With POS devices and single-purpose devices finding an exponential level of usage in organizations, ensuring devices are locked to specific app and/or settings becomes a cumbersome task for system administrators. Kiosk for Windows devices, easily and efficiently solves this as it lets you silently install apps on devices and lock the device to a single app or a set of specified apps. This ensures the user cannot access any other apps or modify the device settings.
Note: Multi-app Kiosk is applicable only for Windows 10 laptops and desktops.
- Device based :
- Kiosk policy is not supported for Windows Home edition devices.
- Application based :
- Only Universal Windows Platform (UWP) apps, also known as Metro-style apps or Modern apps can be provisioned under Kiosk. To know more about UWP apps, click here.
- The apps to be provisioned under Kiosk must be present in the device. In case of managed apps, these can be distributed via MDM. For silent installation of apps, they must be present in the App Repository. Click here to learn more about adding apps to App Repository.
|Kiosk type||Select whether the device must be provisioned with a single app or multiple apps.|
|Modern apps/Web shortcuts||Specify the store apps or Web shortcuts to be allowed. Only Universal Windows Platform (UWP) apps, also known as Metro-style apps can be configured under Modern apps. To know more about UWP apps, click here.|
|Automatically install the apps if not present on the device
(Can be configured only if Kiosk type is Multi-app)
|If enabled, Kiosk-provisioned apps will be automatically installed if silent installation is supported or if silent installation isn't supported, the apps get distributed to the App Catalog, from where the user needs to install it. In case you chose to disable this option after associating the profile, devices to which the policy was previously distributed will remain unaffected.|
(Applicable only for Single-App Kiosk)
|You can select the browsing mode on the kiosk device.
i) Digital Signage: Opens Microsoft Edge with the allowed app/web shortcut in a full-screen mode. This type of browsing mode can be used for displaying advertisements or menu.
ii) Public Browsing: Opens a multi-tab version of Microsoft Edge. Users are allowed to browse publicly or end their browsing session.
|Idle timeout||Microsoft Edge resets the session after a specified time of user inactivity. You can specify a value between 1 and 1440 minutes. By default, 0 will be entered on the console which means no idle timeout configured.
Note: After the specified time, a message prompts the user to continue or end the session. If there is no user action, Microsoft Edge resets after 30 seconds.
|Desktop apps||To allow windows desktop applications, specify the full path of the executable. Example: C:\Windows\System32\notepad.exe|
|Background apps||Some apps may depend on other apps to perform tasks in the background. For desktop apps, enter the full path of the apps that should be allowed to run on the background. For Modern apps, enter the AUMID. How to obtain AUMID?|
|Auto launch app||Configure an app which will automatically launch when a device starts or the user signs in.|
(Applicable only for Multi-App Kiosk)
|Select whether you want to show or hide the windows taskbar on the device.|
|File Explorer settings
(Applicable only for Multi-App Kiosk)
|Most of the kiosk devices are unattended and public facing. It is important to secure the data from the users accessing these devices. With File Explorer Settings, you can improve data security by preventing the users from accessing and exported files via removable devices. Select whether you want to allow users to access all the folders on the device or only specific folders.
i) Complete explorer restriction: Access to File Explorer is restricted completely.
ii) Allow access to download folder: Allowed to access only the download folder.
iii) Allow access to removable devices: Allowed to access only the removable devices like USB, hard disk etc.
iv) Allow access to download folder and removable devices: Allowed to access both download folder and removable devices.
v) Allow access to all folders: Allowed to access all the folders in the File Explorer without any restriction.
|Username to be displayed on the device login screen||Enter the username that should be displayed on the device login screen. By default, the username will be configured as 'Kiosk'.|
How to obtain AUMID?
- To obtain the App ID, download this PowerShell script and open Command Prompt as an Administrator, in the folder where you have downloaded the PowerShell script.
- Copy the following command and paste it in Command Prompt. Ensure you replace app-name, with the name of the app to be provisioned under Kiosk
- Once executed, the app name and the app ID is shown. The app ID is to be copied and used in MDM.
powershell -ExecutionPolicy ByPass -File aumid.ps1 <app-name>