Employee apps supplement (Handheld 8)
2/18/2014
With Windows Embedded 8 Handheld, enterprises can use the new Employee apps feature to lock down a device to ensure that it is used only for intended business functions and not for unauthorized activities, such as text messaging and web browsing. However, the device administrator must perform this procedure manually by using an SD card on each device. This method is not feasible for very large numbers of devices or for devices that lack an SD card reader. In those situations, the enterprise must rely on the OEM to configure their devices to their specific requirements.
OEMs can lock down multiple devices to restrict the device features that are available to users by adding the Employee apps configuration file, employeeApps.xml, to the device image.
The new lockdown feature lets you specify which hardware buttons are available, and which apps are available from the Start screen and App list by adding the buttons and apps to the Allow list. Apps not on the Allow list remain installed on the device, but are hidden from view. Context-sensitive menu items to Uninstall, Share, and Rate an app are also removed so that the user cannot remove applications or access the web to share content or rate an application.
The employeeApps.xml file that specifies this lockdown information is manually authored offline according to the instructions in Employee apps walkthrough and then added to the device package. When the device image is created, the employeeApps.xml file is placed in a specific path on the device. During the out-of-box experience (OOBE) phase, the data from the employeeApps.xml file is applied to the appropriate registry settings to configure the device. Only the specified apps will be available from the Start screen and App list on the device. The hardware buttons are also enabled or disabled as specified in the employeeApps.xml file.
Important
Apps that are not on the allow list in the employeeApps.xml file are hidden from view, but remain installed on the device and can be used. For example, if a PDF viewer app is installed on the device but is not on the Allow list, and another app provides a link to a PDF file, the PDF viewer app will start when the user activates the link.
Add employeeApps.xml to the device package
Note
Before you create the device package, define the lockdown configuration in the employeeApps.xml file according to the instructions in Employee apps walkthrough.
The following example shows how the employeeApps.xml file is added to the device package.xml.
<Components>
<OSComponent>
<Files>
<File
Source="EmployeeApps.xml"
DestinationDir="$(runtime.commonfiles)\Provisioning\OEM"
/>
</Files>
</OSComponent>
</Components>
Employee apps will run during OOBE and apply the specified lockdown configuration to the device.
Considerations for reconfiguring a device
If Employee apps is available on the device from either the Start screen or the App list, the device administrator can rerun it by using a different employeeApps.xml on an SD card to update a device’s lockdown settings. Device lockdown settings that were previously configured are reset to reflect the settings in the new employeeApps.xml file. However, if the device is reset, the settings in the employeeApps.xml that the OEM included in the device image will be applied to the device.
Important
If Employee apps is not available on the device from either the Start screen or the App list, or if the device does not have an SD card reader, there is no way to change the original lockdown configuration of the device.