What is Android Kiosk Custom Launcher?

It replaces the device's home screen with a custom launcher, restricting access to only apps installed through the device policy. Apps are displayed alphabetically on a single page.

What is Android Single App Kiosk Mode?

It locks the device to a single app, automatically installing it and setting it as the preferred home intent. Users cannot remove the app, and the status bar is disabled.

What is the purpose of Network Escape Hatch?

Network Escape Hatch prompts the user to temporarily connect to a network to refresh the device policy if a network connection can’t be made at boot time.

How do I configure Web App Kiosk Mode?

Configure Single App Kiosk Mode and set Google Chrome to FORCE_INSTALLED. Use URL allow/block lists in Chrome's managed configuration to control accessible websites.

How do I allow users to install apps from unknown sources?

Set the 'Untrusted Apps Policy' to 'ALLOW_INSTALL_DEVICE_WIDE' within the 'Advanced Security Overwrites' section of the policy.

What is the difference between 'Allow Install from Unknown Sources' and 'Allow to install unknown apps'?

'Allow Install from Unknown Sources' enables installing apps from outside the Google Play Store. 'Allow to install unknown apps' grants specific apps permission to install other apps.

How do I configure WiFi settings remotely on Android devices?

Use the 'NetworkConfigurations' property with the ONC standard. Specify the network's GUID, Name, Type (WiFi), SSID, Security, and AutoConnect settings.

What are the required fields for WiFi configuration using Open Network Configuration?

The required fields include GUID (unique identifier), Name (friendly name), Type (WiFi), SSID, Security (e.g., WPA-PSK), and AutoConnect (true/false).

Common Policy Configurations

As you probably already know, the possibilities of the Android Device Management Policies configuration are endless. Below you will find a repository of the most common configurations our users use to configure their projects.

Kiosk Custom Launcher

Replaces the home screen with a launcher that locks down the Device to the Apps installed via the applications setting. Apps appear on a single page in alphabetical order.

Kiosk Custom Launcher Enabled = true.
Kiosk Customization (optional): There are many options available that you can use to customize the Custom Kiosk mode behavior.

Tip

We recommend enabling Network Escape Hatch (networkEscapeHatchEnabled: true), as it allows users to temporarily connect to a network if the Device cannot establish connectivity at boot time, ensuring that Device Policies can be properly refreshed.

{
  "config": {
    "applications": [...],
    "networkEscapeHatchEnabled": true,
    "kioskCustomization": {
      "deviceSettings": "SETTINGS_ACCESS_ALLOWED"
    }
  }
}

Single App kiosk mode

The App is automatically installed in kiosk mode: it’s set as the preferred home intent and whitelisted for lock task mode. Device setup won’t be complete until the App is installed. After installation, users won’t be able to remove the App. You can only set this Install Type for one App per policy. When this is present in the Policy, the status bar will be automatically disabled.

App configuration:
- Install type: KIOSK.
Policy configuration (optional).

Persistent Preferred Activities:

Receiver Activity: name of your receiver activity i.e.:com.applivery.kiosk.demo001/.AppliveryDeviceAdminReceiver
Categories: i.e.
android.intent.category.LAUNCHER.
android.intent.category.HOME.
android.intent.category.DEFAULT.
Actions: i.e.: android.intent.action.MAIN.

Tip

We recommend enabling Network Escape Hatch (networkEscapeHatchEnabled: true), as it allows users to temporarily connect to a network if the Device cannot establish connectivity at boot time, ensuring that Device Policies can be properly refreshed.

{
  "config":{
    "applications":[
      {
        "packageName":"com.applivery.kiosk.demo001",
        "installType":"KIOSK",
        "defaultPermissionPolicy":"GRANT",
        "permissionGrants":[
          {
            "permission":"android.permission.BIND_DEVICE_ADMIN",
            "policy":"GRANT"
          }
        ]
      }
    ],
    "persistentPreferredActivities":[
      {
        "receiverActivity":"com.applivery.kiosk.demo001/.AppliveryDeviceAdminReceiver",
        "actions":[
          "android.intent.action.MAIN"
        ],
        "categories":[
          "android.intent.category.LAUNCHER",
          "android.intent.category.HOME",
          "android.intent.category.DEFAULT"
        ]
      }
    ],
    "networkEscapeHatchEnabled":true
  }
}

Web App kiosk mode

You can also use Google Chrome in kiosk mode to display a specific URL as a single app, achieving the desired behavior on your dedicated device.

To set up this configuration, follow the steps outlined in the Single App Kiosk Mode section above, which involves configuring both the Persistent Preferred Activities setting and the Network Escape Hatch.

Web app configuration:
- Install type: KIOSK.
Google Chrome configuration:
- Install type: FORCE_INSTALLED.
- Managed configuration:
  
  URL allow list:["allowed URL"].
  
  URL block list:["*"].

Note

Multiple web Apps are allowed, separated by commas, i.e: ["allowed URL1", "allowed URL2"]

{
  "applications": [
    {
      "packageName": "com.google.enterprise.webapp.xbf6a96eb033caa10",
      "installType": "KIOSK",
      "defaultPermissionPolicy": "GRANT"
    },
    {
      "packageName": "com.android.chrome",
      "installType": "FORCE_INSTALLED",
      "defaultPermissionPolicy": "GRANT",
      "managedConfiguration": {
        "URLAllowlist": "["applivery.com/docs/"]",
        "URLBlocklist": "["*"]"
      }
    }
  ],
  "persistentPreferredActivities": [
    {
      "receiverActivity": "com.android.chrome/com.google.android.apps.chrome.Main",
      "actions": [
        "android.intent.action.MAIN"
      ],
      "categories": [
        "android.intent.category.HOME",
        "android.intent.category.DEFAULT"
      ]
    }
  ],
  "networkEscapeHatchEnabled": true,
  "kioskCustomization": {
    "systemNavigation": "NAVIGATION_DISABLED"
  }
}

Allow install from Unknown Sources

Sometimes you will need to allow your users to install Apps (.apk or .aab files) from 3rd parties or your Private App Store in Applivery MAM. This is normally blocked by default in all Policies, so you will need to customize the following policy property to make it possible:

Advanced Security Overrides:
- Untrusted Apps Policy = ALLOW_INSTALL_DEVICE_WIDE.
Play Store Mode = BLACKLIST.

{
  "config": {
    "applications": [...],
    "advancedSecurityOverrides": {
      "untrustedAppsPolicy": "ALLOW_INSTALL_DEVICE_WIDE"
    }
    "playStoreMode: "BLACKLIST"
  }
}

Allow to install unknown Apps

Sometimes you will need to allow users to grant specific Apps permission to install other Apps (.apk files) on their Device. This is different from the Unknown Sources setting, which allows the installation of Apps from sources other than the Google Play Store.

This feature provides more granular control over which Apps can install other Apps on your Android device. It is often used for Apps like file managers or web browsers that may need to download and install .apk files.

Warning

Remember that allowing Apps to install unknown Apps can pose a security risk, opening the door for potentially harmful or unverified Apps to be installed on your Device.

{
  "advancedSecurityOverrides": {
    "untrustedAppsPolicy": "ALLOW_INSTALL_DEVICE_WIDE",
    "developerSettings": "DEVELOPER_SETTINGS_ALLOWED"
  }
}

Network configuration

Sometimes you will need to remotely deploy network configuration, including Wi-Fi and others. This is something that can be done by using the Open Network Configuration property, which supports deploying multiple configurations at the same time using the ONC standard.

The most common properties are:

GUID: unique identifier for this network.
Name: friendly network name.
Type: type of network. Allowed values are: VPN, WiFi, Tether, Ethernet, Cellular.
Security: Security type. Allowed values are: WEP-PSK, WEP-8021X, WPA-PSK, WPA-EAP.
AutoConnect: Indicating that the network should be connected to automatically when possible true or false.

{
  "NetworkConfigurations": [{
    "GUID": "a",
    "Name": "Example A",
    "Type": "WiFi",
    "WiFi": {
      "SSID": "Example A",
      "Security": "None",
      "AutoConnect": true
    }
  }, {
    "GUID": "b",
    "Name": "Example B",
    "Type": "WiFi",
    "WiFi": {
      "SSID": "Example B",
      "Security": "WEP-PSK",
      "Passphrase": "1234567890"
    }
  }, {
    "GUID": "c",
    "Name": "Example C",
    "Type": "WiFi",
    "WiFi": {
      "SSID": "Example C",
      "Security": "WPA-PSK",
      "Passphrase": "baseball"
    }
  }]
}

You can read more about Open Network Configuration specs here.

Key Takeaways

Android Device Management policies can be configured using JSON.

Kiosk mode can be customized for various use cases (custom launcher, single app, web app).

Network Escape Hatch is recommended for Kiosk mode configurations.

Administrators can control application installation sources and permissions.

Network configurations can be deployed remotely using the ONC standard.