Customizing your device experience with assigned access Lily Hou Program Manager

Agenda Assigned access overview Create a kiosk in Windows 10 9/17/2018 12:59 PM Agenda Assigned access overview Create a kiosk in Windows 10 Create a shared device in Windows 10 Mobile © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Assigned access overview Microsoft Build 2016 9/17/2018 12:59 PM Assigned access overview Windows 10 Pro Enterprise Education Restrict the device experience for a specific user account to a single universal windows application. Example: Kiosk type single-function devices Mobile Mobile Enterprise Restrict the device experience for one or more functional roles to a curated set of applications and settings. Examples: Corporate owned lockdown devices for single user Corporate owned shared devices for multiple users with different roles © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Assigned access Windows 10 9/17/2018 12:59 PM Assigned access Windows 10 © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Single app kiosk experience 9/17/2018 12:59 PM Single app kiosk experience Assigned access lets you restrict a specific user account to using only one universal windows app. © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Architecture Restrict user to the designated app by launching it above the lock screen. Sign out of assigned access using Ctrl+Alt+Del. Desktop Kiosk app (under lock view) Lock screen app (above lock view) z order low high

Best practices for developing a kiosk app 9/17/2018 12:59 PM Best practices for developing a kiosk app Secure your information Use GetCurrentView().Dispatcher in assigned access mode Provide an interface to exit assigned access (if Ctrl+Alt+Del not possible) Manage app’s lifecycle, secure data for unexpected termination Add windows.aboveLockScreen extension to app’s manifest file to enable choosing from assigned access settings Test end-to-end experience with your app running in assigned access mode ----------------------------------------------------------------------- Do not use MainView.Dispatcher in assigned access mode Do not create new views in assigned access mode MSDN link © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Assigned access Windows 10 Mobile 9/17/2018 12:59 PM Assigned access Windows 10 Mobile © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Customized role-based device experience 9/17/2018 12:59 PM Customized role-based device experience Intended for corporate owned task oriented devices Role is a curated lockdown experience A list of allowed applications & settings pages Action center & Quick actions configuration Start screen layout customization Hardware buttons lockdown/remapping Multiple roles can be defined by IT admin Custom login and role switching experience APIs provide ability to get and set lockdown profiles Enterprise signed application only Not for Windows Store public distribution Can integrate with identity management solution Store associate role Manager role © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Demo Lily Hou Microsoft Build 2016 9/17/2018 12:59 PM © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Architecture

WEHLockdown.xml Overview 9/17/2018 12:59 PM WEHLockdown.xml Overview © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

RoleList XML StartScreenSize available for Default only 9/17/2018 12:59 PM RoleList XML StartScreenSize available for Default only Support same elements as Default except for StartScreenSize Use any GUID generator, just need to be unique within the XML No imposed limit to the number of Roles that can be defined Friendly name for role returned to application through GetLockdownProfileInformation method © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Best practices for creating the XML 9/17/2018 12:59 PM Best practices for creating the XML Start simple and iterate Add comments in your XML Validate with EnterpriseAssignedAccess XSD Allow device reset during development and testing Test using Visual Studio emulator before deploying to physical devices WARNING: The only way to completely remove assigned access settings from your mobile device is to reset or re-flash your device © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Enterprise role login experience Microsoft Build 2016 9/17/2018 12:59 PM Enterprise role login experience Provide a simple and consistent interface for locking down the available applications and tiles on the device for specific user roles defined by the enterprise. Available in the Mobile Extension SDK. Require enterpriseDeviceLockdown capability. Windows.Embedded.DeviceLockdown APIs Class Method Description DeviceLockdownProfile ApplyLockdownProfileAsync Activates the restrictions associated with the specified user role ID. GetCurrentLockdownProfile Gets the user role ID that is currently in use by the device. GetLockdownProfileInformation Gets the information object about a specific user role. GetSupportedLockdownProfiles Gets the list of supported user role IDs. Class Property Description DeviceLockdownProfileInformation Name Gets the user descriptor string of current profile © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Show current sign in status 9/17/2018 12:59 PM Show current sign in status protected override void OnNavigatedTo(NavigationEventArgs e) { try // If the current role is Guid.Empty, then the user is not signed in. Guid currentRole = DeviceLockdownProfile.GetCurrentLockdownProfile(); if (currentRole == Guid.Empty) SignInStatus.Text = "You are not signed in."; canSignOut = false; } else DeviceLockdownProfileInformation currentProfile = DeviceLockdownProfile.GetLockdownProfileInformation(currentRole); SignInStatus.Text = "You are signed in as " + currentProfile.Name; canSignOut = true; SignOutButton.IsEnabled = canSignOut; LoadApplicationUsers(); catch (System.IO.FileNotFoundException) rootPage.NotifyUser("Assigned Access is not configured on this device.", NotifyType.ErrorMessage); © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

List the role names 9/17/2018 12:59 PM private void LoadApplicationUsers() { // Add the available roles. foreach (Guid roleId in DeviceLockdownProfile.GetSupportedLockdownProfiles()) DeviceLockdownProfileInformation profile = DeviceLockdownProfile.GetLockdownProfileInformation(roleId); UserRoles.Items.Add(new ListBoxItem() { Content = profile.Name, Tag = roleId }); } // If there are roles available, then pre-select the first one and enable the Sign In button. if (UserRoles.Items.Count > 0) UserRoles.SelectedIndex = 0; SignInButton.IsEnabled = true; © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Sign in to a role 9/17/2018 12:59 PM private async Task SignInAsync() { // Extract the name and role of the item the user selected. ListBoxItem selectedItem = (ListBoxItem)UserRoles.SelectedItem; string selectedName = (string)selectedItem.Content; Guid selectedRole = (Guid)selectedItem.Tag; // Note that successfully applying the profile will result in the termination of all running apps, including this sample. await DeviceLockdownProfile.ApplyLockdownProfileAsync(selectedRole); } © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

9/17/2018 12:59 PM Sign out of a role private async Task SignOutAsync() { // Apply the Default role, which is represented by Guid.Empty. // The Default role is the one that is used when nobody is signed in. // Note that successfully applying the profile will result in the termination of all running apps, including this sample. await DeviceLockdownProfile.ApplyLockdownProfileAsync(Guid.Empty); } © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

9/17/2018 12:59 PM Appx manifest <?xml version="1.0" encoding="utf-8"?> <Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10" xmlns:mp="http://schemas.microsoft.com/appx/2014/phone/manifest" xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10" xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities" IgnorableNamespaces="uap mp rescap"> . <Dependencies> <TargetDeviceFamily Name="Windows.Mobile" MinVersion="10.0.10240.0" MaxVersionTested="10.0.10586.0" /> </Dependencies> <Capabilities> <rescap:Capability Name="enterpriseDeviceLockdown" /> </Capabilities> </Package> © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Summary Assigned access overview Create a kiosk in Windows 10 Microsoft Build 2016 9/17/2018 12:59 PM Summary Assigned access overview Create a kiosk in Windows 10 Create a shared device in Windows 10 Mobile © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Call to Action Resources and documentation Microsoft Build 2016 9/17/2018 12:59 PM Call to Action Resources and documentation Set up a kiosk on Windows 10 Pro, Enterprise, or Education Kiosk apps for assigned access: Best practices Configure Windows 10 Mobile using Lockdown XML Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise Windows.Embedded.DeviceLockdown namespace Github - Device lockdown with Azure login sample EnterpriseAssignedAccess CSP Report any problems you find, send us feedback and feature request with the Windows Feedback app. Check out session (B861) “Microsoft Vision for IoT: From Windows Devices to Azure” at Build Re-visit Build on Channel 9. Continue your education at Microsoft Virtual Academy online. © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

9/17/2018 12:59 PM © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.