Kiosk device policy

The Kiosk policy lets you restrict devices to Kiosk mode by limiting the apps that can run, as follows:

  • For Samsung SAFE devices: You can specify that only a specific app or apps can be used. This policy is useful for corporate devices that are designed to run only a specific type or class of apps. This policy also lets you choose custom images for the device home screen and lock screen wallpapers for when the device is in Kiosk mode.

  • For dedicated Android Enterprise devices, which are also known as corporate owned single use (COSU) devices: You can whitelist apps and set lock task mode. By default, Secure Hub and Google Play services are whitelisted.

  • For Windows 10 Desktop and Tablet devices: You can enable or disable Kiosk mode for one or more applications.

Citrix Endpoint Management does not control which part of the device locks in Kiosk mode. The device manages the Kiosk mode settings after you deploy the policy. To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

Samsung SAFE settings

To put a Samsung SAFE device into Kiosk mode

  1. Enable the Samsung SAFE API key on the mobile device, as described in Samsung MDM license key device policies. This step lets you enable policies on Samsung SAFE devices.

  2. Enable Firebase Cloud Messaging for Android devices, as described in Firebase Cloud Messaging. This step enables Android devices to connect back to Endpoint Management.

  3. Add a Kiosk device policy, as described in the next section.

  4. Assign those three device policies to the appropriate delivery groups. Consider whether you want to include other policies, such as App inventory, in those delivery groups.

    To remove the devices from Kiosk mode, create a Kiosk device policy that has Kiosk mode set to Disable. Update the delivery groups to remove the Kiosk policy that enabled Kiosk mode and to add the Kiosk policy that disables Kiosk mode.

To add a Kiosk device policy for Samsung SAFE

All apps that you specify for Kiosk mode must already be installed on the user devices.

Some options apply only to the Samsung Mobile Device Management (MDM) API 4.0 and later.

  • Kiosk mode: Click Enable or Disable. The default is Enable. When you click Disable, all the following options disappear.
  • Launcher package: Citrix recommends that you leave this field blank unless you have developed an in-house launcher to enable users to open the Kiosk app or apps. If you use an in-house launcher, enter the full name of the launcher application package.
  • Emergency phone number: Enter an optional phone number. Anyone can use this number to contact your company to find a lost device. Applies only to MDM 4.0 and later.
  • Allow navigation bar: Select whether to let users see and use the navigation bar while in Kiosk mode. Applies only to MDM 4.0 and later. The default is On.
  • Allow multi-window mode: Select whether to let users use multiple windows while in Kiosk mode. Applies only to MDM 4.0 and later. The default is On.
  • Allow status bar: Select whether to let users see the status bar while in Kiosk mode. Applies only to MDM 4.0 and later. The default is On.
  • Allow system bar: Select whether to let users see the system bar while in Kiosk mode. The default is On.
  • Allow task manager: Select whether to let users see and use the task manager while in Kiosk mode. The default is On.
  • Change Common SAFE passcode: This setting helps protect against inadvertent changes to the Common SAFE passcode field. When this setting is Off, you can’t change the Common SAFE passcode field. The default is Off.
  • Common SAFE passcode: If you set a general passcode policy for all Samsung SAFE devices, enter that optional passcode in this field.
  • Wallpapers
    • Define a home wallpaper: Select whether to use a custom image for the home screen while in Kiosk mode. The default is Off.
      • Home image: When you enable Define a home wallpaper, select the image file by clicking Browse and navigating to the file location.
    • Define a lock wallpaper: Select whether to use a custom image for the lock screen while in Kiosk mode. The default is Off. Applies only to MDM 4.0 and later.
      • Lock image: When you enable Define a lock wallpaper, select the image file by clicking Browse and navigating to the file location.
  • Apps: For each app that you want to add to Kiosk mode, click Add and then do the following:
    • New app to add: Enter the full name of the app to add. For example, com.android.calendar lets users use the Android calendar app.
    • Click Save to add the app or click Cancel to cancel adding the app.

Windows Desktop and Tablet settings

For Windows tablets we support multiple app kiosk configuration (AssignedAccess) starting from Windows 10, version 1803. We also support single app kiosk configuration (AssignedAccess) starting from Windows 10, version 1709.

Prerequisites:

Kiosk policy for Windows Desktop and Tablet only applies to local users and users enrolled in Azure Active Directory.

Note:

The upgrade to Citrix Endpoint Management 10.19.1 removes your previous Kiosk device policies for Windows Desktop and Tablet. Be sure to add a Kiosk policy for one or more applications.

  • Kiosk mode: Enables or disables Kiosk mode.
  • Application user model ID (AUMID): The ID of the app that you want to allow in Kiosk mode. To get a list of the AUMIDs for all Microsoft Store apps installed for the current device user, run the following PowerShell command.

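# Collect every Microsoft Store package installed for the current user
$installedapps = Get-AppxPackage

$aumidList = @()
foreach ($app in $installedapps)
{
    # A package can declare several applications; each has its own ID
    foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id)
    {
        # AUMID = <package family name>!<application ID>
        $aumidList += $app.packagefamilyname + "!" + $id
    }
}

# Print the resulting AUMID list
$aumidList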

Run multiple apps in Kiosk mode

Windows OS support: Windows 10 Enterprise or Education; Windows 10 Pro or Windows 10 S, minimum version 1803. CEM supports users enrolled in Azure AD. To add the Azure AD device, join the device to the domain.

Configure multiple apps

  • UWP and Win32 apps: Click Add and select the Universal Windows Platform (UWP) apps or Windows desktop app (Win32).
  • UWP AUMID or Win32 path: Provide the AUMID for each UWP app and the path for each Win32 app. For example,
    • UWP AUMID: Microsoft.WindowsCalculator_8wekyb3d8bbwe!App
    • Win32 path: %windir%\system32\mspaint.exe or C:\Windows\System32\mspaint.exe
  • Start layout: Only the default Start screen for apps is available.
  • Default XML: Only the default XML Script is available.
  • Select user type: Specify the user type to receive the Kiosk policy. Your options:
    • Local: CEM creates a new user for the target device or adds an existing user.
    • Azure AD: CEM adds users enrolled in Azure AD.
  • User name: Enter the user name to receive the Kiosk policy.
    • To create a local user name on the target device, type the name. Ensure your local user name doesn’t contain the domain. If you enter an existing name, CEM doesn’t create a new user or change the current password.
    • To add an Azure AD user, enter the name in the format azuread\user. The user portion can either be the Name entered when creating a new user in Azure AD, or the User name entered when creating a new user in Azure AD. The assigned user cannot be an Azure AD administrator.
  • Password: There is no password configuration for the Azure AD users. Type the password only for the local user name.
  • Show task bar: Enable the taskbar to provide users with an easy way to view and manage applications. The default is Off.
  • Click Next and save the changes.
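
The following is an added example, not part of the Citrix documentation. It checks, on a reference device, that each planned UWP AUMID or Win32 path entry resolves to something installed for the current user, and that the user name follows the format described above. The entry list, the user name kioskuser, the function names, and the 'Local'/'AzureAD' labels are assumptions of this script.

```powershell
# Added example: check planned kiosk entries on a reference device before deployment.
# Constructed sample input: replace with the values you plan to enter in the policy.
$KioskEntries = @(
    'Microsoft.WindowsCalculator_8wekyb3d8bbwe!App',
    '%windir%\system32\mspaint.exe'
)
$KioskUser = 'azuread\kioskuser'   # hypothetical user name
$UserType  = 'AzureAD'             # 'Local' or 'AzureAD' (labels used by this script only)

# AUMIDs of Store apps installed for the current user, built as in the command above.
$installedAumids = @(foreach ($app in Get-AppxPackage) {
    foreach ($id in (Get-AppxPackageManifest $app).Package.Applications.Application.Id) {
        $app.PackageFamilyName + '!' + $id
    }
})

function Test-KioskEntry {
    param([string]$Entry, [string[]]$KnownAumids)
    if ($Entry -match '^[^\\/:%]+![^\\/:%]+$') {
        # No path characters and a "!" between family name and app ID: treat as an AUMID.
        $kind  = 'UWP AUMID'
        $found = $KnownAumids -contains $Entry
    } else {
        # Otherwise treat as a Win32 path; expand %windir% and similar before testing.
        $kind  = 'Win32 path'
        $path  = [Environment]::ExpandEnvironmentVariables($Entry)
        $found = Test-Path -LiteralPath $path -PathType Leaf
    }
    [pscustomobject]@{ Entry = $Entry; Kind = $kind; Found = $found }
}

function Test-KioskUserName {
    param([string]$Name, [ValidateSet('Local', 'AzureAD')][string]$Type)
    # Local names must not carry a domain prefix; Azure AD names use azuread\user.
    if ($Type -eq 'Local') { return $Name -notmatch '\\' }
    return $Name -match '^azuread\\[^\\]+$'
}

$results = foreach ($e in $KioskEntries) { Test-KioskEntry -Entry $e -KnownAumids $installedAumids }
$results | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Found }).Count -gt 0) {
    Write-Warning 'At least one entry was not found on this device; correct it before deploying the policy.'
}
if (-not (Test-KioskUserName -Name $KioskUser -Type $UserType)) {
    Write-Warning "User name '$KioskUser' does not match the format expected for type $UserType."
}
```

Run it as the user who has the kiosk apps installed, because Get-AppxPackage without parameters lists packages for the current user only.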

Chrome OS settings

Assign the Kiosk policy to a specific delivery group rather than the All Users group. After you successfully enroll the device and sign out, Kiosk mode launches on the device.

To remove the device from Kiosk mode, select the device and delete it from the administrator console. This removes all of the policies pushed from the Endpoint Management console to the device.

Kiosk policy for Chrome OS

  • Heartbeat setting: Monitor the status of the device. The default is On.
  • Device log upload enabled: Store the record of events from the Chrome device. You can locate the .log file in the G Suite domain. The default is On.
  • Device status alert delivery: Send alert notifications via email or text messages. Only configured emails and mobile numbers get notifications.
    • Email addresses: If you select the Email box, specify the email addresses to receive the alerts. Save the changes.
    • Mobile numbers: If you select the SMS box, specify the phone numbers to receive the alerts. Save the changes.

Configure multiple kiosk apps

To add multiple apps, click Add.

  • App name: Enter the full name of the app to add.
  • App ID: Specify the ID of the app that you want to allow in Kiosk mode.
  • URL: Specify the URL to download the app. You can enter a specific URL or download the app from the App Store.
  • Extension policy: Customize the browsing experience by adjusting Chrome functionality and behavior. Enter a configuration code that contains a valid JSON object.
  • Click Next and save the changes. Users can start the apps in Kiosk mode after you deploy the policy.

Auto launch apps in Kiosk mode

Prerequisite:

Before configuring auto launch, add the apps to the Kiosk policy.

Configure auto launch apps

  • Auto launch kiosk app: Launches the Kiosk policy when users start the device.
    • App name: Enter the full name of the app to auto launch.
    • App ID: Specify the ID of the app that you want to allow in Kiosk mode.
    • Enable auto login cancel: When the device starts, provide users with the option to sign in using the regular sign-in screen. The default is On.
    • Prompt for network when offline: Let users select a network when the device enters Kiosk mode. The default is On.

Android Enterprise settings

To whitelist an app, click Add. You can whitelist multiple apps. For more information, see Android Enterprise.

  • Apps to whitelist: Enter the package name of the app you want to whitelist or select the app from the list.
    • Click Add new to enter the package name of the app approved to show in the list.
    • Select the existing app from the list. The list shows apps that are uploaded in Endpoint Management. By default, Secure Hub and Google Play services are whitelisted.
  • Lock task mode: Choose Allow to set the app to be pinned to the device screen when the user starts the app. Choose Deny to set the app not to be pinned. The default is Allow.

When an app is in lock task mode, the app is pinned to the device screen when the user opens it. No Home button appears and the Back button is disabled. The user exits the app using an action programmed into the app, such as signing out.