Restrictions configuration (Windows Mobile policy)

With the Restrictions configuration you define restrictions for devices.

Device

Setting/Field

Description

Forbid SD card

Users cannot access the storage card. This does not prevent apps from accessing the storage card.

Forbid unencrypted device

Internal storage encryption is turned on.
Important After internal storage encryption has been turned on on a device, you cannot turn it off again through a policy.
Note You must enable BitLocker on the device before applying the policy.

Forbid action center notifications above lock screen

No Action Center notifications are displayed above the device lock screen.

Forbid manual addition of non-Microsoft email accounts

Forbids adding all types of email accounts, as well as Exchange, Office 365 and Outlook.com accounts.

Forbid Microsoft account connection

The Microsoft account is the system account used for synchronization, backup and the Store.

Forbid developer mode

The Windows developer mode is turned off.

Forbid Microsoft Store

The app store is unavailable.

Forbid native browser

The Microsoft Edge browser is unavailable.

Forbid camera

The Privacy setting Let apps use my camera is turned off.

Telemetry level

The amount of Windows diagnostic and usage data that devices are allowed to send.

Windows 10:

  • Full: All data required to identify and analyze issues.
  • Enhanced: Data about how Windows and apps are used and how they perform.
  • Basic: A limited set of data that’s critical for understanding the device and its configuration.
  • Disabled (Windows Phone 8.1 only): Not supported on Windows 10 devices. If you select this, the Basic level is used.
Note Levels are cumulative from bottom to top, e.g. Enhanced includes all data from Basic.
Tip For detailed information on the telemetry levels, see the Microsoft article Configure Windows telemetry in your organization (external link).

Windows Phone 8.1 doesn’t support different telemetry levels:

  • Full, Enhanced, Basic: Users can turn telemetry on or off.
  • Disabled (Windows Phone 8.1 only): No telemetry data is submitted.

Various

Setting/Field

Description

Forbid copy and paste

The clipboard is unavailable.

Forbid Cortana

Cortana is turned off.

Forbid "Save as" for Office files

Users cannot save a file on the device as an Office file.

Forbid screen capture

Screen captures are turned off.

Forbid sharing of Office files

Users cannot share Office files.

Forbid "Sync my settings"

Device settings cannot be synchronized to and from other Windows devices.

Forbid voice recording

Voice recording is turned off.

Wi-Fi

Setting/Field

Description

Forbid Wi-Fi

Wi-Fi connections are turned off.

Forbid internet sharing

Internet Connection Sharing (ICS) is turned off.

Forbid Wi-Fi Sense (hotspot auto-connect)

The device does not automatically connect to Wi-Fi hotspots.

Forbid hotspot reporting

The device does not send information about Wi-Fi connections.

Forbid manual configuration

Users cannot configure Wi-Fi connections beyond the connections that are configured by Sophos Mobile.

Connectivity

Setting/Field

Description

Forbid NFC

NFC (near-field communication) is turned off.

Forbid Bluetooth

Bluetooth is turned off.

Forbid USB connection

USB connection between the device and a computer to sync files or to use developer tools to deploy or debug apps is forbidden. This does not affect USB charging.

Roaming and costs

Setting/Field

Description

Forbid cellular data roaming

Data connections over foreign cellular networks are turned off.

Forbid VPN over cellular

VPN connections over cellular networks are turned off.

Forbid VPN roaming over cellular

VPN connections over foreign cellular networks are turned off.

Security and privacy

Setting/Field

Description

Forbid Bing Vision to store images from Bing Vision search

Bing Vision does not store the contents of the images captured when performing Bing Vision search.

Forbid manual installation of root certificates

Users cannot manually install root and intermediate CA certificates.

Forbid locating

All location privacy settings on the device are turned off. No apps can use the location service. This also forbids Sophos Mobile to locate the device.

SafeSearch permission

The level of search result filtering that is enforced on the device:
  • Moderate: Moderate filtering against adult content. Valid search results are not filtered.
  • Strict: Highest filtering against adult content.

Unenrollment

Setting/Field

Description

Forbid user to reset the phone

Users cannot factory reset the device through the control panel or hardware key combinations.

Forbid manual MDM unenrollment

Users cannot delete the workplace account.