Deploying HoloLens 2 to External Clients with Remote Assist
This guide helps IT professionals deploy Microsoft HoloLens 2 devices in their organization when they need to:
- Cloud connect HoloLens 2 devices
- Loan HoloLens 2 devices to external clients for use
- Secure loaned devices
This guide provides general HoloLens 2 deployment recommendations that apply to most HoloLens 2 deployment scenarios, and addresses the common concerns customers raise when deploying Remote Assist for external use.
For the purpose of this document, Contoso Company wants to ship a HoloLens 2 device to an external client's plant for short-term or long-term use. When the client needs assistance servicing machinery, the client will log into the HoloLens 2 device using credentials provided by Contoso Company and use Remote Assist to contact Contoso Company's experts.
Learn more about Remote Assist here.
Requirements for this Scenario
- Azure AD
- Mobile Device Manager - such as Intune
- Remote Assist License
This guide addresses the following common concerns:
- How to ensure that external clients do not have the ability to communicate with one another
- How to ensure that clients do not have access to company resources
- How to restrict apps
- How to manage passwords
- How to ensure that clients do not have access to chat history
How to ensure that external clients do not have the ability to communicate with one another
Remote Assist does not support HoloLens-to-HoloLens calls, so clients can search for one another but cannot call each other. To further restrict who a client can search for and call, use information barriers, which limit which users a given user can communicate with. Another option to consider is scoped directory search.
Because single sign-on is enabled, it is important to disable the browser using WDAC. If an external client opens the browser and uses the web version of Teams, the client will have access to the account's call and chat history.
How to ensure that clients do not have access to company resources
There are two options to consider.
The first option is a multi-layer approach:
- Only assign the licenses that the user requires. If you do not assign OneDrive, Outlook, SharePoint, Yammer, etc. to the user, they will not have access to those resources. The only licenses the users need to begin are Remote Assist, Intune, and Azure AD.
- Block apps (such as email) that you don't want clients to access (see How to restrict apps).
- Do NOT share usernames or passwords with clients. To log into the HoloLens 2, only the account's email address and the numerical PIN set up on the device are required.
The second option is to create a separate tenant that hosts clients (see Image 1.1).
How to restrict apps
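The browser block recommended above and the WDAC step in the deployment recommendations below both come down to one artifact: a WDAC policy that denies specific packaged apps, converted to binary and pushed to the ApplicationControl CSP by Intune. The following is an added example, not code from this guide or from Microsoft, showing how that policy is built on a Windows build PC with the inbox ConfigCI cmdlets. The policy name, the temp paths, the Edge package names and the audit-first flag are all assumptions; check the package names against a real device with Get-AppxPackage before enforcing.

```powershell
# Added example (not from the original guide): build a WDAC policy for loaned
# HoloLens 2 devices that denies Microsoft Edge, then stage it for the
# ApplicationControl CSP that Intune pushes. Runs on a Windows 10/11 build PC;
# the ConfigCI module ships with Windows. Names below are assumptions.

$PolicyName   = 'HL2_Loaner_DenyBrowser'                                     # assumed
$PolicyXml    = Join-Path $env:TEMP "$PolicyName.xml"
$PolicyBin    = Join-Path $env:TEMP "$PolicyName.bin"
$DenyPackages = @('Microsoft.MicrosoftEdge', 'Microsoft.MicrosoftEdge.Stable') # assumed
$Enforce      = $false   # $false = audit mode for the pilot device; flip to $true after

# New-CIPolicyRule -Package needs an AppxPackage object. Resolve each name on
# the build PC; a missing package is skipped with a warning so that a typo
# cannot silently yield a policy with no deny rules at all.
$Rules = foreach ($name in $DenyPackages) {
    $pkg = Get-AppxPackage -Name $name | Select-Object -First 1
    if ($null -eq $pkg) { Write-Warning "Package $name not present on build PC"; continue }
    New-CIPolicyRule -Package $pkg -Deny
}
if (-not $Rules) { throw 'No deny rules were generated; refusing to build an empty policy.' }

# Start from the inbox DefaultWindows_Audit template, which already allows
# Windows components and Store-signed apps, and merge the deny rules on top.
# In WDAC a deny rule wins over any allow rule, so Edge is blocked even though
# the base policy trusts Microsoft-signed code.
$Template = Join-Path $env:SystemRoot 'schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml'
Copy-Item -Path $Template -Destination $PolicyXml -Force
Merge-CIPolicy -OutputFilePath $PolicyXml -PolicyPaths $PolicyXml -Rules $Rules | Out-Null

# -ResetPolicyID gives the policy its own GUID (multiple-policy format). The
# ApplicationControl CSP node must be named with that same GUID, so read it back.
Set-CIPolicyIdInfo -FilePath $PolicyXml -PolicyName $PolicyName -ResetPolicyID | Out-Null
$PolicyId = ([xml](Get-Content -Path $PolicyXml -Raw)).SiPolicy.PolicyID.Trim('{', '}')

if ($Enforce) {
    # Rule option 3 = Enabled:Audit Mode. Deleting it turns audit events into real blocks.
    Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
}

# Convert to the binary form the CSP consumes.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin | Out-Null

# Intune custom profile: this OMA-URI, data type "Base64 (file)", upload $PolicyBin.
$OmaUri = "./Vendor/MSFT/ApplicationControl/Policies/$PolicyId/Policy"
[pscustomobject]@{
    PolicyId = $PolicyId
    OmaUri   = $OmaUri
    Binary   = $PolicyBin
    Mode     = if ($Enforce) { 'Enforced' } else { 'Audit' }
}
```

Keep the first deployment in audit mode and review the CodeIntegrity operational event log on the pilot HoloLens before setting $Enforce; an enforced policy that accidentally denies Remote Assist itself leaves the device useless at the client's plant, where nobody from Contoso can fix it.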
How to manage passwords
- Remove password expiration. This keeps the account usable for the length of the loan, but a password that is never rotated stays valid for as long as it stays secret, so combine it with a reset whenever a device changes hands. (NIST SP 800-63B no longer recommends periodic rotation; it recommends changing a password only when there is evidence it has been compromised.)
- Extend the password expiration for HoloLens 2 loaner accounts beyond 90 days.
- Return the devices to Contoso to change the passwords. However, this causes problems if the devices are expected to stay in the client's plant for 90+ days.
- For devices that are sent to multiple clients, reset the password before shipping the device to the next client.
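The last two options above (rotate before each loan, and exempt long-loan accounts from expiry) can be scripted so that nobody at Contoso ever types a loaner password into email. The following is an added example, not part of this guide; it uses the Microsoft Graph PowerShell SDK and assumes a session from Connect-MgGraph with User.ReadWrite.All and Directory.AccessAsUser.All. The account name is an assumption.

```powershell
# Added example (not from the original guide): prepare a loaner sign-in account
# before a HoloLens 2 ships to a client. Assumes Microsoft.Graph is installed and
# Connect-MgGraph has been run with User.ReadWrite.All and
# Directory.AccessAsUser.All. Account names are assumptions.

function New-LoanerPassword {
    # Random password from a 64-character set. 256 % 64 == 0, so taking each
    # random byte modulo 64 introduces no bias. The client never types this
    # password (they sign in with the device PIN), so length costs nothing.
    param([int]$Length = 24)
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#'
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Reset-LoanerAccount {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [switch]$NeverExpire   # for devices staying at a plant 90+ days
    )
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, PasswordPolicies
    $newPassword = New-LoanerPassword

    # Rotate the credential. ForceChangePasswordNextSignIn must stay $false:
    # otherwise the client is prompted to choose a new password on the device
    # and Contoso loses control of the account.
    Update-MgUser -UserId $user.Id -PasswordProfile @{
        Password                      = $newPassword
        ForceChangePasswordNextSignIn = $false
    }

    # Invalidate refresh tokens the previous client's session may still hold,
    # so that the old password's cached sign-in cannot outlive the reset.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    if ($NeverExpire) {
        # Exempt only this account from the tenant password expiry (Azure AD's
        # default is 90 days) rather than relaxing the policy tenant-wide.
        Update-MgUser -UserId $user.Id -PasswordPolicies 'DisablePasswordExpiration'
    }

    # Return the secret exactly once; store it in Contoso's vault, never ship it.
    [pscustomobject]@{ User = $user.UserPrincipalName; Password = $newPassword }
}

# Usage (assumed loaner account):
# Reset-LoanerAccount -UserPrincipalName 'hl2-loaner-01@contoso.com' -NeverExpire
```

Run Reset-LoanerAccount for each device before it leaves Contoso, then complete the PIN setup on the device yourself; the client receives a device that signs in with the PIN and never sees the password.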
How to ensure that clients do not have access to chat history
Remote Assist clears chat history after each session. However, the chat history remains available to the Microsoft Teams user on the other side of the call.
Because single sign-on is enabled, it is important to disable the browser using WDAC. If an external client opens the browser and uses the web version of Teams, the client will have access to the account's call and chat history.
General Deployment Recommendations and Instructions
We recommend the following HoloLens 2 deployment steps:
Use the latest HoloLens OS release as your baseline build.
Assign user-based or device-based licenses:
- Please note that the first user on the device will be the device owner.
- Please note that if the device is AAD joined, the user that performed the join is made device owner.
- For more, see Device Owner.
Tenant lock the device so that it can only be joined to your tenant.
- Additional Link: Tenant lock CSP.
Configure a kiosk using global assigned access.
We recommend disabling the following (optional) capabilities:
Use WDAC to allow or block apps on the HoloLens 2 device.
Update Remote Assist to the latest version as part of the setup. There are two options to do this:
- Manually, by opening the Microsoft Store app --> Remote Assist --> Update.
- Enable auto updates using the ApplicationManagement/AllowAppStoreAutoUpdate CSP and keep the device plugged in to receive updates.
Disable all Settings pages except the network settings, so that users can still connect to guest networks at client sites.
- Optionally, control OS updates through policy, or allow them to flow freely.