Citrix Endpoint Management

Kiosk device policy

The Kiosk policy lets you restrict devices to Kiosk mode by limiting the apps that can run. Citrix Endpoint Management does not control which part of the device locks in Kiosk mode. The device manages the kiosk mode settings after you deploy the policy.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

To set up iPads to run in Kiosk mode, use the App lock device policy. For information about setting up iPads as kiosks, see Configure an iPad as a kiosk. You can also configure an iPad to open only a single website. For information, see the Webclip policy.

Windows Desktop and Tablet settings

For Windows Desktop and Tablet devices, the Kiosk policy applies only to local users and users enrolled in Azure AD.

A single app or multiple apps can run in Kiosk mode on Windows Desktop and Tablet devices.


The Kiosk device policy applies only to Windows 10 devices. To deploy a single-app kiosk on Windows 11 devices, you can use the Custom XML device policy to deploy the XML script we provide to the devices. For more information, see Deploy a single-app kiosk on Windows 11 devices.

Configure multiple apps

  • UWP app AUMID: Click Add, select Universal Windows Platform (UWP) app, and enter the application user model ID (AUMID) for each UWP app. For example, enter the following AUMID:
    • Microsoft.WindowsCalculator_8wekyb3d8bbwe!App
  • Win32 app path and Win32 app AUMID: Click Add, select Windows desktop (Win32) app, and enter the path and the AUMID for each Win32 app. For example, enter the following path and AUMID:
    • %windir%\system32\mspaint.exe or C:\Windows\System32\mspaint.exe
    • {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe
  • Start layout: Only the default start screen for apps is available.
  • Default XML: Only the default XML script is available.
  • Select user type: Specify the user type to receive the Kiosk policy. Your options:
    • Local: Citrix Endpoint Management creates a user for the target device or adds an existing user.
    • Azure AD: Citrix Endpoint Management adds users enrolled in Azure AD.
  • User name: Enter the user name to receive the Kiosk policy.
    • To create a local user name on the target device, enter the name. Ensure that your local user name doesn’t contain the domain. If you enter an existing name, Citrix Endpoint Management doesn’t create a user or change the current password.
    • To add an Azure AD user, enter the name in the format azuread\user. The user portion can be either the Name entered when creating a user in Azure AD, or the User name entered when creating a user in Azure AD. The assigned user cannot be an Azure AD administrator.
  • Password: There is no password configuration for the Azure AD users. Type the password only for the local user name.
  • Show task bar: Enable the taskbar to provide users with an easy way to view and manage applications. The default is Off.
  • Click Next and save the changes.

For a UWP app that you want to allow in Kiosk mode, you need to provide the AUMID. To get a list of the AUMIDs for all Microsoft Store apps installed for the current device user, run the following PowerShell command:

$installedapps = get-AppxPackage

$aumidList = @()
foreach ($app in $installedapps)
    foreach ($id in (Get-AppxPackageManifest $app)
        $aumidList += $app.packagefamilyname + "!"+ $id


Android Enterprise settings

You can allow apps and set lock task mode for dedicated Android Enterprise devices, which are also known as corporate owned single use (COSU) devices.

To allow an app, click Add. You can add multiple apps to the allow list. For more information, see Android Enterprise.

  • Apps to allow: Enter the package name of the app you want to allow or select the app from the list.
    • Click Add new to enter the package name of the allowed app in the list.
    • Select the existing app from the list. The list shows apps that are uploaded in Citrix Endpoint Management. By default, Citrix Secure Hub and Google Play services are on the allow list. Kiosk policy allowed apps
  • Lock task mode: Choose Allow to set the app to be pinned to the device screen when the user starts the app. Choose Block to set the app not to be pinned. Default is Allow.

When an app is in lock task mode, the app is pinned to the device screen when the user opens it. No Home button appears and the Back button is disabled. The user exits the app using an action programmed into the app, such as signing out.

Kiosk device policy