Category Filter

Kiosk Mode for Android – Complete Guide

System Requirements

To activate Kiosk mode on your Android device, you should have

  • A device running Android v2.3 or above.
  • An active internet connection on your devices.

Note:

For devices enrolled in the Android Enterprise program, kiosk activation is available only on devices enrolled in Device Owner mode.


Exception:

For all devices running MIUI versions that have MIUI optimization turned on, Write System Permissions cannot be enabled. This leads to several issues including kiosk exiting unexpectedly, apps not getting installed silently, and so on. MIUI optimization must be disabled to fix such issues. To disable MIUI optimization:

  • Go to Settings > Build Number.
  • Tap on the build number 6 to 8 times to enable Developer options.
  • Select Developer Options from Settings > Additional Settings.
  • Disable MIUI optimization from the list of available options.

Set up and Enable Kiosk Mode

Set up Kiosk Mode

Enroll Devices with Hexnode MDM

The first step is to enroll your devices with the Mobile Device Management software. All methods of enrollment are explained in this section.

Open Enrollment (No Authentication)

Open Enrollment requires only the server name and no enrollment credentials. It is the easiest and fastest method of enrollment. All the devices that are enrolled using Open Enrollment get assigned to a default user.

Organizations may prefer open enrollment to set up kiosks seamlessly. If you wish to display digital signages or simply set up a customized screen with the required apps, open enrollment is the perfect choice for your organization.

To set up Open Enrollment:

  1. Navigate to Enroll > Settings on your Hexnode portal.
  2. Set the Request Modes as either Email or Text/SMS, or both.
  3. Under Authentication Modes, enable No Authentication, and choose a default user and set a default password, which is for Windows devices.
  4. Under Enrollment Restrictions, choose the device models to be allowed for enrollment, enable/disable pre-approved enrollment, and enforce assigned user.
  5. Choose the Enrollment Ownership.
  6. Re-enrollment Options can be set either to enroll as a new device or to retain configurations and change owner.
  7. Click Save.

To create a new user,

  1. Head on to Manage > Users on your Hexnode portal.
  2. Click on New User.
  3. Enter the Display Name and Email address. Enable Send enrollment request to send the enrollment request immediately after the user is created.
  4. Clicking on Save will save the user details on the Hexnode portal and send the enrollment request to the user.

An enrollment request will be sent via mail/SMS to the user, consisting of the Server name and QR code.
The devices can now be enrolled using open enrollment.

Enrollment with Authentication

Enrollment with authentication requires the server name and an authentication password. This password is randomly generated and can be used only once.

Authenticated enrollment makes sure that only the right users have the right access to the devices. If you want to set up kiosks and make it available only for the required users, go with enrollment with authentication.

Note:

If the agent is removed from the device, but is still enrolled in the portal, a new enrollment request has to be sent to re-enroll the device.



To set up enrollment with authentication,

  1. Navigate to Enroll > Settings on your Hexnode portal.
  2. Set the Request Modes as either Email or Text/SMS, or both.
  3. Under Authentication Modes, enable Enforce Authentication, and choose to send the enrollment request to AD/Azure AD/Local/Google/Okta User or allow users to enroll with their dedicated credentials using Self Enrollment.
  4. Under Enrollment Restrictions, choose the device models to be allowed for enrollment, enable/disable pre-approved enrollment, and enforce assigned user.
  5. Choose the Enrollment Ownership.
  6. Re-enrollment Options can be set either to enroll as a new device or to retain configurations and change owner.
  7. Click Save.

To create a new user,

  1. Head on to Manage > Users on your Hexnode portal.
  2. Click on New User.
  3. Enter the Display Name and Email address. Enable Send enrollment request to send the enrollment request immediately to the user.
  4. Clicking on Save will save the user details on the Hexnode portal and send the enrollment request to the user.

An enrollment request will be sent via mail/SMS to the user, consisting of the Server name, Password, and QR code.
The devices can now be enrolled with authentication.

Self-Enrollment

Self-enrollment allows users to enroll their devices in Hexnode MDM manually. If an organization needs to set up kiosks only for the users in their directory services, enroll devices using self-enrollment.

Self Enrollment using AD User allows the user to directly enroll in Hexnode MDM if they already have their dedicated Active Directory credentials.

To configure Active Directory,

  1. Go to the Admin tab and select Active Directory settings.
  2. Configure Active Directory settings and enable Allow self-enroll.
  3. Click Save.

Once the AD users are imported to the MDM console,

  1. Go to Manage > Directory Services.
  2. Select the domain or OUs or groups.
  3. Click on Actions and select New Enrollment.
  4. Click on Send to send the enrollment request to the AD users.

Self Enrollment using Azure AD user allows the user to directly enroll in Hexnode MDM if they already have their dedicated Azure AD credentials.

To configure Azure AD,

  1. Go to the Admin tab and select Azure AD.
  2. Configure Azure AD and enable Allow self-enroll.
  3. Click Save.

Once the Azure AD users are imported to the MDM console,

  1. Go to Manage > Directory Services.
  2. Select the domain or OUs or groups.
  3. Click on Actions and select New Enrollment.
  4. Click on Send to send the enrollment request to the Azure AD users.

Self Enrollment using Local User: The admin creates a default user and a dedicated password manually or assigns a common password or individual passwords for the users and sends it to them as a bulk mail. The devices can be enrolled with these credentials.

  1. Go to Enroll > All Enrollments > Enterprise > Self-Enrollment – Local.
  2. Create a new user by clicking on the Create a new user button. Click on the Change Password button to change the passwords of existing users.

Self Enrollment using Google User allows the user to directly enroll in Hexnode MDM if they already have their dedicated G Suite credentials.

To configure G Suite,

  1. Go to the Admin tab and select G Suite.
  2. Configure G Suite.

Once the G Suite users are imported to the MDM console,

  1. Go to Manage > Directory Services.
  2. Select the domain or OUs or groups.
  3. Click on Actions and select New Enrollment.
  4. Click on Send to send the enrollment request to the G Suite users.

Self Enrollment using Okta User allows users to enroll their devices in Hexnode MDM if they already have their dedicated Okta credentials. Before configuring Okta enrollment, you have to configure the Okta domain in Hexnode.

To configure Okta with Hexnode,

  1. Go to Admin > Okta.
  2. Configure Okta and enable Allow self-enroll.
  3. Click Save.

Once the Okta users and groups are imported to the Hexnode console,

  1. Navigate to Manage > Directory Services.
  2. Select the domain or OUs or groups.
  3. Click on Actions and select New Enrollment.
  4. Click on Send to send the enrollment request to the Okta users or groups.

The devices can now be self-enrolled.

Bulk Enrollment

Hexnode MDM allows you to enroll devices in bulk. To do this,

  1. Go to Enroll > All Enrollments > Invite > Email.
  2. Choose the required domain.
  3. Under Send enrollment request to, toggle the button to Bulk User.
  4. Upload the CSV file containing the fields name, email and ownership. All other fields – mobile, devicename, SerialNumber and platform – are optional. The ownership field can have the values personal, corporate or selectuser. selectuser allows the user to select ownership details while enrolling.
  5. Click Next and verify the details of the CSV uploaded.
  6. Click Next and then choose the method to send the enrollment request either via Email/SMS.
  7. Click on Send, and the enrollment email/SMS will be sent to all the users.

Pre-Approved Enrollment

Pre-approved enrollment lets the administrator set up policies for devices even before the devices are enrolled in Hexnode MDM. The configurations/restrictions are automatically applied once the device is enrolled. Pre-approved enrollment is set up by adding a CSV file with all the device details. You can also add DEP devices as pre-approved devices in the portal.

Notes:

  1. Android devices can also be enrolled in many other ways as listed below:
  2. ROM enrollment method can be used to set up devices in kiosk mode when the devices boot up for the first time.

Install Hexnode MDM App to Android Devices

Hexnode MDM Android app can be downloaded from Google Play.
When the installation is complete,

  1. Open the Hexnode MDM app and enter the server address into the field and tap Next. The server address will be <yourportalname>.hexnodemdm.com.
  2. The rest of the process differs with the enrollment type.
    • If you are enrolling without authentication, you’ll be asked to activate device administration. Make sure to grant the Device Administration permission while enrolling the devices.
    • If you are self-enrolling devices, you’ll need to provide your Directory or Local user credentials. Now, tap Next and activate Device Administration.
    • If you are enrolling devices using any other methods, provide the email address and the password obtained from the enrollment email/SMS. Tap Next and activate Device Administration.
    • Note:

      On Samsung Knox devices, you should agree to the terms and conditions of Samsung’s privacy policy.

  3. When this is done and you tap on the Enroll button, your device is all set to receive commands from the administrator.

Associate Kiosk Policy to Enrolled Devices

To turn your device into a Kiosk, you need to push the kiosk policy.

  1. Go to the Policies tab.
  2. Click on New Policy and provide a name.
  3. Proceed to Kiosk Lockdown > Android Kiosk Lockdown.
  4. Lock down your device onto either Single App/Multi App kiosk mode.
  5. Click on the Configure button and add the required apps in kiosk mode.
  6. Go to the Policy Targets tab.
  7. Select the required Devices/Device Groups/Users/User Groups/Domains to which the policy is to be associated.
  8. Click Save.

The policy will be automatically associated with the device.

Enable Kiosk Mode

In Android Marshmallow (6.0) and above, you’ll need to allow ‘Draw over apps’. To allow this,

  1. Go to Settings > App Settings > Configure Apps.
  2. Select Draw over apps.
  3. Select Hexnode MDM and turn on Permit drawing over other apps.

Note:

Skip this step in older Android versions.


When the policy is applied, Hexnode MDM will be launched and you’ll be asked to
  1. Enable usage access on some devices. If you don’t have an option to enable usage access, just ignore it.
  2. Activate Kiosk: Tap on the prompt, select Hexnode Kiosk in the ‘complete action using’ popup and choose Always Select.
    Notes:

    • All devices below Android 10, after initial activation, enter Kiosk mode automatically.
    • On devices running Android 10 or above, enrolled as Hexnode MDM device admin, Hexnode MDM cannot be set as the default home app (launcher). You have to manually grant Hexnode MDM app permissions, whenever kiosk is activated on the device.
    • Samsung Knox devices with Android v5.0+ and devices enrolled in Android Enterprise as Device Owner, enter Kiosk mode upon policy application without the prompt to activate Kiosk.

Advanced Bulk Deployment Options

If you are into shipping, like, thousands of devices to several other industries, they won’t be willing to download the Hexnode app and enter the server address on every device they have. In such a case, you can make the Hexnode MDM app as a system app, MDM pre-configured and kiosk mode pre-activated.
A system app will have access and permission to edit root directories and files, so you’ll have additional benefits.
You can make a custom ROM with Hexnode MDM app as the system app.

Additional Benefits

You will benefit from these additional features if you add Hexnode MDM as a system app.

  1. Silent app installation: Apps can be installed without user intervention if Hexnode MDM is installed on the device as a system app.
  2. Non-removable MDM app: Add the app to /system/priv-app/ folder to make the Hexnode MDM app non-removable.

Make Hexnode MDM a System App before the Device is Turned On

Used by enterprises collaborating with OEM vendors, devices are manufactured with specially configured ROM, with all privileges and permissions granted to Hexnode MDM. Flashing a custom ROM makes Hexnode MDM a system app even before the device is turned on for the first time, and automatically enrolls the device in the MDM.

Disable Kiosk Mode

Disabling or exiting Kiosk mode can be done from the portal as well as from the device.

To disable Kiosk mode from the MDM console, the device needs to be connected to the Internet. You can either,

  • Disable Kiosk Mode from Manage tab
    1. Choose the devices and click on Actions.
    2. Select Disable Kiosk Mode.

This method won’t remove the device from the Kiosk policy permanently. You can Enable Kiosk Mode from Manage > Actions itself.

In order to remove the devices from the Kiosk policy permanently, either

  • Remove the policy from the device
    1. Head to the Manage tab and choose the device.
    2. Continue onto Policies sub-tab.
    3. Click on the trash icon near the policy name.
  • Remove the device from policy targets
    1. Go to Policies and click on the policy name.
    2. Continue onto Policy Targets.
    3. Click on the remove option near the device name.
  • Delete the policy
    1. Go to the Policies tab.
    2. Select the policies, select Manage > Move to Archive.
    3. After archiving the policies, go to Policies > Archived Policies.
    4. Select the policies you want to delete and click on Manage > Delete.
  • Disenroll the device from Manage tab
    1. Choose the device and click on Actions.
    2. Select Disenroll Device.

If the devices are offline,

  • Tap the screen ten times continuously and enter the Kiosk exit password. A default Kiosk exit passcode is mentioned in the portal.
    1. Head onto the Admin tab > General Settings.
    2. The Exit Passcode is mentioned under Global Exit Settings (Android). This password is known as global exit password.

    A Kiosk exit passcode can be set in the Kiosk policy as well, under Kiosk Lockdown > Android Kiosk Lockdown > Kiosk Exit Settings. This password is termed as local kiosk password.

  • If you’ve enabled ‘Show option to manually exit kiosk lockdown’ from Kiosk Lockdown > Peripheral Settings > Hexnode MDM Settings, an option will be available to enter the kiosk exit password. Use the password set under Admin > General Settings > Global Exit Settings (Android) or Kiosk Lockdown > Android Kiosk Lockdown > Kiosk Exit Settings. If both local and global passwords are specified, use the local kiosk password defined via policies to exit kiosk mode.
  • Notes:

    • If you’ve set up an app with zero second auto-launch delay, ensure that the Status bar is disabled and tap ten times rapidly on the status bar at the top-left area of the screen, to enter the Kiosk exit password. Exit manually from kiosk mode while an app is open should be enabled in the Kiosk Exit Settings of the Kiosk policy.
    • You can disable kiosk on your devices after a reboot if ‘Reboot and tap to exit from kiosk mode’ option is enabled from Kiosk Lockdown > Android Kiosk Lockdown > Kiosk Exit Settings. After rebooting the device, tap on the vacant part of the screen ten times and enter the exit password to exit from the kiosk mode within the specified time delay before app launch.
    • When a local kiosk password is defined via Policies, you cannot exit from the Android kiosk mode using the global exit passcode.

Major Kiosk Features

Hexnode Kiosk features are endless. Here’s a list of selected features that most of the industries are looking for. For a full list of features, see Hexnode Android Kiosk web page.

Hexnode Browser Lite

The Hexnode Browser Lite is a single tabbed browser that opens the web apps added in either single app/multi-app kiosk mode. It can also open the external URLs within the web app, provided the URLs are whitelisted. To enable the Hexnode Browser Lite in Kiosk mode,

  1. Head onto Policies > New Policy > Kiosk Lockdown.
  2. Select Single App or Multi App mode under Android Kiosk Lockdown.
  3. Whitelist all the apps that you need including web apps.
  4. Select Website Kiosk Settings, click Configure.
  5. Choose Hexnode Browser Lite to browse the web apps and whitelisted URLs.
  6. You can specify whether to open the web apps in full screen or not on the device.
  7. Go to Policy Targets and select the required Devices/Device Groups/Users/User Groups/Domains to which the policy is to be associated.
  8. Click Save.

Hexnode Kiosk Browser

The Hexnode Kiosk Browser enables secure multi-tabbed browsing, by restricting user access to URLs and web apps permitted by the enterprise alone. To enable the Hexnode Kiosk browser in Kiosk mode,

  1. Head onto Policies > New Policy > Kiosk Lockdown.
  2. Select Single App or Multi App mode under Android Kiosk Lockdown.
  3. Whitelist all the apps that you need including web apps.
  4. Select Website Kiosk Settings, click Configure.
  5. Choose Hexnode Kiosk Browser, single tab or multi-tab to browse the web apps and whitelisted URLs.
  6. You can specify whether to open the web apps in full screen or not on the device. You can also choose to make the browse icon visible or not in the device.
  7. Go to Policy Targets and select the required Devices/Device Groups/Users/User Groups/Domains to which the policy is to be associated.
  8. Click Save.
Note:

  • If Another browser is chosen, the browser app needs to be installed on the device. Any URL, even if blacklisted, can still be opened with these browsers.
  • If no browser is enabled, the web pages can be viewed with Hexnode’s single-tabbed browser, Hexnode Browser Lite.
  • Hexnode Kiosk Browser is available on Android v4.1+.


When Multi-tabbed browsing is enabled, the Hexnode Kiosk browser will get downloaded to the device. It will be installed silently only on Samsung Knox, LG GATE, Kyocera business phones, devices with Hexnode MDM as a system app, and devices enrolled in Android for Work as Device Owner.

Advanced Website Kiosk Settings

Hexnode allows you to configure advanced configurations for a set of whitelisted web apps opened in Hexnode Browser Lite or Hexnode Kiosk Browser. It allows you to configure additional settings to set up the perfect kiosk experience tailored for your use case. To configure advanced website kiosk settings,

  1. Go to Policies > New Policy.
  2. Select Kiosk Lockdown > Android Kiosk Lockdown > Website kiosk Settings > Configure.
  3. Select Hexnode Browser Lite or Hexnode Kiosk Browser > Choose whether to open apps in full screen and refresh web apps periodically. You can also whitelist a set of websites if needed.
  4. Now, go to Advanced Website Kiosk Settings > Configure.
  5. Configure the advanced settings based on your use case and click on the Save button.

Digital Signage Display

Hexnode’s digital signage module transforms your devices into images/video streaming screens. This feature enables you to display images and play videos for advertising/informational purposes in Android kiosk mode. You can play the media files in loops and add custom background music to it. To enable digital signage display on your devices,

  1. Navigate to Policies.
  2. Select an existing policy or create a new one by clicking New Policy.
  3. From Kiosk Lockdown > Android Kiosk Lockdown, select Digital Signage Display and click Configure.
  4. Check the option Enable digital signage and upload the files to be set in digital signage.
Notes:

  • Supported formats: JPG & PNG (Images), MP4 & Matroska (MKV) (Videos), MP3 & Ogg (Audio)
  • Supported on Android running 4.4+.

Hexnode Messenger

The Kiosk messenger module enables the admin to broadcast text messages to user devices, even while they are in Kiosk mode. The communication is unidirectional, from admin to user only.

  1. Head onto Policies > New Policy.
  2. Go to Kiosk Lockdown > Android Kiosk Lockdown > Peripheral Settings and click Configure.
  3. Under the Messenger category, enable View messages sent by admin.
  4. Click Save.

Now, the broadcast messages can be sent to the enrolled devices via the Hexnode Messenger.

Update Enterprise Apps

Hexnode MDM makes it possible to update Enterprise apps set up in Kiosk, without taking them out of the Kiosk mode. You can either,

  1. Method 1: Replace the old APK file with the new one in the Hexnode app inventory.
  2. Method 2: Add the new APK file as a new enterprise app in Hexnode app inventory & push them to target devices.

Hide Apps

App icons can be hidden away, yet run the app in the background, with the Background Apps feature in Kiosk mode. This enables the enterprise to install an app in the device but restrict the user from tampering with it. Hidden apps can’t be set as a Default app.

Add PDF and Video shortcuts in Kiosk

Hexnode MDM allows admins to create shortcuts for PDF and video files in the portal. These PDF and video shortcuts can be added in Single App/Multi App kiosk mode. Hexnode provides its own Hexnode Document Reader and Hexnode Media Player to open PDF and video shortcuts respectively. Users are also free to choose their own apps to open these file shortcuts.

Set up a Default Kiosk app

A default app can be set in Kiosk mode which would launch automatically as per the auto-launch period set in the policy and would run in the foreground at all times. You can access the other apps in multi-app Kiosk mode by pressing the back button and returning to the home page. The default app launches automatically when the device enters Kiosk mode or when the device stays idle for a set time.

Setting up a default Kiosk app can be done in the Kiosk Lockdown > Android Kiosk Lockdown > Launcher > Auto-Launch. You can also customize the kiosk launcher and choose the desired size for the kiosk app icon as per its requirements.

Kiosk Screensaver

With Hexnode’s Kiosk Screensaver feature, enterprises can transform their Android devices into images/video streaming screens while in kiosk mode. It allows users to display images and play videos as screensavers for devices locked in kiosk mode. To enable kiosk screensaver,

  1. Head onto Policies > New Policy.
  2. Go to Kiosk Lockdown > Android Kiosk Lockdown > Kiosk Screensaver and click Configure.
  3. Check the option Enable Screensaver and upload the files to be set as the screensaver.
  4. Click Save.

Reporting

Hexnode MDM stores the device, user, compliance, location, data management, application, and audit data, which can be accessed from the Reports tab. Choose any report, click on Export and select the file format – PDF or CSV, for it to be saved to your computer. It allows you to generate the following kiosk reports:

  1. Kiosk active devices: It lists all the devices that are currently locked down into kiosk mode.
  2. Kiosk enabled devices: It lists all the devices to which a kiosk policy has been associated but not currently in kiosk mode.
  3. Kiosk exited devices: It lists all the devices that have exited from the kiosk mode.


Android kiosk mode complete guide - Reporting

Peripheral Settings

From Wi-Fi and Bluetooth configurations to Display and App settings, Peripheral Settings include a broad range of peripheral controls for the devices in Android Kiosk mode. For a detailed description of the configurations, refer to the Peripheral Settings document.