Matrix42 Self-Service Help Center

Windows 10 Mobile Profiles, Policies and Apps

This article has been moved from the Management Guide because Windows 10 Mobile is marked as deprecated by Microsoft and Matrix42 Silverback. Windows 10 Mobile will be removed from the Management Console entirely around Q2/2022.

Profile

Profiles for each device type are managed independently allowing separate configuration and management of profiles for each device type. When a device is provisioned, it will be provisioned with the profile configuration at the time the device was enrolled. When a profile change is made, new devices will receive the new configuration as well as devices that are currently managed and/or blocked. When any Profiles are changed, ensure the settings are correct as these will be applied immediately to all applicable devices. Please ensure you click on the Save or Save & Close button on the bottom right of the screen to commit your changes before selecting another page.

Exchange Active Sync

| Setting | Windows 10 Mobile | Description |
| --- | --- | --- |
| Exchange ActiveSync Settings | Enabled or Disabled | Enables Profile |
| Label | e.g. Imagoverum Exchange | The Label for the Email Account as it appears on the device. |
| Server Name | e.g. outlook.office365.com | External Exchange Active Sync address |
| Domain | e.g. Imagoverum | Internal Domain Suffix for the Exchange Server |
| Sync Interval | Sync on received, Manual, 15 minutes, 30 minutes, 60 minutes | E-Mail synchronization interval |
| Past Days of Mail to Sync | Unlimited, Three days, One Week, Two Weeks, One Month | Period of mail to synchronize to the device |
| Use SSL | Enabled or Disabled | If the URL for the External Mail Server is protected by an SSL Certificate then use SSL. |
| Use Custom Username Variable | e.g. {CustLdapVar0} or support@imagoverum.com | Define a Custom Variable Attribute for the Username for the EAS Profile. |
| Use Custom Email Variable | e.g. {CustLdapVar0} or tim.tober@imagoverum.com | Define a Custom Variable Attribute for the Email Address for the EAS Profile. |
| Use Custom Password Variable | e.g. {UserPassword} or Pa$$w0rd | Define a Custom Variable Attribute for the Email Password for the EAS Profile. |

Email

| Setting | Windows 10 Mobile | Description |
| --- | --- | --- |
| Email Settings | Enabled or Disabled | Enables Email Settings |
| Email Address | e.g. {UserEmail} or support@imagoverum.com | Defines Email Address of the Account |
| User Display Name | e.g. {UserName} or Tim Tober | Defines Display Name of the User for this Email Account |
| Account Description | e.g. Imagoverum Mail | Defines Friendly Name of this Email Account |
| Account Type | IMAP, POP | Toggles between IMAP and POP Account Types |
| Domain | e.g. Imagoverum | The Internal Domain Suffix for the Mail Server |
| Auth Name | e.g. Username | Username used when authenticating |
| Auth Password | Enable Embed User Password or e.g. Pa$$w0rd | Password used when authenticating |
| Mail Sync Days | Unlimited, One Week, Two Weeks, One Month | How far into the past mail will be synchronized |
| Sync Interval | Manual, 15 Minutes, 30 Minutes, 1 hour, 2 hours | How often the device checks for new mail items. |
| Incoming Mail | | |
| Incoming Mail Server | e.g. imap-mail.outlook.com or pop-mail.outlook.com | Server settings for the Incoming Mail Server |
| Use SSL | Enabled or Disabled | Enables the usage of SSL |
| Outgoing Mail | | |
| Outgoing Mail Server | e.g. imap-mail.outlook.com or pop-mail.outlook.com | Server settings for the Outgoing Mail Server |
| Requires Authentication | Enabled or Disabled | Can be enabled when the outgoing server requires authentication |
| Use SSL | Enabled or Disabled | Enables the usage of SSL |
| Alternative SMTP Settings | | |
| Enable Alternative SMTP | Enabled or Disabled | Enables alternative SMTP settings |
| Domain | e.g. Imagoverum | The Internal Domain Suffix for the Mail Server |
| Auth Name | e.g. Username | Username used when authenticating. |
| Password | Enable Embed User Password or e.g. Pa$$w0rd | Password used when authenticating |

Passcode

| Setting | Windows 10 Mobile | Description |
| --- | --- | --- |
| Passcode Settings | Enabled or Disabled | Enables Passcode Settings |
| Allow Simple | Enabled or Disabled | Permit the use of repeating, ascending or descending characters |
| Allow Convenience Login | Not available | Allows the usage of picture password as Login method |
| Complexity | Any Complexity, Numeric, Alpha Numeric | Character groups that are required to be used in the User’s passcode |
| Minimum Length | 4-18 | The smallest number of passcode characters allowed |
| Minimum Complex characters | 1-4 | Smallest number of non-alphanumeric characters allowed. If ‘Allow Simple’ is checked, then this configuration is disabled. |
| Maximum Passcode Age - 1-730 days or none | 1-730 or empty | How often passcode must be changed |
| Auto-lock (minutes) | e.g. 15 | Device automatically locks due to inactivity after this time period |
| Passcode history (1-50 passcodes, or none) | 1-50 or empty | Number of unique passcodes required before reuse |
| Maximum Failed Attempts | e.g. 10 | Number of passcode entry attempts allowed before the device is reset to factory settings |

Restrictions

| Setting | Windows 10 Mobile |
| --- | --- |
| Allow App Store | Enabled or Disabled |
| Allow Camera | Enabled or Disabled |
| Allow WiFi | Enabled or Disabled |
| Allow Bluetooth | Enabled or Disabled |
| Allow Storage Card | Enabled or Disabled |
| Force Storage Encryption | Enabled or Disabled |
| Allow Browser | Enabled or Disabled |
| Allow NFC | Enabled or Disabled |
| Allow Internet Sharing | Enabled or Disabled |
| Allow Auto Connect to WiFi Sense Hotspots | Enabled or Disabled |
| Allow WiFi HotSpot Reporting | Enabled or Disabled |
| Allow Manual WiFi Configuration | Enabled or Disabled |
| Allow VPN Over Cellular Connection | Enabled or Disabled |
| Allow VPN Roaming Over Cellular Connection | Enabled or Disabled |
| Allow the Device to Send Telemetry Information | Enabled or Disabled |
| Allow Microsoft Account for Non Email Related Services | Enabled or Disabled |
| Allow User to Add Non-Microsoft Accounts manually | Enabled or Disabled |
| Allow Manual Root and CA Certificate Installation | Enabled or Disabled |
| Allow Developer Unlock | Enabled or Disabled |
| Allow Location Service | Enabled or Disabled |
| Allow USB Connection | Enabled or Disabled |
| Allow Cellular Data Roaming | Enabled or Disabled |
| Allow Search to Use Location | Enabled or Disabled |
| Force Strict Safe Search Results | Enabled or Disabled |
| Allow Storing Images From Vision Search | Enabled or Disabled |
| Allow Save As Of Office Files | Enabled or Disabled |
| Allow Action Center Notifications | Enabled or Disabled |
| Allow Sync My Settings | Enabled or Disabled |
| Allow User to Reset Phone | Enabled or Disabled |
| Allow Manual MDM Unenrollment | Enabled or Disabled |
| Allow Screen Capture | Enabled or Disabled |
| Allow Cortana | Enabled or Disabled |
| Allow Sharing Of Office Files | Enabled or Disabled |
| Allow Copy Paste | Enabled or Disabled |
| Allow Voice Recording | Enabled or Disabled |

Virtual Private Network

General VPN settings for Windows 10 Mobile

| Setting | Values | Description |
| --- | --- | --- |
| VPN Settings | Enabled or Disabled | Enables and Disables VPN for the Tag |
| VPN Type | Juniper Junos Pulse, F5 Big-IP Edge Client, Checkpoint Mobile VPN, IKE v2 | Determines which VPN client will be used. |
| Profile Name | e.g. Imagoverum VPN | Name of the VPN Profile visible to the user on the device |
| Server Address | e.g. vpn.imagoverum.com | Network Address of the VPN Service |
| Primary DNS Suffix | e.g. imagoverum.com | Primary DNS Suffix for connection |

Juniper Junos Pulse

| Setting | Values | Description |
| --- | --- | --- |
| Authentication | EAP | Limited to EAP |
| Use Custom EAP Thumbprint | Enabled or Disabled | Allows the definition of a custom EAP thumbprint |
| Enable Proxy | Enabled or Disabled | Enable or disable a proxy for the VPN |
| Bypass Proxy for local addresses | Enabled or Disabled | If enabled, the device will not use the proxy for addresses local to the device’s network |
| Proxy Server | e.g. proxy.imagoverum.com | Address of the proxy server |
| Proxy Port | e.g. 8080 | The port the proxy server is listening on |
| Network Allowed List | e.g. 172.16.0.0/16 | CIDR ranges of IP Addresses that will be protected by the VPN connection. |
| Namespace Allowed List | e.g. *imagoverum.com | The list of domain zones protected by the VPN connection. |
| Dns Suffix Search List | e.g. imagoverum.com | The list of DNS suffixes to try for non-qualified server name resolution. Wild cards * are not accepted |

F5 Big-IP Edge Client

| Setting | Values | Description |
| --- | --- | --- |
| Prompt for credentials | Enabled or Disabled | Enables the prompt for credentials |
| Authentication | EAP | Limited to EAP |
| Use Custom EAP Thumbprint | Enabled or Disabled | Allows the definition of a custom EAP thumbprint |
| Enable Proxy | Enabled or Disabled | Enable or disable a proxy for the VPN |
| Bypass Proxy for local addresses | Enabled or Disabled | If enabled, the device will not use the proxy for addresses local to the device’s network |
| Proxy Server | e.g. proxy.imagoverum.com | Address of the proxy server |
| Application | Select | Select applications from the drop down list |
| Proxy Port | e.g. 8080 | The port the proxy server is listening on |
| Network Allowed List | e.g. 172.16.0.0/16 | CIDR ranges of IP Addresses that will be protected by the VPN connection. |
| Namespace Allowed List | e.g. *imagoverum.com | The list of domain zones protected by the VPN connection. |

Checkpoint Mobile VPN

| Setting | Values | Description |
| --- | --- | --- |
| Authentication | EAP | Limited to EAP |
| Use Custom EAP Thumbprint | Enabled or Disabled | Allows the definition of a custom EAP thumbprint |
| Enable Proxy | Enabled or Disabled | Enable or disable a proxy for the VPN |
| Bypass Proxy for local addresses | Enabled or Disabled | If enabled, the device will not use the proxy for addresses local to the device’s network |
| Proxy Server | e.g. proxy.imagoverum.com | Address of the proxy server |
| Proxy Port | e.g. 8080 | The port the proxy server is listening on |
| Network Allowed List | e.g. 172.16.0.0/16 | CIDR ranges of IP Addresses that will be protected by the VPN connection. |
| Namespace Allowed List | e.g. *imagoverum.com | The list of domain zones protected by the VPN connection. |
| Dns Suffix Search List | e.g. imagoverum.com | The list of DNS suffixes to try for non-qualified server name resolution. Wild cards * are not accepted |

IKE v2

| Setting | Values | Description |
| --- | --- | --- |
| Enable Proxy | Enabled or Disabled | Enable or disable a proxy for the VPN |
| Bypass Proxy for local addresses | Enabled or Disabled | If enabled, the device will not use the proxy for addresses local to the device’s network |
| Proxy Server | e.g. proxy.imagoverum.com | Address of the proxy server |
| Proxy Port | e.g. 8080 | The port the proxy server is listening on |
| Network Allowed List | e.g. 172.16.0.0/16 | CIDR ranges of IP Addresses that will be protected by the VPN connection. |
| Namespace Allowed List | e.g. *imagoverum.com | The list of domain zones protected by the VPN connection. |
| Dns Suffix Search List | e.g. imagoverum.com | The list of DNS suffixes to try for non-qualified server name resolution. Wild cards * are not accepted |

Private APN

If you have a Private Access Point Name (APN) for your SIM Cards, then Silverback has the ability to configure this for you on the managed devices.

| Setting | Windows 10 | Windows 10 Mobile | Description |
| --- | --- | --- | --- |
| Private APN Settings | not available | Enabled or Disabled | Enables the Private APN Feature on Selected Devices. |
| Name | not available | e.g. VFD2 Web | The name of the carrier access point |
| Username | not available | e.g. User | The username to connect to the access point |
| Password | not available | e.g. Pa$$w0rd | The password to connect to the access point |
| Server | not available | e.g. web.vodafone.com | The fully qualified address of the proxy server |
| Type | not available | IPv4v6, IPv4v6xlat, IPv6, IPv4 | APN Type |
| Auth Type | not available | None, PAP, CHAP, MSCHAPv2, Auto | APN Auth Type |

Wi-Fi 

Silverback has the ability to pre-populate multiple Wi-Fi settings on your devices, so the user does not need to know the password for these networks themselves.

  • Click New WiFi profile
| Setting | Windows 10 Mobile | Description |
| --- | --- | --- |
| Wi-Fi Settings | Enabled or Disabled | Enables the sending of Wi-Fi settings |
| SSID | e.g. Corporate Wi-Fi | Service Set Identifier of the wireless network |
| Security Type | WPA 2, WPA 2 Enterprise | Defines the used Wireless network security |
| Encryption Type | AES, TKIP | Defines the used Wireless network encryption |
| Hidden Network | Enabled or Disabled | Enable if the target network is not open or hidden |
| Automatically Join | Enabled or Disabled | The device will automatically join the Wi-Fi network |
| Password | e.g. Pa$$w0rd | Password for authenticating to the wireless network |
| Specify Trust (WPA 2 Enterprise only) | | |
| Use issuing CA Thumbprint | Enabled or Disabled | |
| Specify intermediate Trust | Upload Root Certificate, Upload Intermediate Certificates, Remove Intermediate Certificates | |
| Proxy (Windows 10 Mobile only) | | |
| Proxy PAC Url | e.g. http://proxy.imagoverum.de/proxy.pac | Defines the URL where the PAC file is located |
| Enabled Proxy | Enabled or Disabled | Defines the usage of proxy |
| Server | e.g. 192.168.0.254 | Defines the proxy server |
| Port | e.g. 8080 | Defines the used proxy port |

Certificate Trusts

For Windows 10 Mobile devices, arbitrary certificate trusts can be defined. These certificates will be deployed to the root or intermediate trust stores on the devices.

| Setting | Windows 10 Mobile | Description |
| --- | --- | --- |
| Certificate Settings | Enabled or Disabled | Enables Certificate Settings in this Tag |
| Add Root Certificate | Choose File | Select and Upload Root Certificate |
| Certificate Password | e.g. Pa$$w0rd | Defines Password for Root Certificate |
| Root Certificates | e.g. CN=Imagoverum Root, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE | Displays uploaded certificates details |
| Add Root Certificate | Choose File | Select and Upload Root Certificate |
| Certificate Password | e.g. Pa$$w0rd | Defines Password for Root Certificate |
| Intermediate Certificates | e.g. CN=Imagoverum Intermediate, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE | Displays uploaded certificates details |

Certificate

In this section you can distribute certificates to Windows 10 Mobile devices. Depending on your configured Certificate Deployment Method you will see different views and settings. 

Enterprise Certificate

| Setting | Windows 10 Mobile | Description |
| --- | --- | --- |
| Certificate Settings | Enabled or Disabled | Enables Certificate Settings in this Tag |
| New Certificate | Choose File | Use the Button to Upload your Enterprise Certificate |
| Certificate Password | e.g. Pa$$w0rd | Enter here the certificate password |

Individual Client

| Setting | Windows 10 Mobile | Description |
| --- | --- | --- |
| Certificate Settings | Enabled or Disabled | Enables Certificate Settings in this Tag |
| Template Name | e.g. Silverback User | Defines the Template created on the Certification Authority. Please refer to: Certification Authority Integration Guide for Certificate Based Authentication |
| Use Custom Subject Name Variable | e.g. u_{firstname}.{lastname} | Defines a custom subject name (Issued to) for requested certificates. Please refer to: Certification Authority Integration Guide for Certificate Based Authentication |
| Use Custom UPN SAN Variable | e.g. {UserName} | Defines a custom UPN SAN Variable (Principal Name) for requested certificates. Please refer to: Certification Authority Integration Guide for Certificate Based Authentication |
| Use Custom RFC 822 SAN Variable | e.g. {SerialNumber} | Defines a custom RFC822 Subject Alternative name. Please refer to: Certification Authority Integration Guide for Certificate Based Authentication |

App Portal

The Application portal is where devices can access Enterprise applications and recommended Third Party applications via a web clip icon. To enable access to the Application portal for end users and push the app portal web clip icon to devices, ensure the App Portal Enabled box is ticked.

| Setting | Windows 10 Mobile | Description |
| --- | --- | --- |
| App Portal | Enabled or Disabled | Enables and pushes the App Portal Icon to enrolled devices. |

To customize the App Portal navigate to Admin > App Portal  

Web Clips 

Silverback allows administrators to push down Internet shortcuts to their Managed Devices, giving users easy access to the websites the administrator wants.

  • Click New Web Clip
| Setting | Windows 10 Mobile | Description |
| --- | --- | --- |
| Web Clip Name | e.g. Matrix42 | Web Clip Display Name |
| Link | e.g. https://www.matrix42.com | Target URL for the Web Clip |
| Icon File | Choose File | Web Clip Display Icon. Supported File Type: *.png |

Policy 

With Policies, administrators can enforce rules with Silverback, ranging from which Apps are installed on the devices and which Cellular Networks the device is on through to enforcing the Serial Numbers of the devices as they are enrolled into the system. These are the environmental conditions that Silverback will continue to monitor for and ‘police’ for any devices that are associated with the Tag.

OS Version Compliance 

Administrators have the ability to control which OS versions are allowed within their environment. To allow an OS version, simply ensure the checkbox next to the respective OS version is ticked. Enrolling a device with a disabled OS version will result in the device automatically being blocked.

  • Alert Administrators: When the checkbox is checked, all administrators will receive an email when a device that violates OS compliance is detected, or when a new OS version is discovered.
  • Automatically Approve New OS Versions: When an OS platform is enrolled to Silverback for the first time, the OS is automatically added to the list. By default, unknown OS platforms are disabled and relevant devices will be blocked. To automatically authorize new OS versions as they are discovered, ensure the checkbox is ticked.

Use this feature where you do not want devices to be automatically blocked when a user upgrades their device to a new future OS version that is released by their software vendor.

Hardware Compliance 

Administrators have the ability to enforce a hardware compliance policy through Silverback. Simply uncheck the boxes for hardware types that should not be supported and any devices that match the hardware type and are managed by Silverback will be blocked. The list of hardware types is managed via the Device Types option in the Admin Tab of the Silverback Console. If a mapping from device type to hardware type exists, the hardware type will be displayed in the hardware compliance list. When a Device Manufacturer releases a new version of their hardware, the model numbers may not be known by Silverback. In this case Silverback will ‘learn’ them and store them as ‘Unknown’ in the Device Types section under the Admin Tab, where the Administrator can update them manually. To allow these devices into your system, enable the ‘Unknown’ checkbox option. This will allow the device into your Silverback Environment and you can later re-classify this device type in the Admin > Device Types section.

  • Alert Administrators: When the checkbox is checked, administrators will receive an email when a device that violates hardware compliance is detected.

Application Blacklist

Application Blacklist is available for Windows 10 Mobile. Because a very specific identifier needs to be provided to the device, the applications must be first added to the App Portal and then added to the blacklist. 

| Setting | Windows 10 Mobile | Description |
| --- | --- | --- |
| Enforce Application Blacklist | Enabled or Disabled | Enables and disables the Application Blacklist for this Tag |
| Save | Save the changes | Saves the changes you’ve made. |
| Assign More Apps | Add applications | Allows you to choose Apps to add to the list. This list of apps is based on the apps assigned in the App Portal tab. |

Lockdown 

The Lockdown screen allows you to determine what device compliance policies are enabled and what action should automatically occur when a violation is detected. Each policy is enabled/disabled through their associated checkbox. Enabling a lockdown policy ensures that the device is inspected to ensure it is compliant with that policy during the initial enrollment as well as at regular intervals as defined by the ‘Perform check every’ drop down.

Lockdown Actions

| Action | Description |
| --- | --- |
| No action | No action is performed on the device; however alerting administrators may be performed if configured. |
| Lock | A lock command is sent to the device which will lock the screen of the device. |
| Block | The device is blocked, and the device is moved to the blocked devices table. |
| Wipe | The device is hard reset to factory default settings. |
| Alert administrator | Emails are sent to all administrators notifying them of the policy violation when it is detected. |
| Exclude Home Network | Allows the Administrator to disable roaming alerts for devices roaming on Home Networks |

Lockdown Policies

| Policy | General | Windows 10 Mobile | Description |
| --- | --- | --- | --- |
| Enforce Application Whitelist | Enabled or Disabled | Block All, Block Non Microsoft, Block Non Microsoft and Facebook | Application Whitelist will ensure that each device has only applications approved by a system administrator installed |
| Enforce Hardware Authentication | Enabled or Disabled | No action, Lock, Block, Delete Business Data, Wipe | Hardware authentication can be enabled or disabled from this screen. See the hardware authentication for more information on this configuration. |
| Cost Control Settings | | | |
| Send Roaming Alerts | Enabled or Disabled | No actions available | Enabling this will send an alert to all Silverback Administrators when a device starts Roaming for any reason (Voice/Data). |
| Enforce Home Networks Policy | Enabled or Disabled | No action, Block, Wipe | Enables the ‘Home Networks’ policy, meaning Silverback Admins can specify what data networks are classed as ‘Home Networks’. |
| Home Networks | Add. Enforce Home Networks Policy will activate this grid | e.g. Imagoverum Wi-Fi | This grid is where Silverback Administrators can specify their ‘Home Networks’ |

Apps

The Apps Feature Section is how Administrators can automate the distribution of Device Apps for specific groups of users. Before you can begin assigning Apps to the Tag, you first need to have them uploaded into the Silverback App Portal. Once you have Apps in the Silverback App Portal, they can be distributed using the Apps Feature associated with your Tag.

App Types

Two different App Types are available for Windows devices:

| Type | Description |
| --- | --- |
| Enterprise | Applications owned by an Organization. Windows 10 Mobile with *appx file |
| Market | Applications from public Windows 10 Mobile Store |


Assign Apps 

Once Apps are uploaded into the Silverback App Portal Tab, they can be distributed to devices via a Tag they have been associated with.

  • Navigate to Apps
  • Click Assign More Apps
  • Select any applications from the shown Assign Applications page 
  • Click Add Selected Apps 

Overview

Already assigned applications are displayed in the Apps section of any Tag with the following columns: 

| Column | Description |
| --- | --- |
| Type | Displays the app type, either Enterprise or Market |
| Name | Displays the application name |
| Version | Displays the application version for Enterprise Apps |
| Description | Displays the application description given in App Portal |
| Remove | Removes the App from the Tag |

Content 

Content Management functionalities are not supported on Windows 10 Mobile 

App Portal

Add Windows 10 Mobile Application

  • Navigate to App Portal
  • Click Windows 10 Mobile
  • Click New Application

From here Administrators have the ability to choose the application type and configure the corresponding details:

Add Enterprise App

| Setting | Configuration | Description |
| --- | --- | --- |
| Name | e.g. Imagoverum Travel | The display name of the application being added. |
| Description | e.g. Imagoverum Travel will provide you information about your upcoming travels and helps you create your travel expense. | The description of the application to display. Will be displayed in App Portal in Silverback and on end users App Portal. |
| App File | Choose File | Upload your *.appx or *.xap file. |
| Icon | Choose File | The icon to display in the app portal. It must meet the following specifications: Dimensions: 114x114, Format: PNG. If no icon is specified, a default, blank icon will be used. |
| Visible in App Portal | Enabled or Disabled | Makes the App Visible to users in the Silverback App Portal. |
| Windows Phone App Management | | |
| Automatically push to managed devices | Enabled or Disabled | Silently installs the app on the device when it becomes managed. |
  • Click Save

Add Market App

| Setting | Configuration | Description |
| --- | --- | --- |
| App Identity | e.g. https://www.microsoft.com/en-us/p/an...t/9wzdncrdj8lh | The Unique String associated with the App from the Microsoft Store. |
| Name | e.g. AnyConnect | The display name of the application being added. |
| Description | e.g. AnyConnect provides reliable and easy-to-deploy encrypted network connectivity from devices by delivering persistent corporate access for users on the go. | The description of the application to display. Will be displayed in App Portal in Silverback and on end users App Portal. |
| Icon | Choose File | The icon to display in the app portal. It must meet the following specifications: Dimensions: 114x114, Format: PNG. If no icon is specified, a default, blank icon will be used. |
| Visible in App Portal | Enabled or Disabled | Makes the App Visible to users in the Silverback App Portal. |
  • Click Save 