From c55a00bb51aa7d460ae10cedc9dcdef8765af4fd Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 1 Mar 2024 14:51:14 -0500 Subject: [PATCH] Update AssignedAccess configuration and kiosk app guidelines --- .../mdm/assignedaccess-csp.md | 1 - .../assigned-access/configuration-file.md | 326 +++++------------- .../configuration/assigned-access/index.md | 7 - .../configuration/assigned-access/overview.md | 6 +- .../shell-launcher/configuration-file.md | 2 +- 5 files changed, 98 insertions(+), 244 deletions(-) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 384ec929cb..8eb4ded4db 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -15,7 +15,6 @@ The AssignedAccess configuration service provider (CSP) is used to configure a k To learn more about how to configure Assigned Access, see [Configure kiosks and restricted user experiences](/windows/configuration/assigned-access). -Test relative link: [Configure kiosks and restricted user experiences](../../configuration/assigned-access/index.md) diff --git a/windows/configuration/assigned-access/configuration-file.md b/windows/configuration/assigned-access/configuration-file.md index ffc1de6ba9..8c65d99402 100644 --- a/windows/configuration/assigned-access/configuration-file.md +++ b/windows/configuration/assigned-access/configuration-file.md 
@@ -51,7 +51,7 @@ The Assigned Access configuration XML is versioned. The version is defined in th |Windows 10|`rs5`|`http://schemas.microsoft.com/AssignedAccess/201810/config`| |Windows 10|default|`http://schemas.microsoft.com/AssignedAccess/2017/config`| -To authorize a compatible configuration XML that includes version-specific elements and attributes, always include the namespace of the add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the `StartPins` feature that was added in Windows 11, version 22H2, use the below example. Notice the alias `v5` associated to the `http://schemas.microsoft.com/AssignedAccess/2022/config` namespace for 22H2 release, and the alias is tagged on `StartPins` inline. +To authorize a compatible configuration XML that includes version-specific elements and attributes, always include the namespace of the add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the `StartPins` feature that was added in Windows 11, version 22H2, use the below example. Note the alias `v5` associated to the `http://schemas.microsoft.com/AssignedAccess/2022/config` namespace for 22H2 release, and the alias is tagged on `StartPins` inline. ```xml @@ -77,7 +77,7 @@ Here you can find the Assigned Access XML schema definitions: [Assigned Access X ## Profiles -A configuration file can contain one or more profiles. Each profile is identified by a unique identified `Profile Id` and, optionally, a `Name`. For example: +A configuration file can contain one or more profiles. Each profile is identified by a unique identifier `Profile Id` and, optionally, a `Name`. For example: ```xml 
@@ -132,8 +132,8 @@ Within the `AllAppList` node you define a list of applications that are allowed |-|-|-| |`AppUserModelId`|The Application User Model ID (AUMID) of the UWP app.|Learn how to [Find the Application User Model ID of an installed app](../store/find-aumid.md).| |`DesktopAppPath`|The full path to a desktop app executable.|This is the path to the desktop app that will be used in the kiosk mode. The path can contain system environment variables in the form of `%variableName%`.| -|`rs5:AutoLaunch="true"`|A Boolean attribute to indicate whether to launch the app automatically when the user signs in.|This property is optional. Only one application is allowed to be auto-launched.| -|`rs5:AutoLaunchArguments`|The arguments to be passed to the app that is configured with `AutoLaunch`.|This property is optional.| +|`rs5:AutoLaunch`|A Boolean attribute to indicate whether to launch the app (either desktop or UWP app) automatically when the user signs in.|This property is optional. Only one application is allowed to be auto-launched.| +|`rs5:AutoLaunchArguments`|The arguments to be passed to the app that is configured with `AutoLaunch`.|AutoLaunchArguments are passed to the apps as is and the app needs to handle the arguments explicitly. This property is optional.| Example: 
@@ -149,6 +149,79 @@ Example: ``` +::: zone pivot="windows-10" + +### File Explorer restrictions + +In a restricted user experience (`AllAppList`), folder browsing is locked down by default. You can explicitly allow access to known folders by including the `FileExplorerNamespaceRestrictions` node. + +You can specify user access to Downloads folder, Removable drives, or no restrictions at all. Downloads and Removable Drives can be allowed at the same time. + +```xml + + + + + + + + + + + + + +``` + +Here are some practical examples. + +#### Block everything + +Either don't use the node or leave it empty + +```xml + + +``` + +#### Only allow downloads + +```xml + + + +``` + +#### Only allow removable drives + +```xml + + + +``` + +#### Allow both Downloads, and removable drives + +```xml + + + + +``` + +#### No restrictions, all locations are allowed + +```xml + + + +``` + +> [!TIP] +> To grant access to File Explorer in a restricted user experience, add `Explorer.exe` to the list of allowed apps, and pin a shortcut to the Start menu. + +::: zone-end + ### Start menu customizations For a restricted user experience profile (`AllAppList`), you must define the Start layout. The Start layout contains a list of applications that are pinned to the Start menu. You can choose to pin all the allowed applications to the Start menu, or a subset. The easiest way to create a customized Start layout is to configure the Start menu on a test device and then export the layout. 
@@ -195,23 +268,18 @@ Example with some apps pinned: ``` -> [!NOTE] -> If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen. - ::: zone-end ::: zone pivot="windows-11" To learn how to customize and export a Start menu configuration, see [Customize the Start menu](../start/customize-start-menu-layout-windows-11.md). -### StartPins - -With the exported Start menu configuration, use the `v5:StartPins` element and add the content of the JSON file. For example: +With the exported Start menu configuration, use the `v5:StartPins` element and add the content of the exported JSON file. For example: ```xml + ]]> ``` @@ -232,6 +300,9 @@ Example with some apps pinned: ::: zone-end +> [!NOTE] +> If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen. + ### Taskbar customizations ::: zone pivot="windows-10" @@ -261,11 +332,19 @@ The following example hides the taskbar: You can customize the Taskbar by creating a custom layout and adding it to your XML file. To learn how to customize and export the Taskbar configuration, see [Customize the Taskbar](../taskbar/customize-taskbar-windows-11.md). -With the exported Taskbar configuration, use the `v5:TaskbarLayout` element and add the content of the XML file. For example: - > [!NOTE] > In Windows 11, the `ShowTaskbar` attribute is no-op. Configure it with a value of `true`. +With the exported Taskbar configuration, use the `v5:TaskbarLayout` element and add the content of the XML file. For example: + +```xml + + + ]]> + +``` + Here's an example of a custom Taskbar with a few apps pinned: ```xml 
@@ -294,136 +373,7 @@ Here's an example of a custom Taskbar with a few apps pinned: ::: zone-end - - -::: zone pivot="windows-11" - - - -::: zone-end - -::: zone pivot="windows-10" - -### StartLayout - -### Taskbar - -### FileExplorerNamespaceRestrictions - -::: zone-end - - - -::: zone pivot="windows-11" - -Restricted user experience example: - -```xml - - - - - - - - - - - - - - -``` - -::: zone-end - -::: zone pivot="windows-10" - -Restricted user experience example: - -```xml - - - - - - - - - - - - - - - -``` - -::: zone-end - -A *profile node* contains the following properties: - -|Property|Description| -|-|-| -|Id|a GUID attribute to uniquely identify the profile| -|AllowedApps|a node with a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Classic Windows desktop apps| -|StartLayout|a node for startlayout policy xml| -|Taskbar|a node with a Boolean attribute ShowTaskbar to indicate whether to show the taskbar| - -```xml - - - - - - - -``` - - -### KioskModeApp - -**KioskModeApp** is used for a kiosk profile only. Enter the AUMID for a single app. You can only specify one kiosk profile in the XML. - -```xml - -``` - -> [!IMPORTANT] -> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information. - -### Auto Launch - -This sample demonstrates that both UWP and Win32 apps can be configured to automatically launch, when Assigned Access account logs in. One profile can have at most one app configured for auto launch. AutoLaunchArguments are passed to the apps as is and the app needs to handle the arguments explicitly. - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - -``` + ## Configs 
@@ -557,97 +507,7 @@ With `GlobalProfile` you can define an Assigned Access profile that is applied t > [!NOTE] > You can combine a global profile with other profiles. If you assign a user a non-global profile, the global profile won't be applied to that user. -::: zone pivot="windows-10" -### File Explorer restrictions - -When using Assigned Access, folder browsing is locked down. You can explicitly allow access to known folders when the user tries to open the file dialog box by including the `FileExplorerNamespaceRestrictions` node. - -You can specify user access to Downloads folder, Removable drives, or no restrictions at all. Downloads and Removable Drives can be allowed at the same time. - -| Property | XML namespace (alias) | -|-|-| -|`FileExplorerNamespaceRestrictions`|`https://schemas.microsoft.com/AssignedAccess/201810/config` (rs5)| -|`AllowedNamespace:Downloads`|`https://schemas.microsoft.com/AssignedAccess/201810/config` (rs5)| -|`AllowRemovableDrives`|`https://schemas.microsoft.com/AssignedAccess/2020/config` (v3)| -|`NoRestriction`|`https://schemas.microsoft.com/AssignedAccess/2020/config` (v3)| - -:::row::: -:::column span="2"::: -#### Scenario -:::column-end::: -:::column span="2"::: -#### XML snippet -:::column-end::: -:::row-end::: -:::row::: -:::column span="2"::: -**Block everything** - -Either don't use the node or leave it empty -:::column-end::: -:::column span="2"::: - -```xml - - -``` -:::column-end::: -:::row-end::: -:::row::: -:::column span="2"::: -**Only allow downloads** -:::column-end::: -:::column span="2"::: -```xml - - - -``` -:::column-end::: -:::row-end::: -:::row::: -:::column span="2"::: -**Only allow removable drives** -:::column-end::: -:::column span="2"::: -```xml - - - -``` -:::column-end::: -:::row-end::: -:::row::: -:::column span="2"::: -**Allow both Downloads, and removable drives** -:::column-end::: -:::column span="2"::: -```xml - - - - -``` -:::column-end::: -:::row-end::: -:::row::: -:::column span="2"::: -**No 
restrictions, all locations are allowed** -:::column-end::: -:::column span="2"::: -```xml - - - -``` -:::column-end::: -:::row-end::: - -> [!TIP] -> To grant access to File Explorer in a restricted user experience, add `Explorer.exe` to the list of allowed apps, and pin a shortcut to the Start menu. - -::: zone-end ## Next steps diff --git a/windows/configuration/assigned-access/index.md b/windows/configuration/assigned-access/index.md index 6b70fe9caa..73265362e4 100644 --- a/windows/configuration/assigned-access/index.md +++ b/windows/configuration/assigned-access/index.md @@ -110,14 +110,7 @@ These locations contain the latest "evaluated" configuration for each sign-in us "HKCU\SOFTWARE\Microsoft\Windows\AssignedAccessConfiguration" (If it doesn't exist, it means no Assigned Access to be enforced for this user.) - -> [!WARNING] -> You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups. - > [!NOTE] > If the application calls `KeyCredentialManager.IsSupportedAsync` when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select an appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again. - - - --> \ No newline at end of file diff --git a/windows/configuration/assigned-access/overview.md b/windows/configuration/assigned-access/overview.md index 677f8390d0..4268d5d2d2 100644 --- a/windows/configuration/assigned-access/overview.md +++ b/windows/configuration/assigned-access/overview.md 
@@ -565,6 +565,8 @@ Follow the [best practices guidance for developing a kiosk app for assigned acce The above guidelines may help you select or develop an appropriate Windows app for your Assigned Access experience. Once you've selected your app, we recommend that you thoroughly test the Assigned Access experience to ensure that your device provides a good customer experience. - > [!NOTE] -> Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it can't revert all the enforced policies (for example, Start Layout). \ No newline at end of file +> Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it can't revert all the enforced policies (for example, Start Layout). + +> [!IMPORTANT] +> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information. diff --git a/windows/configuration/assigned-access/shell-launcher/configuration-file.md b/windows/configuration/assigned-access/shell-launcher/configuration-file.md index 9b4c9ff993..5c0502b1de 100644 --- a/windows/configuration/assigned-access/shell-launcher/configuration-file.md +++ b/windows/configuration/assigned-access/shell-launcher/configuration-file.md 
@@ -50,7 +50,7 @@ The Shell Launcher configuration XML is versioned. The version is defined in the |Windows 10|`V2`|http://schemas.microsoft.com/ShellLauncher/2019/Configuration| |Windows 10|default|http://schemas.microsoft.com/ShellLauncher/2018/Configuration| -To authorize a compatible configuration XML that includes version-specific elements and attributes, always include the namespace of the add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the kiosk application to execute in full screen, use the below example. Notice the alias `V2` associated to `http://schemas.microsoft.com/ShellLauncher/2019/Configuration` namespace, and the alias is tagged on the `AppType` and `AllAppsFullScreen` properties inline. +To authorize a compatible configuration XML that includes version-specific elements and attributes, always include the namespace of the add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the kiosk application to execute in full screen, use the below example. Note the alias `V2` associated to `http://schemas.microsoft.com/ShellLauncher/2019/Configuration` namespace, and the alias is tagged on the `AppType` and `AllAppsFullScreen` properties inline. ```xml
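Review bot: in the configuration-file.md hunk at `@@ -51,7 +51,7 @@`, the sentence being edited reads "To authorize a compatible configuration XML" both before and after the change; the paragraph is about writing the XML with the correct namespace aliases, so the verb should be "author", not "authorize". Since the hunk already touches this sentence to change "Notice" to "Note", fix the verb in the same pass.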
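Review bot: the rewritten `rs5:AutoLaunch` row at `@@ -132,8 +132,8 @@` drops the `="true"` from the property column but nowhere states the accepted literals, so "A Boolean attribute" leaves the reader guessing; suggest `|`rs5:AutoLaunch`|Boolean attribute (`true`/`false`) to indicate whether ...|`. The added clause that `AutoLaunchArguments` "are passed to the apps as is" is the right caveat to carry into the table, and it would be clearer to also say the value is a fixed string in the configuration that the app must parse itself, since that is what "as is" implies for a desktop app launched in a kiosk session.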
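Review bot: the File Explorer restrictions section added at `@@ -149,6 +149,79 @@` loses the namespace table that the old section removed at `@@ -557,97 +507,7 @@` carried, which said `FileExplorerNamespaceRestrictions` and `AllowedNamespace:Downloads` belong to the rs5 (`.../AssignedAccess/201810/config`) namespace while `AllowRemovableDrives` and `NoRestriction` belong to the v3 (`.../AssignedAccess/2020/config`) namespace. Without it the reader cannot tell which alias to put on each element, even though the versioning paragraph at the top of the same file says version-specific elements must be decorated with their namespace alias. Suggest restoring that table under the new heading, using `http://` to match the version table rather than the `https://` the old table used. The new intro also drops the old scope statement that the restriction applies when the user opens a file dialog box; "folder browsing is locked down by default" is vaguer than what it replaces.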
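Review bot: moving the note "If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen" out of the windows-10 zone at `@@ -195,23 +268,18 @@` and re-adding it after both `::: zone-end` markers at `@@ -232,6 +300,9 @@` makes it apply to the Windows 11 section too, but its wording still says "Start layout XML". The Windows 11 section configures pins through `v5:StartPins` with the content of an exported JSON file, not a layout XML. Reword so it covers both, for example "included in the Start layout XML (Windows 10) or the `StartPins` JSON (Windows 11)".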
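Review bot: the index.md hunk at `@@ -110,14 +110,7 @@` removes a closing `-->` as the last line of the file, but no matching `<!--` appears in the hunk. If the opening marker sits further up and is not removed in this patch, the file now ends inside an unterminated HTML comment and everything from that marker on, including the retained `KeyCredentialManager.IsSupportedAsync` note, stops rendering. Confirm the opener is also gone or that this `-->` was stray. Separately, the removed warning that only one single-app kiosk profile can be assigned to a user account and that the single-app profile does not support domain groups is a constraint administrators run into; if dropping it is intentional, check that it is still documented in the live text elsewhere.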
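Review bot: the IMPORTANT note added to overview.md at `@@ -565,6 +565,8 @@` gives the recommendation (a local, non-administrator account) but "could potentially compromise confidential information" does not say what is exposed; spell it out, for example that a kiosk session signed in with a domain or Microsoft Entra account carries that account's access to network resources onto a public-facing device. Also, the retained note directly above it still says "multi-app configuration" while the configuration-file.md hunks in this same patch consistently use "restricted user experience" for the `AllAppList` profile; align the terminology while the note is being touched.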
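Review bot: the shell-launcher configuration-file.md hunk at `@@ -50,7 +50,7 @@` carries the same wording problem as the Assigned Access file: "To authorize a compatible configuration XML" should read "To author a compatible configuration XML", since the paragraph describes how to write the XML with the `V2` namespace alias on `AppType` and `AllAppsFullScreen`. The hunk already edits this sentence, so correct the verb here too.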