All Collections
Configuring Chromebook Kiosks
Configuring Chromebook Kiosks

How to lock down Chromebooks for use as a SmartPass Kiosk

Updated over a week ago

Having students create passes using a shared kiosk Chromebook rather than logging in and creating their passes on their own devices can be a beneficial way to monitor student movement and provide options for spaces where individual device use isn't feasible. However, this shared device comes with its security risks.

When teachers and staff have to log into staff accounts to log into SmartPass, it creates the risk that students can access staff emails and network information. Students would also be able to have access to any other site or information connected to that account.

To prevent this open access, or force awkwardly shared logins, schools with Enterprise Enrollment options in Google Admin can configure Chromebooks for managed guest sessions that only allow the device to access SmartPass.

Video Overview

Steps for Creating Managed Sessions

Below are the steps that schools have found to be successful for creating managed SmartPass sessions.

Let us know if you have questions or need help working through these steps!

Step 1: Set up Google OU Structure

  1. In the Google Admin Console, you will need to ensure that you have your students’ daily use devices in an Organizational Unit (OU) separate from your kiosk devices.

Below is a sample OU structure for a district that has a variety of devices in different grade levels. You can see that under the kiosks OU there is a separate one for SmartPass. This is critical for devices to be segmented correctly with the settings that follow.

💡 Please Note: The settings that follow are recommended settings to modify/configure. Some of these settings are managed as part of best practices for student security & safety and may be pre-set by or different for your district. Some settings below are included for you as potential recommendations based on general safety/security best practices. This list is not comprehensive, just the basics we’ve seen success with.

Step 2: Configure Chrome Settings

Under Chrome > Settings > Users & Browsers

  • General

    • Custom wallpaper - Design one for your school that also identifies it as being a SmartPass kiosk (Will be used in another setting as well)

      • While this isn’t a critical setting it is strongly recommended so all users can quickly visually identify the kiosk

  • Startup

  • Import Settings

    • Disable or do not allow all settings

  • Content

    • URL Blocking (Please note - If you use URL blocking, teachers must login using their assigned dedicated kiosk login, not their primary account.)

      • Blocked URLs

        • *

          • The * blocks every website/URL except those in the exception list

      • Blocked URL Exceptions

        • (this sometimes creates errors so remove this line if you get an error)

  • Drive Syncing - don’t allow

  • Printing - disable printing & related settings

  • User experience

Under Chrome > Settings > Devices

  • Sign-In Settings

    • Device Wallpaper image - Design one for your school that also identifies it as being a SmartPass kiosk (same as before)

  • Kiosk Settings

    • Auto-launch managed guest session

    • URL Blocking

      • Blocked URLs

        • *

          • The * blocks every website/URL except those in the exception list

      • Blocked Exceptions

        • **

          • The * at the end of the URL notes that it applies to all sites within the SmartPass domain


      • See this link for more information on how to access the blacklist and blacklist exception settings

Under Chrome > Settings > Managed guest session settings

  • General

    • Allow managed guest sessions

      • Session Name = SmartPass Kiosk

    • Auto-Launch Delay = 0-1 seconds

    • Maximum user session length = unlimited/empty

    • Custom wallpaper - use the same SmartPass kiosk one used in other settings

  • Security

    • Duplicate from user & browser settings (these likely come from student settings as well)

  • Startup

  • Content

    • Duplicate from user & browser settings (these likely come from student settings as well)

  • Printing

    • Disable all printing & related options

  • User experience

    • Managed bookmarks

    • Dinosaur game - Do not allow

    • Steam - Do not allow

    • Fullscreen after unlock


  • Power and Shutdown

    • Wake locks

      • Allow wake locks

      • Allow screen wake locks for power management

    • Idle settings

      • Lid close - sleep

      • Idle actions - sleep

Step 3: Additional Chrome Settings (Optional)

Under Chrome > Settings > Users & Browsers

  • Sign-in settings

    • Disable browser sign-in

  • Security

    • Never allow use of password manager

    • Do not allow locking screen

    • Do not allow incognito

    • Always save history

    • Do not allow history clearing

    • Geolocation (follow district teacher device policies)

    • Remainder should duplicate students’ settings

  • Session settings

    • Do not show sign out button

  • Network

    • Duplicate students’ settings

  • User experience

    • Dinosaur game - Do not allow

    • Steam - Do not allow

  • Power & Shutdown

    • Idle settings - Sleep when idle

Under Chrome > Settings > Devices

  • Enrollment & Access

    • Disabled Device Instructions - Have match your student info but include school/kiosk info

  • Sign-In Settings

    • Sign-in restriction - Do NOT allow any user to sign in

    • Sign-in screen - Never show user names & photos

    • Device off-hours - do not enable

    • Device Wallpaper image - Design one for your school that also identifies it as being a SmartPass kiosk

  • Device Update Settings

    • Kiosk-updates - make sure these match your Student OU policies (recommend allowing updates, not forcing specific versions)

Step 4: Device Enrollment & Moving OUs

  1. Enroll Chromebook kiosk device according to your normal student device policies

  2. Move all kiosk devices for SmartPass into the OU you just created and configured

  3. Deploy devices to classrooms

💡 Important Note About WiFi:

By using a guest session on the Chromebook, no user will be able to sign into the device and auto-connect to wifi. Because of this, you’ll need to make sure that when you enroll the device that it picks up and maintains a connection to a PSK WLAN so teachers do not have to sign into a network using their credentials.

Alternatively, you can auto-enroll devices to a specific WLAN that does not require unique identifier logins for access.

Step 5: In the classroom…

  1. Teacher opens kiosk and it auto-logs in to the wifi and guest user session then loads the SmartPass login screen

  2. Teacher logs in with their SmartPass dedicated kiosk login credentials

    1. Important Note: Due to the managed guest settings, teachers will NOT be able to use their normal teacher account credentials to log in and must use the SmartPass provided dedicated login information

  3. Students use kiosked device for SmartPass access only


Can I get a list of all dedicated kiosk credentials for my school?

Yes, if you need a a list of all dedicated logins for all rooms, please contact our Technical Support team through the chat feature in the bottom-right corner of your account, or send an email to [email protected]

My school already has a different Chromebook policy. Can I still use kiosk mode?

Yes. This guide is meant to be more of a suggestion and/or list of best practices that have been successful for creating managed SmartPass sessions using Chromebooks. Your school is not required to apply this same configuration to use Kiosk Mode.

Did this answer your question?