In this quick walkthrough we're going to show you how to enroll and configure your Android device for kiosk mode in a point of sale (POS) use case.
In order to complete this demo, please make sure you have the following:
- A valid VMware TestDrive account. Sign up here.
- An active Workspace ONE UEM (formerly VMware AirWatch) service in the VMware TestDrive Portal.
- Factory reset Android device:
  - Highly recommended OS level: Android 7.0+
  - Minimum OS level: Android 5.0
- Workspace ONE UEM Admin Role: Device Administrator at Retail Holding Company
- Network access from your device and TCP port 443 enabled on your network
- The POS app used in this setup, Loyverse, is used solely to illustrate locking the device down into a retail kiosk. Loyverse is available at no charge in Google Play and an account is not required.
A common Android use case in retail, education, and healthcare environments is kiosk mode, also known as single app mode, where devices are locked down to provide restricted, single purpose functionality. Using the Workspace ONE UEM launcher app to replace the native launcher is the method to achieve the kiosk functionality. Workspace ONE UEM makes the device lockdown into kiosk a simple and fast process.
- Single app mode enables you to lock each device into a single app and prevent access to other features or settings on the device.
- On the device, the lockdown process happens after the simple device enrollment. Workspace ONE UEM handles all of the locking down.
- Work Managed Device enrollment is the method to get a device into single app mode.
On a factory reset device, when prompted for a Google account, enter the unique Workspace ONE UEM DPC identifier (referred to as the "hashtag"):
When prompted, download and install the Intelligent Hub.
Samsung devices will present this screen. Accept the Terms.
Enroll with your Workspace ONE UEM enrollment email and TestDrive user credentials:
Workspace ONE UEM enrollment email: firstname.lastname@example.org (e.g., email@example.com)
Username: TestDrive username
Password: TestDrive password
When prompted for your group (OG), choose Retail - Kiosk Demo.
(If using an older Android device, the device will need to encrypt itself. Allow Android to guide you through the encryption process. Enrollment will resume afterwards.)
Follow and accept the Hub prompts to complete the Android "device owner" configuration, setting up a Work Managed Device.
While this process appears on the surface to be the same as the creation of the work profile, it is not. This setup is unique to the Work Managed Device as it sets up the Hub as "device owner" for 100% institutionally-controlled use.
Before the device begins provisioning with the kiosk (lockdown) profile, open the Hub and go to the account menu (upper right), then tap This Device to see the enrollment state.
Note the "Work Managed" enrollment.
The device will soon provision with the Launcher profile, Launcher app, and Loyverse POS app.
Accept the Launcher setup prompts. The device should lock down to the Loyverse POS app.
A demo Loyverse account is not provided because it's not required to demo the kiosk functionality. However, a quick registration of the app can get you into it.
- Single app mode prevents use of any app exit function and can control undesirable hardware button functions.
- When you turn a smart device into a single purpose device, where only the locked-down app's functionality is allowed, support costs are drastically reduced.
On the device, if you attempt to switch apps you will not be allowed, as restricted by the Workspace ONE UEM kiosk security policy.
If sharing your device screen, as a further demonstration, reboot the device and show the device boot up into single app mode, still locked down.
Console - Launcher Administration
- Any public or internal Android APK may be pushed and locked down into single app mode, creating a dedicated use device with dramatically reduced support costs.
- A single profile and a single app uploaded into the console are all you need in order to provision hundreds or thousands of kiosk devices.
In the console, use the admin role Device Administrator at Retail Holding Company.
Find your device, and drill into device details. On the apps tab, view the Launcher profile called Retail - Android - Kiosk. Verify its installation status.
You may also verify the app installation statuses of this use case from the Apps tab in device details.
Drill into the WWE - Retail Kiosk - POS profile. You should be able to view its configuration, including the app setup in kiosk mode.
- The Device Administrator admin role is restricted from certain console resources. Use the role's restrictive configuration as a value add-on to the security discussion of role-based access in Workspace ONE UEM. Lower level admins can be prevented from editing profiles and other settings managed at higher levels.
- Use your sandbox role to run through either an actual profile configuration or application setup, if needed.
- Within device details, the Troubleshooting tab features "Event Log" and "Commands" views, enabling admins to perform targeted searches for analysis and, most importantly, saving copious amounts of time when working with troubled remote devices.
- The "Event Log" view shows detailed debug information and server check-ins, with filters by event type, date, severity, module, and category.
- The "Commands" view shows detailed listings of pending, queued, and completed commands sent to the device.
Navigate to the troubleshooting tab by clicking on the More tab within the device details menu. Within Troubleshooting, you can show Event Log and Command views with the filters described in the above talking points.
- All Workspace ONE UEM managed organizational data, the POS app, and the Launcher are removed from the device.
- Workspace ONE UEM compliance can be used to enterprise wipe devices in the event that, for instance, a device moves outside of a designated IP range.
From the console, send an enterprise wipe to the single app mode device. Note that all of the organization's data (the app) will be removed and the device will become unlocked. The device will be returned to its unmanaged state, with all of Workspace ONE UEM removed.