An application management agent running on a wireless communications device restricts access to device functionality (e.g., applications and device features) unless the application management agent has determined that a particular configuration profile has been installed on the device (after which the application management agent permits access to device functionality, and an operating system of the device enforces policy settings specified in the configuration profile). The application management agent confirms the presence of the configuration profile by using a validation certificate to validate against a root certificate embedded in a configuration profile installed on the device. The configuration profile is configured to be non-removable, so it cannot be remove or updated, except by another configuration profile signed by the same authority. Validation against the embedded root certificate thereby implicitly confirms the presence of the configuration profile and validates the content of the configuration profile.