Locking down a device

August 13, 2015

After you deploy your devices, you can still configure lockdown settings that were available in the Prov.xml file. You can use a mobile device management (MDM) solution, such as System Center 2012 R2 Configuration Manager, to push lockdown settings to enrolled devices. To do this, use the AssignedAccessXML setting and use the lockdown XML as the value.

Important note

Do not use the FileSystem configuration service provider (CSP) to push the lockdown XML to a device because doing this does not validate the file.

The lockdown XML will be in a HandheldLockdown section that becomes XML embedded in XML, so the XML that you enter must use escaped characters (such as &lt; in place of <). For an example of the escaped characters in XML, see Lockdown XML.

After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device.

For information about settings that you can lock down, see Settings that can be locked down. For information about using Configuration Manager to configure lockdown settings, see Configuring Assigned Access with System Center Configuration Manager.

Configuration options after deployment

The following table shows the lockdown settings that you can add, replace, or query (get) by using the Configuration Manager server. Some configurations are defined at the device level and apply to all users, whereas other configurations are defined for each user role.

Important note

The formatting used in the examples in this table cannot be used in your actual provisioning file. The example is provided in this format for readability only. The XML code must use escaped characters (such as &lt; instead of <) because the XML is embedded in XML. Do not replace the escaped characters in the provisioning file. See Create a Prov.xml for the correct formatting.

Each entry below names the setting, describes it with an example, and ends with the profile scope in which it can be set: the Device (default profile), the User (role list), or both.

ActionCenter

You can enable or disable the Action Center (formerly known as Notification Center) on the device. Set to true to enable the Action Center; otherwise, set to false to disable the Action Center.

Example:

<ActionCenter enabled="true"></ActionCenter>

Applies to: Device (default profile), User (role list)

StartScreenSize

Provide the size of the start screen.

  • Large to set the width big enough to hold six small tiles or the equivalent (such as one large and one medium tile).

  • Small to set the width to hold four small tiles.

Example:

<StartScreenSize>
   Large
</StartScreenSize>

Applies to: Device (default profile)

Application

Provide the product ID for each app that will be available on the device.

To obtain the product ID for apps that you install from the Windows Phone Store, open a browser and locate the installation page for the app. In the URL, you will see the GUID for the app, as shown in the following illustration.

You can find the product ID for a locally developed app in the AppManifest.xml file of the app.

Include PinToStart to display an app on the Start screen. For apps pinned to the Start screen, identify a tile size (small, medium, or large), and a location. The size of a small tile is 1 column x 1 row, a medium tile is 2 x 2, and a large tile is 4 x 2.

For the tile location, the first value indicates the column and the second value indicates the row. A value of 0 indicates the first column, a value of 1 indicates the second column, and so on.

You can also configure the app to run automatically on the device or the user role. To do this, include autoRun as an attribute as follows.

Example:

<Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5601}" autoRun="true">
   <PinToStart>
      <Size>Large</Size>
      <Location>
         <LocationX>0</LocationX>
         <LocationY>2</LocationY>
      </Location>
   </PinToStart>
</Application>

To make sure that an OEM settings app is available when a device is locked down, get the GUID of the app from the OEM and add the following to your lockdown file.

<!-- Replace AppGUID with the product ID supplied by the OEM -->
<Application productId="AppGUID" includeInMoSettings="true" excludeInApps="true"/>

Applies to: Device (default profile), User (role list)

AppInstall

Provide the installation type (Network), the product ID, the program file path, and the license file path for each application to install.

Example:

<characteristic type="AppInstall">
   <characteristic type="Network">
      <parm name="ProductID" value="{912627c8-174c-4a49-ac53-a2b8e4a5be37}"/>
      <parm name="AppXPath" value="Appx\ReliabilityAppxV1.appx"/>
      <parm name="LicensePath" value="Appx\ReliabilityAppxV1_license.xml"/>
   </characteristic>
   <characteristic type="Network">
      <parm name="ProductID" value="{912627c8-174c-4a49-ac53-a2b8e4a5be37}"/>
      <parm name="AppXPath" value="\\SharedFolder\ReliabilityAppxV1.appx"/>
      <parm name="LicensePath" value="\\SharedFolder\ReliabilityAppxV1_license.xml"/>
   </characteristic>
</characteristic>

The following example shows how to use an XAP package:

<characteristic type="AppInstall">
   <characteristic type="Network">
      <parm name="ProductID" value="{F8240AA8-B1C7-4a9c-8914-79BA6A466475}"/>
      <parm name="XAPPath" value="MEGSLTestGame.xap"/>
      <parm name="LicensePath" value="MEGSLTestGame_License.xml"/>
   </characteristic>
</characteristic>

Applies to: Device (default profile)

Settings

Provide the settings that will be available on the device. Together these entries make up an Allow list: any setting that is not in this list is not available to users of the device.

Example:

<Settings>
   <System name="Microsoft.Themes" />
   <Application name="Microsoft.Search" />
</Settings>

Important note

If the Microsoft.DateTime setting is not locked down, users can change the time on the device. This can cause scheduled maintenance and communication with the MDM server to occur at the wrong time.

Applies to: Device (default profile), User (role list)

Buttons

The following list identifies the hardware buttons on the device that you can lock down in ButtonLockdownList. A user cannot access the functionality of a hardware button that is in the lockdown list.

  • Start

    Note
    Lock down of the Start button only prevents the press and hold event.

  • Back

  • Search

  • Camera

  • Custom1

  • Custom2

  • Custom3

    Note
    Custom buttons are hardware buttons that can be added to devices by OEMs.

Example:

<Buttons>
   <ButtonLockdownList>
      <!-- Lockdown all buttons -->
      <Button name="Search">
      </Button>
      <Button name="Camera">
      </Button>
      <Button name="Custom1">
      </Button>
      <Button name="Custom2">
      </Button>
      <Button name="Custom3">
      </Button>
   </ButtonLockdownList>
</Buttons>

The Search and custom buttons can be remapped or configured to open a specific application. Button remapping takes effect for the device and applies to all users.

Note
The lockdown settings for a button, per user role, will apply regardless of the button mapping.

Caution
Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role.

To remap a button in the provisioning file, you supply the button name, the button event (typically press), and the product ID for the application the button will open.

Important note
The empty parameters attribute (parameters="") is required for the remapping to work.

Example:

<ButtonRemapList>
   <Button name="Search">
      <ButtonEvent name="Press">
         <!-- Alarms -->
         <Application productId="{08179793-ED2E-45EA-BA12-BDE3EE9C3CE3}" parameters="" />
      </ButtonEvent>
   </Button>
</ButtonRemapList>

Disabling navigation buttons

To disable navigation buttons (such as Home or Back) in the provisioning file, you supply the name (for example, Start) and button event.

The following section contains a sample WEHLockdown.xml file that shows how to disable navigation buttons.

Example:

<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0" >
    <Default>
        <ActionCenter enabled="false" />
        <Apps>
            <!-- Settings -->
            <Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5601}">
                <PinToStart>
                    <Size>Large</Size>
                    <Location>
                        <LocationX>0</LocationX>
                        <LocationY>0</LocationY>
                    </Location>
                </PinToStart>
            </Application>
            <!-- Phone Apps -->
            <Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5611}">
                <PinToStart>
                    <Size>Small</Size>
                    <Location>
                        <LocationX>2</LocationX>
                        <LocationY>2</LocationY>
                    </Location>
                </PinToStart>
            </Application>
        </Apps>
        <Buttons>
            <ButtonLockdownList>
                <Button name="Start">
                    <ButtonEvent name="Press" />
                </Button>
                <Button name="Back">
                    <ButtonEvent name="Press" />
                    <ButtonEvent name="PressAndHold" />
                </Button>
                <Button name="Search">
                    <ButtonEvent name="All" />
                </Button>
                <Button name="Camera">
                    <ButtonEvent name="Press" />
                    <ButtonEvent name="PressAndHold" />
                </Button>
                <Button name="Custom1">
                    <ButtonEvent name="Press" />
                    <ButtonEvent name="PressAndHold" />
                </Button>
                <Button name="Custom2">
                    <ButtonEvent name="Press" />
                    <ButtonEvent name="PressAndHold" />
                </Button>
                <Button name="Custom3">
                    <ButtonEvent name="Press" />
                    <ButtonEvent name="PressAndHold" />
                </Button>
            </ButtonLockdownList>
            <ButtonRemapList />
        </Buttons>
        <MenuItems>
            <DisableMenuItems/>
        </MenuItems>
        <Settings>
            <System name="Microsoft.About" />
            <System name="Microsoft.FlashAppSetting" />
            <System name="Microsoft.CompanyAccount" />
            <System name="Microsoft.WiFi" />
            <Application name="Microsoft.Search" />
            <Application name="Microsoft.IE" />
            <Application name="Microsoft.Maps" />
            <Application name="Microsoft.Messaging" />
            <Application name="Microsoft.OfficeMobile" />
            <Application name="Microsoft.Contacts" />
            <Application name="Microsoft.Phone" />
        </Settings>
        <Tiles>
            <EnableTileManipulation/>
        </Tiles>
        <StartScreenSize>Small</StartScreenSize>
    </Default>
</HandheldLockdown>

Applies to: Device (default profile), User (role list)

MenuItems

Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create.

Example:

<MenuItems>
   <DisableMenuItems/>
</MenuItems>

Important note

If DisableMenuItems is not included in a profile, users of that profile can uninstall apps.

Applies to: Device (default profile), User (role list)
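As an added check that is not part of the original page or of the CSP, the following Python script lints a constructed HandheldLockdown document for the three caveats the table calls out (a remapped button opening an app outside the Apps Allow list, Microsoft.DateTime left available, DisableMenuItems missing) and then escapes the document for embedding as the AssignedAccessXML value, verifying that it round-trips. Iterating over every child of HandheldLockdown as a profile is an assumption; only Default appears on this page.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, unescape

# Constructed lockdown document for this example; it is not the page's sample
# file. The product IDs are the Settings and Alarms GUIDs quoted on the page.
LOCKDOWN = """<HandheldLockdown version="1.0">
 <Default>
  <Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5601}"/></Apps>
  <Buttons>
   <ButtonLockdownList><Button name="Start"><ButtonEvent name="Press"/></Button></ButtonLockdownList>
   <ButtonRemapList><Button name="Search"><ButtonEvent name="Press">
    <Application productId="{08179793-ED2E-45EA-BA12-BDE3EE9C3CE3}" parameters=""/>
   </ButtonEvent></Button></ButtonRemapList>
  </Buttons>
  <Settings><System name="Microsoft.DateTime"/></Settings>
 </Default>
</HandheldLockdown>"""

def lint_lockdown(xml_text):
    """Flag the three caveats from the lockdown table, once per profile element."""
    findings = []
    for profile in ET.fromstring(xml_text):  # <Default> and any other profile nodes (assumed)
        name = profile.tag
        allowed = {a.get("productId", "").upper() for a in profile.findall("Apps/Application")}
        # Caution: a remapped button can open an app that is not in the Allow list.
        remaps = profile.find("Buttons/ButtonRemapList")
        for app in ([] if remaps is None else remaps.iter("Application")):
            pid = app.get("productId", "").upper()
            if pid not in allowed:
                findings.append(f"{name}: remap target {pid} is not in Apps")
        # Settings is an allow list; exposing Microsoft.DateTime lets users move the clock.
        if profile.find("Settings/System[@name='Microsoft.DateTime']") is not None:
            findings.append(f"{name}: Microsoft.DateTime exposed, users can change the time")
        # Without DisableMenuItems the context menu lets profile users uninstall apps.
        if profile.find("MenuItems/DisableMenuItems") is None:
            findings.append(f"{name}: DisableMenuItems missing, users can uninstall apps")
    return findings

def embed_for_mdm(xml_text):
    """Escape the lockdown XML for use as the AssignedAccessXML value (XML in XML)."""
    escaped = escape(xml_text, {'"': "&quot;"})
    # Round-trip check: what the CSP unescapes must parse back to the same document.
    original = ET.tostring(ET.fromstring(xml_text))
    if ET.tostring(ET.fromstring(unescape(escaped, {"&quot;": '"'}))) != original:
        raise ValueError("escaped value does not round-trip")
    return escaped
```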

Tiles

Turning on tile manipulation

By default, under Assigned Access, tile manipulation is turned off (blocked) and available only if it is enabled in the user’s profile.

If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.

Important note
If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile.

The following sample file contains code for enabling tile manipulation.

Note
Tile manipulation is disabled when you don’t have a <Tiles> node in WEHLockdown.xml, or if you have a <Tiles> node but don’t have the <EnableTileManipulation/> node.

Example:

<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0" >
    <Default>
        <ActionCenter enabled="false" />
        <Apps>
            <!-- Settings -->
            <Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5601}">
                <PinToStart>
                    <Size>Large</Size>
                    <Location>
                        <LocationX>0</LocationX>
                        <LocationY>0</LocationY>
                    </Location>
                </PinToStart>
            </Application>
            <!-- Phone Apps -->
            <Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5611}">
                <PinToStart>
                    <Size>Small</Size>
                    <Location>
                        <LocationX>2</LocationX>
                        <LocationY>2</LocationY>
                    </Location>
                </PinToStart>
            </Application>
        </Apps>
        <Buttons>
            <ButtonLockdownList>
                <Button name="Start">
                    <ButtonEvent name="Press" />
                </Button>
                <Button name="Back">
                    <ButtonEvent name="Press" />
                    <ButtonEvent name="PressAndHold" />
                </Button>
                <Button name="Search">
                    <ButtonEvent name="All" />
                </Button>
                <Button name="Camera">
                    <ButtonEvent name="Press" />
                    <ButtonEvent name="PressAndHold" />
                </Button>
                <Button name="Custom1">
                    <ButtonEvent name="Press" />
                    <ButtonEvent name="PressAndHold" />
                </Button>
                <Button name="Custom2">
                    <ButtonEvent name="Press" />
                    <ButtonEvent name="PressAndHold" />
                </Button>
                <Button name="Custom3">
                    <ButtonEvent name="Press" />
                    <ButtonEvent name="PressAndHold" />
                </Button>
            </ButtonLockdownList>
            <ButtonRemapList />
        </Buttons>
        <MenuItems>
            <DisableMenuItems/>
        </MenuItems>
        <Settings>
            <System name="Microsoft.About" />
            <System name="Microsoft.FlashAppSetting" />
            <System name="Microsoft.CompanyAccount" />
            <System name="Microsoft.WiFi" />
            <Application name="Microsoft.Search" />
            <Application name="Microsoft.IE" />
            <Application name="Microsoft.Maps" />
            <Application name="Microsoft.Messaging" />
            <Application name="Microsoft.OfficeMobile" />
            <Application name="Microsoft.Contacts" />
            <Application name="Microsoft.Phone" />
        </Settings>
        <Tiles>
            <EnableTileManipulation/>
        </Tiles>
        <StartScreenSize>Small</StartScreenSize>
    </Default>
</HandheldLockdown>

Applies to: User (role list)

See also

Other resources

EnterpriseAssignedAccess configuration service provider

Configure devices

Provision the device on startup