Best practices for configuring devices

August 13, 2015

Before you configure Windows Embedded 8.1 Handheld devices, review the recommendations in this topic.

For more information about profiles, see Multiple user profiles on a device.

Locking down devices

  • While you are developing your lockdown configuration, we recommend that you include Settings in your application allow list as well as Settings.About (Microsoft.About) in your settings allow list so that you can reset the device easily if your lockdown configuration does not operate as you intended.

  • If the Microsoft.DateTime setting is not locked down, users can change the time on the device. Maintenance and communication with the MDM server that are scheduled for a defined maintenance window can then occur at the wrong time.

  • The Microsoft.About setting allows a user to reset the device. Lock down this setting if you do not want users to have this ability.

  • After you configure your lockdown settings, if you are using multiple profiles and you can switch profiles as expected, you may want to remove About from the Settings allow list for your associates to ensure they cannot reset the device to factory settings.

  • Make sure that you have mobile device management (MDM) configured properly if you intend to remove About from all profiles. This will enable you to remotely configure and reset devices if needed.

  • Button remapping can enable a user to open an app that is not in the Allow list. Use button lockdown to prevent app access for a user role.

  • If you do not disable the physical Search button, device users can start the Bing app on a device that is configured to run in kiosk mode.

  • Use DisableMenuItems to prevent use of the context menu, which is displayed when a user taps and holds an app. You can include this entry in the default profile and in any additional user role profiles that you create. If DisableMenuItems is not included in a profile, users of that profile can uninstall apps.

  • Use the PolicyManager configuration service provider to block launching of applications, in conjunction with the Assigned Access allow list, for more robust control of the user experience. For instance, some screens in the Handheld operating system provide links that could take a user to Internet Explorer or Facebook. You can use PolicyManager to block these applications from starting.
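
A pre-deployment check for the recommendations in this list, as an added example that is not part of the original topic or of Microsoft's tooling. The element names in the constructed sample XML, the profile names, and the `audit` function are assumptions for illustration; adjust the paths to match the lockdown XML you actually deploy.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names are assumptions for this example;
# check them against the lockdown XML schema you actually deploy.
SAMPLE = """<HandheldLockdown version="1.0">
  <Default>
    <Buttons><ButtonLockdownList><Button name="Search"/></ButtonLockdownList></Buttons>
    <MenuItems><DisableMenuItems/></MenuItems>
  </Default>
  <RoleList>
    <Role name="Associate">
      <Settings><System name="Microsoft.About"/><System name="Microsoft.DateTime"/></Settings>
    </Role>
    <Role name="Administrator">
      <Buttons><ButtonLockdownList><Button name="Search"/></ButtonLockdownList></Buttons>
      <MenuItems><DisableMenuItems/></MenuItems>
      <Settings><System name="Microsoft.About"/></Settings>
    </Role>
  </RoleList>
</HandheldLockdown>"""

CHECKS = {
    "DATETIME_ALLOWED": "users can change the device time",
    "ABOUT_ALLOWED": "users can reset the device",
    "MENU_ITEMS_ENABLED": "tap-and-hold context menu lets users uninstall apps",
    "SEARCH_UNLOCKED": "physical Search button can start the Bing app",
}

def audit(xml_text, admin_profiles=("Administrator",)):
    """Return (profile, check) pairs for every recommendation a profile misses."""
    root = ET.fromstring(xml_text)
    profiles = [("Default", p) for p in root.findall("Default")]
    profiles += [(r.get("name"), r) for r in root.findall("RoleList/Role")]
    findings = []
    for name, node in profiles:
        allowed = {s.get("name") for s in node.findall("Settings/System")}
        locked = {b.get("name") for b in node.findall("Buttons/ButtonLockdownList/Button")}
        if "Microsoft.DateTime" in allowed:
            findings.append((name, "DATETIME_ALLOWED"))
        if "Microsoft.About" in allowed and name not in admin_profiles:
            findings.append((name, "ABOUT_ALLOWED"))
        if node.find("MenuItems/DisableMenuItems") is None:
            findings.append((name, "MENU_ITEMS_ENABLED"))
        if "Search" not in locked:
            findings.append((name, "SEARCH_UNLOCKED"))
    return findings

if __name__ == "__main__":
    for profile, check in audit(SAMPLE):
        print(f"{profile}: {check}: {CHECKS[check]}")
```

Each profile is checked on its own because an entry such as DisableMenuItems protects only the profiles that include it.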

Profiles

  • Consider creating an Administrator profile that includes the Microsoft.About setting and the Settings app. This profile provides you with the means to reset a device directly.

  • For more information about profiles, see Multiple user profiles on a device.

Mobile device management (MDM)

  • Handheld 8.1 devices that are enrolled in mobile device management (MDM) can receive settings and policies from the MDM server. Sometimes, the settings or policies can override the original configuration. If you reset a device that had its configuration changed by MDM policies, the original configuration will be reapplied. To avoid confusion and ensure that devices are configured the way you want, we recommend the following:

    • If your device has multiple roles, push down only policies and settings that are not in the provisioning XML (Prov.xml) file. Those policies and settings will apply to all roles.

    • If you want to overwrite the policies and settings already defined in Prov.xml, push down a new Prov.xml with the changes to all roles, and then reset the device to apply the new configuration. Otherwise, the policies and settings will take effect only on the user role currently in use, and will be overwritten after switching roles.

See also

Other resources

Provision the device on startup

Configure devices