Locking down a device
August 13, 2015
After you deploy your devices, you can still configure lockdown settings that were available in the Prov.xml file. You can use a mobile device management (MDM) solution, such as System Center 2012 R2 Configuration Manager, to push lockdown settings to enrolled devices. To do this, use the AssignedAccessXML setting and use the lockdown XML as the value.
Important note
Do not use the FileSystem configuration service provider (CSP) to push the lockdown XML to a device, because doing so does not validate the file.
The lockdown XML goes in a HandheldLockdown section, which makes it XML embedded in XML, so the XML that you enter must use escaped characters (such as &lt; in place of <). For an example of the escaped characters in XML, see Lockdown XML.
After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device.
For information about settings that you can lock down, see Settings that can be locked down. For information about using Configuration Manager to configure lockdown settings, see Configuring Assigned Access with System Center Configuration Manager.
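Because the FileSystem CSP does not validate the file and the AssignedAccessXML value must be escaped before it is embedded, a practitioner usually wants to check the lockdown file and produce the escaped form in one step. The Python script below is an added example, not code from this page or from Configuration Manager: it validates that a lockdown file is well-formed XML with a HandheldLockdown root and no DOCTYPE or entity declarations, escapes it for embedding, and proves the round trip by unwrapping and re-validating the result. The outer <Data> element standing in for the MDM payload, the child elements and attributes of the sample lockdown file, and the function names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample lockdown file. HandheldLockdown is the root element the page
# names; the child elements and attributes are illustrative assumptions.
SAMPLE_LOCKDOWN = """<HandheldLockdown version="1.0">
  <Default>
    <ActionCenter enabled="false"/>
    <MenuItems>
      <DisableMenuItems/>
    </MenuItems>
  </Default>
</HandheldLockdown>"""

# A provisioning file has no use for these; refuse them before parsing.
FORBIDDEN_MARKUP = ("<!DOCTYPE", "<!ENTITY")


def validate_lockdown(xml_text: str) -> ET.Element:
    """Parse the lockdown XML and return its root, or raise ValueError.

    This is the validation that pushing the file through the FileSystem CSP
    would skip: well-formed XML, no DOCTYPE or entity declarations, and
    HandheldLockdown as the root element.
    """
    for marker in FORBIDDEN_MARKUP:
        if marker in xml_text:
            raise ValueError(f"lockdown XML must not contain {marker}")
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        raise ValueError(f"lockdown XML is not well-formed: {exc}") from exc
    if root.tag != "HandheldLockdown":
        raise ValueError(f"expected HandheldLockdown root, got {root.tag}")
    return root


def is_valid_lockdown(xml_text: str) -> bool:
    """Boolean wrapper around validate_lockdown for callers that only need pass/fail."""
    try:
        validate_lockdown(xml_text)
    except ValueError:
        return False
    return True


def embed_in_setting(lockdown_text: str) -> str:
    """Return the lockdown XML escaped and wrapped for the AssignedAccessXML value.

    The <Data> envelope is an assumption for the example; the MDM product builds
    the real one. escape() turns &, < and > into &amp;, &lt; and &gt;, which is
    the "XML embedded in XML" form the page requires.
    """
    validate_lockdown(lockdown_text)  # never ship a file that does not parse
    return f"<Data>{escape(lockdown_text)}</Data>"


def extract_embedded(setting_text: str) -> str:
    """Reverse of embed_in_setting: unwrap, unescape, and re-validate.

    Parsing the envelope unescapes the entities, so the element text is the
    original lockdown document; validating it again proves the round trip.
    """
    envelope = ET.fromstring(setting_text.encode("utf-8"))
    inner = envelope.text or ""
    validate_lockdown(inner)
    return inner


if __name__ == "__main__":
    payload = embed_in_setting(SAMPLE_LOCKDOWN)
    print(payload)
    assert extract_embedded(payload) == SAMPLE_LOCKDOWN
```

Feeding an already-escaped file (one that starts with `&lt;HandheldLockdown`) to `validate_lockdown` fails, because the escaped text has no root element to parse; that catches the double-escaping mistake before a payload is built. The escaped payload itself also fails `is_valid_lockdown`, since its root is the envelope rather than HandheldLockdown, so the two representations cannot be confused for one another.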
Configuration options after deployment
The following table shows the lockdown settings that you can add, replace, or query (get) by using the Configuration Manager server. Some configurations are defined at the device level and apply to all users, whereas other configurations are defined for each user role.
Important note
The formatting used in the examples in this table cannot be used in your actual provisioning file. The examples are shown in this format for readability only. The XML code must use escaped characters (such as &lt; instead of <) because the XML is embedded in XML. Do not replace the escaped characters in the provisioning file. See Create a Prov.xml for the correct formatting.
Each entry below notes where it applies: at the device level (the default profile, which applies to all users), for each user role (the role list), or both.

Entry: ActionCenter
Applies to: Device (default profile); User (role list)
Enables or disables the Action Center (formerly known as Notification Center) on the device. Set it to true to enable the Action Center or to false to disable it. Example:

Entry: StartScreenSize
Applies to: Device (default profile)
Specifies the size of the Start screen. Example:

Entry: Application
Applies to: Device (default profile); User (role list)
Provide the product ID for each app that will be available on the device. To obtain the product ID for an app that you install from the Windows Phone Store, open a browser and locate the installation page for the app; the URL contains the GUID for the app, as shown in the following illustration. You can find the product ID for a locally developed app in the app's AppManifest.xml file.
Include PinToStart to display an app on the Start screen. For each app pinned to the Start screen, specify a tile size (small, medium, or large) and a location. A small tile is 1 column x 1 row, a medium tile is 2 x 2, and a large tile is 4 x 2. In the tile location, the first value is the column and the second value is the row; both are zero-based, so 0 is the first column, 1 is the second column, and so on.
You can also configure the app to run automatically for the device or for the user role by including the autoRun attribute, as in the following example. Example:
To make sure that an OEM settings app is available when a device is locked down, get the GUID of the app from the OEM and add the following to your lockdown file.

Entry: AppInstall
Applies to: Device (default profile)
Provide the installation type (Network), product ID, program file path, and license file path to install an application. Example:
The following example shows how to use an XAP package:

Entry: Settings
Applies to: Device (default profile); User (role list)
Provide the settings that will be available on the device. Together they make up an Allow list: any setting that is not in this list will not be available to users on the device. Example:
Important note
If the Microsoft.DateTime setting is not locked down, users can change the time on the device. This can cause scheduled maintenance and communication with the MDM server to occur at the wrong time.

Entry: Buttons
Applies to: Device (default profile); User (role list)
The following list identifies the hardware buttons on the device that you can lock down in ButtonLockdownList. A user cannot access the functionality of a hardware button that is in the lockdown list.
Example:
The Search and custom buttons can be remapped, that is, configured to open a specific application. Button remapping takes effect for the device and applies to all users.
Note
The lockdown settings for a button, per user role, apply regardless of the button mapping.
Caution
Button remapping can enable a user to open an application that is not in the Allow list. Use button lockdown to prevent application access for a user role.
To remap a button in the provisioning file, you supply the button name, the button event (typically press), and the product ID for the application that the button will open.
Important note
The empty parameter statement (parameter="") is required for the remapping to work.
Example:
Disabling navigation buttons
To disable navigation buttons (such as Home or Back) in the provisioning file, you supply the button name (for example, Start) and the button event. The following section contains a sample WEHLockdown.xml file that shows how to disable navigation buttons. Example:

Entry: MenuItems
Applies to: Device (default profile); User (role list)
Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create. Example:
Important note
If DisableMenuItems is not included in a profile, users of that profile can uninstall apps.

Entry: Tiles
Applies to: User (role list)
Turning on tile manipulation
By default, under Assigned Access, tile manipulation is turned off (blocked) and is available only if it is enabled in the user's profile. If tile manipulation is enabled in the user's profile, the user can pin, unpin, move, and resize tiles according to their preferences. When multiple people use one device and you want to enable tile manipulation for several of them, you must enable it for each user in that user's profile.
Important note
If a device is turned off and then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn the device off and on again. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user's profile.
The following sample file contains code for enabling tile manipulation.
Note
Tile manipulation is disabled when WEHLockdown.xml has no <Tiles> node, or when it has a <Tiles> node but no <EnableTileManipulation/> node.
Example:
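The Settings, Buttons, MenuItems and Tiles entries each carry a caveat that is easy to miss in a large lockdown file: Microsoft.DateTime left in the Settings Allow list lets users change the device time, a profile without DisableMenuItems lets its users uninstall apps, a Tiles node without EnableTileManipulation leaves tile manipulation disabled, and a device-wide button remap can open an app outside a role's Allow list unless that role locks the button. The Python lint below is an added example, not code from this page or the product; it checks a parsed lockdown file for those four conditions, per profile. Names the page does not show (Default, RoleList/Role, Apps, productId, System, ButtonEvent, ButtonRemapList, ButtonRemapApp) are assumptions modelled on the schema for the sake of the example, the GUIDs are placeholders, and each role is assumed to have its own Application Allow list rather than inheriting the default profile's; adjust these to the schema version you deploy.

```python
import xml.etree.ElementTree as ET

# Constructed sample. HandheldLockdown, Application, Settings, Microsoft.DateTime,
# Buttons, ButtonLockdownList, MenuItems, DisableMenuItems, Tiles and
# EnableTileManipulation are names from the page; Default, RoleList/Role, Apps,
# productId, System, ButtonEvent, ButtonRemapList and ButtonRemapApp are assumed
# for this example. The GUIDs are placeholders.
SAMPLE = """<HandheldLockdown version="1.0">
  <Default>
    <Apps><Application productId="{11111111-0000-0000-0000-000000000001}"/></Apps>
    <Settings><System name="Microsoft.DateTime"/></Settings>
    <Buttons><ButtonRemapList><Button name="Search"><ButtonEvent name="Press">
      <ButtonRemapApp productId="{22222222-0000-0000-0000-000000000002}" parameter=""/>
    </ButtonEvent></Button></ButtonRemapList></Buttons>
    <Tiles/>
  </Default>
  <RoleList>
    <Role guid="{33333333-0000-0000-0000-000000000003}" name="Kiosk">
      <Apps><Application productId="{22222222-0000-0000-0000-000000000002}"/></Apps>
      <Settings/>
      <MenuItems><DisableMenuItems/></MenuItems>
      <Tiles><EnableTileManipulation/></Tiles>
    </Role>
    <Role guid="{44444444-0000-0000-0000-000000000004}" name="Visitor">
      <Apps><Application productId="{11111111-0000-0000-0000-000000000001}"/></Apps>
      <Buttons><ButtonLockdownList><Button name="Search">
        <ButtonEvent name="Press"/></Button></ButtonLockdownList></Buttons>
      <MenuItems><DisableMenuItems/></MenuItems>
    </Role>
  </RoleList>
</HandheldLockdown>"""


def _profiles(root):
    """Yield (name, element) for the default profile and each role profile."""
    default = root.find("Default")
    if default is not None:
        yield "Default", default
    for role in root.iterfind("RoleList/Role"):
        yield role.get("name") or role.get("guid", "?"), role


def _remaps(root):
    """Yield (button, event, productId); remaps are device-wide and apply to all users."""
    for button in root.iterfind("Default/Buttons/ButtonRemapList/Button"):
        for event in button.findall("ButtonEvent"):
            for target in event.findall("ButtonRemapApp"):
                yield button.get("name"), event.get("name"), (target.get("productId") or "").lower()


def _locked_events(profile):
    """Set of (button, event) pairs this profile puts in its ButtonLockdownList."""
    return {(b.get("name"), e.get("name"))
            for b in profile.iterfind("Buttons/ButtonLockdownList/Button")
            for e in b.findall("ButtonEvent")}


def lint_lockdown(xml_text):
    """Return (profile, code, detail) findings for the caveats in the table."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    remaps = list(_remaps(root))
    findings = []
    for name, profile in _profiles(root):
        # Settings is an Allow list: Microsoft.DateTime in it means users can change the time.
        settings = profile.find("Settings")
        if settings is not None and any("Microsoft.DateTime" in v
                                        for el in settings.iter() for v in el.attrib.values()):
            findings.append((name, "DATETIME_ALLOWED", "users can change the device time"))
        # Without DisableMenuItems, users of the profile can uninstall apps.
        if profile.find("MenuItems/DisableMenuItems") is None:
            findings.append((name, "MENUITEMS_NOT_DISABLED", "context menu allows app uninstall"))
        # A Tiles node without EnableTileManipulation leaves tile manipulation disabled.
        tiles = profile.find("Tiles")
        if tiles is not None and tiles.find("EnableTileManipulation") is None:
            findings.append((name, "TILES_NODE_WITHOUT_ENABLE", "tile manipulation stays disabled"))
        # A device-wide remap can open an app outside this profile's Allow list
        # unless the profile locks that button event.
        allowed = {(a.get("productId") or "").lower() for a in profile.iter("Application")}
        locked = _locked_events(profile)
        for button, event, pid in remaps:
            if pid not in allowed and (button, event) not in locked:
                findings.append((name, "REMAP_OUTSIDE_ALLOW_LIST", f"{button}/{event} opens {pid}"))
    return findings


def finding_keys(findings):
    """Collapse findings to (profile, code) pairs for quick comparison."""
    return {(profile, code) for profile, code, _ in findings}


if __name__ == "__main__":
    for profile, code, detail in lint_lockdown(SAMPLE):
        print(f"{profile}: {code} ({detail})")
```

On the sample, all four findings land on the default profile: the Search/Press remap targets an app outside its Allow list and nothing locks the button. The Kiosk role is clean because the remap target is in its own Allow list, and the Visitor role is clean because it locks Search/Press even though the target app is not allowed, which is exactly the mitigation the Caution under Buttons describes.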