Overview

Kiosk Mode and Lockdown Mode in SOTI MobiControl restrict a managed device to a specific set of applications and device functions, preventing end users from accessing unauthorized applications, device settings, or system menus. This is a critical security and productivity control for use cases such as retail point-of-sale terminals, warehouse barcode scanners, shared workforce devices, self-service kiosks, digital signage, and field service tablets. By constraining what users can do on a device, organizations reduce the risk of data leakage, malware installation, and unplanned downtime caused by user-initiated configuration changes.

SOTI MobiControl's Lockdown capability integrates with SOTI Snap for custom launcher screen design and with SOTI Identity for Single Sign-On (SSO) access to approved applications. This article explains how Lockdown Mode works, how to configure it, and key considerations for different device types.

What Lockdown Mode Does

When Lockdown Mode is activated on a device, the standard device home screen and launcher are replaced with a customized interface configured by the administrator. Only applications explicitly added to the Lockdown allowlist are presented to the device user. Hardware buttons, notification bars, system settings, and the app drawer can be disabled. Users cannot install new applications, access device settings, or exit the locked interface without administrator credentials or a managed unlock action.

On Android, MobiControl uses Android Enterprise lock task mode to enforce kiosk boundaries at the OS level. This means that even if the user forces the device agent to close, the lockdown remains enforced by the Android OS itself. On Windows devices, MobiControl supports Microsoft's Single-App Kiosk Mode and Multi-App Kiosk Mode, both configurable from within the MobiControl console.

Configuring Lockdown on Android Devices

Step 1: Create a Lockdown Profile

In the SOTI MobiControl web console, navigate to Profiles and create a new profile for your target Android device group. Within the profile, add the Lockdown payload. The Lockdown payload allows you to define which applications are permitted and configure hardware key restrictions.

Step 2: Define Allowed Applications

Add the applications that should appear to users in the Lockdown interface. These must be applications already distributed to the device via an App Policy in MobiControl. Each allowed application can be given an icon label and position within the launcher grid. Applications not listed in the Lockdown configuration are hidden from the user entirely.

Step 3: Configure Hardware Key and UI Restrictions

Within the Lockdown payload, administrators can disable the Home button, Back button, Recent Apps button, Status Bar pull-down, volume keys, and power button (screen off). This prevents users from navigating outside the permitted application set. For shared devices in a warehouse or retail environment, it is common to disable all hardware navigation keys and only expose volume controls.

Step 4: Configure the Lockdown Launcher Screen

SOTI Snap, the SOTI ONE Platform's mobile app builder, can be used to design a branded launcher screen for the Lockdown Mode interface. Administrators design the launcher layout — including background, company logo, app icons, and colour scheme — in SOTI Snap and publish it as the Lockdown home screen. This provides a consistent, professional user experience across all locked-down devices.

Step 5: Assign the Profile

Assign the Lockdown profile to the appropriate device group. Devices will receive the profile on their next check-in with the MobiControl server or immediately if they are currently online. After the profile is applied, the device will display the configured Lockdown interface on its next restart or screen-on event.

Lockdown Preview for Windows Devices

For Windows Modern devices, SOTI MobiControl provides a Lockdown Preview feature that lets administrators view how the configured Lockdown screen will appear on the actual device, directly from the web console, before pushing the profile to production devices. This allows for layout validation and accuracy checking without needing a physical device for review, reducing errors and support calls after deployment.

Single Sign-On in Lockdown Mode