Kiosk
With POS devices finding an exponential level of usage, the need to convert mobile devices to single-purpose devices is on the rise. But locking the devices to a single app is an arduous task for admins, as they need to configure these devices to ensure no other apps are installed and users do not navigate away from the locked app. Furthermore, it is difficult to manually manage and restrict the settings on each of these devices. POS devices are usually at critical points in an organization and any user modifications to the settings may lead to device downtime and loss of productivity. With MDM's Kiosk, locking down the devices to a single app and pre-configuring the settings over-the-air becomes a breeze. Another advantage is that ManageEngine MDM Kiosk Mode allows you to provision multiple apps under Kiosk. Once configured, you can ensure these settings cannot be modified by the users. Additionally, you can let the users configure basic settings through Custom Settings app. Kiosk is supported for all devices. However, Non-Samsung devices running 5.0 or above, should be provisioned as Device Owner.
You need to enable Usage Access Permission when prompted on the device to enable or disable some of the Kiosk features like status bar, task manager or custom settings app.
The advantage of Kiosk is that all types of notification services such as the edge notification window, available in Samsung devices, get restricted by default, ensuring users cannot navigate away from the app(s) provisioned under Kiosk.
NOTE: It is better to have only one Kiosk profile associated per device/group. When you associate two Kiosk profiles to the same device/group, the profile that is applied at last gets associated. To avoid confusion, it is recommended not to associate a new Kiosk profile when there is a Kiosk profile already associated. If you want to make modifications, remove the existing profile and associate a new profile or modify the existing profile. Similarly do not combine other profiles with Kiosk since every time the other profiles are modified and updated, Kiosk profile will be re-applied to the devices. You need to enable Usage Access Permission when prompted on the device to enable or disable some of the Kiosk features like status bar, task manager or custom settings app.
Provisioning app(s) under Kiosk
- You can provision apps already present in any one of the managed devices or added to the App Repository. This can include pre-installed apps, store apps and enterprise apps.
- In case the app provisioned under Kiosk is not available on the device, the app gets automatically distributed and installed on the device. The app distribution status is shown when viewing the device individually or in a group, in the Device Mgmt view.
- In case of Store apps, these apps can be manually updated by the device user in case App Store is provisioned as an app in Kiosk. Otherwise you need to update the app via MDM.
- In case of enterprise apps, you need to update the latest version of the source file (.apk) to the App Repository and then update the app on the devices.
- If silent installation isn't supported, the apps get distributed to the App Catalog, from where the user needs to install it.
- If a profile is updated and then re-distributed, the version of the enterprise app initially used during profile creation is one that gets distributed even if there's there's an updated version available in the App Repository. In case of Store apps, the latest version is distributed. The updated enterprise app needs to be separately distributed as explained here.
- ME MDM app requires data access permission for the Kiosk to perform certain functionalities like enabling status bar and notification bar, task manager/recent buttons, launch a specific app after idle time and enabling mobile data, bluetooth etc in custom settings.
- Apps pinned to the Home screen cannot be uninstalled by users, ensuring that essential business apps remain on the device.
Choosing the Launcher
For devices in Multi-app Kiosk, the launcher to be used on the devices can be configured. Choosing MDM launcher, permits the Custom Settings app and Device restrictions to be configured. Along with that, the Default app can be configured under Advanced settings. The Default app will be automatically launched on the device, if inactive for the specified time duration. Configuring these settings, ensures granular control over the device which cannot be achieved using Device launcher. The Device launcher does not support advanced Kiosk settings.
Custom Settings App
In case of Kiosk provisioned devices, users in general cannot view/modify basic settings such as Brightness, Wi-Fi etc., as the screen gets locked to provisioned apps. Custom Settings app, as the name suggests, if configured allows the users to modify these basic settings on Multi-app as well as on Single-app Kiosk. The advantage of this app, is that you can configure basic settings irrespective of the status bar restriction. You can also configure Custom Settings for Single-app Kiosk.
Home Screen Layout Customization
Home Screen Layout Customization lets you organize apps on the Home screen in multi-app Kiosk provisioned devices. You can add frequently used apps to the Dock and pin these apps to the Home screen even when user swipes across various pages. Apps pinned to the Home screen cannot be uninstalled by the users ensuring that the business requisite apps are always present on the device. You can add pages and folders to the Home screen, modify font color of texts displayed on the Home screen, thus improving user experience on the device.
- You can set up a custom kiosk wallpaper by configuring Wallpaper profile along with the same kiosk profile.
- To display device details such as Username, Serial Number etc., on the device lock screen for easy identification, you can use Asset Tagging. In case you've configured wallpaper in the Asset Tag profile, it takes precedence over the wallpaper profile.
- Only web shortcuts added in the Kiosk profile can be customized to desired position. Web shortcuts added from other profiles will be listed after the ones configured in Kiosk profile.
- If a web shortcut is added in home screen layout, it will directly be displayed in the kiosk else if it is added in kiosk without a screen layout it will be displayed inside a folder.
Watch this short video to learn how you can customize your Android Kiosk device's home screen.
Profile Description
Only devices running Android 5.0 or above can be provisioned as Device Owner .
| FEATURE | DESCRIPTION | KNOX-ENABLED SAMSUNG | NON-SAMSUNG | ||
|---|---|---|---|---|---|
| LEGACY | PROFILE OWNER | DEVICE OWNER | |||
| Configure | Single-app Kiosk type locks down the device to display only a single app. Multi-app Kiosk type locks down the device to display only a specific set of apps which will be displayed on the Home screen. This restricts users from accessing other features of the device. |  |
|
 |
|
| Launcher type (Can be configured only if Kiosk type is Multi-app) | You can choose the launcher to be used on a device provisioned with Kiosk.The MDM launcher allows granular control over the devices which cannot be achieved using the Device launcher. | |
|
|
|
| Allowed app(s)/ web shortcut(s) | You can choose app(s) (both Store and enterprise apps) or web shortcut(s) that are allowed to run on the device. Any apps in the App Repository or installed on the managed devices can be specified. | |
|
|
|
| Add app(s)/ web shortcut(s) | Allow app(s) that are already present on the device to be provisioned as Kiosk app(s) by specifying the app name and Bundle ID. Add web shortcut(s) by entering the web shortcut name, URL to be linked and icon to be displayed. | |
|
|
|
| Refresh browser if idle for more than (Can be configured only if Kiosk type is Single Web App) | Specify the maximum period of device inactivity, after which the web shortcut will auto-refresh and will return back to the main URL. Auto-refresh deletes the session and cookies. | |
|
|
|
| Hidden app(s) | You can specify app(s) which should run in the background, without their icon(s) being displayed on the device(s). | |
|
|
|
| Web shortcut idle timeout | Set a timer for web shortcut inactivity(can be scrolling on the same page for a long time). Once the device is idle for more than the defined time, cookies will be cleared. | |
|
|
|
| Automatically install the apps if not present on the device (Can be configured only if Kiosk type is Multi-app) |
If enabled, apps provisioned in Kiosk will be automatically installed if silent installation is supported or users need to install the apps from App Catalog. Similarly web-shortcuts will also be automatically distributed to the devices. In case you chose to disable this option after associating the profile, devices to which the policy was previously distributed will remain unaffected. | |
|
|
|
| Pause Kiosk Password | Specify the password to be entered on the device to temporarily disable Kiosk. | |
|
|
|
| Show ME MDM app (Can be configured only if Kiosk type is Multi-app) |
You can choose to show the ManageEngine MDM app or ME MDM app on the device to enable the user install distributed apps from the App Catalog. | |
|
|
|
| Show Notification Badge | Notification badge contains the number of active app notifications.Choose to enable/disable notification badges for the applications. Note: When status bar and heads up notifications are restricted, notification badge will not work. Notification access permission has to be enabled in the device to show notification badge. | |
|
|
|
| DEVICE RESTRICTIONS | |||||
| Task Manager
|
Restricting this option, prevents users from accessing Task Manager on their devices. So, the users will not be able to access App Settings or go to Default launcher and exit Kiosk. Hence, it is recommended to keep the Task Manager always restricted. | |
|
|
|
| Status Bar
|
Restricting this will disable users from viewing Status bar details like battery, notifications, network details etc. Note: In devices running Android 9.0 or later, only notification bar can be displayed and the Quick Panel settings is restricted by default |
|
|
|
|
| Status Bar expansion
|
Restricting this will prevent users from expanding the Status bar to access the Status bar controls. The user will still be able to view the notifications. | |
Restricted by default | |
Restricted by default |
| Heads-up notification | Restricting this will prevent heads-up notifications from being displayed on the device. Notifications can still be viewed by expanding the status bar, if status bar expansion is enabled. | |
|
|
|
| Home Button (For Android 9.0 and above, when Home Button is restricted Task Manager Button will also be restricted) | By restricting the Home button on the device, users will not be able to view the Home screen. | |
|
|
|
| Device Volume | If device volume is restricted there will be no sound in the device. | |
|
|
|
| Volume Button | You can restrict Volume buttons on the device and also configure the volume levels for media, notification, ringer, and alarm. Note: If device volume is restricted, settings configured in volume control will not work. |
|
|
|
|
| Power Button |
You can restrict the usage of the power button on the device, limiting certain functionalities based on the device type and configuration, and when restricted, the user must restart the device to turn on the display. Note: To avoid frequent restarts, it is recommended not to configure the screen timeout to prevent the device from entering sleep mode. If the device enters sleep mode, it must be restarted by long-pressing the power button. Behaviour on Non-Samsung Devices (Android 9.0 or Above): Restricting the power button disables the ability to restart or shut down the device, but the screen can still be turned on or off using the power button. Behaviour on Samsung Devices (Android 9.0 or Above): Restricting the power button disables restart, shutdown, and screen-off functionality, but the screen can still be turned on using the power button. |
|
|
|
|
| Back Button | Restricting the Back button on a device prevents users from navigating back and exiting the app. | |
|
|
|
| SIM Unlock | Restricting this option will prevent users from unlocking the device using the SIM PIN. This option is not applicable for devices that have a passcode configured. | |
|
|
|
| Unlock device without passcode (Supported from Android 9.0 or later) | Enabling this ensures the Kiosk provisioned device can be unlocked without any passcode. Note: If this option is allowed and a passcode is set in the device prior, users cannot manually power off or restart the device. |
|
|
|
|
| Display app crash dialogs (Supported from Android 9.0 or later) | Enable/Disable the display of error messages when an app crashes on the device. | |
|
|
|
| Multi Window | Multi window mode (split screen mode) allows multiple apps to share the same screen simultaneously. Allow/Restrict split screen mode on devices. |  |
 |
|
|
| Stay awake while charging (Supported from Android 6.0 or later) | Allow/Restrict the device to stay awake while charging. | |
|
|
|
| CUSTOM SETTINGS APP | |||||
| Wi-Fi | Allow the user to configure Wi-Fi settings as well as switch between different SSIDs. | |
|
|
|
| Add Wi-Fi Network | Enable this option to allow users to add/edit Wi-Fi network configurations. Note: Location permission will be enabled by default by MDM when the Wi-fi page is opened in Kiosk custom settings to search nearby Wi-fi networks. |
|
|
|
|
| Flashlight | Allow the usage of Flashlight by the device users. | |
|
|
|
| Brightness | Allow the users to modify the brightness of the device screen. | |
|
|
|
| Screen Orientation | You can pre-configure the screen orientation or allow users to modify it. To enable this policy, grant the Modify system settings/change system settings permission in the ME MDM app. This permission is required to access the device's system settings. The device cannot be used until this permission is granted. | |
|
|
|
| Screen Timeout | You can pre-configure the screen timeout or allow users to modify it. Additionally, the screen can be set to Always On when connected to a charger. To enable this policy, grant the Modify system settings/change system settings permission in the ME MDM app. This permission is required to access the device's system settings. The device cannot be used until this permission is granted. | |
|
|
|
| Mobile Networks | Allow/Restrict users from configuring network settings like Access Point Name (APN), Data roaming, Network operators, etc. | |
|
|
|
| Bluetooth | Allow/Restrict the usage of Bluetooth. If enabled, the user will be re-directed to device settings. Specify the time duration for which Bluetooth can be used. Device will enter Kiosk after the specified time duration. | |
|
|
|
| Portable Hotspot and Tethering | Allow/Restrict Hotspot and tethering. If enabled, the user will be re-directed to device settings. Specify the time duration for which Hotspot can be used. Device will enter Kiosk after the specified time duration. | |
|
|
|
| APN Settings | Allow/Restrict users from configuring Access Point Name (APN) settings. If enabled, the user will be re-directed to device settings. Specify the time duration for which APN settings can be accessed. Device will enter Kiosk after the specified duration. | |
|
|
|
| Device Settings timeout | Specify the time duration for which users can access the device settings (maximum 120 seconds). | |
|
|
|
| Battery Optimization | Enable this option to allow users to configure battery optimization. | |
|
|
|
| Battery optimized apps | Specify the apps for which the battery usage needs to be optimized. | |
|
|
|
| Set Locale and Language | Enable this option to allow users to switch locale languages. | |
|
|
|
| ADVANCED SETTINGS | |||||
| Default app | Enabling this, ensures the device automatically launches a particular app after a specified period of inactivity. This is applicable only if the Kiosk type is Multi app. | |
|
|
|
| Default app name | The Default app can be chosen from the apps to be provisioned on the device, specified initially. | |
|
|
|
| Launch default app when it is inactive for | Specify the time duration after which the app has to be launched on the device automatically (minimum 20 seconds). | |
|
|
|
| EDIT SCREEN LAYOUT | |||||
| Dock | Enable this option to add frequently used apps to the dock for easier access from the Home screen | |
|
|
|
| Icon Size | Set icon size of the apps displayed on the Home screen | |
|
|
|
| Font color | Set font color of the icon names displayed on the Home screen | |
|
|
|
| Allow user to change app position | Enable this option to allow users to rearrange the icons on the Home screen | |
|
|
|
Enabling Phone Calls in Kiosk Mode
To enable phone calls in kiosk mode, add the following system applications to your kiosk profile's allowed apps or Hidden app list:
For Android devices:
For Samsung devices: The apps can be added from com.android.server.telecom, com.samsung.android.incallui, and com.samsung.android.dialer.
How to Add an Apps to the Kiosk Profile?
Managing Kiosk Profile: Pause and Resume
While managing devices under Kiosk, there might be a pertinent need to pause Kiosk for certain purposes. Assume there is an enterprise app provisioned under Kiosk and it has stopped working. So, the IT admin will have to view the logs to understand and diagnose the issue. MDM lets you pause Kiosk in three different ways:
1. Pause Kiosk Mode:
Method 1: Using Inventory Action (MDM console)
- Navigate to the Inventory tab and select the device.
- Click on Actions and choose Pause Kiosk from the dropdown.
- Provide a reason for pausing Kiosk.
- Choose how to resume Kiosk:
- Only when initiated from the server (manual resume)
- Set a time frame for automatic resume.
- Click OK to confirm.
Method 2: Using Pause Kiosk Passcode (On-Device)
- Navigate to the MDM Console > Inventory > Actions > Pause Kiosk.
- A randomly generated passcode (valid for 30 minutes) will be displayed.
- This passcode is unique each time and uses a secure combination of letters and numbers to ensure security.
- It expires automatically after 90 minutes to prevent unauthorized access without admin awareness.
Entering the Passcode on the Device
- If the ME MDM app is not allowed in the kiosk allowed apps list:
- Press the Home button 4 times consecutively.
- A prompt will appear asking for the kiosk passcode.
- If the ME MDM app is allowed in the kiosk allowed apps list:
- Open the ME MDM app.
- Navigate to Settings > Exit Kiosk and enter the passcode.
- If the ME MDM app is not allowed and the Home button is restricted:
- Long-press Volume Up + Volume Down keys (increasing from 0% to 100% and back) 5 times consecutively
- This will launch the ME MDM app.
- Navigate to Settings > Exit Kiosk, and enter the passcode.
Method 3: Using Remote Chat Commands
The most probable reason for pausing Kiosk is to troubleshoot the device and this is usually done via Remote Troubleshoot. MDM lets you pause Kiosk right from the device view screen using chat. You can use the chat option present in the device view screen not only to interact with the user but also to execute certain commands such as pausing Kiosk and resuming it if need be. You can pause Kiosk using the command /EXIT-KIOSK, troubleshoot the device and the resume Kiosk using the command /ENTER-KIOSK. You can know more about chat commands in our Remote Troubleshooting guide.
- Navigate to Device Management->Remote control and Open the device view screen in MDM Console.
- Use the chat option to send the command: /EXIT-KIOSK
- The device will exit Kiosk mode, allowing troubleshooting.
Note:1. MDM supports pausing Kiosk and resuming Kiosk using different methods. For example, you can pause Kiosk using remote chat commands and resume it using Inventory Actions.
2. In SIM card locked devices, on device restart, you need to enter SIM unlock password to resume Kiosk
3. Once the Kiosk paused device is restarted, you can resume Kiosk right from the notification shown on the device.
2. Resume Kiosk Mode
Method 1: From MDM console (Inventory Action) : In the MDM console, Navigate to Inventory > Device Details > Actions. Select Resume Kiosk.
Method 2: From Notification : Once the kiosk mode is paused, a notification will be displayed on the device. The user can tap on this notification to resume kiosk mode.
Method 3: From ME MDM App: Open the ME MDM app on the device. Navigate to the Settings tab and tap on the “Resume Kiosk Mode” option to reactivate kiosk mode.
Troubleshooting tips
- How do I resolve missing app or settings prompts in kiosk mode?
If a settings prompt (e.g., Bluetooth pairing or USB debugging enable) doesn’t appear: Ensure the Settings app is allowed in your kiosk profile. If not, add it as an allowed app or background app, then test again.
If an app isn’t appearing: Identify its package name using tools like Current Activity. Check if the app is listed under allowed apps in your kiosk profile. If missing, add it and verify. - Why aren’t the Home, Power, or Recent Apps buttons working in kiosk mode?
Cause:
If the device has a passcode enabled, it must be unlocked to restart or power off (security restriction). Additionally, if the kiosk profile allows "Unlock device without passcode", the passcode screen is removed, but the system still treats the device as locked. Hence, power/restart functions remain disabled.
Resolution:- Option 1: Remove the passcode (either manually or from Inventory Actions). If security is a concern, use Option 2.
- Option 2: Restrict "Unlock device without passcode" in the kiosk profile.
- What if a Kiosk provisioned device loses internet connectivity?
Once the Kiosk profile is associated to devices, ensure that these devices don't lose network connectivity. Else, these devices will be locked under Kiosk. If the device has lost connection with the server, you can recover the device from Kiosk as explained here. - Why can't I pause Kiosk using Time bound passcode?
While configuring the time passcode to pause Kiosk ensure the device time matches with the server time. If there is a mismatch, the user will be unable to use this passcode to pause Kiosk. You can prevent users from modifying the time on the device by configuring the Date/Time Settings under Restrictions and prevent the users from modifying these settings. - How should I configure physical keyboard in kiosk mode?
The device automatically recognizes when a physical keyboard is connected and disables the on-screen keyboard. If the on-screen keyboard needs to be enabled, navigate to the Custom settings app>Keyboard Settings and toggle on the Show on-screen keyboard option. - Why is the on-screen keyboard not working when external input device is connected?
When any external input device is physically connected, the mobile device recognizes it as a physical keyboard and disables the on-screen keyboard. To enable the on-screen keyboard, navigate to the Custom settings app>Keyboard Settings and toggle on the Show on-screen keyboard option.