With tvOS devices and single-purpose devices finding an exponential level of usage in organizations, ensuring devices are locked to specific apps and/or settings becomes a cumbersome task for system administrators. With Kiosk for tvOS devices, this can be easily and efficiently solved as it lets you lock the devices to specific and/or settings as well as ensure the user cannot move away from the app or modify the settings. Additionally, users cannot access any other features present on the device. Kiosk can be understood better from the following flow diagram:
Provisioning app(s) under Kiosk
- You can provision apps already present in any one of the managed devices or added to the App Repository. This can include pre-installed apps, store apps and enterprise apps.
- In case the app provisioned under Kiosk is not available on the device, the app gets automatically distributed and installed on the device. The app distribution status is shown when viewing the device individually or in a group, in the Device Mgmt view.
- In case of Store apps, these apps can be manually updated by the device user in case App Store is provisioned as an app in Kiosk. Otherwise you need to update the app via MDM.
- In case of enterprise apps, you need to update the latest version of the source file (.ipa) to the App Repository and then update the app on the devices.
- If a profile is updated and then re-distributed, the version of the enterprise app initially used during profile creation is one that gets distributed even if there's there's an updated version available in the App Repository. In case of Store apps, the latest version is distributed. The updated enterprise app needs to be seperately distributed as explained here.
As the name suggests, MDM lets you automate installation of Kiosk-provisioned apps(both Store and enterprise apps) to ensure seamless Kiosk profile association. To automate Kiosk-app installation, VPP needs to be configured to ensure apps install without requiring Apple ID and only apps purchased through VPP can be installed silently on the devices. In case of enterprise app, there is no such requirement. This is supported only for single-app kiosk. You can learn more about silent installation of apps using VPP here.
It is recommended that you ensure the app has adequate licenses, before associating the Kiosk profile to groups/devices. You can know license details of any app by, navigating to App Repository and clicking on the app.
App Update Automation
In addition to silent installation of Kiosk-provisioned apps, MDM also allows you to update these apps silently without any user intervention. This is supported only for single-app kiosk. In case of updating VPP-purchased apps, devices secured with a passcode are automatically locked over-the-air and if the device has no passcode, the device will be temporarily inoperable or be provisioned with MDM as the Kiosk app during the update. If the apps provisioned under Kiosk are not purchased via VPP, you need to remove the Kiosk profile, update the apps and then re-associate the Kiosk profile. For enterprise apps, the app gets updated in the background without affecting the app usage. The apps will be updated silently only if VPP is configured to ensure apps install without requiring Apple ID
It is recommended that you update the apps during scheduled device maintenance to avoid operational breakages.
- To facilitate app automation, the Kiosk-provisioned apps must be purchased/approved through VPP.
|Kiosk Mode||Specify the mode based on whether the device is to be locked to a single app or multiple apps. In multi-app Kiosk mode, the device can still access Phone and Settings|
|Allowed App(s)||Select the app(s) to be provisioned under Kiosk in the device. Usage of the device is singled down to access/using only the Kiosk app(s). Any app in the enrolled device and apps in the app repository can be specified. If the app is not available in the device, it is recommended to push the app first and then the Kiosk profile.|
|SETTINGS (Applicable only if Kiosk Mode is configured as 'Single App')|
|Touch||Enabling this will lock the device to a single screen. User cannot perform any touch operations, other than waking up the device.|
|Screen Rotation||Screen rotation can be enabled or disabled using this option|
|Volume Buttons||If volume buttons are disabled, user cannot increase or decrease the volume on the device by using the physical buttons on the device|
|Ringer Switch||Diasbling this restricts the user from changing the existing settings. If the device is in silent mode, then the device will remain the same and user will not have any control over it|
|Sleep/Wake Button||Diasbling this restricts the user from changing the existing settings. If the device is awake, then the device will remain the same and user will not have any control over it|
|Auto Lock||Enable/Disable Auto Lock option in the device.This configuration overrides the Auto-lock option set in Passcode policy, if both the policies distibuted to the same device..|
|Speak Selection||Enable/Disable speak selection in the device.|
|Mono Audio||Enable/Disable Mono Audio in the device.|
|VoiceOver||Enable/Disable VoiceOver in the device|
|Zoom||Enable/Disable Zoom accessibility settings in the device|
|Invert Colours||Enable/Disable Invert Colours options in the device|
|Assistive Touch||Enable/Disable Assistive Touch in the device|
- It is recommended to associate only one Kiosk profile to the managed devices.
- You can provsion only those app(s) which are already present in App Repository or Inventory alone, for Kiosk. If the App(s) is/are not present, first add the app(s) to the App Repository and distribute and install the app(s) in the devices. Click here to know more about adding and distributing apps and click here to know how to install apps silently.
- If Kiosk has been applied but the app(s) are/is not present in the device, you can distribute and install the app(s) on the device. On successful installation of the app(s), the Kiosk Profile automatically gets re-associated to the device. If you've configured multi-app Kiosk but some of the apps are not present in the device, then Kiosk will be configured for the apps present in the device.
- On configuring Kiosk Profile, if you choose to restrict Sleep/Wake button on a device, it is recommended to keep the screen-out time on the device to "None", so that the device does not go to Sleep Mode. In case the device goes to Sleep Mode, it is required to restart the device by long-pressing the Power Button.
- Click here to know more about the behaviour of app permissions, when a device is in Kiosk.