MaaS360 Open Mic: Managing Kiosk Devices, 17 Oct 2017


(vault closing) Thank you again everybody for joining us today. We’ll be delving into the spine tingling world of kiosking mobile devices. Something that kind of came about with the advent of tablets and smart phones and things that had screens that you only wanted to run a certain number of applications. This is something that is not new to the scene, I myself when I was in college waited tables we used a system called Micros that was built off of Windows NT, it was a little nice touch screen thing that was strictly used for menuing systems so we’ve moved on from those bulky cash register systems, where you can walk into any number of boutique shops or even major companies and see just an iPad taking care of everything. It’s not unlimited to retail, we find these in use in the medical field as well, for charts, finance, industrial, trucking, things like that, so the use cases pop up everywhere. And normally within the context of larger organizations there are only a few devices out of the total number that need to be kiosked, so if you’re not doing something specific like retail where you have a bunch of point of sale devices, let’s say you’re running a law firm, where you just want a kiosk iPad in a waiting area for example, you don’t have too many to go and it can be all the more frustrating when you can’t just get those certain devices running in kiosks smoothly. So we’ll run through some of the features today and show you how everything goes. I’m gonna share my screen now, alright cool. So we’ll start as always in these, inside the portal. If you’re new to our support series webinar first of all welcome, thank you for joining us. We don’t really do any kinds of sales slides or pitches or marketing material here, this is all gonna be live demo, live walk through of portal features that are available today. So if you want to begin testing this out you can, kiosk mode is part of our basic MDM package for both iOS and Android. 
Those are the two platforms we’re gonna walk through today. There is a solution available for Windows as well, it’s a little more complex in its setup, and we can talk about that offline if you want to, but by far the largest use case today for kiosk devices is iOS and it is Android, so those are what I’m gonna be focusing on. So device inventory themselves, again, the kiosk functionality that we’re gonna be talking to goes by a couple different names depending on the platform that you’re walking through. So you’ll hear me throw out some different terms as we go through this, for iOS, it’ll be advanced blacklisting and whitelisting, or app lock, for Android it’ll be kiosk mode or COSU and we’ll get to the differences between those and functionality and set up. Now the important thing to remember is that while you can run this a couple of OS versions back, it’s always important to know that the newest and greatest features always come with newer versions of the operating system, so if you are running iOS 9.3 today you might not see everything available tomorrow. It’s really gonna change as the platforms upgrade and upgrade, and in the case of Android, newer features are tied not only to our app version, so you might have to be on the newer version of the MaaS360 application, but it’s also tied to specific OEMs as well. We have more advanced capabilities built out for specific devices that are branded by Samsung, Kyocera, and Zebra. But from the kiosk perspective in the actual device view there will be no distinguishing between the kiosk device and anything else, so it’ll all show up in the same inventory, behavior is just determined by the MDM policy so that being said we’ll get right into it here. We’ll start with iOS because that is by far the easiest, and you’ll see why when we get to Android. iOS devices, though, come with their own set of limitations when you’re talking about using them for kiosks.
First of all, the kind of advanced idea of locking down the devices is tied to supervision. So if you’re running a small mom and pop shop and you go to the Apple store and you just buy an iPad and you come back and you’re like alright let’s get started with this kiosk thing, that’s not gonna work. Supervised mode is not something that can be accomplished out of the box if you’re unfamiliar with it, we have some information about it on our Wiki pages that we can get to you, but basically supervised is either accomplished one of two ways, by physically tethering the device to a Mac computer and running a program called Apple Configurator, or by being part of what’s called Apple’s device enrollment program, in which case we can supervise over the air. More information about both of those can be found on Apple systems, due to time limitations I can’t go through all of that today, but just say today that the idea of supervised iOS devices is brand new to you and you’ve never heard of this before, you’re gonna need to start there if you need to kiosk them in any way whatsoever. All of the advanced lockdown capabilities come under supervised settings. And so the first and most basic is what is called app lock. Now app lock on the device itself is called guided access mode, you might be familiar with this. If you go to settings, general, and accessibility, there’s a guided access option in there, basically what happens is you launch an application, you tap the home screen, I think it’s like three or four times rapidly, and it asks you if you want to place the device in guided access. So what’ll happen is that app will remain launched in the foreground, pressing the home button will not exit it and all of the background processes that are going on will cease. So it’s really just about making the device about that application.
Now from an accessibility perspective it has its uses but when you’re talking about enforcing this through MDM, they’ve changed the name to app lock itself. And this is just a single application. This is not a multi-app screen, this is just one app, launched on the device, that cannot be exited. And like I said, background processes will cease on this. So other things that might be going on in the background that you want to run, processes can be killed. Upgrades and updates and things like that will cease in the background, then you’ll be just locked in this state, and only the app in the foreground will have any changes taking place to it while this is going on. Now if you want to do some MaaS360 this is great, again for single use purposes. If you’re just running a single application that does sales, advertising, anything like a medical chart, for example, now if the application itself has different areas, you don’t have to worry about that, but if the app has to make a call to another application within the same family, let’s say for example the MaaS360 browser, we make a call to our application, this could hinder that, so you just wanna make sure it’s a single purpose built application that is just gonna be used for a single item. This can be the same with apps that ship on the device, I’ve had people that for whatever needs they want to lock it to calendar, or mail, or to the calculator app, you can do all of that. So it’s just a matter of typing the name of the application that we wanna put into this mode so we’ll say MaaS360 for example. And then there’s some touch input options here that you can disable. Disabling touch input, so this would mean that there would be no screen tapping on this device, it would basically just be whatever’s in the application.
You see this a lot in sales, again if you’ve ever been into an Apple store, you see those iPads that are sitting on the desks out there with all the pricing information on it, they might not go so far as to disable touch input, but that’s the basic idea here. Disabling the volume button control, ringer switch controls, sleep wake button and auto lock. This will keep the device on, again something else to keep in mind that a lot of kiosk devices in these situations, you wanna keep plugged into power. And then there’s accessibility options. Not gonna go through all of these, pretty straightforward set up. I don’t really know how else to say it, it’s a single app that runs on a device, users can’t access it. Now there’s also a feature in here that doesn’t get used so much for consumer driven purposes, this is called autonomous app lock. This is more of a development feature, where you have devices that are running applications that can put themselves in app lock at certain points when certain criteria are met. More often than not this is used in development for application testing and things like that, I’m not gonna go down that road, I don’t have any applications that actually support this way. If you’re talking to your app devs, they’ll probably know what this is more than any kind of general iOS admin. So that’s it for app lock, let’s see here, I’m still sharing my device. It’s pretty straightforward we’re gonna do this with the MaaS360 application I think I’ve still got that installed. Alright so this will take place generally pretty quickly on the device itself. Given that I’m even in the correct policy. I’m gonna check that real quick. Also something to make aware, default iOS in the policy. So we should be in good shape. That might be just a matter of time before this makes its way down, so I’ll come back to that in just a second.
While we’re waiting for that to load, I’m gonna come back into the other portion of the policy which is gonna be the advanced blacklisting and whitelisting. So as you know, we said that’s locked down to a single application. There’s not gonna be anything else that you can do there except launch the application that’s in use. So again you can navigate to different areas of the application itself but the problem arises, what if I need a custom home page full of applications on an iOS device. Well we’ve got you covered in two different areas here. First is gonna be, both of them are gonna be under supervised settings, but first you’re gonna be in the home screen layout. So within the home screen layout, you would be the admin to determine where the apps are going to lay on the screen. Gonna determine if they’re in folders, if you see the single application, if you’re placed in on the first page or if you’re placed in on the last page. Pretty easy to do here, we’ve come in to manage templates, you can build out a home screen layout and we’ll pre-populate with all the kind of apps that ship on the device itself, and you can get rid of those here if you see that you don’t want to do anything. I don’t want iPod drive, I don’t want all this, but just keep in mind, on this particular portion of the work flow, all you’re doing here is taking the device and removing the applications from the home screen layout. That means that it’s not taken into consideration when you decide where applications go. So this does not actually hide the apps. This means that I don’t care about where those are on the device, I only want to worry about these applications. So you can get rid of pretty much everything here and then just start dragging and dropping around. So if you drag one on top of another you can create a folder, we can get rid of both of these applications and cancel this whole thing out. And you can add applications.
Add apps or folders, so we find MaaS360, dragging one second here, I think the reason now it isn’t working for me is because I was showing you on a non-supervised device. So I’m gonna bring the supervised device here, one actually just went into app lock. So that was a good demonstration, if it doesn’t work, let’s check to see if the device is built for supervise, there we go. So this is one in the single app lock mode, it looks like the other one I was using was not a supervised device, should have taken my own advice, checked that first but this one is and I know you can’t see me hitting the home button but I’m hitting the home button a whole bunch of times, and nothing’s happening. So if I don’t allow these certain features, like the sleep wake button, the volume button, all you’re gonna see is the IBM MaaS360 application. Alright so back to the home screen, my apologies for the non-sequitur there. It’s really important that you understand again this is just the layout of the home screen, so where the applications are going to go. If the apps themselves are not gonna be a part of this at all, you can just X them out for the regular apps and then just add what you want. In this case, it’s MaaS360 in settings. This is a limitation of the actual blacklisting feature itself and I’ll show you that in just a second but we’ll just call this Test One. Excuse me. So now that I have a home screen layout, I’m ready to move on to what the nuts and bolts of this are, and this again, because a lot of print times for kiosk is important for admins to be able to determine where the apps are, what the whole user experience is from beginning to end. So there’s actually technically I think I should say three parts to that. I said two but we’ll go back to the policies, one of them is also the wallpaper, I’m not gonna worry about the wallpaper for this demonstration purposes, but you can change the wallpaper obviously in the background and that’s another supervised setting. 
But the big one is the app compliance. Now there’s really two ways to go about this, either whitelisting an app or blacklisting a series of apps. Now whitelisting is probably going to be the easiest one for any kiosk environment because you don’t wanna manually go through and blacklist every single application that the users get their hands on or that could potentially be pre-installed on the device. It’s also important to note that if you’re using this feature, there are two apps that can never be hidden. There is the settings app, and there is the phone app. This is a limitation of the platform and that’s just the way it is. We can’t hide those applications, they are always going to appear, so there’s nothing you can do about it. Now for the settings I hear a lot of grumbles on that all the time, oh man if they have access to the settings then they can pretty much do whatever. No, leverage the supervised MDM policy to lock down things like account modifications so they can’t put in iCloud accounts. Disable the iTunes store, they won’t be able to log in to any of that stuff as long as you’re leveraging the MDM policies as part of that. So yes, they will see the settings menu. If you’re doing this kind of multi-app mode, there’s nothing we can do about that, but you can at least lock down the device so they can’t change anything within that setting. And also you can hide it in a sub-folder somewhere or put it on another page. Alright, so then we can configure the whitelist of the application and we can auto-whitelist applications that are part of the app catalog, and if that’s the case, that’s really the easiest way to go about this, this is iOS, distributing the apps through the app catalog, have them installed, and just whitelist everything that you’re distributing automatically so you don’t have to worry about going in there by hand and typing every individual application.
Now if this is some sort of controlled environment where you want to give users some sort of autonomy to download some applications then you can start adding things in there and you can say alright we’ll let them have DropBox and Gmail and Netflix, but nothing else, for example. But that’s not really a kiosk mode, that’s just really locking down the device from user aspects, so for a kiosk perspective, we’ll just go ahead and say whitelist anything that’s being distributed via the app catalog and save and publish. And I forgot to remove my app lock so let me just go back and change that real quick. This again supersedes everything else. No matter what’s going on in the background, nothing else is going to hit. Now when I say it kills background processes, this of course doesn’t stop it from updating the MDM policy, the APNS push takes care of that. But things like app updates system updates those will all be locked down. There we go. Alright so there’s the apps, I was pushing out three applications, App Catalog, Classroom, MaaS360 I did not apply the template to this which is why it’s not in order. Then you can see here from the perspective of just being able to hide apps on separate pages, this is what it would really be. So from a work perspective, maybe it’s not such a huge deal that people can get in the settings, if you lock down everything else. From a public device perspective there might be some worries there, so you just have to be careful and weigh the options of using iOS devices in this mode as kind of a kiosk. Also keep in mind here that if this is any kind of shared device environment, there’s not a way to remotely zap app information, so if you’re using this kind of setup, you might have to go towards more of a shared device model than an actual kiosk model where users sign in and out and applications get deleted in between user sign ins. 
This is just to keep personal data safe and of course make sure that if you’re using the shared application the absence of information like email or personal ID, social security numbers, whatever it might be, that the data itself resides in that app until it’s removed. So you gotta just kind of weigh what you’re doing here, but for a straight up kiosk in a retail environment, this could really work out for you if you just need two or three applications running. So that’s the iOS side, again if you have any questions about this, go ahead and get those in to the Q&A chat, we’ll answer those up at the end there. We’ll get now into more of the Android side which from my experience we do see people using the single app mode in iOS on occasion. I’m not saying that the blacklisting whitelisting feature is not used for kiosk type environments, but it’s not used as often in iOS. I think iOS admins have gotten used to over the years the idea that iOS devices are gonna kind of lean in favor of the consumer. So for really strict controls where everything can be locked down and picked at, Android is what we see the most often, and also just because if you’re doing kiosk devices and you’re using them as any sort of point of sale or something like that, it can be cost prohibitive to use iOS devices. They generally run more expensive and you can find cheap Android tablets at Best Buy for $99. Now if you have to set up five point of sale machines at your shop and you need five different tablets, I’m obviously gonna pick the $99 tablet over the $399 iOS device. Now of course that’s up to your company. But I’ve seen this cause a lot of issues, and I’m gonna talk about what a lot of those are from a higher level and I’m gonna offer you two different options here. So the first option is that MaaS360 ourselves have our own kiosk launcher. And we’ve had this for years now. 
And this will function differently depending on whether or not you’re using Android as a platform in general or using Samsung-specific devices. So if you go into the MDM policy, come under advanced settings, there’s kiosk mode restrictions. Now Android doesn’t have any idea of supervised mode for this so it’s just gonna work out depending on the operating system version you’re running. And the kiosk that we offer is the same idea here as we showed you on the iOS devices but it’s all set up in one. And they show a custom home page with the allowed applications or automatically launch a required app and lock the device to that. Now this is really the second option is only gonna work well on Samsung devices. The first option will be available for everybody, but there’s some caveats there. So you start getting into these custom built OS images, it’s not even custom built, it’s just modified, so every carrier that you can go to in the United States and worldwide that sells Android devices injects their own, for lack of a better term, bloatware onto devices. Different OEMs do it as well. And those pieces of software can behave inconsistently. But the basic idea of this is that you get the MaaS360 set up, you determine the apps that you want on the device, and then you have to manually install them, that’s the first caveat, is that if you’re talking about public applications like you see here I’ve got Gmail and DropBox and MaaS360, they have to make their way to the device first, and when you’re talking basic MDM, there’s only two ways to do that, public app store or enterprise push. And if you’re doing it in enterprise push, the only way to silently install it is if it’s a Samsung branded device. So there’s your first wall if you’re using $99 tablets that you bought from Best Buy. It might not even have a brand written on them. They might be Best Buy branded, or something like that and who knows who made it or where it came from. 
So that’s the first issue is you have to manually set these devices up ahead of time. Going down you can see different things here where you can block multi-window mode, block the task messenger, hide the navigation bar, hide the status bar, so all those little pieces that you see on Android, they come up by swiping down on the screen or tapping the home button a certain way. We can block all that. But if you look over to the right-hand side of the screen, you’ll see that a lot of these advanced features are only for a certain OEM. These aren’t for standard Androids, so hiding the navigation bars on a Samsung again, or a Kyocera, Safer LG, Safe Kyocera, Zebra, so different functionality based on the operating system and OEM support. This is a second caveat. If you’re going down the road of managing Android devices, there’s just differences between all the different systems, and while I’d love to say that we’re gonna go out there and build OEM support for everybody, we’re not gonna do that. So we look at the purpose built devices, ruggedized devices, Kyocera, Zebra and again Samsung just generally has this available through safe. So we partner with some of those OEMs to get the support in there, because their devices permeate the market as purpose built devices. But there’s some other things that we can do here as well, like blocking hardware keys, enabling admin bypass, which is an extremely useful one. This is something that you don’t see on the iOS side, so we can at the kiosk, as long as the admin has a code, or you can do a dynamic passcode generation so it’s an on-demand passcode that gets brought up via MaaS360 to unlock that single device. 
So that’s great if you are remote support and this is a POS device that’s in Michigan and you’re working help desk support from Florida, you can generate the pass codes, allow that user to exit the kiosk just while you troubleshoot this issue and then they can put it back in and you can go back to work and they won’t be able to unlock it again without that same code. There’s also some kiosk launcher settings in here, disabling auto rotate, screen orientation and portrait mode, app icon size, name, font size, allowing or disallowing users to rearrange the icons themselves. The logo position, the system has to be whitelisted, so again what you see here at the top is where you have to copy and paste the app ID. For those of you who don’t know how to do that on Android it’s like this. Find Gmail, find the application, come into the app store, here’s the app ID. So you can just find the app, copy and paste it over in this area and then the app is whitelisted. Again this does not put the app on the device, this just adds it to the kiosk mode settings. But down here you don’t wanna do that for system applications, you don’t want to do that for MaaS360 applications necessarily so you can just come in here and choose the different apps that you want to. But this is based on the Google pure experience, so we’re using the app IDs for the Android operating system as Google creates them. Again as a second caveat, or are we on three, I’ve lost count. Here’s another caveat, is that these can change depending on the device filter. So the camera application for Samsung devices does not have the same app ID as the general Android camera. You’ll have to come up here and find out what that is and add it if you want the camera to be part of the kiosk. So what does this look like on the device itself, again you can set wallpapers remotely for this, but I’m gonna show you with our generic wallpaper here. And this is just a sample of the device in kiosk. 
So MaaS360 and DropBox are in there, I did not have the Gmail app installed so you’re not seeing it on the kiosk screen. This is something you have to be aware of, so if you launch the kiosk and you’re like alright, I don’t see all the applications I wanted, what’s the deal here, you gotta find out where they are and make sure they are installed properly, make sure that you’ve got the app ID correct. Under the settings I can exit the kiosk, using my obscure 90s reference, of 90210. I guess it’s not obscure, but it’s definitely very 90s. So, the actual application itself on Samsungs can be launched automatically, but again, for the other devices on the market that don’t have that specific OEM support, the first time you launch kiosk it’s gonna require interaction from an admin. And that can be done in the actual application itself, so if I bring up the app, go into settings, go into corporate settings, there’s the enable kiosk mode. Just one more time here. Open the MaaS360 application, go to settings, go to corporate settings, and there’s your enable kiosk mode. So when I tap that, the launcher’s gonna go ahead and go, and I’m gonna be back in kiosk. So if I don’t know that code, I can’t access it. So, here’s another kind of I’ll say caveat that I don’t really have the ability to show you here, but this is something that we run across all the time. So let’s say that you’re out there and you’re buying bulk devices from your carrier, and your carrier happens to carry this little off-brand device that they’re gonna sell to you for 20 bucks or maybe even give to you for free if you sign up for so many lines. Whatever the case may be, they’re gonna give you the bottom barrel device that they have in their environment. The problem is, that those oftentimes come with more bloatware than other devices. Basically it’s sold at a discount and it includes built in advertising.
The problem becomes that those certain hooks that those applications have, we’ve seen cases where they extend beyond the reach of our kiosks, so for example, let’s say that you want to allow the system browser in there and you open up the browser and the browser has a nice little button built into it that takes you to another application that’s not part of the kiosk but was pre-installed on the device, that’s a potential back door. It gets you into another application that’s not in the kiosk takes you to an area of the device that you don’t want the user to be in. Same thing with the system tray. System tray itself might have some features where users figure out if they tap in a certain sequence, they can get beyond the reach of the kiosk and into a browser, let’s say that the browser was not part of that. But another application like a map application has something built in that allows them to get around that. Now MaaS360 addresses that when we can. We don’t have every single device on the market, I wish we did, that would be a really awesome library of devices for me to choose from, but it’s cost prohibitive, so we can’t test this in every single scenario that’s out there. What happens is that someone will open a case with us and we’ll look into it and we will do our best to resolve it for that specific scenario, but then oftentimes another one pops up. It’s just kind of the downside of all these cheap devices that are out there, especially when you look at devices that come from countries like China and India where it’s like you don’t know what the carriers are doing. They’re just going in there and doing all sorts of crazy things. We had a customer here in the states that procured very inexpensive devices from China, that for whatever reason they got them super cheap and none of them came with Google Play Services. Well that’s a security risk in itself. 
If you want Play Services to manage the devices, it’s one of the big reasons why we have trouble managing devices in China, you don’t want to have those devices in a US market where you can get a readily available supply chain of devices that come with Play Services pre-installed. So these are the kinds of things we see on Android all the time, it’s obnoxious I know, and that’s why I like to talk about the second option for kiosk which is gonna be the Android Enterprise Tool Set. Now the Android Enterprise Tool Set was previously called in this case, Android for Work. Android for Android Enterprise, they’re kind of interchangeable right now, we’re gonna move into using the official Google language which is the Android Enterprise Tool Set. And this offers a feature called COSU kiosk mode. Corporate owned single use. And the reason that I really really like this, and I really really like this for everybody, not just specific use cases of course you want to test it out, there are benefits sometimes of using the MaaS360 kiosk over this, and vice versa, but for me personally, where on a day-to-day basis I have to speak to people that use all sorts of different Android devices, I like this solution the most. And the reason being is because it’s baked into the operating system, there is no third party components in this, it’s all Android it’s all Google Systems that are doing the kiosking. Now that means of course, the downside here is that you have to sign up for Android for Work, which isn’t really a big downside because it’s free, and all you need to do it is a Gmail address. So if you don’t even have a Gmail address, you can go out and get one, sign up for this, and if you want a part of this we did a whole big webinar on this two months ago, if you want a part of that we’ll get the replay up for you, you can watch it it’s on our Wiki pages that Rachel will share at the end of our presentation here. 
And it’s fantastic because it doesn’t matter which company made the device. If you’re running the inexpensive carrier tablet, versus the $900 tablet, you’re going to get the same experience for everybody on the Android platform. This does have a couple of little asterisks at the end, one, it has to support Play Services, we need an officially Google licensed device which most of them are. Again, unless you’re going to places like China or buying really cheap devices off the street, more than the odds are in your favor that you have an officially Google certified device running a legit version of the operating system. On the second one it said it needs to be running 5.0 or above, preferably 5.1.1 or above, and for the best use cases, you want to be on 6.0 or above. So, lollipop or above for support, best experience for marshmallow and above, and this is the kind of second asterisk is this requires a lot more manual set up. So for our kiosk, you can take existing devices that are out there that are already on MaaS360 policies and add them to a kiosk policy and set the launcher off and you’ll have a new kiosk device. For the COSU mode, this requires something through the Enterprise Tool Set it’s called device owner. That likens back to the supervise mode settings that we were talking about. And so if you come into your setup and you go to your mobile device management you can see here, we enable the Android Enterprise Solution Set all it requires is a Gmail address, but devices have to be factory reset. And there’s no really good way right now to go through the DO mode, for every single device type that’s out on the market, however, about a month ago Google announced something called zero touch enrollment, we have a blog piece about that on our Wiki page that you can read more about it. 
Basically zero touch is only supported on a few devices right now but all the major carriers at least in the United States have bought in, you’ll have to check if you’re in Europe or Asia-Pac, if your carriers are gonna support this, but basically it’s like a DEP type program where you turn on an Android device and as part of the setup process you’re going to be pushed to enroll in MaaS360. Download the application automatically, we can even do side loading of configuration profiles so that no user input is required. But again there’s no way to get into device owner without completely starting over in a factory reset state. So that’s kind of the big asterisks portions of that. One, you have to sign up for Android for Work, two the device has to be factory reset, three you wanna be 5.1.1 or above, so if you’re still running 4.4.4 devices, you’re gonna have issues this isn’t gonna be supported. But, if you can make it past all that, if you can deal with that set up. The COSU setup here is gonna be phenomenal for you because it offers a couple of features that you don’t find in the regular Android kiosk. Even for Samsung devices or other OEM specific devices. First and foremost is that you as the admin can push and install the applications remotely, silently with no user interaction required. Meaning the experience would be, turn on the device, go into the O, enroll in MaaS360 and immediately be placed into the kiosk and all the devices will start downloading and installing the applications without having to set up a Google Play account, without the users having to physically go into the Google Play Store. It’s perfect for any situation where you don’t want to have these kind of credentials set up on the device. So I think that the work that you’re going to put in, to getting into DL, is going to save you time over having to activate these devices anyways, and then putting Google Play credentials that you don’t necessarily want users to have access to. 
The second is that no matter what, no matter outside of OEM support or anything like that, the kiosk will kick off automatically as soon as you apply the policy. There’s no manual interaction required for this policy to take place on the device. As soon as you save it, whatever you’re doing show a custom home page with allowed applications or automatically launch a required app and display only that, as soon as you do that, it’s gonna take place on the device as soon as that policy hits. So the users don’t have a say in it. No one has to go into the MaaS360 application and hit the launcher. Outside of that, the experience is nearly identical to what I showed you before, let me just mirror out my Android device here again. You know what, sorry, give me one moment here, I think I have to take it out of kiosk. There we go, it wasn’t giving me the popup on the device, which was weird. So we’ll connect this, then I have to take this out, don’t worry about that. So because I had to exit the kiosk to get that running that kind of took away my whole purpose of showing this taking place automatically but, take my word for it and of course you can absolutely test this out yourself. Android for Work is free, Android Enterprise Tool Set is free, all you have to do is get a Gmail address and turn it on and the service is part of our basic MDM package, but corporate settings, enable the kiosk mode, so, this is within the context of the Android Enterprise Tool Set, so again same idea here, we’re giving you the same kind of interface, we’re seeing MaaS360, we’re listing out the applications that are part of that. And you can set up very similar rules as you could in the other one. I mean you’re looking at the same thing, the kiosk launcher settings, disable the auto-rotate, setting the orientation to portrait mode, automatically whitelisting certain system apps and MaaS360 applications. 
But at the top all of this you’ll see, there are some OS limitations, oh you know what, that’s right, sorry the DO stuff is all gonna be for 6.0 and above now. 5.1.1 will have some functionality but it’s not 100% supported. The COSU portion of this is 6.0 and above, I apologize, I should have stated that at the top. 5.1.1 and above is the stated support for the Android Enterprise program, but the advanced capabilities are all on 6.0 and above, which is why we put that there. So make sure that this again is gonna require some newer devices, make sure that they’re updated on the operating system, you can get some functionality of 5.0 devices but I’m not sure how deep it’s gonna be, at the very least you should be able to create the custom home page and things like that. The advanced tool sets here though, setting the device to kiosk immediately or once any whitelisted app is installed, keep the device on when plugged in, enabling disabling widgets, upgrading the kiosk launcher in the background, same thing here, enabling admin bypass, either dynamically or with a static code for everybody that’s on this. So from the Android perspective this is the easiest one to support across a wide variety of devices, and doesn’t require as much user interaction on the setup. There’s a silent installation of the applications really makes this one. And then automatically whitelist in the end. So from the device side there’s not a lot of terribly interesting stuff to show you here. 
It’s a kiosk device it’s meant to be used it’s not meant to be ogled over, so there’s not a lot of ooh and ah factor here, but you can see that I can determine where the MaaS360 logo is and of course using our branding we can change that logo you can change the background, the order of the applications as they appear on the device is determined by the order of the applications that are added here, so first one on the screen is gonna be Gmail, MaaS360 and then DropBox and you can see as soon as I entered the kiosk there was Gmail, MaaS360, DropBox. So you can change the order, you can fiddle with where applications appear on the device, how big their icons are going to be, whether or not you’re going to allow rotate on the device and things like that. So if this is gonna be stationary somewhere and you want it to be a single experience whether or not the user flips the device upside down or not all sort of controls in there. So, kiosk again relatively straightforward, didn’t think we were gonna need the full hour on this one but I wanted to make sure to leave a lot of room for questions, because kiosk itself in the execution is pretty simple and straightforward, but there tends to be a lot of hand raising when we talk about this, so we’ll give you time to get stuff in the Q&A chat, if this was all self-explanatory to you we’ll wrap things up early, but I know that while I review those questions, Rachel’s gonna have some housekeeping notes for you. So I’m gonna let her take care of that while I begin going into the Q&A chat.
Alright thanks a lot Matt. I’ll give you a minute to look over the Q&A, and attendees, a lot of you have put questions into the Q&A panel, but if you have a question that you haven’t asked yet now is the time to go ahead and get that added to the Q&A panel. You want to like Matt said, I do have just a few quick housekeeping items for you. 
First of all, I wanted to share with you some new great MaaS360 content that’s coming to the IBM Security Learning Academy. For those of you who have not yet visited the Academy it’s a really really great resource for MaaS360 clients, and clients of other IBM security products as well with lots of free training, and videos, how-tos, learning paths, courses, tutorials, basically anything that’s gonna help you learn your IBM security product. It’s available for free on the Security Learning Academy. So as you can see on this screen, we are working on several new courses and videos on many different topics for MaaS360 as well as a new badge and these will be available to you for free, just like I said, just like all other MaaS360 content on the Academy, is available to you for free. We put a lot of work into creating the content on the Academy that will help you be successful with MaaS360 so we hope you’ll check it out. It’s just www.securitylearningacademy.com and as I’ve said it’s all free to you, so please do take advantage of that. My second item for you is that our next open mic has been scheduled for November 15th, and we’re gonna be talking about what’s new in MaaS360 in the 4th quarter of 2017, during that session. You’ll find out what’s new in the MaaS360 platform, you’ll hear tips for leveraging new Android and iOS features, we’re gonna give you a few sneak peeks of what we’re working on for the rest of the year, so I’ll be sending out an invitation for that soon, probably in the next week or so. So keep an eye on your inboxes for that we hope that you can join us. And with that I think that Matt has had time to read through some of the Q&A, so Matt whenever you’re ready with that first question.
Cool, thanks. One of the first questions that I see on there was something that went back and hit on another point that I made earlier. 
And that was what happens if I have an app in the kiosk that takes me to another application that’s not in the kiosk and users have found a work around essentially. That’s a great question and I should have showed you this before. Within the actual policy itself for Android it’s always a good idea to use the device settings of blacklisting and whitelisting applications, application compliance, so I wouldn’t worry about the blacklist but I would use the whitelist, and block from use any applications that are not on it. So everything that you’re gonna add to the kiosk, I would also add to the whitelist. This is because, like I said there are other workarounds, we can put in a ticket with support and see if there’s anything we can do from a kiosk launcher setting, that will help prevent that, but again there are so many OEMs and so many apps out there that we just simply can’t address all the scenarios. So leveraging blacklisting, if you have an application that then redirects to a browser, if it’s outside of the app, the whitelisting will take care of it. If the application even has a browser built into it however that is a feature that you don’t like of that app, there’s really nothing that we can do in that instance. If it’s going to open up a web view using the Google web view system settings, we can help you with that but if it’s something else, we’ll have to address that with the app developer. But if there’s any kind of redirect externally, whitelisting the apps that are in the kiosk should take care of that as long as the actions to block other apps from use. Next question, and somebody asked this too, I understand I do tend to talk a little fast, I apologize for that, we will be making this recording available and going through all of this again and again so you’ll be able to re-watch this any time that you want. 
Another question was how come messages app is not included in the system like contact and dialers, this is generally because that messages app tends to be very varied, depending on the actual setup of it, and this is another thing that you have to keep in mind. Going just with messengers, but I hope this will answer some other questions is that a lot of native applications are tied together, so you don’t want to just whitelist messages, you might need to whitelist contacts and dialer too, in order for the full functionality to take place. So it’s very possible that just whitelisting contacts is not enough, because it’s tied to the dialer application you might have to have both of those. Which potentially opens up some functionality within the kiosk that you don’t want your end users to have. And that’s a give and take, there’s really nothing we can do there, so if you are saying for example, if you’ve got an application that’s dependent on having browser access, you might have to have the browser in the kiosk as well. If you want users to have contacts on their device, you might have to have the dialer as well. Or vice versa, so just keep that in mind, those application IDs can be found pretty easily using something called ABK Extractor from the app store. How do you upgrade a public application on device in kiosk mode, what about in enterprise app, any difference between iOS and Android. For iOS the single app launch mode will prevent any updates on the backend, you’ll have to take it out for app updates to take place. For Android it’s relatively straightforward, if it’s a public application and you’re using the MaaS360 kiosk there’s nothing we can do, you have to exit the kiosk and update the applications manually. If it’s an enterprise app on a Samsung device we can push it inside, silently install it. If you’re using the Android for Work COSU kiosk, then you can just push everything out via MaaS360 and it’ll update automatically on the device. 
Let’s see here, a lot of questions. This is what I thought was gonna happen. Will iOS software update while in kiosk mode. It will if you’re using the whitelist. It will not if you are using the app lock mode. Can you drag to change the order of applications in Android kiosk mode. In the console, it’s not a drag and drop but if you just change the order the apps are listed it’ll change the order they show up in the kiosk mode. If you want users to be able to do that you can allow them that security feature as well. Can you mix regular kiosk mode and COSU. I’m not sure what you mean by that, but I’m guessing asking if you’re having some devices that are on COSU kiosk mode and some devices that are on the MaaS360 kiosk mode, both apply to the same policy, answer to that question is yes. I showed you a Samsung device and a Google Pixel today. And the Google Pixel was in the COSU and the Samsung device was in the MaaS360 kiosk and they were both applied to the same policy. Now there’s two different sections that have to be configured, but one policy can take over both those use cases. Is there a way to place an instructional video on the MaaS360 kiosk mode screen. That’s a good question, something that we get asked a lot is can we push media to the kiosk. It doesn’t really work like that right now, we can see about that in the future but the problem generally is is that everything we do is based on a bundle ID of an application and media doesn’t have bundle ID. So unless you’re willing to make that video an actual application there’s not much we can do there. We can push it to the MaaS360 application so that users can watch it, you just have to make sure that all of our viewing material is part of that whitelist, the MaaS360 secure viewer. I have all Samsung devices, some a little older, 4.2 that use kiosk mode, can those have apps silently installed or can they only be installed manually. 
If you’re going back to 4.2 you’re gonna miss out on a lot of that silent functionality and they’re definitely not going to support the Android Enterprise Tool Set, so you’re gonna be under a lot of manual work flows on those devices until you can get something that’s upgraded to at least 5.0. How does MaaS360 handle Android updates, pushing updates by vendors. So there’s a couple of good answers to that. Android Enterprise Tool Set on COSU, we can actually determine how updates are installed, whether it’s automatically or not, or it has to be manually fetched by the user. For non-Android enterprise devices, if you’re using Samsungs, there’s gonna be something coming up here called e-fota, E dash F O T A. It will allow you to remotely push updates, but that’s Samsung only. So for your standard Android users that are not in Android for Work kiosk mode, there’s really no good answer for that, it’s all gonna be manual. Is there a way to lock a specific website via Chrome on the Android kiosk mode. Not on Chrome but you can use the MaaS360 browser and do that, so you can lock the MaaS360 browser to a kiosk setting that will just lock it to the website that you want. A couple people asked Windows 10 questions, I apologize I don’t have a good Windows 10 device to get into that, it requires a certain level of licensing that I didn’t have on my little test laptop. But there is a Windows 10 tool set there. We’ll be building some material coming there for that coming up so keep an eye on our Wiki pages for that if you don’t already follow them and Rachel will follow up with the links there. Oh you’ve already got them on the screen, so all the links are there. If you go to ibm.biz/maas360community keep an eye out there, that’s where we post all our new material. Some people I see a couple questions in there people have tried this device owner COSU in the past and they said it didn’t work for them. 
The one thing I want you to be aware of is that Android for Work enrollment requires some setup and it’s not a given that just because a device is in device owner mode that the device will be enrolled in Android for the Android Enterprise Tool Set. There has to be deployment settings and specific enrollment requests, so it is possible to have a device owner device enrolled in regular MDM. So it’s very likely that that might have been what you are seeing, we can discuss that offline, you’re always welcome to contact me with these questions, [email protected] After I hang up here today, I am out of town for a week, however, so I will get back to you as soon as possible, but if you want to discuss that further we can, or you can reach out to your account manager and they can set you up with one of our engineers who will go on a call with you. Let’s see what else do we have. Where does the auto-generated code appear for kiosk mode. The auto-generated one’s in the device view, so if you’re using the procedurally generated codes that will say unlock one device, you go into the device view for the device in kiosk and there will be a menu action item to generate that code for bypass. It takes a second to sync up, so you want to make sure that the MaaS360 app manually refreshes, otherwise it can take upwards of 15 minutes for that code to reach the device so that you can unlock it. Is there a way to block broadcasting SSIDs and use only a preferred one. There are some things you can do on the Android front, to pretty much lock it down to just the SSIDs that you want to, if you’re using iOS you’re not gonna find that functionality, but if you look into the advanced networking settings on Androids, depending on the device type for the operating system you should find something that’ll fit your use case there. 
This is a good question, it doesn’t really have to do with what we’re talking about today but it’s a fairly common question, with iOS 11 if you’ve immediately upgraded to iOS 11, you’ll notice that if you are in restricting managed to unmanaged sharing, for MDM managed devices, the iMessage application disappeared for sharing. So if you wanted to go into photos, pick a photo and share it via iMessage, it was no longer appearing as an option. This is an issue on the iOS side, as far as my testing has gone, it’s fixed in iOS 11.1, 11.1 beta 2 is out now, so test that in your environment if you want to get that resolved, this was not something that MaaS360 had the ability to fix. We are having issues with iOS upgrades over the air for unassisted iOS kiosks, how can we tell in MaaS360 that iOS download completed, is there a specific value in harbor in OS under available updates to notify downloaded completed or install completed. Those areas only report back the OS failures, so if you’re using DEP in supervised devices and you push the iOS update and it fails for some reason, then we will come back and report back that failure, but if everything goes through and works, then the only way to tell is that the device will report back with a new version of the operating system. I’m gonna get to one more question. Can Safari be set to full screen in kiosk mode. Yes. There is a trick to it though. Within the actual native applications, we need to just know the app ID. Pretty easy to find on the backend, it’s usually something like com.apple.safari or something like that, so because those, our initial search, when we’re talking about the single app lock, when we type the name of an application we’re pulling the app store. And the app store obviously doesn’t store Safari for us so what we do is we just copy and paste the app ID to that same field and that will put Safari into the full screen app lock for ya. 
I know I didn’t get to every question, but I hope I got to a decent amount of them, and again feel free to follow up with me via email if you have any further questions, I will be out for the next week but if you have something emergency that needs addressed immediately, please reach out to your account rep, or if this is something that’s not functioning properly please reach out to our support line.
Alright thanks a lot Matt and thanks to everyone who joined us today. We hope that the session was valuable for you, if you have not yet done so please take a moment to answer our poll questions, there are just two of them, and again that feedback does help us know how we did today and it helps us to plan future open mics, so that feedback is really valuable. If you have any questions that Matt didn’t answer, or any other questions or topics that you’d like to talk to him about, I did put his email address in the chat panel. So feel free to reach out to him, and again, our next open mic on new features is on November 15th so mark your calendars and keep an eye on your inbox for an invitation, it’ll be coming your way soon. And we hope that we’ll see you there. From everybody here at MaaS360 and IBM Security, we thank you for your time and we hope that you enjoy the rest of your day.

Dereck Turner

1 thought on “MaaS360 Open Mic: Managing Kiosk Devices, 17 Oct 2017”

  1. dershope says:

    I have a paid subscription to MaaS360. How can I get to technical support so I may speak with someone for tech support?
