Category Filter

How to lock down Windows devices in multi-app kiosk mode?

Kiosk mode is a lockdown mechanism that allows you to restrict your devices to a single app or a few applications of your choice. Multi-app kiosk mode locks your device to a handful of whitelisted applications, thus preventing the users from accessing any other features on the device. Restricting the device to a few apps reduces user distractions and provides users with only the things that they need to access.

Notes

  • This feature is available only on Ultimate and Ultra subscription plans.
  • Windows Multi App Kiosk mode is supported on Windows 10 Pro, Enterprise and Education editions running 1709 or later versions.

Configure multi-app kiosk

Before associating the policy, you must create a local user account on your device and install the Universal Windows Platform (UWP) apps that you want to run in kiosk mode.

Note


The kiosk account should be a local standard user account.

Step 1: Create a Local user account on your Windows 10 device

To create a Local user account on Windows 10 Pro version:

  1. Click on Start button > Settings > Accounts > Family & other people.
  2. Select the option Add someone else to this PC under Other people.
  3. Click on the link I don’t have this person’s sign-in information.
  4. Select the option Add a user without a Microsoft account.
  5. Fill in the kiosk user’s name, password, and other required fields.

To create a Local user account on Windows 10 Enterprise and Education versions:

  1. Click on Start button > Settings > Accounts > Other people.
  2. Select the option Add someone else to this PC
  3. In the inset box, select Users.
  4. Under Actions, select Users > More actions > New User.
  5. Fill in the kiosk user’s name, password, and other required fields.

Now, the user account will be set up on the device.

Step 2: Install the kiosk apps within the local account

After setting up the account, make sure the apps to be set in kiosk mode are installed on both the admin and local user accounts.

Note


Kiosk mode works only with Universal Windows Platform apps (apps that come pre-installed with Windows 10 or sourced from Microsoft Store) and Windows desktop apps (MSI, Win32, Exe apps).

Step 3: Customize and export Start layout

Customizing a start layout involves arranging the apps (to be set in kiosk mode) in a way the user wishes to view them on the start menu and on the device screen. Login to the admin account and follow the steps below to prepare and export the Start layout.

Note

  • Check the Run as administrator option if you are prompted to enable the same (specific to certain folders).
  • The Windows device in which you are setting up the Start menu layout (XML) should have the same OS version of the devices to which you are deploying the policy.

    1. The following steps allow you to customize the Start layout as per your requirement.
      • Pin apps to Start: Choose the desired app from Start by typing in the app name. Right-click the app and click Pin to Start.
      • Apps that are not to be displayed in the layout can be unpinned. Right-click the app and then click Unpin from Start.
      • Drag tiles to group apps.
    2. Right-click Start > select Windows PowerShell.
    3. Enter the below command in Windows PowerShell:
      Export-StartLayout –path .xml

Here, –path is a required parameter that specifies the path and file name of the XML file to be exported.
For example, Export-StartLayout -path C:/Users/Robert/Kiosk.xml

Note


The file name must include the .xml extension. The policy settings require the extensions and the Export-StartLayout cmdlet does not append the file name extension.

Step 4: Create a multi-app kiosk policy

  1. Login to your Hexnode MDM portal and navigate to Policies tab.
  2. Click on New Policy to create a new one or click on any policy name to edit an existing one. EIf you are creating a new policy enter the Policy Name and Description in the provided fields.
  3. Go to Kiosk Lockdown > Windows Kiosk Lockdown, select Multi App > Configure.
  4. Enter the Kiosk account name and click on the + button to select the app to be added in kiosk mode.
  5. Import the Start layout .xml file.
  6. Save the policy.
Note

  • Ensure that the apps to be added in the kiosk mode are present in the local user account.
  • If you add an app in the Start menu layout (XML) but haven’t added that in the kiosk policy, that app cannot be opened on the device.

How to associate the policy with devices/groups?

There are two ways by which you can assign restrictions to the devices in bulk.
If you haven’t saved the policy yet,

  1. Navigate to Policy Targets
  2. Click on + Add Devices, search and select the required devices to which you need to apply the policy and click OK
  3. Click on Save to apply the policies to the devices.

To associate the policies with a device group, select Device Groups from the left pane under Policy Targets, and follow the above instructions. Similarly, you can associate the policy with Users, User Groups, or Domains from the same pane.

If you’ve already saved the policy and you’re taken to the page which displays the policy list,

  1. Select the required policy, click on Manage and select Associate Targets
  2. Select Device/ User/ Device Group/ User Group/ Domain
  3. Search and select the devices/ users/ device groups/ user groups/ domains to which you need to apply the policy and click Associate.

What happens at the device end?

Restart the device after applying the policy for it to take effect. When a user logs into his local user account, the apps added in the kiosk mode will be displayed on the start screen. The user will be unable to access the settings or other apps on the device.

How to exit kiosk mode?

Method 1: Disassociate the Policy

Disassociate the kiosk policy from the device or delete the policy and restart the device.

  1. Login to your Hexnode MDM portal. Navigate to Policies tab
  2. Click on the required policy name and go to Policy Targets. Click on the Remove option corresponding to the device.

OR
  1. Login to your Hexnode MDM portal. Navigate to Manage tab
  2. Click on the required device and go to Policies. Click on the trash icon corresponding to the policy.

Method 2: Archive the policy

  1. Login to your Hexnode MDM portal. Navigate to Policies tab
  2. Select the required Policy, click on Manage > Move to Archive
Notes


The archived policies can be viewed under Policies > Archived Policies.

    • To permanently delete an archived policy,
      1. Login to your Hexnode MDM portal. Navigate to Policies tab > Archived Policies
      2. Select the required policy. Click on Manage > Delete > Confirm deletion.
    • To restore an archived policy,
      1. Login to your Hexnode MDM portal. Navigate to Policies tab > Archived Policies
      2. Select the required policy, click on Manage > Restore.

On restoring an archived policy, the policy targets won’t be restored (the policy stays disassociated from the target device).

Method 3

If the methods mentioned above fail to remove the kiosk policy from the device, press CTRL+ALT+DEL. This locks the screen and allows users to sign in with a different account from the login page. However, the previous user account remains in kiosk mode, and once the user logs in to the account, the kiosk mode gets relaunched.