kiosk mode operation design 1

This article explains how to create an app that runs under a single account, like kiosk mode. It also explains how to manage multiple accounts for multiple operation scenarios, each account using its own single-account app.

Therefore, this article ‘DOES NOT’ explain how to set a device to kiosk mode with the AssignedAccess configuration service provider (referred to as the ‘CSP’ from here on). Nor does this article use the kiosk feature of the Windows operating system.

This article explains how to create a ‘fake’ kiosk mode for requirements that are difficult to meet with UWP, such as creating a local account on a device, or modifying the Windows Registry to set a logon script for an individual account. This ‘fake’ kiosk mode is created with WPF.

・What is kiosk mode

Kiosk mode is just one of the features provided by the Windows operating system, so we should consider the details of our operation scenarios when we want to use it.

Kiosk mode is designed for a device that runs a single application, and that app is executed by a single account. So if your operation scenarios do not fit this design, you should create some other mechanism that is equal to or greater than the kiosk mode of Windows OS.

If you want to use kiosk mode with several different accounts to fit several scenarios, you should manage multiple accounts, each with the correct security level. And if you want to provide a different application for each account, you should control the application so that it is launched by the correct account.

>>The summary of this article(Japanese:日本語)

・The AssignedAccess configuration service provider

Kiosk mode is controlled by the CSP. The CSP sets the parameters below in XML format
(see the related article provided by Microsoft >>AssignedAccess CSP).

1. Define the account that is used in kiosk mode.

2. The account is used for one specified application.

3. The application can only use specified features of Windows OS. This is the Lockdown feature of kiosk mode.

New features of kiosk mode

You can assign a group to a kiosk app (Windows 10 Ver.1803-).

You can assign multiple apps, created as UWP or native apps, to an account (or group), and can set one of them to run automatically (Windows 10 Ver.1809-).

You can set specific folders for when the user uses the File Open dialog (Windows 10 Ver.1809-).

・What is the Lockdown feature of kiosk mode

The lockdown feature is controlled by the App capability declarations of UWP; it is also available for native desktop applications using the CSP.
Almost all applications on Windows OS run in AppContainers. If an application needs features of Windows OS, Windows OS provides an AppContainer that bridges the application to an instance that has the minimum features of Windows OS, and these features are controlled by the App capability declarations.
This mechanism is intended to separate an application from Windows OS. The isolation includes window isolation, network isolation and process isolation (see the related article provided by Microsoft >>the AppContainer isolation), and the mechanism is provided by modern Windows OS (since Windows 8).
The Lockdown feature is the App capability declarations that are specified at application development.


・Scenarios of this article

I want to explain a ‘fake’ kiosk mode lockdown mechanism for the scenario in which multiple accounts, prepared for several operation scenarios, each use a specific app. The overview below gives the scenarios of this article.

1. It is assumed that you create an app which is used like kiosk mode by end users.

2. The app will be used by several dozen or several hundred users at many places.

3. The app is supported by application operators who are dispatched to the places where the app is set up. So you plan to create another application for the application operators.

4. When you procure new Windows 10 devices, you order the setup work for your app from maintenance operators. And you think that this scenario needs another application.

5. You attempt to set an administrator account because you want to manage the devices completely.

>>As a result, you plan to create three apps, set up four accounts, and log the working state of the maintenance operators and application operators.

・How to lockdown a device for multiple accounts respectively

This article explains how to control several accounts like kiosk mode for the above scenario, using my blog’s implementations [Local account creation], [Desktop UI controlling], [Launch correct app by specific account], [Logging file save to Microsoft Azure] in C#.

・Preparation of sample code

This sample is created with WPF. Almost all of the sample's logic is in the ‘App_Startup’ method in App.xaml.cs. So first, we make a minimal modification to App.xaml and App.xaml.cs, as shown below.

Change [StartupUri="MainWindow.xaml"] to [Startup="App_Startup"] in App.xaml, and add the [void App_Startup()] method to the [App] class in App.xaml.cs.

<Application x:Class="WPFLockdownSample.App"
             xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
             xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
             xmlns:local="clr-namespace:WPFLockdownSample"
             Startup="App_Startup">
    <Application.Resources>
         
    </Application.Resources>
</Application>

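using System.Windows;

namespace WPFLockdownSample
{
    public partial class App : Application
    {
        // Handler named by Startup="App_Startup" in App.xaml; it runs once when the application starts.
        void App_Startup(object sender, StartupEventArgs e)
        {
            // The logic of the sample is added here in the next step.
        }
    }
}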
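
One way the App_Startup handler can fail closed when the end-user app is started by the wrong account, as an added example that is not the author's implementation. The `AccountGate` class, the `Role` enum and the local account names are hypothetical and chosen only for this illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Windows;

namespace WPFLockdownSample
{
    public enum Role { EndUser, ApplicationOperator, MaintenanceOperator }
    // Hypothetical helper: maps local accounts to the role each app is built for.
    public static class AccountGate
    {
        // Assumption: example account names; the administrator account maps to no app.
        static readonly Dictionary<string, Role> Roles =
            new Dictionary<string, Role>(StringComparer.OrdinalIgnoreCase)
            {
                { "KioskUser", Role.EndUser },
                { "AppOperator", Role.ApplicationOperator },
                { "Maintenance", Role.MaintenanceOperator },
            };
        // True only for a local (not domain) account mapped to the required role.
        public static bool IsAllowed(string identityName, Role required)
        {
            // WindowsIdentity.Name is MACHINE\user for a local account.
            string prefix = Environment.MachineName + "\\";
            if (!identityName.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                return false;
            return Roles.TryGetValue(identityName.Substring(prefix.Length), out Role role)
                && role == required;
        }
    }

    public partial class App : Application
    {
        void App_Startup(object sender, StartupEventArgs e)
        {
            using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
            {
                bool elevated = new WindowsPrincipal(identity)
                    .IsInRole(WindowsBuiltInRole.Administrator);
                // Fail closed: unknown account, wrong role, or an elevated token.
                if (elevated || !AccountGate.IsAllowed(identity.Name, Role.EndUser))
                {
                    Shutdown(1);
                    return;
                }
            }
            new MainWindow().Show();
        }
    }
}
```

The operator and maintenance apps would pass their own `Role` value to the same check, so each of the three apps refuses to start under any account other than its own.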

Go to the next step to create the logic of the App_Startup method >>

About takao

I have been a Microsoft MVP since June 2010.