Windows 10 Mobile Application Whitelisting
This technical bulletin addresses an issue that will affect customers leveraging application control policies for Windows 10 Mobile device management.
The Windows product team has identified several issues with whitelisting support for applications on Windows 10 Mobile devices. End users may experience a condition in which system and native inbox applications are inadvertently blocked when upgrading or newly enrolling a Windows 10 Mobile device. These applications cannot be reinstalled if they fail during upgrade. A key application affected is the Microsoft Settings app. Without this app, end users will not be able to access settings menus on the device.
- New Windows 10 native (inbox) apps are not installed when migrating from Windows Phone 8.1 to Windows 10 Mobile. This will prevent the Settings application and other Microsoft native applications from being installed, causing the device to enter an unrecoverable state.
- Windows 10 Mobile native applications and the Windows Store are inadvertently blocked when deploying an application control policy.
- Publisher whitelisting rules do not take effect on Windows 10 Mobile devices.
Microsoft has provided additional information about this issue in their knowledge base here.
- On OS upgrade, the native (inbox) applications are migrated to new app IDs and are therefore blocked. The OS does not migrate existing whitelist entries to these new application IDs. Microsoft has identified this as a known issue.
- Device settings menus are applications and require whitelisting. Prior to the upgrade to Windows 10, the settings menu did not require whitelisting. Without specifically whitelisting the settings apps, devices enter an unrecoverable state upon upgrading to Windows 10.
The AirWatch Product team has raised this issue with Microsoft and received the following guidance for working around these issues. Microsoft will be posting a TechNet bulletin in the coming days.
Before deploying Windows 10 Mobile in the customer environment, ensure the solution below is implemented:
- Remove the existing application whitelist policy prior to upgrade.
- Deploy the attached XML (also available here) to all devices prior to upgrade. Please note the XML must be deployed as-is. Failure to whitelist all specified applications may cause the device to enter an unrecoverable state.
- Create a Custom Settings profile targeted to Windows Phone devices in the AirWatch Console.
- Paste the XML from the attached document into the profile.
- Deploy the profile to all Windows Phone 8.1 devices prior to upgrade to Windows 10 Mobile. This profile can also apply to existing Windows 10 Mobile devices.
- Optionally, you can add entries to the XML profile for additional applications that were previously whitelisted. These must be inserted into the XML directly.
If a Windows Phone 8.1 device is upgraded to Windows 10 Mobile without properly whitelisting the necessary apps, the device must be restored with the Software Recovery Tool. Microsoft has provided instructions on utilizing this tool here.
Support Contact Information
If you have additional questions or concerns, please contact Account Services & Support or submit a support ticket through myAirWatch.
The AirWatch Team