Apple Kiosk: How to enable kiosk mode on iPhone/iOS devices?
What is Apple Kiosk/iOS Kiosk?
Apple Kiosk Mode or iOS Kiosk Mode is a restrictive mode available in iPhones to lock down devices to a single app or a specific set of apps. It's also commonly know as iOS app lock.
With iOS devices and single-purpose devices finding an exponential level of usage in organizations, ensuring devices are locked to specific apps and/or settings becomes a cumbersome task for system administrators. With Kiosk for iOS devices and iPad Kiosk Mode, this can be easily and efficiently solved as it lets you lock the devices to specific and/or settings as well as ensure the user cannot move away from the app or modify the settings. Additionally, users cannot access any other features present on the device. The other advantage is that, you can also provision Web Shortcuts under Kiosk as well. You can enable kiosk for Apple TV and iOS devices.Kiosk can be understood better from the following flow diagram:
Pre-requisites
- The devices must be Supervised.
- For single-app Kiosk, iPhones and iPads must be running iOS 6 or later versions.
- For multi-app Kiosk, iPhones and iPads must be running iOS 9.3 or later versions.
- For Autonomous Single App Mode, iPhones and iPads must be running iOS 7.0 or later versions
- To facilitate automatic app installation and update, the apps provisioned in Kiosks must be purchased/approved through ABM.
Single App Mode (SAM)
Single App Mode lets you restrict a Supervised device to a single app and ensure only that app to stay in the foreground allowing the users to perform only specific tasks on the designated device. In addition, you can pre-configure device functionalities such as Touch, volume buttons, etc., to prevent users from modifying the configured settings on the device.
- Kiosk with web shortcut(s) - Set up a Kiosk device with access restricted to only a specified web shortcut while blocking access to the web entirely. You can force auto-refresh web shortcuts after specific time intervals. Auto-refresh clears the session and cookies ensuring the data entered by one user is not accessible to other users.
- Digital Signage - Create interactive customer experience by setting up a digital signage, designated for displaying engaging content at POS/POI terminals.
- POS Terminal - Lock devices to any point-of-service application to fit the business needs for hospitality, retail, health care and more.
Multi App Mode
Multi App Mode restricts the corporate devices to two or more apps and web shortcuts approved by the organization, ensuring optimum use of the device for business, minimizing distractions and enhancing data security by preventing users from downloading any unapproved applications. Additionally, Multi App Mode is bundled with the perks of customizing the device Home screen and switching to Single App Mode for a particular duration using Autonomous Apps.
Autonomous Apps
Autonomous app lets you temporarily lock the device into a specific app, preventing users from accessing other apps for a particular duration or until the task is completed. Enabling Autonomous app limits access to features such as auto-correct, spell check, etc., and restricts users from switching between apps, exiting the app or returning to Home screen.
Note: Only apps that support Autonomous Single App Mode functionality as explained in Apple Developer document can be enabled using MDM Kiosk.
Home Screen Layout Customization
Home screen Layout customization lets you tailor the Home screen to your preferences by organizing app or web shortcut icons on the Home screen and providing convenient access to apps/ web shortcuts users need the most. You can also add frequently used apps to the Dock for easier access when user swipes across any of the Home screen, and add pages or folders to the Home screen. Since Home screen customization prevents users from rearranging icons or uninstalling apps pinned to the Home screen, you can define a standardized layout on corporate devices, creating a consistent user experience while accessing the apps.
Note: Only web shortcuts added in the Kiosk profile can be customized to desired position. Web shortcuts added from other profiles will be listed after the ones configured in Kiosk profile.
Automate App Installation
MDM MSP lets you automate installation of apps provisioned in Kiosk (both Store and enterprise apps) to ensure seamless Kiosk profile association. Enterprise apps provisioned in Kiosk will be silently installed on the devices once the profile is distributed to the devices. In case of Store apps, to automate Kiosk app installation, ABM needs to be configured to ensure apps install without requiring Apple ID and only apps purchased through ABM can be installed silently on the devices. You can learn more about silent installation of apps using ABM here.
It is recommended that you ensure the app has adequate licenses, before associating the Kiosk profile to groups/devices. You can know license details of any app by, navigating to App Repository and clicking on the app.
Automate App Updates
In addition to silent installation of apps provisioned in Kiosk, MDM MSP also allows you to update these apps silently without any user intervention. For enterprise apps, the app gets updated in the background without affecting the app usage. The apps will be updated silently only if ABM is configured to ensure apps install without requiring Apple ID. While updating ABM-purchased apps, devices secured with a passcode are automatically locked over-the-air and in case of devices with no passcode, if ME MDM app is installed on the device, the app will be provisioned as the Kiosk app during the update or the device will be temporarily inoperable if ME MDM is not installed on the device. If the apps provisioned under Kiosk are not purchased via ABM, you need to remove the Kiosk profile, update the apps and then re-associate the Kiosk profile.
It is recommended that you update the apps during scheduled device maintenance to avoid operational breakages.
Provisioning app(s)/ web shortcut(s) under Kiosk
- You can provision apps added to the App Repository or already present in any one of the managed devices. This can include pre-installed apps, Store apps and enterprise apps.
- You can add new web shortcuts or provision web shortcuts already configured in other profiles.
- If a web shortcut is edited, it will also be modified in the Kiosk profile and updated in the Kiosk devices.
- In Multi App Mode, web shortcuts and bookmarks created by the users on the device will be displayed in addition to the ones provisioned in Kiosk profile.
Policy Description
PROFILE SETTINGS | DESCRIPTION |
---|---|
Configure | Specify whether the device is to be locked to a single app, autonomous app or multiple apps. In multi-app Kiosk mode, Phone and Settings apps are enabled by default. |
Allowed App(s)/ Web shortcut(s) | Select the app(s) or web shortcut(s) that are allowed to run on the device. If auto-install is not enabled in the Kiosk profile, it is recommended to push the app and ensure it is installed on the device before applying the Kiosk profile |
Add App(s)/ Web shortcut(s) | Allow app(s) that are already present on the device to be provisioned as Kiosk app(s) by specifying the app name and Bundle ID. Add web shortcut(s) by entering the web shortcut name, URL to be linked and icon to be displayed. |
Automatically install requisite apps if not present on the device (Applicable only for Multi App Mode) |
If enabled, apps provisioned in Kiosk will be automatically installed if silent installation is supported. If silent installation isn't supported, the apps get distributed to the App Catalog, from where the user needs to install it. Similarly, web shortcuts provisioned in Kiosk will also be automatically distributed to devices. In case you chose to disable this option after associating the profile, devices to which the policy was previously distributed will remain unaffected. |
Refresh browser if idle for more than (Applicable only for Single App Mode) | Specify the minimum time period of device inactivity, after which the web shortcut will auto-refresh and return to the main URL. Note: Auto-refresh clears session and cookies. |
Autonomous app(s) (Applicable only for Multi App Mode) | Select the app(s) allowed to enter and exit Single App Mode autonomously for a specified duration |
Show ME MDM App (Applicable only for Multi App Mode) | You can choose to show the ManageEngine MDM app or ME MDM app on the device to enable the user to install distributed apps from the App Catalog. |
SETTINGS (Applicable only for Single App Mode) | |
Touch | Enabling this will lock the device to a single screen. User cannot perform any touch operations, other than waking up the device. |
Screen Rotation | Enable or disable Screen rotation on the device. If restricted, the screen will locked in Portrait mode. |
Volume Buttons | If volume buttons are disabled, user cannot increase or decrease the current volume level on the device by using the physical buttons on the device. |
Ringer Switch | Diasbling this restricts the user from changing the existing settings. If the device is in silent mode, then the device will remain the same and user will not have any control over it |
Sleep/Wake Button | Diasbling this restricts the user from changing the existing settings. If the device is awake, then the device will remain the same and user will not have any control over it. If you restrict Sleep/Wake button, it is recommended to keep the screen timeout on the device to "None", so that the device does not go to Sleep Mode. In case the device goes to Sleep Mode, it is required to restart the device by long-pressing the Power Button. |
Auto Lock | Enable/Disable Auto Lock option on the device.This configuration overrides the Auto-lock option set in Passcode policy, if both the policies distibuted to the same device. |
Speak Selection | Enable/Disable Speak Selection on the device. |
Mono Audio | Enable/Disable Mono Audio on the device. |
VoiceOver | Enable/Disable VoiceOver on the device |
Zoom | Enable/Disable Zoom accessibility settings on the device |
Invert Colours | Enable/Disable Invert Colours options on the device |
Assistive Touch | Enable/Disable Assistive Touch on the device |
EDIT SCREEN LAYOUT | |
Dock | Enable or disable this option to add apps/ web shortcut to the Dock. In iPhones, a maximum of 4 apps can be added to the Dock, while in iPads, a maximum of 6 apps can be added. |
Note: Distribute only one Kiosk profile to the managed devices to avoid profile conflicts.
FAQs
- Some of the apps provisioned in Kiosk are not present on the device?
In multi-app mode, Kiosk will be configured only for the apps present on the device. In case you have not automated app installation, you need to manually distribute app(s) that are/is not present on the device and install the app(s) silently or manually from the App Catalog. On successful installation of the app(s), the Kiosk Profile will automatically get re-associated to the device. - How to update apps provisioned in Kiosk using MDM MSP?
Store apps can be manually updated by the user if App Store is provisioned as an app in Kiosk. Otherwise the app update needs to be distributed via MDM MSP as explained here. In case of enterprise apps, you need to update the latest version of the source file (.ipa) on the App Repository and then update the app on the devices. - How can I enable app permissions when a device is put into Kiosk Mode?
Once a device is put into Single App Mode, no permission prompt will be generated. This means that the app cannot access camera, contacts, or location services. These settings should be manually enabled on the device before putting the device into Single App Kiosk. - How to open web shortcuts in a browser?
If you want to provision Web Shortcuts to open in a browser, you can do so only by setting up multi-app Kiosk with the browser app (ex: Safari) as one of the Kiosk apps. Once the web shortcut is opened in a browser, the shortcut icon configured in MDM MSP gets replaced with the icon associated with the particular URL. - What if a device provisioned in Kiosk has lost internet connectivity?
If a Kiosk device has no network connectivity, the remote commands executed from the MDM MSP Console like Scan or disassociating Kiosk profile will not be executed until the device comes into contact with the server. If the device has completely lost contact with the server, MDM MSP Profile need to be removed to recover the device from Kiosk as explained here.