Lock down the desktop kiosk
The desktop kiosk app handles what it can from inside its own process. For unattended public kiosks, layer an OS-level profile underneath the app so the operating system itself blocks the escape routes the app fundamentally cannot close.
What the app handles on its own
Section titled “What the app handles on its own”When launched as the kiosk client, the desktop app:
- Opens borderless and fullscreen, covering the entire display geometry including the menu-bar strip.
- On macOS, hides the menu bar and dock via native
NSApplicationPresentationOptions(.hideMenuBar | .hideDock) and re-asserts them every time the app regains focus. - Blocks ⌘+Q (and the app-menu "Quit") on macOS via the AWT QuitHandler.
- Attempts to suppress other common shortcuts — Alt+F4, ⌘+W, Alt+Tab, ⌘+Tab, the Windows/Super key, F11, and Escape — for the ones the OS delivers to the app before acting on them itself.
- Gates exit behind a manager PIN. The manager menu opens with five rapid taps in the top-right corner (for touchscreens) or five F12 presses (for hardware keyboards), and the PIN entry has brute-force lockout. A supervising operator sets the PIN on first run. See Exit kiosk lockdown and recover the PIN for the full operator flow, including PIN recovery.
The desk app is not locked down — it is a staff tool and keeps normal window controls.
Windows — Assigned Access / Shell Launcher
Section titled “Windows — Assigned Access / Shell Launcher”Windows offers two kiosk mechanisms. The desktop kiosk is a classic Win32 desktop application, so Shell Launcher is the right fit — Assigned Access (single-app kiosk) only accepts UWP/MSIX apps or Microsoft Edge.
Shell Launcher v2
replaces the default Windows shell (explorer.exe) with the Jonot kiosk
executable for a designated account. With no Explorer shell there is no
desktop, Start menu, or taskbar; if the app exits, Shell Launcher restarts it.
Requires Windows 10/11 Enterprise, Education, or IoT Enterprise.
- Enable the Shell Launcher optional feature
(
Enable-WindowsOptionalFeature -Online -FeatureName Client-EmbeddedShellLauncher), or push it from your MDM. - Create a dedicated standard (non-administrator) local account for the kiosk.
- Configure Shell Launcher to set that account's custom shell to the Jonot kiosk launcher, with the restart-on-exit action — via the Shell Launcher CSP from your MDM, or locally with the WMI bridge PowerShell sample documented in the Shell Launcher guide.
- Set the kiosk account to auto-logon and disable the lock screen, sleep, and fast user switching.
For a quick supervised setup without Enterprise licensing, the
Assigned Access "kiosk browser"
can point at https://kiosk.jonot.io directly — but it runs the SPA in Edge
without the native bridge (no local printing, no offline-host failover), so it
is a fallback, not a substitute for the native app.
macOS — OS-level escape-prevention runbook
Section titled “macOS — OS-level escape-prevention runbook”The app hides the menu bar and dock and blocks ⌘+Q app-side. The OS-level profile covers the routes the app cannot close: Force Quit, Mission Control, Spaces switching, hot corners, Spotlight, and app switching.
Use a dedicated managed or restricted account with auto-login. Deploy from an MDM (Jamf Pro, Kandji, Mosyle, or Intune):
-
Dedicated standard account + auto-login. Create a non-administrator local account used only for the kiosk. Enable auto-login for that account and disable system sleep with an energy profile. A Managed Login Items payload ensures the kiosk app starts at session start.
-
Disable Force Quit (⌘+⌥+Esc). Force Quit is the primary escape route that the app cannot block. Disable it with a custom managed-preferences payload for
com.apple.loginwindow:DisableForceQuitCombinedKey = true -
Disable Mission Control and Spaces switching. Use
com.apple.symbolichotkeysto disable the Mission Control shortcut (key 32) and Spaces-switching shortcuts (keys 79–81, 118–123). -
Disable hot corners. Push a
com.apple.dockpreference payload with all fourwvous-*-cornerkeys set to0(disabled). -
Disable Spotlight. Disable the Spotlight keyboard shortcut via
com.apple.symbolichotkeys(key 64 for Spotlight search). Note: the standard Restrictions payload's Spotlight key suppresses Internet results only, not Spotlight itself — use the symbolichotkeys approach instead. -
Disable app switching (⌘+Tab). Disable the Application Switcher shortcut via
com.apple.symbolichotkeys(key 27).
Linux — GNOME kiosk session
Section titled “Linux — GNOME kiosk session”On Linux the cleanest lockdown is a dedicated GNOME Kiosk session that runs the Jonot kiosk app as the session's only window — no panel, no Activities overview, and no application switcher.
- Install the
gnome-kioskpackage (available on recent Fedora and Debian/Ubuntu releases). It provides a minimal Wayland compositor that runs one fullscreen app. - Create a custom session that launches the Jonot kiosk executable as its shell command, so the kiosk app is the session.
- Configure GDM auto-login for a dedicated standard user into that kiosk session.
- Harden the surrounding system: disable VT switching and
Ctrl+Alt+Backspace, block TTY access in
logind, and disable automatic screen blanking and power management.
Because the GNOME Kiosk compositor never exposes a switcher or overview, there is no in-session route to another application — the OS enforces what the app's in-process shortcut suppression can only attempt.
Recommended layering
Section titled “Recommended layering”| Layer | Protects against |
|---|---|
| In-app lockdown | Menu bar/dock (macOS), ⌘+Q, accidental exits, shortcuts catchable in-process |
| OS-level kiosk profile | Force Quit, Mission Control, Spaces, hot corners, Spotlight, OS-level app switching |
| Physical enclosure | Hardware access — USB ports, power button, the keyboard |
Always run the in-app lockdown and an OS-level profile together for unattended public placements. A physical enclosure is the third layer for fully tamper-resistant deployments.