Hey,
The guide you posted covers Android Enterprise work profile which is not the same scenario you are describing. Kiosk devices are enrolled as Dedicated devices and then put in to Kiosk mode in the configuration profile.
A dedicated devices is not linked to a specific user and during initial setup of a dedicated devices I cant remember that you ever are asked to set a pin, face unlock in that scenario. If you are please tell us a bit more about your configuration and enrollment method and make sure you are enrolling it as a Dedicated Device and that you don't have another policy forcing biometric or pin on your kiosk devices.
https://learn.microsoft.com/en-us/mem/intune/enrollment/android-kiosk-enroll
As you mentioned you have the capability to enable/disable those features with Knox and OEMConfig but I have never had to disable those on a Dedicated devices.
I would suggest the following:
- Make sure you are enrolling your devices as Dedicated devices
- If you are using the Kiosk mode, make sure its enabled in your configuration
- Double check that you don't have another policy forcing biometrics or security features to your Dedicated devices
hope this helps, and if it does don't forget to click accept answer.