Assigned Access \ Kiosk Mode with Microsoft Intune

December 8, 2014 at 8:54 am in Uncategorized by nsienaert

Hi All,

Let’s talk today about Assigned Access, Kiosk Mode, Device LockDown,… whatever you want to call it.

This is typically used where devices are located in a public spot (Kiosk) or for certain Task Work scenarios where only specific Settings or Application(s) are required to be available.

Let’s have a look at how this is reflected in the Intune Console and discuss it per Platform.

iOS:

Start an “iOS Configuration Policy”, and go to the “Kiosk” section. Notice that you have a choice between a “Managed” or a “Store” App.

You can also set a bunch of Device Settings.


Before you start deploying this kind of policy, it is important to realize the following:

– Make sure your device is in Supervised Mode, otherwise Kiosk Policies will be rejected. This prevents a personal device from getting this kind of restriction. To put an iOS device in Supervised Mode you need Apple Configurator, which you can only install on a Mac. This is also the reason why I cannot show you the experience, as I currently don’t have a Mac. :-)

– Make sure the particular Application that you want to allow is installed BEFORE you apply the Kiosk settings.

– To get the device out of the Kiosk state, put it back through Apple Configurator.

Android (KNOX):

Start an “Android Configuration Policy”, and go to the “Kiosk” section. Notice that you have NO choice between a “Managed” or a “Store” App.

You can also set some policies, but compared to iOS you have less choice.


Before you start deploying this kind of policy, it is important to realize the following:

– KNOX does not have a concept of Supervised Mode, so you have to be careful when deploying Kiosk policies. The danger exists that you lock down a personal device through Kiosk mode. It is therefore important to consider carefully how you will deploy this kind of policy, for instance by creating a Device Enrollment Manager and adding it to a User Group which has been created specifically for Kiosk policies.

– Make sure the particular Application that you want to allow is installed BEFORE you apply the Kiosk settings.

– By retiring it from management you can take an Android device out of Kiosk mode.

Windows Phone:

For similar settings Windows Phone works with OMA-URI; as I mentioned in my previous blog, this will be supported in the December release.

What that will look like in the console cannot be demonstrated yet, but you will certainly need the OMA-URI XML piece. Here is an example of controlling “Settings”.

    <?xml version="1.0" encoding="utf-8"?>
    <HandheldLockdown version="1.0">
      <Default>
        <Buttons>
          <ButtonLockdownList>
            <!-- Lockdown all buttons -->
            <Button name="Search">
            </Button>
            <Button name="Camera">
              <ButtonEvent name="Press" />
              <ButtonEvent name="PressAndHold" />
            </Button>
          </ButtonLockdownList>
          <ButtonRemapList>
            <Button name="Search">
              <ButtonEvent name="Press">
                <!-- Settings -->
                <Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5601}" parameters="" />
              </ButtonEvent>
            </Button>
          </ButtonRemapList>
        </Buttons>
      </Default>
    </HandheldLockdown>

You can find more in the PDF.

The result might look something like this:


Before you start deploying this kind of policy, it is important to realize the following:

– Windows Phone does not have a concept of Supervised Mode, so be careful! Especially once you have read the 3rd bullet.

– Make sure your Apps are deployed first.

– Once an Assigned Access has been provisioned to a device, the only way to remove this functionality will be to Factory Reset the device.

– Look into the PDF for more interesting “Notes” about Assigned Access & Windows Phone
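
Since an Assigned Access profile can only be removed by a Factory Reset, it is worth checking the lockdown XML before it goes into a policy. The following Python check is an added example, not part of the original post or of Intune: the function name audit_lockdown is hypothetical, and its checks (root element, button lists, brace-wrapped GUID productId) are assumptions drawn only from the sample XML above.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: productId is a brace-wrapped GUID, as in the post's sample.
GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Typographic quotes, double prime and en dash that blog copy-paste leaves behind.
TYPOGRAPHIC = "\u201c\u201d\u2033\u2018\u2019\u2013"

# The sample from this post, condensed, with straight quotes and "--" comments.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0"><Default><Buttons>
<ButtonLockdownList><!-- Lockdown all buttons -->
<Button name="Search"></Button>
<Button name="Camera"><ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" /></Button></ButtonLockdownList>
<ButtonRemapList><Button name="Search"><ButtonEvent name="Press">
<Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5601}" parameters="" />
</ButtonEvent></Button></ButtonRemapList>
</Buttons></Default></HandheldLockdown>"""

def audit_lockdown(xml_text):
    """Return (summary, problems) for a HandheldLockdown document."""
    summary, problems = {"locked": {}, "remapped": {}}, []
    damaged = sorted({c for c in xml_text if c in TYPOGRAPHIC})
    if damaged:  # name the offending characters before parsing
        return summary, ["typographic characters: " + " ".join(damaged)]
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return summary, ["not well-formed: %s" % exc]
    if root.tag != "HandheldLockdown":
        problems.append("unexpected root element: " + root.tag)
    # Buttons listed for lockdown, with the events named for each.
    for button in root.findall(".//ButtonLockdownList/Button"):
        events = [e.get("name") for e in button.findall("ButtonEvent")]
        summary["locked"][button.get("name")] = events
    # Button events remapped to an application.
    for button in root.findall(".//ButtonRemapList/Button"):
        for event in button.findall("ButtonEvent"):
            target = (button.get("name"), event.get("name"))
            app = event.find("Application")
            pid = app.get("productId", "") if app is not None else ""
            if not GUID.match(pid):
                problems.append("remap %s/%s: bad productId %r" % (target + (pid,)))
            summary["remapped"][target] = pid
    return summary, problems

if __name__ == "__main__":
    print(audit_lockdown(SAMPLE))
```

Review the returned summary against the buttons and application you intend to allow, and only deploy when the problem list is empty.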

Conclusion:

Kiosk Mode is a cool feature which can help you in typical scenarios. When you start using it, it’s very important to realize that provisioning and de-provisioning differ per OS platform. This is not caused by Microsoft Intune; this is just how these OSes are designed. And yes, this is currently only supported in Cloud-Only mode, except for Windows Phone: because of OMA-URI you can already use that in the Hybrid Solution.

Till next time!

Nico Sienaert (Twitter: @nsienaert)
