The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Compliance control
This section contains instructions on how to monitor device compliance with corporate requirements and how to configure compliance control rules.
Compliance control of Android devices with corporate security requirements
You can control Android devices for compliance with the corporate security requirements. Corporate security requirements regulate how the user can work with the device. For example, the real-time protection must be enabled on the device, the anti-malware databases must be up-to-date, and the device password must be sufficiently strong. Compliance control is based on a list of rules. A compliance rule includes the following components:
- Device check criterion (for example, absence of blocked apps on the device).
- Time period allocated for the user to fix the non-compliance (for example, 24 hours).
- Actions that will be taken on the device if the user does not fix the non-compliance within the set time period (for example, lock the device).
If the device is in battery saver mode, the app may perform this task later than specified. To ensure timely responses of KES devices on Android to the administrator's commands, enable the use of Google Firebase Cloud Messaging.
To create a rule for checking devices for compliance with a group policy:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Compliance Control section.
- To receive notifications about devices that do not comply with the policy, in the Non-compliance notification section select the Notify administrator check box.
If the device does not comply with a policy, during device synchronization with the Administration Server, Kaspersky Endpoint Security for Android writes an entry for Violation detected: <name of the criterion checked> in the event log. You can view the Event log on the Events tab in the Administration Server properties or in the local properties of the application.
- To notify the device user that the user's device does not comply with the policy, in the Non-compliance notification section select the Notify user check box.
If the device does not comply with a policy, during device synchronization with the Administration Server, Kaspersky Endpoint Security for Android notifies the user about this.
- In the Compliance Control rules section, compile a list of rules for checking the device for compliance with the policy.
- To add a rule, click Add.
The Compliance Rule Wizard starts. Proceed through the wizard by using the Next button.
- Select a non-compliance criterion for the rule.
The following criteria are available:
- Real-time protection is disabled
Checks whether the security app is not installed on the device or is not running.
- Anti-malware databases are out of date
Checks whether the anti-malware databases were last updated 3 or more days ago.
- Forbidden apps are installed
Checks whether the list of apps on the device contains apps that are set as forbidden in the App Control.
- Apps from forbidden categories are installed
Checks whether the list of apps on the device contains apps from the categories that are set as forbidden in the App Control.
- Not all required apps are installed
Checks whether the list of apps on the device does not contain an app that is set as required in the App Control.
- Operating system version is out of date
Checks whether the Android version on the device is within the allowed range.
For this criterion, specify the minimum and maximum allowed versions of Android. If the maximum allowed version is set to Any, it means that future Android versions supported by Kaspersky Endpoint Security for Android will also be allowed.
- Device has not been synchronized for a long time
Checks how long ago the device last synchronized with Administration Server.
For this criterion, specify the maximum period after the last sync.
- Device has been rooted
Checks whether the device has been rooted (that is, whether root access has been obtained on the device).
- Unlock password is not compliant with security requirements
Checks whether the unlock password on the device does not comply with the settings defined in the Device Management section of the policy.
- Installed version of Kaspersky Endpoint Security for Android is not supported
Checks whether the security application installed on the device is not obsolete.
This criterion applies only to the application installed by using a Kaspersky Endpoint Security for Android installation package and if the up-to-date version is specified in the Upgrade of Kaspersky Endpoint Security for Android section of Additional properties of the policy.
For this criterion, you also need to specify the minimum allowed version of Kaspersky Endpoint Security for Android.
- SIM card usage is not compliant with security requirements
Checks whether the device SIM card has been replaced or removed compared to the previous check state.
You can also enable the check for inserting an additional SIM card.
In some cases, replacement, removal, and insertion of an eSIM is also checked.
- Select the actions to be performed on the device if the specified non-compliance criterion is detected. You can add multiple actions. They are combined by the AND logical operator.
The following actions are available:
- Block all apps except system ones
All apps on the user's mobile device, except system apps, are blocked from starting.
As soon as the non-compliance criterion selected for the rule is no longer detected on the device, the apps are automatically unblocked.
- Lock device
The mobile device is locked. To obtain access to data, you must unlock the device. If the reason for locking the device is not rectified after the device is unlocked, the device will be locked again after the specified time period.
- Wipe corporate data
The corporate data is wiped from the device. The list of wiped data depends on the mode in which the device operates:
- On a personal device, KNOX container and mail certificate are wiped.
- If the device operates in device owner mode, KNOX container and the certificates installed by Kaspersky Endpoint Security for Android (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
- Additionally, if Android work profile is created, the work profile (its content, configurations, and restrictions) and the certificates installed in the work profile (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
- Full reset
All data is deleted from the mobile device and the settings are rolled back to their factory values. After this action is completed, the device will no longer be a managed device. To connect the device to Kaspersky Security Center, you must reinstall Kaspersky Endpoint Security for Android.
- Lock work profile
The work profile on the device is locked. To obtain access to the work profile, you must unlock it. If the reason for locking the work profile is not rectified after it is unlocked, the work profile will be locked again after the specified time period.
The action is only applicable to Android 6+.
After the work profile on a device is locked, the history of work profile passwords is cleared. It means that the user can specify one of the recent passwords, regardless of the work profile password settings.
- Wipe data of all apps
The action is only applicable to devices running Android 9.0 and later in device owner mode or with created Android work profile.
If the device works in device owner mode, data of all apps on the device is wiped. If Android work profile is created on the device, data of all apps in the work profile is wiped.
As a result, apps are rolled back to their default state.
- Wipe data of specified app
The action is only applicable to devices running Android 9.0 and later in device owner mode or with created Android work profile.
For this action, you need to specify the package name of the app whose data is to be deleted.
As a result, the app is rolled back to its default state.
The new rule appears in the Compliance Control rules section.
- To temporarily disable a rule that you have created, use the toggle switch opposite the selected rule.
- In the Actions when user accounts are disabled in Active Directory section, you can configure the actions to perform on devices when a user account is disabled in Active Directory.
Please keep in mind that this configuration requires integration with Microsoft Active Directory.
To enable automatic wiping of data from devices associated with disabled accounts of Active Directory users, select the Wipe data from devices with disabled Active Directory user accounts check box and choose one of the following actions:
- Wipe corporate data
- Reset to factory settings
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. If the user device does not comply with the rules, the restrictions you have specified in the compliance rule list are applied to the device.
Compliance control of iOS MDM devices with corporate security requirements
Compliance Control allows you to monitor iOS MDM devices for compliance with corporate security requirements and take actions if non-compliance is found. Compliance Control is based on a list of rules. Each rule includes the following components:
- Status (whether the rule is enabled or disabled).
- Non-compliance criteria (for example, absence of the specified apps or operating system version).
- Actions performed on the device if non-compliance is found (for example, wipe corporate data or send an email message to the user).
To create a rule:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Compliance Control section.
- In the Compliance Control rules section, click Add.
The Compliance Control Rule Wizard starts.
- Select the Enable rule check box if you want to activate the rule. If the check box is cleared, the rule is disabled.
- On the Non-compliance criteria tab, click Add criterion and select a non-compliance criterion for the rule. You can add multiple criteria. They are combined by the AND logical operator.
The following criteria are available:
- List of apps on device
Checks whether the list of apps on the device contains forbidden apps or does not contain required apps.
For this criterion, you need to select a check type (Contains or Does not contain) and specify the app's bundle ID.
- Operating system version
Checks the version of the operating system on the device.
For this criterion, you need to select a comparison operator (Equal to, Not equal to, Less than, Less than or equal to, Greater than, or Greater than or equal to) and specify the iOS version.
Note that the Equal to and Not equal to operators check for a full match of the operating system version with the specified value. For instance, if you specify 15 in the rule, but the device is running iOS 15.2, the Equal to criterion is not met. If you need to specify a range of versions, you can create two criteria and use the Less than and Greater than operators.
- Management mode
Checks the device's management mode.
For this criterion, you need to select a mode (Supervised device or Non-supervised device).
- Device type
Checks the device type.
For this criterion, you need to select a type (iPhone or iPad).
- Device model
Checks the device model.
For this criterion, you need to select an operator (Included in the list or Not included in the list), and then specify models that will be checked or excluded from the check, respectively.
To specify a model, type at least one character in the Identifier field, and then select the required model from the list that appears. The list contains mobile device codes and their matching product names. For example, if you want to add all iPhone 14 models, type "iPhone 14". In this case, you can select any of the available models: "iPhone 14", "iPhone 14 Plus", "iPhone 14 Pro", "iPhone 14 Pro Max".
In some cases, the same product name may correspond to several mobile device codes (for example, the "iPhone 7" product name corresponds to two mobile device codes, "iPhone9.1" and "iPhone9.3"). Be sure that you select all of the mobile device codes that correspond to the required models.
If you type a value that is not on the list, nothing will be found. However, you can click the OK button in the field to add the typed value to the criterion.
- Device is roaming
Checks whether the device is roaming (if you select True) or not (if you select False).
- Device password is set
Checks whether a password is set (if you select True) or not (if you select False).
If you select True, select whether the device password must match (if you select Matches policy) or must not match (if you select Does not match policy) the settings specified in the Password Settings section.
- Device free space
Checks whether the amount of free space on the device has fallen below the threshold that you specify.
For this criterion, specify the threshold amount of free space, and then select the measurement unit (GB or MB).
- Device is not encrypted
Checks whether the device is not encrypted.
Data encryption is enabled by default on password-locked iOS devices (Settings > Touch ID / Face ID and Password > Enable Password). Also, the hardware encryption on a device must be set to At block and file level (you can check this parameter in the device properties: in the console tree, select Additional > Mobile Device Management > Mobile devices, and then double-click the required device).
- SIM card has been changed
Checks whether the device SIM card has been replaced or removed compared to the previous check state.
You can also enable the check for inserting an additional SIM card.
On eSIM compatible devices, the non-compliance detection cannot be removed by inserting the previously removed eSIM. This is because the device's operating system recognizes each added eSIM as a new one. In this case, you need to delete the compliance control rule from the policy.
- Last sync earlier than
Checks how long ago the device last synchronized with Administration Server.
For this criterion, specify the maximum time after the last sync, and then select the measurement unit (Hours or Days).
We do not recommend that you specify a value less than the value of the Updating frequency for information about devices parameter in the iOS MDM Server settings.
If you specify criteria that contradict each other (for example, Device type is set to iPhone but the list of values of Device model, with the Included in the list operator selected, contains an iPad model), an error message is displayed. You cannot save such a rule.
- On the Actions tab, specify actions to be performed on the device if all specified non-compliance criteria are detected.
Actions are performed during the compliance rule check, which happens every 40 minutes, and persist until the next synchronization with the Administration Server. To prevent repetitive actions from a single non-compliance detection, set the Updating frequency for information about devices parameter in the iOS MDM Server settings to 30 minutes.
Add an action in one of the following ways:
- Click the Add action button if the action should be taken on the device immediately after non-compliance is detected.
- Click the Add postponed action button if you want to also set a time period in which the user can fix the non-compliance. If the non-compliance is not fixed within this period, the action is performed on the device.
The following actions are available:
- Send email message to user
The device user is informed about the non-compliance by email.
For this action, you need to specify the user's email address(es). If necessary, you can edit the default text of the email message.
- Wipe corporate data
All installed configuration profiles, provisioning profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile check box has been selected are removed from the device. This action is performed by sending the Wipe corporate data command.
- Install profile
The configuration profile is installed on the device. This action is performed by sending the Install profile command.
For this action, you need to specify the ID of the configuration profile to be installed.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the action by sending the respective command to the device.
- Delete profile
The configuration profile is deleted from the device. This action is performed by sending the Remove profile command.
For this action, you need to specify the ID of the configuration profile to be removed.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the action by sending the respective command to the device.
- Delete all profiles
All previously installed configuration profiles are deleted from the device.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can install the deleted configuration profiles one by one, by sending the respective command to the device.
- Update operating system
The device operating system is updated.
For this action, you need to select the specific operation (Download and install, Download only, or Install only if you want to install a previously downloaded version) and the iOS version to be downloaded and/or installed.
- Change Bluetooth settings (supervised only)
For this action, you need to select whether you want to enable or disable Bluetooth on the device.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the action by sending the respective command to the device.
- Reset to factory settings
All data is deleted from the device and the settings are rolled back to their default values.
- Delete managed app
For this action, you need to specify the bundle ID of the managed app that you want to delete from the device. An app is considered managed if it has been installed on a device through Kaspersky Security Center.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the action by sending the respective command to the device.
- Delete all managed apps
All managed apps are deleted from the device. An app is considered managed if it has been installed on a device through Kaspersky Security Center.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can install the deleted apps one by one, by sending the respective command to the device.
- Delete profile(s) of specified type
For this action, you need to select the type of the profile to be deleted from the device (for example, Web Clips or Calendar subscriptions).
As soon as the non-compliance criteria selected for the rule are no longer detected on the device, the deleted profiles are automatically restored.
- Change roaming settings
For this action, you need to select whether you want to enable or disable data roaming on the device.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the action by sending the respective command to the device.
If you specify actions that contradict each other (for example, Enable Bluetooth and Disable Bluetooth at the same time), an error message is displayed. You cannot save such a rule.
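As an added illustration (not code from the Kaspersky help or product), the following Python model applies the rule semantics this page describes for both platforms: criteria combined with AND, Equal to requiring a full match of the version string so that "15" does not match iOS 15.2, a version range built from Less than and Greater than, and a postponed action that fires only once the user's time to fix the non-compliance has elapsed (the Android section's allocated period, the iOS section's "Add postponed action"). The device records, bundle IDs and timings are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional
Device = dict  # constructed device record: {"os_version": "15.2", "apps": ["bundle.id", ...]}

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split(".") if p.isdigit())  # '15.2.1' -> (15, 2, 1)

def os_version_criterion(operator: str, value: str) -> Callable[[Device], bool]:
    """Equal to / Not equal to need a full match of the version string ('15' does not
    match '15.2'); the ordering operators compare numerically, zero-padded."""
    want = parse_version(value)
    def check(dev: Device) -> bool:
        if operator in ("Equal to", "Not equal to"):
            return (dev["os_version"] == value) == (operator == "Equal to")
        have = parse_version(dev["os_version"])
        n = max(len(have), len(want))
        h, w = have + (0,) * (n - len(have)), want + (0,) * (n - len(want))
        return {"Less than": h < w, "Less than or equal to": h <= w,
                "Greater than": h > w, "Greater than or equal to": h >= w}[operator]
    return check

def app_list_criterion(check_type: str, bundle_id: str) -> Callable[[Device], bool]:
    """List of apps on device: Contains (forbidden app) / Does not contain (required app)."""
    def check(dev: Device) -> bool:
        return (bundle_id in dev["apps"]) == (check_type == "Contains")
    return check

@dataclass
class Action:
    name: str
    grace: Optional[timedelta] = None  # None: immediate action; else a postponed action

@dataclass
class Rule:
    criteria: list   # combined with AND, as the help states for both platforms
    actions: list
    enabled: bool = True
    first_detected: Optional[datetime] = None

    def non_compliant(self, dev: Device) -> bool:
        return self.enabled and all(c(dev) for c in self.criteria)

    def check(self, dev: Device, now: datetime) -> list:
        """One compliance check; returns the names of the actions due at this check."""
        if not self.non_compliant(dev):
            self.first_detected = None  # compliance restored: the time to fix resets
            return []
        if self.first_detected is None:
            self.first_detected = now
        return [a.name for a in self.actions
                if a.grace is None or now - self.first_detected >= a.grace]

def demo() -> tuple:
    # Hypothetical rule: iOS below 16 AND a required app (constructed bundle ID) missing.
    rule = Rule(criteria=[os_version_criterion("Less than", "16"),
                          app_list_criterion("Does not contain", "com.example.required")],
                actions=[Action("Send email message to user"),
                         Action("Wipe corporate data", grace=timedelta(hours=24))])
    dev = {"os_version": "15.2", "apps": ["com.example.other"]}
    t0 = datetime(2024, 1, 1, 9, 0)
    first = rule.check(dev, t0)                        # email only; wipe not yet due
    later = rule.check(dev, t0 + timedelta(hours=25))  # email and wipe
    dev["apps"].append("com.example.required")         # user fixes the non-compliance
    return first, later, rule.check(dev, t0 + timedelta(hours=26))  # third item: []
```

In the real product the check runs on the server's schedule (every 40 minutes for iOS MDM devices) and an action taken persists until the next synchronization, which the model does not reproduce.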
- Click the OK button to save the rule and close the wizard.
The new rule appears in the list in the Compliance Control rules section.
- Click the Apply button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.