Kiosk Mode or Assigned Access

By | February 23, 2015

Kiosk Mode & Assigned Access Mode

Kiosk Mode Article reprinted from Kioware and author Jim Kruper date Feb 2014

kiosk mode lockdown browser comparison

lockdown browser comparison

Generally, kiosk mode is usually meant to refer to a particular “mode” that most browsers offer.  “Kiosk Mode” is offered by browser applications (Internet Explorer, Chrome, Firefox etc) to run the application full screen without any browser user interface such as toolbars and menus.  The intent of most people setting up “kiosk mode” is to prevent the user from running anything other than the browser based content in the full screen browser window.

What kind of security does a browser’s Kiosk Mode offer and is it a viable solution for users?  If “Kiosk mode” is meant to create a “Kiosk like environment”, the kiosk mode option on your browser is likely insufficient.

Kiosks tend to be deployed in a self-service environment which means the user of the kiosk is not formally associated with the kiosk.  In short, the user doesn’t own the kiosk and isn’t responsible for the proper functioning of the kiosk.  The user just wants the kiosk to provide a defined service.  This can cause a problem for Kiosk Mode browsers because of the following situations not handled by Kiosk Mode browsers.

Session Management – User Data Security

For most applications, a self-service or public access kiosk needs to clean itself of the current user’s data when the user leaves.  How does the kiosk know a user has left?  The simplest solution is an inactivity timer, but that can be a problem if the kiosk has a queue of users, and the next user steps up and begins using the kiosk before the inactivity timer runs out.  In this case, a proximity switch or security mat is required.  Regardless, when a user’s session is finished the kiosk needs to delete all record of the user.  This means clearing cache, user session data and potentially the print queue.

It is also important for the kiosk to reset to the start page of the application when a user session has ended.  There is nothing more confusing to the next user to see the kiosk at screen #20 of the application.

Full Keyboard Blocking

Sometimes the kiosk deployment uses the standard computer keyboard.  The standard keyboard has a long list of keys that a user should not be able to use.  In a Windows environment, the key combination of Ctrl-Alt-Del can create havoc to a device in a browser kiosk mode state.  In Windows, a sophisticated kiosk owner can change Group Policies to minimize the Ctrl-Alt-Del hazard, but the list of individual keys and key combinations which need to be blocked is extensive. The main issue with Group Policies is that they aren’t intuitive.  Group Policies are difficult to setup properly initially, and can be inadvertently and quickly undone by a future kiosk programmer/staff member.

Application Restart, Memory Management

Kiosks tend to run unattended for long periods of time, and many browser based applications are designed to be run once and then be closed (ex, internet websites).  This means that the application can continue to grab a larger chunk of memory with each run.  This is particularly an issue for a kiosk where the application is being run repeatedly.  At some point enough memory has been used that the operating system starts to suffer and the kiosk stops functioning properly.  The kiosk needs to be smart enough to monitor its own health and when necessary restart the application or even restart the kiosk.  Browser based Kiosk modes do not address this need.

Custom Toolbars

By definition Kiosk Mode removes all of the browser’s toolbars and menus. As such, the application needs to have navigation built-in or a navigation toolbar needs to be displayed.  Forward, Back and Home buttons are a minimum requirement with perhaps a print button and scroll buttons as necessary.

Printers and Other External Devices

For security reasons, it is critical to not show the normal OS print dialog when a user requests a print.  Even more critically for internet content which may have embedded print buttons, the device must properly handle inadvertent print button selection when the kiosk has no printer. This needs to be properly handled or else OS dialogs will be displayed.  This can be both confusing to the user and a serious security risk.

Internet Content, Domain “Allow” Lists

Often a kiosk provides access to a specific website or websites, and it is critical to keep the user on that specific website or websites, or even certain selected pages of that website/websites.  In addition, certain allowed website domains/pages may have links to download files.  These files can be confusing and distracting at best and serious security issues at worst.  As such, file downloading action needs to be blocked.  In addition, there may be links to enable the user to send an email using HTML’s [MailTo] tags.  Clicking this button will attempt to open an email tool which a) likely isn’t installed and will error out (again confusing to the user, potential security issue) or b) if an email tool happens to be installed, then this could almost certainly cause a huge security risk.  The kiosk needs to prevent [MailTo] tags from being clicked.

OS GUI

Windows, in particular, has a bad habit of popping up dialog windows, task bar, charms bar, etc., for a variety of reasons completely unrelated to the application. They are at minimum confusing to a kiosk user and serve as a potential security threat.  The kiosk needs to prevent these items from being displayed to the user.

It is clear that for a majority of self-service applications, browser Kiosk Mode options have limitations that prevent it from being a viable solution.  Moving to a kiosk software solution will provide you with the security that you need.  Using kiosk software solutions, you won’t inadvertently leave open a serious security hole or confusing user experience.   The user experience will benefit while keeping user and company data secure.

Full article and resources page here on KioskIndustry

Thanks to KioWare, Laura Miller and Jim Kruper for the article!

More Useful Links

Text for Easy Shell from thinclient.org which basically describes features of kiosk mode in a thin client or zero client environment using embedded.

HP has announced HP Easy Shell, a Windows-based application that allows HP Thin Client users to control, customize, and protect  their Windows Embedded user experience with intuitive and easy to deploy settings. Designed with simplicity in mind for both end users and admins, HP Easy Shell is the go-to solution for businesses looking to customize their user experiences for Cloud, VDI, single and multi-purpose app environments.

HP Easy Shell provides a more focused user experience without device domain connection requirements or complicated group admin policies. From denying and limiting access to apps and browsers, to fine-tuning the home display and control panels – nearly every security need can be 100% tailored.

Key features of HP Easy Shell:

  • Define user access to websites, single and multi-purpose apps
  • Customize user access to browsers, task manager, and control panels
  • Deploy rapidly across small or mass thin client environments

For more information, please see visit this link.

Author: Staff Writer

Craig Keefner -- With over 40 years in the industry and technology, Craig is widely considered to be an expert in the field. Major early career kiosk projects include Verizon Bill Pay kiosk and hundreds of others. Craig helped start kioskmarketplace and formed the KMA. Note the point of view here is not necessarily the stance of the Kiosk Association or kma.global