Lab 6: Policies

Objective and Tasks

  1. Configure a baseline for Windows Desktop devices
  2. Configure a baseline for Windows Server devices
  3. Review payload capabilities
  4. Add a Windows Restrictions profile for Windows Desktop devices
  5. Add a Wi-Fi ADMX profile for Windows Desktop devices
  6. Add an RDP ADMX profile for Windows Server devices
  7. Configure the Health Attestation settings
  8. Review the Profile Management settings
  9. Verify the profiles and settings for an enrolled device
  10. Configure a Compliance Policy

Task 1: Configure a baseline for Windows Desktop devices

You create a Baseline to apply security settings to the Windows Desktop devices.

  1. From the VM Switcher, make sure that ControlCenter is selected.
  2. In Workspace ONE UEM Console, click Resources from the top navigation bar. Then, expand Profiles & Baselines in the left navigation menu and select Baselines.
  3. Click New.
  4. Select Desktop.
  5. Select Use Template, and click Next.
  6. For Baseline Name, enter Windows11-25H2.
  7. Click Next.
  8. Select Windows Security Baseline.
  9. Select Windows 11 and Version 25H2 from the available dropdown menus. Then, click Next.
  10. On Customize screen, make the following changes:
  • Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration: Set to 4 minutes.
  • Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length: Set to 4.
  11. Click Next.
  12. In the search box, type camera, and wait for policies to appear.
  13. Select Allow use of camera.
  14. From the drop-down, click Enabled.
  15. Click Next.
  16. Click Save & Assign.
  17. Type Windows in the search for Smart Group box, and wait for the assignment groups to appear.
  18. Select Windows Desktop Devices.
  19. Click Publish.
  20. In the navigation at the top, click Devices. Then, select Devices from the navigation menu on the left.
  21. Click on the friendly name of one of your Windows Desktop devices.
  22. Click the Baselines tab. The status column next to the baseline should show a green checkmark.

It is possible that the status will show a black check mark, indicating that the baseline has not yet been applied. If so, this is because the device has not yet checked in and been notified that a Baseline is waiting for it.

If you see a black check mark, log in to that specific Windows VM and click the Sync Device button in the Intelligent Hub screen.

  1. Click the text in the Compliance column.
  2. Review the status of the settings from the baseline.
  3. Close the Compliance window.

Task 2: Configure a baseline for Windows Server devices

You create a Baseline to apply security settings to the Windows Server devices.

  1. From the VM Switcher, make sure that ControlCenter is selected.
  2. In Workspace ONE UEM Console, click Resources from the top navigation bar. Then, expand Profiles & Baselines in the left navigation menu and select Baselines.
  3. Click New.
  4. Select Server.
  5. Select Use Template, and click Next.
  6. For Baseline Name, enter WinServer-25H2.
  7. Click Next.
  8. Select Windows Security Baseline.
  9. Select Version 2025 and Member Server from the available dropdown menus. Then, click Next.
  10. On Customize screen, make the following changes:
  • Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration: Set to 4 minutes.
  • Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length: Set to 4.
  11. Click Next.
  12. Click Next.
  13. Click Save & Assign.
  14. Type Windows in the search for Smart Group box, and wait for the assignment groups to appear.
  15. Select Windows Server Devices.
  16. Click Publish.
  17. In the navigation at the top, click Devices. Then, select Devices from the navigation menu on the left.
  18. Click on the friendly name of one of your Windows Desktop devices.
  19. Click the Baselines tab. The status column next to the baseline should show a green checkmark.

It is possible that the status will show a black check mark, indicating that the baseline has not yet been applied. If so, this is because the device has not yet checked in and been notified that a Baseline is waiting for it.

If you see a black check mark, log in to that specific Windows VM and click the Sync Device button in the Intelligent Hub screen.

  1. Click the text in the Compliance column.
  2. Review the status of the settings from the baseline.
  3. Close the Compliance window.
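The Compliance window in Tasks 1 and 2 compares each baseline setting with what the device reports. As an added example (not part of the lab or of Workspace ONE UEM), the following Python script makes the same comparison locally for the two settings the baselines customize: it parses the output of net accounts (a constructed sample is embedded) and reports any drift from the lab values. The sample output, the parsing regex and the setting names are assumptions of this example.

```python
"""Check local Windows account policy against the lab baseline values.

Added example, not part of the lab or of Workspace ONE UEM. It parses the
output of `net accounts` (constructed sample below) and compares it with the
two settings the baselines customize: lockout duration 4 minutes and minimum
password length 4.
"""
import re

# Settings customized in the Windows11-25H2 / WinServer-25H2 baselines (lab values).
EXPECTED = {
    "Lockout duration (minutes)": 4,
    "Minimum password length": 4,
}

# Constructed sample of `net accounts` output from a device that has NOT yet
# received the baseline (still at Windows defaults).
SAMPLE_BEFORE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
"""

def parse_net_accounts(text: str) -> dict:
    """Return {setting name: value}; purely numeric values become int."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?):\s{2,}(\S.*)$", line)  # name, 2+ spaces, value
        if not m:
            continue
        name, value = m.group(1).strip(), m.group(2).strip()
        policy[name] = int(value) if value.isdigit() else value
    return policy

def check_baseline(policy: dict, expected: dict = EXPECTED) -> dict:
    """Return {setting: (actual, expected)} for every setting that drifts."""
    drift = {}
    for name, want in expected.items():
        actual = policy.get(name, "<missing>")  # a missing line is drift too
        if actual != want:
            drift[name] = (actual, want)
    return drift

if __name__ == "__main__":
    for name, (actual, want) in check_baseline(parse_net_accounts(SAMPLE_BEFORE)).items():
        print(f"DRIFT {name}: actual={actual} expected={want}")
```

A minimum password length of 4 is a lab value only; the published Microsoft security baseline sets 14, and a production baseline should not go below it.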

Task 3: Review Payload Capabilities

You explore the core payloads available when creating device profiles for Windows endpoints.

  1. Log in to the ControlCenter desktop VM.
    • User name: administrator
    • Password: Pa$$w0rd
  2. Open Chrome and log in to Workspace ONE UEM.
    • User name: studentadmin{labid}
    • Password: Pa$$w0rd
  3. In the upper-right corner of the console, click the drop-down menu with your administrator name and verify that Student{labid} organization group is selected from the Organization Group drop-down menu.
  4. In the navigation pane at the top, select Resources. In the navigation menu on the left, expand Profiles & Baselines, and then select Profiles.
  5. From the Add drop-down menu, select Add Profile.
  6. In the Add Profile dialog box, click Windows.
  7. In the Select Device Type dialog box, click Desktop.
  8. In the Select Context dialog box, click Device Profile. The General page opens.
  9. In the navigation pane on the left, explore the available settings for the selected payloads.
  10. Click Password.
  11. To display the configuration options, click Configure.
  12. In the navigation pane on the left, select a different payload without making any changes.
  13. Click Cancel to close the Add a New Desktop Profile dialog box.
  14. Click OK to discard changes.

Task 4: Add a Restrictions profile for Android mobile devices

You configure an Android Restrictions profile.

There are no Android devices enrolled in the lab. This task is for demonstration purposes only.

  1. In the upper-right corner of the console, click the drop-down menu with your administrator name and verify that Student{labid} organization group is selected from the Organization Group drop-down menu.

  2. In the navigation pane at the top, select Resources. Under the Profiles & Baselines, click Profiles.

  3. From the Add drop-down menu, select Add Profile.

  4. Select Android.

  5. Select Android Management API as the Management Type to use for this profile.

  6. Click Next.

  7. Enter Android Restrictions in the Name text box.

  8. Ensure that Profile Scope is set to Production.

  9. In the Search field, enter Restrictions and click Search.

  10. From the search results, click Add next to Restrictions.

  11. From the list of available restrictions, click the toggles to disable the following options.

    • Allow screen capture

    • Allow Camera access

  12. Click Next.

  13. Type Android in the search for Smart Group box, and wait for the assignment groups to appear.
  14. Select Android Devices(Student{labid}).
  15. Click Save & Publish.

Task 5: Add a Wi-Fi Profile for Windows Desktop devices

You configure a Wi-Fi profile.

The Windows Desktop devices in the lab environment cannot connect to a Wi-Fi network. This task is for demonstration purposes only.

  1. In the upper-right corner of the console, click the drop-down menu with your administrator name and verify that Student{labid} organization group is selected from the Organization Group drop-down menu.

  2. In the navigation pane at the top, select Resources. Under the Profiles & Baselines, click Profiles.

  3. From the Add drop-down menu, select Add Profile.

  4. Select Windows. Then, select Desktop.

  5. Click Device Profile. The General page opens.

  6. Configure the General settings.

    1. Enter Test Wi-Fi in the Name text box.

    2. Click in the Smart Groups search box and select Windows Desktop Devices.

  7. In the left pane, select Wi-Fi and click Configure.

  8. Enter Test Wi-Fi in the Service Set Identifier text box.

  9. From the Security Type drop-down menu, verify that Open is selected.

  10. Click Save and Publish.

  11. To push the configuration, click Publish.

Task 6: Add an RDP ADMX profile for Windows Server devices

You configure an RDP ADMX profile.

The Windows Server device in this lab environment is not licensed for Remote Desktop Services. This task is for demonstration purposes only.

  1. In the upper-right corner of the console, click the drop-down menu with your administrator name and verify that Student{labid} organization group is selected from the Organization Group drop-down menu.

  2. In the navigation pane at the top, select Resources. Under the Profiles & Baselines, click Profiles.

  3. From the Add drop-down menu, select Add Profile.

  4. Select Windows ADMX.

  5. Select Device Profile.

  6. Enter RDP Configuration in the Name text box.

  7. In the Search field, enter Remote Desktop Services and click Search.

  8. From the listed results, click Add next to Remote Desktop Services.

  9. Scroll down until you find the section labeled Remote Desktop Session Host. Then, look for the subsection called Connections.

  10. Next to Allow users to connect remotely by using Remote Desktop Services, click the Enable button.

  11. Next to Limit number of connections, click the Enable button.

  12. Enter 10 in the RD Maximum Connections allowed field.

  13. Click Next.

  14. Type Windows in the search for Smart Group box, and wait for the assignment groups to appear.
  15. Select Windows Server Devices.
  16. Click Save & Publish.

Task 7: Configure the Health Attestation Settings

You configure the compromised status definitions for Windows Desktop devices.

  1. In the Workspace ONE UEM console, select Groups & Settings from the top navigation. Then, expand All Settings in the navigation pane on the left and navigate to Devices & Users > Microsoft > Windows > Windows Health Attestation.
  2. Next to Current Setting, click Override.
  3. Select the Early Launch Anti-Malware Disabled check box.
    • You leave the default values for all other health attestation options.
  4. Click Save.
  5. Close the Settings dialog box.

Task 8: Review the Profile Management Settings

You review the profile management settings available to UEM administrators.

  1. In the upper-right corner of the console, click the drop-down menu with your administrator name and verify that Student{labid} organization group is selected from the Organization Group drop-down menu.
  2. In the navigation pane on the left, select Resources. Under the Profiles & Baselines, select Profiles.
  3. Review the available settings and actions.
    • From the Add drop-down menu, you can upload a profile or batch-import profiles.
    • In the top-right corner of the Profiles page, you can perform a profile search, change the layout, refresh the data, or export the data in CSV or XLSX format.
    • You can use the Filters list to filter profiles based on Status, Publishing State, Platform, and Smart Group assignment.
    • Profiles can be deactivated by clicking the button to the left of the profile name and then selecting Deactivate from the More Actions drop-down menu. When a profile is deactivated, it is removed from all devices.
  4. Under Installed Status, click View in the row of one of the profiles.

You can see the number of devices that have a Not Installed, Installed, or Assigned status.

  1. Click the button next to a profile name to show the profile task menu.
    • </> XML: You can view the XML code for the selected profile.
    • More Actions: You can copy, deactivate, or delete the selected profile.
  2. Click an existing profile name to view and edit the profile details.
    • Add Version: You can modify the profile payload content.

Only click Add Version if you want to modify the profile payloads for all assigned devices. Publishing the profile after clicking Add Version reinstalls the profile on all assigned devices. You do not need to click Add Version if you only want to change the assignment. In this case, you can directly modify the Smart Groups and click Save and Publish. The profile is then applied only to devices that are new to the assignment and removed only from devices that are no longer part of the assignment.

  • Save and Publish: You publish the updated profile content to all assigned devices.
  • Cancel: You return to the Profiles page without making changes to the profile details.
  1. Click Cancel.

Task 9: Verify the profiles and settings for an enrolled device

You verify that the profiles are installed on the enrolled devices.

  1. In the upper-right corner of the console, click the drop-down menu with your administrator name and verify that Student{labid} organization group is selected from the Organization Group drop-down menu.
  2. In the navigation pane at the top, select Devices. Then, click Devices in the navigation on the left.
  3. In the General Info column, click the friendly name hyperlink of your enrolled Windows device.
    • The Details View page of the device appears.
  4. To review the assigned profile configurations deployed to the device, click the Profiles tab.
  5. The Status column shows a green checkmark if the profile successfully installed and configured itself on the device.

Your lab environment might not show a green checkmark. You can continue.

You can also attempt a manual installation of the profile by clicking the button to the left of the profile name. The Install and Remove options appear above the profile list.

Task 10: Configure a Compliance Policy

You create a compliance policy for the platform you enrolled to monitor the device check-in status.

  1. Log in to the ControlCenter desktop VM.

    • User name: administrator

    • Password: Pa$$w0rd

  2. Open Chrome and log in to the Workspace ONE UEM console.

    • User name: studentadmin{labid}

    • Password: Pa$$w0rd

  3. In the upper-right corner of the console, click the drop-down menu with your administrator name and verify that Student{labid} organization group is selected from the Organization Group drop-down menu.

  4. In the navigation pane at the top, select Security. Then, under Compliance, click Compliance Policies.

  5. Click Add.

    • The Add Compliance Policy dialog box appears.

  6. Select Windows.

  7. For Device Type, select Windows.

    • The current values of the rule are MDM Terms of Use Acceptance, Not Within, 4, and Hours.

  8. Change the values of the rule to Device Last Seen, Not Within, 2, and Days.

  9. Click Next.

  10. Configure the settings on the Actions tab.

  11. From the Action drop-down menu, select Notify.

  12. From the Action Item drop-down menu, select Send Email to Administrator.

  13. Enter [email protected] in the To text box.

  14. Click Next.

  15. Click the Smart Group search box and select Windows Desktop Devices.

  16. Click Next.

  17. Click Finish & Activate.
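The rule configured above marks a device non-compliant when its last check-in is not within 2 days, and the Notify action emails the administrator. As an added example (not part of the lab or of Workspace ONE UEM's own compliance engine), the following Python script applies that rule to a constructed device inventory and builds the resulting notifications, handling the cases the console has to decide on: a device that never checked in, a timestamp without a time zone, and a check-in exactly on the 2-day boundary. The device record fields, the platform value standing in for the Windows Desktop Devices smart group, the placeholder administrator address and the fixed reference time are assumptions of this example.

```python
"""Evaluate the lab compliance rule "Device Last Seen, Not Within, 2, Days".

Added example, not part of the lab or of Workspace ONE UEM. It applies the rule
from Task 10 to a constructed device inventory and returns the devices for which
the Notify action (Send Email to Administrator) would fire.
"""
from datetime import datetime, timedelta, timezone

RULE_WINDOW = timedelta(days=2)            # Device Last Seen, Not Within, 2, Days
SMART_GROUP = "WindowsDesktop"             # constructed stand-in for "Windows Desktop Devices"
ADMIN_EMAIL = "admin@example.invalid"      # placeholder for the address entered in step 13
NOW = datetime(2025, 6, 10, 12, 0, tzinfo=timezone.utc)  # fixed reference time (assumption)

# Constructed inventory: last_seen is an ISO-8601 string or None (enrolled, never checked in).
DEVICES = [
    {"name": "WIN11-01", "platform": "WindowsDesktop", "last_seen": "2025-06-10T09:00:00+00:00"},
    {"name": "WIN11-02", "platform": "WindowsDesktop", "last_seen": "2025-06-08T12:00:00+00:00"},
    {"name": "WIN11-03", "platform": "WindowsDesktop", "last_seen": "2025-06-07T23:30:00+00:00"},
    {"name": "WIN11-04", "platform": "WindowsDesktop", "last_seen": None},
    {"name": "WIN11-05", "platform": "WindowsDesktop", "last_seen": "2025-06-09T02:00:00"},
    {"name": "SRV-01",   "platform": "WindowsServer",  "last_seen": "2025-06-01T00:00:00+00:00"},
]

def parse_last_seen(value):
    """Parse the timestamp; a value without a time zone is assumed to be UTC."""
    if value is None:
        return None
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def last_seen_within(last_seen, now=NOW, window=RULE_WINDOW) -> bool:
    """True if the device checked in within the window; never-seen counts as outside it."""
    ts = parse_last_seen(last_seen)
    # Exactly 2 days ago still counts as "within"; anything older is non-compliant.
    return ts is not None and now - ts <= window

def evaluate_policy(devices, now=NOW):
    """Names of assigned (smart group) devices that violate the rule."""
    return [d["name"] for d in devices
            if d["platform"] == SMART_GROUP and not last_seen_within(d["last_seen"], now)]

def notify_actions(devices, now=NOW):
    """Build the Send Email to Administrator action for each non-compliant device."""
    return [{"to": ADMIN_EMAIL, "subject": f"Device {n} non-compliant: last seen not within 2 days"}
            for n in evaluate_policy(devices, now)]

if __name__ == "__main__":
    for action in notify_actions(DEVICES):
        print(action)
```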
