Skip to content

Lock down the desktop kiosk

The desktop kiosk app handles what it can from inside its own process. For unattended public kiosks, layer an OS-level profile underneath the app so the operating system itself blocks the escape routes the app fundamentally cannot close.

When launched as the kiosk client, the desktop app:

  • Opens borderless and fullscreen, covering the entire display geometry including the menu-bar strip.
  • On macOS, hides the menu bar and dock via native NSApplicationPresentationOptions (.hideMenuBar | .hideDock) and re-asserts them every time the app regains focus.
  • Blocks ⌘+Q (and the app-menu "Quit") on macOS via the AWT QuitHandler.
  • Attempts to suppress other common shortcuts — Alt+F4, ⌘+W, Alt+Tab, ⌘+Tab, the Windows/Super key, F11, and Escape — for the ones the OS delivers to the app before acting on them itself.
  • Gates exit behind a manager PIN. The manager menu opens with five rapid taps in the top-right corner (for touchscreens) or five F12 presses (for hardware keyboards), and the PIN entry has brute-force lockout. A supervising operator sets the PIN on first run. See Exit kiosk lockdown and recover the PIN for the full operator flow, including PIN recovery.

The desk app is not locked down — it is a staff tool and keeps normal window controls.

Windows — Assigned Access / Shell Launcher

Section titled “Windows — Assigned Access / Shell Launcher”

Windows offers two kiosk mechanisms. The desktop kiosk is a classic Win32 desktop application, so Shell Launcher is the right fit — Assigned Access (single-app kiosk) only accepts UWP/MSIX apps or Microsoft Edge.

Shell Launcher v2 replaces the default Windows shell (explorer.exe) with the Jonot kiosk executable for a designated account. With no Explorer shell there is no desktop, Start menu, or taskbar; if the app exits, Shell Launcher restarts it. Requires Windows 10/11 Enterprise, Education, or IoT Enterprise.

  1. Enable the Shell Launcher optional feature (Enable-WindowsOptionalFeature -Online -FeatureName Client-EmbeddedShellLauncher), or push it from your MDM.
  2. Create a dedicated standard (non-administrator) local account for the kiosk.
  3. Configure Shell Launcher to set that account's custom shell to the Jonot kiosk launcher, with the restart-on-exit action — via the Shell Launcher CSP from your MDM, or locally with the WMI bridge PowerShell sample documented in the Shell Launcher guide.
  4. Set the kiosk account to auto-logon and disable the lock screen, sleep, and fast user switching.

For a quick supervised setup without Enterprise licensing, the Assigned Access "kiosk browser" can point at https://kiosk.jonot.io directly — but it runs the SPA in Edge without the native bridge (no local printing, no offline-host failover), so it is a fallback, not a substitute for the native app.

macOS — OS-level escape-prevention runbook

Section titled “macOS — OS-level escape-prevention runbook”

The app hides the menu bar and dock and blocks ⌘+Q app-side. The OS-level profile covers the routes the app cannot close: Force Quit, Mission Control, Spaces switching, hot corners, Spotlight, and app switching.

Use a dedicated managed or restricted account with auto-login. Deploy from an MDM (Jamf Pro, Kandji, Mosyle, or Intune):

  1. Dedicated standard account + auto-login. Create a non-administrator local account used only for the kiosk. Enable auto-login for that account and disable system sleep with an energy profile. A Managed Login Items payload ensures the kiosk app starts at session start.

  2. Disable Force Quit (⌘+⌥+Esc). Force Quit is the primary escape route that the app cannot block. Disable it with a custom managed-preferences payload for com.apple.loginwindow:

    DisableForceQuitCombinedKey = true
  3. Disable Mission Control and Spaces switching. Use com.apple.symbolichotkeys to disable the Mission Control shortcut (key 32) and Spaces-switching shortcuts (keys 79–81, 118–123).

  4. Disable hot corners. Push a com.apple.dock preference payload with all four wvous-*-corner keys set to 0 (disabled).

  5. Disable Spotlight. Disable the Spotlight keyboard shortcut via com.apple.symbolichotkeys (key 64 for Spotlight search). Note: the standard Restrictions payload's Spotlight key suppresses Internet results only, not Spotlight itself — use the symbolichotkeys approach instead.

  6. Disable app switching (⌘+Tab). Disable the Application Switcher shortcut via com.apple.symbolichotkeys (key 27).

On Linux the cleanest lockdown is a dedicated GNOME Kiosk session that runs the Jonot kiosk app as the session's only window — no panel, no Activities overview, and no application switcher.

  1. Install the gnome-kiosk package (available on recent Fedora and Debian/Ubuntu releases). It provides a minimal Wayland compositor that runs one fullscreen app.
  2. Create a custom session that launches the Jonot kiosk executable as its shell command, so the kiosk app is the session.
  3. Configure GDM auto-login for a dedicated standard user into that kiosk session.
  4. Harden the surrounding system: disable VT switching and Ctrl+Alt+Backspace, block TTY access in logind, and disable automatic screen blanking and power management.

Because the GNOME Kiosk compositor never exposes a switcher or overview, there is no in-session route to another application — the OS enforces what the app's in-process shortcut suppression can only attempt.

LayerProtects against
In-app lockdownMenu bar/dock (macOS), ⌘+Q, accidental exits, shortcuts catchable in-process
OS-level kiosk profileForce Quit, Mission Control, Spaces, hot corners, Spotlight, OS-level app switching
Physical enclosureHardware access — USB ports, power button, the keyboard

Always run the in-app lockdown and an OS-level profile together for unattended public placements. A physical enclosure is the third layer for fully tamper-resistant deployments.