This post provides an introduction to using Kiosk Mode with Chromebooks inside G Suite.
There’s a lot of information out there regarding Kiosk Mode but I’ve always found it to be pretty confusing subject so I've tried to distil it down to the fundamentals, or at least stuff I understand.
For the complete newbie, Kiosk Mode is the ability for the Chromebook to present a session without the user having to present any user credentials. It’s a feature that's used in schools to support digital signage and testing environments. The G Suite admin console calls these anonymous ‘logons’ Public Sessions.
So taking into account Public Sessions, there are three policy sets you can use to manage a Chromebook.
Two important points emerge from this;
A Chromebook can load with either with a Public Session or a standard User Policy. The selection is controlled by the Device policy.
The Public Session is defined in the same OU as the Device Policy. The simplest way of thinking about this is that every Device Policy has a Public Policy but it’s normally turned OFF. However if it’s turned ON the Chromebook doesn’t present the normal user logon but falls back to the Public session instead.
Where do I turn on the Public Session ?
In the Chrome Device Policy there is a section called Kiosk Settings.
The setting above allows you to turn on the Public Session. Once enabled the Chromebook will no longer attempt to load a User session but will default to a Public Session instead.
Where are the policies for the Public Session defined and stored?
The Manage Public Session settings link shown above opens the Public Policy for the current OU. You can navigate to the same place by going to Chrome Management, select Public Session Settings and the move to the same OU that contains the Chromebook. This is useful because it emphasizes the point that every part of the tree has a Public Session in the same way it has a User and Device policy and the settings are inherited in the same way.
What are the other controls ?
By default a Public Session will present a landing screen displaying the name of the public session and an Avatar. Authentication is not required so you simply click through the screen.
This policy gives you the option to move through the landing page without clicking (Auto-Launch). In this case the Chrome device will boot and move directly into the public session. Alternatively it’s possible to set a timer to display the landing page for a fixed period before moving on.
What are Kiosk Apps and how to they relate to Public Sessions?
Kiosk Apps provide the ability to replace the Public Session with a single task window.
This is a really useful feature for testing environments, public facing devices and digital signage. Kiosk Apps are downloaded from the Chrome Store just like any other app. Because they have to be suited to this specialised role they are marked for this purpose by the developer. For this reason not all apps in the Chrome Store can be used as Kiosk Apps.
How do you use a Kiosk App?
Using Kiosk Apps is pretty simple. First select a Kiosk App by selecting “Manage Kiosk Applications” We’ll use the Citrix Receiver for this purpose.
Only apps that are marked for Kiosk mode will turn up in this search which is why some of the common apps appear to be missing.
Once the App is selected and the config saved you have the option of selecting which Kiosk App to launch on start. In this context you can only select one app but you can have multiple apps in the list which is a useful feature that we’ll examine later.
If you restart the Chromebook you'll notice that it no longer displays the Public session landing page but opens the Kiosk App in full screen mode. Once fully loaded there’s no way of breaking out of the session short of turning off the Chromebook or signing out. However for a few seconds prior to the app loading it’s possible to drop back into the Public session by pressing Ctrl-Alt-S. This is a useful for tool for troubleshooting if things aren’t working quite how you expected.
One point to note is that if you plan to use a Kiosk App, the setting for Auto-Launch Public Session must be set to NO. Clearly these two features are mutually exclusive - you can either auto-load a Kiosk App or a Public Session.. but not both at the same time because that doesn't make any sense.
As mentioned earlier when you open “Manage Kiosk Applications” option you have the ability to create a list of Kiosk Apps but only one can be used to auto-start a session. However if you plan to Allow Public Sessions and not Auto-Launch the session or the App this list can come in useful.
Once you have defined at least one Kiosk App you will notice that the list is displayed on the load screen as an icon in the bottom left.
This allows you select and start Kiosk Apps to from the Landing Screen which is handy if you have an examination suite and have to support different testing apps. Setting up the devices is as easy as moving round the room and selecting the correct app from the list. Another use-case for this mode is to allow secure access to applications such a Scratch jr for younger year pupils without requiring a logon.
After the Device policy has been amended the list of apps gets updated pretty quickly and does not require a reboot of the device.
What's different in a Public Session policy?
In many respects a Public Session policy is much the same a standard user policy but with a couple of extra features.
First, you can give the session a name which is visible on the landing page. The session can also be time limited which is useful for public facing machines or device located in common areas that you don’t want monopolised for long periods. Leaving this blank or setting to 0 gives you unlimited sessions.
There’s also the ability to present a terms of service banner (ToS) as the session loads. The banner will be displayed in all situations including auto-load of a Kiosk app and can be a useful way of providing pre-test information.
Lastly, don’t forget to spend some time setting up the wallpaper and the Avatar for the Public Session policy. It will allow you to create a nice branding message for your devices.
Last Words.
There’s a lot of information out there regarding Kiosk Mode but I’ve always found it to be pretty confusing subject so I've tried to distil it down to the fundamentals, or at least stuff I understand.
For the complete newbie, Kiosk Mode is the ability for the Chromebook to present a session without the user having to present any user credentials. It’s a feature that's used in schools to support digital signage and testing environments. The G Suite admin console calls these anonymous ‘logons’ Public Sessions.
So taking into account Public Sessions, there are three policy sets you can use to manage a Chromebook.
- Device Policy - Settings that control the action and security of the device prior to the user logon.
- User Policy - Settings that control the environment of an authenticated user session after logon.
- Public Sessions - Settings that relate to an anonymous user session. In some respects a public session is much like a standard user session and is subject to many of the same policies, it’s just that the user not prompted for any credentials before starting the session.
Two important points emerge from this;
A Chromebook can load with either with a Public Session or a standard User Policy. The selection is controlled by the Device policy.
The Public Session is defined in the same OU as the Device Policy. The simplest way of thinking about this is that every Device Policy has a Public Policy but it’s normally turned OFF. However if it’s turned ON the Chromebook doesn’t present the normal user logon but falls back to the Public session instead.
 |
| Build your dream Kiosk. |
Where do I turn on the Public Session ?
In the Chrome Device Policy there is a section called Kiosk Settings.
The setting above allows you to turn on the Public Session. Once enabled the Chromebook will no longer attempt to load a User session but will default to a Public Session instead.
Where are the policies for the Public Session defined and stored?
The Manage Public Session settings link shown above opens the Public Policy for the current OU. You can navigate to the same place by going to Chrome Management, select Public Session Settings and the move to the same OU that contains the Chromebook. This is useful because it emphasizes the point that every part of the tree has a Public Session in the same way it has a User and Device policy and the settings are inherited in the same way.
What are the other controls ?
By default a Public Session will present a landing screen displaying the name of the public session and an Avatar. Authentication is not required so you simply click through the screen.
This policy gives you the option to move through the landing page without clicking (Auto-Launch). In this case the Chrome device will boot and move directly into the public session. Alternatively it’s possible to set a timer to display the landing page for a fixed period before moving on.
What are Kiosk Apps and how to they relate to Public Sessions?
Kiosk Apps provide the ability to replace the Public Session with a single task window.
This is a really useful feature for testing environments, public facing devices and digital signage. Kiosk Apps are downloaded from the Chrome Store just like any other app. Because they have to be suited to this specialised role they are marked for this purpose by the developer. For this reason not all apps in the Chrome Store can be used as Kiosk Apps.
How do you use a Kiosk App?
Using Kiosk Apps is pretty simple. First select a Kiosk App by selecting “Manage Kiosk Applications” We’ll use the Citrix Receiver for this purpose.
Only apps that are marked for Kiosk mode will turn up in this search which is why some of the common apps appear to be missing.
Once the App is selected and the config saved you have the option of selecting which Kiosk App to launch on start. In this context you can only select one app but you can have multiple apps in the list which is a useful feature that we’ll examine later.
If you restart the Chromebook you'll notice that it no longer displays the Public session landing page but opens the Kiosk App in full screen mode. Once fully loaded there’s no way of breaking out of the session short of turning off the Chromebook or signing out. However for a few seconds prior to the app loading it’s possible to drop back into the Public session by pressing Ctrl-Alt-S. This is a useful for tool for troubleshooting if things aren’t working quite how you expected.
One point to note is that if you plan to use a Kiosk App, the setting for Auto-Launch Public Session must be set to NO. Clearly these two features are mutually exclusive - you can either auto-load a Kiosk App or a Public Session.. but not both at the same time because that doesn't make any sense.
As mentioned earlier when you open “Manage Kiosk Applications” option you have the ability to create a list of Kiosk Apps but only one can be used to auto-start a session. However if you plan to Allow Public Sessions and not Auto-Launch the session or the App this list can come in useful.
Once you have defined at least one Kiosk App you will notice that the list is displayed on the load screen as an icon in the bottom left.
This allows you select and start Kiosk Apps to from the Landing Screen which is handy if you have an examination suite and have to support different testing apps. Setting up the devices is as easy as moving round the room and selecting the correct app from the list. Another use-case for this mode is to allow secure access to applications such a Scratch jr for younger year pupils without requiring a logon.
After the Device policy has been amended the list of apps gets updated pretty quickly and does not require a reboot of the device.
What's different in a Public Session policy?
In many respects a Public Session policy is much the same a standard user policy but with a couple of extra features.
First, you can give the session a name which is visible on the landing page. The session can also be time limited which is useful for public facing machines or device located in common areas that you don’t want monopolised for long periods. Leaving this blank or setting to 0 gives you unlimited sessions.
There’s also the ability to present a terms of service banner (ToS) as the session loads. The banner will be displayed in all situations including auto-load of a Kiosk app and can be a useful way of providing pre-test information.
Lastly, don’t forget to spend some time setting up the wallpaper and the Avatar for the Public Session policy. It will allow you to create a nice branding message for your devices.
Last Words.
- Every Device policy has a corresponding Public User Session. When you turn it on it displays an anonymous landing page rather than prompting for a user logon.
- The Public Session Policy can move through to an anonymous user session or launch a full screen application (Kiosk App).
- Although you can only define a single kiosk app to auto-start the full list of apps is visible from the App icon on a Public User Session landing screen.
No comments:
Post a Comment