Configuring the Android shared-kiosk mode

To configure the Android shared-kiosk mode, you need to create a staging user role. Then you need to create one kiosk policy for the staging user as well as one or more policies for the shared kiosk users. For example, you can create one policy for managers and another one for employees. Within each policy, you can define the apps that the users, or user group, can access. Then you need to create and add a label to the device. Finally, you need to apply labels to both the staging and shared kiosk policies.

You define user groups with a user group feature, such as LDAP. You cannot define user groups within the Android shared kiosk mode.

To configure the Android shared-kiosk mode, do the following:

  1. Configuring a staging user
  2. Creating a staging policy for the staging user
  3. Creating a shared-kiosk-mode policy for the shared kiosk users
  4. Creating and Adding labels to Android shared kiosk policies
  5. Applying a label to the staging policy
  6. Applying a label to a shared kiosk policy

Configuring a staging user

The first step in allowing users to access the Android shared-kiosk mode is to assign a user to the staging role. The staging user must have the same login as the person in your organization who registered Ivanti Mobile@Work during the initial setup of the software. Also, this user needs to have the Google Device Account role. Ivanti, Inc suggests that you make this user name easy to distinguish by using a name such as "staging-user."

A Google Device Account applies only to Managed Google Play Accounts and new managed devices. The device account allows the staging user to enroll large numbers of managed devices (that is, more than ten devices) without being subject to the limits imposed by Google.

Procedure 

  1. In Admin Portal, go to Devices & Users. Then select Users.
  2. Select the check box next to a user.
  3. From Actions, select Assign Roles. The Assign Role(s) screen displays.
  4. Select the check box next to Use Google Device Account (for Android enterprise device only).
  5. Click Save.

Creating a staging policy for the staging user

You need to create a policy that is dedicated to the staging user. This policy is not active until you apply a label to the staging policy.

Procedure 

  1. In Admin Portal, go to Policies & Configs > Policies.
  2. Click Add New > Android > Android Kiosk Mode.
  3. In the New Android Kiosk App Setting Policy dialog box, enter a Name and Description for the policy.
  4. Select Active for the Status field to enable this policy.
  5. Scroll down to the lower part of the Kiosk Settings section:
    • Disable Quick Settings - Select so that the device will not display the system notification drop-down menu at the top of the screen. If you enable the following options, the settings are displayed as menu items in the shared-kiosk mode on the device.
    • Allow User to Access WIFI Settings. This is an optional setting.
    • Allow User to Access Bluetooth Settings. This is an optional setting.
    • Allow User to Access Location Settings. This is an optional setting.
    • Enter a 4-6 digit PIN in the Kiosk Exit PIN field.
      You can assign a PIN to the staging user kiosk policy. However, it is not mandatory. Without a kiosk exit PIN, the staging user cannot exit the kiosk mode.
    • Select the Enable Shared Device check box. This is a mandatory setting.
      • Enable Login (Only for Staging user) - This option does not apply to shared-kiosk mode.
      • Enable Logout - Select to use and then set the number of hours in the Logout user if session exceeds (0) hours drop-down.
  6. Scroll up to the Kiosk Branding section and customize the kiosk with a background color and background image if desired. See Branding the Android kiosk screen.
  7. Click Save.

Creating a shared-kiosk-mode policy for the shared kiosk users

Create one or more policies for the shared kiosk users, who get access to the apps on the shared device based on their assigned policies. Each shared kiosk policy specifies a different set of apps available to the assigned user or user groups. For example, one policy could be for day-shift workers and a second one for night-shift workers. Also within these policies, you may want to configure branding to customize the device. This policy is not active until you apply a label to the shared kiosk policy.

You need to install any apps that you wish to include in the kiosk using the App Catalog page before you begin this procedure. You cannot install apps from within the shared-kiosk-mode policy. You can only use the shared-kiosk-mode policy to set up which apps are displayed.

Procedure 

  1. Go to Policies & Configs > Policies.
  2. Click Add New > Android > Android Kiosk Mode.

    The New Android Kiosk App Setting Policy dialog box opens.

  3. Enter a Name and Description for the policy.
  4. Select Active for the Status field to turn on this policy.

Branding the Android kiosk screen

You can brand the Android kiosk page to make its appearance more familiar to your device users.

  1. Select Enable Top Banner. De-select if you want to turn off the banner.
  2. Click the Banner Background Color field to display a color palette to select from or enter the hex number for the color you prefer.
  3. Click the Banner Border Color field to display a color palette to select from or enter the hex number for the color you prefer.
  4. Select Image/Logo or Text to set the banner content.

  5. If you selected Image/Logo, drag and drop the image file or click Choose File to select one.

  6. If you selected Text, type the text you want to display in the banner.

  7. To change the Background Image:

    1. Delete the default image.

    2. Drag and drop the preferred image or click Choose File to select one.

    3. Select the preferred layout.

  8. Select the preferred image Layout: Fit, Center, or Tile.

Kiosk Settings

  1. In the Kiosk Settings section, select Enable Lock Task Mode. Lock Task Mode increases the level of security on Android Enterprise devices in kiosk mode by limiting access to whitelisted kiosk and system apps. When a device user swipes away from an app, they only have access to the whitelisted and system apps. This feature is only applicable to Android 9 devices in Device Owner (DO) mode. Further options display:
    1. System Info - When selected, displays the date / time, connectivity, battery, and vibration mode in the status bar. Not enabled by default.

    2. Keyguard - Enables the keyguard in lock task mode. Enabled by default.

    3. Global Actions - Enables the menu that is displayed when the device user long-presses the power button. If this option is disabled, the device user may not be able to power off the device. Enabled by default.

    4. Home button - Disabled by default. When enabled, displays the following sub-options:

      • Overview button - Enables the Overview button and the Overview screen during lock task mode. When using the Enable Single App Kiosk mode, Ivanti recommends that the Overview button be de-selected.

      • Notifications - Enables notifications during lock task mode. This includes notification icons on the status bar, heads-up notifications, and the expandable notification shade. Note: These options are only applicable for Android 9 devices.

  2. Make choices for further options:
    • Disable Quick Settings
      If you select this option, the device does not display the system notification pull-down menu at the top of the shared kiosk screen.
      If you enable the following options, the settings are displayed as menu items in the shared-kiosk mode on the device.
    • Allow User to Access WIFI Settings. This is an optional setting.
    • Allow User to Access Bluetooth Settings. This is an optional setting.
    • Allow User to Access Location Settings. This is an optional setting.
    • Enter Kiosk Mode Immediately on Registration - Selecting this will make the device enter Kiosk mode automatically upon registration. Disabled by default.
    • Kiosk Exit PIN - Create a 4-6 digit PIN for exiting Kiosk Mode from the device. This PIN applies to all devices in Kiosk mode.
    • Select the Enable Shared Device check box and then click the Enable Logout radio button. This is a mandatory setting.
      • In Logout user if session exceeds [0 is default] hours, select a number from the drop-down.

    • Enable Single App Kiosk - Starting with Ivanti EPMM 11.8.0.0, administrators can select the Enable Single App Kiosk check box and then select the (single) app to pin to the device screen.

      This setting allows one app to be pinned to the device screen in most conditions. The dedicated single app mode will allow other apps to be available on the device, but they will not be available for the device user to directly launch. These other apps will only be launched through the pinned app. For example, Email is the pinned single app, and the device user receives an email with a link to the Gmail Maps app. When the device user taps on that link, it opens the Gmail Maps app.

      The pinned single app will be launched only when it is part of the Allowed App list, the Kiosk Mode Allowed Apps list, and installed on the device. The Allowed Apps listed are from the App Catalog Apps section.

      Ivanti recommends this be used with Lock Task mode and to have the Overview button de-selected.

      Applicable to Work Managed Device mode (DO) and Work Managed Device - non GMS mode (AOSP).

      Note the following:

      • The Lock Task mode can only be enabled when the screen is in the foreground. If the dedicated single-app is in the foreground, then it is not possible to enable Lock Task mode. Workaround: Device user needs to tap the back or home button; the Lock Task mode becomes enabled.
      • On devices Android 9 and below, when the Single App Kiosk is disabled, then the device user may need to tap the back/home button to see the Kiosk grid screen again. The launched app may remain pinned to the foreground and the Kiosk grid screen may not display due to Android limitations. 

Choose Apps

  1. In the Choose Apps section, select the app or apps that will be available to the shared kiosk user.

  2. Add the permitted apps to the Built-in Apps section.

    1. Click +Add in the Built-in Apps to add apps such as the Built-in Camera or Built-In Dialer to the Kiosk Mode Allowed Apps section.

      The built-in apps must be enabled in Device Owner mode and be for Android 6+ devices. This may not be the case with all manufacturers.

  3. Add apps from the App Catalog Apps section by clicking +Add.
  4. Add apps manually by entering a Package ID in the Manually Add Apps with Package ID field. Then click +Add.
  5. The order that the apps appear in the Kiosk Mode Allowed Apps section reflects how they appear on the device user's screen. To change the position of an app on the screen, change its position in the Kiosk Mode Allowed Apps list by selecting it and dragging it up or down.
  6. All apps allowed in the Kiosk Mode Allowed Apps section have a "broom" icon/option. Based on the specific app's settings, the Ivanti Mobile@Work app will:
    1. Broom with Check mark icon = clear app data when the user logs out of shared kiosk. 
    2. Broom with "Not allowed" icon = do not clear app data when the user logs out of shared kiosk.
  7. All apps allowed in the Kiosk Mode Allowed Apps section have a "gear" icon/option. Based on the specific app's settings, the Ivanti Mobile@Work app will:
    1. Gear with Check mark icon = allows device-wide settings for the selected app to be made available to the device user. Some apps may need this to get support from Android OS for activities such as completing Bluetooth pairing. This is only available in Lock Task Mode. If Lock Task Mode is de-selected, the gear icon will not display.
    2. Gear with "Not allowed" icon = disallows device-wide settings for the selected app to be made available to the device user.
  8. Optionally, hide an app. Select an app in the Kiosk Mode Allowed Apps section and click the "eye" icon to hide the app.
    1. When an app is hidden, it can be used by other apps but is not available to launch in the kiosk. For example, a browser can be added to the kiosk but hidden so that it can be used to open URLs from an email app.
    2. The Kiosk itself does not install any app. You need to install any app that you include in the kiosk using Apps@Work or another method.
  9. Click Save.

Creating and Adding labels to Android shared kiosk policies

After you create the staging policy and one or more shared kiosk policies, you need to create and add a filtered label to the policies to push the configuration to the target devices. You must create a label for the staging user and each of the shared kiosk users.

Procedure 

  1. Go to Devices & Users > Labels.
  2. Click Add Label. The "Add a label" page is displayed.
  3. Enter a name and description of the label.
  4. Click the Filter radio button.
  5. Create a rule for the label based on the type of user logged into the device. In the Criteria section, use the Field, Operator, and Value fields (or enter the rule in the Type search expression here field):

    • Field: Enter the user id as "user.user_id".
    • Operator: Enter "Equals" or some other operator to return a single username.
    • Value: Enter the user account name.

      Here is an example of a rule for a staging user:

      "user.user_id" = "<StagingUsername>" AND common.retired = "false"

      See the following image for an example of a rule for a kiosk user:

      For more information about field definitions, see Device field definitions.

  6. Click Save.
  7. Apply this label to the related policy. See the following sections.

    The Display Name field on the "Add a label" page changes to reflect the user logged in. This is how the Filtered Label distinguishes which Kiosk Policy is applied.

Apply labels to Android shared kiosk policies

After you create the staging policy and one or more shared kiosk policies, you need to apply a label to the policies to push the configuration to the target devices.

You must assign mutually exclusive labels to the staging and shared kiosk policies. In other words, the labels cannot resolve to a device that could be assigned to both policies at the same time. If that situation occurs, the policy with the higher priority is assigned to the device.
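
One way to check label rules for overlap before applying them, as an added example (not Ivanti code and not an Ivanti API): it evaluates a simplified subset of the filter syntax shown above (equality clauses joined by AND) against device records and reports every device that more than one label would match. The label names, user names, and device records are constructed for illustration.

```python
import re

# One clause: optionally quoted field name, "=", double-quoted value.
CLAUSE = re.compile(r'^\s*"?([\w.]+)"?\s*=\s*"([^"]*)"\s*$')

def parse_rule(rule):
    """Parse 'field = "value" AND ...' into a list of (field, value) pairs."""
    clauses = []
    for part in re.split(r"\s+AND\s+", rule.strip()):
        m = CLAUSE.match(part)
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        clauses.append((m.group(1), m.group(2)))
    return clauses

def find_overlaps(labels, devices):
    """Return {device id: [label names]} for devices that 2+ labels match."""
    parsed = {name: parse_rule(rule) for name, rule in labels.items()}
    overlaps = {}
    for dev in devices:
        hits = sorted(name for name, clauses in parsed.items()
                      if all(dev.get(f) == v for f, v in clauses))
        if len(hits) > 1:
            overlaps[dev["id"]] = hits
    return overlaps

# Constructed label rules; "all-active" is deliberately too broad.
LABELS = {
    "staging": '"user.user_id" = "staging-user" AND common.retired = "false"',
    "managers": '"user.user_id" = "manager1" AND common.retired = "false"',
    "all-active": 'common.retired = "false"',
}
# Constructed device records keyed by the fields the rules reference.
DEVICES = [
    {"id": "dev-01", "user.user_id": "staging-user", "common.retired": "false"},
    {"id": "dev-02", "user.user_id": "manager1", "common.retired": "false"},
    {"id": "dev-03", "user.user_id": "employee1", "common.retired": "true"},
]

if __name__ == "__main__":
    for dev_id, names in find_overlaps(LABELS, DEVICES).items():
        print(f"{dev_id}: matched by {', '.join(names)}")
```

An empty result means no device in the sample resolves to more than one label; any entry names the labels whose rules need to be narrowed.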

Applying a label to the staging policy

The label must contain local users or LDAP user group information (or some way of associating the target users). These are the users that will use the policy.

Procedure 

  1. Go to Policies & Configs > Policies.
  2. Select the check box next to the staging policy.
  3. Select Actions > Apply to Label. The Apply to Label dialog box opens.
  4. Select the check box next to the label.
  5. Click Apply.

Applying a label to a shared kiosk policy

The label must contain local users or LDAP user group information. These are the users that will use the policy.

Procedure 

  1. Go to Policies & Configs > Policies.
  2. Select the check box next to the shared kiosk user policy.
  3. Select Actions > Apply to Label. The Apply to Label dialog box opens.
  4. Select the check box next to the label.
  5. Click Apply.
  6. If needed, repeat the procedure to assign an additional label to another shared kiosk policy.