Kaspersky Secure Mobility Management

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring the work profile

To configure the settings of the Android work profile:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Android work profile.
  5. In the Android work profile workspace, select the Create work profile check box.
  6. Specify the work profile settings:
    • On the General tab, specify the data sharing, contact, and other settings:
      • Settings in the Data access and sharing section:
        • Prohibit personal profile apps to share data with work profile apps

          Restricts sharing of files, pictures, or other data from personal profile apps with work profile apps.

          If the check box is selected, apps in personal profile can't share data with work profile apps.

          If the check box is cleared, the apps in personal profile can share data with work profile apps.

          The restriction doesn't affect search of contacts, access to the calendar, and copying data via clipboard across personal and work profiles. You can configure these functionalities by specifying the Prohibit personal profile apps to access work profile contacts, Synchronization of personal and work profile calendars, and Prohibit use of clipboard content across personal and work profiles options, respectively.

          This check box is selected by default.

        • Prohibit work profile apps to share data with personal profile apps

          Restricts sharing of files, pictures, or other data from work profile apps with personal profile apps.

          If the check box is selected, the apps in work profile can't share data with personal profile apps.

          If the check box is cleared, the apps in work profile can share data with personal profile apps.

          The restriction doesn't affect search of contacts, access to the calendar, and copying data via clipboard across personal and work profiles. You can configure these functionalities by specifying the Prohibit personal profile apps to access work profile contacts, Synchronization of personal and work profile calendars, and Prohibit use of clipboard content across personal and work profiles options, respectively.

          This check box is selected by default.

        • Prohibit work profile apps to access files in personal profile

          Restricts access of work profile apps to files in personal profile.

          If the check box is selected, the user can't access files in personal profile when using work profile apps.

          If the check box is cleared, the user can access files in personal profile when using work profile apps. Note that the access must also be supported by the apps that are being used.

          This check box is selected by default.

        • Prohibit personal profile apps to access files in work profile

          Restricts access of personal profile apps to files in work profile.

          If the check box is selected, the user can't access files in work profile when using personal profile apps.

          If the check box is cleared, the user can access files in work profile when using personal profile apps. Note that the access must be supported by the apps that are being used.

          This check box is selected by default.

        • Prohibit use of clipboard content across personal and work profiles

          Selecting or clearing this check box specifies whether the device user is allowed to copy data via clipboard across personal and work profiles.

          This check box is selected by default.

        • Prohibit activation of USB debugging mode

          Restricts the use of USB debugging mode on the user's mobile device in the work profile. In USB debugging mode, the user can download an app via a workstation, for example.

          If the check box is selected, USB debugging mode is not available to the user. The user is unable to configure the mobile device via USB after connecting the device to a workstation.

          If the check box is cleared, the user can enable USB debugging mode, connect the mobile device to a workstation via USB, and configure the device.

          This check box is selected by default.

        • Prohibit the user to add and remove accounts in work profile

          If the check box is selected, the user is prohibited from adding and removing accounts in work profile via Settings or Google apps. This includes restricting the ability to sign in to Google apps for the first time. However, the user can sign in, add, and remove accounts via some other third-party apps in work profile.

          Accounts that were added before the restriction is set will not be removed, and signing in to these accounts is not restricted.

          This check box is selected by default.

        • Prohibit screen sharing, recording, and screenshots in work profile apps

          Selecting or clearing this check box specifies whether the device user is allowed to take screenshots, record and share the device screen in work profile apps. It also specifies whether the contents of the device screen are allowed to be captured for artificial intelligence purposes.

          This check box is selected by default.

      • Settings in the Contacts section:
    • On the Apps tab, specify the following settings:
      • Enable App Control in Work profile only

        Controls the startup of apps in the work profile on the user's mobile device. You can create lists of allowed, blocked, recommended, and required apps as well as allowed and blocked app categories in the App Control section.

        If this check box is selected, depending on the App Control settings, Kaspersky Endpoint Security blocks or allows startup of apps only in the work profile. Meanwhile, App Control does not work in the personal profile.

        This check box is cleared by default.

      • Enable Web Protection in work profile only

        Restricts user access to websites in the work profile on the device. You can specify website access settings (create a list of blocked website categories or a list of allowed websites) in the Web Protection section. If Web Protection is disabled, Kaspersky Endpoint Security only restricts user access to websites in the Phishing and Malware categories. These categories are selected by default in the Websites of selected categories are forbidden area of Web Protection.

        If this check box is selected, Web Protection for Google Chrome blocks or allows access to websites only in the Android work profile. Meanwhile, Web Protection does not work in the personal profile.

        If this check box is cleared, depending on the Web Protection settings, Kaspersky Endpoint Security blocks or allows access to websites in the personal and work profiles of the mobile device.

        For Samsung Internet Browser, HUAWEI Browser, and Yandex Browser, leave the Enable Web Protection in work profile only check box unselected. These browsers do not allow you to enable Web Protection only in the work profile. If you select this check box, Web Protection in these browsers will not work.

        This check box is cleared by default.

      • Prohibit installation of apps in the work profile from unknown sources

        Restricts installation of apps in the work profile from all sources other than Google Play Enterprise.

        If the check box is selected, the user can install apps from Google Play only. Users use their own Google corporate accounts to install apps.

        If the check box is cleared, the user can install apps in any available way. Only blocked apps, the list of which can be created in the App Control section, cannot be installed.

        This check box is cleared by default.

      • Prohibit removal of apps from work profile

        Selecting or clearing this check box specifies whether the user is prohibited from removing apps from the work profile.

        This check box is cleared by default.

      • Prohibit display of notifications from work profile apps when screen is locked

        Restricts display of notification contents from work profile apps on the lock screen of the device.

        If the check box is selected, contents of notifications from work profile apps can't be viewed on the device lock screen. To view the notifications, the user has to unlock the device/work profile.

        If the check box is cleared, notifications from work profile apps are displayed on the device lock screen.

        This check box is cleared by default.

      • Prohibit use of camera for work profile apps

        Selecting or clearing this check box specifies whether work profile apps can access the device camera.

        This check box is selected by default.

        On devices running Android 10 or later, if the Prohibit use of camera check box in the Device Management section is selected, the device camera may be blocked in the work profile even if the Prohibit use of camera for work profile apps check box is cleared.

      • Granting runtime permissions for work profile apps

        The Granting runtime permissions for work profile apps setting allows you to select an action to be performed when work profile apps are running and request additional permissions. This does not apply to permissions granted in device Settings (e.g. Access All Files).

        • Prompt the user for permissions

          When a permission is requested, the user decides whether to grant the specified permission to the app.

          This option is selected by default.

        • Grant permissions automatically

          All work profile apps are granted permissions without user interaction.

        • Deny permissions automatically

          All work profile apps are denied permissions without user interaction.

          Users can adjust app permissions in the device settings before these permissions are denied automatically.

        On Android 12 or later, the following permissions can't be granted automatically but can be denied automatically. If you select Grant permissions automatically, the app will prompt the user for these permissions:

        • Location permissions
        • Permissions for camera
        • Permissions to record audio
        • Permission for activity recognition
        • Permissions to access body sensors data

      • Adding widgets of work profile apps to device home screen

        The Adding widgets of work profile apps to device home screen setting allows you to choose whether the device user is allowed to add widgets of work profile apps to device home screen.

        • Prohibit for all apps

          The device user is prohibited from adding widgets of apps installed in the work profile.

          This option is selected by default.

        • Allow for all apps

          The device user is allowed to add widgets of all apps installed in the work profile.

        • Allow only for the listed apps

          The device user is allowed to add widgets of listed apps installed in the work profile.

          To add an app to the list, click Add and enter an app package name.

          To get the package name of an app:

          1. Open Google Play.
          2. Find the required app and open its page.

          The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

          To get the package name of an app that has been added to Kaspersky Security Center:

          1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
          2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

          In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

          If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add the app package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

          To remove an app from the list, select the app and click Delete.

    • On the Certificates tab, you can configure the following settings:
      • Duplicate installation of the VPN certificates in personal profile

        Selecting or clearing the check box specifies whether the VPN certificate added in the Mobile Device Management > Certificates section of the Kaspersky Security Center Administration Console and installed to the work profile will also be installed to the personal profile.

        By default, VPN certificates received from Kaspersky Security Center are installed in the work profile. This setting is applied when a new VPN certificate is issued.

        This check box is cleared by default.

      • Duplicate installation of root certificates in personal profile

        Selecting or clearing the check box specifies whether the root certificates added in the Root certificates policy section and installed to the work profile will also be installed to the personal profile.

        This check box is cleared by default.

    • On the Password tab, specify work profile password settings:
      • Require to set password for work profile

        Allows you to specify the requirements for the work profile password according to company security requirements.

        If the check box is selected, password requirements are available for configuration. When the policy is applied, the user receives a notification prompting to set up work profile password according to company requirements.

        If the check box is cleared, editing password settings is not available.

        This check box is cleared by default.

      • Minimum number of characters

        The minimum number of characters in the user password. Possible values: 4 to 16 characters.

        The user's password is 4 characters long by default.

        The following is applicable only to personal and work profiles:

        • In personal profile, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high on devices running Android 10 or later.
        • In work profile, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high on devices running Android 12 or later.

        The values are determined by the following rules:

        • If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN) with no repeating or ordered (e.g. 1234) sequences, or alphabetic/alphanumeric. The PIN or password must be at least 4 characters long.
        • If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN) with no repeating or ordered sequences, or alphabetic/alphanumeric (password). The PIN must be at least 8 digits long; the password must be at least 6 characters long.
      • Minimum password complexity requirements (Android 12 or earlier)

        Specifies minimum unlock password requirements. These requirements apply only to new user passwords. The following values are available:

        • Numeric

          The user can set a password that includes numbers or set any stronger password (for instance, alphabetic or alphanumeric).

          This option is selected by default.

        • Alphabetic

          The user can set a password that includes letters (or other non-number symbols) or set any stronger password (for instance, alphanumeric).

        • Alphanumeric

          The user can set a password that includes both numbers and letters (or other non-number symbols) or set any stronger complex password.

        • Not specified

          The user can set any password.

        • Complex

          The user must set a complex password according to the specified password properties:

          • Minimum number of letters
          • Minimum number of digits
          • Minimum number of special symbols (for example, !@#$%)
          • Minimum number of uppercase letters
          • Minimum number of lowercase letters
          • Minimum number of non-letter characters (for example, 1^&*9)
        • Complex numeric

          The user can set a password that includes numbers with no repetitions (e.g. 4444) and no ordered sequences (e.g. 1234, 4321, 2468) or set any stronger complex password.

        This option applies only to devices running Android 12 or earlier.

      • Maximum number of incorrect password attempts before deletion of work profile

        Specifies the maximum number of attempts by the user to enter password to unlock the device. When the policy is applied, the work profile will be deleted from the device after the maximum number of attempts is exceeded.

        Possible values are 4 to 16.

        The default value is not set. This means that the attempts are not limited.

      • Maximum password age, in days

        Specifies the number of days before the password expires. Applying a new value will set the current password lifetime to the new value.

        The default value is 0. This means that the password won't expire.

      • Number of days to notify that a password change is required

        Specifies the number of days to notify the user before the password expires.

        The default value is 0. This means that the user won't be notified about password expiration.

      • Number of recent passwords that can't be used as a new password

        Specifies the maximum number of previous user passwords that can't be used as a new password. This setting will apply only when the user sets a new password on the device.

        The default value is 0. This means that the new user password can match any previous password except the current one.

      • The period of inactivity before the device screen locks, in seconds

        Specifies the period of inactivity before the device locks. After this period, the device will lock.

        The default value is 0. This means that the device won't lock after a certain period.

      • Period after unlocking by biometric methods before entering a password, in minutes (Android 8.0 or later)

        Specifies the period for unlocking the device without a password. During this period, the user can use biometric methods to unlock the screen. After this period, the user can unlock the screen only with a password.

        The default value is 0. This means that the user won't be forced to unlock the device with a password after a certain period.

        This option applies only to devices running Android 8.0 or later.

      • Allow biometric unlock methods (Android 9+)

        If the check box is selected, the use of biometric unlock methods on the mobile device is allowed.

        If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of biometric methods to unlock the screen. The user can unlock the screen only with a password.

        This check box is selected by default.

        This setting applies only to devices running Android 9 or later. Starting from Android 10, this setting applies only to the device owner mode.

      • Allow use of fingerprints

        Specifies whether fingerprints can be used to unlock the screen.

        This check box does not restrict the use of a fingerprint scanner when signing in to apps or confirming purchases.

        If the check box is selected, the use of fingerprints on the mobile device is allowed.

        If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of fingerprints to unlock the screen. The user can unlock the screen only with a password. In the Android settings, the option to use fingerprints will be unavailable (Android Settings > Security > Screen lock > Fingerprints).

        This check box is available only if the Allow biometric unlock methods (Android 9 or later; Android 10 or later in device owner mode) check box is selected.

        This check box is selected by default.

        This setting applies to devices running all supported Android versions. Starting from Android 10, this setting applies only to the device owner mode.

        On some Xiaomi devices with Android work profile, the work profile may be unlocked by a fingerprint only if you set the Period of inactivity before the device screen locks value after setting a fingerprint as the screen unlocking method.

      • Allow face scanning (Android 9 or later)

        If the check box is selected, the use of face scanning on the mobile device is allowed.

        If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of face scanning to unlock the screen.

        This check box is available only if the Allow biometric unlock methods (Android 9 or later; Android 10 or later in device owner mode) check box is selected.

        This check box is selected by default.

        This setting applies only to devices running Android 9 or later. Starting from Android 10, this setting applies only to the device owner mode.

      • Allow iris scanning (Android 9 or later)

        If the check box is selected, the use of iris scanning on the mobile device is allowed.

        If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of iris scanning to unlock the screen.

        This check box is available only if the Allow biometric unlock methods (Android 9 or later; Android 10 or later in device owner mode) check box is selected.

        This check box is selected by default.

        This setting applies only to devices running Android 9 or later. Starting from Android 10, this setting applies only to the device owner mode.

    • On the Passcode tab, specify the one-time passcode settings. The user will be prompted to enter the one-time passcode to unlock their work profile if it was locked.
      • Passcode length

        The number of digits in the passcode. Possible values: 4, 8, 12, or 16 characters.

        The passcode length is 4 digits by default.

      • Passcode

        This field is displayed if you view the policy settings for a certain user device, not a group of devices.

        This field displays the passcode required to unlock work profile. A new passcode is generated after the user unlocks work profile with the passcode.

        This field is not editable.

  7. To configure work profile settings on the user's mobile device, block changes to settings.
  8. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. The space of the user's mobile device is divided into a work profile and a personal profile.
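
The password strength rules listed under Minimum number of characters can be checked offline before a policy is rolled out. The following Python code is an added example, not Kaspersky or Android code; it models only the rules stated on this page, and the function names and the MAX_RUN threshold for what counts as a repeating or ordered sequence are assumptions.

```python
import re

# Minimum lengths per system strength level, as listed in the rules on this page.
LEVELS = {
    "medium": {"pin": 4, "password": 4},
    "high": {"pin": 8, "password": 6},
}

# Assumption: a run of more than 3 repeated or evenly stepped digits
# (4444, 1234, 4321, 2468) counts as a "repeating or ordered sequence".
MAX_RUN = 3


def resolve_strength(min_length: int) -> str:
    """Map the policy's 'Minimum number of characters' to a system level."""
    if min_length < 1:
        raise ValueError("minimum length must be a positive number")
    # Page rule: 1 to 4 symbols -> medium, 5 or more symbols -> high.
    return "medium" if min_length <= 4 else "high"


def longest_run(pin: str) -> int:
    """Length of the longest run of digits with a constant step (0 = repeat)."""
    best, run, step = min(len(pin), 1), 1, None
    for prev, cur in zip(pin, pin[1:]):
        diff = int(cur) - int(prev)
        # Extend the run while the step between digits stays the same.
        run = run + 1 if diff == step else 2
        step = diff
        best = max(best, run)
    return best


def check_credential(candidate: str, min_length: int) -> tuple:
    """Return (accepted, reason) for a PIN or password under the policy."""
    level = resolve_strength(min_length)
    limits = LEVELS[level]
    if re.fullmatch(r"[0-9]+", candidate):
        # Numeric credential: treated as a PIN.
        if len(candidate) < limits["pin"]:
            return False, f"{level}: PIN shorter than {limits['pin']} digits"
        if longest_run(candidate) > MAX_RUN:
            return False, f"{level}: PIN has a repeating or ordered sequence"
        return True, f"{level}: PIN accepted"
    # Anything else is treated as an alphabetic/alphanumeric password.
    if len(candidate) < limits["password"]:
        return False, f"{level}: password shorter than {limits['password']} characters"
    return True, f"{level}: password accepted"


if __name__ == "__main__":
    # Constructed sample values: (candidate, policy minimum length).
    samples = [("1234", 4), ("2580", 4), ("2580", 5),
               ("83715204", 5), ("ab12", 6), ("ab12cd", 16)]
    for candidate, min_length in samples:
        print(candidate, min_length, check_credential(candidate, min_length))
```

As the rules above are written, the configured length only selects the medium or high level; the per-level minimums in LEVELS are what the example enforces.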

[Topic 102298]