SOLVED
Home

Android device password not applying in Kiosk mode

%3CLINGO-SUB%20id%3D%22lingo-sub-293202%22%20slang%3D%22en-US%22%3EAndroid%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-293202%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20everyone%2C%3C%2FP%3E%3CP%3EI'm%20not%20sure%20if%20I'm%20missing%20something%20here%20and%20please%20correct%20me%20if%20what%20I'm%20doing%20is%20not%20possible%20or%20by%20design.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20setting%20up%20an%20Android%20tablet%20for%20single%20application%20use%20in%20Kiosk%20mode.%26nbsp%3B%20I'm%20using%20a%20QR%20code%20to%20enrol%20the%20device%20and%20get%20it%20configured.%26nbsp%3B%20%26nbsp%3BEverything%20is%20working%20perfectly%20*except*%20no%20device%20password%20is%20being%20applied%20and%20I%20can%20specifically%20see%20the%20password%20policies%20failing%20to%20apply.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20667px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F61053i7AC8F11B18AFDFE3%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Annotation%202018-11-30%20152106.jpg%22%20title%3D%22Annotation%202018-11-30%20152106.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20configured%20the%20device%20password%20in%20the%20same%20policy%20that%20deploys%20the%20single%20use%20app.%26nbsp%3B%20So...%20Device%20Configuration%20-%26gt%3B%20Profiles%20-%26gt%3B%20Platform%20%3D%20Android%20Enterprise%2C%20Profile%20Type%20%3D%20Device%20Restrictions%20(Device%20Owner).%26nbsp%3B%20I've%20enforced%20to%20at%20least%20use%20a%20numeric%20pin%2C%20minimum%20lenght%20%3D%204%2C%26nbsp%3B%20Keyguard%20%3D%20Not%20configured.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20question%20ultimately%20is%20.....%20is%20it%20possible%20to%20configure%20a%20device%2Fscreen%20lock%20password%2Fpin%20on%20a%20kiosk%20device%3F%26nbsp%3B%20My%20use%20case%20here%20is%20the%20device%20is%20for%20single%20app%20use%2C%20by%20a%20trusted%20person.%26nbsp%3B%20The%20person%20will%20know%20the%20pin%20to%20unlock%20the%20device%2C%20but%20the%20device%20does%20not%20have%20any%20other%20purpose%20than%20running%20this%20one%20application%2C%20and%20the%20device%20should%20not%20be%20used%20for%20anything%20else%20other%20than%20running%20this%20one%20application.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20see%20all%20the%20settings%20I've%20configured%20applying%20successfully%2C%20except%20the%20device%20password%20ones.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20advise%20on%20if%20this%20is%20possible%20and%20if%20so%2C%20where%20I%20can%20start%20troubleshooting%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-293202%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAndroid%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Edevice%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ekiosk%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Elock%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Elock%20screen%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Epassword%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-358880%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-358880%22%20slang%3D%22en-US%22%3EIt's%20a%20real%20Kiosk%20mode%20device.%20%3A)%3C%2Fimg%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-294464%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-294464%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20very%20much%20for%20replying%20Shuchi.%26nbsp%3B%20This%20is%20good%20to%20know.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-294064%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-294064%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20by%20design%20in%20Android%20Enterprise%20-%20Dedicated%20Devices%20(Kiosk)%20mode.%26nbsp%3B%20You%20can%20configure%20the%20PIN%2Fpassword%20via%20compliance%20or%20configuration%20policy%20but%20it%20doesn't%20get%20enforced%20as%20there%20is%20no%20Company%20Portal%20on%20the%20device%20in%20this%20scenario.%20The%20solution%20is%20to%20include%20in%20your%20documentation%20and%20processes%20that%20the%20owner%2Ftechnician%20sets%20up%20a%20PIN%20after%20device%20is%20setup.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-792734%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-792734%22%20slang%3D%22en-US%22%3EGood%20morning%2C%3CBR%20%2F%3E%3CBR%20%2F%3EI'm%20experiencing%20the%20same%20issue%20on%20fully%20managed%20corporate%20devices%2C%20can%20you%20confirm%20if%20it's%20possible%20to%20force%20a%20PIN%20on%20these%20devices%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-805781%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-805781%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F388479%22%20target%3D%22_blank%22%3E%40Durrante%3C%2FA%3E%26nbsp%3BI%20would%20expect%20it%20to%20work%20in%20that%20scenario.%20Forcing%20a%20PIN%20complexity%20is%20a%20very%20big%20deal%20for%20user%20assigned%20devices.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-806552%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-806552%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66779%22%20target%3D%22_blank%22%3E%40Noel%20Fairclough%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20use%20a%203rd%20party%20app%20to%20set%20a%20PIN%2C%20the%20policies%20to%20indeed%20get%20enforced%20-%20you%20just%20need%20to%20get%20the%20initial%20PIN%20there.%3C%2FP%3E%3CP%3EWe%20wrote%20our%20own%20little%20app%20to%20do%20this%20function%20and%20is%20pushed%20down%20to%20the%20clients%20as%20part%20of%20the%20profile.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-806578%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-806578%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102423%22%20target%3D%22_blank%22%3E%40Brett%20James%3C%2FA%3E%26nbsp%3B%2C%20so%20there's%20no%20way%20of%20setting%20a%20pin%20requirement%20via%20Intune%20natively%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-927267%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-927267%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66779%22%20target%3D%22_blank%22%3E%40Noel%20Fairclough%3C%2FA%3EAnd%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F104003%22%20target%3D%22_blank%22%3E%40microsoft%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20in%20a%20%22worst%20case%20scenario%22%20with%20passcode%20forcing%3A%3C%2FP%3E%3CUL%3E%3CLI%3EI%20have%20enrolled%20an%20android%20device%20in%20Kiosk%20mode%20using%20QR%20code%20(so%20100%25%20corporate%20with%20no%20user%20associated).%3C%2FLI%3E%3CLI%3EAfter%20testing%20around%20the%20kiosk%20mode%20(which%20I'm%20very%20happy%20with%20by%20the%20way)%20I've%20tried%20around%20passlocking%20the%20device.%3C%2FLI%3E%3CLI%3E%26nbsp%3BI've%20sent%20a%20%22reset%20passcode%22%20action%20from%20the%20intune%20portal%20.%20Quite%20happy%20this%20applied%20almost%20immediatly%20after%20showing%20a%20message%20around%20the%20lines%20of%20%3A%20%22this%20will%20reset%20passcode%20on%20the%20device%2C%20it%20will%20appear%20here%20(I%20supposed%20the%20screen%20from%20where%20the%20passcode%20is%20reseted)%20for%20the%20next%207%20days%22%3C%2FLI%3E%3CLI%3EI%20still%20haven't%20found%20the%20passcode%20from%20the%20screen.%20Have%20also%20tried%20looking%20into%20getting%20that%20from%20the%20company%20portal%20as%20indicated%20on%20some%20microsoft%20documentation%2C%20impossible%20to%20access%20(using%20tenant%20global%20admin%20or%20simple%20user)%20so%20stuck%20with%20not%20knowing%20temporary%20passcode%3C%2FLI%3E%3CLI%3EFinally%20I%20had%20a%20(not%20at%20all)%20brilliant%20idea%3A%20wipe%20the%20device.%20Just%20to%20realise%20that%20the%20passcode%20that%20was%20enforced%20by%20intune%20is%20set%20before%20Android%20even%20launches%2C%20which%20prevent%20any%20%22wiping%22%20from%20happening%2C%20apparently%20needs%20android%20to%20have%20started%20first...%3C%2FLI%3E%3C%2FUL%3E%3CP%3EQuite%20a%20few%20lessons%20learned%20there%2C%20but%20no%20way%20to%20get%20my%20device%20back%20for%20know%20while%20I%20have%20global%20admin%20on%20our%20tenant....%20Any%20help%20welcomed.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Noel Fairclough
Contributor

Hi everyone,

I'm not sure if I'm missing something here and please correct me if what I'm doing is not possible or by design.  

 

I'm setting up an Android tablet for single application use in Kiosk mode.  I'm using a QR code to enrol the device and get it configured.   Everything is working perfectly *except* no device password is being applied and I can specifically see the password policies failing to apply.  

Annotation 2018-11-30 152106.jpg

 

I've configured the device password in the same policy that deploys the single use app.  So... Device Configuration -> Profiles -> Platform = Android Enterprise, Profile Type = Device Restrictions (Device Owner).  I've enforced to at least use a numeric pin, minimum lenght = 4,  Keyguard = Not configured.

 

 

My question ultimately is ..... is it possible to configure a device/screen lock password/pin on a kiosk device?  My use case here is the device is for single app use, by a trusted person.  The person will know the pin to unlock the device, but the device does not have any other purpose than running this one application, and the device should not be used for anything else other than running this one application.

 

I can see all the settings I've configured applying successfully, except the device password ones.  

 

Any advise on if this is possible and if so, where I can start troubleshooting?  

 

 

 

8 Replies
Solution

This is by design in Android Enterprise - Dedicated Devices (Kiosk) mode.  You can configure the PIN/password via compliance or configuration policy but it doesn't get enforced as there is no Company Portal on the device in this scenario. The solution is to include in your documentation and processes that the owner/technician sets up a PIN after device is setup.

Thank you very much for replying Shuchi.  This is good to know.  

It's a real Kiosk mode device. :)
Good morning,

I'm experiencing the same issue on fully managed corporate devices, can you confirm if it's possible to force a PIN on these devices?

@Durrante I would expect it to work in that scenario. Forcing a PIN complexity is a very big deal for user assigned devices.

@Noel Fairclough 

If you use a 3rd party app to set a PIN, the policies to indeed get enforced - you just need to get the initial PIN there.

We wrote our own little app to do this function and is pushed down to the clients as part of the profile.

@Brett James , so there's no way of setting a pin requirement via Intune natively?

@Noel FaircloughAnd @microsoft 

I am in a "worst case scenario" with passcode forcing:

  • I have enrolled an android device in Kiosk mode using QR code (so 100% corporate with no user associated).
  • After testing around the kiosk mode (which I'm very happy with by the way) I've tried around passlocking the device.
  •  I've sent a "reset passcode" action from the intune portal . Quite happy this applied almost immediatly after showing a message around the lines of : "this will reset passcode on the device, it will appear here (I supposed the screen from where the passcode is reseted) for the next 7 days"
  • I still haven't found the passcode from the screen. Have also tried looking into getting that from the company portal as indicated on some microsoft documentation, impossible to access (using tenant global admin or simple user) so stuck with not knowing temporary passcode
  • Finally I had a (not at all) brilliant idea: wipe the device. Just to realise that the passcode that was enforced by intune is set before Android even launches, which prevent any "wiping" from happening, apparently needs android to have started first...

Quite a few lessons learned there, but no way to get my device back for know while I have global admin on our tenant.... Any help welcomed.

Related Conversations
Extentions Synchronization
Deleted in Discussions on
3 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
36 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
9 Replies