deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 10:53:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merged PR 8630: Update instructions for Kiosk Browser

Browse Source
This commit is contained in:
Jeanie Decker
2018-05-30 21:12:13 +00:00
parent 20e657c653
commit 78b25d3167
3 changed files with 70 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
windows/configuration/change-history-for-configure-windows-10.md
View File

@ -10,7 +10,7 @@ ms.localizationpriority: high
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.date: 05/25/2018
ms.date: 05/31/2018
---
# Change history for Configure Windows 10
@ -23,6 +23,7 @@ New or changed topic | Description
--- | ---
[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Added note that Wi-Fi Sense is no longer available.
Topics about Windows 10 diagnostic data | Moved to [Windows Privacy](https://docs.microsoft.com/windows/privacy/).
[Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | Added information on Kiosk Browser settings and URL filtering.
[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Added details of event log entries to check for when customization is not applied as expected.
[Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) | Added Active Directory domain account to provisioning method.

70
windows/configuration/guidelines-for-assigned-access-app.md
View File

@ -9,7 +9,7 @@ author: jdeckerms
ms.localizationpriority: high
ms.author: jdecker
ms.topic: article
ms.date: 04/30/2018
ms.date: 05/31/2018
---
# Guidelines for choosing an app for assigned access (kiosk mode)
@ -45,8 +45,6 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t
In Windows 10, version 1803, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but arent allowed to go to a competitor's website.
>[!NOTE]
>Kiosk Browser app is coming soon to Microsoft Store for Business.
**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education).
@ -54,6 +52,72 @@ In Windows 10, version 1803, you can install the **Kiosk Browser** app from Micr
2. [Deploy **Kiosk Browser** to kiosk devices.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps)
3. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](provisioning-packages/provisioning-create-package.md).
>[!NOTE]
>If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE).
#### Kiosk Browser settings
Kiosk Browser settings | Use this setting to
--- | ---
Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.<br><br>For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs.
Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.<br><br>If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list.
Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL.
Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL.
Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL.
Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser.
Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction.
>[!TIP]
>To enable the **End Session** button for Kiosk Browser in Intune, you must [create a custom OMA-URI policy](https://docs.microsoft.com/intune/custom-settings-windows-10) with the following information:
>- OMA-URI: ./Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton
>- Data type: Integer
>- Value: 1
#### Rules for URLs in Kiosk Browser settings
Kiosk Browser filtering rules are based on the [Chromium Project](https://www.chromium.org/Home).
URLs can include:
- A valid port value from 1 to 65,535.
- The path to the resource.
- Query parameters.
Additional guidelines for URLs:
- If a period precedes the host, the policy filters exact host matches only.
- You cannot use user:pass fields.
- When both blocked URL and blocked URL exceptions apply with the same path length, the exception takes precedence.
- The policy searches wildcards (*) last.
- The optional query is a set of key-value and key-only tokens delimited by '&'.
- Key-value tokens are separated by '='.
- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching.
### Examples of blocked URLs and exceptions
The following table describes the results for different combinations of blocked URLs and blocked URL exceptions.
Blocked URL rule | Block URL exception rule | Result
--- | --- | ---
`*` | `contoso.com`<br>`fabrikam.com` | All requests are blocked unless it is to contoso.com, fabrikam.com, or any of their subdomains.
`contoso.com` | `mail.contoso.com`<br>`.contoso.com`<br>`.www.contoso.com` | Block all requests to contoso.com, except for the main page and its mail subdomain.
`youtube.com` | `youtube.com/watch?v=v1`<br>`youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2).
The following table gives examples for blocked URLs.
Entry | Result
--- | ---
`contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com
`https://*` | Blocks all HTTPS requests to any domain.
`mail.contoso.com` | Blocks requests to mail.contoso.com but not to www.contoso.com or contoso.com
`.contoso.com` | Blocks contoso.com but not its subdomains, like contoso.com/docs.
`.www.contoso.com` | Blocks www.contoso.com but not its subdomains.
`*` | Blocks all requests except for URLs in the Blocked URL Exceptions list.
`*:8080` | Blocks all requests to port 8080.
`contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains.
`192.168.1.2` | Blocks requests to 192.168.1.2.
`youtube.com/watch?v=V1` | Blocks youtube video with id V1.
### Other browsers
>[!NOTE]

2
windows/configuration/setup-kiosk-digital-signage.md
View File

@ -38,7 +38,7 @@ Some desktop devices in an enterprise serve a special purpose, such as a PC in t
>[!WARNING]
>For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account.
>
>Assigned access can be configured via Windows Mangement Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
>Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
**Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home.