Configure Multi-App Kiosk (Custom Launcher UI) on Windows 10

There are various use cases where IT Admins want to control which applications end users can see and use on managed Windows 10 devices. Scalefusion's App Whitelisting policy lets IT Admins configure such policies easily and gives end users a dedicated account on the device which, when logged in to, shows only the allowed applications.

This document guides you on how to use the Whitelisting App feature and associated features.

This policy can be applied only to a non-admin user/account on the device.

Before You Begin

  1. Make sure you are signed in to the Scalefusion Dashboard.
  2. The managed device must be on Windows 10 Pro, Enterprise, Education or Business edition with version 1803.

Configuring a Whitelist App Policy

Step 1: Getting Started

  1. Sign In to Scalefusion and navigate to Device Management > Device Profiles and either create a new Windows device profile or edit an existing device profile.
  2. The first option/tab in the profile creation wizard is SELECT APPS. Within this you are shown the following options:
    1. Whitelist Selected Apps
    2. Blacklist Selected Apps
    3. Skip Application Policy
  3. Choose the radio button Whitelist Selected Apps. The Whitelisting policy offers you the following sub-sections:
    1. Step 1: Add User Info
    2. Step 2: Select Apps
    3. Step 3: Startup App Settings

Step 1: Add User Info

This section lets you configure the user account settings and choose the taskbar and folder settings.

User Account Selection

The Whitelisting policy works only for the non-admin user accounts on the device, and this section lets you configure the account settings. Choose from one of the options below,

  1. Enter Primary Username(Non Admin user): Select this option if you want to apply the policy to an already existing user account on the device. If you have selected this option then configure,
    1. In the text field, enter the name of the user account on the device. You can also use custom properties that you have defined, like $device.custompropertyname or $user.custompropertyname, to have these values dynamically populated based on the device or user.
    2. Select User Account Type:
      1. User is a local account: Select this if the user account is local to the device.
      2. User is an Azure AD user: Select this if the user is an Azure AD user.
      3. User is a domain user: Select this if the user is a domain joined user. If you select this please provide the domain name as well.
If you have selected a local account and the user does not exist, the policy won't be applied. For other account types, the PC must be Azure AD or domain joined for the policy to work.
  2. AutoCreate Kiosk Account: This option is useful if you want to create a user-agnostic account on the device without any password. Selecting this option creates an unnamed account on the device with standard user privileges, and the system automatically logs in to this account on reboot. If you have selected this option, you can provide a display name for this account; leaving it blank will assign a Windows-generated name.
  3. Create New Account: This option lets you create a new account with non-admin/standard user privileges on the enrolled device after enrollment. To enable this, enter the account details as shown below:
    1. Enter Domain Host Name: Provide the hostname for this PC.
    2. Enter New Account Name: Provide the name of the account that needs to be created. You can also use custom properties that you have defined, like $device.custompropertyname or $user.custompropertyname, to have these values dynamically populated based on the device or user.
    3. Enter New Account Password: Provide a default password for these accounts so that the users can log in using it and change it as per the password policy.

Display Settings

  1. Allow Taskbar: Enable this if you want the taskbar to be visible on the managed Windows device when the user logs in.

Folder Restrictions

Starting in Windows 10, version 1809, you can allow all or explicitly allow some known folders to be accessed when the user tries to open the file explorer. You can choose to,

  • Allow All: Allows access to all folders
  • Block All: Blocks access to all folders
  • Allow following: Allows access to only Downloads folder and/or Removable drives.

This feature lets you restrict access to File Explorer on the managed device for the end user.

Once you have configured this step, click Next to configure the application policy.

Step 2: Select Apps

Now that you have configured the account settings, it is time to configure the applications that will be allowed for this account. By default this section displays a list with the following options,

  • Apps: Displays the overall list of UWP & Win32 applications that have been reported/synced from the managed devices. Scalefusion seeds the default/preloaded UWP apps on a Windows device.
    • UWP: Universal Windows Platform applications that run on all Windows platforms
    • Win32: Legacy Windows applications that are installed based on architectures
  • Type: Displays the type of application, UWP or Win32
  • Enable Toggle: Allows you to toggle the enable state of the app. Enable All lets you enable all applications at one go. The applications that are enabled are the ones that will be visible to end user.
    • Edit App Details: Additional details for the Application that will allow Scalefusion to apply this policy.

Use this section to enable the applications that you would want the end users to see on their device. As you enable the applications, you would be asked for the Application details if Scalefusion doesn't have the details yet.

For Scalefusion to whitelist the applications using Windows protocol, we need the AUM-ID/App Id for UWP apps and the installed application path for Win32 apps. We have seeded the required details for all the preloaded applications, but for new applications these details need to be entered by the IT Admin. Follow the steps below to enter the App Details:

  • UWP Apps: For the default (inbuilt) apps, the details are auto-filled, whereas for apps installed from the Store, the Edit App Details dialog box shows up as soon as you enable the app. Here you need to enter the App Id. The App Id can be fetched by downloading and running the script on one of the Windows devices where this app is installed. Follow the steps below to get the App Id for an application:
    • In the App Details dialog box, click on Download Script.
    • Now log on to the Windows device where this application is installed and transfer/copy the downloaded script file.
    • Double-click the file to run the batch file.
    • If asked for UAC, click on More info and then click on Run anyway.
    • A batch shell will open. Enter the name of your third-party app in the batch script and press the Enter key for the App Id to be displayed.
    • Once the App Id is displayed, copy it to the App Details dialog on the Dashboard and click Save.

You can choose to update the Application Name and upload an Application icon, for your own reference. These values have no impact on the Device policy.

  • Win32 apps: The Edit App Details dialog box shows up as soon as you enable the toggle for the app. Here, enter the path of the file in the Application Path field. Follow the steps below to get the application path of a Win32 app:
    • Log on to the Windows device where this application is installed.
    • Right-click the installed application and click Properties.
    • Copy everything shown in the Target field, excluding the quotes.
    • Paste this path on the Scalefusion Dashboard, in the Application Path field, and click Save.

While updating the app details, select the Set this as default path for all profiles checkbox to store this path at the account level. It then becomes the default for all new device profiles you create whenever you enable this particular app.

Once you have configured the application policy, click Next to configure the startup app settings.

Step 3: Startup App Settings

Once you have selected the applications, you can choose one among them to be the startup app and also provide the launch arguments. The chosen app will be started at every login and the parameters will be passed to the app.

Note that handling the launch parameters is dependent on the application.

Note that any changes done to the Whitelisting Select Apps policy will reflect when the user logs in the next time.

End User Experience

Once the end user signs in to their managed account, they get an experience as shown below.

Known Behavior

  1. If you have not provided the correct path for a Whitelisted application then the entire policy will fail and the changes will not reflect on the device.
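
Because a single wrong entry makes the whole policy fail, the App Ids and application paths collected in Step 2 can be checked on a reference device before the profile is saved. The following PowerShell is an added example, not a Scalefusion script: the two lists are constructed sample values, the function names are hypothetical, and it relies only on the built-in Get-StartApps and Test-Path cmdlets.

```powershell
# Added example: run on a reference device, in the session of the user the policy targets.
# Both lists are constructed sample values; replace them with the entries from your profile.
$Win32Paths = @(
    'C:\Windows\System32\notepad.exe',
    'C:\Program Files\Example App\example.exe'   # hypothetical application path
)
$UwpAppIds = @(
    'Microsoft.WindowsCalculator_8wekyb3d8bbwe!App'
)

# Get-StartApps lists the Start menu apps of the current user with their AppID.
$installed = Get-StartApps

function Test-KioskWin32Path {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    # The Target field is copied without quotes; strip any that slipped in.
    $clean = $Path.Trim().Trim('"')
    $found = Test-Path -LiteralPath $clean -PathType Leaf
    # An allowed executable below C:\Users deserves a second look at its ACL.
    $note = if ($clean -like "$env:SystemDrive\Users\*") {
        'under a user profile: confirm the standard user cannot write here'
    } else { '' }
    [pscustomobject]@{ Kind = 'Win32'; Id = $clean; Found = $found; Note = $note }
}

function Test-KioskUwpAppId {    # hypothetical helper name
    param([Parameter(Mandatory)][string]$AppId)
    $app  = $installed | Where-Object { $_.AppID -eq $AppId } | Select-Object -First 1
    $note = if ($app) { $app.Name } else { 'not in Get-StartApps output for this user' }
    [pscustomobject]@{ Kind = 'UWP'; Id = $AppId; Found = [bool]$app; Note = $note }
}

$results = @($Win32Paths | ForEach-Object { Test-KioskWin32Path -Path $_ }) +
           @($UwpAppIds  | ForEach-Object { Test-KioskUwpAppId -AppId $_ })
$results | Format-Table -AutoSize -Wrap

# One unresolved entry is enough for the whole policy to fail on the device.
if ($results.Found -contains $false) {
    Write-Warning 'At least one entry did not resolve; correct it before saving the profile.'
}
```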

