Niklas Blog

Exploring Device Management.

A guide on how to create a Single-App kiosk for Apple iOS devices using Apple Business Manager in combination with Microsoft Intune

06 December 2024

A guide on how to create a Single-App kiosk for Apple iOS devices using Apple Business Manager in combination with Microsoft Intune

In today’s digitally-driven world, businesses and organizations are constantly seeking innovative ways to streamline operations and enhance customer experiences. One such solution for enterprises is a so called kiosk, a product that transforms devices into dedicated platforms for specific tasks or applications.

Whether it’s for customers or frontline-workers, single-app kiosks offer a tailored and secure experience. So this is what this blog should be about: „How to create a kiosk for a specific task using an iOS device managed by Microsoft Intune“.

We’ll delve into the step-by-step process of creating a single-app kiosk using Microsoft Intune, so lets dive into it.

Requirements

Obviously you need Microsoft Intune (including licenses) and at least one iOS device. If you have those ready we firstly need to create a Entra ID group that will hold our devices and the configurations that we are going to create.

Within the Entra ID or Intune portal create a new group and set the „Membership type“ to „Dynamic device“:

Within the group creation wizard we are going to define our dynamic query that will collect all devices. In this example I am going to use Apple Business Manager to allocate devices to my environment so it is easy to assign a tag to the device that our group then will collect.

(device.enrollmentProfileName -match "iOS-SingleAppDemo")

„iOS-SingleAppDemo“ is the tag that I am going to add to my devices that should be single-app kiosk devices for this demo.

Now if you never created a profile in this way (where you of course need an Apple Business Manager account attached to your Intune) then navigate to „Devices“ -> „iOS/iPad OS enrollment“ -> „Enrollment program tokens“…

…here click on „Microsoft Intune…

…and at „Profiles“ we want to create a new „iOS/iPadOS“ profile:

Name the profile exactly like you did in the Entra ID dynamic filter:

And now we are at a point where we define the iOS OOBE. For our single-app kiosk (in this example) we want the device to auto-enroll without being attached to a user and of course we want it supervised (which is the „MDM-mode“ in iOS where you have much more control over the device“. I would recommend to enable „Locked enrollment“ as this ensures that the device enrolls completely to Intune before the user can use it.

In the next step of this wizard you need to define details about the department or company that is responsible for the devices and which steps the iOS OOBE will show. For this example I disabled all except „Location services“ as we need the location for the right time on the device:

Lastly save the profile – it does not need to be assigned to our group because it matches the filter so it will be included.

Creating a kiosk profile

So now we have our Entra ID group and the Apple Business Manager profile ready. Next we are going to create a „Device restrictions“ profile in Intune at the iOS/iPad OS section.

Start by giving the profile a name:

Then within the „Device restrictions“ look for „Kiosk“. To run only one app in full-screen mode without the availability for the user to use the device for other purposes we set the „App to run in kiosk mode“ to „Managed App“ and then choose an app from the „+ Select an app to use for kiosk mode“-link. This app needs to be an Volume-Purchase-Program (VPP) app. Once you`ve selected the app you can set more device restrictions like for example to „Block auto lock“ or „Block screen rotation“…this depends on your scenario:

Save and assign the profile to our earlier created Entra ID group.

Now you should be ready. But you might ask „How do I now assign the tag to a device?“….that’s simple. Go back to „Devices“ -> „iOS/iPad OS enrollment“ -> „Enrollment program tokens“ but now switch to „Devices“ instead of profiles from above. There you will see all iOS devices that have been added to your Apple Business Manager account and synced to Intune. Check the device by its serial number and the click on „Assign profile“ from the top menu:

iOS Single App Kiosk

Enroll a device with this tag and depending on your app it will look something like this – a full-screen app that you cannot leave:

Conclusion

In conclusion, the deployment of single-app kiosks using Microsoft Intune for Apple iOS devices offers a simple way to create secure single-use case devices for public facing devices or frontline-workers that only should use the device for a specific task. From enhancing interactions to improving employee productivity, these kiosks serve as powerful tools for targeted engagement and streamlined operations. Through the comprehensive management capabilities of Microsoft Intune, administrators can efficiently configure and deploy single-app kiosks with ease, ensuring both functionality and security.