Kiosk management

In kiosk mode, you can lock a device so that it can run only one app or a small set of apps. This mode turns an Android or Apple phone or tablet into a dedicated device that runs only the specified apps. Kiosk mode provides effective control over device use and helps ensure that devices are used only for their intended purposes. You enable kiosk mode on mobile devices by configuring the settings through a policy. This feature applies only to company-owned devices. On a dedicated or supervised device, the device user can access only the apps that the kiosk policy allows.

For example, medical offices might let users run only custom healthcare applications. Retail locations, point-of-sale locations, or car dealerships might also need to prohibit employees from accessing unapproved apps, or to provide digital signage.

By using kiosk mode, an administrator can disable all the major system UI features such as notifications, the home button, the recent apps button, and global actions. In WebUI, an administrator can configure a kiosk policy to allow a single app or multiple apps to be installed and locked on a dedicated or a supervised mobile device.
Note: Device users cannot unenroll the device from BigFix MCM.
For complete information about kiosk mode on Android devices, refer to the Android documentation at https://developers.google.com/android/management/policies/dedicated-devices#kiosk_mode.

Supported OS versions

  • Android version 10.0 or later
  • iOS 9.3 or later for multiapp mode; iOS 6.0 or later for single app mode

Supported enrollment types

  • Android: The device must be a dedicated device enrolled as device owner in Android Enterprise.
  • iOS/iPadOS: The device must be a supervised device.

Enabling kiosk mode

To enable kiosk mode:
  1. Create a Kiosk policy to specify one or more apps to lock down a device in kiosk mode.
    1. For Apple mobile devices, along with the kiosk policy, create an Appstore policy with the approved apps specified in the kiosk policy. The Appstore policy deploys the applications, and the kiosk policy prevents other apps from running on the device. Both policies must specify the same app or apps. Include both policies in a policy group, so that when you deploy the policy group, only the specified apps are installed and can run on the device.
      Important: If you are deploying a single-app kiosk mode for Apple devices as part of a policy group, include only VPP apps. Otherwise, specify an app that the user already owns and whose Apple ID is used on the target device. This limitation applies because deploying a “public” Appstore app might lead to an undesirable result. If a user must interact with the App Store to complete the installation, the kiosk policy blocks that interaction as soon as the policy is processed.
  2. Associate the kiosk policy (and, for Apple devices, the Appstore policy) with a policy group targeted for the following enrollment types only:
    1. Android: Dedicated
    2. iOS and iPadOS: Over-the-air enrollment and automated device enrollment
  3. Deploy the policy group to the MDM server or directly onto the selected devices.

Creating a kiosk policy

You can create a kiosk policy in the following ways:
  • From the Kiosk policy page. For best results, use this method.
  • As a custom policy with kiosk settings, uploaded through the WebUI.
  • From the Custom from Template page.
    Note: The kiosk custom policy template is available only for Android. The name of the template is Dedicated Device Example Template.
Attention: For Android devices, the kiosk feature is applicable only for dedicated devices. Therefore, when you add a custom policy or a custom from template policy with Android kiosk settings, ensure that you add it only to an Android policy group with "Dedicated" as the enrollment type. Note that when you add a kiosk policy created from the Kiosk policy page to an Android policy group with an enrollment type other than "Dedicated", WebUI warns that the policy group is applicable only for dedicated devices.

Single app kiosk mode

Single app kiosk mode restricts device access to a single application. On Android devices, you can set a single app as the device’s home app, so that the app starts automatically when the device starts up or is rebooted.

Multiple app kiosk mode

You can install multiple apps according to the organization's requirements or lock down a device in kiosk mode. Kiosk mode limits the device use to the specified applications by running only apps that the user needs to access.

A device can have only one designated kiosk app. However, for Android, if a kiosk app links to other apps, the additional apps can be added too. Multi-app mode provides some lock down capabilities, but users are not permanently limited to a specific app. Furthermore, users can choose from the apps that are allowlisted on the device even though all other apps on the device are hidden from view and inaccessible.

For sample code, refer to https://developers.google.com/android/management/policies/dedicated-devices#kiosk-launcher
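The following Python check is an added example, not BigFix or Google code: it audits an Android kiosk policy written in the Android Management API JSON format described by the linked Android documentation. It assumes a custom kiosk policy uses that format; the package name, the sample policy, and the choice of the strictest values as the baseline are constructed for illustration.

```python
import json

# Strictest Android Management API `kioskCustomization` values (assumed baseline).
# They map to the system UI features that kiosk mode can disable.
STRICTEST = {
    "statusBar": "NOTIFICATIONS_AND_SYSTEM_INFO_DISABLED",  # notifications
    "systemNavigation": "NAVIGATION_DISABLED",              # home and recent apps
    "powerButtonActions": "POWER_BUTTON_BLOCKED",           # global actions menu
    "deviceSettings": "SETTINGS_ACCESS_BLOCKED",
    "systemErrorWarnings": "ERROR_AND_WARNINGS_MUTED",
}

def audit_kiosk_policy(policy: dict) -> list[str]:
    """Return findings for a policy dict; an empty list means nothing was flagged."""
    apps = policy.get("applications", [])
    kiosk_apps = [a.get("packageName") for a in apps if a.get("installType") == "KIOSK"]
    multi_app = policy.get("kioskCustomLauncherEnabled", False)

    # Neither single-app (installType KIOSK) nor multi-app (custom launcher) is set.
    if not kiosk_apps and not multi_app:
        return ["no kiosk mode configured"]

    findings = []
    # A device can have only one designated kiosk app.
    if len(kiosk_apps) > 1:
        findings.append(f"more than one KIOSK app: {kiosk_apps}")

    # Require every UI restriction to be stated explicitly, so the policy can be
    # reviewed without relying on API defaults.
    custom = policy.get("kioskCustomization", {})
    for field, want in STRICTEST.items():
        got = custom.get(field, "<unset>")
        if got != want:
            findings.append(f"kioskCustomization.{field} is {got}, expected {want}")
    return findings

# Constructed sample: single-app kiosk that leaves the home button reachable.
SAMPLE = json.loads("""
{
  "applications": [{"packageName": "com.example.checkin", "installType": "KIOSK"}],
  "kioskCustomization": {
    "statusBar": "NOTIFICATIONS_AND_SYSTEM_INFO_DISABLED",
    "systemNavigation": "HOME_BUTTON_ONLY",
    "powerButtonActions": "POWER_BUTTON_BLOCKED",
    "deviceSettings": "SETTINGS_ACCESS_BLOCKED"
  }
}
""")

if __name__ == "__main__":
    for finding in audit_kiosk_policy(SAMPLE):
        print(finding)
```

Whether a blocked power button or blocked Settings access suits a deployment is a local decision, so adjust the baseline before using the check as a gate.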

Targeting specific devices at pre-enrollment

By deploying a Policy Group to the MDM servers and supplying a suitable Smart Group, you can limit a kiosk mode configuration through Device Attribute rules. For example, you can specify a list of serial numbers, and only those enrollments with a device that matches a serial number get the kiosk mode setup.

Disabling kiosk mode

Android
To disable kiosk mode, unenroll the devices from MCM.
Apple
Devices can be removed from kiosk mode through the Remove Policy action in WebUI by selecting the specific kiosk mode policy that is installed on the device.