build 2016 - p508 - customizing your device experience with assigned access

Windows 10Pro

Enterprise

Education

Restrict the device experience for a specific user account to a

single universal windows application.

Example:

• Kiosk type single-function devices

Windows 10Mobile

Mobile Enterprise

Restrict the device experience for one or more functional roles to

a curated set of applications and settings.

Examples:

• Kiosk type single-function devices

• Corporate owned lockdown devices for single user

• Corporate owned shared devices for multiple users with different roles

Assigned access lets you restrict a specific user account to using only one universal windows app.

Desktop

Kiosk app

(under lock view)

Lock screen app

Kiosk app

(above lock view)

z order

low

high

• Secure

• Use

• Provide

• Manage

• Add

• Test

• Do not

• Do not MSDN link

Intended for corporate owned task oriented devices

Role is a curated lockdown experience

Multiple roles can be defined by IT admin

Custom login and role switching experience

• Start simple

• Add comments

• Validate

• Allow device reset

• Test

Class Method Description

DeviceLockdownProfile ApplyLockdownProfileAsync Activates the restrictions

associated with the

specified user role ID.

GetCurrentLockdownProfile Gets the user role ID

that is currently in use

by the device.

GetLockdownProfileInformation Gets the information

object about a specific

user role.

GetSupportedLockdownProfiles Gets the list of

supported user role IDs.

Class Property Description

DeviceLockdownProfileInformation Name Gets the user descriptor string of

current profile

Windows.Embedded.DeviceLockdown APIs

protected override void OnNavigatedTo(NavigationEventArgs e)

{

try

{

// If the current role is Guid.Empty, then the user is not signed in.

Guid currentRole = DeviceLockdownProfile.GetCurrentLockdownProfile();

if (currentRole == Guid.Empty)

{

SignInStatus.Text = "You are not signed in.";

canSignOut = false;

}

else

{

DeviceLockdownProfileInformation currentProfile = DeviceLockdownProfile.GetLockdownProfileInformation(currentRole);

SignInStatus.Text = "You are signed in as " + currentProfile.Name;

canSignOut = true;

}

SignOutButton.IsEnabled = canSignOut;

LoadApplicationUsers();

}

catch (System.IO.FileNotFoundException)

{

rootPage.NotifyUser("Assigned Access is not configured on this device.", NotifyType.ErrorMessage);

}

}

private void LoadApplicationUsers()

{

// Add the available roles.

foreach (Guid roleId in DeviceLockdownProfile.GetSupportedLockdownProfiles())

{

DeviceLockdownProfileInformation profile = DeviceLockdownProfile.GetLockdownProfileInformation(roleId);

UserRoles.Items.Add(new ListBoxItem() { Content = profile.Name, Tag = roleId });

}

// If there are roles available, then pre-select the first one and enable the Sign In button.

if (UserRoles.Items.Count > 0)

{

UserRoles.SelectedIndex = 0;

SignInButton.IsEnabled = true;

}

}

private async Task SignInAsync()

{

// Extract the name and role of the item the user selected.

ListBoxItem selectedItem = (ListBoxItem)UserRoles.SelectedItem;

string selectedName = (string)selectedItem.Content;

Guid selectedRole = (Guid)selectedItem.Tag;

// Note that successfully applying the profile will result in the termination of all running apps, including this sample.

await DeviceLockdownProfile.ApplyLockdownProfileAsync(selectedRole);

}

private async Task SignOutAsync()

{

// Apply the Default role, which is represented by Guid.Empty.

// The Default role is the one that is used when nobody is signed in.

// Note that successfully applying the profile will result in the termination of all running apps, including this sample.

await DeviceLockdownProfile.ApplyLockdownProfileAsync(Guid.Empty);

}

<?xml version="1.0" encoding="utf-8"?>

<Package

xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"

xmlns:mp="http://schemas.microsoft.com/appx/2014/phone/manifest"

xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"

xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"

IgnorableNamespaces="uap mp rescap">

.

.

.

<Dependencies>

<TargetDeviceFamily Name="Windows.Mobile" MinVersion="10.0.10240.0" MaxVersionTested="10.0.10586.0" />

</Dependencies>

.

.

.

<Capabilities>

<rescap:Capability Name="enterpriseDeviceLockdown" />

</Capabilities>

</Package>

Set up a kiosk on Windows 10 Pro, Enterprise, or Education

Kiosk apps for assigned access: Best practices

Configure Windows 10 Mobile using Lockdown XML

Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise

Windows.Embedded.DeviceLockdown namespace

Github - Device lockdown with Azure login sample

EnterpriseAssignedAccess CSP

Channel 9

Microsoft Virtual Academy