The Definitive Guide to Kiosk Management and Strategy
Master the fundamentals first. Explore the Definitive Guide to Kiosk Management to align your technical strategy.
In the modern enterprise, “Manual Provisioning” is a liability.
We have normalized Infrastructure as Code (IaC) for the cloud—using Terraform or Ansible to spin up thousands of servers with a single commit. Yet, when it comes to Physical Endpoint Management, many organizations remain stuck in “ClickOps.” Admins log into a GUI, manually click through wizards, and hope they didn’t miss a checkbox.
For a fleet of 10,000 retail kiosks or logistics tablets, this manual approach guarantees configuration drift, security gaps, and slow rollout times.
It is time to treat your Kiosk Fleet like a Kubernetes Cluster.
This guide details how to leverage the Hexnode API to architect a true IaC pipeline for physical devices. We will move beyond simple automation to build a resilient, audit-ready provisioning system that creates locations, enforces policies, and manages state without a single UI interaction.
💡 What is Infrastructure as Code (IaC)?
Think of IaC as a “Digital Blueprint” for your devices. Instead of manually clicking buttons in a portal to set up each kiosk, you write a simple text file that describes exactly how you want your devices to look and behave.
Why it matters:
- Speed: Configure 1,000 kiosks as fast as you can configure one.
- Consistency: Every device gets the exact same settings—zero human error.
- History: Since it’s a file, you can see exactly who changed a setting and when.
Table of Contents
- Why MDM Architects are Abandoning “ClickOps”
- The Strategic Shift: Kiosk as Code
- Phase 1: The Architecture & Prerequisites
- Phase 2: The Idempotent Provisioning Engine
- The “State File” – Your infrastructure’s memory
- Phase 3: The Enterprise Strategy (Day 2 Operations)
- Phase 4: Zero-Touch Enrollment via API
- Conclusion: From Admin to Architect
- ❓ Frequently Asked Questions (FAQs)
Why MDM Architects are Abandoning “ClickOps”
Before we dive into the code, let’s look at why the industry is shifting from manual console management (ClickOps) to Infrastructure as Code (IaC).
| Feature | Manual (ClickOps) | IaC (Hexnode API) |
| Setup Speed | 15–30 mins per device | < 1 second for the entire fleet |
| Audit Trail | Fragmented system logs | Git History (Commit Hash & Author) |
| Configuration Drift | High risk; requires manual audits | Auto-detected and self-remediated |
| Consistency | Human error-prone | 100% bit-identical across 10,000 sites |
| Scalability | Linear effort (More devices = More work) | Exponential (10 devices = 10,000 devices) |
The Strategic Shift: Kiosk as Code
The core philosophy is simple: The Source of Truth is Git, not the Console.
Instead of configuring a store location inside the Hexnode portal, you define the store’s “Desired State” in a version-controlled JSON or YAML file.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
The Enterprise Blueprint (store_manifest.json): JSON { "location_code": "NYC-042", "metadata": { "contact": "ops-nyc@enterprise.com", "cost_center": "CC-90210" }, "target_group": "Kiosk-NYC-042-Active", "compliance_profile": "PCI-DSS-Lockdown-v3", "mandatory_apps": [ {"id": "com.hexnode.pos", "version": "2.1.0"}, {"id": "com.hexnode.scanner", "version": "1.4.5"} ] } |
Our provisioning engine reads this manifest and orchestrates the Hexnode API to enforce this state. If the manifest changes, the fleet updates automatically.
Phase 1: The Architecture & Prerequisites
To build this pipeline, we need a secure bridge between your Code Repository and the Hexnode Infrastructure.
Prerequisites:
- Hexnode Enterprise Account with API access.
- ervice Account API Key: Do not use a personal admin key. Generate a dedicated API key with scoped permissions (Write: Policies, Write: Groups, Read: Devices).
- CI/CD Runner: A secure environment (Jenkins, GitHub Actions, GitLab CI) to execute the Python logic.
Phase 2: The Idempotent Provisioning Engine
In an enterprise environment, scripts must be idempotent. Running the script 100 times should result in the same state as running it once, without creating duplicate groups or errors.
Before running the engine, we must define our Desired State. This is the “Code” in Infrastructure as Code.
1. The Manifest & Environment Setup
Create a file named store_manifest.json. This acts as your configuration file for a specific retail site or fleet branch.
|
1 2 3 4 5 6 |
The Manifest (store_manifest.json): { "location_code": "NYC-042", "target_group": "Kiosk-NYC-042-Active", "policy_id": "1024" } |
Environment Variables
For security, do not hardcode your credentials. Set the following environment variables on your local machine or within your CI/CD runner (e.g., GitHub Secrets):
HEXNODE_API_KEY: Your secret API Key from the Hexnode Portal.
HEXNODE_PORTAL_URL: Your portal address (e.g., company.hexnodemdm.com).
3. The Provisioning Script
Here is the logic for a robust provision_store.py script:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 |
import requests import json import sys import os # Configuration: Load from Environment Variables for Security API_KEY = os.getenv("HEXNODE_API_KEY") PORTAL_URL = os.getenv("HEXNODE_PORTAL_URL") # .hexnodemdm.com HEADERS = { "Authorization": API_KEY, "Content-Type": "application/json" } def get_existing_group_id(group_name): """ Check if group exists by iterating through all paginated API results. """ # Start with the initial URL url = f"https://{PORTAL_URL}/api/v1/device_groups/" while url: response = requests.get(url, headers=HEADERS) if response.status_code != 200: print(f"Error fetching groups: {response.status_code}") break data = response.json() groups = data.get('results', []) # Check current page for the group for group in groups: if group['groupname'] == group_name: return group['id'] # Update url to the 'next' page link; if it's None, the loop ends url = data.get('next') return None def create_device_group(group_name): """Creates a group only if it doesn't exist.""" existing_id = get_existing_group_id(group_name) if existing_id: print(f"🔹 Idempotency Check: Group '{group_name}' already exists (ID: {existing_id}).") return existing_id url = f"https://{PORTAL_URL}/api/v1/device_groups/" payload = { "groupname": group_name, "description": "Provisioned via IaC Pipeline [DO NOT EDIT MANUALLY]" } response = requests.post(url, headers=HEADERS, json=payload) if response.status_code == 201: group_id = response.json().get('id') print(f"✅ Created New Group: {group_name} (ID: {group_id})") return group_id else: print(f"❌ Critical Error: Failed to create group. {response.text}") sys.exit(1) def enforce_policy(policy_id, group_id): """ Associates a pre-existing policy to a specific device group. Ensures the 'Desired State' is mapped correctly. """ url = f"https://{PORTAL_URL}/api/v1/actions/associate_policy/" # Payload requires IDs in list format payload = [{ "policies": [policy_id], "devicegroups": [group_id] }] response = requests.post(url, headers=HEADERS, json=payload) if response.status_code == 200: print(f"✅ State Enforced: Policy {policy_id} mapped to Group {group_id}") else: print(f"❌ Mapping Error: {response.status_code} - {response.text}") def main(): # Load Manifest with open("store_manifest.json") as f: config = json.load(f) print(f"🚀 Initializing Provisioning for: {config['location_code']}") # 1. State Enforcement: Device Group group_id = create_device_group(config['target_group']) # 2. State Enforcement: Security Policy policy_id = config['policy_id'] enforce_policy(policy_id, group_id) print("🎉 Infrastructure State Enforced Successfully.") if name == "main": main() |
⚠️ Note on policy management:
For a true IaC workflow, the Policy ID must exist in the Hexnode portal before the script runs. We recommend creating your “Golden Master” Kiosk Policy in the UI once (e.g., PCI-Compliance-Kiosk-v1) and storing its ID in your store_manifest.json. This ensures your automation is connecting verified security profiles rather than creating redundant, unmanaged policies for every site.
The “State File” – Your infrastructure’s memory
In the world of Terraform, State is the source of truth that tracks what you actually deployed. Without a state file, your script is blind to what it did yesterday.
To turn our Python engine into a professional IaC tool, we implement a local_state.json. This file records the mapping between your human-readable manifest and the unique IDs returned by the Hexnode API.
Why State Matters:
- Speed: The script doesn’t have to query the API to “find” IDs every time; it looks at the local state first.
- De-provisioning: If you remove a store from your manifest, the state file tells the script exactly which Hexnode Group ID needs to be deleted.
- Drift Detection: It allows you to compare the Desired State (Manifest) vs. Last Known State (Local) vs. Live Reality (Hexnode API).
How the code evolves:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
Python def update_local_state(location_code, group_id, policy_id): """ Saves the successful deployment metadata to a local state file. """ state_file = "fleet_state.json" # Load existing state or create new if os.path.exists(state_file): with open(state_file, 'r') as f: state = json.load(f) else: state = {} # Update state for this specific location state[location_code] = { "hexnode_group_id": group_id, "enforced_policy_id": policy_id, "last_synced": "2026-01-07T15:30:00Z" } with open(state_file, 'w') as f: json.dump(state, f, indent=4) print(f"💾 State updated for {location_code}") |
Phase 3: The Enterprise Strategy (Day 2 Operations)
Writing the script is Step 1. Running it at scale requires a strategy for Governance and Observability.
1. Drift Detection (The “Cron” Job)
The biggest risk in IT is “Shadow Configuration”—a local admin manually changing a policy to troubleshoot an issue and forgetting to revert it.
- The Fix: Run a “Read-Only” version of your script nightly.
- The Logic: Fetch the live configuration from Hexnode and compare it against store_manifest.json.
- The Action: If they differ, trigger a PagerDuty alert or auto-remediate the drift by overwriting the manual change.
2. Security & Secret Management
Never hardcode API keys.
- Vault Integration: Inject HEXNODE_API_KEY at runtime using HashiCorp Vault, AWS Secrets Manager, or GitHub Secrets.
- IP Allowlisting: Configure Hexnode to accept API calls only from the static IP of your CI/CD NAT Gateway.
3. Audit & Compliance (SOC 2 / PCI-DSS)
By moving to IaC, you gain a perfect audit trail for free.
- The “Who”: Git Commit Author.
- The “When”: Git Commit Timestamp.
- The “What”: The Git Diff shows exactly which policy was changed.
- The “Why”: The Pull Request description.
When an auditor asks, “Who changed the Kiosk Lockdown Policy on Tuesday?”, you don’t look at logs; you look at the Git History.
Phase 4: Zero-Touch Enrollment via API
Configuring a group and a policy is only half the battle. The true power of IaC is realized when a device is taken out of the box, powered on, and automatically finds its “Desired State” without an admin ever touching the screen.
Pre-Enrollment Configuration
Instead of waiting for devices to check in, we use the Hexnode API to “Pre-Provision” them. By fetching Apple DEP or Android Zero-Touch profiles via the API, you can map serial numbers to your IaC-created groups before the hardware even leaves the warehouse.
Enterprise Workflow:
- Code: Define the store in store_manifest.json.
- API: Script creates the Hexnode Group and Policy mapping.
- Enrollment: Script triggers a POST /api/v1/enrollment/ request to generate a dynamic enrollment URL or binds the device’s Serial Number to the new Group ID.
The Enrollment API Logic
You can automate the generation of enrollment requests so that store managers receive an automated “Setup” email or SMS the moment your script finishes running.
|
1 2 3 4 5 6 7 8 9 10 11 12 |
def trigger_enrollment(email, group_id): """ Sends an automated enrollment request to the store manager. """ url = f"https://{PORTAL_URL}/api/v1/enrollment/email/" payload = { "email": email, "device_group": group_id } response = requests.post(url, headers=HEADERS, json=payload) if response.status_code == 200: print(f"📩 Enrollment request dispatched to {email}") |
Featured Resource
The Ultimate Guide to Kiosk Management: Everything your business needs to know
Ready to scale globally? Access our comprehensive guide on security, compliance, and lifecycle management for enterprise architects.
Download the White Paper!Conclusion: From Admin to Architect
Transitioning to Infrastructure as Code elevates the role of the Endpoint Administrator. You are no longer a “ticket clicker” but a Platform Architect.
By adopting this Hexnode API-driven workflow, you ensure that 1,000 stores look exactly like 1 store. You eliminate human error, secure your configuration chain, and gain the agility to deploy complex fleets in minutes, not months.
Stop clicking. Start coding.
Kill Configuration Drift for Good.
Transition from ClickOps to IaC with our expert deep dives. Start your 14-day Hexnode free trial now.
SIGNUP NOW!❓ Frequently Asked Questions (FAQs)
📍 Can I manage MDM using Infrastructure as Code (IaC)?
Yes. By leveraging the Hexnode REST API, IT teams can manage physical device fleets using IaC principles. Instead of manual console configuration, administrators define device groups, policies, and app assignments in code (JSON/YAML) and use scripts to automatically provision and enforce these states across thousands of devices.
📍How do I automate Kiosk provisioning with Python?
You can automate Kiosk provisioning by writing a Python script that interacts with the Hexnode API.
The script should:
-
- Create a Device Group for the new location.
- Assign Policies (Lockdown profiles) to that group.
- Trigger Enrollment, ensuring that when devices activate, they automatically inherit the code-defined configuration without human intervention.
![[Infographic] How to reinforce your business with self-service kiosks](https://cdn.hexnode.com/blogs/wp-content/uploads/2021/03/How-to-reinforce-your-business-with-Hexnode-1024x550.png?format=webp)
