Kaspersky Secure Mobility Management

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution, refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring compliance control of mobile devices with corporate security requirements

You can define these policy settings only for Android devices.

Compliance control allows you to monitor Android devices for compliance with corporate security requirements and take actions in case of non-compliance. Corporate security requirements regulate how the user can work with the device. For example, real-time protection must be enabled on the device, anti-malware databases must be up-to-date, and the device password must be sufficiently strong. Compliance control is based on a list of rules. A compliance rule includes the following components:

To configure compliance control, you can perform the following actions:

In this section

Enabling and disabling compliance rules

Editing compliance rules

Adding compliance rules

Deleting compliance rules

List of non-compliance criteria

List of actions in case of non-compliance


Enabling and disabling compliance rules

You can define these policy settings only for Android devices.

To enable or disable existing rules of compliance control of mobile devices with corporate security requirements:

  1. Open the policy properties window:
    • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
    • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
  2. On the policy properties page, select Application settings > Security controls.
  3. In the Compliance Control section, enable or disable the existing compliance rules by using the toggle buttons in the Status column.
  4. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.


Editing compliance rules

You can define these policy settings only for Android devices.

To edit a rule for controlling the compliance of mobile devices with corporate security requirements:

  1. Open the policy properties window:
    • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
    • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
  2. On the policy properties page, select Application settings > Security controls.
  3. In the Compliance Control section, select the rule that you want to edit, and then click Edit.
  4. In the Rule window that opens, edit the rule as follows:
    1. In the Action column, configure the list of actions to be performed in case of non-compliance with the rule by adding new actions, editing the existing actions, or deleting them.
    2. Optionally, specify the time period in which a user can fix the non-compliance by using the Time to rectification column for each action.
    3. Click the Save button to save the rule.
  5. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.


Adding compliance rules

You can define these policy settings only for Android devices.

To add a rule for controlling the compliance of mobile devices with corporate security requirements:

  1. Open the policy properties window:
    • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
    • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
  2. On the policy properties page, select Application settings > Security controls.
  3. In the Compliance Control section, click Rule.
  4. In the Rule window that opens, define the rule as follows:
    1. Select the non-compliance criterion for the rule.
    2. Click Add, and then select the action to be performed in case of non-compliance with the rule in the Action column.

      You can add several actions.

    3. Specify the time period in which a user can fix the non-compliance by using the Time to rectification column for each action.
    4. Click the Save button to save the rule.
  5. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.


Deleting compliance rules

You can define these policy settings only for Android devices.

To delete a rule for controlling the compliance of mobile devices with corporate security requirements:

  1. Open the policy properties window:
    • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
    • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
  2. On the policy properties page, select Application settings > Security controls.
  3. In the Compliance Control section, select the rule that you want to delete, and then click Delete.
  4. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.


List of non-compliance criteria

You can define these policy settings only for Android devices.

To ensure that an Android device complies with corporate security requirements, Kaspersky Endpoint Security for Android can check the device against the following criteria:

  • Real-time protection is disabled.

    Real-time protection must be enabled.

    For more information on configuring real-time protection, see the "Configuring real-time protection" section.

  • Anti-malware databases are out of date.

    The anti-malware database of Kaspersky Endpoint Security for Android must be regularly updated.

    For more information on defining the settings of anti-malware database updates, see the "Configuring anti-malware protection" section.

  • Forbidden apps are installed.

    The device must not have applications installed that are classified as Block from launching, as specified in the App Control section.

    For more information on creating rules for applications, see the "Configuring App Control" section.

  • Apps from forbidden categories are installed.

    The device must not have applications installed that fall under a category that is classified as Block from launching, as specified in the App Control section.

    For more information on creating rules for application categories, see the "Configuring App Control" section.

  • Not all required apps are installed.

    The device must have specific applications installed that are classified as Force to install, as specified in the App Control section.

    For more information on creating rules for applications, see the "Configuring App Control" section.

  • Operating system version is out of date.

    The device must have an allowed version of the operating system.

    To use this non-compliance criterion, you must specify the range of allowed operating system versions in the Minimum operating system version and Maximum operating system version drop-down lists.

  • Device has not been synchronized for a long time.

    The device must be regularly synchronized with the Administration Server.

    To use this non-compliance criterion, you must specify the maximum time interval between device synchronizations in the Synchronization period drop-down list.

  • Device has been rooted.

    The device must not be rooted.

    For more information, see the "Detecting device hacks (root)" section.

  • Unlock password is not compliant with security requirements.

    The device must be protected with an unlock password that complies with the unlock password strength requirements.


List of actions in case of non-compliance

You can define these policy settings only for Android devices.

If the user does not fix a non-compliance issue within the specified time, the following actions are available:

  • Block all apps except system apps.

    All apps on the user's mobile device, except system apps, are blocked from starting.

  • Lock device.

    The mobile device is locked. To obtain access to data, you must unlock the device. If the reason for locking the device is not rectified after the device is unlocked, the device will be locked again after the specified time period.

  • Wipe corporate data.

    The corporate data is wiped from the device. The list of wiped data depends on the mode in which the device operates:

    • On a personal device, the KNOX container and the mail certificate are wiped.
    • If the device operates in device owner mode, the KNOX container and the certificates installed by Kaspersky Endpoint Security for Android (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
    • Additionally, if an Android work profile is created, the work profile (its content, configurations, and restrictions) and the certificates installed in the work profile (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
  • Fully reset device to factory settings.

    All data is deleted from the mobile device and the settings are rolled back to their factory values.
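
The following is an added planning aid, not Kaspersky code and not the product's data format or API: it models a compliance rule as a criterion plus actions that each have their own Time to rectification, shows which actions are due at a given moment, and flags a rule where a harsher action fires no later than a milder one. All class, function and field names are hypothetical; it assumes the timers count from the moment non-compliance is detected and that severity follows the order of the list above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable

# Actions as named on this page; treating list order as severity is an assumption.
ACTIONS = ["Block all apps except system apps", "Lock device",
           "Wipe corporate data", "Fully reset device to factory settings"]

@dataclass
class Device:                      # hypothetical snapshot, not a product data format
    os_version: int
    last_sync: datetime
    rooted: bool

# Criteria return True when the device is NON-compliant.
def os_out_of_range(lo: int, hi: int) -> Callable:
    return lambda d, now: not (lo <= d.os_version <= hi)

def sync_overdue(period: timedelta) -> Callable:
    return lambda d, now: now - d.last_sync > period

def is_rooted() -> Callable:
    return lambda d, now: d.rooted

@dataclass
class Rule:
    criterion: Callable
    actions: dict                  # action name -> time to rectification (timedelta)

def due_actions(rule: Rule, dev: Device, detected_at: datetime, now: datetime) -> list:
    """Actions whose time to rectification has run out (assumed to count from detection)."""
    if not rule.criterion(dev, now):
        return []                  # the issue was fixed in time: nothing fires
    elapsed = now - detected_at
    return [a for a in ACTIONS if a in rule.actions and elapsed >= rule.actions[a]]

def ladder_issues(rule: Rule) -> list:
    """Flag a harsher action that fires before, or together with, a milder one."""
    chosen = [a for a in ACTIONS if a in rule.actions]
    return [f"'{hi}' fires no later than '{lo}'"
            for i, lo in enumerate(chosen) for hi in chosen[i + 1:]
            if rule.actions[hi] <= rule.actions[lo]]

# Constructed sample data: a device last synchronized 10 days ago, 7-day sync period.
NOW = datetime(2024, 1, 10, 12, 0)
DEV = Device(os_version=9, last_sync=NOW - timedelta(days=10), rooted=False)
RULE = Rule(sync_overdue(timedelta(days=7)),
            {"Lock device": timedelta(hours=24), "Wipe corporate data": timedelta(hours=72)})
```

Running `ladder_issues` on a draft rule before saving it in the console catches a wipe or factory reset that would fire before the user has had a chance to react to a lock.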
