Configure Multi-App Kiosk (Custom Launcher UI) on Windows

There are various use cases where IT Admins would like to control the applications that the end users can see and use when using the managed Windows devices. Scalefusion's Multi-app kiosk policy allows IT Admins to configure such policies easily and enables the end users to have a dedicated account on the device which when logged in to provides a view consisting of only the allowed applications.

This document guides you on how to use the Multi-App kiosk mode and its associated features.

This policy can be applied only to a non-admin user/account on the device.

Before You Begin

  1. Make sure to Sign In to Scalefusion Dashboard.
  2. Windows OS 10 and above - Applicable on Win 10 Pro, Enterprise, Education, or Business Editions with Win 1803 version
  3. Windows OS 7 and 8.1 and Windows Home (10 & 11) devices should be enrolled with Scalefusion MDM agent for the Multi-App Kiosk feature to work.
  4. Supported OS and architectures - Windows OS 7, 8.1, 10, 11 32-bit and 64-bit Operating Systems

Configuring a Multi-App Kiosk Policy

Getting Started

  1. Sign In to Scalefusion and navigate to Device Profiles & Policies > Device Profiles and either create a new Windows device profile or edit an existing device profile.
  2. The first option/tab in Profile creation wizard is to SELECT APPS. Within this you would be shown the following options,
    1. Multi-App Kiosk Mode
    2. App Locker Policy
    3. Skip Application Policy
      The features which work on both modes, that is, Modern Management and Agent based, are identified by iconography where windows icon is for modern management and Scalefusion icon is for Agent enrolled devices.

      No iconography against a feature tab/setting/option would mean it is supported only on modern management.
  3. Choose the radio button Multi-App Kiosk Mode. This policy offers you the following sub-sections,
    1. Step 1: Select Mode
    2. Step 2: Add User Info
    3. Step 3: Select Apps
    4. Step 4: General Settings

Step 1: Select Mode

Kiosk mode is offered in two modes. Select the mode how you want to use the device policy, by choosing one of the following options:

  • Apply this policy using Windows MDM CSP: Takes into account the Windows MDM CSP to apply this policy and is applicable on Windows 10 & above devices.
  • Apply this policy using Scalefusion MDM agent app: Uses Scalefusion MDM agent to apply this policy. In this mode the policy can be applied on all Windows PC operating systems.
    • Enable Advanced Protection using App Locker: If checked, it prevents users from launching disallowed applications on MDM managed devices.

Summary of which policy will be applicable based on enrollment method:

Enrollment Method

Selected Mode

Which Multi-app kiosk policy gets applied

On which OS is it applicable

Modern Management

Windows CSP

Windows CSP

Win 10 Pro & above

Modern Management

MDM agent

MDM Agent-based

Win 10 Pro & above

Scalefusion Agent

Windows CSP

Windows CSP

Win 10 Pro & above

Scalefusion Agent

MDM agent

MDM Agent-based

Win 10 Pro & above, Win 7, Win 8.1, and Win Home (10 & 11)

Step 2: Add User Info

This section lets you configure the user account settings, choose the taskbar and folder settings.

  1. User Account Selection

The Multi-app kiosk mode policy works only for the non-admin user accounts on the device, and this section lets you configure the account settings. Choose from one of the options below,

  1. Enter Primary Username(Non Admin user): Select this option if you want to apply the policy to an already existing user account on the device. If you have selected this option then configure,
    1. In the Text field enter the name of the user account on the device. You can also custom properties that you have defined like $device.custompropertyname or $user.custompropertyname to have these values dynamically populated based on the device or user.
    2. Select User Account Type:
      1. User is a local account: Select this if the user account is local to the device.
      2. User is an Azure AD user: Select this if the user is an Azure AD user.
      3. User is a domain user: Select this if the user is a domain joined user. If you select this please provide the domain name as well.
If you have selected a Local account and if the user does not exist then the policy won't be applied. For other account types the PC must be Azure AD or domain joined for the policy to work.
  1. AutoCreate Kiosk Account: This option is useful if you want to create a user-agnostic account on the device without any password. Selecting this option creates an un-named account on the device with standard user privileges and the system autologs in to this account on reboot. If you have selected this option you can provide a display name for this account, leaving it blank will assign a Windows generated name.
  2. Create New Account: This option lets you create a new account with non-admin/standard user privileges on the enrolled device post the enrollment. To enable this, enter the account details as shown below,
    1. Enter Domain Host Name: Provide the hostname for this PC.
    2. Enter New Account Name: Provide the name of the account that needs to be created. You can also custom properties that you have defined like $device.custompropertyname or $user.custompropertyname to have these values dynamically populated based on the device or user.
    3. Enter New Account Password: Provide a default password for these accounts so that the users can login using this and change it as per password policy.
  3. Enrolled User: With having this selected, the allowed apps policy gets applied only on the enrolled user.
    For this setting to take effect, you need to remove Local Admin privileges for the enrolled user. This can be done by enabling the setting from Scalefusion Agent Settings
  1. Non-Admin User Group: With this option, you can apply this policy to all the users belonging to a non-admin group. Enter a user group name where the group should have non-admin privileges. You can also enter custom properties that you have defined like $device.groupname or to have these values dynamically populated based on the device or user.
Primary Non-Admin Username, Enrolled User and Create New Account are applicable on Scalefusion MDM agent based devices.

Once you have configured this step, move to the next step to configure the application policy.

Step 3: Select Apps

Now that you have configured the account settings, it is time to configure the applications that will be allowed for this account. By default this section displays a list with the following options,

  • Apps: Displays the overall list of UWP & Win32 applications that have been reported/synced from the managed devices. Scalefusion seeds the default/preloaded UWP apps on a Windows device.
    • UWP: Universal Windows Platform applications that run on all Windows platforms
    • Win32: Legacy Windows applications that are installed based on architectures
  • Type: Displays the type of application, UWP or Win32
  • Enable Toggle: Allows you to toggle the enable state of the app. Enable All lets you enable all applications at one go. The applications that are enabled are the ones that will be visible to end user.
    • Visible Toggle: Set up the visibility of allowed apps that is an app that is enabled and can be chosen to be made visible as tile or not. If this is not enabled that means other apps can invoke this app when they need but users don't see a tile. By default visibility is set to ON.
    • Edit App Details: Additional details for the Application that will allow Scalefusion to apply this policy.

Use this section to enable the applications that you would want the end users to see on their device. As you enable the applications, you would be asked for the Application details if Scalefusion doesn't have the details yet.

On devices enrolled with Scalefusion MDM agent, only Win 32 apps will be launched/shown. No UWP apps will be visible

For Scalefusion to allow the applications using Windows protocol, we would need the AUM-ID/App Id for UWP apps and the installed application path for Win32 apps. We have seeded the required details for all the preloaded applications, but for new applications this needs to be by the IT Admin. Follow the steps below to enter the App Details,

  • UWP Apps: For the default (inbuilt) apps, the details will be auto-filled whereas the ones that are installed from store, the Edit App details dialog box will show up as soon as you enable the app. Here you will need to enter the App Id. The App Id can be fetched by downloading and running the script on one of the Windows devices where this app is enrolled. Follow the steps below to get the App Id for an application,
    • In the App Details dialog box, click on Download Script
    • Now logon to the Windows device where this application is installed and transfer/copy the downloaded script file.
    • Double click on the file to Run the batch file.
    • If asked for UAC, then click on More info and click on Run anyway
    • A batch shell will open. Enter the name of your third-party app in the batch script and hit enter key for the App Id to be displayed.
    • Once the App Id is displayed, copy this to the App Details dialog on the Dashboard and click Save

You can choose to update the Application Name and upload an Application icon, for your own reference. These values have no impact on the Device policy.

  • Win32 apps: The Edit App details dialog box will show up as soon as you enable the toggle for the app. Here, enter the path of the file in the Application Path field. Follow the steps below to get the application path of an Win32 app,
    • Logon to the Windows device where this application is installed
    • Right click on the installed application and click Properties
    • Copy everything shown in the Target field excluding the quotes,
    • Paste this path on Scalefusion Dashboard, in Application Path field and click Save

While updating the app details, select Set this as default path for all profiles checkbox to store this path at account level and becomes the default for all the new device profiles you create whenever you enable this particular app.

Once you have configured the application policy, move to the next step to configure General settings.

Step 4: General Settings

Configure StartUp App

Once you have selected the applications, you can choose one among them to be the start up and also provide the launch arguments. The provided app will be started app at every login and the parameters will be passed to the app.

Note that handling the launch parameters is dependent on the application.
StartUp App is configurable for both agent based and modern management mode of enrollment.
Display Settings
  1. Allow Taskbar: Enable this if you want task bar to be visible on the managed Windows device when the user logs in.
Folder Restrictions

Starting in Windows 10, version 1809, you can allow all or explicitly allow some known folders to be accessed when the user tries to open the file explorer. You can choose to,

  • Allow All: Allows access to all folders
  • Block All: Blocks access to all folders
  • Allow following: Allows access to only Downloads folder and/or Removable drives.
This feature lets you restrict the access to File Explorer on the managed device for the end user.

Note that any changes done to the Multi-app Kiosk mode policy will reflect when the user logs in the next time.

Add Win32 app

In Kiosk mode, there are few applications which do not open on Windows devices. Some apps also happen to be services or system apps or device drivers which cannot be allowed as well. If you try to search such apps in Device Profiles to enable, they are not even listed in the apps list. As for eg. a Printer's driver.

In Scalefusion, there is a workaround to identify such apps and add them through Scalefusion Dashboard via Add Win32 app feature where you can explicitly provide the full exe full path of the apps which unblocks/enables the apps.

  1. Navigate to Device Profiles & Policies > Device Profiles
  2. Select the Windows Device profile (in which the app has to be added) and Edit it.
  3. Under Select Apps > Multi-App Kiosk Mode List, go to Select Apps
  4. Click on button Add Win32 App
  5. This opens a new dialog box. Enter the following:
    1. Application Name: Provide some application name (minimum 6 characters)
    2. App Version: Enter application version
    3. Application Icon: You can upload an image as icon
    4. Application Path: Provide the application path. It is the full path of that exe. For eg. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    5. Click Save
  6. Click Next and update the profile.

The application gets added and is available in the list of apps in device profile in Enabled state. When you restart the Windows device, the kiosk mode should work.

End User Experience

Once the end user signs into their managed account gets an experience as shown below

Known Behavior

  1. If you have not provided the correct path for an application then the entire policy will fail and the changes will not reflect on the device.

How did we do?

Powered by HelpDocs (opens in a new tab)