Wednesday 27 June 2018

Intune Windows 10 Kiosk Mode

I have been tasked to start looking at a Kiosk solution for our organisation and noticed that the "what's new in Intune" documentation announced a new configuration profile for Windows 10 1803 devices, available as of the week of 8th June. I am unsure of the specific requirements for the project at this stage, but typically the solution would need to provide a locked down web browser that can only access specific sites, so that is what I have decided to configure:

First of all, log in to the Microsoft Store for Business and search for the Kiosk Browser app. Select "Get the app"

Log in to the Intune portal and navigate to Mobile Apps > Microsoft Store for Business. Select "Sync"

Wait a few moments for the app to sync then assign it to a device group containing the kiosk devices

Log in to the device and confirm that the Kiosk Browser has been deployed. Carry out a sync on the device from the Intune portal if required.

Now navigate to Device configuration - profiles and select "Create Profile"

Enter an appropriate profile name, select the correct platform and select "Kiosk (Preview)" as the profile type.

Select the "Configure" option then add a Kiosk setting

Specify a suitable name for the configuration, set the mode as "Single full-screen app kiosk", select the Kiosk browser as the app to use for kiosk mode and specify the account type as "Autologon"

Select "Ok" twice. Now access the kiosk web browser settings menu. In this example I have set the home page, allowed the home button and allowed the navigation buttons. Select "Ok" twice to save the settings.

Assign the profile to the required device group

Ensure that the profile has deployed to the device by selecting the "Device Install Status" option

Restart the device and you will see it automatically log on using a KioskUser account and then launch the Kiosk browser.

Please note
I have only been able to achieve the above on a Surface Pro 4 at this stage. I attempted this procedure on a Windows 10 1803 VM in order to be able to take some accurate screenshots of this last step and was unable to get the device to enrol into MDM. Rather than delay this post any longer (it has been in my drafts for weeks!), I will update this part when I find out what is causing the issue.
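A device-side check for the steps above, as an added example that is not part of the original post: it confirms the app, the kiosk account and the Kiosk Browser settings arrived, and flags whether any URL restriction is in place, since the profile described here sets only the home page and buttons. The package name `Microsoft.KioskBrowser`, the `kiosk*` account pattern, the policy value names and the PolicyManager registry path are assumptions not taken from the post.

```powershell
# Added example, not from the original post. Run elevated on the kiosk device.
# Assumptions: the Store package is named Microsoft.KioskBrowser, the autologon
# account name starts with "kiosk", and MDM-delivered Kiosk Browser policies
# are mirrored under the PolicyManager registry key below.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\KioskBrowser'
$results   = [System.Collections.Generic.List[object]]::new()

function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1. The app assigned from the Microsoft Store for Business is installed.
$app = Get-AppxPackage -AllUsers -Name 'Microsoft.KioskBrowser'
Add-Check 'Kiosk Browser installed' ([bool]$app) "$($app.Version)"

# 2. The autologon kiosk account exists and is enabled.
$kiosk = Get-LocalUser | Where-Object { $_.Name -like 'kiosk*' -and $_.Enabled }
Add-Check 'Kiosk account present' ([bool]$kiosk) ($kiosk.Name -join ', ')

# 3. The Kiosk Browser settings from the profile reached the device.
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
foreach ($name in 'DefaultURL', 'EnableHomeButton', 'EnableNavigationButtons') {
    $value = $policy.$name
    Add-Check "Policy $name" ($null -ne $value) "$value"
}

# 4. Site restriction: with no BlockedUrls value, links followed from the
#    home page are not limited to specific sites by policy.
$blocked = $policy.BlockedUrls
$allowed = $policy.BlockedUrlExceptions
Add-Check 'URL restriction configured' (-not [string]::IsNullOrWhiteSpace($blocked)) "blocked=[$blocked] exceptions=[$allowed]"

$results | Format-Table -AutoSize -Wrap
```

A failed "URL restriction configured" row means the requirement for a browser that can only access specific sites is not yet enforced by this profile.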

Friday 8 June 2018

Samsung Oreo Android Enterprise Work Profile Changes

Thought I would post on this as it could have the potential to cause headaches for enterprises with Android Samsung devices due to the variation in end user experiences that are introduced.

As per the announcement here, it would appear that Samsung have taken it upon themselves to provide a "unified" experience, combining their Knox Workspace solution with the Android Enterprise (AE) Work profile. These changes take effect as of the Oreo operating system. I felt that the previous article explained this poorly and my perception was that this would simply be an experience that was "available". Any extra security features that could be leveraged within the Knox Workspace are, as far as I am aware, not currently supported within Intune, so I intended to wait before deciding on whether we switch to Workspaces as a business.

So I completely misunderstood this and was directed to here, which does indicate that this unification is a forced change.

This means that if you are running Samsung devices within your enterprise you could see 3 different experiences in your environment at one time:

1. Pre-Oreo
The Workspace is not unified and you will see the standard AE Work Profile experience.

2. Oreo upgrade
This is for a device which already has an AE profile and is upgraded to Oreo. Any existing shortcuts will have an orange key badge.

Note that as of Oreo the Gmail app now has an improved experience for showing unread email notifications.

Also, the content for notifications is hidden both within the lock screen and home screen.

The only setting available within Intune turns this feature off, therefore it needs to be configured on every device:
Open the "Workspace Settings" App

Notifications and Data > Turn on "Show notification content"

Notifications on lock screen > Show notification content

3. Oreo new enrollment
This gives the new unified experience. Initially, badged apps will only be available by accessing the Workspace directly and you will not be able to add them from there to the home screen.

In order to be able to add these apps to the home screen you will need to do the following:
Access the Workspace settings from within the "more options" menu in the top right of the Workspace

Workspace style > Turn off "Hide Workspace apps"

As with the previous experience, you will also need to follow the steps to show home screen and lock screen notifications if that is a requirement. Staying in the same menu:
Notifications and data > Turn on "Show notification content"

Notifications on lock screen > Show notification content