I have a workstation that multiple users log in to and, ofc, no one bothers to sign out. We have a DLP policy which blocks external media where the user can request a bypass. When the bypass code is given and says approved, the external media is still inaccessible when the machine has more than 1 user signed in. It does work as intended when it's only 1 user. My theory here is that whatever happens in the API to block USB and drives isn't smart enough to differentiate which user is logged in, and therefore even if 1 user gets the bypass but another does not, the drives will stay blocked.
The obvious solution here is to just tell everyone to sign out/have the current user sign out everyone else, but if it's possible, I'd like to implement a solution where that isn't necessary.
Edit: I just realized I've been using "kiosk" wrong for a few years now. It's not a kiosk, just a workstation that multiple people use.