Android Kiosk management

Kiosk mode provides complete control over device usage and ensures that devices can be used only for their intended purposes. Android can run tasks in kiosk mode when the settings are configured through a custom policy. This feature is applicable only to company-owned devices. When Kiosk mode is enabled, a fully managed device becomes a dedicated device. On a dedicated device, the device user can access only the apps allowed by the active policy.

Kiosk mode allows the Administrator to disable all the major system UI features, such as notifications, the home button, the recent apps button, and global actions. WebUI allows the Administrator to configure a policy that installs and locks a single app or multiple apps on a dedicated device.

For complete information on Kiosk mode, refer to the official Android documentation at https://developers.google.com/android/management/policies/dedicated-devices#kiosk_mode.

Prerequisites
  • Device must have Android version 10.0 or later.
  • Device must be a dedicated device enrolled as Device Owner in Android Enterprise.

Kiosk mode configuration

You can enable Kiosk mode on a device in the following ways:
  • If a device requires users to access a single app or multiple apps along with additional custom settings, enable the device's custom launcher by setting "kioskCustomLauncherEnabled": true in the policy. If Kiosk mode is enabled with this setting:
    • Only the apps that are allowed through the policy are accessible.
    • Users can click and navigate through the allowlisted apps but cannot exit Kiosk mode.
    • The user cannot unenroll the device from MCM.

or

  • If a device must restrict users to a single designated kiosk app, set the app's installType to KIOSK in the policy. If Kiosk mode is enabled with this setting:
    • The designated app is pinned to the device screen, and the device user cannot exit the app screen.
    • All other apps and screens, including the home screen and notifications, become inaccessible.
    • The user cannot unenroll the device from MCM.

Note: You can configure either "kioskCustomLauncherEnabled": true or, for a preferred application, "installType": "KIOSK", but not both. If you configure both together, the Android log shows the error "Kiosk install type cannot be used if kioskCustomLauncherEnabled is true".

Additionally, to keep the device unlocked (for public kiosks, for example), set "keyguardDisabled": true.

Single app Kiosk mode

Single app kiosk mode restricts device access to a single application. You can set your app as the device's home app so that it launches automatically when the device starts up or is rebooted.

"applications": [
  {
    "packageName": "com.example.app",
    "installType": "KIOSK",
    "defaultPermissionPolicy": "GRANT"
  }
]

Multiple app kiosk mode

You can also install multiple apps pertinent to the organization's requirements and lock down a device in Kiosk mode. Kiosk mode then limits device usage to the specified applications, running only the apps the user needs to access.

A device can only have a single designated kiosk app (installType set to KIOSK). However, if a Kiosk app links to other apps, these additional apps can be added to applications. Ensure that the installType for any additional apps is not set to KIOSK or BLOCKED.

"applications": [
 {
   "packageName": "com.example.app",
   "installType": "KIOSK",
   "defaultPermissionPolicy": "GRANT"
 },
 {
   "packageName": "com.example.app_to_be_linked",
   "installType": "FORCE_INSTALLED",
   "defaultPermissionPolicy": "GRANT"
 }
]
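
The rules above (one designated KIOSK app at most, and never KIOSK together with "kioskCustomLauncherEnabled": true) can be checked before a policy is uploaded. The following Python sketch is an added example, not code from the product or from the Android documentation; the function name, the rule labels and the linked_packages parameter are assumptions made for illustration, and the sample policies are constructed.

```python
import json

def lint_kiosk_policy(policy_text, linked_packages=()):
    """Return (rule, message) findings for a policy JSON string; [] means clean.

    Rule names and linked_packages are this example's own, not product fields.
    """
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        # Trailing commas, // comments and unbalanced braces all land here.
        return [("invalid-json", f"{exc.msg} at line {exc.lineno}")]
    if not isinstance(policy, dict):
        return [("invalid-json", "top level must be a JSON object")]

    raw = policy.get("applications")
    apps = [a for a in raw if isinstance(a, dict)] if isinstance(raw, list) else []
    launcher = policy.get("kioskCustomLauncherEnabled") is True
    kiosk = [a.get("packageName") for a in apps if a.get("installType") == "KIOSK"]
    findings = []
    if launcher and kiosk:
        # The combination the page's Note says produces an error in the Android log.
        findings.append(("launcher-and-kiosk",
                         f"kioskCustomLauncherEnabled is true but {kiosk} use KIOSK"))
    if len(kiosk) > 1:
        findings.append(("multiple-kiosk", f"one KIOSK app allowed, found {kiosk}"))
    if not launcher and not kiosk:
        findings.append(("no-kiosk", "policy sets neither kiosk option"))
    for app in apps:
        # Apps the kiosk app links to must not be BLOCKED.
        if app.get("packageName") in linked_packages and app.get("installType") == "BLOCKED":
            findings.append(("linked-app-blocked", f"{app['packageName']} is BLOCKED"))
    return findings

# Constructed sample policies; package names are placeholders.
MULTI_APP = """{"applications": [
  {"packageName": "com.example.app", "installType": "KIOSK"},
  {"packageName": "com.example.app_to_be_linked", "installType": "FORCE_INSTALLED"}]}"""
CONFLICT = """{"kioskCustomLauncherEnabled": true, "applications": [
  {"packageName": "com.example.app", "installType": "KIOSK"},
  {"packageName": "com.example.other", "installType": "KIOSK"}]}"""
TRAILING_COMMA = '{"kioskCustomLauncherEnabled": true, "applications": [{"packageName": "com.example.app"},]}'

if __name__ == "__main__":
    for name, text in [("multi", MULTI_APP), ("conflict", CONFLICT), ("comma", TRAILING_COMMA)]:
        print(name, lint_kiosk_policy(text))
```

An empty result means the policy passes these checks only; it does not confirm that the policy will be accepted on upload.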

Enabling Kiosk mode

To enable Kiosk mode, perform the following:
  1. Create a custom policy to configure an app or set of apps to be installed in Kiosk mode.
  2. Upload the policy through WebUI.
  3. Add the created app policy to a policy group targeted for dedicated devices.
  4. Deploy the policy group to the MDM server or directly onto the selected devices.

Sample JSON code to enable Kiosk mode on a dedicated device. The systemUpdate setting specifies that system updates will be auto-installed during a daily maintenance window between 2am and 4am:

{
  "safeBootDisabled": true,
  "screenCaptureDisabled": true,
  "factoryResetDisabled": true,
  "cameraDisabled": true,
  "systemUpdate": {
    "type": "WINDOWED",
    "startMinutes": 120,
    "endMinutes": 240
  },
  "kioskCustomLauncherEnabled": true,
  "keyguardDisabled": true,
  "networkEscapeHatchEnabled": true,
  "applications": [
    {
      "packageName": "com.microsoft.office.outlook",
      "installType": "FORCE_INSTALLED",
      "defaultPermissionPolicy": "GRANT"
    }
  ]
}

For more sample code, refer to https://developers.google.com/android/management/policies/dedicated-devices#kiosk-launcher

Disabling Kiosk mode

A policy can remotely stop Kiosk mode by removing the app package from the allow list.