Best practices for selecting an app for assigned access

  • Article

9/16/2013

Microsoft

September 2013

Summary

Provides guidance around selecting an appropriate app for assigned access.

Applies To

  • Windows 8.1 Pro
  • Windows 8.1 Enterprise
  • Windows Embedded 8.1 Industry Pro
  • Windows Embedded 8.1 Industry Enterprise

Introduction

Administrators can use assigned access to restrict a selected user account to access a single Windows Store app. You can choose almost any Windows Store app for assigned access; however, some apps may not provide a good user experience.

Guidelines

The following guidelines may help you choose an appropriate Windows Store app for your assigned access experience.

General

  • When you make changes to assigned access settings, you must restart the device in order for the changes to take effect.
  • Windows Store apps must be installed for the assigned access account before they can be selected as the assigned access app.
  • Breaking out of an assigned access session by pressing the Windows logo key five times does not sign out the account, but only suspends it. If you need to sign out an assigned access session, you can use Task Manager from an administrator account to sign out the user.
  • Updating a Windows Store app can sometimes change the Application User Model ID (AUMID) of the app. If this happens, you must update the assigned access settings to launch the updated app, because assigned access uses the AUMID to determine which app to launch.
  • If you use certain characters in the app name, PC Settings displays a black square icon for the app after you select the app for assigned access. The app is still set correctly. Avoid using the following characters as part of your Windows Store app name:
    • Straight quotation marks (")
    • Asterisk (*)
    • Slash (/)
    • Colon (:)
    • Left angle bracket (<)
    • Right angle bracket (>)
    • Question mark (?)
    • Double Backslash (\\)
    • Pipe (|)

Access to the charms

Some Windows Store apps programmatically invoke the charms. When this occurs, assigned access attempts to switch focus back to the Windows Store app, causing the charms to flicker in and out. For example, an app may try to bring up the Search charm anytime the user types any text.

  • Avoid selecting a Windows Store app that programmatically invokes the charms, as the invoked charm will briefly appear on the screen before assigned access restores focus to the Windows Store app, resulting in a poor user experience.
  • When designing your own Windows Store app for use with assigned access, avoid programmatically invoking the charms.
  • If your Windows Store app requires access to the charms, for example to print, connect to a network, or share, then your app may not be a good choice for assigned access. If you are using Windows Embedded 8.1 Industry (Industry 8.1), you can create a customized locked down solution that enables access to charms.

Windows Store apps that launch other apps

Some Windows Store apps can launch other apps. Assigned access prevents Windows Store apps from launching other apps.

  • Avoiding selecting Windows Store apps that are designed to launch other apps as part of their core functionality.
  • If you are developing your own Windows Store app for assigned access, avoid direct links to other apps, as that functionality will not be available in assigned access.

Web browsers

Internet Explorer and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows Store apps. Web browsers are not good choices for assigned access.

If you need to use a web browser as your assigned access app, consider the following tips:

  • You can create your own web browser Windows Store app by using the WebView class.
  • You can use Group Policy to block access to the file system (network shares, local drives, and local folders) from Internet Explorer’s web address bar.

    To block access to the file system from Internet Explorer’s web address bar

    1. On the Start screen, type the following:

      gpedit.msc

    2. Press Enter or click the gpedit icon to launch the group policy editor.

    3. In the group policy editor, navigate to User Configuration > Administrative Templates > Start Menu and Taskbar.

    4. Double-click Remove Run menu from Start Menu.

    5. Select Disabled, and click Apply.

App notifications

Assigned access prevents system notifications from being displayed, but you must manually disable Windows Store app notifications.

Camera app

When a user breaks out of assigned access or puts the device to sleep they can swipe down on the Welcome screen to start the Camera app. For this reason, we recommend that you manually turn off the Camera app when using assigned access.

To manually turn off the Camera app

  1. Swipe in from the right edge of the screen, and then tap Settings (or if you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Settings).

    Tap or click PC & Devices, and then tap or click Lock screen.

  2. Turn off the Camera app.

Power button

We recommend that you remove the Power button from the Welcome screen and block the physical power button so that a user cannot turn off the device when it is in assigned access.

To remove the Power button from the Welcome screen

  1. Sign in with an administrator account.

  2. At the start screen, type gpedit.msc and press enter to open the Local Group Policy Editor.

  3. In the Local Group Policy Editor, under Computer Configuration, expand Windows Settings > Security Settings > Local Policies, and then tap or click Security Options.

  4. Double-tap or click Shutdown: Allow system to be shut down without having to log on.

  5. In the Shutdown: Allow system to be shut down without … dialog box, select Disabled, and then tap or click OK.

To disable the physical power button

  1. In Control Panel, navigate to Hardware and Sound > Power Options.

  2. Select Choose what the power buttons do.

  3. Under When I press the power button, change On Battery and Plugged in to Do Nothing.

  4. Tap or click Save Changes.

Conclusion

These guidelines should help you select or develop an appropriate Windows Store app for your assigned access experience. Once you have selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience.