Configuring Kiosk as a Login Hook

In some situations, it may be desirable to configure Kiosk to utilize the Login Hook functionality built in to macOS to run Kiosk at login, immediately immersing the user into the Kiosk environment and preventing access to other areas of the operating system.

The following wrapper and activation scripts are provided to assist in configuring Kiosk so that it can easily be used as desired in these environments.

Login Wrapper

The login wrapper script is simply a shell script that can be configured as a login hook to launch Kiosk. As it is common to deploy login hooks in multiple client environments, the example below includes logic for also copying an initial preferences file and triggering license activation on the first launch.

This simplifies the deployment process, allowing Kiosk to automatically be configured and activated without any additional manual configuration required.

if [ ! -f ~/Library/Preferences/com.intelliscapesolutions.kiosk.plist ]; then
        cp <path-to-loginhook-scripts>/com.intelliscapesolutions.kiosk.plist ~/Library/Preferences/
        defaults read com.intelliscapesolutions.kiosk > /dev/null
        osascript <path-to-loginhook-scripts>/ActivateKiosk.scpt &


Once you've created the wrapper script, binding it to the login hook feature is straightforward:

$ sudo defaults write LoginHook /path/to/login/

The script will automatically be executed whenever any user logs in to the system, and login will not proceed until the Kiosk browser has exited. If properly configured in an environment where the Mac automatically logs a user on at boot, this will ensure that Kiosk is automatically launched, while preventing access to the desktop environment.

Activation Script

To facilitate easy license activation on multiple clients, the following AppleScript can be used to trigger activation automatically. Please see the login wrapper script above for recommended execution of the script.

The hostname of the local system is retrieved and included as the name on the license, and simplifies identifying the system in the licensing portal in the future.

set hostnam to replaceText(" ", "%20", computer name of (system info))
set activationURL to "kiosk://activate/?key=<activation key>&name=" & hostname & "&email=<customer>%40<domain>.com"
delay 3
tell application "Kiosk" to activate
open location activationURL
on replaceText(find, replace, subject)
        set prevTIDs to text item delimiters of AppleScript
        set text item delimiters of AppleScript to find
        set subject to text items of subject

        set text item delimiters of AppleScript to replace
        set subject to subject as text
        set text item delimiters of AppleScript to prevTIDs

        return subject
end replaceText

Cleanup Script

If it is desirable to clean up Kiosk's configured preferences (for example, to periodically reset to a default state, or for testing purposes) the following script may be used:

defaults delete com.intelliscapesolutions.kiosk
rm ~/Library/Preferences/com.intelliscapesolutions.kiosk.plist
rm -Rf ~/Library/Containers/com.intelliscapesolutions.kiosk/

Security Considerations

Please Note: The login hook functionality available in macOS executes the provided script as the root user. Running GUI applications and other performing other routine tasks as the root user is not a recommended practice due to the security implications of performing those functions as a privileged administrator of the system. This is particularly an issue in kiosk environments, where users often may be anonymous and untrusted to the organization, and could potentially be loading untrusted web content in the browser under that context.

Therefore, it is strongly recommended that you consider alternative approaches, such as running the Kiosk application as part of the current user's regular login items, or using a dedicated user if desired. While we provide this guide in good faith to assist you in configuring Kiosk in the described scenario, we cannot accept any responsibility or liability as a result of configuring your system in this manner.

Still have questions, comments or other feedback?

Send us a message! We'd be glad to help you.