Configure Multi-App Kiosk (Custom Launcher UI) on Windows
There are various use cases where IT Admins would like to control the applications that the end users can see and use when using the managed Windows devices. Scalefusion's Multi-app kiosk policy allows IT Admins to configure such policies easily and enables the end users to have a dedicated account on the device which when logged in to provides a view consisting of only the allowed applications.
This document guides you on how to use the Multi-App kiosk mode and its associated features.
Before You Begin
- Make sure to Sign In to Scalefusion Dashboard.
- Windows OS 10 and above - Applicable on Win 10 Pro, Enterprise, Education, or Business Editions with Win 1803 version
- Windows OS 7 and 8.1 and Windows Home (10 & 11) devices should be enrolled with Scalefusion MDM agent for the Multi-App Kiosk feature to work.
- Supported OS and architectures - Windows OS 7, 8.1, 10, 11 32-bit and 64-bit Operating Systems
Configuring a Multi-App Kiosk Policy
- Sign In to Scalefusion and navigate to Device Profiles & Policies > Device Profiles and either create a new Windows device profile or edit an existing device profile.
- The first option/tab in Profile creation wizard is to SELECT APPS. Within this you would be shown the following options,
- Multi-App Kiosk Mode
- App Locker Policy
- Skip Application PolicyThe features which work on both modes, that is, Modern Management and Agent based, are identified by iconography where windows icon is for modern management and Scalefusion icon is for Agent enrolled devices.
No iconography against a feature tab/setting/option would mean it is supported only on modern management.
- Choose the radio button Multi-App Kiosk Mode. This policy offers you the following sub-sections,
- Step 1: Select Mode
- Step 2: Add User Info
- Step 3: Select Apps
- Step 4: General Settings
Step 1: Select Mode
Kiosk mode is offered in two modes. Select the mode how you want to use the device policy, by choosing one of the following options:
- Apply this policy using Windows MDM CSP: Takes into account the Windows MDM CSP to apply this policy and is applicable on Windows 10 & above devices.
- Apply this policy using Scalefusion MDM agent app: Uses Scalefusion MDM agent to apply this policy. In this mode the policy can be applied on all Windows PC operating systems.
- Enable Advanced Protection using App Locker: If checked, it prevents users from launching disallowed applications on MDM managed devices.
Summary of which policy will be applicable based on enrollment method:
Which Multi-app kiosk policy gets applied
On which OS is it applicable
Win 10 Pro & above
Win 10 Pro & above
Win 10 Pro & above
Win 10 Pro & above, Win 7, Win 8.1, and Win Home (10 & 11)
Step 2: Add User Info
This section lets you configure the user account settings, choose the taskbar and folder settings.
- User Account Selection
The Multi-app kiosk mode policy works only for the non-admin user accounts on the device, and this section lets you configure the account settings. Choose from one of the options below,
- Enter Primary Username(Non Admin user): Select this option if you want to apply the policy to an already existing user account on the device. If you have selected this option then configure,
- In the Text field enter the name of the user account on the device. You can also custom properties that you have defined like $device.custompropertyname or $user.custompropertyname to have these values dynamically populated based on the device or user.
- Select User Account Type:
- User is a local account: Select this if the user account is local to the device.
- User is an Azure AD user: Select this if the user is an Azure AD user.
- User is a domain user: Select this if the user is a domain joined user. If you select this please provide the domain name as well.
- AutoCreate Kiosk Account: This option is useful if you want to create a user-agnostic account on the device without any password. Selecting this option creates an un-named account on the device with standard user privileges and the system autologs in to this account on reboot. If you have selected this option you can provide a display name for this account, leaving it blank will assign a Windows generated name.
- Create New Account: This option lets you create a new account with non-admin/standard user privileges on the enrolled device post the enrollment. To enable this, enter the account details as shown below,
- Enter Domain Host Name: Provide the hostname for this PC.
- Enter New Account Name: Provide the name of the account that needs to be created. You can also custom properties that you have defined like $device.custompropertyname or $user.custompropertyname to have these values dynamically populated based on the device or user.
- Enter New Account Password: Provide a default password for these accounts so that the users can login using this and change it as per password policy.
- Enrolled User: With having this selected, the allowed apps policy gets applied only on the enrolled user.For this setting to take effect, you need to remove Local Admin privileges for the enrolled user. This can be done by enabling the setting from Scalefusion Agent Settings
- Non-Admin User Group: With this option, you can apply this policy to all the users belonging to a non-admin group. Enter a user group name where the group should have non-admin privileges. You can also enter custom properties that you have defined like $device.groupname or to have these values dynamically populated based on the device or user.
Once you have configured this step, move to the next step to configure the application policy.
Step 3: Select Apps
Now that you have configured the account settings, it is time to configure the applications that will be allowed for this account. By default this section displays a list with the following options,
- Apps: Displays the overall list of UWP & Win32 applications that have been reported/synced from the managed devices. Scalefusion seeds the default/preloaded UWP apps on a Windows device.
- UWP: Universal Windows Platform applications that run on all Windows platforms
- Win32: Legacy Windows applications that are installed based on architectures
- Type: Displays the type of application, UWP or Win32
- Enable Toggle: Allows you to toggle the enable state of the app. Enable All lets you enable all applications at one go. The applications that are enabled are the ones that will be visible to end user.
- Visible Toggle: Set up the visibility of allowed apps that is an app that is enabled and can be chosen to be made visible as tile or not. If this is not enabled that means other apps can invoke this app when they need but users don't see a tile. By default visibility is set to ON.
- Edit App Details: Additional details for the Application that will allow Scalefusion to apply this policy.
Use this section to enable the applications that you would want the end users to see on their device. As you enable the applications, you would be asked for the Application details if Scalefusion doesn't have the details yet.
For Scalefusion to allow the applications using Windows protocol, we would need the AUM-ID/App Id for UWP apps and the installed application path for Win32 apps. We have seeded the required details for all the preloaded applications, but for new applications this needs to be by the IT Admin. Follow the steps below to enter the App Details,
- UWP Apps: For the default (inbuilt) apps, the details will be auto-filled whereas the ones that are installed from store, the Edit App details dialog box will show up as soon as you enable the app. Here you will need to enter the App Id. The App Id can be fetched by downloading and running the script on one of the Windows devices where this app is enrolled. Follow the steps below to get the App Id for an application,
- In the App Details dialog box, click on Download Script
- Now logon to the Windows device where this application is installed and transfer/copy the downloaded script file.
- Double click on the file to Run the batch file.
- If asked for UAC, then click on More info and click on Run anyway
- A batch shell will open. Enter the name of your third-party app in the batch script and hit enter key for the App Id to be displayed.
- Once the App Id is displayed, copy this to the App Details dialog on the Dashboard and click Save
- Win32 apps: The Edit App details dialog box will show up as soon as you enable the toggle for the app. Here, enter the path of the file in the Application Path field. Follow the steps below to get the application path of an Win32 app,
- Logon to the Windows device where this application is installed
- Right click on the installed application and click Properties
- Copy everything shown in the Target field excluding the quotes,
- Paste this path on Scalefusion Dashboard, in Application Path field and click Save
Once you have configured the application policy, move to the next step to configure General settings.
Step 4: General Settings
Configure StartUp App
Once you have selected the applications, you can choose one among them to be the start up and also provide the launch arguments. The provided app will be started app at every login and the parameters will be passed to the app.
- Allow Taskbar: Enable this if you want task bar to be visible on the managed Windows device when the user logs in.
Starting in Windows 10, version 1809, you can allow all or explicitly allow some known folders to be accessed when the user tries to open the file explorer. You can choose to,
- Allow All: Allows access to all folders
- Block All: Blocks access to all folders
- Allow following: Allows access to only Downloads folder and/or Removable drives.
Add Win32 app
In Kiosk mode, there are few applications which do not open on Windows devices. Some apps also happen to be services or system apps or device drivers which cannot be allowed as well. If you try to search such apps in Device Profiles to enable, they are not even listed in the apps list. As for eg. a Printer's driver.
In Scalefusion, there is a workaround to identify such apps and add them through Scalefusion Dashboard via Add Win32 app feature where you can explicitly provide the full exe full path of the apps which unblocks/enables the apps.
- Navigate to Device Profiles & Policies > Device Profiles
- Select the Windows Device profile (in which the app has to be added) and Edit it.
- Under Select Apps > Multi-App Kiosk Mode List, go to Select Apps
- Click on button Add Win32 App
- This opens a new dialog box. Enter the following:
- Application Name: Provide some application name (minimum 6 characters)
- App Version: Enter application version
- Application Icon: You can upload an image as icon
- Application Path: Provide the application path. It is the full path of that exe. For eg. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
- Click Save
- Click Next and update the profile.
The application gets added and is available in the list of apps in device profile in Enabled state. When you restart the Windows device, the kiosk mode should work.
End User Experience
Once the end user signs into their managed account gets an experience as shown below
- If you have not provided the correct path for an application then the entire policy will fail and the changes will not reflect on the device.