Category Filter

Kiosk Mode for Android – Complete Guide

System Requirements

To activate Kiosk mode on your Android device, you should have

  • A device running Android v4.1 or above.
  • An active internet connection on your devices.

This locks your device down to a purpose-specific machine well suited for work-related applications. The end-users can only perform that operations and actions that are approved by the organization on their kiosk lockdown-activated devices.

Note:

For devices enrolled in the Android Enterprise program, kiosk activation is available only on devices enrolled in Device Owner mode.


Exception:

For all devices running MIUI versions that have MIUI optimization turned on, Write System Permissions cannot be enabled. This leads to several issues including kiosk exiting unexpectedly, apps not getting installed silently, and so on. MIUI optimization must be disabled to fix such issues. To disable MIUI optimization:

  • Go to Settings > Build Number.
  • Tap on the build number 6 to 8 times to enable Developer options.
  • Select Developer Options from Settings > Additional Settings.
  • Disable MIUI optimization from the list of available options.

Set up and Enable lockdown Mode

Set up Kiosk Mode

Enroll Devices with Hexnode UEM

The first step is to enroll your devices with the Mobile Device Management software. All methods of enrollment are explained in this section.

Open Enrollment (No Authentication)

Open Enrollment requires only the server name and no enrollment credentials. It is the easiest and fastest method of enrollment. All the devices that are enrolled using Open Enrollment get assigned to a default user.

Organizations may prefer open enrollment to set up kiosks seamlessly. If you wish to display digital signages or simply set up a customized screen with the required apps, open enrollment is the perfect choice for your organization.

To set up Open Enrollment:

  1. Navigate to Enroll > Settings on your Hexnode portal.
  2. Set the Request Modes as either Email or Text/SMS, or both.
  3. Under Authentication Modes, enable No Authentication, and choose a default user and set a default password, which is for Windows devices.
  4. Under Enrollment Restrictions, choose the device models to be allowed for enrollment, enable/disable pre-approved enrollment, and enforce assigned user.
  5. Choose the Enrollment Ownership.
  6. Re-enrollment Options can be set either to enroll as a new device or to retain configurations and change owner.
  7. Click Save.

To create a new user,

  1. Head on to Manage > Users on your Hexnode portal.
  2. Click on New User.
  3. Enter the Display Name and Email address. Enable Send enrollment request to send the enrollment request immediately after the user is created.
  4. Clicking on Save will save the user details on the Hexnode portal and send the enrollment request to the user.

An enrollment request will be sent via mail/SMS to the user, consisting of the Server name and QR code.
The devices can now be enrolled using open enrollment.

Enrollment with Authentication

Enrollment with authentication requires the server name and an authentication password. This password is randomly generated and can be used only once.

Authenticated enrollment makes sure that only the right users have the right access to the devices. If you want to set up kiosks and make it available only for the required users, go with enrollment with authentication.

Note:

If the agent is removed from the device, but is still enrolled in the portal, a new enrollment request has to be sent to re-enroll the device.



To set up enrollment with authentication,

  1. Navigate to Enroll > Settings on your Hexnode portal.
  2. Set the Request Modes as either Email or Text/SMS, or both.
  3. Under Authentication Modes, enable Enforce Authentication, and choose to send the enrollment request to AD/Azure AD/Local/Google/Okta User or allow users to enroll with their dedicated credentials using Self Enrollment.
  4. There are several options available under Enrollmet Restrictions. It includes choosing the device models that can be enrolled, enabling pre-approved enrollment, and enforcing assigned user enrollment.
  5. Choose the Enrollment Ownership.
  6. Re-enrollment Options can be set either to enroll as a new device or to retain configurations and change owner.
  7. Save the settings.

To create a new user,

  1. Head on to Manage > Users on your Hexnode portal.
  2. Click on New User.
  3. Enter the Display Name and Email address. Enable Send enrollment request to send the enrollment request immediately to the user.
  4. Save these settings. This will add the user details on the Hexnode portal and will initiate the ‘enrollment request’ deployment to the users.

An enrollment request will be sent via mail/SMS to the user, consisting of server name, password, and QR code. The devices can now be enrolled with authentication.

Self-Enrollment

Self-enrollment allows users to enroll their devices in Hexnode UEM manually. If an organization needs to set up kiosks only for the users in their directory services, enroll devices using self-enrollment.

Self Enrollment using AD User allows the user to directly enroll in Hexnode UEM if they already have their dedicated Active Directory credentials.

To configure Active Directory,

  1. Go to the Admin tab and select Active Directory settings.
  2. Configure Active Directory settings and enable Allow self-enroll.
  3. Click Save.

Once the AD users are imported to the Hexnode console,

  1. Go to Manage > Directory Services.
  2. Select the domain or OUs or groups.
  3. Click on Actions and select New Enrollment.
  4. Click on Send to send the enrollment request to the AD users.

Self Enrollment using Azure AD user allows the user to directly enroll in Hexnode UEM if they already have their dedicated Azure AD credentials.

To configure Azure AD,

  1. Go to the Admin tab and select Azure AD.
  2. Configure Azure AD and enable Allow self-enroll.
  3. Click Save.

Once the Azure AD users are imported to the MDM console,

  1. Go to Manage > Directory Services.
  2. Select the domain or OUs or groups.
  3. Click on Actions and select New Enrollment.
  4. Click on Send to send the enrollment request to the Azure AD users.

Self Enrollment using Local User: The admin creates a default user and a dedicated password manually or assigns a common password or individual passwords for the users and sends it to them as a bulk mail. The devices can be enrolled with these credentials.

  1. Go to Enroll > All Enrollments > Enterprise > Self-Enrollment – Local.
  2. Create a new user by clicking on the Create a new user button. Click on the Change Password button to change the passwords of existing users.

Self Enrollment using Google User allows the user to directly enroll in Hexnode UEM if they already have their dedicated Google Workspace (G Suite) credentials.

To configure G Suite,

  1. Go to the Admin tab and select G Suite.
  2. Configure G Suite.

Once the G Suite users are imported to the Hexnode console,

  1. Go to Manage > Directory Services.
  2. Select the domain or OUs or groups.
  3. Click on Actions and select New Enrollment.
  4. Click on Send to send the enrollment request to the G Suite users.

Self Enrollment using Okta User allows users to enroll their devices in Hexnode UEM if they already have their dedicated Okta credentials. Before configuring Okta enrollment, you have to configure the Okta domain in Hexnode.

To configure Okta with Hexnode,

  1. Go to Admin > Okta.
  2. Configure Okta and enable Allow self-enroll.
  3. Click Save.

Once the Okta users and groups are imported to the Hexnode console,

  1. Navigate to Manage > Directory Services.
  2. Select the domain or OUs or groups.
  3. Click on Actions and select New Enrollment.
  4. Click on Send to send the enrollment request to the Okta users or groups.

The devices can now be self-enrolled.

Bulk Enrollment

Hexnode UEM allows you to enroll devices in bulk. To do this,

  1. Go to Enroll > All Enrollments > Invite > Email.
  2. Choose the required domain.
  3. Under Send enrollment request to, toggle the button to Bulk User.
  4. Upload the CSV file containing the fields name, email and ownership. All other fields – mobile, devicename, SerialNumber and platform – are optional. The ownership field can have the values personal, corporate or selectuser. selectuser allows the user to select ownership details while enrolling.
  5. Click Next and verify the details of the CSV uploaded.
  6. Click Next and then choose the method to send the enrollment request either via Email/SMS.
  7. Click on Send, and the enrollment email/SMS will be sent to all the users.

Pre-Approved Enrollment

Pre-approved enrollment lets the administrator set up policies for devices even before the devices are enrolled in Hexnode UEM. The configurations/restrictions are automatically applied once the device is enrolled. Pre-approved enrollment is set up by adding a CSV file with all the device details. You can also add DEP devices as pre-approved devices in the portal.

Notes:

  1. Android devices can also be enrolled in many other ways as listed below:
  2. ROM enrollment method can be used to set up devices in kiosk mode when the devices boot up for the first time.

Install Hexnode MDM App to Android Devices

Hexnode UEM Android app can be downloaded from Google Play.
When the installation is complete,

  1. Open the Hexnode MDM app and enter the server address into the field and tap Next. The server address will be <yourportalname>.hexnodemdm.com.
  2. The rest of the process differs with the enrollment type.
    • If you are enrolling without authentication, you’ll be asked to activate device administration. Make sure to grant the Device Administration permission while enrolling the devices.
    • If you are self-enrolling devices, you’ll need to provide your Directory or Local user credentials. Now, tap Next and activate Device Administration.
    • If you are enrolling devices using any other methods, provide the email address and the password obtained from the enrollment email/SMS. Tap Next and activate Device Administration.
    • Note:

      On Samsung Knox devices, you should agree to the terms and conditions of Samsung’s privacy policy.

  3. When this is done and you tap on the Enroll button, your device is all set to receive commands from the administrator.

Associate Kiosk Policy with Enrolled Devices

To turn your device into a Kiosk, you need to push the kiosk policy.

  1. Go to the Policies tab.
  2. Create a new policy and provide a name.
  3. Proceed to Kiosk Lockdown > Android Kiosk Lockdown.
  4. Lock down your device onto either Single App/Multi App kiosk mode.
  5. Click on the Configure button and add the required apps in kiosk mode.
  6. Go to the Policy Targets tab.
  7. Select the required Devices/Device Groups/Users/User Groups/Domains to which the policy is to be associated.
  8. Click Save.

The policy will be automatically associated with the device.

Enable Android device lockdown

In Android Marshmallow (6.0) and above, you’ll need to allow ‘Draw over apps’. To allow this,

  1. Go to Settings > App Settings > Configure Apps.
  2. Select Draw over apps.
  3. Select Hexnode UEM and turn on Permit drawing over other apps.

Note:

Skip this step in older Android versions.


When the policy is applied, Hexnode UEM will be launched and you’ll be asked to
  1. Enable usage access on some devices. If you don’t have an option to enable usage access, just ignore it.
  2. Activate Kiosk: Tap on the prompt, select Hexnode Kiosk in the ‘complete action using’ popup and choose Always Select.
    Notes:

    • All devices below Android 10, after initial activation, enter Kiosk mode automatically.
    • On devices running Android 10 or above, enrolled as Hexnode UEM device admin, Hexnode UEM cannot be set as the default home app (launcher). You have to manually grant Hexnode MDM app permissions, whenever kiosk is activated on the device.
    • Samsung Knox devices with Android v5.0+ and devices enrolled in Android Enterprise as Device Owner, enter Kiosk mode upon policy application without the prompt to activate Kiosk.

Advanced Bulk Deployment Options

If you are into shipping, like, thousands of devices to several other industries, they won’t be willing to download the Hexnode app and enter the server address on every device they have. In such a case, you can make the Hexnode MDM app as a system app, MDM pre-configured and kiosk mode pre-activated.
A system app will have access and permission to edit root directories and files, so you’ll have additional benefits.
You can make a custom ROM with Hexnode MDM app as the system app.

Additional Benefits

You will benefit from these additional features if you add Hexnode UEM as a system app.

  1. Silent app installation: Apps can be installed without user intervention if Hexnode UEM is installed on the device as a system app.
  2. Non-removable MDM app: Add the app to “/system/priv-app/” folder to make the Hexnode MDM app non-removable.

Make Hexnode UEM a System App before the Device is Turned On

Used by enterprises collaborating with OEM vendors, devices are manufactured with specially configured ROM, with all privileges and permissions granted to Hexnode UEM. Flashing a custom ROM makes Hexnode UEM a system app even before the device is turned on for the first time, and automatically enrolls the device in the MDM.

Major Kiosk Features

Hexnode Kiosk features are endless. Here’s a list of selected features that most of the industries are looking for. For a full list of features, see Hexnode Android Kiosk web page.

Hexnode Browser Lite

The Hexnode Browser Lite is a single tabbed browser that opens the web apps added in either single app/multi-app kiosk mode. It can also open the external URLs within the web app, provided the URLs are whitelisted. To enable the Hexnode Browser Lite in Kiosk mode,

  1. Head onto Policies > New Policy > Kiosk Lockdown.
  2. Select Single App or Multi App mode under Android Kiosk Lockdown.
  3. Whitelist all the apps that you need including web apps.
  4. Select Website Kiosk Settings, and start to configure the policy.
  5. Choose Hexnode Browser Lite to browse the web apps and whitelisted URLs.
  6. You can specify whether to open the web apps in full screen or not on the device.
  7. Go to Policy Targets and select the required Devices/Device Groups/Users/User Groups/Domains to which the policy is to be associated.
  8. Click Save.

Hexnode Kiosk Browser

The Hexnode Kiosk Browser enables secure multi-tabbed browsing, by restricting user access to URLs and web apps permitted by the enterprise alone. To enable the Hexnode Kiosk browser in Kiosk mode,

  1. Head onto Policies > New Policy > Kiosk Lockdown.
  2. Select Single App or Multi App mode under Android Kiosk Lockdown.
  3. Whitelist all the apps that you need including web apps.
  4. Select Website Kiosk Settings, click Configure.
  5. Choose Hexnode Kiosk Browser, single tab or multi-tab to browse the web apps and whitelisted URLs.
  6. You can specify whether to open the web apps in full screen or not on the device. You can also choose to make the browse icon visible or not in the device.
  7. Associate the policy with the required target entities by navigating to Policy Targets. Form here you can attach the policy with devices, users, groups and domains.
  8. Save the settings.
Notes:

  • If “Another browser” is chosen, the browser app needs to be installed on the device. Any URL, even if blacklisted, can still be opened with these browsers.
  • If no browser is enabled, the web pages can be viewed with Hexnode’s single-tabbed browser, “Hexnode Browser Lite”.
  • Hexnode Kiosk Browser is available on Android v4.1+.


When Multi-tabbed browsing is enabled, the Hexnode Kiosk browser will get downloaded to the device. It will be installed silently only on Samsung Knox, LG GATE, Kyocera business phones, devices with Hexnode UEM as a system app, and devices enrolled in Android for Work as Device Owner.

Advanced Website Kiosk Settings

Hexnode allows you to configure advanced configurations for a set of whitelisted web apps opened in Hexnode Browser Lite or Hexnode Kiosk Browser. It allows you to configure additional settings to set up the perfect kiosk experience tailored for your use case. To configure advanced website kiosk settings,

  1. Go to Policies, create a new policy or continue with an existing one.
  2. Select Kiosk Lockdown > Android Kiosk Lockdown > Website kiosk Settings > Configure.
  3. Select Hexnode Browser Lite or Hexnode Kiosk Browser. Choose whether to open apps in full screen and refresh web apps periodically. You can also whitelist a set of websites if needed.
  4. Now, go to Advanced Website Kiosk Settings > Configure.
  5. Configure the advanced settings based on your use case and click on the Save button.

Digital Signage Display

Hexnode’s digital signage module transforms your devices into images/video streaming screens. This feature enables you to display images and play videos for advertising/informational purposes in Android kiosk mode. You can play the media files in loops and add custom background music to it. To enable digital signage display on your devices,

  1. Navigate to Policies.
  2. Select an existing policy or create a new one by clicking New Policy.
  3. From Kiosk Lockdown > Android Kiosk Lockdown, select Digital Signage Display and start configuring.
  4. Check the option Enable digital signage and upload the files to be set in digital signage.
Notes:

  • Supported formats: JPG & PNG (Images), MP4 & Matroska (MKV) (Videos), MP3 & Ogg (Audio)
  • Supported on Android running 4.4+.

Hexnode Messenger

The Kiosk messenger module enables the admin to broadcast text messages to user devices, even while they are in Kiosk mode. The communication is unidirectional, from admin to user only.

  1. Head onto Policies and create a new policy.
  2. Go to Kiosk Lockdown > Android Kiosk Lockdown > Peripheral Settings and click Configure.
  3. Under the Messenger category, enable View messages sent by admin.
  4. Save the settings.

Now, the broadcast messages can be sent to the enrolled devices via the Hexnode Messenger.

Update Enterprise Apps

Hexnode UEM makes it possible to update Enterprise apps set up in Kiosk, without taking them out of the Kiosk mode. You can either,

  1. Method 1: Replace the old APK file with the new one in the Hexnode app inventory.
  2. Method 2: Add the new APK file as a new enterprise app in Hexnode app inventory & push them to target devices.

Hide Apps

App icons can be hidden away, yet run the app in the background, with the Background Apps feature in Kiosk mode. This enables the enterprise to install an app in the device but restrict the user from tampering with it. Hidden apps can’t be set as a Default app.

Add PDF and Video shortcuts in single/multi app mode

Hexnode UEM allows admins to create shortcuts for PDF and video files in the portal. These PDF and video shortcuts can be added in Single App/Multi App kiosk mode. Hexnode provides its own Hexnode Document Reader and Hexnode Media Player to open PDF and video shortcuts respectively. Users are also free to choose their own apps to open these file shortcuts.

Set up a Default Kiosk app

A default app can be set in Kiosk mode which would launch automatically as per the auto-launch period set in the policy and would run in the foreground at all times. You can access the other apps in multi-app Kiosk mode by pressing the back button and returning to the home page. The default app launches automatically when the device enters Kiosk mode or when the device stays idle for a set time.

Setting up a default Kiosk app can be done in the Kiosk Lockdown > Android Kiosk Lockdown > Launcher > Auto-Launch. You can also customize the kiosk launcher and choose the desired size for the kiosk app icon as per its requirements.

Kiosk Screensaver

With Hexnode’s Kiosk Screensaver feature, enterprises can transform their Android devices into images/video streaming screens while in kiosk mode. It allows users to display images and play videos as screensavers for devices locked in kiosk mode. To enable kiosk screensaver,

  1. Head onto Policies and create a new policy.
  2. Go to Kiosk Lockdown > Android Kiosk Lockdown > Kiosk Screensaver and click Configure.
  3. Check the option Enable Screensaver and upload the files to be set as the screensaver.
  4. Save the settings.

Reporting

Hexnode UEM stores the device, user, compliance, location, data management, application, and audit data, which can be accessed from the “Reports” tab. Choose any report, click on “Export” and select the file format – PDF or CSV, for it to be saved to your computer. It allows you to generate the following kiosk reports:

  1. Kiosk active devices: It lists all the devices that are currently locked down into kiosk mode.
  2. Kiosk enabled devices: It lists all the devices to which a kiosk policy has been associated but not currently in kiosk mode.
  3. Kiosk exited devices: It lists all the devices that have exited from the kiosk mode.


Hexnode mdm reports to audit the kiosk lockdown mode on Android devices

Peripheral Settings

From Wi-Fi and Bluetooth configurations to Display and App settings, Peripheral Settings include a broad range of peripheral controls for the devices in Android Kiosk mode. For a detailed description of the configurations, refer to the Peripheral Settings document.

Disable Android device lockdown

Disabling or exiting Kiosk mode can be done from the portal as well as from the device.

After ensuring your devices are connected to a network, you can use any of the following methods to disable/remove Kiosk mode from the MDM console.

  • Disable Kiosk Mode from Manage tab
    1. On the Manage tab, choose the devices and click on Actions.
    2. Select Disable Kiosk Mode.

With this method, you can temporarily get the device out of kiosk mode. You can get back into kiosk mode by clicking Manage > Actions > Enable Kiosk Mode.

  • Remove the policy from the device
    1. Head to the Manage > Devices and click on your device name.
    2. From the device details page, continue onto Policies sub-tab.
    3. Click on the trash icon near the policy name.
  • Remove the device from policy targets
    1. Go to Policies and click on the policy name.
    2. Continue onto Policy Targets.
    3. Click on the remove option near the device name.
  • Delete the policy
    1. Navigate to Policies.
    2. Select the policy that associates the kiosk mode with your device. Click on Manage > Move to Archive.
    3. After archiving the policy, go to Policies > Archived Policies.
    4. Select the policy you want to delete. Click on Manage > Delete.
  • Disenroll the device from Manage tab
    1. From the Manage tab, choose the device and click on Actions.
    2. Select Disenroll Device.

You can also setup exit-alternatives where the users themselves can exit kiosk lockdown mode from the device end. These methods do not require internet connectivity. They are mentioned below.

  • Using Kiosk Exit Settings via Policy tab
    1. Go to Policies and create a new policy. You can also continue with the existing policy if you like.
    2. Go to Kiosk Lockdown > Android Kiosk Lockdown > Kiosk Exit Settings.
    3. Click Configure.
    4. Check the option ‘Allow manually exiting kiosk mode’ to give the users a means to manually exit kiosk mode.
    5. You have the following options:
      Restriction Description
      Kiosk exit password Setup a local kiosk exit password which can be used to exit kiosk mode on the device.
      Note:

      • When a local kiosk password is defined via Policies, you cannot exit from the Android kiosk mode using the global exit passcode.

      Number of taps to display the popup to enter the exit passcode Enter the number of times the user must tap in quick succession to display the popup asking for the kiosk exit password.
      The number of taps must be within the range of 5 to 15.
      Exit manually from kiosk mode while an app is open Check this option to allow exiting from kiosk mode when an app is open on the screen. A pop up requesting the exit password will appear after tapping on the blank part of the screen for the selected number of times.
      Note:

      • Ensure ‘Enable status bar’ option is disabled in ‘Kiosk Lockdown > Android Kiosk Lockdown > Peripheral Settings’.
      Reboot and tap to exit from kiosk mode Check this option to let the user disable kiosk mode after reboot. Tap the screen for the selected number of times and give the exit password before the specified ‘Re-launch app –seconds after reboot’ time set.
      Relaunch app – seconds after reboot If, ‘Reboot and tap to exit from kiosk mode’ is checked, specify the number of seconds after which the app launches itself in kiosk mode once the device is rebooted.


  • Using Global Exit Settings via Admin for Android
    1. Head onto the Admin > General Settings.
    2. The Exit Passcode is mentioned under Global Exit Settings (Android). This password is known as ‘global exit password’.
    3. On the device end, tap the screen for as many times set under Number of taps to display the popup to enter the exit passcode. You can find this option under ‘Policies > New Policy > Kiosk Lockdown > Kiosk Exit Settings’. A pop-up is displayed where the user can enter the global exit password.

  • Setting Global password for Android Kiosk exit

  • Exiting Kiosk Mode via Peripheral Settings
    • If you’ve enabled ‘Show option to manually exit kiosk lockdown’ from ‘Kiosk Lockdown’ > ‘Peripheral Settings’ > ‘Hexnode UEM Settings’, an option will be available to enter the kiosk exit password. Use the password set under Admin > General Settings > Global Exit Settings (Android) or Kiosk Lockdown > Android Kiosk Lockdown > Kiosk Exit Settings.
      If both local and global passwords are specified, use the local kiosk password defined via policies to exit kiosk mode.

Exiting a single purpose kiosk via peripheral settings

Notes:

  • If you’ve set up an app with zero second auto-launch delay, ensure that the ‘Status bar’ is disabled and tap ten times rapidly on the status bar at the top-left area of the screen, to enter the Kiosk exit password. Exit manually from kiosk mode while an app is open should be enabled in the Kiosk Exit Settings of the Kiosk policy.