Configure Multi-App Kiosk (Custom Launcher UI) on Windows 10
There are various use cases where IT Admins want to control which applications end users can see and use on managed Windows 10 devices. Scalefusion's App Whitelisting policy lets IT Admins configure such policies easily and gives end users a dedicated account on the device which, once logged in to, shows only the allowed applications.
This document guides you on how to use the Whitelisting App feature and associated features.
Before You Begin
- Make sure to Sign In to Scalefusion Dashboard.
- The managed device must be on Windows 10 Pro, Enterprise, Education or Business edition, on Windows version 1803.
Configuring a Whitelist App Policy
Step 1: Getting Started
- Sign In to Scalefusion and navigate to Device Profiles & Policies > Device Profiles and either create a new Windows device profile or edit an existing device profile.
- The first option/tab in the profile creation wizard is SELECT APPS. Within it you are shown the following options:
- Whitelist Selected Apps
- Blacklist Selected Apps
- Skip Application Policy
- Choose the radio button Whitelist Selected Apps. Whitelisting policy offers you the following sub-sections,
- Step 1: Add User Info
- Step 2: Select Apps
- Step 3: Startup App Settings
Step 1: Add User Info
This section lets you configure the user account settings, choose the taskbar and folder settings.
User Account Selection
The Whitelisting policy works only for the non-admin user accounts on the device, and this section lets you configure the account settings. Choose from one of the options below,
- Enter Primary Username(Non Admin user): Select this option if you want to apply the policy to an already existing user account on the device. If you have selected this option then configure,
- In the text field, enter the name of the user account on the device. You can also use custom properties that you have defined, like $device.custompropertyname or $user.custompropertyname, to have these values dynamically populated based on the device or user.
- Select User Account Type:
- User is a local account: Select this if the user account is local to the device.
- User is an Azure AD user: Select this if the user is an Azure AD user.
- User is a domain user: Select this if the user is a domain joined user. If you select this please provide the domain name as well.
- AutoCreate Kiosk Account: This option is useful if you want to create a user-agnostic account on the device without any password. Selecting this option creates an un-named account on the device with standard user privileges, and the system automatically logs in to this account on reboot. If you have selected this option you can provide a display name for this account; leaving it blank will assign a Windows-generated name.
- Create New Account: This option lets you create a new account with non-admin/standard user privileges on the enrolled device after enrollment. To enable this, enter the account details as shown below,
- Enter Domain Host Name: Provide the hostname for this PC.
- Enter New Account Name: Provide the name of the account that needs to be created. You can also use custom properties that you have defined, like $device.custompropertyname or $user.custompropertyname, to have these values dynamically populated based on the device or user.
- Enter New Account Password: Provide a default password for these accounts so that the users can log in using this and change it as per password policy.
- Allow Taskbar: Enable this if you want the taskbar to be visible on the managed Windows device when the user logs in.
Starting in Windows 10, version 1809, you can allow all or explicitly allow some known folders to be accessed when the user tries to open the file explorer. You can choose to,
- Allow All: Allows access to all folders
- Block All: Blocks access to all folders
- Allow following: Allows access to only Downloads folder and/or Removable drives.
Once you have configured this step, click Next to configure the application policy.
Step 2: Select Apps
Now that you have configured the account settings, it is time to configure the applications that will be allowed for this account. By default this section displays a list with the following options,
- Apps: Displays the overall list of UWP & Win32 applications that have been reported/synced from the managed devices. Scalefusion seeds the default/preloaded UWP apps on a Windows device.
- UWP: Universal Windows Platform applications that run on all Windows platforms
- Win32: Legacy Windows applications that are installed based on architectures
- Type: Displays the type of application, UWP or Win32
- Enable Toggle: Allows you to toggle the enable state of the app. Enable All lets you enable all applications at one go. The applications that are enabled are the ones that will be visible to end user.
- Visible Toggle: Sets whether an allowed (enabled) app is shown as a tile. If this is not enabled, other apps can still invoke this app when they need it, but users don't see a tile. By default visibility is set to ON.
- Edit App Details: Additional details for the Application that will allow Scalefusion to apply this policy.
Use this section to enable the applications that you would want the end users to see on their device. As you enable the applications, you would be asked for the Application details if Scalefusion doesn't have the details yet.
For Scalefusion to whitelist the applications using Windows protocol, we need the AUM-ID/App Id for UWP apps and the installed application path for Win32 apps. We have seeded the required details for all the preloaded applications, but for new applications these need to be entered by the IT Admin. Follow the steps below to enter the App Details,
- UWP Apps: For the default (inbuilt) apps, the details will be auto-filled. For apps installed from the store, the Edit App details dialog box will show up as soon as you enable the app. Here you will need to enter the App Id. The App Id can be fetched by downloading and running the script on one of the Windows devices where this app is installed. Follow the steps below to get the App Id for an application,
- In the App Details dialog box, click on Download Script
- Now logon to the Windows device where this application is installed and transfer/copy the downloaded script file.
- Double click on the file to Run the batch file.
- If asked for UAC, then click on More info and click on Run anyway
- A batch shell will open. Enter the name of your third-party app in the batch script and hit enter key for the App Id to be displayed.
- Once the App Id is displayed, copy this to the App Details dialog on the Dashboard and click Save
- Win32 apps: The Edit App details dialog box will show up as soon as you enable the toggle for the app. Here, enter the path of the file in the Application Path field. Follow the steps below to get the application path of a Win32 app,
- Logon to the Windows device where this application is installed
- Right click on the installed application and click Properties
- Copy everything shown in the Target field excluding the quotes,
- Paste this path on Scalefusion Dashboard, in Application Path field and click Save
Once you have configured the application policy, click Next to configure the startup app settings.
Step 3: Startup App Settings
Once you have selected the applications, you can choose one among them to be the startup app and also provide the launch arguments. The chosen app will be started at every login and the parameters will be passed to the app.
Add Win32 app
In Kiosk mode, there are a few applications which do not open on Windows devices. Some apps are also services, system apps or device drivers, which cannot be whitelisted either. If you search for such apps in Device Profiles to enable them, they are not even listed in the apps list. One example is a printer's driver.
In Scalefusion, there is a workaround for such apps: add them through the Scalefusion Dashboard via the Add Win32 app feature, where you explicitly provide the full path of the app's exe, which unblocks/enables the app.
- Navigate to Device Profiles & Policies > Device Profiles
- Select the Windows Device profile (in which the app has to be added) and Edit it.
- Under Select Apps > Whitelist Selected Apps, go to Select Apps
- Click on button Add Win32 App
- This opens a new dialog box. Enter the following:
- Application Name: Provide some application name (minimum 6 characters)
- App Version: Enter application version
- Application Icon: You can upload an image as icon
- Application Path: Provide the application path. It is the full path of that exe. For example, C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
- Click Save
- Click Next and update the profile.
The application gets added and is available in the list of apps in the device profile in the Enabled state. When you restart the Windows device, the kiosk mode should work.
End User Experience
Once the end user signs in to their managed account, they get an experience as shown below
- If you have not provided the correct path for a whitelisted application, then the entire policy will fail and the changes will not be reflected on the device.
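Because one wrong path fails the whole policy, it helps to check the App Id and Application Path values from Step 2 and from Add Win32 app on a reference device before saving the profile. The PowerShell below is an added example, not Scalefusion's downloadable script; the sample entries, the .lnk location and the function name Resolve-KioskEntry are assumptions made for illustration.

```powershell
# Added example, not Scalefusion code. Run on a device where the apps are installed.
# The entries are constructed samples; replace them with the apps you plan to enable.
$entries = @(
    @{ Type = 'UWP';   Name = 'Calculator' }     # Start menu name of a UWP app
    @{ Type = 'Win32'; Path = '"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"' }
    @{ Type = 'Win32'; Path = "$env:PUBLIC\Desktop\Acrobat Reader DC.lnk" }   # shortcut file
)

function Resolve-KioskEntry {
    param([hashtable]$Entry, [object[]]$StartApps)

    if ($Entry.Type -eq 'UWP') {
        # Get-StartApps lists Start menu apps with their Name and AppID.
        $hits = @($StartApps | Where-Object { $_.Name -like "*$($Entry.Name)*" })
        $status = 'OK'
        if ($hits.Count -eq 0) { $status = 'NOT FOUND' }
        elseif ($hits.Count -gt 1) { $status = "AMBIGUOUS ($($hits.Count) matches)" }
        return [pscustomobject]@{
            Input = $Entry.Name; Value = ($hits.AppID -join '; '); Status = $status
        }
    }

    # Win32: drop the quotes that the Target field shows around the path.
    $path = $Entry.Path.Trim().Trim('"')
    $status = 'OK'
    if ([IO.Path]::GetExtension($path) -eq '.lnk') {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            # Read the target path stored in the shortcut.
            $path = (New-Object -ComObject WScript.Shell).CreateShortcut($path).TargetPath
        } else { $status = 'SHORTCUT NOT FOUND' }
    }
    if ($status -eq 'OK') {
        if (-not [IO.Path]::IsPathRooted($path)) { $status = 'NOT A FULL PATH' }
        elseif (-not (Test-Path -LiteralPath $path -PathType Leaf)) { $status = 'FILE NOT FOUND' }
    }
    [pscustomobject]@{ Input = $Entry.Path; Value = $path; Status = $status }
}

$startApps = Get-StartApps
$report = foreach ($e in $entries) { Resolve-KioskEntry -Entry $e -StartApps $startApps }
$report | Format-Table -AutoSize -Wrap

if (@($report | Where-Object Status -ne 'OK').Count -gt 0) {
    Write-Warning 'Fix the entries above before entering them in the profile.'
}
```

Only rows with Status OK carry a Value that is safe to copy into the App Details dialog; an AMBIGUOUS row lists every matching AppID so the right one can be picked by hand.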