Kiosk management

Kiosk mode allows locking a device to only be able to run one or a small set of applications. It turns an Android or Apple phone or tablet into a dedicated device that can only run one or more specified app(s). Kiosk mode provides complete control over the device usage and ensures that the devices can be used only for the intended purposes. Mobile devices can run tasks in a kiosk mode by configuring the settings through a policy. This feature is applicable only for company owned devices. In a dedicated or supervised device, the device user can access only the apps allowed as per the active kiosk policy.

For example, in Medical Offices to run custom healthcare applications, at Point of Sale locations, or care dealerships, or to provide digital signage.​

Kiosk mode allows the Administrator to disable all the major system UI features such as notifications, home button, recent apps button, and global actions. WebUI allows Administrator to configure a kiosk policy to allow a single app or multiple apps to be installed and locked on a dedicated or a supervised mobile device.
Note: Device users cannot unenroll the device from MCM.
For complete information on Kiosk mode in Android devices, refer to the official Android documentation at https://developers.google.com/android/management/policies/dedicated-devices#kiosk_mode.

Supported OS versions

  • Android version 10.0 or later
  • iOS 9.3 or greater for Multi-Appmode; IOS 6.0 or greater for Single App mode

Supported enrollment types

  • Android: Device must be a dedicated device enrolled as Device Owner in Android Enterprise.
  • iOS/iPadOD: Device must be a supervised device.

Enabling Kiosk mode

To enable Kiosk mode, perform the following steps:
  1. Create a Kiosk policy to specify one or more apps to lock down a device in kiosk mode.
    1. For Apple mobile devices, also create an Appstore policy with the apps specified in the kiosk policy included. The Appstore policy deploys the applications and the kiosk policy locks the device to those apps. Both the policies must specify the same app or apps. Both these policies should be included within a Policy Group and when the Policy Group is defined it handles both the app installation and the lockdown together.
      Important: If you are deploying single-app kiosk mode for Apple devices as part of a Policy Group, include only VPP apps or specify an app that is already owned by the user (who’s apple ID is used on the target device). This is because, deploying a “Public” Appstore app could lead to an undesirable result as user interaction with the App store is required to complete the install, and such interaction will be blocked as soon as the kiosk policy is processed.
  2. Associate the kiosk policy (and Appstore policy as well in case of Apple devices) with policy group targeted for the following enrollment types only.
    1. Android - Dedicated
    2. iOS and iPadOS - Over the Air Enrollment, Automated Device Enrollment
  3. Deploy the policy group to MDM server or directly onto the selected devices.

Kiosk mode policy

You can create kiosk policy in the following ways:
  • From the Kiosk policy page - recommended.
  • As a custom policy with kiosk settings and upload the custom policy through WebUI.
  • From Custom from Template page.
    Note: Kiosk custom policy template is available only for Android. The name of the template isDedicated Device Example Template.
Warning: Android: In case of Android devices, kiosk feature is applicable only for dedicated devices. When you add a kiosk policy created from the Kiosk policy page to an Android policy group with enrollment types other than Dedicated, WebUI warns that the policy group is applicable only for Dedicated. However, with MCM v3.1, when you add a custom or custom from template policy with kiosk settings to an Android policy group with enrolment types other than Dedicated, the policy group is getting saved without any errors. Therefore, it is recommended for the users to ensure that you add the custom or custom from template policy with Android kiosk settings only to an Android policy group with enrolment type as Dedicated.

Single app kiosk mode

Single app kiosk mode restricts device access to a single application. In Android devices, you can set a single app as the device’s home app, so that the app is launched automatically when the device starts up or even rebooted.

Multiple app kiosk mode

You can install multiple apps as per the organization's requirements and lock down a device on Kiosk mode. However, Kiosk mode limits the device usage to the specified applications by running only those apps that the user needs to access.

A device can only have a single designated kiosk app. However, for Android, if a Kiosk app links to other apps, these additional apps can be added as well. Multi-app mode does provide some lock down capabilities, but uses are not permanently locked to a specific app and can choose from the apps that are whitelisted on the device although all other apps present on the device are hidden from view and inaccessible.

For more sample codes, refer to https://developers.google.com/android/management/policies/dedicated-devices#kiosk-launcher

Targeting specific devices at Pre-enrollment​

By deploying a Policy Group to the MDM servers and supplying a suitable Smart Group, kiosk mode configuration can be limited through Device Attribute rules, where for example, a list of serial numbers can be provided and only those enrollments where the device matches one of the serial numbers will it get the kiosk mode setup. ​

Disabling Kiosk mode

Android
To take out kiosk mode, the devices need to be unenrolled from MCM.
Apple
Devices can be taken out of kiosk mode through the Remove Policy action in webUI and selecting the specific kiosk mode policy that is installed on the device.​