In this quick walkthrough we're going show you how to enroll and configure your Android device for a kiosk walkthrough in a point of sale (POS) use case.
In order to complete this demo please make sure you have the following:
- A valid VMware TestDrive account. Sign up here.
- An active Workspace ONE UEM (formerly VMware AirWatch) service in the VMware TestDrive Portal.
- Factory reset Android device:
- Highly recommended OS level: Android 7.0+
- Minimum OS level: Android 5.0
- Workspace ONE UEM Admin Role: Device Administrator at Retail Holding Company
- Network access from your device and TCP port 443 enabled on your network
- The POS app used in this setup, Loyverse, is used solely to illustrate locking the device down into a retail kiosk. Loyverse is available at no charge in Google Play and an account is not required.
A common Android use case in retail, education, and healthcare environments is kiosk mode, also known as single app mode, where devices are locked down to provide restricted, single purpose functionality. Using the Workspace ONE UEM launcher app to replace the native launcher is the method to achieve the kiosk functionality. Workspace ONE UEM makes the device lockdown into kiosk a simple and fast process.
- Single app mode enables you to lock each device into a single app and prevent access to other features or settings on the device.
- On the device, the lockdown process happens after the simple device enrollment. Workspace ONE UEM handles all of the locking down.
- Work Managed Device enrollment is the method to get a device into single app mode.
On a factory reset device device, when prompted for a Google account, enter the unique Workspace ONE UEM DPC identifier (referred to as the "hashtag"):
Download and install the AirWatch Agent.
Enroll with your Workspace ONE UEM enrollment email and TestDrive user credentials:
Workspace ONE UEM enrollment email: firstname.lastname@example.org E.g., email@example.com
Username: TestDrive username
Password: TestDrive password
When prompted for your group (OG), chose Retail - Kiosk Demo.
If your device is not encrypted, Android will guide you through the encryption process.
Choose "fast encryption".
After encryption, follow the prompts to complete the "device owner" configuration, creating the Work Managed Device.
While this process appears on the surface to be the same as a work profile configuration, it is not. This step is unique to the Work Managed Device in that the agent is setting up as "device owner" for 100% institutionally-controlled use.
Continue accepting all prompts and complete enrollment. Before the device begins provisioning with the profiles and app, note the enrollment type in the AirWatch Agent: Work Managed Device.
Device will provision with the Launcher profile, Launcher app, and Loyverse POS app. Accept Launcher setup prompts. Device should lockdown with the Loyverse POS app .
- Single app mode prevents use of any app exit function and can control undesirable hardware button functions.
- When you turn a smart device into a single purpose device, where only the locked-down app's functionality is allowed, support costs are drastically reduced.
On the device, attempt to switch apps. You will not be allowed and a notification will appear on the bottom the screen.
If using a video camera to display your device, as a further demonstration, reboot the device and show the device boot up into single app mode.
Console - Launcher Administration
- Any public or internal Android APK may be pushed and locked down into single app mode, creating a dedicated use device with dramatically reduced support costs.
- A single profile and a single app uploaded into the console is all you need to do in order to provision hundreds, thousands of kiosk devices.
In the console, use the admin role Device Administrator at Retail Holding Company.
Find your device, and drill into device details. On the apps tab, view the Launcher profile called Retail - Android - Kiosk. Verify its installation status.
Additionally, you may also verify the app installation statuses of this use case from the Apps tab in device details.
Drill into the WWE - Retail Kiosk - POS profile. You should be able to view its configuration, including the app setup in kiosk mode.
- The Device Administrator admin role is restricted from certain console resources. Use the role's restrictive configuration as a value add-on to the security discussion of roles-based access in Workspace ONE UEM. Lower level admins can be prevented from editing profiles and other settings managed at higher levels.
- Use your sandbox role to run through either an actual profile configuration or application setup, if needed.
- Within device details, the Troubleshooting tab features "Event Log" and "Commands" views, enabling admins to perform targeted searches for analysis, and most importantly saving copious amounts of time working with a troubled remote devices.
- With the "Event Log" view, detailed debug information and server check-ins, including a filters by event type, date, severity, module, and category.
On the "Commands" view, detailed listings of pending, queued, and completed commands sent to the device are available.
Navigate to the troubleshooting tab by clicking on the More tab within the device details menu. Within Troubleshooting, you can show Event Log and Command views with the filters described in the above talking points.
- All Workspace ONE UEM managed organizational data, the POS app, and the Launcher are removed from the device.
- Workspace ONE UEM compliance can be used to enterprise wipe devices in the event, for instance, a device moves outside of a designated IP range range.
From the console, send an enterprise wipe to the single app mode device. Note that all of the organization's data--the app--will be removed and the device will become unlocked. The device will be returned to its unmanaged state and all Workspace ONE UEM has been removed.