From 157d7770c48a76c093c027148c1b5bb09cdc83e2 Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Wed, 18 Aug 2021 12:08:36 -0700 Subject: [PATCH 1/2] Add AAD cache steps to policy information page --- .../mdm/policy-csp-mixedreality.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 9b9c05d03d..c31db7523d 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -40,6 +40,19 @@ manager: dansimp +Steps to use this policy correctly: + +1. Create a device configuration profile for kiosk targeting Azure AD groups and assign it to HoloLens device(s). +1. Create a custom OMA URI based device configuration that sets this policy value to desired number of days (> 0) and assign it to HoloLens device(s). + 1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays + 1. The value can be between min / max allowed. +1. Enroll HoloLens devices and verify both configurations get applied to the device. +1. Let Azure AD user 1 sign-in when internet is available, once user signs-in and Azure AD group membership is confirmed successfully, cache will be created. +1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days. +1. Steps 4 and 5 can be repeated for any other Azure AD user N. Key point here is that any Azure AD user must sign-in to device using Internet so at least once we can determine that they are member of Azure AD group to which Kiosk configuration is targeted. + +> [!NOTE] +> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned in “disconnected” environments.
From c9643685bb11934569968b084ae6e46b5595312c Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Wed, 18 Aug 2021 12:13:25 -0700 Subject: [PATCH 2/2] score 80 --- windows/client-management/mdm/policy-csp-mixedreality.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index c31db7523d..cdf909411f 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -47,12 +47,12 @@ Steps to use this policy correctly: 1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays 1. The value can be between min / max allowed. 1. Enroll HoloLens devices and verify both configurations get applied to the device. -1. Let Azure AD user 1 sign-in when internet is available, once user signs-in and Azure AD group membership is confirmed successfully, cache will be created. +1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created. 1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days. -1. Steps 4 and 5 can be repeated for any other Azure AD user N. Key point here is that any Azure AD user must sign-in to device using Internet so at least once we can determine that they are member of Azure AD group to which Kiosk configuration is targeted. +1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point here is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted. > [!NOTE] -> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned in “disconnected” environments. +> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments.