause all feature updates for 60 days or until disabled. This setting overrides the Defer Feature Updates Period in Days setting. Use this option to hold back an update that causes issues but that would otherwise install according to your deferral settings.
    Defer Quality Updates Period In Days Select the number of days to delay quality updates before installing the updates on the device.
    Pause Quality Updates Enable to pause all quality updates for 60 days or until disabled. This setting overrides the Defer Quality Updates Period in Days setting. Use this option to hold back an update that causes issues but that would otherwise install according to your deferral settings.
    Enable Settings for Previous Windows versions Select to enable deferral settings for previous versions of Windows. The settings include:

    Defer New Features (months)
    Defer New Updates (weeks)
    Pause Deferrals
    Automatic Updates Set how updates from the selected Update Branch are handled:

    Install updates automatically.
    Install Updates but let the user schedule the computer.
    Install updates automatically and restart at specified time.
    Install updates automatically and prevent user from modifying the control panel settings.
    Check for updates but let the user choose whether to download and install them.
    Never check for updates.
    Active Hours Maximum (Hours) Enter the maximum number of active hours that prevent the system from rebooting due to updates.
    Active Hours Start Time Enter the start time for active hours. Set the active hours to prevent the system from rebooting during these hours.
    Active Hours End Time Displays the end time for active hours. This time is determined by the Active Hours Start Time and the Active Hours Maximum.
    Auto Restart Deadlines Set the maximum number of days that can pass after installing a Quality or Feature Update before a system reboot is mandatory.
    Auto-Restart Notification (Minutes) Set the number of minutes before an auto-restart that a warning displays.
    Auto-Restart Required Notification Set how an auto-restart notification must be dismissed.

    Auto Dismissal - Automatically dismissed
    User Dismissal - Requires the user to close the notification.
    Engaged Restart Deadline Engaged Restarts allow you to manage when the device reboots after installing a Quality or Feature update during Active Hours. Use this option to set the number of days a user can engage a reboot before a reboot is automatically scheduled outside of active hours.
    Engaged Restart Snooze Schedule Enter the number of days a user can snooze an Engaged Restart. After the snooze period passes, a reboot time is scheduled outside active hours.
    Scheduled Auto-Restart Warning (Hours) Set the number of hours before a scheduled auto-restart to warn users.
    Scheduled Auto-Restart Warning (Minutes) Set the number of minutes before a scheduled auto-restart to warn users.
    Allow Public Updates Allow updates from the public Windows Update service. Not allowing this service can cause issues with the Microsoft Store.
    Allow Microsoft Updates Allow updates from Microsoft Update.
    Update Scan Frequency (Hours) Set the number of hours between scans for updates.
    Dual Scan Enable to use Windows Update as your primary update source while using Windows Server Update Services to provide all other content.
    Exclude Windows Update Drivers from Quality Updates Enable to prevent driver updates from automatically installing on devices during Quality Updates.
    Install Signed Updates from 3rd Party Entities Allow the installation of updates from approved third parties.
    Mobile Operator App Download Limit Select whether to ignore any Mobile Operator download limits for downloading apps and their updates over a cellular network.
    Mobile Operator Update Download Limit Select whether to ignore any Mobile Operator download limits for downloading OS updates over a cellular network.
    Require Update Approval Enable to require updates to have approval before downloading to the device.

    Enable to require that admins explicitly approve updates before they download to the device. This approval is either through Update Groups or individual update approval.

    This option requires you to accept any required EULA on behalf of your end users before the update pushes to devices. If a EULA must be accepted, a dialog box opens displaying the EULA. To approve updates, navigate to Lifecycle > Windows Updates.
    Auto-Approved Updates Enable this option to set update groups that are automatically approved for download on end-user devices. This option requires you to accept any required EULA on behalf of your end users before the update pushes to devices. If a EULA must be accepted, a dialog box opens displaying the EULA.

    When you enable this option, the update groups display so you can set which groups automatically update. Set these groups to Allowed to approve the updates for download to assigned devices automatically.

    Feature Updates
    Application
    Connectors
    Critical
    Definition
    Developer Kit
    Drivers
    Feature Pack
    Guidance
    Security
    Service Pack
    Tool Updates
    Update Rollups
    General
    Peer-to-Peer Updates Allow the use of peer-to-peer downloading of updates.
    Allowed Peer-to-Peer Method Select the method of peer-to-peer connection you want to allow.
    Limit Peer Usage to Member with the Same Group ID Limit peer-to-peer downloading to devices within the same organization group.
    VPN Peer Caching Enable to allow devices to participate in Peer Caching while connected to a VPN.
    Minimum Battery Required for Peer Uploads (%) Select the minimum battery charge percentage that a device must have before it can participate in peer-to-peer uploading.
    Maximum Allowed Cache Size Enter the maximum cache size that delivery optimization can use. This value is a percentage of disk size.
    Maximum cache size that delivery optimization can utilize (%) Enter the percentage of the cache that delivery optimization can use.
    Maximum time each file is held in the delivery optimization cache (seconds) Set the number of seconds a file is held in the delivery optimization cache before being pushed to devices.

    The optimization cache keeps updates available on other peers that the device can reach for quicker downloading of updates.
    Minimum Disk Size for Device to Use Peer Caching Enter the minimum disk size (in GB) that the device must have to use Peer Caching
    Minimum RAM for Device to Use Peer Caching Enter the minimum RAM size (in GB) that the device must have to use Peer Caching.
    Minimum Content File Size That Can Use Peer Caching Enter the minimum file size content must be to use Peer Caching.
    Drive Location Used for Peer Caching Enter the file location to use for Peer Caching.
    Maximum upload bandwidth that a device will use across all concurrent upload activity (KB/second) Enter the maximum upload bandwidth in KB/second that a device uses when sending updates to peers.
    Maximum Download Bandwidth that a Device Will Use (KB/second) Enter the maximum download bandwidth in KB/second that a device uses when downloading updates from peers.
    Maximum Download Bandwidth as a Percentage of Total Available (%) Enter the maximum download bandwidth percentage (of the total bandwidth available) used for downloading updates from Peer Caching.
    Minimum QoS for Background Downloads (KB/second) Enter the minimum quality of service (or speed) in KB/second for background downloads.
    Monthly Upload Data Cap (GB) Enter the maximum amount of data (in GB) that a device can upload per month.
  7. Select Save & Publish to push the profile to devices.
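
Two details in the table above are easy to get wrong from the console alone: the feature update deferral limit depends on the device's OS version (180 days before Windows 10 version 1703, 365 days from 1703, and a profile with a longer deferral fails to install on the older builds), and the Active Hours End Time is derived from the start time and the maximum range. The PowerShell below is an added example, not Workspace ONE UEM code, that reads back the Windows Update policies that actually reached a device and applies those two checks. It assumes MDM-delivered Policy CSP values are recorded under the PolicyManager registry key named in the script, with the value names matching the Update policy names; a value that is absent is reported as not set rather than guessed.

```powershell
# Added example, not from the Workspace ONE UEM documentation. Reads the Windows Update
# policies applied through MDM and checks deferral validity and the active hours window.
# Assumption: Policy CSP values land under the PolicyManager key below (missing = not set).
$UpdatePolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

# Windows 10 version 1703 is build 15063; earlier builds accept at most 180 days of deferral.
function Get-MaxFeatureDeferralDays {
    param([Parameter(Mandatory)] [int] $Build)
    if ($Build -ge 15063) { return 365 } else { return 180 }
}

# $true when the configured deferral is valid for the given build.
function Test-FeatureDeferral {
    param([int] $DeferDays, [int] $Build)
    return ($DeferDays -ge 0 -and $DeferDays -le (Get-MaxFeatureDeferralDays -Build $Build))
}

# Active Hours End is the start hour plus the maximum range, wrapping past midnight.
function Get-ActiveHoursEnd {
    param([int] $StartHour, [int] $MaxRange)
    return ($StartHour + $MaxRange) % 24
}

function Get-AppliedUpdatePolicy {
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
    $p = Get-ItemProperty -Path $UpdatePolicyKey -ErrorAction SilentlyContinue
    $names = 'UpdateServiceUrl', 'BranchReadinessLevel', 'DeferFeatureUpdatesPeriodInDays',
             'PauseFeatureUpdates', 'DeferQualityUpdatesPeriodInDays', 'PauseQualityUpdates',
             'AllowAutoUpdate', 'ActiveHoursStart', 'ActiveHoursMaxRange', 'RequireUpdateApproval'
    $result = [ordered]@{ Build = $build; Findings = @() }
    foreach ($n in $names) {
        $result[$n] = if ($p -and $null -ne $p.$n) { $p.$n } else { '(not set)' }
    }

    # Check 1: deferral longer than the build supports means the profile fails to install.
    $defer = $result['DeferFeatureUpdatesPeriodInDays']
    if ($defer -is [int] -and -not (Test-FeatureDeferral -DeferDays $defer -Build $build)) {
        $result['Findings'] += "feature update deferral of $defer days exceeds the limit for build $build"
    }
    # Check 2: the end of the no-reboot window, as the console derives it.
    if ($result['ActiveHoursStart'] -is [int] -and $result['ActiveHoursMaxRange'] -is [int]) {
        $result['ExpectedActiveHoursEnd'] = Get-ActiveHoursEnd -StartHour $result['ActiveHoursStart'] -MaxRange $result['ActiveHoursMaxRange']
    }
    # A Corporate WSUS reachable only over plain HTTP exposes update metadata in transit.
    if ($result['UpdateServiceUrl'] -is [string] -and $result['UpdateServiceUrl'] -like 'http://*') {
        $result['Findings'] += 'WSUS Server URL uses plain HTTP'
    }
    [pscustomobject]$result
}

Get-AppliedUpdatePolicy | Format-List
```

Test-FeatureDeferral can also be run on the console side before publishing: for a smart group that still contains pre-1703 devices, any value above 180 is the one the profile installation failure described above will come from.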

Device Updates for Windows Desktop

Workspace ONE UEM supports reviewing and approving OS and OEM updates for Windows 10 devices. The Device Updates page lists all updates available for Windows 10 devices enrolled in the selected organization group.

Navigation

Find the available Device Updates in Resources > Device Updates. This page lists updates for Windows and OEM Updates.

Windows Tab

From the Windows tab, you can approve updates and assign them to the specific smart groups that meet your business needs. This tab displays all updates with their published date, platform, classification, and assigned group. Only the updates available for the Windows 10 devices enrolled in the selected organization group (OG) display. If you do not have any Windows 10 devices enrolled in the OG, no updates display.

Selecting the update name displays a window with detailed information, a link to the Microsoft KB page for the update, and the status of the update installation.

This process requires that you publish a Windows Update profile to devices with Require Update Approval enabled.

The update installation status shows the deployment of the update across your devices. See the status of the update deployment by selecting the update in the list or selecting View in the Installed Status column.

Status Descriptions
Assigned The update is approved and assigned to the device.
Approved The approved update is successfully assigned to the device.
Available The update is available on the device for installation.
Pending Installation The installation is approved and available but not yet installed.
Pending Reboot Installation is paused until the device reboots.
Installed The update successfully installed.
Failed The update failed to install.

OEM Updates Tab

From this tab, you can see all OEM updates deployed to your Windows Desktop devices. You can order the list view by name, level, type, and device category. You can also filter the displayed updates with filters including audio drivers, chipset drivers, BIOS updates, and more.

See the installation status of the update deployment by selecting the update name.

Approve Windows Updates

Review and approve Windows updates for installation on your Windows 10 devices. This feature allows you to ensure your devices remain up-to-date while controlling the distribution of updates to meet your business needs.

You must publish a Windows Update profile with Require Update Approval enabled.

  1. Navigate to Resources > Device Updates > Windows.

  2. Select the check box on the left of the update.

    Selecting the check box displays the Assign menu item. You cannot access the assign feature if you do not select the check box.

  3. Select the Assign button.

  4. Enter the smart groups to which the update applies.

  5. Select Add.
