Authenticated Kiosk Community Site - PosiEd

An authenticated Kiosk Community Site is essential to ensure that only authorized users can access the kiosk and its associated data. Relying on a publicly accessible URL introduces significant risks, particularly when handling sensitive student information—such as in situations involving Apprehended Violence Orders (AVOs). While the likelihood of misuse may seem low, the consequences of unauthorized access could be serious. Implementing authentication provides a crucial layer of security by requiring user login, aligning with data protection standards and helping to safeguard student privacy from unintended exposure.

Pre-Requisites

Community Site is enabled and published.
Customer Community license.
Community user linked to a Contact.

Nominate a kiosk default customer user per school

Here’s a sample video on how to create a customer user from an existing account if no user has been set up yet.

Nominate a default customer user for a kiosk.mp4

If Single Sign-On (SSO) is enabled, ensure that your customer community user’s credentials are configured for SSO. If not, they can log in using their Salesforce username and password instead.

Add customer user to each school public groups

If you have a dedicated customer user for each school kiosk, ensure that each user is added to the corresponding school's public group. Alternatively, if you choose to use a single customer user across all school kiosks, make sure that this user is added to all relevant school public groups to prevent potential record access issues in the future.

Configure Session Settings, Login Hours, Login IP Ranges, and Password Policies for your Customer Community Profiles

This controls how, when, and from where a Kiosk can stay logged in or access the org.

Session Settings

This setting determines how long the Kiosk can remain inactive before Salesforce automatically logs it out. In a typical school setup, setting this to 8–10 hours is generally safe.

Login Hours

Restricts which times of day the Kiosk can log in (e.g., Mon–Fri 8AM–6PM). Outside those hours, Kiosk can’t log in at all.

Login IP Ranges

Restricts which IP addresses the Kiosk can log in from (e.g., only office network). If not in range, login is blocked.

Password Policies

Control how the Kiosk is managed and protect login credentials.

Set up a new Kiosk site

Go to Setup → Digital Experiences → All Sites
Create a new site
Navigate to Administration and add Members
System Administrator

Members added to the site receive administrative rights, allowing them to customize and publish it.

Update Public Access settings

In Builder, go to Settings → General
Uncheck "Guest users can see and interact with the site without logging in" to restrict access only to authenticated users

Go to the Gear icon > Home > click the 3 dots and update the Page Access to Site Default Setting: Requires Login.

Assign Permission Set to Customer User

Go to the Contact associated with the school kiosk
Locate the Community User (Customer User) record
Assign the [PosiEd] Kiosk permission set to ensure proper access and permissions

Give customer user record access via sharing rules

Establish a sharing rule to grant customer users access to records. The following objects need configuration.

Account → Read Only access
Asset → Read Only access
Absence Reason → Read Only access
Absence Submission → Read/Write access
Day Attendance → Read/Write access
Kiosk Definition → Read Only access
Kiosk Reason → Read Only access

Here is a configuration example for an Account to extend record access to customer users.