build 2016 - p508 - customizing your device experience with assigned access
TRANSCRIPT
Windows 10Pro
Enterprise
Education
Restrict the device experience for a specific user account to a
single universal windows application.
Example:
• Kiosk type single-function devices
Windows 10Mobile
Mobile Enterprise
Restrict the device experience for one or more functional roles to
a curated set of applications and settings.
Examples:
• Kiosk type single-function devices
• Corporate owned lockdown devices for single user
• Corporate owned shared devices for multiple users with different roles
Assigned access lets you restrict a specific user account to using only one universal windows app.
Desktop
Kiosk app
(under lock view)
Lock screen app
Kiosk app
(above lock view)
z order
low
high
• Secure
• Use
• Provide
• Manage
• Add
• Test
• Do not
• Do not MSDN link
Intended for corporate owned task oriented devices
Role is a curated lockdown experience
Multiple roles can be defined by IT admin
Custom login and role switching experience
• Start simple
• Add comments
• Validate
• Allow device reset
• Test
Class Method Description
DeviceLockdownProfile ApplyLockdownProfileAsync Activates the restrictions
associated with the
specified user role ID.
GetCurrentLockdownProfile Gets the user role ID
that is currently in use
by the device.
GetLockdownProfileInformation Gets the information
object about a specific
user role.
GetSupportedLockdownProfiles Gets the list of
supported user role IDs.
Class Property Description
DeviceLockdownProfileInformation Name Gets the user descriptor string of
current profile
Windows.Embedded.DeviceLockdown APIs
protected override void OnNavigatedTo(NavigationEventArgs e)
{
try
{
// If the current role is Guid.Empty, then the user is not signed in.
Guid currentRole = DeviceLockdownProfile.GetCurrentLockdownProfile();
if (currentRole == Guid.Empty)
{
SignInStatus.Text = "You are not signed in.";
canSignOut = false;
}
else
{
DeviceLockdownProfileInformation currentProfile = DeviceLockdownProfile.GetLockdownProfileInformation(currentRole);
SignInStatus.Text = "You are signed in as " + currentProfile.Name;
canSignOut = true;
}
SignOutButton.IsEnabled = canSignOut;
LoadApplicationUsers();
}
catch (System.IO.FileNotFoundException)
{
rootPage.NotifyUser("Assigned Access is not configured on this device.", NotifyType.ErrorMessage);
}
}
private void LoadApplicationUsers()
{
// Add the available roles.
foreach (Guid roleId in DeviceLockdownProfile.GetSupportedLockdownProfiles())
{
DeviceLockdownProfileInformation profile = DeviceLockdownProfile.GetLockdownProfileInformation(roleId);
UserRoles.Items.Add(new ListBoxItem() { Content = profile.Name, Tag = roleId });
}
// If there are roles available, then pre-select the first one and enable the Sign In button.
if (UserRoles.Items.Count > 0)
{
UserRoles.SelectedIndex = 0;
SignInButton.IsEnabled = true;
}
}
private async Task SignInAsync()
{
// Extract the name and role of the item the user selected.
ListBoxItem selectedItem = (ListBoxItem)UserRoles.SelectedItem;
string selectedName = (string)selectedItem.Content;
Guid selectedRole = (Guid)selectedItem.Tag;
// Note that successfully applying the profile will result in the termination of all running apps, including this sample.
await DeviceLockdownProfile.ApplyLockdownProfileAsync(selectedRole);
}
private async Task SignOutAsync()
{
// Apply the Default role, which is represented by Guid.Empty.
// The Default role is the one that is used when nobody is signed in.
// Note that successfully applying the profile will result in the termination of all running apps, including this sample.
await DeviceLockdownProfile.ApplyLockdownProfileAsync(Guid.Empty);
}
<?xml version="1.0" encoding="utf-8"?>
<Package
xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
xmlns:mp="http://schemas.microsoft.com/appx/2014/phone/manifest"
xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"
IgnorableNamespaces="uap mp rescap">
.
.
.
<Dependencies>
<TargetDeviceFamily Name="Windows.Mobile" MinVersion="10.0.10240.0" MaxVersionTested="10.0.10586.0" />
</Dependencies>
.
.
.
<Capabilities>
<rescap:Capability Name="enterpriseDeviceLockdown" />
</Capabilities>
</Package>
Set up a kiosk on Windows 10 Pro, Enterprise, or Education
Kiosk apps for assigned access: Best practices
Configure Windows 10 Mobile using Lockdown XML
Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise
Windows.Embedded.DeviceLockdown namespace
Github - Device lockdown with Azure login sample
EnterpriseAssignedAccess CSP
Channel 9
Microsoft Virtual Academy