Example policies: dedicated devices

Dedicated devices are company-owned devices that fulfill a single use case, such as digital signage, ticket printing, or inventory management. The narrow use case allows admins to lock a device down to a single app or small set of apps, and to prevent users from enabling other apps or performing other actions on the device.

Device settings

This policy snippet includes the recommended device settings for a dedicated device with minimal access.

"safeBootDisabled": true,
"screenCaptureDisabled": true,
"factoryResetDisabled": true,
"cameraDisabled": true,
// Specifies that system updates will be auto-installed during a daily
// maintenance window between 2am and 4am.
"systemUpdate": {
  "type": "WINDOWED",
  "startMinutes": 120,
  "endMinutes": 240
},

Kiosk mode

In kiosk mode, a designated kiosk app launches automatically when a device boots. The app runs in full-screen mode and is pinned to the home screen to prevent users from leaving the app.

To enable kiosk mode on a device, specify a designated kiosk app for the device by setting its installType to KIOSK. This designated kiosk app will launch automatically when the device boots.

"applications": [
  {
    "packageName": "com.example.app",
    "installType": "KIOSK",
    "defaultPermissionPolicy": "GRANT"
  }
]

A device can only have a single designated kiosk app (installType set to KIOSK). However, if a kiosk app links to other apps, these additional apps can be added to applications. Ensure that the installType for any additional apps is not KIOSK or BLOCKED.

"applications": [
  {
    "packageName": "com.example.app",
    "installType": "KIOSK",
    "defaultPermissionPolicy": "GRANT"
  },
  {
    "packageName": "com.example.app_to_be_linked",
    "installType": "FORCE_INSTALLED",
    "defaultPermissionPolicy": "GRANT"
  }
]

Enable kiosk mode for web pages

With web apps, you can launch a web page in kiosk mode. A web app turns a web page into an Android app. You use a web app's package name to install it on a device, just like any other Android app.

Using a web app's package name, designate it as the device's kiosk app by setting its installType to KIOSK. Because web apps require Google Chrome to launch, you should also add Chrome to applications. The example below includes additional setting recommendations, such as using managed configurations to explicitly allow the web app's URL in Chrome and disallow other URLs.

"applications": [
  {
    "packageName": "com.google.enterprise.webapp.x6306d4def62b6b3s",
    "installType": "KIOSK",
    "defaultPermissionPolicy": "GRANT"
  },
  {
    "packageName": "com.android.chrome",
    "installType": "FORCE_INSTALLED",
    "managedConfiguration": {
      "URLBlocklist": ["*"],
      "URLAllowlist": ["web.app.url"]
    },
    "defaultPermissionPolicy": "GRANT"
  }
]
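The rules above (recommended device settings, a single KIOSK app, and Chrome restricted to the web app's URL) can be checked before a policy is pushed. The following linter is an added example, not part of the original page or the API: `lint_policy`, its finding strings, and the sample policy are hypothetical, and treating `com.google.enterprise.webapp.` as the web-app package prefix is an assumption drawn from the sample name above.

```python
# Settings the page recommends for a minimal-access dedicated device.
RECOMMENDED_TRUE = ("safeBootDisabled", "screenCaptureDisabled",
                    "factoryResetDisabled", "cameraDisabled")
WEBAPP_PREFIX = "com.google.enterprise.webapp."  # assumption: from the page's sample name
CHROME = "com.android.chrome"


def lint_policy(policy):
    """Return findings for a dedicated-device policy given as a dict."""
    findings = []
    apps = policy.get("applications", [])
    kiosk = [a for a in apps if a.get("installType") == "KIOSK"]
    # A device can only have a single designated kiosk app.
    if len(kiosk) > 1:
        names = ", ".join(a.get("packageName", "?") for a in kiosk)
        findings.append(f"multiple KIOSK apps: {names}")
    # The recommended lock-down settings must be present and true.
    for key in RECOMMENDED_TRUE:
        if policy.get(key) is not True:
            findings.append(f"{key} is not true")

    # A web-app kiosk needs Chrome installed and limited to the web app's URL.
    if any(a.get("packageName", "").startswith(WEBAPP_PREFIX) for a in kiosk):
        chrome = next((a for a in apps if a.get("packageName") == CHROME), None)
        if chrome is None or chrome.get("installType") == "BLOCKED":
            findings.append("web-app kiosk without Chrome in applications")
        else:
            cfg = chrome.get("managedConfiguration", {})
            if "*" not in cfg.get("URLBlocklist", []):
                findings.append("Chrome URLBlocklist does not block all URLs")
            allow = cfg.get("URLAllowlist", [])
            if not allow or "*" in allow:
                findings.append("Chrome URLAllowlist is empty or allows all URLs")
    return findings


# Constructed sample: two KIOSK apps, cameraDisabled missing, Chrome unrestricted.
SAMPLE = {
    "safeBootDisabled": True, "screenCaptureDisabled": True,
    "factoryResetDisabled": True,
    "applications": [
        {"packageName": WEBAPP_PREFIX + "placeholder", "installType": "KIOSK"},
        {"packageName": "com.example.app", "installType": "KIOSK"},
        {"packageName": CHROME, "installType": "FORCE_INSTALLED"},
    ],
}

print("\n".join(lint_policy(SAMPLE)))
```

An empty list means the policy satisfies every rule checked here; it does not validate the policy against the full API schema.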

Kiosk launcher

If a device requires users to access one or more apps from the home screen, turn on the device's custom launcher by setting kioskCustomLauncherEnabled to true in the policy. To keep the device unlocked (for public kiosks, for example), set keyguardDisabled to true:

"kioskCustomLauncherEnabled": true,
"keyguardDisabled": true,
"applications": [
  {
    "packageName": "com.example.app1",
    "installType": "FORCE_INSTALLED",
    "defaultPermissionPolicy": "GRANT"
  },
  {
    "packageName": "com.example.app2",
    "installType": "FORCE_INSTALLED",
    "defaultPermissionPolicy": "GRANT"
  }
]

You can also develop your own custom launcher app to give users access to multiple apps.