PolicyManager configuration service provider

September 30, 2015

The PolicyManager configuration service provider enables the enterprise to configure policies on Windows Phone. Use this CSP to configure any company policies.

Note

This CSP applies only to Windows Embedded 8.1 Handheld devices.

The PolicyManager CSP has the following sub-categories:

  • PolicyManager/My/<AreaName> – Handles the policy configuration request from the server.

  • PolicyManager/Device/<AreaName> – Provides a read-only path to policies enforced on the device.

The configuration policies for the same <AreaName> must be wrapped in an Atomic command.

The following image shows the PolicyManager configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.

The following list describes the characteristics and parameters.

  • ./Vendor/MSFT/PolicyManager
    The root node for the PolicyManager configuration service provider. Supported operation is Get.

  • My
    Node for policies for a specific provider that can be retrieved, modified, or deleted. Supported operation is Get.

  • My/<AreaName>
    The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. Supported operations are Add, Get, and Delete.

  • My/<AreaName>/<PolicyName>
    Specifies the name/value pair used in the policy. The following list shows some tips to help you when configuring policies:

    • Separate multistring values by the Unicode &#xF000; in the XML file.

    • End multistrings with &#xF000; For example, One string&#xF000;two string&#xF000;red string&#xF000;blue string&#xF000;&#xF000;. Note that a query from different caller could provide a different value as each caller could have different values for a named policy.

    • In Syncml, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction.

    • Supported operations are Add, Get, Delete, and Replace.

    • Value type is string.

    For possible area and policy names, see Supported company policies below.

  • Device
    Groups the evaluated policies from all providers that can be configured. Supported operations is Get.

  • Device/<AreaName>
    The area group that can be configured by a single technology independent of the providers. Supported operation is Get.

  • Device/<AreaName>/<PolicyName>
    Specifies the name/value pair used in the policy. Supported operation is Get.

    For possible area and policy names, see Supported company policies below.

Supported company policies

The following table shows company policies that you can change for MDM.

Area name/policy name

Description

DeviceLock/AllowIdleReturnWithoutPassword

Specifies whether the user is required to enter a password when the idle grace period ends.

The following list shows the supported values:

  • 0 – The user cannot set the password grace period and the value is set as Each time.

  • 1 (default) – The user can set the password grace period timer.

Supported via MDM only

Most restricted value is 0

DeviceLock/DevicePasswordEnabled

Specifies whether device lock is enabled.

The following list shows the supported values:

  • 1 (default) - Not required.

  • 0 – Required.

Supported via MDM and EAS

EAS policy name - DevicePasswordEnabled

Min policy value is the most restricted

DeviceLock/AllowSimpleDevicePassword

Specifies whether passwords like “1111” or “1234” are allowed.

The following list shows the supported values:

  • 0 - Not allowed.

  • 1 (default) – Allowed.

Supported via MDM and EAS

EAS policy name - AllowSimpleDevicePassword

Min policy value is the most restricted

DeviceLock/MinDevicePasswordLength

Specifies the minimum number or characters required in the PIN.

The following list shows the supported values:

  • An integer X where

    4 <= X <= 16.

  • 0- Not enforced.

  • Default: 4.

Supported via MDM and EAS

EAS policy name - MinDevicePasswordLength

Max policy value is the most restricted

DeviceLock/AlphanumericDevicePasswordRequired

Determines the type of password required. This policy only applies if DevicedPasswordEnabled policy is set to 0 (required).

The following list shows the supported values:

  • 0 - Alphanumeric password required.

  • 1 - Numeric password required.

  • 2 (default) - Users can choose: Numeric Password, or Alphanumeric Password.

Supported via MDM and EAS

EAS policy name - AlphanumericDevicePasswordRequired

Min policy value is the most restricted

DeviceLock/DevicePasswordExpiration

Specifies when the password expires (in days).

The following list shows the supported values:

  • An integer X where

    0 <= X <= 730.

  • 0 (default) - Passwords do not expire.

Supported via MDM and EAS

EAS policy name - DeviceePasswordExpiration

If all policy values = 0 then 0; otherwise, Min policy value is the most secure value

DeviceLock/DevicePasswordHistory

Specifies how many passwords can be stored in the history that can’t be used.

The following list shows the supported values:

  • An integer X where

    0 <= X <=50.

  • Default: 0

Supported via MDM and EAS

EAS policy name - DevicePasswordHistory

Max policy value is the most restricted

DeviceLock/MaxDevicePasswordFailedAttempts

The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.

The following list shows the supported values:

  • An integer X where

    0 <= X <= 999.

  • Default: 0. The device is never wiped after wrong passwords are entered.

Supported via MDM and EAS

EAS policy name - MaxDevicePasswordFailedAttempts

If all policy values = 0 then 0; otherwise, Min policy value is the most restricted value.

DeviceLock/MaxInactivityTimeDeviceLock

Specifies the amount of time (in minutes) after the device is idle that will cause the device to become password locked.

The following list shows the supported values:

  • An integer X where

    0 <= X <= 999.

  • 0 (default) - No timeout is defined. The default of "0" is Mango parity and is interpreted by as "No timeout is defined."

Supported via MDM and EAS

EAS policy name - MaxInactivityTimeDeviceLock

Min policy value (except ‘0’) is the most restricted value

DeviceLock/MinDevicePasswordComplexCharacters

The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong password.

The following list shows the supported values:

  • An integer X where

    1 <= X <= 4.

Default: 1

Supported via MDM and EAS

EAS policy name - MinDevicePasswordComplexCharacters

Max policy value is the most restricted

WiFi/AllowWiFi

Allow or disallow Wi-Fi connection. (Configurable by Exchange as well – definition will be consistent with EAS definition.)

The following list shows the supported values:

  • 0 – Use Wi-Fi connection is disallowed.

  • 1 (default) – Use Wi-Fi connection is allowed.

Supported via MDM and EAS

EAS policy name - AllowWiFi

Most restricted value is 0

WiFi/AllowInternetSharing

Allow or disallow internet sharing.

(Configurable by Exchange as well – definition will be consistent with EAS definition.)

The following list shows the supported values:

  • 0 – Do not allow the use of Internet Sharing.

  • 1 (default) – Allow the use of Internet Sharing

Supported via MDM and EAS

EAS policy name - AllowInternetSharing

Most restricted value is 0

WiFi/AllowAutoConnectToWiFiSenseHotspots

Allow or disallow the device to automatically connect to Wi-Fi hotspots and friend social network.

The following list shows the supported values:

  • 0 – Not allowed.

  • 1 (default) – Allowed.

Supported via MDM only

Most restricted value is 0

WiFi/AllowWiFiOffLoading

Allow or disallow automatic offloading data traffic to Wi-Fi hotspots and social network.

The following list shows the supported values:

  • 0 – Not allowed.

  • 1 (default) – Allowed.

WiFi/AllowWiFiHotSpotReporting

Allow or disallow Wi-Fi Hotspot information reporting to Microsoft. Once disallowed, the user cannot turn it on.

The following list shows the supported values:

  • 0 – HotSpot reporting is not allowed.

  • 1 (default) – HotSpot reporting is allowed.

Supported via MDM only

Most restricted value is 0

WiFi/AllowManualWiFiConfiguration

Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks.

The following list shows the supported values:

  • 0 – No Wi-Fi connection outside of MDM provisioned network is allowed.

  • 1 (default) – Adding new network SSIDs beyond the already MDM provisioned ones is allowed.

Supported via MDM only

Most restricted value is 0

Connectivity/AllowNFC

Allow or disallow near field communication (NFC) on the device.

Only MDM server can set it.

The following list shows the supported values:

  • 0 – Do not allow NFC capabilities.

  • 1 (default) – Allow NFC capabilities.

Supported via MDM only

Most restricted value is 0

Connectivity/AllowBluetooth

Allow the user to enable Bluetooth or restrict access.

The following list shows the possible values:

  • 0 – Disallow Bluetooth.

  • 1 – Not supported in Windows Phone 8.1 for MDM and EAS Disable Bluetooth, but allow the configuration of hands-free profiles.

  • 2 (default) – Allow Bluetooth.

Supported via MDM and EAS

EAS policy name - AllowBluetooth

Most restricted value is 0

Connectivity/AllowBluetoothSharing (new for GDR2)

This setting allows Bluetooth sharing.

The following list shows the supported values:

  • 0 – Do not allow Bluetooth sharing.

  • 1 (default) – Allow Bluetooth sharing.

Connectivity/AllowVPNRoamingOverCellular

This policy, when enforced, will prevent the device from connecting VPN when the device roams over cellular networks.

The following list shows the supported values:

  • 0 – Not allowed.

  • 1 (default) - Allowed.

Supported via MDM only

Most restricted value is 0

Connectivity/AllowVPNOverCellular

This policy specifies what type of underlying connections VPN is allowed to use.

The following list shows the supported values:

  • 0 - VPN is not allowed over cellular.

  • 1 (default) – VPN could use any connection including cellular.

Supported via MDM only

Most restricted value is 0

Connectivity/AllowManualVPNConfiguration (new for GDR2)

This policy allows the enterprise to enforce a VPN protection by disabling all VPN settings. It prevents the user from manually configuring VPN settings that does not comply with company security policy.

The following list shows the supported values:

  • 0 – All VPN settings are disabled for end user from device side.

  • 1(Default) – all VPN settings are enabled for user from device side.

Supported via MDM only

Most restricted value is 0

Connectivity /CellularAppDownloadMBLimit (new for GDR2)

This policy specifies the maximum app file size in MB allowed for downloading through celluar connection.

The following list shows the supported values:

  • 0 - Boolean (value of “0” interpreted as 20MB.

  • 1 - interpreted as mobile operator imposed limit. Default value “0”.

Supported via MDM only

Connectivity/WLANScanMode (new for GDR2)

This policy defines the frequency mode for active Wi-Fi scanning trigger when screen is off and on. High setting would result in faster/better WiFi discoverbility.

The following list shows the supported values:

  • 0 – Default

  • 100 – normal interval

  • 500 – low interval

Default is 0, but 0 interpreted as normal interval.

Supported via MDM only

System/AllowStorageCard

Controls whether the user is allowed to use the storage card for device storage. This setting does not prevent programmatic access to the storage card, it only prevents the user from using the card as a storage location.

The following list shows the supported values:

  • 0 – SD card use is not allowed. This does not prevent programmatic access to the storage card.

  • 1 (default) – Allow a storage card.

Supported via MDM only

EAS policy name - AllowStorageCard

Most restricted value is 0

System/AllowTelemetry

Allow the device to send telemetry information (such as Software Quality Management (SQM) and Watson).

The following list shows the supported values:

  • 0 – Not allowed.

  • 1 – Allowed, except for Secondary Data Requests.

  • 2 (default) – Allowed.

Supported via MDM only

Most restricted value is 0

Experience/AllowCopyPaste

Specifies whether copy and paste is allowed.

The following list shows the supported values:

  • 0 – Not allowed.

  • 1 (default) – Allowed.

Supported via MDM only

Most restricted value is 0

Experiences/AllowTaskSwitcher (new for GDR2)

This policy allows the company to disable the task switcher completely. It does not affect the back button action, just the visual switcher trigger by the hold back button action.

The following list shows the supported values:

  • 0 – disable task switcher

  • 1(Default) – enable task switcher

Supported via MDM only

Most restricted value is 0

Accounts/AllowMicrosoftAccountConnection

Specifies whether user is allowed to use an MSA account for non-email related connection authentication and services.

The following list shows the supported values:

  • 0 – Not allowed.

  • 1 (default) – Allowed.

Supported via MDM only

Most restricted value is 0

Accounts/AllowAddingNonMicrosoftAccountsManually

Specifies whether user is allowed to add non-MSA email accounts.

The following list shows the supported values:

  • 0 – Not allowed.

  • 1 (default) – Allowed.

Supported via MDM only

Most restricted value is 0

Security/AllowManualRootCertificateInstallation

Specifies whether the user is allowed to manually install root and intermediate CAP certificates.

The following list shows the supported values:

  • 0 – Not allowed.

  • 1 (default) – Allowed.

Supported via MDM only

Most restricted value is 0

Security/RequireDeviceEncryption

Allows enterprise to turn on internal storage encryption. Note that once turned on, it cannot be turned off via policy.

The following list shows the supported values:

  • 0 (default) – Encryption is not required.

  • 1 – Encryption is required.

Supported via MDM and EAS

EAS policy name - RequireDeviceEncryption

Most restricted value is 1

Security/AntiTheftMode (new for GDR2)

Allows enterprise to preventing user from enabling the anti-theft mode. Note, if user already enabled the anti-theft mode for the device before the policy applied, they will have to manually disable the anti-theft mode for this policy to take effect.

The following list shows the supported values:

  • 0 – do not allow anti-theft mode to be enabled.

  • 1 – (Default) allow anti-theft mode.

Supported via MDM only

Most restricted value is 0

ApplicationManagement/AllowStore

Specifies whether app store is allowed at the device.

The following list shows the supported values:

  • 0 – Not allowed.

  • 1 (default) – Allowed.

Supported via MDM only

Most restricted value is 0

ApplicationManagement/ApplicationRestrictions

An XML blob that specifies the application restrictions company want to put to the device. It could be app allow list, app disallow list, allowed publisher IDs, etc.

Note
An application that is running may not be immediately terminated.

Value type is chr.

Supported via MDM only

Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies.

ApplicationManagement/AllowDeveloperUnlock

Specifies whether developer unlock is allowed at the device.

The following list shows the supported values:

  • 0 – Not allowed.

  • 1 (default) – Allowed.

Supported via MDM only

Most restricted value is 0

Browser/AllowBrowser

Specifies whether Internet Explorer is allowed in the device.

The following list shows the supported values:

  • 0 – Not allowed.

  • 1 (default) – Allowed.

Supported via MDM and EAS

EAS policy name - AllowBrowser

Most restricted value is 0

Experience/AllowScreenCapture

Specifies whether screen capture is allowed.

The following list shows the supported values:

  • 0 – Not allowed.

  • 1 (default) – Allowed.

Supported via MDM only

Most restricted value is 0

Experience/AllowManulMDMUnenrollment

Specifies whether to allow the user to delete the workplace account using the workplace control panel. The MDM server can always remotely delete the account.

  • 0 - Not allowed server.

  • 1 – Allowed.

Supported via MDM only

Most restricted value is 0

System/AllowLocation

Specifies whether to allow a location service.

The following list shows the supported values:

  • 0 – Not allowed.

  • 1 (default) – Allowed.

  • 2 –(GDR2) When set, the location service is always turned on. The Settings > Location in the user interface is disabled and the location services toggle will be turned on. The following message is displayed to the user: "Enabled by company policy."

Supported via MDM only

Most restricted value is 0

Connectivity/AllowUSBConnection

Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging.

Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced.

The following list shows the supported values:

  • 0 - Not allowed.

  • 1 – (default) Allowed.

Supported via MDM only

Most restricted value is 0

Connectivity/AllowCellularDataRoaming

Allows or disallows cellular data roaming on the device.

The following list shows the supported values:

  • 0 – Not allowed.

  • 1(default) – Allowed.

Supported via MDM only

Most restricted value is 0

Camera/AllowCamera

Disables or enables the camera.

The following list shows the supported values:

  • 0 – Use of camera is disallowed.

  • 1 (default) – Use of camera is allowed.

Supported via MDM only

Most restricted value is 0

Update/DeviceUpdateMode

Controls the device update behavior.

The following list shows the possible values.

  • 0 - Never check for updates.

  • 1 - Install updates automatically.

  • 2 - Check for updates, but let the user choose when to download and install the update.

  • 3 - Download updates but let the user choose when to install the update.

  • 4 - Default setting. Use the Device Update default behavior.

Search/AllowSearchToUseLocation

Specifies whether search could leverage location information.

The following list shows the supported values:

  • 0 – Not allowed.

  • 1(default) – Allowed.

Supported via MDM only

Most restricted value is 0

Search/SafeSearchPermissions

Not supported.

Specifies what level of safe search (filtering adult content) is required.

Note
This is not supported in Windows Phone 8.1.

The following list shows the supported values:

  • 0 – Strict, highest filtering against adult content.

  • 1(default) – Moderate filtering against adult content (valid search results will not be filtered.

Supported via MDM only

Most restricted value is 0

Search/AllowStoringImagesFromVisionSearch

Specifies whether to allow Bing Vision to store the contents of the images captured when performing Bing Vision search.

The following list shows the supported values:

  • 0 – Not allowed.

  • 1(default) – Allowed.

Supported via MDM only

Most restricted value is 0

Experience/AllowVoiceRecording

Specifies whether voice recording is allowed.

The following list shows the supported values:

  • 0 – Not allowed.

  • 1(default) – Allowed.

Supported via MDM only

Most restricted value is 0

Experience/AllowSaveAsOfOfficeFiles

Specifies whether the user is allowed to save a file on the device as an office file.

The following list shows the supported values:

  • 0 – Not allowed.

  • 1(default) – Allowed.

Supported via MDM only

Most restricted value is 0

AboveLock/AllowActionCenterNotifications

Specifies whether to allow action center notifications above the device lock screen.

The following list shows the supported values:

  • 0 – Not allowed.

  • 1(default) – Allowed.

Supported via MDM only

Most restricted value is 0

Experience/AllowCortana

Specifies whether Cortana is allowed on the device.

The following list shows the supported values:

  • 0 – Not allowed.

  • 1(default) – Allowed.

Supported via MDM only

Most restricted value is 0

Experience/AllowSyncMySettings

Allows the enterprise to disallow roaming settings among devices (in/from Windows Phone device). If not enforced, whether or not roaming is allowed may depend on other factors.

The following list shows the supported values:

  • 0 – Roaming is not allowed.

  • 1(default) – The enterprise does not enforce roaming restrictions.

Supported via MDM only

Most restricted value is 0

DataProtection/RequireProtectionUnderLockConfig (new for GDR2)

Allows data encryption of email data and associated attachments. Pin lock key is required to unlock and decode the content.

The following list shows the supported values:

  • 0(default) – data protection under lock is disabled.

  • 1 – data protection under lock is enabled.

Supported via MDM only

Most restricted value is 1

DataProtection/EnterpriseProtectedDomainNames(new for GDR2)

Specifies the enterprise domain names.

The following list shows the supported values:

  • String – domain name. Multiple domain names may be defined using “|” character as the separator.

  • Default value: <empty>

Example: Contoso.com|Fabrikam.com

Important note

This feature should only be used on devices that are owned or provided by the enterprise or organization, or on a user owned device where the user allowed the device to be fully managed by the enterprise company.

As a mobile device management solutions vendor, you must provide the following disclaimer to the IT administrator prior to the use of the feature.

This feature may cause the device to fail or lose connectivity and require that the device be serviced at a Nokia-authorized repair center to reset to factory settings. Microsoft is not liable for any damage to the device or any loss of productivity that results from use of this feature. Microsoft requires that software vendors provide disclaimers to users when their products expose this feature and capabilities.

Area name/policy name

Description

System/AllowUserToResetPhone

Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination

The following list shows the possible values:

  • 0 - Not allowed.

  • 1 (default) - Allowed to reset to factory default settings.

Supported via MDM only

Most restricted value is 0

Experience/AllowManualMDMUnenrollment

Specifies whether to allow the user to delete the workplace account via workplace control panel. The MDM server always could remotely delete the account.

The following list shows the possible values:

  • 0 - Not allowed.

  • 1 (default) –Allowed to reset to factory default settings.

Supported via MDM only

Most restricted value is 0

Examples

Disable Internet sharing and manual Wi-Fi configuration

<Atomic>
    <CmdID>1</CmdID>
    <Replace>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/PolicyManager/My/WiFi/AllowInternetSharing</LocURI>
        </Target>
        <Data>0</Data>
      </Item>
     </Replace>
    <Replace>
      <CmdID>3</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/PolicyManager/My/WiFi/AllowManualWiFiConfiguration </LocURI>
        </Target>
        <Data>0</Data>
      </Item>
     </Replace>
</Atomic>

Query the camera policy value on the device. This is important in case the multiple resources, such as Exchange server and MDM server, can configure this policy.

<Get>
     <CmdID>2</CmdID>
     <Item>
 <Target>                                    <LocURI>./Vendor/MSFT/PolicyManager/Device/Camera/AllowCamera</LocURI>                    
       </Target>
      </Item>
</Get>