Kaspersky Secure Mobility Management
3.0
English

Contents

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

App control

This section contains instructions on how to configure user access to apps on a mobile device.

In this section

App control on Android devices

App control on iOS MDM devices
Page top
[Topic 141381]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

App control on Android devices

The App Control component allows you to manage apps on Android devices to keep these devices secure.

You can impose restrictions on the user's activity on a device on which blocked apps are installed or required apps are not installed (for example, lock the device). You can impose restrictions using the Compliance Control component. To do so, in the scan rule settings, you must select the Forbidden apps are installed, Apps from forbidden categories are installed, or Not all required apps are installed criterion.

Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of App Control. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. If this is the case, App Control does not run.

In device owner mode, you have extended control over the device. App Control operates without notifying the device user:

  • Required apps are installed automatically in the background. To install apps silently, you need to specify a link to the APK file of the required app in the policy settings.
  • Forbidden apps can be deleted from the device automatically. To delete apps silently, you need to select the Delete blocked apps automatically (in device owner mode only) check box in the policy settings.

To configure the settings of app startup on the mobile device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the App Control section.
  5. In the Operation mode section, select the mode of app startup on the user's mobile device:
    • To allow the user to start all apps except those specified in the list of categories and apps as blocked apps, select the Blocked apps mode. The app will hide blocked app icons.
    • To allow the user to start only apps specified in the list of categories and apps as allowed, recommended, or required apps, select the Allowed apps mode. The app will hide all app icons except those specified in the list of allowed, recommended, or required apps and system apps.
  6. If you want Kaspersky Endpoint Security for Android to send data on forbidden apps to the event log without blocking them, select the Do not block forbidden apps, write to event log only check box.

    During the next synchronization of the user's mobile device with the Administration Server, Kaspersky Endpoint Security for Android writes an entry for A forbidden app has been installed in the event log. You can view the Event log on the Events tab in the Administration Server properties or in the local properties of the application.

  7. If the device is in device owner mode, select the Delete blocked apps automatically (in device owner mode only) check box to remove forbidden apps from the device in the background without notifying the user.
  8. If you want Kaspersky Endpoint Security for Android to block the startup of system apps on the user's mobile device (such as Calendar, Camera, and Settings) in Allowed apps mode, select the Block system apps check box.

    Kaspersky experts recommend against blocking system apps because this could lead to failures in device operation.

  9. Create a list of categories and apps to configure startup of apps.

    Mobile app packages previously created in the Kaspersky Security Center can be added to the list. How to get the package name of an app

    To get the package name of an app:

    1. Open Google Play.
    2. Find the required app and open its page.

    The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

    To get the package name of an app that has been added to Kaspersky Security Center:

    1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
    2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

    In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

    If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add this app's package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

    For details on app categories, please refer to the Appendices.

    For a list of the apps that belong to each category, please visit the Kaspersky website.

  10. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Page top
[Topic 90538]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

App control on iOS MDM devices

Expand all | Collapse all

Kaspersky Security Center allows you to manage apps on iOS MDM devices to keep these devices secure. You can create a list of apps allowed to be installed on devices and a list of apps prohibited from being displayed and launching on devices.

These restrictions apply only to supervised iOS MDM devices.

Open Restrictions for applications section

To open settings for app restrictions on iOS MDM devices:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Restrictions for applications section.

Restrict app installation

By default, the user can install any apps on the supervised iOS MDM device.

To restrict the apps that can be installed on the device:

  1. Select the Allow installation of apps from the list (supervised only) check box.
  2. In the table, click Add to add an app to the list.
  3. Specify the app's bundle ID. Specify the com.apple.webapp value to allow all web clips. How to get the bundle ID of an app

    To get the bundle ID of a native iPhone or iPad app,

    Follow the instruction in Apple documentation.

    To get the bundle ID of any iPhone or iPad app:

    1. Open App Store.
    2. Find the required app and open its page.

      The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).

    3. Copy this identifier (without letters "id").
    4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.

      This downloads a text file.

    5. Open the downloaded file and find there the "bundleId" fragment.

    The text that directly follows this fragment is the bundle ID of the required app.

    To get the bundle ID of an app that has been added to Kaspersky Security Center:

    1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
    2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

    In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

    If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add this app's package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

  4. Click the Apply button to save the changes you have made.

Once the policy is applied to a device, the specified restrictions for apps are configured on the device. Only apps from the list and system apps will be available for installation. All other apps can't be installed on the device.

The specified apps can be installed on the device in the following ways (if the corresponding options are enabled in the Features restrictions section):

  • Installation from Apple Configurator or iTunes
  • Installation from App Store
  • Automatic loading

Specify prohibited apps

By default, all apps can be displayed and launched on the supervised iOS MDM device.

To specify prohibited apps:

  1. Select the Prohibit displaying and launching apps from the list (supervised only) check box.
  2. In the table, click Add to add an app to the list.
  3. Specify the app's bundle ID. Specify the com.apple.webapp value to restrict all web clips. How to get the bundle ID of an app

    To get the bundle ID of a native iPhone or iPad app,

    Follow the instruction in Apple documentation.

    To get the bundle ID of any iPhone or iPad app:

    1. Open App Store.
    2. Find the required app and open its page.

      The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).

    3. Copy this identifier (without letters "id").
    4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.

      This downloads a text file.

    5. Open the downloaded file and find there the "bundleId" fragment.

    The text that directly follows this fragment is the bundle ID of the required app.

    To get the bundle ID of an app that has been added to Kaspersky Security Center:

    1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
    2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

    In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

    If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add this app's package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

  4. Click the Apply button to save the changes you have made.

Once the policy is applied to a device, the specified restrictions for apps are configured on the device. Apps from the list will be prohibited from being displayed and launching on the device. All other apps will be displayed and available to run.

Page top
[Topic 242959]