Campus Guidelines for Kiosk Workstations

A "kiosk" is a specialized workstation available in a public place for specific uses. The guidelines below are intended for kiosks.

Departments that provide kiosk workstations are required to take measures to reduce risk to kiosk users and the campus network. Kiosks that are not configured according to campus guidelines may be subject to removal from the campus network.

If you need assistance in meeting these standards, please contact your IT administrator.

Kiosk Guidelines:

  1. Kiosks must meet the Minimum Security Standards for Networked Devices, except that the public interface does not require a password. Administrator access must meet all MSSND requirements.

  2. Host IPs must be registered under the Security Contact for your department in Socreg. Security Contacts must respond promptly to any security incidents reported for Kiosk machines.

  3. Kiosk firewalls must be configured to allow scanning by the Systems and Network Security team.

  4. Kiosks should run kiosk configuration management software or implement similar tools to restrict a user's activities when using the kiosk (e.g. limit the websites a user can visit, prohibit storing data on the local machine, etc.) and to facilitate resetting the kiosk to a "clean" state. Examples of configuration management software and key features are below.*

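    | Configuration Management Software  | Deployment (laptop/desktop, mobile, cloud) | Remote Access & Monitoring | Printing support | Apps Allow/Deny list | Free/Paid | Usage Tracking / Analytics |
    |------------------------------------|--------------------------------------------|----------------------------|------------------|----------------------|-----------|----------------------------|
    | Microsoft Intune                   | All                                        | Yes                        | Yes              | Yes                  | Paid      | Yes                        |
    | ManageEngine Mobile Device Manager | All                                        | Yes                        | No               | Yes                  | Paid      | No                         |
    | Hexnode                            | All                                        | Yes                        | Yes              | Yes                  | Paid      | Yes                        |
    | KioCloud Kiosk Management          | Cloud                                      | Yes                        | No               | Yes                  | Paid      | Yes                        |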

    * This list does not represent endorsement by the University of California or its affiliates.

  5. For kiosks that don't require a login, the kiosk should be configured to reset to a "clean" state after a reasonable amount of idle time (10 minutes is the suggested standard). 

  6. For kiosks that require a login, the workstation should log out automatically after a reasonable amount of idle time (10 minutes is the suggested standard).

  7. Kiosk browsers should be configured not to accept cookies (so that the CAS ticket-granting cookie, or TGC, will not be stored in the browser). This ensures that a user cannot participate in single sign-in (re-authentication will be required for every application) and thus minimizes the chance that a user's credentials can be used by someone else if the user does not log out of CAS or quit the browser before leaving the kiosk.

  8. Chrome/Edge is the suggested browser for kiosks.

  9. Signage must be posted on or near kiosk monitors advising users to log out (where possible) or quit the web browser before leaving the kiosk.

  10. Kiosks should be secured from physical tampering or theft.

Reference: How to set up and configure a kiosk

https://docs.microsoft.com/en-us/windows/configuration/kiosk-single-app

https://docs.microsoft.com/en-us/windows/configuration/kiosk-prepare