Kiosk Security Hardening: Closing Browser Loopholes in Lockdown Mode

Kiosk Security Hardening is the tactical process of transforming a standard browser into a “Digital Fortress.” In a standard Lockdown Mode, a device might appear restricted, but “loopholes” often remain—such as access to the file system via “Print to PDF” dialogs, or unauthorized navigation via hidden address bars and pop-up windows.

Hardening means closing these exits one by one by toggling the corresponding restriction settings in the UEM.

1. Overview

This document provides the standard operating procedure for hardening web-based kiosks. By utilizing the Hexnode Kiosk Browser, Hexnode Browser Lite, or Microsoft Edge (for Windows) alongside Advanced Website Kiosk Settings, IT admins can eliminate common breakout techniques and ensure the device remains in a persistent, secure state.

2. Prerequisites

  • Device OS Status:
    • Android: Device Owner / Samsung Knox / Android TV OS.
    • Windows: Windows 10 (version 1803+) or Windows 11 — Pro, Enterprise, and Education editions only.
    • iOS: Supervised Devices (iOS 10+ for certain gesture settings).
  • App Configuration: Hexnode Browser Lite, Hexnode Kiosk Browser, or Microsoft Edge must be set as the handler in the Kiosk Lockdown policy.

3. Implementation: Closing the Loopholes

Phase 1: Browser-Level Hardening

The most common loopholes are found within the browser interface itself. Configure these settings in Policies > New Policies > Create a fully custom policy > Kiosk Lockdown > [OS] > Advanced Website Kiosk Settings (iOS/Android) / Website Kiosk (Windows).

  • Address Bar Restrictions:
    • Windows (Edge): Disable “Users can modify URLs in the address bar” to prevent users from typing unauthorized URLs.
    • Android/iOS: Do not allowlist unrestricted websites unless strictly required.
  • Navigation & Gestures:
    • Windows/iOS: Disable “Swipe gestures for forward/backward navigation” (Edge) and “Enable navigation gesture” (iOS) to prevent users from bypassing restrictions via touch gestures.
    • Android: Uncheck “Show Back button” and “Show Forward button” under the Browser Toolbar settings to prevent navigation to unauthorized cached pages.
    • iOS: Disable “Pull down to refresh the web page” if it exposes native browser loading behaviors.
  • Session Data Exfiltration (Clear on Idle):
    • Windows: Configure Idle timeout actions to automatically Close browser, Clear browsing history, Clear download history, and Clear cookies/cached files. Enable “Delete downloaded files in the kiosk upon ending the session”.
    • Android/iOS: Enable Clear cache, Clear cookies, and Clear web storage on page reload.

Phase 2: Hardware & OS Hardening

A browser is only as secure as the “frame” it sits in. If a user can reach the notification bar or the task manager, the kiosk is compromised.

  • Disable Status Bar/Notifications: Prevents users from accessing the Settings menu via the clock, network, or notification icons.
  • Button Lockdown: Disable Power, Home, and Volume buttons to prevent hardware-based reboots or “Safe Mode” entries.

4. Advanced: The “Print-to-Escape” Loophole

One of the most frequent (and overlooked) breakouts occurs when a website allows a user to “Print.” This opens a system dialog that allows the user to browse the local file system to “Save as PDF.”

  • Hardening Strategy:
    • Android: In Advanced Website Kiosk Settings, ensure “Show Print icon” on the browser toolbar is explicitly unchecked.
    • Global Action: Within Hexnode’s Peripheral Settings/Restrictions, explicitly block/uncheck Allow Printing. This suppresses the print dialog entirely, keeping the user within the browser micro-perimeter.

5. Persistence & Self-Healing

If a session is abandoned or glitches, the device must safely reset itself without reverting to the unlocked OS home screen.

  • Inactivity Reloads:
    • Android/iOS: Set “Reload web app after every X second(s) of inactivity” to ensure abandoned kiosks reset to the safe home screen.
    • Windows: Configure “Browser Timeout” for the Hexnode Kiosk Browser to auto-restart the app after a set idle time.
  • Kiosk Exit Passcode: Ensure a Global Exit Passcode is set within the UEM. This prevents users from exiting the kiosk via secret multi-tap gestures or unauthorized disassociation.

6. Troubleshooting

  • “White Screen of Death”: Often caused by the browser blocking a required background URL or redirect. Review Web Activity logs to find and allowlist the required background domains, or enable the “Redirect from blocked URL” (iOS) setting to safely route users back to the homepage instead of a dead screen.
  • Genie Assistance: For custom Windows kiosk XML layouts, use the Hexnode Genie chatbot/assistant to help generate a hardened Start Menu configuration that hides the taskbar and system apps.
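The White Screen triage step above, as an added example that is not Hexnode tooling: a script that reads Web Activity log lines, separates blocked requests that were triggered by an allowed page (background dependencies, the usual cause) from blocked requests with no allowed referrer (likely user navigation), and counts them per host. The log line layout, the sample lines and the `ALLOWLIST` set are constructed for this example; `parse_line()` is the part to adapt to a real export.

```python
"""Triage blocked background requests from kiosk web-activity logs.

Added example; not Hexnode tooling. The log line layout and the sample
lines below are constructed for this example, so parse_line() is the
part to adapt to a real Web Activity export.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: <timestamp> <device> <ALLOWED|BLOCKED> <url> <referrer or ->
SAMPLE_LOG = """\
2024-05-01T09:00:01Z kiosk-01 ALLOWED https://portal.example.com/ -
2024-05-01T09:00:02Z kiosk-01 BLOCKED https://cdn.example-assets.net/app.js https://portal.example.com/
2024-05-01T09:00:02Z kiosk-01 BLOCKED https://cdn.example-assets.net/app.css https://portal.example.com/
2024-05-01T09:00:03Z kiosk-01 BLOCKED https://login.example-sso.com/auth?rd=1 https://portal.example.com/
2024-05-01T09:00:09Z kiosk-01 BLOCKED https://ads.tracker-example.org/pixel.gif https://portal.example.com/
2024-05-01T09:02:30Z kiosk-01 BLOCKED https://www.example-news.com/ -
2024-05-01T09:05:00Z kiosk-01 ALLOWED https://portal.example.com/home -
"""

ALLOWLIST = {"portal.example.com"}  # hosts the kiosk policy already allows (constructed)

LINE_RE = re.compile(r"^(\S+) (\S+) (ALLOWED|BLOCKED) (\S+) (\S+)$")


def parse_line(line):
    """Return a dict for one log line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, device, action, url, referrer = m.groups()
    return {"ts": ts, "device": device, "action": action,
            "url": url, "referrer": None if referrer == "-" else referrer}


def host_of(url):
    """Hostname of a URL, or None when there is no URL."""
    return urlsplit(url).hostname if url else None


def blocked_dependencies(log_text, allowlist):
    """Count BLOCKED requests per host, split by whether an allowed page triggered them.

    A blocked request whose referrer is an allowlisted host is a background
    dependency of the kiosk site (the usual White Screen cause). A blocked
    request with no allowlisted referrer is more likely user navigation and
    is reported separately so it is not allowlisted by mistake.
    Returns (dependencies, other) as host -> count dicts.
    """
    dependencies, other = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "BLOCKED":
            continue
        host = host_of(rec["url"])
        if host is None or host in allowlist:
            continue
        if host_of(rec["referrer"]) in allowlist:
            dependencies[host] += 1
        else:
            other[host] += 1
    return dict(dependencies), dict(other)


def report(log_text, allowlist):
    """Human-readable summary of blocked_dependencies()."""
    deps, other = blocked_dependencies(log_text, allowlist)
    lines = ["Blocked dependencies of allowed pages (review each before allowlisting):"]
    for host, n in sorted(deps.items(), key=lambda kv: -kv[1]):
        lines.append(f"  {host:<32} {n} request(s)")
    lines.append("Other blocked hosts (likely user navigation, leave blocked):")
    for host, n in sorted(other.items(), key=lambda kv: -kv[1]):
        lines.append(f"  {host:<32} {n} request(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, ALLOWLIST))
```

The referrer split only narrows the list; trackers and ad pixels loaded by the allowed page show up as dependencies too, so each candidate still needs a human decision before it is added to the kiosk allowlist.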

7. Audit Checklist

  • Is the Address Bar restricted/hidden from user modification?
  • Are all inactivity timeouts and “Clear cache/cookies on reload/idle” enabled to wipe user PII?
  • Are all hardware/software buttons (Volume/Power/Recent Apps) disabled or mapped to “Null”?
  • Has the “Print-to-File” dialog been tested and blocked (Print icon hidden)?
  • Are touch gestures (swipe to navigate, pull to refresh) disabled?
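The checklist above, as an added example that is not Hexnode's policy export format: a script that audits a policy against each item, including the cross-setting case from section 4 (Print icon hidden but the global Allow Printing toggle still on) and wildcard allowlist entries. The `POLICY` dict and its keys are constructed to mirror the setting names used in this article; missing keys are treated as the weak value so an incomplete export fails closed.

```python
"""Audit a kiosk lockdown policy against the checklist above.

Added example; not Hexnode's policy export format. POLICY and its keys
are constructed to mirror the setting names used in this article.
"""

# Constructed policy with several weak settings (keys are assumptions).
POLICY = {
    "allow_url_edit": False,
    "allowlist": ["https://portal.example.com/*", "*"],  # "*" re-opens the whole web
    "reload_after_idle_seconds": 0,                      # 0 = inactivity reload off
    "clear_cache_on_reload": True,
    "clear_cookies_on_reload": True,
    "clear_web_storage_on_reload": False,
    "disabled_buttons": ["power", "home", "recent_apps"],  # volume left enabled
    "show_print_icon": False,
    "allow_printing": True,                              # global toggle still on
    "navigation_gestures": False,
    "pull_to_refresh": True,
    "exit_passcode_set": True,
}

REQUIRED_BUTTONS = {"power", "home", "volume", "recent_apps"}
WILDCARDS = {"*", "http://*", "https://*", "*://*"}


def audit(policy):
    """Return a list of (check, detail) findings; an empty list means compliant.

    Every lookup defaults to the weak value, so a key missing from the
    export is reported rather than silently passed.
    """
    findings = []

    def fail(check, detail):
        findings.append((check, detail))

    if policy.get("allow_url_edit", True):
        fail("address_bar", "users can modify URLs in the address bar")
    bad = [e for e in policy.get("allowlist", []) if e.strip() in WILDCARDS]
    if bad:
        fail("allowlist", f"unrestricted entries {bad} allow any website")
    if policy.get("reload_after_idle_seconds", 0) <= 0:
        fail("idle_reload", "reload after inactivity is disabled")
    for key in ("clear_cache_on_reload", "clear_cookies_on_reload",
                "clear_web_storage_on_reload"):
        if not policy.get(key, False):
            fail(key, "session data survives page reload (PII retention)")
    missing = REQUIRED_BUTTONS - set(policy.get("disabled_buttons", []))
    if missing:
        fail("buttons", f"hardware/software buttons still enabled: {sorted(missing)}")
    if policy.get("show_print_icon", True):
        fail("print_icon", "Print icon visible on the browser toolbar")
    if policy.get("allow_printing", True):
        fail("allow_printing",
             "global Allow Printing is on; hiding the icon alone does not suppress the print dialog")
    if policy.get("navigation_gestures", True) or policy.get("pull_to_refresh", True):
        fail("gestures", "swipe navigation or pull-to-refresh still enabled")
    if not policy.get("exit_passcode_set", False):
        fail("exit_passcode", "no Global Exit Passcode configured")
    return findings


def is_compliant(policy):
    return not audit(policy)


# The same policy with every finding corrected.
HARDENED_POLICY = {
    **POLICY,
    "allowlist": ["https://portal.example.com/*"],
    "reload_after_idle_seconds": 120,
    "clear_web_storage_on_reload": True,
    "disabled_buttons": ["power", "home", "volume", "recent_apps"],
    "allow_printing": False,
    "pull_to_refresh": False,
}

if __name__ == "__main__":
    for check, detail in audit(POLICY):
        print(f"FAIL {check}: {detail}")
    print("hardened policy compliant:", is_compliant(HARDENED_POLICY))
```

Running the script prints one FAIL line per checklist item the weak policy misses and confirms the hardened copy passes. Mapping a real export onto these keys is the only adaptation needed; the check logic itself follows the checklist items one to one.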