diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 8c6466d2d4..59f79b2a6c 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -7,11 +7,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 07/27/2017 --- # AssignedAccess CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device in the kiosk mode running the application specified in the CSP configuration. @@ -19,8 +21,6 @@ For step-by-step guide for setting up devices to run in kiosk mode, see [Set up > **Note**  The AssignedAccess CSP is only supported in Windows 10 Enterprise and Windows 10 Education. -  - The following diagram shows the AssignedAccess configuration service provider in tree format ![assignedaccess csp diagram](images/provisioning-csp-assignedaccess.png) 
@@ -36,21 +36,29 @@ In Windows 10, version 1607, you can use a provisioned app to configure the kio Here's an example: ``` syntax -{"Account":"redmond\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"} +{"Account":"contoso\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"} ``` When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name. > **Note**  The domain name can be optional if the user name is unique across the system. -  For a local account, the domain name should be the device name. When Get is executed on this node, the domain name is always returned in the output. + The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same. -## Examples +**AssignedAccess/Configuration** +Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Overview of the AssignedAccessConfiguration XML](#overview-of-the-assignedaccessconfiguration-xml). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). +Enterprises can use this to easily configure and manage the curated lockdown experience. + +Supported operations are Add, Get, Delete, and Replace. + +Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies back (e.g. Start Layout). + +## Examples KioskModeApp Add 
@@ -132,11 +140,319 @@ KioskModeApp Replace ``` +## AssignedAccessConfiguration XSD + +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Overview of the AssignedAccessConfiguration XML + +Let's start by looking at the basic structure of the XML file.  + +- A configuration xml can define multiple profiles, each profile has a unique Id and defines a curated set of applications that are allowed to run.  +- A configuration xml can have multiple configs, each config associates a non-admin user account to a default profile Id. +- A profile has no effect if it’s not associated to a user account.    +A profile node has below information:  +- Id: a GUID attribute to uniquely identify the Profile. +- AllowedApps: a node with a list of allowed to run applications, could be UWP apps or desktop apps.  +- StartLayout: a node for startlayout policy xml.  +- Taskbar: a node with a Boolean attribute ShowTaskbar to indicate whether to show taskbar.  + +You can start your file by pasting the following XML (or any other examples in this doc) into a XML editor, and saving the file as filename.xml. + +``` syntax + + +    +        +            +                +                      +            +            +        +    +    +        +            +            +        +    + +```   +### Allowed apps +Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps, which is used to generate the assigned access AppLocker rules.  +- For Windows apps, you need to provide the App User Model ID (AUMID).  + - [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or  + - Get the AUMID via the [Start Layout XML](#start-layout).  
+- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%). +Here are the predefined assigned access AppLocker rules:  +**For UWP apps** +    +1. Default rule is to allow all users to launch the signed package apps.  +2. The package app deny list is generated at run time when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed package apps enterprises defined in the assigned access configuration. This deny list will be used to prevent the user from accessing the apps which are available for the user but not in the allowed list.  +  +> [!Note] +> Assigned access multi-app mode doesn’t block the enterprises or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in back next time, it will be included in the deny list. If this is an enterprise deployed LoB app and you want to allow it running, make sure update the assigned access configuration to include it in the allowed app list.  +  +**For Win32 apps** +1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. Also the rule allows admin user group to launch all desktop programs.  +2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list you defined in the multi-app configuration.  +3. Enterprise defined allowed desktop apps are added in the AppLocker allow list.  
+ +The following example makes Groove Music, Movies & TV, Photos, Weather, Calculator, Paint and Notepad apps allowed to run on the device. + +``` syntax +      +        +          +          +          +          +          +          +          +        +      +``` + +### Start layout + +Once you have defined the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset depending on whether you want the end user to directly access them on the Start.  +  +The easiest way for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout.  + +A few things to note here: + +- The test device on which you customize the Start layout should have the same OS version that is installed on the device you plan to deploy the multi-app assigned access configuration.  +- Since the multi-app assigned access experience is intended for fixed purpose devices, to ensure the device experiences are consistent and predictable, use the full Start layout option instead of the partial Start layout.  +- There are no apps pinned on the taskbar in the multi-app mode, and it is not supported to configure Taskbar layout using the CustomTaskbarLayoutCollection tag in a layout modification XML as part of the assigned access configuration. + +The following example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint and Notepad apps on Start. 
+ +```syntax +      +        +                      +                      +                        +                          +                            +                              +                              +                              +                              +                              +                            +                            +                              +                              +                            +                          +                        +                      +                    +                ]]> +      +``` + +For additional information, see [Customize and export Start layout](https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout) + +### Taskbar + +Define whether you want to have the taskbar present in the kiosk device. For tablet based or touch enabled All-In-One kiosks, when you don’t attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.  +The following example exposes the taskbar to the end user: + +``` syntax +      +``` +The following example hides the taskbar: + +``` syntax +      +``` + +> [!Note] +> This is different with the “Automatically hide the taskbar” option in tablet mode which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting “ShowTaskbar” as “false” will always hide the taskbar.  + +### Profiles and configs + +In the XML file, you define each profile with a GUID. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.  + +``` syntax +  +    +``` + +Under Configs, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, start layout, taskbar configuration as well as other local group policies/MDM policies set as part of the multi-app experience.  
+ +``` syntax +  +    +      MultiAppKioskUser +      +      +``` + +> [!Note] +> - The full multi-app assigned access experience can only work for non-admin users. It’s not supported to associate an admin user with the assigned access profile, doing this in the XML file will result unexpected/unsupported experiences when this admin user signs in.   +> - Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail. + +### Example AssignedAccessConfiguration XML + +``` syntax + + +    +      +        +          +          +          +          +          +          +          +        +      +      +        +                      +                      +                        +                          +                            +                              +                              +                              +                              +                              +                            +                            +                              +                              +                            +                          +                        +                      +                    +                ]]> +      +      +    +    +      MultiAppKioskUser +      +    + +``` diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index f3cb07376f..a5f029da79 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md 
@@ -7,11 +7,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 07/27/2017 --- # AssignedAccess DDF +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML. @@ -20,13 +22,15 @@ You can download the DDF files from the links below: - [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -The XML below is the current version for this CSP. +The XML below is for Windows 10, version 1709. ``` syntax ]> + "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd" + [ + +]> 1.2 
@@ -46,25 +50,52 @@ The XML below is the current version for this CSP. - + com.microsoft/1.1/MDM/AssignedAccess KioskModeApp + - - This node can accept and return json string which comprises of account name and AUMID for Kiosk mode app. + This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app. Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}. When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output. -This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same. +This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same. + + + + + + + + + + + + + + text/plain + + + + + Configuration + + + + + + + + This node accepts an AssignedAccessConfiguration xml as input. Please check out samples and required xsd on MSDN. diff --git a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png index 14d49cdd89..df8aa48b95 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png and b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png differ 
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 7740c70323..ff7ed8e468 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -956,6 +956,14 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq
  • DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus
  • DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus
  • + + + +[AssignedAccess CSP](assignedaccess-csp.md) +

    Here are the changes in Windows 10, version 1709.

    +
      +
    • Added Configuration node
    • +
    [Policy CSP](policy-configuration-service-provider.md) @@ -1347,6 +1355,14 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq
  • DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus
  • DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus
  • +
      + + +[AssignedAccess CSP](assignedaccess-csp.md) +

      Here are the changes in Windows 10, version 1709.

      +
        +
      • Added Configuration node
      • +
      [SurfaceHub CSP](surfacehub-csp.md)
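Review bot: in assignedaccess-csp.md hunk `@@ -7,11 +7,13`, the unchanged context line `The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode.` is missing "to" ("is used to set"); since this hunk already rewrites the surrounding lines, fold that fix in rather than leaving the typo for a later PR.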
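Review bot: missing documentation in assignedaccess-csp.md hunk `@@ -36,21 +36,29`: the new `AssignedAccess/Configuration` text says `Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies back (e.g. Start Layout).` but never says how an administrator returns the device to a clean state. Add a sentence naming which policies persist after Delete (the Start layout, plus the "other local group policies/MDM policies" the Profiles section says are applied with the profile) and the step that clears them, otherwise a kiosk decommissioned via Delete keeps an unexplained lockdown. Also, the relocated `## Examples` heading now covers only the KioskModeApp Add/Replace SyncML; the Configuration node gets a raw `### Example AssignedAccessConfiguration XML` at the end of the topic but no SyncML showing how that XML is carried in the `Data` element. Because this is XML nested inside XML twice (the configuration inside SyncML, and the LayoutModification XML inside `StartLayout`, which the sample closes with `]]>`), an explicit note on CDATA or entity escaping at each level would save readers a failed Add.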
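Review bot: security caveat missing in assignedaccess-csp.md hunk `@@ -132,11 +140,319`, "Allowed apps": desktop apps are allowed by `the full path of the executable, which can contain one or more system environment variables`, and rule 3 states `Enterprise defined allowed desktop apps are added in the AppLocker allow list.` A path-based allow rule permits whatever binary sits at that path, so the text should state that the listed path must be a location the kiosk user cannot write to (the `%systemroot%`/`%windir%` examples are fine; a path under the user's profile is not). The Note that a UWP app installed during the session `will not be in the deny list` until the next sign-in is also a lockdown gap that belongs in the section intro, not only in a callout. Wording: `(i.e. %systemroot%, %windir%)` should be "e.g."; `make sure update the assigned access configuration` needs "to update"; `This is different with the "Automatically hide the taskbar" option` should be "different from"; `will result unexpected/unsupported experiences` needs "result in". Finally, as rendered in this diff the fence under `## AssignedAccessConfiguration XSD` and every `syntax` fence holding an XML sample contain only blank `+` lines; confirm the XML content is actually present in the committed file, since the hunk text promises "Here is the schema".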
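Review bot: inconsistency in assignedaccess-ddf.md hunk `@@ -20,13 +22,15`: the line is changed to `The XML below is for Windows 10, version 1709.` but the download list directly above it still offers only the 1703 and 1607 DDF zips. Either add the 1709 download link or state that the 1709 package is not yet available, so readers don't assume the 1703 zip contains the `Configuration` node.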
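Review bot: the KioskModeApp description in assignedaccess-ddf.md hunk `@@ -46,25 +50,52` uses a different JSON key than the CSP topic in this same PR. The DDF says `Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}` while assignedaccess-csp.md says `{"Account":"contoso\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"}`; only one of `User` and `Account` can be what the CSP parses, and an admin copying the wrong one gets a failing Add/Replace with no obvious cause. Align both files on the real key. Two smaller points in the same hunk: the edit `comprises of account name, and AUMID` only adds a comma, whereas the problem is "comprises of" (use "consists of" or "comprises"); and the new Configuration node description `This node accepts an AssignedAccessConfiguration xml as input. Please check out samples and required xsd on MSDN.` should point at the AssignedAccess CSP topic and its `AssignedAccessConfiguration XSD` section rather than "MSDN" generally.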
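Review bot: the changelog entries added in new-in-windows-mdm-enrollment-management.md hunks `@@ -956,6 +956,14` and `@@ -1347,6 +1355,14` read only `Added Configuration node`, which tells a reader scanning the 1709 changes nothing about what the node does. Add a clause such as "accepts an AssignedAccessConfiguration XML to configure multi-app kiosk lockdown" so the entry matches the CSP topic; repeating the entry in both sections follows the file's existing pattern (the DeviceStatus items appear in both), so that part is fine.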