VMware Cloud Expert

LAB 03 - Create Device Restrictions & Profiles

INTRODUCTION

Profiles in Workspace ONE UEM are the primary means to manage and configure your Windows devices. Find information about various profiles that connect to and protect resources, that restrict and control devices, and that are specific to the user and/or device.

You can think of profiles as the settings and rules that, when combined with compliance policies, help you enforce corporate rules and procedures. They contain the settings, configurations, and restrictions that you want to enforce on devices.

A profile consists of the general profile settings and a specific payload. Profiles work best when they contain only a single payload.

While profiles can be used to manage any device (Windows, Android, iOS), in this lab we focus on creating profiles for Windows. You can, however, create profiles for other devices if you choose to.

TASKS

TASK 1 - Preview Payloads

In this task, you explore the core payloads available when creating device profiles for Windows 10 endpoints.

  1. From the Workspace ONE UEM console main menu, expand the Organization Group dropdown menu and select your top-level OG, [your-last-name]
  2. Navigate to Resources > Profiles & Baselines > Profiles > Add > Add Profile.
  3. Select Windows > Windows Desktop and mouse over either User Profile or Device Profile

    Note: When you mouse over the User Profile and/or Device Profile you will see a list of possible Payloads that can be used to configure the profile.
    You will also notice that there are more payloads for Device Profiles than there are for User Profiles
  4. Click either User Profile or Device Profile.
    The General page opens.
  5. Explore the settings of the General page and then the selected payloads, such as Passcode, VPN, and Exchange ActiveSync.
    • Click VPN
    • To display the configuration options, click Configure.
    • Close the window without making any changes.
  6. Repeat steps 4-5 for each core payload.
  7. Click Cancel as you are only investigating profiles and payloads in this task.

TASK 2 - Add a Windows 10 Restrictions Profile

In this task, you ensure that your Windows 10 devices are not tampered with. To disable user access to device features, you configure profile restrictions for your Windows 10 devices.

  1. From the Workspace ONE UEM console main menu, expand the Organization Group drop-down menu and select your top-level OG, [your-last-name]
  2. Navigate to Resources > Profiles & Baselines > Profiles > Add > Add Profile.
  3. Select Windows as your platform, then select Windows Desktop > Device Profile.
    The General page opens.
  4. Configure the General settings:
    • Name: Block Date Time Adjustment
    • Smart Groups: Windows 10 Devices
  5. Review the other General settings.

    Note: Some settings might require additional configuration, such as Allowing Removal and Device Exclusions or enabling a Geofencing zone, Time Schedule, or both.
  6. From the left pane, select Restrictions.
  7. Click Configure.
  8. Under Settings, select Don’t Allow for Date/Time.
  9. Click Save & Publish.
  10. To push the configuration, click Publish.

TASK 3 - Create a Windows Hello Profile

In this task, you simulate the process of configuring a Windows Hello profile in a production environment.

Windows Hello requires integration with Azure AD to work. Because you have no Azure AD integration in this lab environment, you cannot publish a Windows Hello profile to your device.

  1. From the Workspace ONE UEM console main menu, navigate to Resources > Profiles & Baselines > Profiles > Add > Add Profile.
  2. Select Windows > Windows Desktop.
  3. Select Device Profile.
  4. Configure the General settings as follows:
    • Name: Test Windows Hello
    • Smart Groups: Windows 10 Devices
  5. From the left pane, select Windows Hello
  6. Click Configure to select the following settings:
    • Biometric Gesture: Enable this setting to permit users to use the device biometric readers.
    • TPM: Set to Require to disable Passport use without a Trusted Platform Module installed on the device.
    • Minimum PIN Length: Enter the minimum number of digits a PIN must contain.
    • Maximum PIN Length: Enter the maximum number of digits a PIN can contain.
    • Digits: Set the permissions level for using digits in the PIN.
    • Upper Case Letters: Set the permissions level for using upper case letters in the PIN.
    • Lower Case Letters: Set the permissions level for using lower case letters in the PIN.
    • Special Characters: Set the permissions level for using special characters (! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~) in the PIN.
  7. Click Cancel to close the profile creation page without saving
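
The PIN settings in step 6 interact: a length range combined with per-class permission levels can describe a policy that no PIN satisfies. The following Python sketch is an added example, not part of the original lab or of Workspace ONE UEM; it checks a proposed policy for contradictions and evaluates candidate PINs against it. The level names, dictionary keys and sample policy are assumptions of this example, and the 4 and 127 bounds are the Windows Hello for Business PIN length limits, which the lab does not state.

```python
import string

# Permission levels for each character class (names are assumptions of this example).
ALLOWED, REQUIRED, DISALLOWED = "allowed", "required", "disallowed"

# Character classes from the payload; string.punctuation equals the special list above.
CLASSES = {
    "digits": set(string.digits),
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "special": set(string.punctuation),
}

def lint_policy(policy):
    """Return the problems that make a PIN policy invalid or impossible to satisfy."""
    problems = []
    lo, hi = policy["min_length"], policy["max_length"]
    if lo < 4:
        problems.append("minimum PIN length below 4")
    if hi > 127:
        problems.append("maximum PIN length above 127")
    if hi < lo:
        problems.append("maximum PIN length shorter than minimum")
    levels = [policy[name] for name in CLASSES]
    if all(level == DISALLOWED for level in levels):
        problems.append("every character class is disallowed")
    return problems

def check_pin(pin, policy):
    """Return the rule violations for one candidate PIN (empty list = accepted)."""
    violations = []
    if not policy["min_length"] <= len(pin) <= policy["max_length"]:
        violations.append("length")
    for name, chars in CLASSES.items():
        present = any(ch in chars for ch in pin)
        if policy[name] == REQUIRED and not present:
            violations.append(f"{name} required")
        if policy[name] == DISALLOWED and present:
            violations.append(f"{name} not permitted")
    return violations

# Constructed sample policy (hypothetical values, not taken from the lab).
SAMPLE_POLICY = {"min_length": 6, "max_length": 12, "digits": REQUIRED,
                 "upper": ALLOWED, "lower": REQUIRED, "special": DISALLOWED}

if __name__ == "__main__":
    print("policy problems:", lint_policy(SAMPLE_POLICY))
    for pin in ("123456", "12ab56", "12ab5!", "1a"):
        print(pin, "->", check_pin(pin, SAMPLE_POLICY) or "accepted")
```
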

TASK 4 - Create a Windows 10 License Profile

In this task you will create a profile to update your Windows 10 license to Windows 10 Enterprise Edition.

This profile will upgrade Windows 10 devices with a Home Edition or Professional Edition license to Enterprise Edition.

  1. From the Workspace ONE UEM console main menu, navigate to Resources > Profiles & Baselines > Profiles > Add > Add Profile.
  2. Select Windows > Windows Desktop.
  3. Select Device Profile.
  4. Configure the General settings as follows:
    • Name: Windows 10 Enterprise License Key
    • Smart Groups: Windows 10 Devices
  5. From the left pane, select Windows Licensing
  6. Click Configure to select the following settings:
    • License Key: 6F7G4-9NDW8-TRGF8-CVQK8-QDDCC
  7. Click Save and Publish

TASK 5 - Configure the Health Attestation Settings

In this task, you configure the compromised status definitions for Windows Desktop devices.

  1. On the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > Devices & Users > Windows > Windows Desktop > Windows Health Attestation.
  2. Click Override then customize the Health Attestation settings:
    • Early Launch Anti-Malware Disabled: Select.
    • Leave all other health attestation options at their default value.
  3. Click Save

TASK 6 - Review Profile Management Settings

In this task, you review the profile management settings available to UEM administrators.

  1. From the Workspace ONE UEM console main menu, expand the Organization Group drop-down menu and select your top-level OG, [your-last-name]
  2. Navigate to Resources > Profiles & Baselines > Profiles
  3. Review the following settings and actions:
    • Under Add, you have controls to upload a profile or Batch import Wi-Fi profiles.
    • In the top-right, you can perform a profile search, change the view, refresh the data, or export the data in CSV format.
    • Use the filtering toggles to filter profiles based on Status, Publishing State, Platform, Configuration Setting, and Smart Group assignment.
    • Profiles can be disabled by clicking the radio button, at the left of the profile name.
      When a profile is disabled, it is removed from all devices.
  4. To view the different controls, select the number under Installed Status, and then Assigned Groups.
    You see your device listed with a control to remove or reinstall the profile if any device has been deployed. If a 0 is shown, it means that the profile is not yet installed or has a Status of Pending.
  5. Click the radio button next to a profile to show the profile task menu:
    • Devices: Permits you to view the device assignment for a selected profile.
    • </>XML: Permits you to view the XML code for the selected profile.
    • More Actions: Permits you to Copy, Deactivate, or Delete the selected profile.
  6. Click any existing profile to see profile details. On the Profile Detail page, you have the following controls:
    • Add Version: Permits you to modify the profile payload content.

      Note: Only click Add Version if you want to modify the profile payloads, such as Restriction, Exchange ActiveSync, Wi-Fi, and so on.

      After you modify the payload content, click Save & Publish to publish the profile. The updated profile content is applied to all assigned devices.

      You do not need to click Add Version if you only want to change the assignment. In this case, you can directly modify the Assigned Groups and click Save & Publish.

      The profile is then applied only to devices that are new to the assignment and removed only from devices that are no longer part of the assignment.
    • Save & Publish: Permits you to publish this profile to assigned devices.
    • Cancel
