Jamf iPad Kiosk Mode: How to Lock Down a Fleet of iPads

Set up Jamf iPad kiosk mode once, scope the Configuration Profile to a Smart Group, and every supervised iPad in that group locks to your visitor sign-in app automatically — no USB cable, no per-device configuration, no IT ticket each morning to verify the kiosk is still locked.

This guide covers the Jamf Pro-specific path: creating a Smart Group filtered on supervised devices, building the App Lock Configuration Profile, assigning it to that group, and adding your visitor app to the ASAM allowlist. We’ll also cover the single-device management command and the most common places the setup breaks.

Not sure whether Jamf is the right tool, or comparing Guided Access against MDM enforcement? The iPad kiosk mode guide maps every method with honest tradeoffs before you commit infrastructure.

How Jamf iPad Kiosk Mode Works

What Jamf calls “App Lock” is Apple’s AppLock MDM payload — a configuration profile payload that restricts a supervised iPad to one app at the operating system level. The Home bar disappears, the app switcher is inaccessible, and no on-device action can return a visitor to the home screen.

Jamf Pro delivers that payload through a Configuration Profile scoped to a device group. The profile syncs to the device at the next check-in and iOS enforces the lock from that point forward. The practical advantage over a per-device command: any supervised iPad that joins the scoped group receives the profile and locks itself automatically.

Two Jamf tools can achieve this:

• App Lock Configuration Profile — the scalable path for fleets. Scope to a Smart Group; Jamf handles deployment.
• Enable Single App Mode command — a transient, one-off command sent from the device record. Right for testing or a single temporary kiosk.

Prerequisites: Supervised iPads and Smart Groups

Supervised device first. Single App Mode is a supervised-only feature. Push the App Lock profile to an unsupervised iPad and Jamf reports the profile as applied — the iPad silently ignores it. Check on the device under Settings → General → VPN & Device Management: a supervision notice means it’s supervised; a management profile without a supervision badge means it isn’t.

Two paths to supervision:

• Apple Business Manager — the fleet path. iPads purchased from an authorized reseller or manually enrolled through ABM can be supervised over the air during initial device setup. No USB required per device.
• Apple Configurator 2 — the small-fleet path. Free Mac app, USB connection required per device. Right for one or two kiosks.

Create a Smart Group for kiosk iPads. In Jamf Pro, navigate to Mobile Devices → Smart Device Groups → New. Name it something specific — “Supervised Reception iPads” — then add a criterion:

• Device Supervised → is → Yes

Add a second criterion for site, department, or building if you want to scope narrowly. Smart Groups update automatically: any supervised iPad that matches the criteria gets added, receives the profile on the next check-in, and locks without any manual step.

Building the App Lock Configuration Profile

In Jamf Pro, go to Mobile Devices → Configuration Profiles → New.

General tab: Name the profile clearly — “Reception Kiosk — App Lock” — and set Level to Device Level.

App Lock payload: Click Add in the payload list and select App Lock. Configure:

• Bundle ID: Enter the Bundle ID of your visitor sign-in app. For InstaCheckin, the Bundle ID is listed in the InstaCheckin admin portal under Settings → Device Setup. For other apps, find it in Apple Configurator 2 (select the installed app → Get Info) or in the app developer’s IT admin documentation.
• Disable Sleep/Wake Button: Enable this to prevent the screen from going dark between visitors.
• Disable Volume Buttons: Enable this for wall-mounted kiosks where you don’t want visitors adjusting audio.
• Enable Touch: Leave this on — visitors need to interact with the sign-in screen.

Scope tab: Under Targets → Device Groups, add the Smart Group you created. Don’t scope to individual devices; the group ensures the policy applies automatically as new supervised iPads enroll.

Save and publish. Jamf pushes the profile on the device’s next scheduled check-in. To apply it immediately, open the device record and click Inventory Update or use the Send Remote Command button.

When the profile lands, the iPad locks immediately: the home screen disappears and the specified app runs in the foreground with no exit route for visitors.

The ASAM Allowlist: Letting the App Self-Lock

Most visitor sign-in apps use Autonomous Single App Mode (ASAM) rather than depending on a remote MDM command to lock and unlock between visitors. ASAM lets the app lock itself via Apple’s accessibility APIs, once an MDM profile has authorized it to do so.

In Jamf Pro, add ASAM authorization through a Restrictions Configuration Profile — either in a separate profile or alongside the App Lock payload:

Restrictions payload → Autonomous Single App Mode → Add Bundle ID

Enter the Bundle ID of your visitor sign-in app in the permitted Bundle IDs list. Apple documents the key as AutonomousSingleAppModePermittedAppIDs in its device management restrictions reference. Scope this profile to the same Smart Group as the App Lock profile.

With ASAM authorized, the app controls the lock-unlock cycle locally:

1. A visitor approaches — the app locks itself, suppressing the Home bar and app switcher.
2. The visitor completes sign-in, a host notification fires, and the screen resets for the next visitor.
3. A staff member needs to take the iPad out of kiosk mode — they enter an admin passcode inside the app, which releases the ASAM lock.

The MDM profile stays on the device throughout. App Lock ensures the device defaults to the kiosk app even when ASAM hasn’t fired; ASAM handles the runtime lock-unlock without requiring an IT admin each time.

When the Profile Applies but the iPad Stays Unlocked

Jamf reports “Installed” — iPad isn’t locked

Almost always a supervision problem. The AppLock payload is supervised-only; an unsupervised device accepts the profile and ignores the restriction silently. Re-enroll through ABM or Configurator with supervision enabled, then push the profile again. Our iPad Single App Mode guide covers the supervision process for both paths.

The kiosk app isn’t launching

The App Lock profile references a Bundle ID. If that Bundle ID doesn’t match an installed app, the lock fails. Confirm the app shows up under the device’s Apps tab in Jamf Pro with a status of Installed, then trigger a sync. One wrong character in the Bundle ID is enough to cause a silent failure.

Profile shows “Conflict”

Two configuration profiles are sending competing App Lock restrictions to the same device. Open the device’s profile list, find the duplicate Kiosk or App Lock profiles, and remove whichever shouldn’t be there.

FAQ

Does Jamf iPad kiosk mode survive a reboot?

Yes. When the iPad reboots and reconnects to Jamf, the App Lock Configuration Profile re-applies automatically. The device comes back up locked to the same app — staff don’t need to re-configure anything. This is the main practical difference from Guided Access, which clears when the iPad loses power.

Do I need Jamf Pro, or will Jamf Now work?

Jamf Now supports App Lock via Configuration Profiles and works for small fleets. The navigation differs slightly from Jamf Pro, but the underlying Apple AppLock payload is identical. Jamf Pro is the right choice if you need advanced Smart Group criteria, scripting capabilities, or fleet management at scale.

Can a visitor exit kiosk mode on-device?

No. With MDM-managed App Lock, there’s no on-device exit path — no triple-click shortcut, no Settings escape. The only exits are removing the profile from Jamf Pro, sending a Disable Single App Mode command from the device record, or a factory reset via recovery mode. With ASAM enabled, the app can exit via its own admin passcode, but the MDM profile remains on the device.

What’s the difference between App Lock and the Enable Single App Mode command?

App Lock is a persistent profile — it stays on the device until an admin removes it. The “Enable Single App Mode” management command in Jamf is transient: it locks the device until you send the matching “Disable Single App Mode” command. Use the profile for a permanent reception kiosk. Use the command if you need to lock a device temporarily for a trade show or one-off event.

How do I find the Bundle ID of the app in Jamf Pro?

Navigate to Mobile Devices → [device record] → Apps tab. Jamf lists the Bundle ID in the app detail view. You can also find it in Apple Configurator 2 (select the installed app → Get Info) or in the app developer’s IT admin documentation.

Deploy InstaCheckin on Your Jamf-Managed Kiosks

InstaCheckin’s iPad app is built for MDM-managed kiosk deployments. The InstaCheckin admin portal lists the Bundle ID and sample App Lock configuration — you don’t have to dig through developer documentation. Lock it down with Jamf’s App Lock profile, add the Bundle ID to the ASAM allowlist, and visitors see only the sign-in flow: photo capture, optional NDA or waiver signature, and a host notification by email or SMS the moment they arrive.

For offices running an unstaffed front desk, pairing the InstaCheckin kiosk with an AI receptionist for overflow and after-hours calls keeps reception covered even when no one’s sitting at the desk.

Start a free trial and connect InstaCheckin to your existing Jamf Pro deployment.