--- title: EnterpriseAssignedAccess CSP description: Use the EnterpriseAssignedAccess configuration service provider (CSP) to configure custom layouts on a device. ms.assetid: 5F88E567-77AA-4822-A0BC-3B31100639AA ms.reviewer: manager: dansimp ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman ms.date: 07/12/2017 --- # EnterpriseAssignedAccess CSP The EnterpriseAssignedAccess configuration service provider allows IT administrators to configure settings, such as language and themes, lock down a device, and configure custom layouts on a device. For example, the administrator can lock down a device so that only applications specified in an Allow list are available. Apps not on the Allow list remain installed on the device, but are hidden from view and blocked from launching. > **Note**   The EnterpriseAssignedAccess CSP is only supported in Windows 10 Mobile. For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](/uwp/api/Windows.Embedded.DeviceLockdown.DeviceLockdownProfile). The following shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. ``` ./Vendor/MSFT EnterpriseAssignedAccess ----AssignedAccess --------AssignedAccessXml ----LockScreenWallpaper --------BGFileName ----Theme --------ThemeBackground --------ThemeAccentColorID --------ThemeAccentColorValue ----Clock --------TimeZone ----Locale --------Language ``` The following list shows the characteristics and parameters. **./Vendor/MSFT/EnterpriseAssignedAccess/** The root node for the EnterpriseAssignedAccess configuration service provider. Supported operations are Add, Delete, Get and Replace. **AssignedAccess/** The parent node of assigned access XML. **AssignedAccess/AssignedAccessXml** The XML code that controls the assigned access settings that will be applied to the device. Supported operations are Add, Delete, Get and Replace. The Apps and Settings sections of lockdown XML constitute an Allow list. Any app or setting that is not specified in AssignedAccessXML will not be available on the device to users. The following table describes the entries in lockdown XML. > [!IMPORTANT] > When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an MDM, the XML must use escaped characters, such as \< instead of < because it is embedded in an XML. The examples provided in the topic are formatted for readability. When using the AssignedAccessXml in a provisioning package using the Windows Configuration Designer tool, do not use escaped characters. Entry | Description ----------- | ------------ ActionCenter | You can enable or disable the Action Center (formerly known as Notification Center) on the device. Set to true to enable the Action Center, or set to false to disable the Action Center. ActionCenter | Example: `` ActionCenter | In Windows 10, when the Action Center is disabled, Above Lock notifications and toasts are also disabled. When the Action Center is enabled, the following policies are also enabled; **AboveLock/AllowActionCenterNotifications** and **AboveLock/AllowToasts**. For more information about these policies, see [Policy CSP](policy-configuration-service-provider.md) ActionCenter | You can also add the following optional attributes to the ActionCenter element to override the default behavior: **aboveLockToastEnabled** and **actionCenterNotificationEnabled**. Valid values are 0 (policy disabled), 1 (policy enabled), and -1 (not set, policy enabled). In this example, the Action Center is enabled and both policies are disabled.: `` ActionCenter | These optional attributes are independent of each other. In this example, Action Center is enabled, the notifications policy is disabled, and the toast policy is enabled by default because it is not set. `` StartScreenSize | Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: **Small** - sets the width to 4 columns on device with short axis <400epx or 6 columns on devices with short axis >=400epx. **Large** - sets the width to 6 columns on devices with short axis <400epx or 8 columns on devices with short axis >=400epx. StartScreenSize | If you have existing lockdown XML, you must update it if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. Example: `Large` Application | Provide the product ID for each app that will be available on the device. You can find the product ID for a locally developed app in the AppManifest.xml file of the app. Application | To turn on the notification for a Windows app, you must include the application's AUMID in the lockdown XML. However, the user can change the setting at any time from user interface. Example: `` Application | modern app notification Application | Include PinToStart to display an app on the Start screen. For apps pinned to the Start screen, identify a tile size (small, medium, or large), and a location. The size of a small tile is 1 column x 1 row, a medium tile is 2 x 2, and a large tile is 4 x 2. For the tile location, the first value indicates the column and the second value indicates the row. A value of 0 (zero) indicates the first column, a value of 1 indicates the second column, and so on. Include autoRun as an attribute to configure the application to run automatically. Application example: ```xml Large 0 2 ``` Entry | Description ----------- | ------------ Application | Multiple App Packages enable multiple apps to exist inside the same package. Since ProductIds identify packages and not applications, specifying a ProductId is not enough to distinguish between individual apps inside a multiple app package. Trying to include application from a multiple app package with just a ProductId can result in unexpected behavior. To support pinning applications in multiple app packages, use an AUMID parameter in lockdown XML. The following example shows how to pin both Outlook mail and Outlook calendar. Application example: ```xml Large 1 4 Large 1 6 ``` Entry | Description ----------- | ------------ Folder | A folder should be contained in `` node among with other `` nodes, it shares most grammar with the Application Node, **folderId** is mandatory, **folderName** is optional, which is the folder name displayed on Start. **folderId** is a unique unsigned integer for each folder. Folder example: ```xml Large 0 2 ``` An application that belongs in the folder would add an optional attribute **ParentFolderId**, which maps to **folderId** of the folder. In this case, the location of this application will be located inside the folder. ```xml Medium 0 0 2 ``` Entry | Description ----------- | ------------ Settings | Starting in Windows 10, version 1511, you can specify the following settings pages in the lockdown XML file. For Windows 10, version 1703, see the instructions below for the new way to specify the settings pages.
  • System (main menu) - SettingsPageGroupPCSystem
    • Display - SettingsPageDisplay
    • Notifications & actions - SettingsPageAppsNotifications
    • Phone - SettingsPageCalls
    • Messaging - SettingsPageMessaging
    • Battery saver - SettingsPageBatterySaver
    • Storage - SettingsPageStorageSenseStorageOverview
    • Driving mode - SettingsPageDrivingMode
    • Offline maps - SettingsPageMaps
    • About - SettingsPagePCSystemInfo
    • Apps for websites - SettingsPageAppsForWebsites
  • Devices (main menu) - SettingsPageGroupDevices
    • Default camera - SettingsPagePhotos
    • Bluetooth - SettingsPagePCSystemBluetooth
    • NFC - SettingsPagePhoneNFC
    • Mouse - SettingsPageMouseTouchpad
    • USB - SettingsPageUsb
  • Network and wireless (main menu) - SettingsPageGroupNetwork
    • Cellular and SIM - SettingsPageNetworkCellular
    • Wi-Fi - SettingsPageNetworkWiFi
    • Airplane mode - SettingsPageNetworkAirplaneMode
    • Data usage - SettingsPageDataSenseOverview
    • Mobile hotspot - SettingsPageNetworkMobileHotspot
    • VPN - SettingsPageNetworkVPN
  • Personalization (main menu) - SettingsPageGroupPersonalization
    • Start - SettingsPageBackGround
    • Colors - SettingsPageColors
    • Sounds - SettingsPageSounds
    • Lock screen - SettingsPageLockscreen
    • Glance - SettingsPageGlance
    • Navigation bar - SettingsNavigationBar
  • Accounts (main menu) - SettingsPageGroupAccounts
    • Your account - SettingsPageAccountsPicture
    • Sign-in options - SettingsPageAccountsSignInOptions
    • Work access - SettingsPageWorkAccess
    • Sync your settings - SettingsPageAccountsSync
    • Apps corner* - SettingsPageAppsCorner
    • Email - SettingsPageAccountsEmailApp
  • Time and language (main menu) - SettingsPageGroupTimeRegion
    • Date and time - SettingsPageTimeRegionDateTime
    • Language - SettingsPageTimeLanguage
    • Region - SettingsPageRegion
    • Keyboard - SettingsPageKeyboard
    • Speech - SettingsPageSpeech
  • Ease of access (main menu) - SettingsPageGroupEaseOfAccess
    • Narrator - SettingsPageEaseOfAccessNarrator
    • Magnifier - SettingsPageEaseOfAccessMagnifier
    • High contrast - SettingsPageEaseOfAccessHighContrast
    • Closed captions - SettingsPageEaseOfAccessClosedCaptioning
    • More options - SettingsPageEaseOfAccessMoreOptions
  • Privacy (main menu) - SettingsPageGroupPrivacy
    • Location - SettingsPagePrivacyLocation
    • Camera - SettingsPagePrivacyWebcam
    • Microphone - SettingsPagePrivacyMicrophone
    • Motion - SettingsPagePrivacyMotionData
    • Speech inking and typing - SettingsPagePrivacyPersonalization
    • Account info - SettingsPagePrivacyAccountInfo
    • Contacts - SettingsPagePrivacyContacts
    • Calendar - SettingsPagePrivacyCalendar
    • Messaging - SettingsPagePrivacyMessaging
    • Radios - SettingsPagePrivacyRadios
    • Background apps - SettingsPagePrivacyBackgroundApps
    • Accessory apps - SettingsPageAccessories
    • Advertising ID - SettingsPagePrivacyAdvertisingId
    • Other devices - SettingsPagePrivacyCustomPeripherals
    • Feedback & diagnostics - SettingsPagePrivacySIUFSettings
    • Call history - SettingsPagePrivacyCallHistory
    • Email - SettingsPagePrivacyEmail
    • Phone call - SettingsPagePrivacyPhoneCall
    • Notifications - SettingsPagePrivacyNotifications
    • CDP - SettingsPagePrivacyCDP
  • Update and Security (main menu) - SettingsPageGroupRestore
    • Phone update - SettingsPageRestoreMusUpdate
    • Backup - SettingsPageRestoreOneBackup
    • Find my phone - SettingsPageFindMyDevice
    • For developers - SettingsPageSystemDeveloperOptions
    • Windows Insider Program - SettingsPageFlights
    • Device encryption - SettingsPageGroupPCSystemDeviceEncryption
  • OEM (main menu) - SettingsPageGroupExtensibility
    • Extensibility - SettingsPageExtensibility
Entry | Description ----------- | ------------ Settings | Starting in Windows 10, version 1703, you can specify the settings pages using the settings URI. For example, in place of SettingPageDisplay, you would use ms-settings:display. See [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to find the URI for each settings page. Here is an example for Windows 10, version 1703. ```xml ``` **Quick action settings** Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page). > [!NOTE] > Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. In Windows 10, version 1703, Quick action settings no longer require any dependencies from related group or page.

  • SystemSettings_System_Display_QuickAction_Brightness

    Dependencies - SettingsPageSystemDisplay, SettingsPageDisplay

  • SystemSettings_System_Display_Internal_Rotation

    Dependencies - SettingsPageSystemDisplay, SettingsPageDisplay

  • SystemSettings_QuickAction_WiFi

    Dependencies - SettingsPageGroupNetwork, SettingsPageNetworkWiFi

  • SystemSettings_QuickAction_InternetSharing

    Dependencies - SettingsPageGroupNetwork, SettingsPageInternetSharing

  • SystemSettings_QuickAction_CellularData

    Dependencies - SettingsPageGroupNetwork, SettingsPageNetworkCellular

  • SystemSettings_QuickAction_AirplaneMode

    Dependencies - SettingsPageGroupNetwork, SettingsPageNetworkAirplaneMode

  • SystemSettings_Privacy_LocationEnabledUserPhone

    Dependencies - SettingsGroupPrivacyLocationGlobals, SettingsPagePrivacyLocation

  • SystemSettings_Network_VPN_QuickAction

    Dependencies - SettingsPageGroupNetwork, SettingsPageNetworkVPN

  • SystemSettings_Launcher_QuickNote

    Dependencies - none

  • SystemSettings_Flashlight_Toggle

    Dependencies - none

  • SystemSettings_Device_BluetoothQuickAction

    Dependencies - SettingsPageGroupDevices, SettingsPagePCSystemBluetooth

  • SystemSettings_BatterySaver_LandingPage_OverrideControl

    Dependencies - BatterySaver_LandingPage_SettingsConfiguration, SettingsPageBatterySaver

  • QuickActions_Launcher_DeviceDiscovery

    Dependencies - none

  • QuickActions_Launcher_AllSettings

    Dependencies - none

  • SystemSettings_QuickAction_QuietHours

    Dependencies - none

  • SystemSettings_QuickAction_Camera

    Dependencies - none

Starting in Windows 10, version 1703, Quick action settings no longer require any dependencies from related group or page. Here is the list: - QuickActions_Launcher_AllSettings - QuickActions_Launcher_DeviceDiscovery - SystemSettings_BatterySaver_LandingPage_OverrideControl - SystemSettings_Device_BluetoothQuickAction - SystemSettings_Flashlight_Toggle - SystemSettings_Launcher_QuickNote - SystemSettings_Network_VPN_QuickAction - SystemSettings_Privacy_LocationEnabledUserPhone - SystemSettings_QuickAction_AirplaneMode - SystemSettings_QuickAction_Camera - SystemSettings_QuickAction_CellularData - SystemSettings_QuickAction_InternetSharing - SystemSettings_QuickAction_QuietHours - SystemSettings_QuickAction_WiFi - SystemSettings_System_Display_Internal_Rotation - SystemSettings_System_Display_QuickAction_Brightness In this example, all settings pages and quick action settings are allowed. An empty \ node indicates that none of the settings are blocked. ```xml ``` In this example for Windows 10, version 1511, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names. ```xml ``` Here is an example for Windows 10, version 1703. ```xml ``` Entry | Description ----------- | ------------ Buttons | The following list identifies the hardware buttons on the device that you can lock down in ButtonLockdownList. When a user taps a button that is in the lockdown list, nothing will happen.

  • Start

  • Back

  • Search

  • Camera

  • Custom1

  • Custom2

  • Custom3

> [!NOTE] > Lock down of the Start button only prevents the press and hold event. > > Custom buttons are hardware buttons that can be added to devices by OEMs. Buttons example: ```xml ``` The Search and custom buttons can be remapped or configured to open a specific application. Button remapping takes effect for the device and applies to all users. > [!NOTE] > The lockdown settings for a button, per user role, will apply regardless of the button mapping. > > Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role. To remap a button in lockdown XML, you supply the button name, the button event (typically "press"), and the product ID for the application the button will open. ```xml ``` **Disabling navigation buttons** To disable navigation buttons (such as Home or Back) in lockdown XML, you supply the name (for example, Start) and button event (typically "press"). The following section contains a sample lockdown XML file that shows how to disable navigation buttons. ```xml Large 0 0 Small 2 2 Small ``` Entry | Description ----------- | ------------ MenuItems | Use **DisableMenuItems** to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create. > [!IMPORTANT] > If **DisableMenuItems** is not included in a profile, users of that profile can uninstall apps. MenuItems example: ```xml ``` Entry | Description ----------- | ------------ Tiles | **Turning-on tile manipulation** - By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile. > [!IMPORTANT] > If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile. The following sample file contains configuration for enabling tile manipulation. > [!NOTE] > Tile manipulation is disabled when you don’t have a `` node in lockdown XML, or if you have a `` node but don’t have the `` node. ```xml Large 0 0 Small 2 2 Small ``` Entry | Description ----------- | ------------ CSP Runner | Allows CSPs to be executed on the device per user role. You can use this to implement role specific policies, such as changing the color scheme when an admin logs on the device, or to set configurations per role. **LockscreenWallpaper/** The parent node of the lock screen-related parameters that let administrators query and manage the lock screen image on devices. Supported operations are Add, Delete, Get and Replace. **LockscreenWallpaper/BGFileName** The file name of the lock screen. The image file for the lock screen can be in .jpg or .png format and must not exceed 2 MB. The file name can also be in the Universal Naming Convention (UNC) format, in which case the device downloads it from the shared network and then sets it as the lock screen wallpaper. Supported operations are Add, Get, and Replace. **Theme/** The parent node of theme-related parameters. Supported operations are Add, Delete, Get and Replace. **Theme/ThemeBackground** Indicates whether the background color is light or dark. Set to **0** for light; set to **1** for dark. Supported operations are Get and Replace. **Theme/ThemeAccentColorID** The accent color to apply as the foreground color for tiles, controls, and other visual elements on the device. The following table shows the possible values.
Value Description

0

Lime

1

Green

2

Emerald

3

Teal (Viridian)

4

Cyan (Blue)

5

Cobalt

6

Indigo

7

Violet (Purple)

8

Pink

9

Magenta

10

Crimson

11

Red

12

Orange (Mango)

13

Amber

14

Yellow

15

Brown

16

Olive

17

Steel

18

Mauve

19

Sienna

101 through 104

Optional colors, as defined by the OEM

151

Custom accent color for Enterprise
Supported operations are Get and Replace. **Theme/ThemeAccentColorValue** A 6-character string for the accent color to apply to controls and other visual elements. To use a custom accent color for Enterprise, enter **151** for *ThemeAccentColorID* before *ThemeAccentColorValue* in lockdown XML. *ThemeAccentColorValue* configures the custom accent color using hex values for red, green, and blue, in RRGGBB format. For example, enter FF0000 for red. Supported operations are Get and Replace. **PersistData** Not supported in Windows 10. The parent node of whether to persist data that has been provisioned on the device. **PersistData/PersistProvisionedData** Not supported in Windows 10. Use doWipePersistProvisionedData in [RemoteWipe CSP](remotewipe-csp.md) instead. **Clock/TimeZone/** An integer that specifies the time zone of the device. The following table shows the possible values. Supported operations are Get and Replace.
Value Time zone

0

UTC-12 International Date Line West

100

UTC+13 Samoa

110

UTC-11 Coordinated Universal Time-11

200

UTC-10 Hawaii

300

UTC-09 Alaska

400

UTC-08 Pacific Time (US & Canada)

410

UTC-08 Baja California

500

UTC-07 Mountain Time (US & Canada)

510

UTC-07 Chihuahua, La Paz, Mazatlan

520

UTC-07 Arizona

600

UTC-06 Saskatchewan

610

UTC-06 Central America

620

UTC-06 Central Time (US & Canada)

630

UTC-06 Guadalajara, Mexico City, Monterrey

700

UTC-05 Eastern Time (US & Canada)

710

UTC-05 Bogota, Lima, Quito

720

UTC-05 Indiana (East)

800

UTC-04 Atlantic Time (Canada)

810

UTC-04 Cuiaba

820

UTC-04 Santiago

830

UTC-04 Georgetown, La Paz, Manaus, San Juan

840

UTC-04 Caracas

850

UTC-04 Asuncion

900

UTC-03:30 Newfoundland

910

UTC-03 Brasilia

920

UTC-03 Greenland

930

UTC-03 Montevideo

940

UTC-03 Cayenne, Fortaleza

950

UTC-03 Buenos Aires

960

UTC-03 Salvador

1000

UTC-02 Mid-Atlantic

1010

UTC-02 Coordinated Universal Time-02

1100

UTC-01 Azores

1110

UTC-01 Cabo Verde

1200

UTC Dublin, Edinburgh, Lisbon, London

1210

UTC Monrovia, Reykjavik

1220

UTC Casablanca

1230

UTC Coordinated Universal Time

1300

UTC+01 Belgrade, Bratislava, Budapest, Ljubljana, Prague

1310

UTC+01 Sarajevo, Skopje, Warsaw, Zagreb

1320

UTC+01 Brussels, Copenhagen, Madrid, Paris

1330

UTC+01 West Central Africa

1340

UTC+01 Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

1350

UTC+01 Windhoek

1360

UTC+01 Tripoli

1400

UTC+02 E. Europe

1410

UTC+02 Cairo

1420

UTC+02 Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius

1430

UTC+02 Athens, Bucharest

1440

UTC+02 Jerusalem

1450

UTC+02 Amman

1460

UTC+02 Beirut

1470

UTC+02 Harare, Pretoria

1480

UTC+02 Damascus

1490

UTC+02 Istanbul

1500

UTC+03 Kuwait, Riyadh

1510

UTC+03 Baghdad

1520

UTC+03 Nairobi

1530

UTC+03 Kaliningrad, Minsk

1540

UTC+04 Moscow, St. Petersburg, Volgograd

1550

UTC+03 Tehran

1600

UTC+04 Abu Dhabi, Muscat

1610

UTC+04 Baku

1620

UTC+04 Yerevan

1630

UTC+04 Kabul

1640

UTC+04 Tbilisi

1650

UTC+04 Port Louis

1700

UTC+06 Ekaterinburg

1710

UTC+05 Tashkent

1720

UTC+05 Chennai, Kolkata, Mumbai, New Delhi

1730

UTC+05 Sri Jayawardenepura

1740

UTC+05 Kathmandu

1750

UTC+05 Islamabad, Karachi

1800

UTC+06 Astana

1810

UTC+07 Novosibirsk

1820

UTC+06 Yangon (Rangoon)

1830

UTC+06 Dhaka

1900

UTC+08 Krasnoyarsk

1910

UTC+07 Bangkok, Hanoi, Jakarta

1900

UTC+08 Krasnoyarsk

2000

UTC+08 Beijing, Chongqing, Hong Kong SAR, Urumqi

2010

UTC+09 Irkutsk

2020

UTC+08 Kuala Lumpur, Singapore

2030

UTC+08 Taipei

2040

UTC+08 Perth

2050

UTC+08 Ulaanbaatar

2100

UTC+09 Seoul

2110

UTC+09 Osaka, Sapporo, Tokyo

2120

UTC+10 Yakutsk

2130

UTC+09 Darwin

2140

UTC+09 Adelaide

2200

UTC+10 Canberra, Melbourne, Sydney

2210

UTC+10 Brisbane

2220

UTC+10 Hobart

2230

UTC+11 Vladivostok

2240

UTC+10 Guam, Port Moresby

2300

UTC+11 Solomon Is., New Caledonia

2310

UTC+12 Magadan

2400

UTC+12 Fiji

2410

UTC+12 Auckland, Wellington

2420

UTC+12 Petropavlovsk-Kamchatsky

2430

UTC+12 Coordinated Universal Time +12

2500

UTC+13 Nuku'alofa
**Locale/Language/** The culture code that identifies the language to display on a device, and specifies the formatting of numbers, currencies, time, and dates. For language values, see [Locale IDs Assigned by Microsoft](/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). The language setting is configured in the Default User profile only. > **Note**  Apply the Locale ID only after the corresponding language packs are built into and supported for the OS image running on the device. The specified language will be applied as the phone language and a restart may be required. Supported operations are Get and Replace. ## OMA client provisioning examples The XML examples in this section show how to perform various tasks by using OMA client provisioning. > **Note**  These examples are XML snippets and do not include all sections that are required for a complete lockdown XML file. ### Assigned Access settings The following example shows how to add a new policy. ```xml "/> ``` ### Language The following example shows how to specify the language to display on the device. ```xml ``` ## OMA DM examples These XML examples show how to perform various tasks using OMA DM. ### Assigned access settings The following example shows how to lock down a device. ```xml 2 ./Vendor/MSFT/EnterpriseAssignedAccess/AssignedAccess/AssignedAccessXml