Intune Kiosk Mode and Device Restrictions: Complete Guide - CyberSystem Blog

Kiosk mode and device restrictions in Microsoft Intune allow you to create locked-down device experiences for shared devices, dedicated devices, and scenarios requiring restricted functionality. These configurations are essential for frontline workers, public-facing devices, and specialized use cases.

Understanding Kiosk Mode

Kiosk mode in Intune configures devices to run one app or many apps in a restricted environment. Kiosk mode is ideal for shared devices, digital signage, point-of-sale systems, and dedicated-purpose devices where users should only access specific applications.

Kiosk Mode Types

Single-App Kiosk: Device runs only one application
Multi-App Kiosk: Device runs multiple specified applications
Shared PC Mode: Multi-user device with restricted features

For an overview, see Apply features and settings on your devices using device profiles in Microsoft Intune.

Windows Kiosk Configuration

Creating a Windows Kiosk Profile

Step 1: Access Kiosk Settings

Sign in to the Microsoft Intune admin center
Navigate to Devices > Manage devices > Configuration > Create
Select Windows 10 and later
Select Templates > Kiosk
Select Create

Step 2: Configure Basics

Name: Enter descriptive name
Description: Optional description
Select Next

Step 3: Select Kiosk Mode

Choose the kiosk mode type:

Not Configured: Kiosk mode disabled
Single app, full-screen kiosk:
- Device runs single app or browser
- User locked to that app
- Cannot access other features
Multi app kiosk:
- Device runs multiple specified apps
- Only selected apps available
- Customizable Start menu

Note: Windows 11 supports single-app kiosk only. For Windows 10, both single-app and multi-app kiosk are supported.

Step 4: Configure Kiosk Settings

For Single-App Kiosk:

Kiosk app type: Choose app type (Store app, Win32 app, browser)
Application: Select the app to run
Browser settings: Configure if using browser kiosk

For Multi-App Kiosk:

Kiosk apps: Add multiple apps
Start menu layout: Customize Start menu
Taskbar: Configure taskbar settings

Step 5: Assign and Deploy

Assign to device groups
Deploy the profile

For detailed guidance, see Windows and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune.

Android Kiosk Configuration

Android Enterprise Dedicated Devices

For Android Enterprise dedicated devices:

Single-App Kiosk

Create device restrictions profile
Set Enrollment profile type to Dedicated device
Set Kiosk mode to Single app
Assign the app to the device

Multi-App Kiosk

Install Microsoft Managed Home Screen (MHS) app
Create device restrictions profile
Set Kiosk mode to Multi-app
Configure MHS settings
Add apps to kiosk

For guidance, see Frontline worker for Android devices in Microsoft Intune.

iOS/iPadOS Kiosk Configuration

Guided Access and App Restrictions

Configure iOS/iPadOS kiosk using:

Guided Access: Built-in iOS feature
App restrictions: Restrict app usage
Single App Mode: Lock device to one app

For details, see device restrictions for iOS/iPadOS in Intune.

Device Restrictions

Windows Device Restrictions

Configure device restrictions to control device features:

Common Restrictions:

Block access to Settings app
Restrict app installation
Control browser features
Restrict hardware features
Control power and sleep options

Configuration:

Create device restrictions profile
Configure restriction categories
Assign to device groups

For Windows, see Device restrictions for Windows.

Android Device Restrictions

Common Restrictions:

Camera access
Screen capture
USB debugging
Factory reset
App installation sources

For Android Enterprise, see Device restrictions for Android Enterprise.

iOS/iPadOS Device Restrictions

Common Restrictions:

App installation
Camera access
Siri
App Store
Safari

For iOS/iPadOS, see Device restrictions for iOS/iPadOS.

Best Practices

1. Plan Kiosk Configuration

Identify use case (single-app vs. multi-app)
List required applications
Define user experience requirements
Plan for maintenance and updates

2. Test Thoroughly

Test kiosk configuration in isolated environment
Verify all required apps work correctly
Test user workflows
Validate restrictions

3. Configure Appropriate Restrictions

Balance security with functionality
Only restrict what's necessary
Document restrictions and rationale
Review restrictions regularly

4. Plan for Maintenance

Configure update policies
Plan for app updates
Consider remote management
Document maintenance procedures

5. Monitor and Adjust

Monitor kiosk device status
Gather user feedback
Adjust configuration as needed
Update restrictions based on requirements

Common Scenarios

Scenario 1: Digital Signage

Configuration:

Single-app kiosk
Browser or dedicated app
Auto-start on boot
No user interaction

Scenario 2: Point of Sale

Configuration:

Multi-app kiosk
POS application
Payment processing app
Restricted to essential apps only

Scenario 3: Shared Workstation

Configuration:

Shared PC mode
Multiple users
Restricted settings access
Auto-sign out after inactivity

For Windows scenarios, see Frontline worker for Windows devices in Microsoft Intune.

Additional Resources

Conclusion

Kiosk mode and device restrictions provide powerful capabilities for creating locked-down device experiences. By following these best practices:

✅ Plan kiosk configuration carefully
✅ Test thoroughly before deployment
✅ Configure appropriate restrictions
✅ Plan for maintenance and updates
✅ Monitor and adjust as needed

You can create secure, purpose-built device experiences for shared devices, dedicated devices, and specialized use cases while maintaining necessary functionality.

Remember: Kiosk mode locks devices to specific apps or experiences. Always test configurations thoroughly and ensure all required functionality is available before deploying to production devices.