Having students create passes using a shared kiosk Chromebook rather than logging in and creating their passes on their own devices can be a beneficial way to monitor student movement and provide options for spaces where individual device use isn't feasible. However, this shared device comes with its own security risks.
When teachers and staff have to sign in to their staff accounts to log into SmartPass, it creates the risk that students can access staff emails and network information. Students would also have access to any other site or information connected to that account.
To prevent this open access, or the need for awkward shared logins, schools with Enterprise Enrollment options in Google Admin can configure Chromebooks for managed guest sessions that only allow the device to access SmartPass.
Steps for Creating Managed Sessions
Below are the steps that schools have found to be successful for creating managed SmartPass sessions.
Let us know if you have questions or need help working through these steps!
Step 1: Set up Google OU Structure
In the Google Admin Console, you will need to ensure that you have your students’ daily use devices in an Organizational Unit (OU) separate from your kiosk devices.
Below is a sample OU structure for a district that has a variety of devices in different grade levels. You can see that under the kiosks OU there is a separate one for SmartPass. This is critical for devices to be segmented correctly with the settings that follow.
💡 Please Note: The settings that follow are recommended settings to modify/configure. Some of these settings are managed as part of best practices for student security & safety and may be pre-set by or different for your district. Some settings below are included for you as potential recommendations based on general safety/security best practices. This list is not comprehensive, just the basics we’ve seen success with.
Step 2: Configure Chrome Settings
Under Chrome > Settings > Users & Browsers
General
Custom wallpaper - Design one for your school that also identifies it as being a SmartPass kiosk (Will be used in another setting as well)
While this isn’t a critical setting it is strongly recommended so all users can quickly visually identify the kiosk
Startup
Homepage = https://smartpass.app/login
New Tab page = https://smartpass.app/login
New tab page -
Do not show content suggestions
Do not show Google Lens
Pages to load on startup = https://smartpass.app/login
Profile picker availability - Do not show profile picker
Import Settings
Disable or do not allow all settings
Content
URL Blocking (Please note - If you use URL blocking, teachers must log in using their assigned dedicated kiosk login, not their primary account.)
Blocked URLs
*
The * blocks every website/URL except those in the exception list
Blocked URL Exceptions
.smartpass.app (this sometimes creates errors so remove this line if you get an error)
Drive Syncing - don’t allow
Printing - disable printing & related settings
User experience
Managed bookmarks
Bookmark editing - disable
Browser guest mode - Allow
Under Chrome > Settings > Devices
Sign-In Settings
Device Wallpaper image - Design one for your school that also identifies it as being a SmartPass kiosk (same as before)
Kiosk Settings
Auto-launch managed guest session
URL Blocking
Blocked URLs
*
The * blocks every website/URL except those in the exception list
Blocked Exceptions
*smartpass.app*
The * at the end of the URL notes that it applies to all sites within the SmartPass domain
smartpass.app
See this link for more information on how to access the blacklist and blacklist exception settings
Under Chrome > Settings > Managed guest session settings
General
Allow managed guest sessions
Session Name = SmartPass Kiosk
Auto-Launch Delay = 0-1 seconds
Maximum user session length = unlimited/empty
Custom wallpaper - use the same SmartPass kiosk one used in other settings
Security
Duplicate from user & browser settings (these likely come from student settings as well)
Startup
Homepage = https://smartpass.app/login
New Tab page = https://smartpass.app/login
New tab page - Do not show Google Lens
Pages to load on startup = https://smartpass.app/login
Browser launch on startup - Automatically launch
Content
Duplicate from user & browser settings (these likely come from student settings as well)
Printing
Disable all printing & related options
User experience
Managed bookmarks
Dinosaur game - Do not allow
Steam - Do not allow
Fullscreen after unlock
smartpass.app*
Power and Shutdown
Wake locks
Allow wake locks
Allow screen wake locks for power management
Idle settings
Lid close - sleep
Idle actions - sleep
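An added example, not part of the original guide or SmartPass's own tooling: a small Python model of the Step 2 block list (`*`) and exception entries, for checking which URLs a kiosk should load before devices are deployed. It assumes Chrome's documented host-only filter forms (`host` matches the host and its subdomains, a leading `.` matches the exact host only); the function names and sample URLs are constructed for illustration, and other entry forms are not modeled.

```python
from urllib.parse import urlsplit

# Step 2 entries (host-only forms). Assumption: Chrome's documented filter rules.
BLOCKED = ["*"]                      # block every URL...
EXC_SUBDOMAINS = ["smartpass.app"]   # ...except this host and its subdomains
EXC_EXACT = [".smartpass.app"]       # leading dot: this exact host only

# Constructed sample URLs, including lookalike hosts that must stay blocked.
SAMPLE_URLS = [
    "https://smartpass.app/login",
    "https://www.smartpass.app/",
    "https://smartpass.app.example.net/login",
    "https://notsmartpass.app/",
    "https://mail.google.com/",
]


def host_matches(pattern: str, host: str) -> bool:
    """Match one host-only filter entry against a hostname."""
    pattern = pattern.lower()
    host = host.lower().rstrip(".")
    if pattern == "*":
        return True
    if any(c in pattern for c in "*/:@"):
        raise ValueError(f"entry form not modeled here: {pattern!r}")
    if pattern.startswith("."):
        return host == pattern[1:]
    # A subdomain match must fall on a label boundary, never a bare suffix.
    return host == pattern or host.endswith("." + pattern)


def is_allowed(url: str, blocked: list, exceptions: list) -> bool:
    """Exceptions win over the block list; unmatched URLs are allowed."""
    host = urlsplit(url).hostname or ""
    if any(host_matches(p, host) for p in exceptions):
        return True
    return not any(host_matches(p, host) for p in blocked)


def audit(urls, blocked, exceptions) -> dict:
    return {u: is_allowed(u, blocked, exceptions) for u in urls}


if __name__ == "__main__":
    for label, exc in (("smartpass.app", EXC_SUBDOMAINS), (".smartpass.app", EXC_EXACT)):
        print(f"exception entry: {label}")
        for url, ok in audit(SAMPLE_URLS, BLOCKED, exc).items():
            print(f"  {'ALLOW' if ok else 'BLOCK'}  {url}")
```

After the policy reaches a test device, loading the same URLs in the managed guest session confirms the device behaves the way the model predicts.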
Step 3: Additional Chrome Settings (Optional)
Under Chrome > Settings > Users & Browsers
Sign-in settings
Disable browser sign-in
Security
Never allow use of password manager
Do not allow locking screen
Do not allow incognito
Always save history
Do not allow history clearing
Geolocation (follow district teacher device policies)
Remainder should duplicate students’ settings
Session settings
Do not show sign out button
Network
Duplicate students’ settings
User experience
Dinosaur game - Do not allow
Steam - Do not allow
Power & Shutdown
Idle settings - Sleep when idle
Under Chrome > Settings > Devices
Enrollment & Access
Disabled Device Instructions - Have these match your student info but include school/kiosk info
Sign-In Settings
Sign-in restriction - Do NOT allow any user to sign in
Sign-in screen - Never show user names & photos
Device off-hours - do not enable
Device Wallpaper image - Design one for your school that also identifies it as being a SmartPass kiosk
Device Update Settings
Kiosk-updates - make sure these match your Student OU policies (recommend allowing updates, not forcing specific versions)
Step 4: Device Enrollment & Moving OUs
Enroll Chromebook kiosk device according to your normal student device policies
Move all kiosk devices for SmartPass into the OU you just created and configured
Deploy devices to classrooms
💡 Important Note About WiFi:
Because the Chromebook uses a guest session, no user will be able to sign into the device and auto-connect to wifi. Because of this, when you enroll the device you'll need to make sure that it picks up and maintains a connection to a PSK WLAN, so teachers do not have to sign into a network using their credentials.
Alternatively, you can auto-enroll devices to a specific WLAN that does not require unique identifier logins for access.
Step 5: In the classroom…
Teacher opens kiosk and it auto-logs in to the wifi and guest user session then loads the SmartPass login screen
Teacher logs in with their SmartPass dedicated kiosk login credentials
Important Note: Due to the managed guest settings, teachers will NOT be able to use their normal teacher account credentials to log in and must use the SmartPass-provided dedicated login information
Students use kiosked device for SmartPass access only
FAQ
Can I get a list of all dedicated kiosk credentials for my school?
Yes, if you need a list of all dedicated logins for all rooms, please contact our Technical Support team through the chat feature in the bottom-right corner of your account, or send an email to [email protected]
My school already has a different Chromebook policy. Can I still use kiosk mode?
Yes. This guide is meant to be more of a suggestion and/or list of best practices that have been successful for creating managed SmartPass sessions using Chromebooks. Your school is not required to apply this same configuration to use Kiosk Mode.