SOLVED

Android device password not applying in Kiosk mode

%3CLINGO-SUB%20id%3D%22lingo-sub-293202%22%20slang%3D%22en-US%22%3EAndroid%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-293202%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20everyone%2C%3C%2FP%3E%3CP%3EI'm%20not%20sure%20if%20I'm%20missing%20something%20here%20and%20please%20correct%20me%20if%20what%20I'm%20doing%20is%20not%20possible%20or%20by%20design.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20setting%20up%20an%20Android%20tablet%20for%20single%20application%20use%20in%20Kiosk%20mode.%26nbsp%3B%20I'm%20using%20a%20QR%20code%20to%20enrol%20the%20device%20and%20get%20it%20configured.%26nbsp%3B%20%26nbsp%3BEverything%20is%20working%20perfectly%20*except*%20no%20device%20password%20is%20being%20applied%20and%20I%20can%20specifically%20see%20the%20password%20policies%20failing%20to%20apply.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20667px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F61053i7AC8F11B18AFDFE3%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Annotation%202018-11-30%20152106.jpg%22%20title%3D%22Annotation%202018-11-30%20152106.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20configured%20the%20device%20password%20in%20the%20same%20policy%20that%20deploys%20the%20single%20use%20app.%26nbsp%3B%20So...%20Device%20Configuration%20-%26gt%3B%20Profiles%20-%26gt%3B%20Platform%20%3D%20Android%20Enterprise%2C%20Profile%20Type%20%3D%20Device%20Restrictions%20(Device%20Owner).%26nbsp%3B%20I've%20enforced%20to%20at%20least%20use%20a%20numeric%20pin%2C%20minimum%20lenght%20%3D%204%2C%26nbsp%3B%20Keyguard%20%3D%20Not%20configured.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20question%20ultimately%20is%20.....%20is%20it%20possible%20to%20configure%20a%20device%2Fscreen%20lock%20password%2Fpin%20on%20a%20kiosk%20device%3F%26nbsp%3B%20My%20use%20case%20here%20is%20the%20device%20is%20for%20single%20app%20use%2C%20by%20a%20trusted%20person.%26nbsp%3B%20The%20person%20will%20know%20the%20pin%20to%20unlock%20the%20device%2C%20but%20the%20device%20does%20not%20have%20any%20other%20purpose%20than%20running%20this%20one%20application%2C%20and%20the%20device%20should%20not%20be%20used%20for%20anything%20else%20other%20than%20running%20this%20one%20application.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20see%20all%20the%20settings%20I've%20configured%20applying%20successfully%2C%20except%20the%20device%20password%20ones.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20advise%20on%20if%20this%20is%20possible%20and%20if%20so%2C%20where%20I%20can%20start%20troubleshooting%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-293202%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAndroid%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Edevice%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ekiosk%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Elock%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Elock%20screen%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Epassword%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-358880%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-358880%22%20slang%3D%22en-US%22%3EIt's%20a%20real%20Kiosk%20mode%20device.%20%3A)%3C%2Fimg%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-294464%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-294464%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20very%20much%20for%20replying%20Shuchi.%26nbsp%3B%20This%20is%20good%20to%20know.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-294064%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-294064%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20by%20design%20in%20Android%20Enterprise%20-%20Dedicated%20Devices%20(Kiosk)%20mode.%26nbsp%3B%20You%20can%20configure%20the%20PIN%2Fpassword%20via%20compliance%20or%20configuration%20policy%20but%20it%20doesn't%20get%20enforced%20as%20there%20is%20no%20Company%20Portal%20on%20the%20device%20in%20this%20scenario.%20The%20solution%20is%20to%20include%20in%20your%20documentation%20and%20processes%20that%20the%20owner%2Ftechnician%20sets%20up%20a%20PIN%20after%20device%20is%20setup.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-792734%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-792734%22%20slang%3D%22en-US%22%3EGood%20morning%2C%3CBR%20%2F%3E%3CBR%20%2F%3EI'm%20experiencing%20the%20same%20issue%20on%20fully%20managed%20corporate%20devices%2C%20can%20you%20confirm%20if%20it's%20possible%20to%20force%20a%20PIN%20on%20these%20devices%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-805781%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-805781%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F388479%22%20target%3D%22_blank%22%3E%40Durrante%3C%2FA%3E%26nbsp%3BI%20would%20expect%20it%20to%20work%20in%20that%20scenario.%20Forcing%20a%20PIN%20complexity%20is%20a%20very%20big%20deal%20for%20user%20assigned%20devices.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-806552%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-806552%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66779%22%20target%3D%22_blank%22%3E%40Noel%20Fairclough%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20use%20a%203rd%20party%20app%20to%20set%20a%20PIN%2C%20the%20policies%20to%20indeed%20get%20enforced%20-%20you%20just%20need%20to%20get%20the%20initial%20PIN%20there.%3C%2FP%3E%3CP%3EWe%20wrote%20our%20own%20little%20app%20to%20do%20this%20function%20and%20is%20pushed%20down%20to%20the%20clients%20as%20part%20of%20the%20profile.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-806578%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-806578%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102423%22%20target%3D%22_blank%22%3E%40Brett%20James%3C%2FA%3E%26nbsp%3B%2C%20so%20there's%20no%20way%20of%20setting%20a%20pin%20requirement%20via%20Intune%20natively%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-927267%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-927267%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66779%22%20target%3D%22_blank%22%3E%40Noel%20Fairclough%3C%2FA%3EAnd%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F104003%22%20target%3D%22_blank%22%3E%40microsoft%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20in%20a%20%22worst%20case%20scenario%22%20with%20passcode%20forcing%3A%3C%2FP%3E%3CUL%3E%3CLI%3EI%20have%20enrolled%20an%20android%20device%20in%20Kiosk%20mode%20using%20QR%20code%20(so%20100%25%20corporate%20with%20no%20user%20associated).%3C%2FLI%3E%3CLI%3EAfter%20testing%20around%20the%20kiosk%20mode%20(which%20I'm%20very%20happy%20with%20by%20the%20way)%20I've%20tried%20around%20passlocking%20the%20device.%3C%2FLI%3E%3CLI%3E%26nbsp%3BI've%20sent%20a%20%22reset%20passcode%22%20action%20from%20the%20intune%20portal%20.%20Quite%20happy%20this%20applied%20almost%20immediatly%20after%20showing%20a%20message%20around%20the%20lines%20of%20%3A%20%22this%20will%20reset%20passcode%20on%20the%20device%2C%20it%20will%20appear%20here%20(I%20supposed%20the%20screen%20from%20where%20the%20passcode%20is%20reseted)%20for%20the%20next%207%20days%22%3C%2FLI%3E%3CLI%3EI%20still%20haven't%20found%20the%20passcode%20from%20the%20screen.%20Have%20also%20tried%20looking%20into%20getting%20that%20from%20the%20company%20portal%20as%20indicated%20on%20some%20microsoft%20documentation%2C%20impossible%20to%20access%20(using%20tenant%20global%20admin%20or%20simple%20user)%20so%20stuck%20with%20not%20knowing%20temporary%20passcode%3C%2FLI%3E%3CLI%3EFinally%20I%20had%20a%20(not%20at%20all)%20brilliant%20idea%3A%20wipe%20the%20device.%20Just%20to%20realise%20that%20the%20passcode%20that%20was%20enforced%20by%20intune%20is%20set%20before%20Android%20even%20launches%2C%20which%20prevent%20any%20%22wiping%22%20from%20happening%2C%20apparently%20needs%20android%20to%20have%20started%20first...%3C%2FLI%3E%3C%2FUL%3E%3CP%3EQuite%20a%20few%20lessons%20learned%20there%2C%20but%20no%20way%20to%20get%20my%20device%20back%20for%20know%20while%20I%20have%20global%20admin%20on%20our%20tenant....%20Any%20help%20welcomed.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1539849%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1539849%22%20slang%3D%22en-US%22%3EWith%20you%20app%20can%20you%20set%20the%20passcode%20via%20an%20application%20config%3F%20Also%20is%20it%20possible%20to%20change%20the%20pin%20like%20the%20native%20reset%20passcode%20command%20but%20specify%20it%20to%20what%20you%20want%3F%20You%20mentioned%20some%20third%20party%20apps%20any%20that%20you%20can%20recommend%3F%20Cheers%20%3Athumbs_up%3A%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1539854%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1539854%22%20slang%3D%22en-US%22%3E%40BrettJames%20with%20you%20app%20can%20you%20set%20the%20passcode%20via%20an%20application%20config%3F%20Also%20is%20it%20possible%20to%20change%20the%20pin%20like%20the%20native%20reset%20passcode%20command%20but%20specify%20it%20to%20what%20you%20want%3F%20You%20mentioned%20some%20third%20party%20apps%20any%20that%20you%20can%20recommend%3F%20Cheers%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1677685%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1677685%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102431%22%20target%3D%22_blank%22%3E%40Shuchi%20Mehta%3C%2FA%3E%26nbsp%3B%20How%20does%20one%20enter%20PIN%20on%20device%20after%20device%20set%20up%3F%20(kiosk)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1677710%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1677710%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F797154%22%20target%3D%22_blank%22%3E%40Eaglebeek76%3C%2FA%3E%26nbsp%3B%20In%20my%20use%20case%2C%20I%20have%20the%20policy%20configured%20to%20Exit%20Kiosk%20Mode%20with%20a%20PIN.%26nbsp%3B%20So%2C%20once%20you%20exit%20Kiosk%20Mode%20(by%20pressing%20back%20button%20on%20screen%20multiple%20times)%20you%20can%20get%20to%20the%20settings%20app%20on%20device%20and%20then%20Set%20the%20screen%20lock%20as%20PIN.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1677731%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1677731%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102431%22%20target%3D%22_blank%22%3E%40Shuchi%20Mehta%3C%2FA%3E%26nbsp%3B%20Before%20I%20try%20this%2C%20how%20does%20one%20reenter%20kiosk%20mode%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1677738%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20device%20password%20not%20applying%20in%20Kiosk%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1677738%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F797154%22%20target%3D%22_blank%22%3E%40Eaglebeek76%3C%2FA%3E%26nbsp%3B%20you%20would%20swipe%20up%20(or%20go%20to%20apps)%20and%20search%20for%20Managed%20Home%20screen%20app.%20Once%20you%20click%20on%20that%20it%20takes%20you%20back%20to%20the%20Kiosk%20Mode%2Fscreen.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Hi everyone,

I'm not sure if I'm missing something here and please correct me if what I'm doing is not possible or by design.  

 

I'm setting up an Android tablet for single application use in Kiosk mode.  I'm using a QR code to enrol the device and get it configured.   Everything is working perfectly *except* no device password is being applied and I can specifically see the password policies failing to apply.  

Annotation 2018-11-30 152106.jpg

 

I've configured the device password in the same policy that deploys the single use app.  So... Device Configuration -> Profiles -> Platform = Android Enterprise, Profile Type = Device Restrictions (Device Owner).  I've enforced to at least use a numeric pin, minimum lenght = 4,  Keyguard = Not configured.

 

 

My question ultimately is ..... is it possible to configure a device/screen lock password/pin on a kiosk device?  My use case here is the device is for single app use, by a trusted person.  The person will know the pin to unlock the device, but the device does not have any other purpose than running this one application, and the device should not be used for anything else other than running this one application.

 

I can see all the settings I've configured applying successfully, except the device password ones.  

 

Any advise on if this is possible and if so, where I can start troubleshooting?  

 

 

 

13 Replies
best response confirmed by Noel Fairclough (Contributor)
Solution

This is by design in Android Enterprise - Dedicated Devices (Kiosk) mode.  You can configure the PIN/password via compliance or configuration policy but it doesn't get enforced as there is no Company Portal on the device in this scenario. The solution is to include in your documentation and processes that the owner/technician sets up a PIN after device is setup.

Thank you very much for replying Shuchi.  This is good to know.  

It's a real Kiosk mode device. :)
Good morning,

I'm experiencing the same issue on fully managed corporate devices, can you confirm if it's possible to force a PIN on these devices?

@Durrante I would expect it to work in that scenario. Forcing a PIN complexity is a very big deal for user assigned devices.

@Noel Fairclough 

If you use a 3rd party app to set a PIN, the policies to indeed get enforced - you just need to get the initial PIN there.

We wrote our own little app to do this function and is pushed down to the clients as part of the profile.

@Brett James , so there's no way of setting a pin requirement via Intune natively?

@Noel FaircloughAnd @microsoft 

I am in a "worst case scenario" with passcode forcing:

  • I have enrolled an android device in Kiosk mode using QR code (so 100% corporate with no user associated).
  • After testing around the kiosk mode (which I'm very happy with by the way) I've tried around passlocking the device.
  •  I've sent a "reset passcode" action from the intune portal . Quite happy this applied almost immediatly after showing a message around the lines of : "this will reset passcode on the device, it will appear here (I supposed the screen from where the passcode is reseted) for the next 7 days"
  • I still haven't found the passcode from the screen. Have also tried looking into getting that from the company portal as indicated on some microsoft documentation, impossible to access (using tenant global admin or simple user) so stuck with not knowing temporary passcode
  • Finally I had a (not at all) brilliant idea: wipe the device. Just to realise that the passcode that was enforced by intune is set before Android even launches, which prevent any "wiping" from happening, apparently needs android to have started first...

Quite a few lessons learned there, but no way to get my device back for know while I have global admin on our tenant.... Any help welcomed.

@BrettJames with you app can you set the passcode via an application config? Also is it possible to change the pin like the native reset passcode command but specify it to what you want? You mentioned some third party apps any that you can recommend? Cheers

@Shuchi Mehta  How does one set up PIN on device after device setup? (kiosk)

@Eaglebeek76  In my use case, I have the policy configured to Exit Kiosk Mode with a PIN.  So, once you exit Kiosk Mode (by pressing back button on screen multiple times) you can get to the settings app on device and then Set the screen lock as PIN. 

@Shuchi Mehta  Before I try this, how does one reenter kiosk mode? 

@Eaglebeek76  you would swipe up (or go to apps) and search for Managed Home screen app. Once you click on that it takes you back to the Kiosk Mode/screen.