Kiosk mode detection
Stay organized with collections
Save and categorize content based on your preferences.
PWA kiosk apps can implement ChromeOS kiosk detection with the Chrome Verified
Access API. It builds on the existing Verified Access API technology with just
a few key differences detailed in this guide.
Setup
The setup steps needed for using the Verified Access API to do kiosk mode
detection are the same as those listed in the
prerequisites for Verified Access.
There are some additional
steps to setup and launch your kiosk app on the managed Chromebook device.
In the Google Admin Console, do the following:
- Follow this guide to
install your kiosk app (step 1) and add your companion extension to the kiosk
app (step 3).
- For the kiosk companion extension, enable the Allow enterprise challenge
setting under Certificate management
Implementation
There are three main components to implement Verified Access kiosk detection: a
PWA kiosk app, companion Chrome extension, and network service.
PWA kiosk app
The PWA is your main kiosk app. It kicks off the process of kiosk mode detection
by sending a message to the companion extension,
letting it know to start the verification process.
Companion Chrome extension
The companion Chrome extension runs with the kiosk PWA and should listen to
incoming messages from the PWA. Upon receiving the message to start the
verification process,
- Call the Verified Access API to create a challenge
- Call the enterprise.platformKeys API on the generated challenge to create a
challenge-response with an Enterprise User Key (user the
"USER" scope)
- Send a request with the challenge-response to the network service to be
verified
Refer to the developer guide
for more information and code samples.
Network service
When your network service receives the request from the extension to verify the
challenge-response, use the
verify method. For
kiosk mode detection, set expectedIdentity to "KIOSK_MODE". If successful,
you should see a response body of an empty string or empty JSON, meaning the
device is in kiosk mode. If the device is not in kiosk mode, a 404 code is
returned in the response body with error message
"Requested entity was not found".
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-10-16 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-10-16 UTC."],[[["\u003cp\u003ePWA kiosk apps can utilize the Chrome Verified Access API to detect if a ChromeOS device is in kiosk mode.\u003c/p\u003e\n"],["\u003cp\u003eSetup involves configuring your kiosk app and companion extension in the Google Admin Console, enabling specific settings for enterprise challenge.\u003c/p\u003e\n"],["\u003cp\u003eImplementation requires a PWA kiosk app to initiate verification, a companion Chrome extension to handle the API calls and communication with the network service, and a network service to verify the device's kiosk mode status.\u003c/p\u003e\n"],["\u003cp\u003eThe verification process leverages the Verified Access API to create and validate a challenge-response, confirming kiosk mode if successful.\u003c/p\u003e\n"],["\u003cp\u003eDevelopers should refer to the provided guides and documentation for detailed instructions and code samples to implement this functionality.\u003c/p\u003e\n"]]],[],null,["PWA kiosk apps can implement ChromeOS kiosk detection with the Chrome Verified\nAccess API. It builds on the existing Verified Access API technology with just\na few key differences detailed in this guide.\n\nSetup\n\nThe setup steps needed for using the Verified Access API to do kiosk mode\ndetection are the same as those listed in the\n[prerequisites for Verified Access](/chrome/verified-access/developer-guide#prerequisites_to_verified_access).\nThere are some additional\nsteps to setup and launch your kiosk app on the managed Chromebook device.\n\nIn the [Google Admin Console](https://admin.google.com/), do the following:\n\n- Follow [this guide](https://support.google.com/chrome/a/answer/9781496) to install your kiosk app (step 1) and add your companion extension to the kiosk app (step 3).\n- For the kiosk companion extension, enable the **Allow enterprise challenge** setting under **Certificate management**\n\nImplementation\n\nThere are three main components to implement Verified Access kiosk detection: a\nPWA kiosk app, companion Chrome extension, and network service.\n\nPWA kiosk app\n\nThe PWA is your main kiosk app. It kicks off the process of kiosk mode detection\nby [sending a message to the companion extension](https://chromeos.dev/en/kiosk/connecting-an-extension-from-a-kiosk-pwa),\nletting it know to start the verification process.\n\nCompanion Chrome extension\n\nThe companion Chrome extension runs with the kiosk PWA and should listen to\nincoming messages from the PWA. Upon receiving the message to start the\nverification process,\n\n1. Call the Verified Access API to create a challenge\n2. Call the enterprise.platformKeys API on the generated challenge to create a challenge-response with an Enterprise User Key (user the `\"USER\"` scope)\n3. Send a request with the challenge-response to the network service to be verified\n\nRefer to the [developer guide](/chrome/verified-access/developer-guide)\nfor more information and code samples.\n\nNetwork service\n\nWhen your network service receives the request from the extension to verify the\nchallenge-response, use the\n[verify](/chrome/verified-access/reference/rest/v2/challenge/verify) method. For\nkiosk mode detection, set `expectedIdentity` to `\"KIOSK_MODE\"`. If successful,\nyou should see a response body of an empty string or empty JSON, meaning the\ndevice is in kiosk mode. If the device is not in kiosk mode, a 404 code is\nreturned in the response body with error message\n`\"Requested entity was not found\"`."]]