Intune iPad Kiosk Mode: Step-by-Step Setup for M365 Admins
Set up Intune iPad kiosk mode end to end — ABM enrollment, the admin-center clickpath for the Single App Mode payload, scoping, and troubleshooting.
By InstaCheckin Team Updated April 15, 2026
A typical Microsoft 365 shop already pays for Microsoft Intune through an E3 or E5 license, has Apple Business Manager half-configured for laptops, and now needs to lock four lobby iPads to a visitor sign-in app before next quarter’s audit. This is the post for that admin.
Intune iPad kiosk mode is Microsoft’s term for delivering Apple’s Single App Mode payload through the Intune admin center. The lock itself is Apple’s — com.apple.app.lock — and the prerequisites are Apple’s: a supervised iPad enrolled through Apple Business Manager. Intune is the channel that pushes the profile over the air.
This is the Intune-specific companion to our iPad kiosk mode pillar. The pillar covers all four kiosk-lock options. This one walks the exact Microsoft Intune admin-center clickpath, screen by screen, plus the four most common reasons the lock does not engage on first deploy.
Why Intune for iPad kiosks (versus Apple Configurator)
If you have a Mac and one or two iPads in one office, Apple Configurator 2 is free and takes ten minutes — that clickpath is in our iPad Single App Mode walkthrough. Past about twenty iPads, or any deployment where someone is not on-site to USB-tether each device, Apple Configurator is the bottleneck.
Intune trades the Mac and the cable for an admin-center web UI and a per-device license. The license is already paid for in most M365 E3 and E5 estates, so the marginal cost is usually zero. You scope a configuration profile to a smart group filtered on supervised iPads, and the lock applies inside ten minutes.
The honest tradeoff: Intune is heavier setup the first time — wire up Apple Business Manager, push the ABM token to Intune, configure Automated Device Enrollment. Once that pipeline exists, every new kiosk iPad is a five-minute desk job. Apple Configurator is the opposite curve: cheap on iPad one, expensive on iPad twenty.
Prerequisites: ABM, DEP enrollment, supervised state
Intune iPad kiosk mode has three hard prerequisites. Skip any one and the Single App Mode profile installs but the lock never engages.
1. Apple Business Manager. The free Apple program that lets you supervise iPads at scale and assign them to an MDM. Sign up at business.apple.com with a domain you control. Buy iPads through an ABM-authorized reseller so device serials land in ABM automatically.
2. The Apple MDM Push Certificate and ABM token in Intune. Go to Microsoft Intune admin center → Devices → Enrollment → Apple → Apple MDM Push certificate, download the CSR, upload it to identity.apple.com, and bring the resulting push certificate back. Under the same Apple node, add an Enrollment program token linked to ABM. Full walkthrough in the Microsoft Learn ABM enrollment guide.
(screenshot: Intune admin center, Devices → Enrollment → Apple, MDM push certificate and Enrollment program tokens panels)
3. Supervision via Automated Device Enrollment. In ABM, assign iPad serials to your Intune MDM server. In Intune, create an Enrollment Program profile with Supervised = Yes and Locked enrollment = Yes. On first power-on, the iPad auto-supervises and enrolls into Intune with that profile attached.
If the iPad was bought retail and is not in ABM, you can retrofit supervision through Apple Configurator 2 — but at that point you are paying both the ABM tax and the cable-tethering tax. Either commit to ABM or stay on Apple Configurator.
To confirm an iPad is supervised, open Settings → General → About. The first line should read “This iPad is supervised and managed by [your organization].” That banner is the gate for everything below.
Step 1: Enroll the iPad in Microsoft Intune
With ABM connected and the Enrollment Program profile created, enrollment is a Setup-Assistant-driven flow. Power on a fresh-from-box (or factory-erased) iPad. iPadOS recognizes the serial from ABM, walks the user through the supervised-and-managed prompts, and reports back to Intune within minutes.
Verify enrollment in Microsoft Intune admin center → Devices → iOS/iPadOS → iOS/iPadOS devices. The new iPad appears with its serial, model, iPadOS version, and a Supervised column reading Yes.
Tag the kiosk iPads with a category or a dynamic-membership group so the configuration profile in Step 3 can target them precisely. We typically use a security group called Kiosk-iPads plus a category tag of Kiosk. Static groups also work for small fleets.
(screenshot: Intune admin center, Devices → iOS/iPadOS → iOS/iPadOS devices list view with the supervised column visible)
Step 2: Create the kiosk Configuration Profile
This is the step that actually puts the iPad into kiosk mode. The Single App Mode payload lives inside the iOS/iPadOS Device features template.
In the Microsoft Intune admin center:
- Go to Devices → iOS/iPadOS → Configuration profiles.
- Click Create → New Policy. Platform: iOS/iPadOS. Profile type: Templates. Pick the Device features template. Click Create.
- Basics tab. Name the profile something like iPad Kiosk – InstaCheckin Single App Mode. Add a description so future-you knows why it exists.
- Configuration settings tab. Scroll to App and Single Sign-On and expand it.
- Locate App Single App Mode. Set the toggle to Configure.
- Under App bundle IDs, click Add and enter the kiosk app’s bundle identifier. For an InstaCheckin visitor sign-in deployment, that is io.instacheckin.app. For other apps, the bundle ID is in the App Store listing’s URL or in your Apple Developer account.
- (Optional) Configure the lock options below the bundle ID — disable Sleep/Wake, disable volume buttons, disable touch on regions. Most kiosks only flip Disable Auto-Lock to keep the screen awake.
- Scope tags tab. Apply scope tags if your tenant uses them. Assignments is Step 3 — leave it blank.
- Review + create tab. Confirm the bundle ID and click Create.
(screenshot: Intune admin center, Configuration profiles → Create profile → Device features → App and Single Sign-On expanded, App Single App Mode configured)
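The settings chosen in Step 2 correspond to Apple's com.apple.app.lock payload. The following is an added example, not code from Intune or from the original article: it builds a constructed profile in Apple's plist form and lints it for the mistakes that leave a kiosk unlocked. The UUIDs, the payload identifiers and the `managed_bundle_ids` input are placeholders and assumptions.

```python
import plistlib

# Constructed sample profile in .mobileconfig (plist) form. UUIDs and
# payload identifiers are placeholders, not values from a real tenant.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.kiosk.profile",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadDisplayName": "iPad Kiosk - Single App Mode",
    "PayloadContent": [{
        "PayloadType": "com.apple.app.lock",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.kiosk.profile.applock",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "App": {
            "Identifier": "io.instacheckin.app",
            "Options": {"DisableAutoLock": True},
        },
    }],
})


def lint_app_lock(profile_bytes, managed_bundle_ids):
    """Return a list of problems found in the App Lock payload.

    managed_bundle_ids (assumption): bundle IDs of the apps you have
    assigned to the kiosk group as managed apps.
    """
    profile = plistlib.loads(profile_bytes)
    locks = [p for p in profile.get("PayloadContent", [])
             if p.get("PayloadType") == "com.apple.app.lock"]
    if len(locks) != 1:
        return [f"expected one com.apple.app.lock payload, found {len(locks)}"]
    app = locks[0].get("App", {})
    bundle_id = app.get("Identifier", "")
    problems = []
    if not bundle_id:
        problems.append("App.Identifier is missing")
    elif any(c.isspace() for c in bundle_id):
        problems.append(f"bundle ID {bundle_id!r} contains whitespace")
    elif bundle_id not in managed_bundle_ids:
        problems.append(f"{bundle_id} is not among the managed apps for the group")
    if not app.get("Options", {}).get("DisableAutoLock", False):
        problems.append("DisableAutoLock is not set; the screen will sleep")
    return problems
```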
If you also need the kiosk to support more than one app — say a visitor sign-in app and a Brother label-printer utility — the right answer is usually Autonomous Single App Mode (ASAM). Add the ASAM-aware app’s bundle ID to the App Lock allowlist under Templates → Device restrictions → App Store, Doc Viewing, Gaming → Apps that may autonomously enter Single App Mode. For the conceptual difference between Single App Mode, ASAM, and Restrictions allowlists, see the iPad kiosk mode pillar.
Step 3: Assign the profile and verify the lock landed
A configuration profile that is not assigned to a group does nothing. Open the profile you just created, click Properties, then Edit next to Assignments.
Under Included groups, click Add groups and pick the kiosk iPad group you tagged in Step 1. Save. Intune calculates assignment delta within a few minutes; the iPad checks in, downloads the profile, and applies the Single App Mode payload. Save-to-lock is usually under fifteen minutes if the iPad is awake and on Wi-Fi.
For a multi-site rollout, scope the same profile to one geography at a time. Push to Kiosk-iPads-NYC, verify, then add Kiosk-iPads-SF the next day. Single App Mode is reversible, but a misconfigured bundle ID across thirty kiosks at once is an unhappy afternoon.
A correctly applied profile shows three signals:
- On the iPad. It reboots into the kiosk app. The Home indicator does not respond, swipes from the corners are ignored, Control Center and Notification Center do not appear. If the kiosk app crashes, iPadOS relaunches it within seconds.
- In the Intune admin center. Under Devices → iOS/iPadOS → iOS/iPadOS devices → click the iPad → Device configuration, the kiosk profile shows status Succeeded. Pending past thirty minutes or Error — jump to troubleshooting.
- In the iPad’s Settings. The supervised banner under Settings → General → About is intact, and Settings → General → VPN & Device Management shows both the Intune profile and the kiosk Single App Mode profile installed.
For iPads mounted behind a tamper-resistant case, the on-iPad signal you go on is “the kiosk app stays foregrounded forever and a triple-press of the side button does nothing.” That is the correct behavior of Single App Mode and the wrong behavior of Guided Access — exactly the boundary you wanted to cross by moving to Intune.
Troubleshooting: profile didn’t apply, iPad not supervised, app crashes
Four issues account for most debug time on first-time Intune kiosk deployments.
Profile shows Pending forever. The iPad is not checking into Intune. Confirm Wi-Fi, power-cycle the iPad, watch the Last check-in timestamp on the device record. If it is more than thirty minutes stale, force a sync from the admin-center Sync button or the Intune Company Portal app on the iPad.
Profile says Succeeded but the iPad is not locked. Almost always a supervision problem. Check Settings → General → About for the supervised banner. If it is missing, the iPad enrolled as a personal device (User Enrollment) instead of through Automated Device Enrollment. Single App Mode requires the ADE path — re-enroll through ABM.
Profile says Succeeded, iPad is supervised, lock still does not engage. The bundle ID is wrong or the kiosk app is not installed. The payload installs cleanly even with an invalid bundle ID — the lock just has nothing to attach to. Verify the bundle ID, push the app as a managed app from Apps → iOS/iPadOS → iOS store app, force a sync.
The kiosk app crashes and iPadOS does not relaunch it cleanly. Single App Mode is supposed to relaunch the locked app on crash, but a buggy app can wedge the lock. Add a Device restrictions profile with Defer software updates so auto-recovery is not short-circuited. If the app keeps crashing, file with the vendor and pin the iPadOS version until the bug is fixed.
For how Jamf handles the same scenarios, see our Jamf iPad kiosk mode walkthrough — the payload is identical, the admin UI is not.
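The four troubleshooting cases above form a decision tree, and the order of the checks matters: check-in first, then supervision, then the app. The following is an added example, not part of the original article and not Intune's API; the record field names and the sample fleet are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(minutes=30)  # stale check-in threshold from the text

ACTIONS = {
    "ok": "locked as expected",
    "wait": "profile pending, device checked in recently; wait for next sync",
    "check_in": "confirm Wi-Fi, power-cycle, force a sync",
    "error": "profile status is Error; open Device configuration on the record",
    "reenroll_ade": "not supervised; re-enroll through ABM (ADE)",
    "bundle_or_app": "verify the bundle ID, push the app as managed, sync",
    "app_crash": "app not staying foregrounded; file with the vendor",
}


def triage(device, kiosk_bundle_id, now):
    """Map one device record (hypothetical field names) to a case key."""
    status = device["profile_status"]
    if status == "Pending":
        stale = now - device["last_check_in"] > STALE_AFTER
        return "check_in" if stale else "wait"
    if status != "Succeeded":
        return "error"
    if not device["supervised"]:          # Succeeded, but no lock: supervision
        return "reenroll_ade"
    if kiosk_bundle_id not in device["installed_apps"]:
        return "bundle_or_app"            # payload has nothing to attach to
    if not device["app_foregrounded"]:
        return "app_crash"
    return "ok"


def rec(serial, status, mins_ago, supervised, apps, foregrounded):
    return {"serial": serial, "profile_status": status,
            "last_check_in": NOW - timedelta(minutes=mins_ago),
            "supervised": supervised, "installed_apps": set(apps),
            "app_foregrounded": foregrounded}


# Constructed sample data; serials are placeholders.
NOW = datetime(2026, 4, 15, 12, 0, tzinfo=timezone.utc)
APP = "io.instacheckin.app"
FLEET = [rec("SAMPLE-01", "Succeeded", 5, True, [APP], True),
         rec("SAMPLE-02", "Pending", 120, True, [APP], False),
         rec("SAMPLE-03", "Succeeded", 5, False, [APP], False),
         rec("SAMPLE-04", "Succeeded", 5, True, [], False)]


def report(fleet, kiosk_bundle_id, now):
    return {d["serial"]: triage(d, kiosk_bundle_id, now) for d in fleet}
```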
A worked example: locking InstaCheckin into Single App Mode via Intune
Concretely, this is the end-to-end flow for a real deployment — three lobby iPads at a 120-person office that already runs M365 E3, with InstaCheckin as the visitor sign-in app and Microsoft Intune as the MDM.
- ABM and Intune wired up. ABM account active, MDM push certificate uploaded, ABM token connected, Automated Device Enrollment profile set to Supervised + Locked.
- Three iPads ordered through an ABM-authorized reseller. Serial numbers land in ABM, auto-assigned to the Intune MDM server.
- Intune device group Kiosk-iPads-Lobby created with category Kiosk. Each iPad is tagged on first sync.
- InstaCheckin iPad app pushed as a managed app through Apps → iOS/iPadOS → iOS store app, scoped to Kiosk-iPads-Lobby.
- Configuration profile created per Step 2, with bundle ID io.instacheckin.app and Disable Auto-Lock toggled on.
- Restrictions profile pushed alongside it — block screenshots, AirDrop, AirPrint, Siri, iCloud backup, App Store. Same target group.
- iPadOS update policy deferring updates by 30 days, scoped to the kiosk group.
- Each iPad paired with InstaCheckin using the kiosk pairing code from the admin portal. Our office visitor management system page covers what the iPad actually does once paired and locked.
- Each iPad verified — supervised banner present, Device configuration status Succeeded, kiosk app foregrounded, side-button triple-press is a no-op.
Wall-clock time from arrival to all three iPads locked is usually a half day for the first device and twenty minutes apiece for the second and third, because the configuration profile and the device group already exist.
The 30-second version: connect ABM to Intune, supervise the iPads through Automated Device Enrollment, build a Device features profile with the kiosk app’s bundle ID under App and Single Sign-On, scope it to the kiosk group, verify the supervised banner plus the Succeeded status. To see how the same payload looks under a different MDM, the Jamf iPad kiosk mode guide walks the Jamf Pro equivalent.
Frequently asked questions
Can Intune put an iPad in kiosk mode?
Do I need Apple Business Manager to use Intune kiosk mode?
What is the difference between Intune kiosk mode and Single App Mode?
How much does Intune cost for kiosk iPads?
Can I use Intune for autonomous Single App Mode (ASAM)?
Why did my Intune Single App Mode profile not apply?
Does Intune kiosk mode survive an iPadOS update?