Tag: endpoint manager

  • HoloLens multi-app kiosk

    HoloLens got to be one of the cooler devices out there, but probably also one of the lesser-known devices how to manage.

    What is a HoloLens really?

    HoloLens is Microsoft’s device aimed for Mixed Reality, but at heart, it’s actually a Windows-based device but done in a more modern way. This means that the support for legacy protocols is limited, but also that the level of built-in security is maybe a bit higher than on your Windows-based PC. You can read more about the HoloLens as a platform here.

    Given that it’s a Windows device, we can manage it using basically the same policies in Microsoft Endpoint Manager (MEM) as you would for the rest of your Windows devices. A lot of baseline profiles could be re-used (or duplicated) with ease which simplifies the configuration a bit.

    There are a few things to keep in mind when it comes to Microsoft HoloLens 2, which has had an impact on the designs and implementations in my experience.

    • It doesn’t support EPP/EDR software of any kind
    • You can only run UWP based applications
    • You will need additional licenses to run e.g. Remote Assistance

    HoloLens 2 as a kiosk

    There are a lot of different applications and ways to implement and use a HoloLens 2. In this post, I’ll focus on how to set up the HoloLens 2 as a multi-app kiosk, but with user sign-in, using Microsoft Endpoint Manager.

    Importing the device into Windows Autopilot

    If your vendor or retailer didn’t import the HoloLens hardware ID for you, you can do this by following these four simple steps:

    1. While the HoloLens 2 device is powered on, press and release the Power and Volume down buttons together to trigger the hardware ID and diagnostic log collection process.
    2. Connect the HoloLens 2 device to a PC using a USB cable so that it shows up in File Explorer.
    3. Browse to Internal Storage > Documents  and extract AutopilotDiagnostics.zip. This file/folder will contain a CSV file with a a file name that begins “DeviceHash…”.
    4. Upload the CSV file to the Windows Autopilot service

    In order to simplify our management a bit and be able to create a dynamic device group with only HoloLens devices, assign a GroupTag to the device such as “Hololens”.

    Creating a device group for HoloLens

    Like all things in device management, we are really dependent on groups. In this case, we will use a device group to target only our HoloLens devices.

    You can create a new Azure AD group by selecting Groups in the left hand side menu in the MEM portal. Then select “New group“.

    Give your group a good name and select “Dynamic Device” as Membership type.

    Next, click “Add dynamic query” at the bottom and add the following rule syntax, but replace the word Hololens used here with the name of your GroupTag.

    (device.devicePhysicalIds -any _ -eq "[OrderID]:Hololens")

    Click Save followed by Create to finish the creating of the group.

    Setting up enrollment

    First off, we need to create a new Deployment Profile for the HoloLens platform.

    You will find the Deployment Profiles by navigating to Devices > Windows > Windows Enrollment and selecting Deployment Profile.

    When you have selected the Deployment Profiles card, select “+ Create Profile” and choose HoloLens as the platform.

    Give your profile a name in the Basic tab and press next. On the “Out-of-box experience (OOBE)”, you can really only have to change the name template if you are looking to use custom names for your HoloLenses. In my example, I’ve left all values to default. Press next to move to the next tab.

    On the Assignment tab, select your HoloLens device group and press next.

    Review your settings and hit Create to finish the creating of the deployment profile.

    Creating a Filter for HoloLens

    To make sure that we only target settings deployed towards users to their HoloLens devices, we need to create a filter we will use later on.

    Navigate to Tenant administration > Filter. Create a new filter by clicking “+ Create” in the top ribbon. Give your filter a name, such as HoloLens, and select Windows 10 and later as the platform.

    Since filters are kind of like dynamic groups, we need to add a syntax. The easiest way I’ve found to include HoloLens devices is to use our Deployment profile name, the attribute is called EnrollmentProfileName on the device. Enter the name of your Deployment Profile in the Value field.

    Click next, then review and create the filter.

    Configuring kiosk mode

    You could basically already enroll your devices now and be done, but it will be like an unconfigured PC, your end-user will miss vital settings and applications.

    Since this is a Windows-based platform, you can reuse or duplicate profiles you already have for Wi-Fi, certificates, and such. Not all profiles make a whole lot of sense to use on the HoloLens (such as settings for the Office suite or Chrome browser to give some examples).

    The profile we need to create to set up the Kiosk-mode on HoloLens is a profile based on the Kiosk template.

    Go to Devices > Windows > Configuration profiles and create a new profile by pressing “+ Create profile” in the top ribbon. Select Windows 10 and later as platform and Templates as Profile type. Scroll down and find the Kiosk template and click create.

    As always, give your profile a name based on your naming convention on the basic tab and press next.

    Based on your scenario, select either “Single app, full screen” or “Multi app kiosk” as kiosk mode and select “No” on the question if device is running S mode.

    In my scenario, I will configure that users will use the device using their Azure AD accounts. Since I have to specify a group with eligible users, I’ve in my setup used a group containing most of my users meaning that all my users are allowed to sign in to the HoloLens. You can easily assign this to either a group of users or even a specific user. You can also add additional groups and/or users. Depending on your scenario, you can make different choices here.

    Next up is to select what applications we will run on the device. This can be done by either selecting built-in applications or applications distributed through MEM. Keep in mind that Win32 applications DO NOT WORK on the HoloLens when selecting applications.

    If you want to add built-in or system applications, this is done by adding the AUMID of the application. You can find all the HoloLens 2 applications AUMID on this MSFT Docs site.

    In this example, I will add one built-in application and one store app. You add apps by pressing the “Add…” button under the Browser and application section.

    When adding a app by using AUMID, you give the application a name (preferably what it’s called in the reference document) and the AUMID for the application.

    When adding a store app, MEM will list the apps you have available for distribution. Also, keep in mind that you will need to make sure to target the application distribution towards the HoloLens group.

    Leave the rest of the settings to the default value and click Next.

    In order for the Kiosk mode to function properly when requiring Azure AD users to sign in, the profile needs to be targeted toward users otherwise nothing will happen in my experience. If you are not doing personal logins, you can target this towards a device group.

    In order to not assign the Kiosk-mode to all the user’s devices, we will need to use a filter to limit what devices the profile is assigned to.

    On the Assignment tab, select your group of users who will be allowed to use the HoloLens and then press “Edit filter” next to the group.

    Select “Include filtered devices in assignment” and choose your filter then press Select.

    Press next and leave the Application Rules to blank and review and create your profile.

    Enroll and sign in!

    Now it’s time to enroll your device, simply start the device and follow the on-screen instructions.

    What I’ve seen is that sometimes, the kiosk mode does not kick in on the first login after enrollment. If this happens, simply sign in and out of the device, this has done the trick for me!

  • Key take-aways from Ignite 2020

    Key take-aways from Ignite 2020

    Ignite 2020 was a bit different from previous Ignite to say non the less. Instead of having an in-person event in New Orleans, the experience this year was a 100% digital.

    It was as always, a bit overwhelming with a lot of interesting sessions, but you didn’t have to walk between sessions. Oh, and the coffee was really good this year!

    Looking at what was covered from the modern workplace at Ignite this year there was one common theme. Remote working and the new normal that Covid-19 creates. There was a lot of talk about how the world has changed the playing field for remote work and that we might never go back completely to how it was before. Something that I find very intriguing since this is an areas I’m passionate about.

    If you would only watch two of the sessions from Ignite 2020, I would really recommend that you watch Satya Nadella’s keynote on Building Digital Resilience and Jared Spataro’s keynote on The Future of Work. Those two were really good!

    This was a year for refinements from device management. New options for what you can do during Windows Autopilot and Co-management/tenant attach. A lot of new things which will help a lot of companies on the road to transition from traditional management to modern management! If you want to geek out, here are all the Endpoint Manager related sessions, all the Teams sessions and all the Office 365 sessions.

    Microsoft Tunnel

    On of the things that really cought my eye on an early stage was Microsoft Tunnel, which is a Microsoft VPN solution without the need for any third party licenses. I think this will be very beneficial for scenarios where you are utilizing Microsoft solutions for VPN for Windows and don’t want to invest in additional services for your mobile devices.

    Microsoft Tunnel is in public preview and is available on iOS and Android. You can read all about it here.

    Microsoft Edge

    Microsoft has been pushing the new Edge for a while now, and for a good reason too!

    It’s a really good browser, built on Chromium but with Microsoft integrations. I’ve been using this browser since it first came out, and it’s really good now.

    Microsoft is pushing it even more now and was also highlighting the Internet Explorer compatibility mode.

    BUT the big thing for Ignite was Application Management for Edge on Windows 10 which brings the Application Protection Policy features from the mobile platforms to the desktop Edge browser. This means that you can manage just the application instead of the whole device. Additionally, Microsoft Edge will support the new Microsoft Endpoint Data Loss Prevention (DLP) service which will be launched in October from day one.

    There were a bunch of other improvements to Edge presented as well, you can read all about it here.

    Microsoft Teams

    If you think there were a lot of new improvements introduced for Microsoft Endpoint Manager, it was nothing compared to Microsoft Teams.

    It’s becoming increasingly clear that Microsoft Teams should not be considered a product, it’s a platform.

    There were so many new things ranging from power platform and low-code solution for automated workflows to improved meeting experiences and wellbeing.

    A few of the highlights that caught my attention were:

    • Breakout sessions
    • Custom layouts and new together scenes
    • Wellbeing and productivity insights
    • Improved first-line workers functionallity

    You can read more in details here.