Matrix42 Self-Service Help Center

Tags Guide Part IV: Windows 10, Windows 10 Mobile

Profile

Profiles for each device type are managed independently, allowing separate configuration and management of profiles for each device type. When a device is provisioned, it receives the profile configuration in effect at the time the device was enrolled. When a profile change is made, new devices will receive the new configuration, as will devices that are currently managed and/or blocked. Whenever a profile is changed, ensure the settings are correct, as they will be applied immediately to all applicable devices. Click the Save or Save & Close button at the bottom right of the screen to commit your changes before selecting another page.

Exchange Active Sync

Setting Windows 10 Mobile Windows 10 Description
Exchange ActiveSync Settings Enabled or Disabled Enabled or Disabled Enables Profile
Label e.g. Imagoverum Exchange e.g. Imagoverum Exchange or  e.g. {firstname} The Label for the Email Account as it appears on the device.
Server Name e.g. outlook.office365.com  e.g. outlook.office365.com  External Exchange Active Sync address 
Domain e.g. Imagoverum e.g. Imagoverum Internal Domain Suffix for the Exchange Server
Sync Interval
  • Sync on received
  • Manual
  • 15 minutes
  • 30 minutes
  • 60 Minutes 
  • Sync on received
  • Manual
  • 15 minutes
  • 30 minutes
  • 60 Minutes 
E-Mail synchronization interval
Past Days of Mail to Sync
  • Unlimited
  • Three days
  • One Week
  • Two Weeks
  • One Month
  • Sync on received
  • Manual
  • 15 minutes
  • 30 minutes
  • 60 Minutes 
Period of mail to synchronize to the device
Use SSL Enabled or Disabled Enabled or Disabled If the URL for the External Mail Server is protected by an SSL Certificate then use SSL.
Use Custom Username Variable e.g. {CustLdapVar0} or support@imagoverum.com e.g. {CustLdapVar0} or support@imagoverum.com Define a Custom Variable Attribute for the Username for the EAS Profile.
Use Custom Email Variable e.g. {CustLdapVar0} or tim.tober@imagoverum.com e.g. {CustLdapVar0} or tim.tober@imagoverum.com Define a Custom Variable Attribute for the Email Address for the EAS Profile.
Use Custom Password Variable e.g. {UserPassword} or Pa$$w0rd  e.g. {UserPassword} or Pa$$w0rd  Define a Custom Variable Attribute for the Email Password for the EAS Profile.

Email

Setting Windows 10 Mobile Windows 10 Description
Email Settings Enabled or Disabled not available Enables Email Settings
Email Address e.g. {UserEmail} or support@imagoverum.com not available Defines Email Address of the Account
User Display Name e.g. {UserName} or Tim Tober not available Defines Display Name of the User for this Email Account
Account Description e.g. Imagoverum Mail not available Defines Friendly Name of this Email Account
Account Type
  • IMAP
  • POP
not available Toggles between IMAP and POP Account Types
Domain e.g. Imagoverum not available The Internal Domain Suffix for the Mail Server
Auth Name e.g. Username not available Username used when authenticating
Auth Password Enable Embed User Password or e.g. Pa$$w0rd not available Password used when authenticating
Mail Sync Days
  • Unlimited
  • One Week
  • Two Weeks
  • One Month
not available How far back in the past mail will be synchronized
Sync Interval
  • Manual
  • 15 Minutes
  • 30 Minutes
  • 1 hour
  • 2 hours
not available How often the device checks for new mail items.
Incoming Mail
Incoming Mail Server e.g. imap-mail.outlook.com or pop-mail.outlook.com not available Server settings for the Incoming Mail Server
Use SSL Enabled or Disabled not available Enables the use of SSL
Outgoing Mail
Outgoing Mail Server e.g. imap-mail.outlook.com or pop-mail.outlook.com not available Server settings for the Outgoing Mail Server
Requires Authentication Enabled or Disabled not available Can be enabled when the outgoing server requires authentication
Use SSL Enabled or Disabled not available Enables the use of SSL
Alternative SMTP Settings
Enable Alternative SMTP Enabled or Disabled not available Enables alternative SMTP settings
Domain e.g. Imagoverum not available The Internal Domain Suffix for the Mail Server
Auth Name e.g. Username not available Username used when authenticating
Password Enable Embed User Password or e.g. Pa$$w0rd not available Password used when authenticating

Passcode

Setting Windows 10 Mobile Windows 10 Description
Passcode Settings Enabled or Disabled Enabled or Disabled Enables Passcode Settings
Allow Simple Enabled or Disabled Not available Permit the use of repeating, ascending or descending characters
Allow Convenience Login Not available Enabled or Disabled Allows the usage of picture password as Login method
Complexity
  • Any Complexity
  • Numeric
  • Alpha Numeric
not available Character groups that are required in the User’s passcode
Minimum Length 4-18 6-23 The smallest number of passcode characters allowed
Minimum Complex characters 1-4 3 Smallest number of non-alphanumeric characters allowed. If ‘Allow Simple’ is checked, then this configuration is disabled.
Maximum Passcode Age - 1-730 days or none 1-730 or empty Not available How often passcode must be changed
Auto-lock (minutes) e.g. 15 1-1200 Device automatically locks due to inactivity after this time period
Passcode history (1-50 passcodes, or none) 1-50 or empty not available Number of unique passcodes required before reuse
Maximum Failed Attempts e.g. 10 4-16 Number of passcode entry attempts allowed before the device is reset to factory settings

Restrictions

Windows 10 Restrictions

The restrictions are part of the Policy Configuration Service Provider from Microsoft.  

Setting Options
Above Lock Screen
Allow Cortana Above Lock Screen Enabled or Disabled
Allow Toasts Enabled or Disabled
Accounts
Allow User to Add Non-Microsoft Accounts Manually Enabled or Disabled
Allow Microsoft Account for Non Email Related Services Enabled or Disabled
Allow Microsoft Account Sign In Assistant Enabled or Disabled
Application Management
Allow App Store Auto Update Enabled or Disabled
Allow Windows Game Recording and Broadcasting Enabled or Disabled
Allow Shared User AppData Enabled or Disabled
Disable All Apps From Microsoft Store Enabled or Disabled
Allow User Control Over Installs Enabled or Disabled
Allow MSI Always Install With Elevated Privileges Enabled or Disabled
Only Display the Private Store Within the Microsoft Store Enabled or Disabled
Prevent Users' App Data From Being Stored on Non-System Volumes Enabled or Disabled
Disable Installing Windows Apps on Non-System Volumes Enabled or Disabled
Allow All Trusted Apps to Install
  • Not configured (default)
  • Explicit deny
  • Explicit allow unlock
Allow Developer Unlock
  • Not configured (default)
  • Explicit deny
  • Explicit allow unlock
Audit
Audit Account Lockout
  • Success (Default)
  • Off/None
  • Failure
  • Success+Failure
Audit Group Membership
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit IPsec Extended Mode
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit IPsec Main Mode
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit IPsec Quick Mode
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Logoff
  • Success (Default)
  • Off/None
  • Failure
  • Success+Failure
Audit Logon
  • Success (Default)
  • Off/None
  • Failure
  • Success+Failure
Audit Network Policy Server
  • Success+Failure (Default)
  • Off/None
  • Success
  • Failure
Audit Other Logon Logoff Events
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Special Logon
  • Success (Default)
  • Off/None
  • Failure
  • Success+Failure
Audit User Device Claims
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Credential Validation
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Kerberos Authentication Service
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Kerberos Service Ticket Operations
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Other Account Logon Events
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Application Group Management
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Computer Account Management
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Distribution Group Management
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Other Account Management Events
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Security Group Management
  • Success (Default)
  • Off/None
  • Failure
  • Success+Failure
Audit User Account Management
  • Success (Default)
  • Off/None
  • Failure
  • Success+Failure
Audit Detailed Directory Service Replication
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Directory Service Access
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Directory Service Changes
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Directory Service Replication
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit DPAPI Activity
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit PNP Activity
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Process Creation
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Process Termination
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit RPC Events
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Token Right Adjusted
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Application Generated
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Central Access Policy Staging
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Certification Services
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Detailed File Share
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit File Share
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit File System
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Filtering Platform Connection
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Filtering Platform Packet Drop
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Handle Manipulation
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Kernel Object
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Other Object Access Events
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Registry
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit SAM
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Authentication Policy Change
  • Success (Default)
  • Off/None
  • Failure
  • Success+Failure
Audit Authorization Policy Change
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Filtering Platform Policy Change
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit MPSSVC Rule Level Policy Change
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Other Policy Change Events
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Policy Change
  • Success (Default)
  • Off/None
  • Failure
  • Success+Failure
Audit Non Sensitive Privilege Use
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Other Privilege Use Events
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Sensitive Privilege Use
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit IPsec Driver
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit Other System Events
  • Success+Failure (Default)
  • Off/None
  • Success
  • Failure
Audit Security State Change
  • Success (Default)
  • Off/None
  • Failure
  • Success+Failure
Audit Security System Extension
  • Off/None (Default)
  • Success
  • Failure
  • Success+Failure
Audit System Integrity
  • Success+Failure (Default)
  • Off/None
  • Success
  • Failure
Authentication
Allow Azure AD Password Reset Enabled or Disabled
Allow EAP Cert SSO Enabled or Disabled
Allow Fast Reconnect Enabled or Disabled
Allow Companion Device for Secondary Authentication Enabled or Disabled
Allow Enable Fast First Sign In
  • None (Default)
  • Enabled
  • Disabled
Allow Enable Web Sign In
  • None (Default)
  • Enabled
  • Disabled
Bitlocker
Encryption Method
  • XTS-AES 128-bit (Default)
  • AES-CBC 128-bit
  • AES-CBC 256-bit
  • XTS-AES 256-bit
BITS
Set Default Download Behavior for Background Jobs on Costed Networks
  • Always transfer (Default)
  • Transfer unless roaming
  • Transfer unless surcharge applies
  • Transfer unless nearing limit
  • Transfer only if unconstrained 
Set Default Download Behavior for Foreground Jobs on Costed Networks
  • Always transfer (Default)
  • Transfer unless roaming
  • Transfer unless surcharge applies
  • Transfer unless nearing limit
  • Transfer only if unconstrained 
Bluetooth
Allow Advertising Enabled or Disabled
Allow Discoverable Mode Enabled or Disabled
Allow Prepairing Enabled or Disabled
Allow Prompted Proximal Connections Enabled or Disabled
Browser
Allow Address bar drop-down list suggestions Enabled or Disabled
Allow Browser Enabled or Disabled
Allow Configuration Updates for the Books Library Enabled or Disabled
Allow Developer Tools Enabled or Disabled
Allow Extensions Enabled or Disabled
Allow Adobe Flash Enabled or Disabled
Configure the Adobe Flash Click-to-Run Setting Enabled or Disabled
Allow FullScreen Mode Enabled or Disabled
Allow InPrivate Browsing Enabled or Disabled
Allow Microsoft Compatibility List Enabled or Disabled
Allow Microsoft Edge to Pre-Launch at Windows Startup Enabled or Disabled
Allow Printing Enabled or Disabled
Allow Saving History Enabled or Disabled
Allow Search Engine Customization Enabled or Disabled
Allow Sideloading of Extensions Enabled or Disabled
Allow Microsoft Edge to Start and Load the Start and New Tab Pages Enabled or Disabled
Allow Always Show the Books Library in Microsoft Edge Enabled or Disabled
Allow Clearing Browsing Data on Exit Enabled or Disabled
Configure Additional Search Engines Enabled or Disabled
Configure Kiosk Mode Enabled or Disabled
Disable Lockdown of Start Pages Enabled or Disabled
Allow Extended Telemetry for the Books Tab Enabled or Disabled
Configure the Enterprise Mode Site List Enabled or Disabled
Prevent Changes to Favorites on Microsoft Edge Enabled or Disabled
Prevent Access to the about:flags Page in Microsoft Edge Enabled or Disabled
Prevent Certificate Error Overrides Enabled or Disabled
Prevent the First Run Webpage From opening on Microsoft Edge Enabled or Disabled
Prevent Microsoft Edge From Gathering Live Tile Information Enabled or Disabled
Prevent Bypassing Windows Defender SmartScreen Prompts for Sites Enabled or Disabled
Prevent Bypassing Windows Defender SmartScreen Prompts for Files Enabled or Disabled
Prevent Using Localhost IP Address for WebRTC Enabled or Disabled
Send All Intranet Sites to IE 11 Enabled or Disabled
Allow Keep Favorites in Sync Between IE and Microsoft Edge Enabled or Disabled
Allow Unlock Home Button Enabled or Disabled
Allow a Shared Books Folder Enabled or Disabled
Configure Autofill
  • Allowed (Default)
  • Not allowed
Configure Favorites Bar
  • Hide bar (Default)
  • Show bar
Configure Home Button
  • Show home button and load the Start page (Default)
  • Show home button and load the New Tab page
  • Show home button and load the URL page
  • Hide home button
Configure Open Microsoft Edge With
  • Load specific page (Default)
  • Load start page
  • Load new page
  • Load previous pages
Configure Collection of Browsing Data for Microsoft 365 Analytics
  • No data (Default)
  • Send intranet
  • Send internet
  • Send both
Configure Do Not Track
  • Never send (Default)
  • Send
Configure Password Manager
  • Allowed (Default)
  • Not allowed
Configure Search Suggestions in Address Bar
  • Allowed (Default)
  • Not allowed
Set Default Search Engine
  • Specified for the Market (Default)
  • Specified for OpenSearchXML file
Show message when opening sites in IE
  • No additional message displayed (Default)
  • Show an additional message stating that a site has opened in IE11
  • Show an additional message with a "Keep going in Microsoft Edge" link
Configure Windows Defender SmartScreen
  • Turned on (Default)
  • Turned off
Allow Web Content on New Tab Page
  • Load new page (Default)
  • Load blank page
Configure Cookies
  • Allow all (Default)
  • Block all 
  • Block only
Configure Pop-up Blocker
  • Turn off blocker (Default)
  • Turn on blocker
Camera
Allow Camera Enabled or Disabled
Cellular
Let Apps Access Cellular Data
  • User is in control (Default)
  • Force allow
  • Force deny
Connectivity
Allow Bluetooth Enabled or Disabled
Allow Connected Devices Enabled or Disabled
Allow Phone PC Linking Enabled or Disabled
Allow VPN Over Cellular Enabled or Disabled
Allow VPN Roaming Over Cellular Enabled or Disabled
Allow Cellular Data
  • Allow (Default)
  • Not allow
  • Allow but user cannot turn it off
Allow Cellular Data Roaming
  • Allow (Default)
  • Not allow
  • Allow but user cannot turn it off
Control Policy Conflict
MDM Policy Is Used and the GP Policy Is Blocked Enabled or Disabled
Credential Providers
Disable the Visibility of the Credentials for Autopilot Reset Enabled or Disabled
Cryptography
Allow Fips Algorithm Policy Enabled or Disabled
Data Protection
Allow Direct Memory Access Enabled or Disabled
Defender
Allow Scan Archive Files Enabled or Disabled
Allow Turn On Behavior Monitoring Enabled or Disabled
Allow Join Microsoft MAPS Enabled or Disabled
Select Cloud Protection Level
  • Default (Default)
  • High
  • High+
  • Zero
Allow Turn On E-mail Scanning Enabled or Disabled
Allow Run Full Scan on Mapped Network Drives Enabled or Disabled
Allow Scan Removable Drives Enabled or Disabled
Allow Scan All Downloaded Files and Attachments Enabled or Disabled
Allow Intrusion Prevention System Enabled or Disabled
Allow Monitor File and Program Activity on Your Computer Enabled or Disabled
Allow Turn Off Real-Time Protection Enabled or Disabled
Allow Scan Network Files Enabled or Disabled
Allow Script Scanning Enabled or Disabled
Allow Enable Headless UI Mode Enabled or Disabled
Allow Check for the Latest Virus/Spyware Definitions Before Running a Scheduled Scan Enabled or Disabled
Allow Turn On Catch-up Full Scan Enabled or Disabled
Allow Turn On Catch-up Quick Scan Enabled or Disabled
Allow Configure Low CPU Priority for Scheduled Scans Enabled or Disabled
Configure Controlled Folder Access
  • Disabled (Default)
  • Enabled
  • Audit Mode
Prevent Users and Apps From Accessing Dangerous Websites
  • Disabled (Default)
  • Enabled (block mode)
  • Enabled (audit mode)
Configure PUA Protection
  • Off (Default)
  • On
  • Audit Mode
Configure Monitoring for Incoming/Outgoing File and Program Activity
  • All Files (Default)
  • Incoming Files
  • Outgoing Files
Specify the Scan Type to Use for a Scheduled Scan
  • Quick Scan (Default)
  • Full Scan
Specify the Time for a Daily Quick Scan From 12:00 AM to 11:00 PM
Specify the Day of the Week to Run a Scheduled Scan
  • Every Day (Default)
  • Sunday
  • Monday
  • Tuesday
  • Wednesday
  • Thursday
  • Friday
  • Saturday
Specify the Time of Day to Run a Scheduled Scan From 12:00 AM to 11:00 PM
Specify the Interval to Check for Definition Updates Check every 1 to 24 hours
Send File Samples When Further Analysis Is Required
  • Send safe samples automatically (Default)
  • Always prompt
  • Never send
  • Send all samples automatically
Delivery Optimization
Enable Peer Caching While the Device Connects Via VPN Enabled or Disabled
Absolute Max Cache Size (in GB) e.g. 10
Delay Background Download From Http (in secs) e.g. 0
Delay Background Download Cache Server Fallback (in secs) e.g. 0
Delay Foreground download Cache Server Fallback (in secs) e.g. 0
Delay Foreground Download From Http (in secs) e.g. 0
Download Mode
  • HTTP blended with peering behind the same NAT (Default)
  • HTTP only
  • HTTP blended with peering across a private group
  • HTTP blended with Internet peering
  • Simple download mode with no peering
  • Bypass mode
Select the Source of Group IDs
  • None (Default)
  • AD Site
  • Authenticated domain SID
  • DHCP user option
  • DNS suffix
Max Cache Age (in secs) e.g. 2592000
Max Cache Size (percentage) e.g. 20
Max Download Bandwidth (in KB/s) e.g. 0
Max Upload Bandwidth (in KB/s) e.g. 0
Min Background QoS (in KB/s) e.g. 500
Allow Uploads While the Device Is on Battery (percentage) e.g. 0
Min Disk Size Allowed to Use Peer Caching (in GB) e.g. 32
Min Peer Caching Content File Size (in MB) e.g. 100
Min RAM Capacity Required to Enable Use of Peer Caching (in GB) e.g. 4
Monthly Upload Data Cap (in GB) e.g. 20
Max Background Download Bandwidth (percentage) e.g. 0
Max Foreground Download Bandwidth (percentage) e.g. 0
Select a Method to Restrict Peer Selection
  • None (Default)
  • Subnet Mask
Device Guard
Configure the Launch of System Guard
  • Unmanaged (Default) 
  • Enables Secure Launch 
  • Disables Secure Launch
Turn On Virtualization Based Security
  • Disable (Default) 
  • Enable 
Turn On Credential Guard With Virtualization-Based Security
  • Disabled (Default) 
  • Enabled with lock
  • Enabled without lock
Configure Platform Security Features
  • Turn on VBS with Secure Boot (Default)
  • Turn on VBS with Secure Boot and DMA 
Device Health Monitoring
Allow Device Health Monitoring Enabled or Disabled
Device Lock
Enabled Device Password Enabled or Disabled
Allow Simple Device Password Enabled or Disabled
Alphanumeric Device Password Required
  • Password/Numeric/Alphanumeric PIN required (Default)
  • Password/Alphanumeric PIN required
  • Password/Numeric PIN required
Device Password Expiration (in days) e.g. 0
Device Password History e.g. 0
Max Device Password Failed Attempts e.g. 0
Max Inactivity Time Device Lock e.g. 0
Min Device Password Complex Characters
  • Digits only (Default)
  • Digits/lowercase letters
  • Digits/lowercase/uppercase letters
Min Device Password Length e.g. 4
Min Password Age (in days) e.g. 1
Display
Configure Per-Process System DPI Settings Enabled or Disabled
DMI Guard
Enumeration Policy for External Devices Incompatible With Kernel DMA Protection
  • Only after log in/screen unlock (Default)
  • Block All
  • Show All
Experience
Allow Cortana Enabled or Disabled
Allow Manual MDM Unenrollment Enabled or Disabled
Allow Sync My Settings Enabled or Disabled
Security
Allow Add Provisioning Package Enabled or Disabled
Allow Remove Provisioning Package Enabled or Disabled
Prevent Automatic Device Encryption For Azure AD Joined Devices Enabled or Disabled
Require Device Encryption Enabled or Disabled
Require Provisioning Package Signature Enabled or Disabled
Require Retrieve Health Certificate On Boot Enabled or Disabled
Configure The System To Clear The TPM If It Is Not In a Ready State
  • Will not force recovery from TPM (default)
  • Will prompt to clear TPM
Configure Windows Passwords
  • Default (Default)
  • Disallow Passwords
  • Allow Passwords
Recovery Environment Authentication
  • Default (Default)
  • Require Authentication
  • No Required Authentication
Settings
Allow Auto Play Enabled or Disabled
Allow Data Sense Enabled or Disabled
Allow Date Time Enabled or Disabled
Allow Language Enabled or Disabled
Allow Online Tips Enabled or Disabled
Allow Power Sleep Enabled or Disabled
Allow Region Enabled or Disabled
Allow Sign In Options Enabled or Disabled
Allow VPN Enabled or Disabled
Allow Workplace Enabled or Disabled
Allow Your Account Enabled or Disabled
Show additional Calendar
  • Allowed (Default)
  • Don't show additional calendars
  • Simplified Chinese (Lunar)
  • Traditional Chinese (Lunar)
WiFi
Allow Auto Connect to WiFi Sense Hotspots Enabled or Disabled
Allow Manual WiFi Configuration Enabled or Disabled
Allow WiFi Enabled or Disabled
Allow WiFi Direct Enabled or Disabled
WLAN Scan Mode From 0 to 500

Windows 10 Mobile Restrictions 

Setting Windows 10 Mobile
Allow App Store Enabled or Disabled
Allow Camera Enabled or Disabled
Allow WiFi Enabled or Disabled
Allow Bluetooth Enabled or Disabled
Allow Storage Card Enabled or Disabled
Force Storage Encryption Enabled or Disabled
Allow Browser Enabled or Disabled
Allow NFC Enabled or Disabled
Allow Internet Sharing Enabled or Disabled
Allow Auto Connect to WiFi Sense Hotspots Enabled or Disabled
Allow WiFi HotSpot Reporting Enabled or Disabled
Allow Manual WiFi Configuration Enabled or Disabled
Allow VPN Over Cellular Connection Enabled or Disabled
Allow VPN Roaming Over Cellular Connection Enabled or Disabled
Allow the Device to Send Telemetry Information Enabled or Disabled
Allow Microsoft Account for Non Email Related Services Enabled or Disabled
Allow User to Add Non-Microsoft Accounts manually Enabled or Disabled
Allow Manual Root and CA Certificate Installation Enabled or Disabled
Allow Developer Unlock Enabled or Disabled
Allow Location Service Enabled or Disabled
Allow USB Connection Enabled or Disabled
Allow Cellular Data Roaming Enabled or Disabled
Allow Search to Use Location Enabled or Disabled
Force Strict Safe Search Results Enabled or Disabled
Allow Storing Images From Vision Search Enabled or Disabled
Allow Save As Of Office Files Enabled or Disabled
Allow Action Center Notifications Enabled or Disabled
Allow Sync My Settings Enabled or Disabled
Allow User to Reset Phone Enabled or Disabled
Allow Manual MDM Unenrollment Enabled or Disabled
Allow Screen Capture Enabled or Disabled
Allow Cortana Enabled or Disabled
Allow Sharing Of Office Files Enabled or Disabled
Allow Copy Paste Enabled or Disabled
Allow Voice Recording Enabled or Disabled

VPN

For convenience, the VPN section is divided into Windows 10 Mobile and Windows 10.

Windows 10 Mobile

General VPN settings for Windows 10 Mobile

Setting Values Description
VPN Settings Enabled or Disabled Enables and Disables VPN for the Tag
VPN Type
  • Juniper Junos Pulse
  • F5 Big-IP Edge Client
  • Checkpoint Mobile VPN
  • IKE v2
Determines which VPN client will be used.
Profile Name e.g. Imagoverum VPN Name of the VPN Profile visible to the user on the device
Server Address e.g. vpn.imagoverum.com Network Address of the VPN Service
Primary DNS Suffix e.g.  imagoverum.com Primary DNS Suffix for connection
Juniper Junos Pulse
Setting Values Description
Authentication EAP Limited to EAP
Use Custom EAP Thumbprint Enabled or Disabled Allows the definition of a custom EAP thumbprint
Enable Proxy Enabled or Disabled Enable or disable a proxy for the VPN
Bypass Proxy for local addresses Enabled or Disabled If enabled, the device will not use the proxy for addresses local to the device’s network
Proxy Server e.g. proxy.imagoverum.com Address of the proxy server
Proxy Port e.g. 8080 The port the proxy server is listening on
Network Allowed List e.g. 172.16.0.0/16 CIDR ranges of IP Addresses that will be protected by the VPN connection.
Namespace Allowed List  e.g. *imagoverum.com The list of domain zones protected by the VPN connection.
DNS Suffix Search List e.g. imagoverum.com The list of DNS suffixes to try for non-qualified server name resolution. Wildcards (*) are not accepted.
F5 Big-IP Edge Client
Setting Values Description
Prompt for credentials Enabled or Disabled Enables the prompt for credentials
Authentication EAP Limited to EAP
Use Custom EAP Thumbprint Enabled or Disabled Allows the definition of a custom EAP thumbprint
Enable Proxy Enabled or Disabled Enable or disable a proxy for the VPN
Bypass Proxy for local addresses Enabled or Disabled If enabled, the device will not use the proxy for addresses local to the device’s network
Proxy Server e.g. proxy.imagoverum.com Address of the proxy server
Application Select Select applications from the drop down list
Proxy Port e.g. 8080 The port the proxy server is listening on
Network Allowed List e.g. 172.16.0.0/16 CIDR ranges of IP Addresses that will be protected by the VPN connection.
Namespace Allowed List  e.g. *imagoverum.com The list of domain zones protected by the VPN connection.
Checkpoint Mobile VPN
Setting Values Description
Authentication EAP Limited to EAP
Use Custom EAP Thumbprint Enabled or Disabled Allows the definition of a custom EAP thumbprint
Enable Proxy Enabled or Disabled Enable or disable a proxy for the VPN
Bypass Proxy for local addresses Enabled or Disabled If enabled, the device will not use the proxy for addresses local to the device’s network
Proxy Server e.g. proxy.imagoverum.com Address of the proxy server
Proxy Port e.g. 8080 The port the proxy server is listening on
Network Allowed List e.g. 172.16.0.0/16 CIDR ranges of IP Addresses that will be protected by the VPN connection.
Namespace Allowed List  e.g. *imagoverum.com The list of domain zones protected by the VPN connection.
DNS Suffix Search List e.g. imagoverum.com The list of DNS suffixes to try for non-qualified server name resolution. Wildcards (*) are not accepted.
IKE v2
Setting Values Description
Enable Proxy Enabled or Disabled Enable or disable a proxy for the VPN
Bypass Proxy for local addresses Enabled or Disabled If enabled, the device will not use the proxy for addresses local to the device’s network
Proxy Server e.g. proxy.imagoverum.com Address of the proxy server
Proxy Port e.g. 8080 The port the proxy server is listening on
Network Allowed List e.g. 172.16.0.0/16 CIDR ranges of IP Addresses that will be protected by the VPN connection.
Namespace Allowed List  e.g. *imagoverum.com The list of domain zones protected by the VPN connection.
DNS Suffix Search List e.g. imagoverum.com The list of DNS suffixes to try for non-qualified server name resolution. Wildcards (*) are not accepted.

Windows 10  

Setting Values
VPN Provider Windows (built-in)
Connection Name e.g. Imagoverum VPN
Server name or address e.g. vpn.imagoverum.com
VPN Type
  • Automatic
  • Point to Point Tunneling Protocol (PPTP)
  • L2TP/IPsec with certificate
  • L2TP/IPsec with pre-shared key
  • Secure Socket Tunneling Protocol (SSTP)
  • IKEv2
Pre-Shared Key: e.g. Pa$$w0rd

Private APN

If you have a Private Access Point Name (APN) for your SIM Cards, then Silverback has the ability to configure this for you on the managed devices.

Setting Windows 10 Mobile Windows 10 Description
Private APN Settings Enabled or Disabled not available Enables the Private APN Feature on Selected Devices.
Name e.g. VFD2 Web not available The name of the carrier access point
Username e.g. User not available The username to connect to the access point
Password e.g. Pa$$w0rd not available The password to connect to the access point
Server e.g. web.vodafone.com not available The fully qualified address of the proxy server
Type
  • IPv4v6
  • IPv4v6xlat
  • IPv6
  • IPv4
not available APN Type
Auth Type
  • None
  • PAP
  • CHAP
  • MSCHAPv2
  • Auto
not available APN Auth Type

Wi-Fi 

Silverback has the ability to pre-populate multiple Wi-Fi settings on your devices, so the user does not need to know the password for these networks themselves.

  • Click New WiFi profile
Setting Windows 10 Mobile Windows 10 Description
Wi-Fi Settings Enabled or Disabled Enabled or Disabled Enables the sending of Wi-Fi settings
SSID e.g. Corporate Wi-Fi e.g. Corporate Wi-Fi Service Set Identifier of the wireless network
Security Type
  • WPA 2
  • WPA 2 Enterprise
  • None
  • WEP
  • WPA 2
  • WPA 2 Enterprise
Defines the wireless network security type used
Encryption Type
  • AES
  • TKIP
  • AES
  • TKIP
Defines the encryption type used by the wireless network
Hidden Network Enabled or Disabled Enabled or Disabled Enable if the target network is not open or hidden
Automatically Join Enabled or Disabled Enabled or Disabled The device will automatically join the Wi-Fi network
Password e.g. Pa$$w0rd e.g. Pa$$w0rd Password for authenticating to the wireless network
Specify Trust (WPA 2 Enterprise only)
Use issuing CA Thumbprint Enabled or Disabled Enabled or Disabled  
Specify intermediate Trust
  • Upload Root Certificate
  • Upload Intermediate Certificates
  • Remove Intermediate Certificates
  • Upload Root Certificate
  • Upload Intermediate Certificates
  • Remove Intermediate Certificates
 
Proxy (Windows 10 Mobile only)
Proxy PAC Url e.g. http://proxy.imagoverum.de/proxy.pac not available Defines the URL where the PAC file is located
Enabled Proxy Enabled or Disabled not available Defines the usage of proxy
Server e.g. 192.168.0.254 not available Defines the proxy server
Port e.g. 8080 not available Defines the used proxy port

Wallpaper

Wallpapers for the Lock Screen and Home Screen are available for Windows 10 Enterprise devices. After the settings are applied, the device needs a reboot before the wallpaper setting takes effect. Supported file types are *.jpg, *.jpeg and *.png.

Setting Windows 10 Mobile Windows 10 Description
Lock Screen URL enabled not available Enabled or Disabled Enables the wallpaper for Lock Screen
Lock Screen URL not available e.g. https://imagoverum.com/Lockscreen.png Defines the URL where the wallpaper file is located
Home Screen URL enabled not available Enabled or Disabled Enables the wallpaper for Home Screen
Home Screen URL not available e.g. https://imagoverum.com/Wallpaper.png Defines the URL where the wallpaper file is located

Bitlocker

BitLocker Drive Encryption is a built-in data protection solution on Windows 10 that addresses the threat of data theft. BitLocker provides its best protection when used in combination with a Trusted Platform Module (TPM) version 1.2 or later. The Trusted Platform Module is a hardware component included in many newer computers. In combination with BitLocker, it helps to protect user data and ensures that a computer has not been manipulated while the system was offline. In a nutshell, BitLocker will encrypt the Windows operating system drive.

Setting Windows 10 Mobile Windows 10 Description
Require Device Encryption not available Enabled or Disabled Forces a device encryption

This feature is available for Windows Enterprise and Education. 

Certificate

Windows Hello

Windows Hello is a biometric framework built into Windows 10 that uses facial recognition, fingerprint identification, or iris scans as login methods.  Windows Hello is closely related to Microsoft Passport, which is responsible for the underlying encryption and authentication mechanism and helps to secure the communications and identities. 

Setting Windows 10 Mobile Windows 10 Description
Windows Hello Settings not available Enabled or Disabled Activates Windows Hello Settings
Require Security Device not available Enabled or Disabled Defines whether a Trusted Platform Module (TPM) is required. If set to Disabled, the preferred mode is used: devices attempt to use a TPM and, if none is available, provision using software.
Minimum PIN Length not available 4-127 Defines the Minimum PIN length 
Maximum PIN Length not available 8-127 Defines the Maximum PIN length
Upper Case Letters not available Allow, Require or Not allow  Define if Upper Case Letters are allowed, mandatory or prohibited
Lower Case Letters not available Allow, Require or Not allow  Define if Lower Case Letters are allowed, mandatory or prohibited
Special Characters not available Allow, Require or Not allow  Define if Special Characters are allowed, mandatory or prohibited
Digits not available Allow, Require or Not allow  Define if Digits are allowed, mandatory or prohibited
History not available 0-50 Defines how many previous PINs cannot be reused. The default value is 0, which means History is not activated.
Expiration not available 0-730 Defines the period after which users are forced to change the PIN. If set to 0, the PIN will never expire.
Use Remote Passport not available Enabled or Disabled Allows a portable, registered device to be used as a companion device for desktop authentication
Use Biometrics not available Enabled or Disabled Enable or disable the use of biometric gestures, such as facial recognition, fingerprint identification, or iris scan
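
The PIN settings in the table above constrain each other, so a tag can be saved with values that are individually plausible but contradictory. The following Python check is an added example, not Silverback or Matrix42 code: it validates a proposed PIN policy against the ranges listed in the table and tests candidate PINs against it. The dictionary keys, the treatment of "special characters" as ASCII punctuation, and the plaintext history list are assumptions made for illustration.

```python
import string

# Ranges as listed in the Windows Hello settings table.
RANGES = {"min_length": (4, 127), "max_length": (8, 127),
          "history": (0, 50), "expiration": (0, 730)}
# Character classes; treating "special" as ASCII punctuation is an assumption.
CLASSES = {"upper": string.ascii_uppercase, "lower": string.ascii_lowercase,
           "digits": string.digits, "special": string.punctuation}
RULES = ("Allow", "Require", "Not allow")

# Constructed sample policies with hypothetical key names (not a Silverback export).
GOOD = {"min_length": 6, "max_length": 12, "history": 3, "expiration": 90,
        "upper": "Allow", "lower": "Allow", "digits": "Require",
        "special": "Not allow"}
BAD = dict(GOOD, min_length=10, max_length=8, history=60)


def check_policy(policy):
    """Return a list of problems in a proposed PIN policy (empty = consistent)."""
    problems = []
    for key, (low, high) in RANGES.items():
        if not low <= policy[key] <= high:
            problems.append(f"{key}={policy[key]} outside {low}-{high}")
    if policy["min_length"] > policy["max_length"]:
        problems.append("min_length exceeds max_length")
    for name in CLASSES:
        if policy[name] not in RULES:
            problems.append(f"{name}: unknown rule {policy[name]!r}")
    if all(policy[name] == "Not allow" for name in CLASSES):
        problems.append("every character class is prohibited")
    return problems


def check_pin(pin, policy, previous=()):
    """Return the reasons a candidate PIN violates the policy (empty = accepted)."""
    reasons = []
    if not policy["min_length"] <= len(pin) <= policy["max_length"]:
        reasons.append("length")
    for name, chars in CLASSES.items():
        present = any(c in chars for c in pin)
        if policy[name] == "Require" and not present:
            reasons.append(f"missing {name}")
        if policy[name] == "Not allow" and present:
            reasons.append(f"contains {name}")
    # History N blocks reuse of the last N PINs; 0 means History is not activated.
    recent = list(previous)[-policy["history"]:] if policy["history"] else []
    if pin in recent:
        reasons.append("reused")
    return reasons
```

Running `check_policy` on a tag's values before saving catches combinations such as a minimum length above the maximum, which each field's own range check would accept.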

App Portal

The Application portal is where devices can access Enterprise applications and recommended Third Party applications via a web clip icon. To enable access to the Application portal for end users and push the app portal web clip icon to devices, ensure the App Portal Enabled box is ticked.

Setting Windows 10 Mobile Windows 10  Description
App Portal   Enabled or Disabled   Not available   Enables and pushes the App Portal Icon to enrolled devices.

To customize the App Portal navigate to Admin > App Portal  

Certificate Trusts

For Windows 10 Mobile and Windows 10 devices, arbitrary certificate trusts can be defined. These certificates will be deployed to the root or intermediate trust stores on the devices.

Setting Windows 10 Mobile Windows 10 Description
Certificate Settings   Enabled or Disabled Enabled or Disabled Enables Certificate Settings in this Tag
Add Root Certificate Choose File Choose File Select and Upload Root Certificate
Certificate Password e.g. Pa$$w0rd e.g. Pa$$w0rd Defines Password for Root Certificate
Root Certificates e.g. CN=Imagoverum Root, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE e.g. CN=Imagoverum Root, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE Displays uploaded certificates details
Add Root Certificate Choose File Choose File Select and Upload Root Certificate
Certificate Password e.g. Pa$$w0rd e.g. Pa$$w0rd Defines Password for Root Certificate
Intermediate Certificates e.g. CN=Imagoverum Intermediate, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE e.g. CN=Imagoverum Intermediate, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE Displays uploaded certificates details

Web Clips 

Silverback allows administrators to push down Internet shortcuts to their Managed Devices, giving users easy access to the websites the administrator wants.

  • Click New Web Clip
Setting Windows 10 Mobile Windows 10 Description
Web Clip Name   e.g. Matrix42 not available Web Clip Display Name 
Link e.g. https://www.matrix42.com not available Target URL for the Web Clip
Icon File Choose File not available Web Clip Display Icon.  Support File Type: *.png

Policy 

With Policies, Administrators can enforce rules through Silverback, ranging from which Apps are installed on the devices and which Cellular Networks the device is on, through to the Serial Numbers of the devices as they are enrolled into the system. These are the environmental conditions that Silverback will continue to monitor and ‘police’ for any devices that are associated with the Tag.

OS Version Compliance 

Administrators have the ability to control which OS versions are allowed within their environment. To allow an OS version, simply ensure the checkbox next to the respective OS version is ticked. Enrolling a device with a disabled OS version will result in the device automatically being blocked.

  • Alert Administrators: When the checkbox is checked, all administrators will receive an email when a device that violates OS compliance is detected, or when a new OS version is discovered.
  • Automatically Approve New OS Versions: When an OS platform is enrolled to Silverback for the first time, the OS is automatically added to the list. By default, unknown OS platforms are disabled and relevant devices will be blocked. To automatically authorize new OS versions as they are discovered, ensure the checkbox is ticked.

Use this feature where you do not want devices to be automatically blocked when a user upgrades their device to a new future OS version that is released by their software vendor.

Hardware Compliance 

Administrators have the ability to enforce a hardware compliance policy through Silverback. Simply uncheck the boxes for hardware types that should not be supported, and any devices that match the hardware type and are managed by Silverback will be blocked. The list of hardware types is managed via the Device Types option in the Admin Tab of the Silverback Console. If a mapping from device type to hardware type exists, the hardware type will be displayed in the hardware compliance list. When a Device Manufacturer releases a new version of their hardware, the model numbers may not be known by Silverback. In this case, Silverback will ‘learn’ them and store them as ‘Unknown’ in the Device Types section under the Admin Tab, where the Administrator can update them manually. To allow these devices into your system, enable the ‘Unknown’ checkbox option. This will allow the device into your Silverback Environment, and you can later re-classify this device type in the Admin > Device Types section.

  • Alert Administrators: When the checkbox is checked, administrators receive an email when a device that violates hardware compliance is detected.

Application Blacklist

Application Blacklist is available for Windows 10 Mobile. Because a very specific identifier needs to be provided to the device, the applications must be first added to the App Portal and then added to the blacklist. 

Setting Windows 10 Mobile Windows 10 Description
Enforce Application Blacklist   Enabled or Disabled not available Enables and disables the Application Blacklist for this Tag
Save Save the changes not available Saves the changes you’ve made.
Assign More Apps Add applications not available Allows you to choose Apps to add to the list. This list of apps is based on the apps assigned in the App Portal tab.

Lockdown 

The Lockdown screen allows you to determine what device compliance policies are enabled and what action should automatically occur when a violation is detected. Each policy is enabled or disabled through its associated checkbox. When a lockdown policy is enabled, the device is inspected for compliance with that policy during the initial enrollment as well as at regular intervals as defined by the ‘Perform check every’ drop down.

Lockdown Actions

Action Description
No action No action is performed on the device; however alerting administrators may be performed if configured.
Lock A lock command is sent to the device which will lock the screen of the device. 
Block The device is blocked, and the device is moved to the blocked devices table. 
Wipe The device is hard reset to factory default settings.
Alert administrator Emails are sent to all administrators notifying them of the policy violation when it is detected. 
Exclude Home Network Allows the Administrator to disable roaming alerts for devices roaming on Home Networks

Lockdown Policies

Policy  General Windows 10 Mobile Windows 10 Description
Enforce Application Whitelist

Enabled or Disabled

  • Block All
  • Block Non Microsoft
  • Block Non Microsoft and Facebook
not available

Application Whitelist will ensure that each device has only applications approved by a system administrator installed

Enforce Hardware Authentication Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Wipe
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
Hardware authentication can be enabled or disabled from this screen. See the hardware authentication for more information on this configuration.
Cost Control Settings
Send Roaming Alerts Enabled or Disabled No actions available not available

Enabling this will send an alert to all Silverback Administrators when a device starts Roaming for any reason (Voice/Data).

Enforce Home Networks Policy Enabled or Disabled
  • No action 
  • Block
  • Wipe
not available Enables the ‘Home Networks’ policy, meaning Silverback Admins can specify what data networks are classed as ‘Home Networks’.
Home Networks

Add

Enforce Home Networks  Policy will activate this grid

e.g. Imagoverum Wi-Fi not available This grid is where Silverback Administrators can specify their ‘Home Networks’

Apps

The Apps Feature Section is how Administrators can automate the distribution of Device Apps for specific groups of users. Before you can begin assigning Apps to the Tag, you first need to have them uploaded into the Silverback App Portal. Once you have Apps in the Silverback App Portal, they can be distributed using the Apps Feature associated with your Tag.

App Types

Three different App Types are available for Windows 10 devices:

Type Description
Enterprise Applications owned by an Organization: Windows 10 Mobile with *.appx file, Windows 10 with *.msi file
Market Applications from public Windows 10 Mobile Store


Assign Apps 

Once Apps are uploaded into the Silverback App Portal Tab, they can be distributed to devices via a Tag they have been associated with.

  • Navigate to Apps
  • Click Assign More Apps
  • Select any applications from the shown Assign Applications page 
  • Click Add Selected Apps 

Overview

Already assigned applications are displayed in the Apps section of any Tag with the following columns: 

Column Description
Type Displays the app type, either Enterprise or Market
Name Displays the application name
Version Displays the application version for Enterprise Apps
Description Displays the application description given in App Portal
Remove Removes the App from the Tag

Content 

Content Management functionalities are not supported on Windows 10 Mobile and Windows 10. 
