Category Filter

How to lock down Windows devices in multi-app kiosk mode?

Kiosk mode is a lockdown mechanism that allows you to restrict your devices to a single app or a few applications of your choice. Multi-app kiosk mode locks your device to a handful of whitelisted applications, thus preventing the users from accessing any other features on the device. Restricting the device to a few apps reduces user distractions and provides users with only the things that they need to access.

Notes:

  • This feature is available only on Ultimate and Ultra subscription plans.
  • Windows Multi App Kiosk mode is supported on Windows 10 Pro, Enterprise and Education editions running 1709 or later versions.

Configure multi-app kiosk

Before associating the policy, you must create a local user account on your device and install the Universal Windows Platform (UWP) apps that you want to run in kiosk mode.

Notes:

  • The kiosk account should be a local standard user account.
  • The multi app kiosk policy can also be applied to an Active Directory user account, provided the user has logged in to the device at least once before applying the kiosk policy.
  • Once the user logs in to the kiosk user account, the kiosk mode status and the name of the kiosk account will be displayed under Enrollment details on the Device Summary page.

Step 1: Create a Local user account on your Windows 10 device

To create a Local user account on Windows 10 Pro version:

  1. Click on Start button
  2. Navigate to Settings > Accounts > Family & other users.
  3. Select the option Add someone else to this PC under Other users.
  4. Click on the link I don’t have this person’s sign-in information.
  5. Select the option Add a user without a Microsoft account.
  6. Fill in the kiosk user’s name, password, and other required fields.

To create a Local user account on Windows 10 Enterprise and Education versions:

  1. Click on Start button.
  2. Navigate to Settings > Accounts > Other people. On some Windows editions the option would be named as Other users.
  3. Select the option Add someone else to this PC
  4. In the inset box, select Users.
  5. Under Actions, select Users > More actions > New User.
  6. Fill in the kiosk user’s name, password, and other required fields.

Now, the user account will be set up on the device.

Step 2: Install the kiosk apps within the local account

After setting up the account, make sure the apps to be set in kiosk mode are installed on both the admin and local user accounts.

Note:


Kiosk mode works only with Universal Windows Platform apps (apps that come pre-installed with Windows 10 or sourced from Microsoft Store) and Windows desktop apps (MSI, Win32, Exe apps).

Step 3: Customize and export Start layout

Customizing a start layout involves arranging the apps (to be set in kiosk mode) in a way the user wishes to view them on the start menu and on the device screen. Login to the admin account and follow the steps below to prepare and export the Start layout.

Notes:

  • Check the Run as administrator option if you are prompted to enable the same (specific to certain folders).
  • The Windows device in which you are setting up the Start menu layout (XML) should have the same OS version of the devices to which you are deploying the policy.

  1. The following steps allow you to customize the Start layout as per your requirement.
    • Pin apps to Start: Choose the desired app from Start by typing in the app name. Right-click the app and click Pin to Start.
    • Apps that are not to be displayed in the layout can be unpinned. Right-click the app and then click Unpin from Start.
    • Drag tiles to group apps.
  2. Right-click Start > select Windows PowerShell.
  3. Enter the below command in Windows PowerShell:
    Export-StartLayout –path .xml

Here, –path is a required parameter that specifies the path and file name of the XML file to be exported.
For example, Export-StartLayout -path C:\Users\Robert\Kiosk.xml

Note:


The file name must include the .xml extension. The policy settings require the extensions and the Export-StartLayout cmdlet does not append the file name extension.

Step 4: Create a multi-app kiosk policy

  1. Log in to your Hexnode MDM portal and navigate to Policies tab.
  2. Click on New Policy to create a new one or click on any policy name to edit an existing one. If you are creating a new policy enter the Policy Name and Description in the provided fields.
  3. Go to Kiosk Lockdown > Windows Kiosk Lockdown, select Multi App > Configure.
  4. Enter the Kiosk account name. If you are using the Microsoft account to enable sign in to the kiosk, you can specify the account name in either of the following formats:
    • AD user – domain\sAMaccountname. (For example, hexnode\alexanderj)
    • Azure AD user – email address.
    • Note:


      Ensure that the kiosk account name provided here is exactly the same as the local user account created.

    Then, the user can login to the kiosk account using their Active Directory credentials.

  5. Click on the + button to select the app to be added in kiosk mode. You can add local apps, public store apps and desktop apps to the kiosk.
  6. Import the Start layout .xml file.
  7. Save the policy.
Notes:

  • Ensure that the apps to be added in the kiosk mode are present in the local user account.
  • If you add an app in the Start menu layout (XML) but haven’t added that in the kiosk policy, that app cannot be opened on the device.
  • Similarly, if you include the app in the multi-app kiosk policy but not in the Start menu layout, it cannot be opened from the Start menu. However, the same application can be accessed in the background.
  • Ensure that you add all the background processing apps to the multi-app kiosk policy. Failure to include them leads to interruptions on the device functioning by prompting the user that the application is blocked.

How to add Desktop apps to kiosk?

Other than local apps and public store apps, Hexnode even allows you to add desktop apps to the kiosk. While customizing a Start Layout, only pin the desktop apps that the user needs to see in the Start Menu. The desktop apps not added to the Start Menu will run in the background whenever necessary, provided you add them to the kiosk. To add desktop apps to the kiosk:

  1. Click on Policies > New Policy to create a new one or click on any policy name to edit an existing one. If you are creating a new policy enter the Policy Name and Description in the provided fields.
  2. Go to Kiosk Lockdown > Windows Kiosk Lockdown, select Multi App > Configure.
  3. Enter the Kiosk account name.
  4. Click on the + button and select Desktop Apps. Click on the Add button after providing the app name and the location of the app on the device. For example, to add Hexnode agent app as a kiosk application, enter HexnodeAgent.exe and C:\Hexnode\Hexnode Agent\Current as the App name and Path respectively.
  5. Import the Start layout .xml file containing the apps that need to be present in the Start Menu.
  6. Save the policy.

How to associate the policy with devices/groups?

There are two ways by which you can assign restrictions to the devices in bulk.
If you haven’t saved the policy yet,

  1. Navigate to Policy Targets
  2. Click on + Add Devices, search and select the required devices to which you need to apply the policy and click OK
  3. Click on Save to apply the policies to the devices.

To associate the policies with a device group, select Device Groups from the left pane under Policy Targets, and follow the above instructions. Similarly, you can associate the policy with Users, User Groups, or Domains from the same pane.

If you’ve already saved the policy and you’re taken to the page which displays the policy list,

  1. Select the required policy, click on Manage and select Associate Targets
  2. Select Device/ User/ Device Group/ User Group/ Domain
  3. Search and select the devices/ users/ device groups/ user groups/ domains to which you need to apply the policy and click Associate.

What happens at the device end?

Restart the device after applying the policy for it to take effect. When a user logs into his local user account, the apps added in the kiosk mode will be displayed on the start screen. The user will be unable to access the settings or other apps on the device.

How to exit kiosk mode?

You can exit devices from kiosk mode either by disassociating or archiving the policy. Besides, you also need to restart the device to remove it from kiosk mode.

Method 1: Disassociate the Policy

Disassociate the kiosk policy from the device or delete the policy and restart the device.

  1. Log in to your Hexnode MDM portal. Navigate to Policies tab
  2. Click on the required policy name and go to Policy Targets. Click on the Remove option corresponding to the device.

Or
  1. Log in to your Hexnode MDM portal. Navigate to Manage tab
  2. Click on the required device and go to Policies. Click on the trash icon corresponding to the policy.

Method 2: Archive the policy

  1. Log in to your Hexnode MDM portal. Navigate to Policies tab
  2. Select the required Policy, click on Manage > Move to Archive
Notes:


The archived policies can be viewed under Policies > Archived Policies.

  • To permanently delete an archived policy,
    1. Login to your Hexnode MDM portal. Navigate to Policies tab > Archived Policies
    2. Select the required policy. Click on Manage > Delete > Confirm deletion.
  • To restore an archived policy,
    1. Login to your Hexnode MDM portal. Navigate to Policies tab > Archived Policies
    2. Select the required policy, click on Manage > Restore.

On restoring an archived policy, the policy targets won’t be restored (the policy stays disassociated from the target device).

Method 3

If the methods mentioned above fail to remove the kiosk policy from the device, press CTRL+ALT+DEL. This locks the screen and allows users to sign in with a different account from the login page. However, the previous user account remains in kiosk mode, and once the user logs in to the account, the kiosk mode gets relaunched.