Restrictions
You can impose restrictions on the managed Windows devices by creating a profile and associating the profile to the devices or groups. Restrictions profile is applicable for devices running Windows 8.1 or later versions. Restrictions can also be applied on Surface Hubs running Windows 10 Team OS.
Profile Description
| Profile Specification | Description |
|---|---|
| Device Functionality | |
| Enforce Device Encryption | Allow/Restrict encrypting the data stored in the managed device |
| Disable SD Card | Allow/Restrict using SD Card (external memory) in the managed device |
| Camera | Allow/Restrict using camera in the managed device |
| Screen Capture | Allow/Restrict capturing the device screen as images |
| Telemetry | Allow/Restrict/Partially Allow posting anonymous data to Windows for fixing security issues and other bugs |
| Microsoft Store | Allow/Restrict access to Microsoft Windows App Store from the managed device |
| Data transfer through USB | Allow/Restrict transfer of data between the managed device to computers and laptops. In case of USB devices, only the storage drive cannot be used. You will still be able to use a mouse/keyboard connected via USB. |
| Microsoft feedback notifications | Allow/Restrict feedback notifications from Microsoft |
| Modify device date/time | Allow/Restrict modifying date/time in the managed device |
| Modify device name | Allow/Restrict modifying the device name |
| Network | |
| Sharing Internet | Allow/Restrict sharing Internet between the managed device and other devices |
| VPN | Allow/Restrict establishing connection via VPN from the managed device |
| Allow VPN usage while using Cellular Data | Allow/Restrict establishing connection via VPN, while using Cellular Data |
| Allow VPN Roaming while using Cellular Data | Allow/Restrict VPN Roaming while using Cellular Data |
| Cellular Network | This option lets the Cellular Network be on always or leaves it to user's control |
| Cellular Data usage while Roaming | Allow/Restrict using cellular data, while Roaming |
| Wi-Fi | Allow/Restrict using Wi-Fi in the managed device |
| Wi-Fi Configuration | Allow/Restrict manual addition of Wi-Fi connections in the managed device. |
| Automatically connect to Wi-Fi Sense Hotspots | Allow/Restrict automatic connection to Wi-Fi Hotspots |
| Security and Privacy | |
| Clipboard share | Allow/Restrict copy and pasting data in the managed device |
| Location Services | Allow/Restrict using Location Services in the managed device |
| Microsoft account Connection | Allow/Restrict addition of Microsoft accounts in the managed device. This profile is not applied if the device already has a Microsoft account added |
| Adding Non-Microsoft account manually | Allow/Restrict adding non-Microsoft accounts in the managed device |
| Install root certificates | Allow/Restrict installing root certificates in the managed device |
| Developer Unlock | Allow/Restrict Developer Unlock option in the managed device. Developer Unlock option provides advanced controls such as accessing the data/file in the device OS |
| Reset device | Allow/Restrict resetting the managed device |
| Action Center Notifications | Allow/Restrict receiving Action Center Notifications |
| Toast Notifications | Allow/Restrict Toast Notifications |
| FIPS Compliance | This option lets you secure device communications and data only using FIPS-compliant algorithms. It is recommended to read this before configuring the restriction |
| Add Provisioning package | Allow/Restrict adding Provisioning packages in the managed device |
| Remove existing Provisioning package | Allow/Restrict removing Provisioning packages already present in the managed device |
| Anti-Theft Mode | Allow/Restrict Anti-Theft mode in the device |
| Social and Search | |
| Cortana | Allow/Restrict Cortana in the managed device |
| Voice Recording | Allow/Restrict voice recording in the device |
| Save "Office files" | Allow/Restrict saving Microsoft Office files in the device |
| Share "Office Files" | Allow/Restrict sharing Microsoft Office files from the managed device |
| Sync My Settings | Allow/Restrict Sync My Settings feature in the device |
| Store images from Vision Search | Allow/Restrict storing images from Vision Search in the managed device. |
| Safe Search permissions | Allow/Restrict using Safe Search in the managed device |
| Allow "Search" to use Location Services | Allow/Restrict the usage of Location Services by the default search engine, Bing |
| Application | |
| Non-Store app installation | Allow/Restrict installation of non-Store apps in the managed device. It can also be user-controlled |
| Install apps in device memory | Allow/Restrict installation of apps in the device memory |
| Store app data in device memory | Allow/Restrict storage of data by apps in the device memory |
| Auto-update of Store apps | Allow/Restrict automatic update of Store apps present on the device |
| Allow access only to Private Store | Allow/Prevent downloading of apps not managed by the organization. |
| NFC and Bluetooth | |
| NFC | Allow/Restrict NFC functionality in the managed devices |
| Bluetooth | Allow/Restrict Bluetooth functionality in the managed device |
| Bluetooth discovery | Allow/Restrict Bluetooth discovery in the managed device |
| Bluetooth pre-pairing | Allow/Restrict Bluetooth pre-pairing in the managed device. Pre-pairing is a process by which the Bluetooth peripherals are automatically paired during the manufacturing process. User needn't manually pair these peripherals as they paired when setup for the first time. If the peripherals are unpaired and within range of the other paired device, they get paired automatically. For more details, refer to this. |
| Bluetooth services advertising | Allow/Restrict advertising Bluetooth services |
Jump To