Kiosk device policy

The Kiosk policy lets you restrict devices to Kiosk mode by limiting the apps that can run, as follows:

  • For Samsung SAFE devices: You can specify that only a specific app or apps can be used. This policy is useful for corporate devices that are designed to run only a specific type or class of apps. This policy also lets you choose custom images for the device home screen and lock screen wallpapers for when the device is in Kiosk mode.

  • For dedicated Android Enterprise devices, which are also known as corporate owned single use (COSU) devices: You can allow apps and set lock task mode. By default, Secure Hub and Google Play services are on the allow list.

  • For Windows 10 Desktop and Tablet devices: You can enable or disable Kiosk mode for one or more applications.

You can also set up iPads to run in Kiosk mode using the App lock device policy. For more information about setting up iPads as kiosks, see Configure an iPad as a kiosk.

Citrix Endpoint Management does not control which part of the device locks in Kiosk mode. The device manages the kiosk mode settings after you deploy the policy. To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

Samsung SAFE settings

To put a Samsung SAFE device into Kiosk mode

  1. Enable the Samsung SAFE API key on the mobile device, as described in Samsung MDM license key device policies. This step lets you enable policies on Samsung SAFE devices.

  2. Enable Firebase Cloud Messaging for Android devices, as described in Firebase Cloud Messaging. This step enables Android devices to connect back to Endpoint Management.

  3. Add a Kiosk device policy, as described in the next section.

  4. Assign those three device policies to the appropriate delivery groups. Consider whether you want to include other policies, such as App inventory, in those delivery groups.

    To remove the devices from Kiosk mode, create a Kiosk device policy that has Kiosk mode set to Disable. Update the delivery groups to remove the Kiosk policy that enabled Kiosk mode and to add the Kiosk policy that disables Kiosk mode.

To add a Kiosk device policy for Samsung SAFE

All apps that you specify for Kiosk mode must already be installed on the user devices.

Some options apply only to the Samsung Mobile Device Management (MDM) API 4.0 and later.

  • Kiosk mode: Click Enable or Disable. The default is Enable. When you click Disable, all the following options disappear.
  • Launcher package: Citrix recommends that you leave this field blank unless you have developed an in-house launcher to enable users to open the Kiosk app or apps. If you use an in-house launcher, enter the full name of the launcher application package.
  • Emergency phone number: Enter an optional phone number. Anyone can use this number to contact your company to find a lost device. Applies only to MDM 4.0 and later.
  • Allow navigation bar: Select whether to let users see and use the navigation bar while in Kiosk mode. Applies only to MDM 4.0 and later. The default is On.
  • Allow multi-window mode: Select whether to let users use multiple windows while in Kiosk mode. Applies only to MDM 4.0 and later. The default is On.
  • Allow status bar: Select whether to let users see the status bar while in Kiosk mode. Applies only to MDM 4.0 and later. The default is On.
  • Allow system bar: Select whether to let users see the system bar while in Kiosk mode. The default is On.
  • Allow task manager: Select whether to let users see and use the task manager while in Kiosk mode. The default is On.
  • Change Common SAFE passcode: This setting helps protect against inadvertent changes to the Common SAFE passcode field. When this setting is Off, you can’t change the Common SAFE passcode field. The default is Off.
  • Common SAFE passcode: If you set a general passcode policy for all Samsung SAFE devices, enter that optional passcode in this field.
  • Wallpapers
    • Define a home wallpaper: Select whether to use a custom image for the home screen while in Kiosk mode. The default is Off.
      • Home image: When you enable Define a home wallpaper, select the image file by clicking Browse and navigating to the file location.
    • Define a lock wallpaper: Select whether to use a custom image for the lock screen while in Kiosk mode. The default is Off. Applies only to MDM 4.0 and later.
      • Lock image: When you enable Define a lock wallpaper, select the image file by clicking Browse and navigating to the file location.
  • Apps: For each app that you want to add to Kiosk mode, click Add and then do the following:
    • New app to add: Enter the full name of the app to add. For example, com.android.calendar lets users use the Android calendar app.
    • Click Save to add the app or click Cancel to cancel adding the app.

Windows Desktop and Tablet settings

For Windows Desktop and Tablet devices, the Kiosk policy applies only to local users and users enrolled in Azure AD.

A single app or multiple apps can run in Kiosk mode on Windows Desktop and Tablet devices.

Prerequisites:

  • To run a single app in Kiosk mode: Windows 10, version 1709 or later
  • To run multiple apps in Kiosk mode: Windows 10, version 1803 or later

Configure multiple apps

  • UWP and Win32 apps: Click Add and select Universal Windows Platform (UWP) app or Windows desktop app (Win32).
  • UWP AUMID or Win32 path: Provide the application user model ID (AUMID) for each UWP app and the path for each Win32 app. For example,
    • UWP AUMID: Microsoft.WindowsCalculator_8wekyb3d8bbwe!App
    • Win32 path: %windir%\system32\mspaint.exe or C:\Windows\System32\mspaint.exe
  • Start layout: Only the default start screen for apps is available.
  • Default XML: Only the default XML script is available.
  • Select user type: Specify the user type to receive the Kiosk policy. Your options:
    • Local: Endpoint Management creates a user for the target device or adds an existing user.
    • Azure AD: Endpoint Management adds users enrolled in Azure AD.
  • User name: Enter the user name to receive the Kiosk policy.
    • To create a local user name on the target device, enter the name. Ensure that your local user name doesn’t contain the domain. If you enter an existing name, Endpoint Management doesn’t create a user or change the current password.
    • To add an Azure AD user, enter the name in the format azuread\user. The user portion can be either the Name entered when creating a user in Azure AD, or the User name entered when creating a user in Azure AD. The assigned user cannot be an Azure AD administrator.
  • Password: There is no password configuration for the Azure AD users. Type the password only for the local user name.
  • Show task bar: Enable the taskbar to provide users with an easy way to view and manage applications. The default is Off.
  • Click Next and save the changes.

For a UWP app that you want to allow in Kiosk mode, you need to provide the AUMID. To get a list of the AUMIDs for all Microsoft Store apps installed for the current device user, run the following PowerShell command:


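# Enumerate the Microsoft Store (Appx) packages installed for the current user
$installedapps = Get-AppxPackage

# Build each AUMID as <PackageFamilyName>!<ApplicationId> from the package manifest
$aumidList = @()
foreach ($app in $installedapps)
{
    foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id)
    {
        $aumidList += $app.packagefamilyname + "!" + $id
    }
}

# Print the resulting list of AUMIDs
$aumidList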
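
Before you enter AUMIDs and Win32 paths in the policy, you can check a planned allow list against a reference device. The following is an added example, not part of the Citrix documentation: the function names Get-InstalledAumid and Test-KioskAllowList and the $KioskAllowList variable are hypothetical, and the sample entries reuse the two values shown earlier in this section.

```powershell
# Added example: pre-deployment check of a planned multi-app kiosk allow list.
# $KioskAllowList is a constructed sample; replace it with your own entries.
$KioskAllowList = @(
    @{ Type = 'UWP';   Value = 'Microsoft.WindowsCalculator_8wekyb3d8bbwe!App' }
    @{ Type = 'Win32'; Value = '%windir%\system32\mspaint.exe' }
)

function Get-InstalledAumid {
    # Same enumeration as the command above, emitted as pipeline output.
    foreach ($app in Get-AppxPackage) {
        foreach ($id in (Get-AppxPackageManifest $app).Package.Applications.Application.Id) {
            "$($app.PackageFamilyName)!$id"
        }
    }
}

function Test-KioskAllowList {
    param([Parameter(Mandatory)] [hashtable[]] $Entries)

    $installed = @(Get-InstalledAumid)
    foreach ($entry in $Entries) {
        $ok = $false
        $detail = ''
        switch ($entry.Type) {
            'UWP' {
                # -contains compares strings case-insensitively
                $ok = $installed -contains $entry.Value
                if (-not $ok) { $detail = 'AUMID not installed for the current user' }
            }
            'Win32' {
                # Expand %windir% and similar variables before testing the path
                $path = [Environment]::ExpandEnvironmentVariables($entry.Value)
                $ok = Test-Path -LiteralPath $path -PathType Leaf
                if ($ok) {
                    # Report the Authenticode status so unsigned binaries stand out
                    $detail = "Signature: $((Get-AuthenticodeSignature -LiteralPath $path).Status)"
                } else {
                    $detail = "File not found: $path"
                }
            }
            default { $detail = "Unknown type '$($entry.Type)'" }
        }
        [pscustomobject]@{ Type = $entry.Type; Value = $entry.Value; Valid = $ok; Detail = $detail }
    }
}

Test-KioskAllowList -Entries $KioskAllowList | Format-Table -AutoSize
```

Run the check as the user whose installed apps you want to compare against, because Get-AppxPackage without parameters lists packages for the current user only.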

Chrome OS settings

Assign the Kiosk policy to a specific delivery group rather than the All Users group. After successfully enrolling the device and signing out, Kiosk mode launches on the device.

To remove the device from Kiosk mode, select the device and delete it from the administrator console. This action removes all the policies pushed from the Endpoint Management console to the device.

Kiosk policy for Chrome OS

  • Heartbeat setting: Monitor the status of the device. The default is On.
  • Device log upload enabled: Store the record of events from the Chrome device. You can locate the .log file in the G Suite domain. The default is On.
  • Device status alert delivery: Send alert notifications via email or text messages. Only configured emails and mobile numbers get notifications.
    • Email addresses: If you select the Email box, specify the email addresses to receive the alerts. Save the changes.
    • Mobile numbers: If you select the SMS box, specify the phone numbers to receive the alerts. Save the changes.

Configure multiple kiosk apps

To add multiple apps, click Add.

  • App name: Enter the full name of the app to add.
  • App ID: Specify the ID of the app that you want to allow in Kiosk mode.
  • URL: Specify the URL to download the app. You can enter a specific URL or download the app from the App Store.
  • Extension policy: Customize the browsing experience by adjusting Chrome functionality and behavior. Enter a configuration code that contains a valid JSON object.
  • Click Next and save the changes. Users can start the apps in Kiosk mode after you deploy the policy.

Auto launch apps in Kiosk mode

Prerequisite:

Before configuring auto launch, add the apps to the Kiosk policy.

Configure auto launch apps

  • Auto launch kiosk app: Launches the Kiosk policy when users start the device.
    • App name: Enter the full name of the app to auto launch.
    • App ID: Specify the ID of the app that you want to allow in Kiosk mode.
    • Enable auto login cancel: When the device starts, provide users with the option to sign in using the regular sign-in screen. The default is On.
    • Prompt for network when offline: Let users select a network when the device enters Kiosk mode. The default is On.

Android Enterprise settings

To allow an app, click Add. You can add multiple apps to the allow list. For more information, see Android Enterprise.

  • Apps to whitelist: Enter the package name of the app you want to allow or select the app from the list.

    Note:

    The Endpoint Management console includes the terms “blacklist” and “whitelist”. We are changing those terms in an upcoming release to “block list” and “allow list”.

    • Click Add new to enter the package name of the allowed app in the list.
    • Select the existing app from the list. The list shows apps that are uploaded in Endpoint Management. By default, Secure Hub and Google Play services are on the allow list.
  • Lock task mode: Choose Allow to set the app to be pinned to the device screen when the user starts the app. Choose Deny to set the app not to be pinned. The default is Allow.

When an app is in lock task mode, the app is pinned to the device screen when the user opens it. No Home button appears and the Back button is disabled. The user exits the app using an action programmed into the app, such as signing out.