Contents
- Configuration and Management
- Getting Started
- Control
- Protection
- Configuring anti-malware protection on Android devices
- Protecting Android devices on the internet
- Protection of stolen or lost device data
- Configuring device unlock password strength
- Configuring a virtual private network (VPN)
- Configuring Firewall on Android devices (only Samsung)
- Protecting Kaspersky Endpoint Security for Android against removal
- Detecting device hacks (root)
- Configuring a global HTTP proxy on iOS MDM devices
- Adding security certificates to iOS MDM devices
- Adding a SCEP profile to iOS MDM devices
- Restricting SD card usage (only Samsung)
- Management of mobile devices
- Managing KES devices
- Managing iOS MDM devices
- Signing an iOS MDM profile by a certificate
- Adding a configuration profile
- Installing a configuration profile on a device
- Removing the configuration profile from a device
- Adding a provisioning profile
- Installing a provisioning profile to a device
- Removing a provisioning profile from a device
- Configuring managed apps
- Installing an app on a mobile device
- Removing an app from a device
- Installing and uninstalling apps on a group of iOS MDM devices
- Configuring roaming on an iOS MDM mobile device
- Viewing information about an iOS MDM device
- Disconnecting an iOS MDM device from management
- Configuring kiosk mode for iOS MDM devices
- Management of mobile device settings
- Configuring connection to a Wi-Fi network
- Configuring email
- Configuring device status in Kaspersky Security Center
- Managing app configurations
- Managing app permissions
- Creating a report on installed mobile apps
- Installing root certificates on Android devices
- Configuring notifications for Kaspersky Endpoint Security for Android
- Key features of mobile device management in MMC-based Administration Console
- Connecting iOS MDM devices to AirPlay
- Connecting iOS MDM devices to AirPrint
- Bypassing the Activation Lock on supervised iOS devices
- Configuring the Access Point Name (APN)
- Configuring the Android work profile
- Adding an LDAP account
- Adding a calendar account
- Adding a contacts account
- Configuring calendar subscription
- Managing web clips
- Setting wallpaper
- Adding fonts
- Working with commands for mobile devices
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuration and Management
This Help section is intended for specialists who administer Kaspersky Secure Mobility Management, as well as for specialists who provide technical support to organizations that use Kaspersky Secure Mobility Management.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Getting Started
This section describes the actions that you are recommended to perform when getting started with Kaspersky Secure Mobility Management.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Starting and stopping the application
Kaspersky Security Center automatically starts and stops administration plug-ins of Kaspersky Endpoint Security for Android and Kaspersky Device Management for iOS.
Kaspersky Endpoint Security for Android launches when the operating system starts up and protects the mobile device during the entire session. The user can stop the app by disabling all Kaspersky Endpoint Security for Android components. You can use group policies to configure user permissions to manage app components.
On certain devices (for example, HUAWEI, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts (Security → Permissions → Autorun). If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted.
You must also disable Battery Saver mode for Kaspersky Endpoint Security for Android. This is necessary for the app to run in the background, such as running a scheduled malware scan or synchronizing the device with Kaspersky Security Center. This issue is attributable to the specific features of the embedded software of these devices.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Creating an administration group
To perform centralized configuration of the Kaspersky Endpoint Security for Android app installed on the users' mobile devices, the group policies must be applied to the devices.
To apply the policy to a device group, you are advised to create a separate group for these devices in the Managed devices prior to installing mobile apps on user devices.
After creating an administration group, it is recommended to configure the option to automatically allocate devices on which you want to install the apps to this group. Then configure settings that are common to all devices using a group policy.
To create administration group, follow the steps below:
- In the console tree, select the Managed devices folder.
- In the workspace of the Managed devices folder or subfolder, select the Devices tab.
- Click the New group button.
This opens the window in which you can create a new group.
- In the Group name window type the group name and click OK.
A new administration group folder with the specified name appears in the console tree. For more detailed information on use of administration groups, see Kaspersky Security Center Help.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Group policies for managing mobile devices
A group policy is a package of settings for managing mobile devices that belong to an administration group and for managing mobile apps installed on the devices. You can create a group policy using the Policy Wizard.
You can use a policy to configure settings of both individual devices and a group of devices. For a group of devices, administration settings can be configured in the window of group policy properties. For an individual device, they can be configured in the window of local application settings. Individual management settings specified for one device may differ from the values of settings configured in the policy for a group to which this device belongs.
Each parameter represented in a policy has a "lock" attribute, which shows whether the setting is allowed for modification in the policies of nested hierarchy levels (for nested groups and secondary Administration Servers), in local application settings.
The values of settings configured in the policy and in local application settings are saved on the Administration Server, distributed to mobile devices during synchronization, and saved to devices as current settings. If the user has specified other values of settings that have not been "locked", during the next synchronization of the device with the Administration Server the new values of settings are relayed to the Administration Server and saved in the local settings of the application instead of the values that had been previously specified by the administrator.
To keep corporate security of mobile devices up to date, you can monitor users' devices for compliance with the group management policy.
The security level indicator is displayed in the upper part of the group policy window. The security level indicator will help you configure the policy so as to ensure a high level of device protection. The protection level indicator status changes depending on the policy settings:
High protection level – an appropriate level of device protection is provided. All protection components function according to the settings recommended by Kaspersky.
Medium protection level – the protection level is lower than recommended. Some critical protection components are disabled (for example, Web Protection). Important issues are marked with the 
icon.
Low protection level – there are problems that may lead to infection of the device and loss of data. Some critical protection components are disabled (for example, real-time protection of devices is disabled). Critical issues are marked with the 
icon.
For more details on managing policies and administration groups in the Administration Console of Kaspersky Security Center, please refer to Kaspersky Security Center Help.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Creating a group policy
This section describes the process of creating group policies for devices on which Kaspersky Endpoint Security for Android mobile app are installed and policies for iOS MDM devices.
Policies created for an administration group are shown in the group workspace in the Administration Console of Kaspersky Security Center on the Policies tab. The icon indicating the policy status (active / inactive) appears before the policy name. Several policies for different apps can be created in one group. Only one policy for each app can be active. When a new active policy is created, the previous active policy becomes inactive.
You can modify a policy after it is created.
To a policy for managing mobile devices:
- From the console tree, select an administration group for which you want to create a policy.
- In the workspace of the group, select the Policies tab.
- Click the New policy link to start the Policy Wizard.
This starts the Policy Wizard.
Step 1. Choose an application for creating a group policy
At this step, select the application for which you want to create a group policy in the list of applications:
- Kaspersky Endpoint Security for Android – for devices using the Kaspersky Endpoint Security for Android mobile app.
It is recommended to create a separate policy for HUAWEI and Honor devices that do not have Google play services. This way you can send links to HUAWEI AppGallery to the users of all such devices.
- Kaspersky Device Management for iOS – for iOS MDM devices.
A policy for mobile devices can be created if the Kaspersky Endpoint Security for Android Administration Plug-in and the Kaspersky Device Management for iOS Administration Plug-in are installed on the administrator's desktop. If the plug-ins are not installed, the name of the relevant application does not appear in the list of applications.
Proceed to the next step of the Policy Wizard.
Step 2. Enter a group policy name
At this step, type the name for the new policy in the Name field. If you specify the name of an existing policy, it will have (1) added at the end automatically.
Proceed to the next step of the Policy Wizard.
Step 3. Create a group policy for the application
At this step, the Wizard prompts you to select the status of the policy:
- Active policy. The Wizard saves the created policy on the Administration Server. At the next synchronization of the mobile device with the Administration Server, the policy will be used on the device as the active policy.
- Inactive policy. The Wizard saves the created policy on the Administration Server as a backup policy. This policy can be activated in the future after a specific event. If necessary, an inactive policy can be switched to active state.
Several policies can be created for one application in the group, but only one of them can be active. When a new active policy is created, the previous active policy automatically becomes inactive.
Exit the Wizard.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring synchronization settings
To manage mobile devices and receive reports or statistics from mobile devices of users, you must configure the synchronization settings. Mobile device synchronization with Kaspersky Security Center may be performed in the following ways:
- By schedule. Synchronization by schedule is performed by using the HTTP protocol. You can configure the synchronization schedule in the group policy settings. Modifications to group policy settings, commands and tasks will be performed when the device is synchronizing with Kaspersky Security Center according to the schedule, i.e. with a delay. By default, mobile devices are synchronized with the Kaspersky Security Center automatically every 6 hours.
- Forced. Forced synchronization is performed by using push notifications of the FCM service (Firebase Cloud Messaging). Forced synchronization is primarily intended for timely delivery of commands to a mobile device. It might be useful when a device is in battery saver mode, because in this case the app may perform tasks later than specified. If you want to use forced synchronization, make sure that the FCM settings are configured in Kaspersky Security Center.
To configure the settings of mobile device synchronization with the Kaspersky Security Center:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Synchronization section.
- Select the frequency of synchronization in the Synchronize drop-down list.
- To disable synchronization of a device with Kaspersky Security Center while roaming, select the Do not synchronize while roaming check box.
The device user can manually perform synchronization in the app settings (
→ Settings → Synchronization → Synchronize). - To hide synchronization settings (server address, port and administration group) from the user in the app settings, clear the Show synchronization settings on device check box. It is impossible to modify hidden settings.
- To receive the device's location history, select the Send device location history during synchronization check box in the Device location history block. The location history will be sent to the Administration Server during each synchronization.
The functionality must be used in accordance with the requirements of local legislation, with the notification or consent (depending on the requirements of the legislation) of the person using the device to enable the location tracking functionality on the device.
Enabling this setting and specifying the geofence area will result in increased device power consumption.
This setting works only if the Device location history informational event type is stored in the Administration Server database. The events are configured in the Events section of the policy properties. For more details, please refer to the Kaspersky Security Center Help. - In the How often to get the device location drop-down list, specify the frequency of getting the device location. The default value is Every 15 minutes.
Due to technical limitations on Android devices, the device location may be retrieved less often than specified.
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. You can manually synchronize the mobile device by using a special command. To learn more about working with commands for mobile devices, please refer to the "Sending commands" section.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Managing revisions to group policies
Kaspersky Security Center lets you track group policy modifications. Every time you save changes made to a group policy, a revision is created. Each revision has a number.
You can manage revisions only for Kaspersky Endpoint Security for Android policies. You cannot manage revisions for a Kaspersky Device Management for iOS policy.
You can perform the following actions on group policy revisions:
- Compare a selected revision to the current one.
- Compare selected revisions.
- Compare a policy with a selected revision of another policy.
- View a selected revision.
- Roll back policy changes to a selected revision.
- Save revisions as a .txt file.
For more details about managing revisions of group policies and other objects (for example, user accounts), please refer to Kaspersky Security Center Help.
To view the history of group policy revisions:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Revision history section.
A list of policy revisions is displayed. It contains the following information:
- Policy revision number.
- Date and time the policy was modified.
- Name of the user who modified the policy.
- Action performed on the policy.
- Description of the revision made to policy settings.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Removing a group policy
To remove a group policy:
- In the console tree, select an administration group for which you want to remove a policy.
- In the workspace of the administration group on the Policies tab select the policy you want to remove.
- In the context menu of the policy, select Delete.
As a result, the group policy is deleted. Before the new group policy is applied, mobile devices belonging to the administration group continue to work with the settings specified in the policy that has been deleted.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Restricting permissions to configure group policies
Kaspersky Security Center administrators can configure the access permissions of Administration Console users for different functions of the Kaspersky Secure Mobility Management integrated solution depending on the job duties of users.
In the Administration Console interface, you can configure access rights in the Administration Server properties window on the Security and User roles tabs. The User roles tab lets you add standard user roles with a predefined set of rights. The Security section lets you configure rights for one user or a group of users or assign roles to one user or a group of users. User rights for each application are configured according to functional scopes.
You can also configure user permissions specific to functional areas. Information about the correspondence between functional areas and policy tabs is given in Annex.
For each functional area, the administrator can assign the following permissions:
- Allow editing. The Administration Console user is allowed to change the policy settings in the properties window.
- Block editing. The Administration Console user is prohibited from changing the policy settings in the properties window. Policy tabs belonging to the functional scope for which this right has been assigned are not displayed in the interface.
For more details on managing user rights and roles in the Administration Console of Kaspersky Security Center, please refer to Kaspersky Security Center Help.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Control
This section contains information about how to remotely monitor mobile devices in the Administration Console of Kaspersky Security Center.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring restrictions
This section provides instructions on how to configure user access to the features of mobile devices.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Special considerations for devices running Android 10 or later
Android 10 introduced numerous changes and restrictions targeting API 29 or higher. Some of these changes affect the availability or functionality of some of the app's features. These considerations apply only to devices running Android 10 or later.
Ability to enable, disable, and configure Wi-Fi
- Wi-Fi networks can be added, deleted, and configured in the Administration Console of Kaspersky Security Center. When a Wi-Fi network is added to a policy, Kaspersky Endpoint Security receives this network configuration when it first connects to Kaspersky Security Center.
- When a device detects a network configured through Kaspersky Security Center, Kaspersky Endpoint Security prompts the user to connect to that network. If the user chooses to connect to the network, all of the settings configured through Kaspersky Security Center are automatically applied. The device then automatically connects to that network when in range, without showing further notifications to the user.
- If a user's device is already connected to another Wi-Fi network, sometimes the user may not be prompted to approve a network addition. In such cases, the user must turn Wi-Fi off and on again to receive the suggestion.
- When Kaspersky Endpoint Security suggests a user connect to a Wi-Fi network and the user refuses to do so, the app's permission to change the Wi-Fi state is revoked. Kaspersky Endpoint Security then cannot suggest connecting to Wi-Fi networks until the user grants the permission again by going to Settings → Apps & notifications → Special App access → Wi-Fi Control → Kaspersky Endpoint Security.
- Only open networks and networks encrypted with WPA2-PSK are supported. WEP and WPA encryption are not supported.
- If the password for a network previously suggested by the app is changed, the user must manually delete that network from the list of known networks. The device will then be able to receive a network suggestion from Kaspersky Endpoint Security and connect to it.
- When a device OS is updated from Android 9 or earlier to Android 10 or later, and/or Kaspersky Endpoint Security installed on a device running Android 10 or later is updated, the networks that were previously added via Kaspersky Security Center cannot be modified or deleted through Kaspersky Security Center policies. The user, however, can manually modify or delete such networks in the device settings.
- On devices running Android 10, a user is prompted for the password during an attempt to connect manually to a protected suggested network. Automatic connection does not require entering the password. If a user's device is connected to some other Wi-Fi network, the user must first disconnect from that network to connect automatically to one of the suggested networks.
- On devices running Android 11, a user may manually connect to a protected network suggested by the app, without entering the password.
- When Kaspersky Endpoint Security is removed from a device, the networks previously suggested by the app are ignored.
- Prohibiting use of Wi-Fi networks is not supported.
Camera access
- On devices running Android 10, use of the camera cannot be completely prohibited. Prohibiting use of the camera for a work profile is still available.
- If a third-party app attempts to access the device's camera, that app will be blocked, and the user will be notified about the issue. However, the apps that use the camera while running in background mode cannot be blocked.
- When an external camera is disconnected from a device, a notification about the camera not being available may be displayed in some cases.
Managing screen unlock methods
- Kaspersky Endpoint Security now resolves the password strength requirements into one of the system values: medium or high.
- If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN), with no repeating or ordered (e.g. 1234) sequences; or alphanumeric. The PIN or password must be at least 4 characters long.
- If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN), with no repeating or ordered sequences; or alphanumeric (password). The PIN must be at least 8 digits long; the password must be at least 6 characters long.
- Using a fingerprint to unlock the screen can be managed for a work profile only.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring restrictions for Android devices
To keep an Android device secure, configure the Wi-Fi, camera, and Bluetooth usage settings on the device.
By default, the user can use Wi-Fi, camera, and Bluetooth on the device without restrictions.
To configure the Wi-Fi, camera, and Bluetooth usage restrictions on the device:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Device Management section.
- In the Restrictions section, configure usage of Wi-Fi, camera, and Bluetooth:
- To disable the Wi-Fi module on the user's mobile device, select the Prohibit use of Wi-Fi check box.
On devices running Android 10 or later, prohibiting the use of Wi-Fi networks is not supported.
- To disable the camera on the user's mobile device, select the Prohibit use of camera check box.
When camera usage is prohibited, the app displays a notification upon opening and then closes shortly after. On Asus and OnePlus devices, the notification is shown in full screen. The device user can tap the Close button to exit the app.
On devices running Android 11 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. If this is the case, you will not be able to restrict use of the camera.
- To disable Bluetooth on the user's mobile device, select the Prohibit use of Bluetooth check box.
On Android 12 or later, the use of Bluetooth can be disabled only if the device user granted the Nearby Bluetooth devices permission. The user can grant this permission during the Initial Configuration Wizard or at a later time.
On personal devices running Android 13 or later, the use of Bluetooth cannot be disabled.
- To disable the Wi-Fi module on the user's mobile device, select the Prohibit use of Wi-Fi check box.
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring iOS MDM device feature restrictions
To ensure compliance with corporate security requirements, configure restrictions on the operation of the iOS MDM device. For information about available restrictions, refer to the context help of the administration plug-in.
To configure iOS MDM device feature restrictions:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Features Restriction section.
- In the Features restriction settings section, select the Apply settings on device check box.
- Configure iOS MDM device feature restrictions.
- Click the Apply button to save the changes you have made.
- Select the Restrictions for applications section.
- In the Applications restriction settings section, select the Apply settings on device check box.
- Configure restrictions for apps on the iOS MDM device.
- Click the Apply button to save the changes you have made.
- Select the Restrictions for Media Content section.
- In the Media content restriction settings section, select the Apply settings on device check box.
- Configure restrictions for media content on the iOS MDM device.
- Click the Apply button to save the changes you have made.
As a result, once the policy is applied, restrictions on features, apps, and media content will be configured on the user's mobile device.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring user access to websites
This section contains instructions on how to configure access to websites on Android and iOS devices.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring access to websites on Android devices
You can use Web Protection to configure access of Android device users to websites. Web Protection supports website filtering by categories defined in Kaspersky Security Network cloud service. Filtering allows you to restrict user access to certain websites or categories of websites (for example, those from the "Gambling, lotteries, sweepstakes", or "Internet communication" categories). Web Protection also protects the personal data of users on the internet.
To enable Web Protection:
- The Statement regarding data processing for the purpose of using Web Protection (Web Protection Statement) should be accepted. Kaspersky Endpoint Security uses Kaspersky Security Network (KSN) to scan websites. The Web Protection Statement contains the terms of data exchange with KSN.
You can accept the Web Protection Statement for the user in Kaspersky Security Center. In this case, the user is not required to take any action.
If you have not accepted the Web Protection Statement and prompt the user to do this, the user must read and accept the Web Protection Statement in the app settings.
If you have not accepted the Web Protection Statement, Web Protection is not available.
Web Protection on Android devices is supported only by Google Chrome, HUAWEI Browser, Samsung Internet Browser, and Yandex Browser.
If the Kaspersky Endpoint Security for Android app in device owner mode is not enabled as an Accessibility Features service, Web Protection is supported only by the Google Chrome browser and checks only the domain of a website. To allow other browsers (Samsung Internet Browser, Yandex Browser, and HUAWEI Browser) support Web Protection, enable Kaspersky Endpoint Security as an Accessibility Features service. This will also enable the Custom Tabs feature operation.
The Custom Tabs feature is supported by Google Chrome, HUAWEI Browser, and Samsung Internet Browser.
Web Protection for HUAWEI Browser, Samsung Internet Browser, and Yandex Browser does not block sites on a mobile device if a work profile is used and Web Protection is enabled only for the work profile.
Web Protection is enabled by default: user access to websites in the Phishing and Malware categories is blocked. On devices managed by the Kaspersky Endpoint Security for Android app in device owner mode, Web Protection is supported only by the Google Chrome browser and checks only the domain of a website. To allow other browsers (Samsung Internet Browser, Yandex Browser, and HUAWEI Browser) to support Web Protection, Kaspersky Endpoint Security must be enabled as an Accessibility Features service.
To configure the settings of the device user's access to websites:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Web Protection.
- To use Web Protection, you or device user must read and accept the Statement regarding data processing for the purpose of using Web Protection (Web Protection Statement):
- Click the Web Protection Statement link at the top of the section.
This opens Statement regarding data processing for purpose of using Web Protection window.
- Read and accept Privacy Policy by selecting the corresponding check box. To view Privacy Policy, click the Privacy Policy link.
If you do not accept Privacy Policy, mobile device user can accept Privacy Policy in the Initial Configuration Wizard or in the app (
→ About → Terms and conditions → Privacy Policy). - Select the Web Protection Statement acceptance mode:
- I have read and accept the Web Protection Statement
- Request acceptance of the Web Protection Statement from the device user
- I do not accept the Web Protection Statement
If you select I do not accept the Web Protection Statement, the Web Protection does not block sites on a mobile device. Mobile device user cannot enable Web Protection in the Kaspersky Endpoint Security.
- Click OK to close the window.
Step 5. Accept the Statement regarding data processing for purpose of using Web Protection.
- Click the Web Protection Statement link at the top of the section.
- Select the Enable Web Protection check box.
- If you want the app to check a full URL when opening a website in Custom Tabs, select the Check full URL when using Custom Tabs check box.
Custom Tabs is an in-app browser that allows the user to view web pages without having to leave the app and switch to a full web browser version. This option provides better detection of a URL and its check against the configured Web Protection rules. If the check box is selected, Kaspersky Endpoint Security for Android opens the website in a full version of the browser and checks whole web address of the website. If the check box is cleared, Kaspersky Endpoint Security for Android checks only the domain of a website in Custom Tabs.
- Select one of the following options:
- If you want the app to restrict user access to websites depending on their content, do the following:
- In the Web Protection section, in the drop-down list select Websites of selected categories are forbidden.
- Create a list of blocked categories by selecting check boxes next to the categories of websites to which the app will block access.
Step 8. Web Protection section. Select the categories of websites to block access to.
- If you want the app to allow or restrict user access only to websites specified by the administrator, do the following:
- In the Web Protection section, in the drop-down list select Only listed websites are allowed or Only listed websites are blocked.
If Kaspersky Endpoint Security for Android is not set as an Accessibility feature, Web Protection may block an allowed website that loads some elements from a website with a domain that is not in the list of allowed domains.
- Create a list of websites by adding addresses of websites to which the app will allow or block access, depending on the value selected in the drop-down list. You can add websites by link (full URL, including the protocol, e.g.
https://example.com).To make sure that the app allows or blocks access to the specified website in all supported versions of Google Chrome, HUAWEI Browser, Samsung Internet Browser, and Yandex Browser, include the same URL twice, once with the HTTP protocol (e.g.,
http://example.com) and once with the HTTPS protocol (e.g.,https://example.com).For example:
https://example.com—The main page of the website is either allowed or blocked. This URL can only be accessed through the HTTPS protocol.http://example.com—The main page of the website is either allowed or blocked, but only when accessed through the HTTP protocol. Other protocols like HTTPS are not affected.https://example.com/page/index.html—Only theindex.htmlpage of the website will be allowed or blocked. The rest of the website is not affected by this entry.
The app also supports regular expressions. When entering the address of an allowed or blocked website, use the following templates:
https://example\.com/.*—This template blocks or allows all child pages of the website, accessed via the HTTPS protocol (for example,https://example.com/about).https?://example\.com/.*—This template blocks or allows all child pages of the website, accessed via both the HTTP and HTTPS protocols.https?://.*\.example\.com—This template blocks or allows all subdomain pages of the website (e.g.,https://pictures.example.com).https?://example\.com/[abc]/.*—This template blocks or allows all child pages of the website where the URL path begins with 'a', 'b', or 'c' as the first directory (e.g.,https://example.com/b/about).https?://\w{3,5}.example\.com/.*—This template blocks or allows all child pages of the website where the subdomain consists of a word with 3 to 5 characters (e.g.,http://abde.example.com/about).
Use the expression
https?to select both the HTTP and HTTPS protocols. For more details on regular expressions, please refer to the Oracle Technical Support website.
- In the Web Protection section, in the drop-down list select Only listed websites are allowed or Only listed websites are blocked.
Step 9. Web Protection section. Specify the list of websites to allow access to.
- If you want the app to block user access to all websites, in the Web Protection section, in the drop-down list, select All websites are blocked.
- If you want the app to restrict user access to websites depending on their content, do the following:
- To lift content-based restrictions on user access to websites, clear the Enable Web Protection check box.
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
Managing the website list
You can manage the list of websites with the following buttons:
- Add - Click to add a website to the list by entering a URL or regular expression.
- Import - Click to add multiple websites to the list by specifying a
.txtfile which contains the required URLs or regular expressions. The file must be encoded in UTF-8. URLs or regular expressions in the file must be separated by semicolons or by line breaks. - Edit - Click to change the address of a website.
- Delete - Click to remove a website from the list. To remove multiple websites from the list, select them with the CTRL+A, CTRL+left-click, or SHIFT+left-click hotkeys, and then click Delete.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring access to websites on iOS MDM devices
Configure Web Protection settings to control access to websites for iOS MDM device users. Web Protection controls a user's access to websites based on lists of allowed and blocked websites. Web Protection also lets you add website bookmarks on the bookmark panel in Safari.
By default, access to websites is not restricted.
Web Protection settings can be configured for supervised devices only.
To configure access to websites on the user's iOS MDM device:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Web Protection section.
- In the Web Protection settings section, select the Apply settings on device check box.
- To block access to blocked websites and allow access to allowed websites:
- In the Web Filter Mode drop-down list, select the Limit adult content mode.
- In the Allowed websites section, create a list of allowed websites.
The website address should begin with
"http://"or"https://". Kaspersky Device Management for iOS allows access to all websites in the domain. For example, if you have added http://www.example.com to the list of allowed websites, access is allowed to http://pictures.example.com and http://example.com/movies. If the list of allowed websites is empty, the application allows access to all websites other than those included in the list of blocked websites. - In the Forbidden websites section, create a list of blocked websites.
The website address should begin with
"http://"or"https://". Kaspersky Device Management for iOS blocks access to all websites in the domain.
- To block access to all websites other than allowed websites on the tab list:
- In the Web Filter Mode drop-down list, select the Allow bookmarked websites only mode.
- In the Bookmarks section, create a list of bookmarks of allowed websites.
The website address should begin with
"http://"or"https://". Kaspersky Device Management for iOS allows access to all websites in the domain. If the bookmark list is empty, the application allows access to all websites. Kaspersky Device Management for iOS adds websites from the list of bookmarks on the bookmarks tab in Safari in the user's mobile device.
- Click the Apply button to save the changes you have made.
As a result, once the policy is applied, Web Protection will be configured on the user's mobile device according to the mode selected and lists created.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Compliance control
This section contains instructions on how to monitor device compliance with corporate requirements and how to configure compliance control rules.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Compliance control of Android devices with corporate security requirements
You can control Android devices for compliance with the corporate security requirements. Corporate security requirements regulate how the user can work with the device. For example, the real-time protection must be enabled on the device, the anti-malware databases must be up-to-date, and the device password must be sufficiently strong. Compliance control is based on a list of rules. A compliance rule includes the following components:
- Device check criterion (for example, absence of blocked apps on the device).
- Time period allocated for the user to fix the non-compliance (for example, 24 hours).
- Actions that will be taken on the device if the user does not fix the non-compliance within the set time period (for example, lock the device).
If the device is in battery saver mode, the app may perform this task later than specified. To ensure timely responses of KES devices on Android to the administrator's commands, enable the use of Google Firebase Cloud Messaging.
To create a rule for checking devices for compliance with a group policy:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Compliance Control section.
- To receive notifications about devices that do not comply with the policy, in the Non-compliance notification section select the Notify administrator check box.
If the device does not comply with a policy, during device synchronization with the Administration Server, Kaspersky Endpoint Security for Android writes an entry for Violation detected: <name of the criterion checked> in the event log. You can view the Event log on the Events tab in the Administration Server properties or in the local properties of the application.
- To notify the device user that the user's device does not comply with the policy, in the Non-compliance notification section select the Notify user check box.
If the device does not comply with a policy, during device synchronization with the Administration Server, Kaspersky Endpoint Security for Android notifies the user about this.
- In the Compliance Control rules section, compile a list of rules for checking the device for compliance with the policy.
- To add a rule, click Add.
The Compliance Rule Wizard starts. Proceed through the wizard by using the Next button.
- Select a non-compliance criterion for the rule.
The following criteria are available:
- Real-time protection is disabled
Checks whether the security app is not installed on the device or is not running.
- Anti-malware databases are out of date
Checks whether the anti-malware databases were last updated 3 or more days ago.
- Forbidden apps are installed
Checks whether the list of apps on the device contains apps that are set as forbidden in the App Control.
- Apps from forbidden categories are installed
Checks whether the list of apps on the device contains apps from the categories that are set as forbidden in the App Control.
- Not all required apps are installed
Checks whether the list of apps on the device does not contains an app that is set as required in the App Control.
- Operating system version is out of date
Checks whether the Android version on the device is within the allowed range.
For this criterion, specify the minimum and maximum allowed versions of Android. If the maximum allowed version is set to Any, it means that future Android versions supported by Kaspersky Endpoint Security for Android will also be allowed.
- Device has not been synchronized for a long time
Checks how long ago the device last synchronized with Administration Server.
For this criterion, specify the maximum period after the last sync.
- Device has been rooted
Checks whether the device is hacked (whether root access is gained on the device).
- Unlock password is not compliant with security requirements
Checks whether the unlock password on the device does not comply with the settings defined in the Device Management section of the policy.
- Installed version of Kaspersky Endpoint Security for Android is not supported
Checks whether the security application installed on the device is not obsolete.
This criterion applies only to an app installed using a Kaspersky Endpoint Security for Android installation package and if the latest version is specified in the Upgrade of Kaspersky Endpoint Security for Android section of Additional properties of the policy.
For this criterion, you also need to specify the minimum allowed version of Kaspersky Endpoint Security for Android.
- SIM card usage is not compliant with security requirements
Checks whether the device SIM card has been replaced or removed compared to the previous check state.
You can also enable the check for an additional SIM card.
In some cases, replacement, removal, and insertion of an eSIM is also checked.
- Device is within or outside the geofence areas
Specifying the geofence area will result in increased device power consumption.
For this criterion, select the specific requirement that must be monitored:
- The device is within any of the geofence areas in the list (the geofence areas are combined using the OR logical operator).
- The device is outside all of the geofence areas in the list (the geofence areas are combined using the AND logical operator).
In the List of geofence areas block, you can add, edit, or delete geofence areas.
To add a new geofence area:
- Click the Add button.
Opens the Add geofence area window.
- Specify the Geofence area name.
- In the Coordinates of the geofence area perimeter section, specify a latitude and a longitude for each point.
If you want to add more than 3 points, click the Add point button. To delete a point, click the X button.
For each geofence area, you can manually enter from 3 to 100 coordinate pairs (latitude, longitude) as decimal numbers.
A geofence area perimeter must not contain intersecting lines.
- You can view the specified geofence area in the Yandex.Maps program, by clicking the View on map button.
- Click the Add button to add the specified geofence area.
The new geofence area appears in the list.
To edit a geofence area:
- Select the geofence area you want to edit, and then click the Edit button.
- Specify the new geofence area settings, as described earlier.
- Click the Add button.
The edited geofence area appears in the list.
To delete a geofence area:
- Select the geofence area you want to delete, and then click the Delete button.
The geofence area is removed from the list.
- Kaspersky Endpoint Security for Android has no access to precise or background location
Checks whether the Kaspersky Endpoint Security for Android app is not allowed to access the precise location of the device or use the device location in the background.
- Real-time protection is disabled
- Select the actions to be performed on the device if the specified non-compliance criterion is detected. You can add multiple actions. They are combined by the AND logical operator.
Some of the actions are continuous. Continuous actions remain in effect until one of the following conditions are met:
- The non-compliance criterion no longer applies.
- A policy is applied in which the corresponding Compliance Control rule is deleted.
The following actions are available:
- Block all apps except system apps
All apps on the user's mobile device, except system apps, are blocked from starting.
As soon as the non-compliance criterion selected for the rule is no longer detected on the device, the apps are automatically unblocked.
- Lock device
The mobile device is locked. To obtain access to data, you must unlock the device. If the reason for locking the device is not rectified after the device is unlocked, the device will be locked again after the specified time period.
- Wipe corporate data
The corporate data is wiped from the device. The list of wiped data depends on the mode in which the device operates:
- On a personal device, KNOX container and mail certificate are wiped.
- If the device operates in device owner mode, KNOX container and the certificates installed by Kaspersky Endpoint Security for Android (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
- Additionally, if Android work profile is created, the work profile (its content, configurations, and restrictions) and the certificates installed in the work profile (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
- Full reset
All data is deleted from the mobile device and the settings are rolled back to their factory values. After this action is completed, the device will no longer be a managed device. To connect the device to Kaspersky Security Center, you must reinstall Kaspersky Endpoint Security for Android.
- Lock work profile
The work profile on the device is locked. To obtain access to the work profile, you must unlock it. If the reason for locking the work profile is not rectified after it is unlocked, the work profile will be locked again after the specified time period.
The action is only applicable to Android 6 or later.
After the work profile on a device is locked, the history of work profile passwords is cleared. It means that the user can specify one of the recent passwords, regardless of the work profile password settings.
- Wipe data of all apps
The action is only applicable to devices running Android 9 or later in device owner mode or with created Android work profile.
If the device works in device owner mode, data of all apps on the device is wiped. If Android work profile is created on the device, data of all apps in the work profile is wiped.
As a result, apps are rolled back to their default state.
- Wipe data for a specified app
The action is only applicable to devices running Android 9 or later in device owner mode or with created Android work profile.
For this action, you need to specify the package name for the app whose data is to be deleted. How to get the package name of an app
As a result, the app is rolled back to its default state.
- Prohibit safe boot
The user is not allowed to boot the device in safe mode.
The action is only applicable to devices running Android 6 or later in device owner mode.
This is a continuous action.
- Prohibit use of camera
The user is not allowed to use any cameras on the device.
This is a continuous action.
- Prohibit use of Bluetooth
The device user is not allowed to turn on and configure Bluetooth in Settings.
The action is only applicable to personal devices running Android 12 or earlier, devices operating in device owner mode, or devices with created Android work profile.
This is a continuous action.
- Prohibit use of Wi-Fi
The device user is not allowed to use Wi-Fi and configure it in Settings.
The action is only applicable to devices operating in device owner mode (all Android versions), personal devices running Android 9 or earlier.
This is a continuous action.
- Prohibit USB debugging features
The user is not allowed to use USB debugging features and developer mode on the device.
The action is only applicable to devices operating in device owner mode or devices with created Android work profile.
This is a continuous action.
- Prohibit airplane mode
The user is not allowed to enable airplane mode on the device.
The action is only applicable to devices running Android 9 or later in device owner mode.
This is a continuous action.
The new rule appears in the Compliance Control rules section.
- To temporarily disable a rule that you have created, use the toggle switch opposite the selected rule.
- In the Actions when user accounts are disabled in Active Directory section, you can configure the actions to perform on devices when a user account is disabled in Active Directory.
These parameters require integration with Microsoft Active Directory.
To enable the automatic wiping of data from devices associated with disabled accounts of Active Directory users, select the Wipe data from devices with disabled Active Directory user accounts check box and choose one of the following actions:
- Wipe corporate data
- Reset to factory settings
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. If the user device does not comply with the rules, the restrictions you have specified in the scan rule list are applied to the device.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Compliance control of iOS MDM devices with corporate security requirements
Compliance Control allows you to monitor iOS MDM devices for compliance with corporate security requirements and take actions if non-compliance is found. Compliance Control is based on a list of rules. Each rule includes the following components:
- Status (whether the rule is enabled or disabled).
- Non-compliance criteria (for example, absence of the specified apps or operating system version).
- Actions performed on the device if non-compliance is found (for example, wipe corporate data or send an email message to the user).
To create a rule:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Compliance Control section.
- In the Compliance Control rules section, click Add.
The Compliance Control Rule Wizard starts.
- Select the Enable rule check box if you want to activate the rule. If the check box is cleared, the rule is disabled.
- On the Non-compliance criteria tab, click Add criterion and select a non-compliance criterion for the rule. You can add multiple criteria. They are combined by the AND logical operator.
The following criteria are available:
- List of apps on device
Checks whether the list of apps on the device contains forbidden apps or does not contain required apps.
For this criterion, you need to select a check type (Contains or Does not contain) and specify the app's bundle ID. How to get the bundle ID of an app
- Operating system version
Checks the version of the operating system on the device.
For this criterion, you need to select a comparison operator (Equal to, Not equal to, Less than, Less than or equal to, Greater than, or Greater than or equal to) and specify the iOS version.
Note that the Equal to and Not equal to operators check for a full match of the operating system version with the specified value. For instance, if you specify 15 in the rule, but the device is running iOS 15.2, the Equal to criterion is not met. If you need to specify a range of versions, you can create two criteria and use the Less than and Greater than operators.
- Management mode
Checks the device's management mode.
For this criterion, you need to select a mode (Supervised device or Non-supervised device).
- Device type
Checks the device type.
For this criterion, you need to select a type (iPhone or iPad).
- Device model
Checks the device model.
For this criterion, you need to select an operator (Included in the list or Not included in the list), and then specify models that will be checked or excluded from the check, respectively.
To specify a model, type at least one character in the Identifier field, and then select the required model from the appeared list. The list contains mobile device codes and their matching product names. For example, if you want to add all iPhone 14 models, type "iPhone 14". In this case, you can select any of the available models: "iPhone 14", "iPhone 14 Plus", "iPhone 14 Pro", "iPhone 14 Pro Max".
In some cases, the same product name may correspond to several mobile device codes (for example, the "iPhone 7" product name corresponds to two mobile device codes, "iPhone 9.1" and "iPhone 9.3"). Be sure that you select all of the mobile device codes that correspond to the required models.
If you type a value that is not on the list, nothing will be found. However, you can click the OK button in the field to add the typed value to the criterion.
- Device is roaming
Checks whether the device is roaming (if you select True) or not (if you select False).
- Device password was set
Checks whether a password is set (if you select True) or not (if you select False).
If you select True, select whether the device password must match (if you select Matches policy) or must not match (if you select Does not match policy) the settings specified in the Password Settings section.
- Device free space
Checks whether the amount of free space on the device becomes less than the threshold that you specify.
For this criterion, specify the threshold amount of free space, and then select the measurement unit (GB or MB).
- Device is not encrypted
Checks whether the device is not encrypted.
Data encryption is enabled by default on password-locked iOS devices (Settings > Touch ID / Face ID and Password > Enable Password). Also, the hardware encryption on a device must be set to At block and file level (you can check this parameter in the device properties: in the console tree, select Additional > Mobile Device Management > Mobile devices, and then double-click the required device).
- SIM card has been changed
Checks whether the device SIM card has been replaced or removed compared to the previous check state.
You can also enable the check for inserting an additional SIM card.
On eSIM compatible devices, the non-compliance detection cannot be removed by inserting the previously removed eSIM. This is because the device's operating system recognizes each added eSIM as a new one. In this case, you need to delete the compliance control rule from the policy.
- Last sync earlier than
Checks how long ago the device last synchronized with Administration Server.
For this criterion, specify the maximum time after the last sync, and then select the measurement unit (Hours or Days).
We do not recommend that you specify a value less than the value of the Updating frequency for information about devices parameter in the iOS MDM Server settings.
If you specify criteria that contradict each other (for example, Device type is set to iPhone but the list of values of Device model, with the Included in the list operator selected, contains an iPad model), an error message is displayed. You cannot save such a rule.
- List of apps on device
- On the Actions tab, specify actions to be performed on the device if all specified non-compliance criteria are detected.
Actions are performed during the compliance rule check, which happens every 40 minutes, and persist until the next synchronization with the Administration Server. To prevent repeat actions from a single instance of non-compliance, set the Updating frequency for information about devices parameter in the iOS MDM Server settings to 30 minutes.
Add an action in one of the following ways:
- Click the Add action button if the action should be taken on the device immediately after non-compliance is detected.
- Click the Add postponed action button if you want to also set a time period in which the user can fix the non-compliance. If the non-compliance is not fixed within this period, the action is performed on the device.
The following actions are available:
- Send email message to user
The device user is informed about the non-compliance by email.
For this action, you need to specify the user's email address(es). If necessary, you can edit the default text of the email message.
- Wipe corporate data
All installed configuration profiles, provisioning profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile check box has been selected are removed from the device. This action is performed by sending the Wipe corporate data command.
- Install profile
The configuration profile is installed on the device. This action is performed by sending the Install profile command.
For this action, you need to specify the ID of the configuration profile to be installed.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the action by sending the respective command to the device.
- Delete profile
The configuration profile is deleted from the device. This action is performed by sending the Remove profile command.
For this action, you need to specify the ID of the configuration profile to be removed.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the action by sending the respective command to the device.
- Delete all profiles
All previously installed configuration profiles are deleted from the device.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can install the deleted configuration profiles one by one, by sending the respective command to the device.
- Update operating system
The device operating system is updated.
For this action, you need to select the specific operation (Download and install, Download only, or Install only if you want to install a previously downloaded version) and the iOS version to be downloaded and/or installed.
- Change Bluetooth settings (supervised only)
For this action, you need to select whether you want to enable or disable Bluetooth on the device.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the action by sending the respective command to the device.
- Reset to factory settings
All data is deleted from the device and the settings are rolled back to their default values.
- Delete managed app
For this action, you need to specify the bundle ID of the managed app that you want to delete from the device. An app is considered managed if it has been installed on a device through Kaspersky Security Center. How to get the bundle ID of an app
When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the action by sending the respective command to the device.
- Delete all managed apps
All managed apps are deleted from the device. An app is considered managed if it has been installed on a device through Kaspersky Security Center.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can install the deleted apps one by one, by sending the respective command to the device.
- Delete profile(s) of a specific type
For this action, you need to select the type of the profile to be deleted from the device (for example, Web Clips or Calendar subscriptions).
As soon as the non-compliance criteria selected for the rule are no longer detected on the device, the deleted profiles are automatically restored.
- Change roaming settings
For this action, you need to select whether you want to enable or disable data roaming on the device.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the action by sending the respective command to the device.
If you specify actions that contradict each other (for example, Enable Bluetooth and Disable Bluetooth at the same time, an error message is displayed. You cannot save such a rule.
- Click the OK button to save the rule and close the wizard.
The new rule appears in the list in the Compliance Control rules section.
- In the Actions when user accounts are disabled in Active Directory section, you can configure the actions to perform on devices when a user account is disabled in Active Directory.
These parameters require integration with Microsoft Active Directory.
To enable the automatic wiping of data from devices associated with disabled accounts of Active Directory users, select the Wipe data from devices with disabled Active Directory user accounts check box and choose one of the following actions:
- Wipe corporate data
- Reset to factory settings
If you use policy profiles, be sure to enable the wipe data option for the entire policy. When a user account is disabled in Active Directory, it is first removed from the Active Directory user group. As a result, the policy profile is no longer applied to this user account, so the data is not wiped from the device.
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
App control
This section contains instructions on how to configure user access to apps on a mobile device.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
App control on Android devices
The App Control component allows you to manage apps on Android devices to keep these devices secure.
You can impose restrictions on the user's activity on a device on which blocked apps are installed or required apps are not installed (for example, lock the device). You can impose restrictions using the Compliance Control component. To do so, in the scan rule settings, you must select the Forbidden apps are installed, Apps from forbidden categories are installed, or Not all required apps are installed criterion.
Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of App Control. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. If this is the case, App Control does not run.
In device owner mode, you have extended control over the device. App Control operates without notifying the device user:
- Required apps are installed automatically in the background. To install apps silently, you need to specify a link to the APK file of the required app in the policy settings.
- Forbidden apps can be deleted from the device automatically. To delete apps silently, you need to select the Delete blocked apps automatically (in device owner mode only) check box in the policy settings.
To configure the settings of app startup on the mobile device:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the App Control section.
- In the Operation mode section, select the mode of app startup on the user's mobile device:
- To allow the user to start all apps except those specified in the list of categories and apps as blocked apps, select the Blocked apps mode. The app will hide blocked app icons.
- To allow the user to start only apps specified in the list of categories and apps as allowed, recommended, or required apps, select the Allowed apps mode. The app will hide all app icons except those specified in the list of allowed, recommended, or required apps and system apps.
- If you want Kaspersky Endpoint Security for Android to send data on forbidden apps to the event log without blocking them, select the Do not block forbidden apps, only add a record to the event log check box.
During the next synchronization of the user's mobile device with the Administration Server, Kaspersky Endpoint Security for Android writes an entry for A forbidden app has been installed in the event log. You can view the Event log on the Events tab in the Administration Server properties or in the local properties of the application.
- If the device is in device owner mode, select the Delete blocked apps automatically (in device owner mode only) check box to remove forbidden apps from the device in the background without notifying the user.
- If you want Kaspersky Endpoint Security for Android to block the startup of system apps on the user's mobile device (such as Calendar, Camera, and Settings) in Allowed apps mode, select the Block system apps check box.
Kaspersky experts recommend against blocking system apps because this could lead to failures in device operation.
- Create a list of categories and apps to configure startup of apps.
Mobile app packages previously created in the Kaspersky Security Center can be added to the list. How to get the package name of an app
For details on app categories, please refer to the Appendices.
For a list of the apps that belong to each category, please visit the Kaspersky website.
- If you want Kaspersky Endpoint Security for Android to create a report on installed apps, in the Report on installed mobile apps block, select the Send data on installed apps check box to send information about apps installed on mobile devices, and specify the following settings if required:
- To send data about the system apps installed on users' devices to the Administration Server, select the Send data on system apps check box.
- To send data about the service apps installed on users' devices to the Administration Server, select the Send data on service apps check box.
If a system app or a service app is configured in the App Control settings, the app data is sent regardless of the state of the Send data on system apps or the Send data on service apps check boxes respectively.
Kaspersky Endpoint Security for Android sends data to the event log each time an app is installed to a device or removed from it.
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
App control on iOS MDM devices
Kaspersky Security Center allows you to manage apps on iOS MDM devices to keep these devices secure. You can create a list of apps allowed to be installed on devices and a list of apps prohibited from being displayed and launching on devices.
These restrictions apply only to supervised iOS MDM devices.
Open Restrictions for applications section
To open settings for app restrictions on iOS MDM devices:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Restrictions for applications section.
Restrict app installation
By default, the user can install any apps on the supervised iOS MDM device.
To restrict the apps that can be installed on the device:
- Select the Allow installation of apps from the list (supervised only) check box.
- In the table, click Add to add an app to the list.
- Specify the app's bundle ID. Specify the
com.apple.webappvalue to allow all web clips. How to get the bundle ID of an app - Click the Apply button to save the changes you have made.
Once the policy is applied to a device, the specified restrictions for apps are configured on the device. Only apps from the list and system apps will be available for installation. All other apps can't be installed on the device.
The specified apps can be installed on the device in the following ways (if the corresponding options are enabled in the Features restrictions section):
- Installation from Apple Configurator or iTunes
- Installation from App Store
- Automatic loading
Specify prohibited apps
By default, all apps can be displayed and launched on the supervised iOS MDM device.
To specify prohibited apps:
- Select the Prohibit displaying and launching apps from the list (supervised only) check box.
- In the table, click Add to add an app to the list.
- Specify the app's bundle ID. Specify the
com.apple.webappvalue to restrict all web clips. How to get the bundle ID of an app - Click the Apply button to save the changes you have made.
Once the policy is applied to a device, the specified restrictions for apps are configured on the device. Apps from the list will be prohibited from being displayed and launching on the device. All other apps will be displayed and available to run.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Statuses of mobile devices
Mobile device statuses defined by Kaspersky Security Center
Administration Console allows you to quickly assess the current status of Kaspersky Security Center and managed mobile devices by checking traffic lights. The traffic lights are shown in the workspace of the Administration Server node, in the Mobile Device Management folder, in the Mobile devices subfolder. The subfolder workspace displays a table of managed mobile devices.
A traffic light is a colored icon in the Management column of the table. Each traffic light can be any of these colors (see the table Color codes of traffic lights). The color of a traffic light depends on the current status of Kaspersky Security Center and on the events that were logged.
A device can have one of the following statuses: OK, Critical, or Warning.
The statuses are assigned and sent to Kaspersky Security Center, in accordance with the following requirements:
- One reason for status assignment is detected on the device — the device gets the status which is displayed in the list of managed devices.
- Several reasons for status assignment are detected on the device — Kaspersky Secure Mobility Management selects the most critical status and sets it as general.
- No reasons for status assignment are detected on the device — Kaspersky Secure Mobility Management does not send the structure of statuses to Kaspersky Security Center, and the status is set as OK.
Color codes of traffic lights
Icon
Status
Traffic light color meaning
Light blue
Mobile device detected on the network and included in none of the administration groups.
Events have been logged that are unrelated to potential or actual threats to the security of managed devices.
Green
Mobile device included in an administration group, with the OK status.
Administrator's intervention is required.
Yellow
Mobile device included in an administration group, with the Warning status.
Events have been logged that are unrelated to potential or actual threats to the security of managed devices.
Red
Mobile device included in an administration group, with the Critical status.
Serious problems have been encountered. An administrator's intervention is required to solve them.
Mobile device included in an administration group, having lost its connection with the Administration Server.
Can be any of the colors: light blue, green, yellow, red.
The administrator's goal is to keep traffic lights green on all of the devices.
You can select Properties from the context menu of the mobile device, and then go to the Protection section to view the logged events that affect traffic lights and the status of Kaspersky Security Center (see the table Name, description, and traffic light colors of logged events).
Name, description, and traffic light colors of logged events
Traffic light color |
Event type display name |
Description |
|---|---|---|
Red |
License expired on %1 device(s) |
Events of this type occur when the commercial license has expired. Once a day, Kaspersky Security Center checks whether the license has expired on the devices. When the commercial license expires, Kaspersky Security Center provides only basic functionality. To continue using Kaspersky Security Center, renew your commercial license. |
Red |
Security application is not running on: %1 device(s) This does not apply to iOS MDM devices. |
Events of this type occur when the security application installed on the device is not running. Make sure that Kaspersky Endpoint Security is running on the device. |
Red |
Protection is disabled on: %1 device(s) |
Events of this type occur when the security application on the device has been disabled for longer than the specified time interval. Check the current status of real-time protection on the device and make sure that all the protection components that you need are enabled. |
Red |
Critical events have been registered on the Administration Server |
Events of this type occur when Administration Server critical events are detected. Check the list of events stored on the Administration Server, and then fix the critical events one by one. |
Red |
Errors have been logged in events on the Administration Server |
Events of this type occur when unexpected errors are logged on the Administration Server side. Check the list of events stored on the Administration Server, and then fix the errors one by one. |
Red |
Lost connection to %1 device(s) |
Events of this type occur when the connection between the Administration Server and the device is lost. View the list of disconnected devices, and then try to reconnect them. |
Red |
%1 device(s) have not connected to the Administration Server in a long time |
Events of this type occur when the device has not connected to the Administration Server within the specified time interval, because the device was turned off. Make sure that the device is turned on and that Network Agent is running. |
Red |
Databases are outdated on: %1 device(s) |
Events of this type occur when the anti-malware databases have not been updated on the device within the specified time interval. Follow the instructions to update Kaspersky databases. |
Red |
Active threats are detected on %1 device(s) |
Events of this type occur when active threats are detected on managed devices. View information about the detected threats, and then follow the recommendations. |
Red |
Too many viruses have been detected on: %1 device(s) |
Events of this type occur when viruses are detected on managed devices. View information about the detected viruses, and then follow the recommendations. |
Red |
Virus outbreak |
Events of this type occur when the number of malicious objects detected on several managed devices exceeds the threshold within a short period of time. View information about the detected threats, and then follow the recommendations. |
Yellow |
Malware scan has not been performed in a long time on: %1 device(s) |
Events of this type occur when you need to perform a malware scan on managed devices. Run a virus scan. |
Green |
Managed device(s): %3. Unassigned device(s) detected: %1 |
Events of this type occur when new devices are detected in administration groups. |
Green |
Security application is installed on all managed devices |
Events of this type occur when Kaspersky Endpoint Security is installed on all managed devices. |
Green |
Kaspersky Security Center is functioning properly |
Events of this type occur when Kaspersky Security Center is functioning properly. |
Green |
Protection is enabled |
Events of this type occur when the real-time protection is enabled on managed devices. |
Green |
Security application is not installed |
Events of this type occur when the anti-malware application is not installed on managed devices. |
Green |
Malware scan is running on schedule |
Events of this type occur when the Malware scan task is running on schedule. |
Light blue |
End User License Agreement for Kaspersky mobile software has not been accepted |
Events of this type occur when the administrator has not yet accepted the End User License Agreement for Kaspersky mobile software. |
Light blue |
End User License Agreement for Kaspersky software updates has not been accepted |
Events of this type occur when the administrator has not yet accepted the End User License Agreement for Kaspersky software updates. |
Light blue |
Kaspersky Security Network Statement for Kaspersky software updates has not been accepted |
Events of this type occur when the administrator has not yet accepted the Kaspersky Security Network Statement for Kaspersky software updates. |
Light blue |
New versions of Kaspersky applications are available |
Events of this type occur when new versions of Kaspersky applications are available for installation on managed devices. |
Light blue |
Updates are available for Kaspersky applications |
Events of this type occur when updates are available for Kaspersky applications. |
Light blue |
Full scan has never been performed on %1 device(s) |
Events of this type occur when a full scan has never been performed on the specified number of devices. |
Mobile device statuses defined by Kaspersky Secure Mobility Management
These are additional statues that function together with the statuses defined by Kaspersky Security Center (see the table Name, description, and traffic light colors of logged events).
Kaspersky Secure Mobility Management defines the status of mobile devices, based on the policy settings, and then sends the structure of statuses to Kaspersky Security Center when it is synchronized. The administrator can change the device status in the policy, depending on the severity level of the condition (see the table Default values, reasons, and conditions for status assignment). In this case, the value set by the administrator overrides the default value defined by Kaspersky Secure Mobility Management.
Default values, reasons, and conditions for status assignment
Condition |
Reason for status assignment |
Default value |
|---|---|---|
Real-time protection is not running. |
One of the following reasons:
|
Critical |
Web Protection is not running. |
One of the following reasons:
|
Warning |
App Control is not running. |
The Accessibility permission is not granted. |
Warning |
Device lock is not available.
|
One of the following reasons:
|
Warning |
Device locate is not available. |
One of the following reasons:
|
Warning |
The versions of the KSN Statement do not match. |
The version of the Kaspersky Security Network Statement that the user accepted in the policy and the version of the Kaspersky Security Network Statement on the device do not match. |
Warning |
The versions of the Marketing Statement do not match. |
The version of the Statement regarding data processing for marketing purposes that the user accepted in the policy and the version of the Statement regarding data processing for marketing purposes on the device do not match. |
OK |
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Software inventory on Android devices
You can inventory apps on Android devices connected to Kaspersky Security Center. Kaspersky Endpoint Security for Android receives information about all apps installed on mobile devices. Information acquired during inventory is displayed in the device properties in the Events section. You can view detailed information on each installed app, including its version and publisher.
To enable software inventory:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the App Control section.
- In the Software inventory section, select the Send data on installed apps check box.
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. Kaspersky Endpoint Security for Android sends data to the event log each time an app is installed or removed from the device.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring the display of Android devices in Kaspersky Security Center
For convenient operations with the list of mobile devices, you should configure the settings for displaying devices in Kaspersky Security Center. By default, the list of mobile devices is displayed in the Additional → Mobile Device Management → Mobile devices console tree. Device information is updated automatically. You can also manually update the list of mobile devices by clicking the Update button in the upper right corner.
After connecting the device to Kaspersky Security Center, devices are added to the mobile device list automatically. The mobile device list may contain detailed information about that device: model, operation system, IP address, and others.
You can configure the device name format and select the device status. The device status informs you about how the components of Kaspersky Endpoint Security for Android are operating on the user's mobile device.
Kaspersky Endpoint Security for Android components could be non-operational for the following reasons:
- The user disabled the component in the device settings.
- The user did not grant the app the necessary permissions for the component to operate (for example, there is no permission to determine the device location for the corresponding Anti-Theft command).
To display the device status, you must enable the Determined by the application condition in the administration group properties (Properties > Device status > Set device status to Critical if and Set device status to Warning if). In the administration group properties, you can also select other criteria for forming the mobile device status.
To configure the display of Android devices in Kaspersky Security Center:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Device information section.
- In the Device name in Kaspersky Security Center section, select the device name format for the device name in the Administration Console:
- Device model [email, device ID]
- Device model [email (if any) or device ID]
A device ID is a unique ID that Kaspersky Endpoint Security for Android generates from the data received from a device as follows:
- On personal devices running Android 9 and earlier, the app uses the IMEI. For later versions of Android, the app uses SSAID (Android ID) or checksum of other data received from the device.
- In device owner mode, the app uses IMEI on all Android versions.
- When a work profile is created on devices running Android 11 or earlier, the app uses IMEI. On other Android versions, the app uses the SSAID (Android ID) or checksum of other data received from the device.
- Set the Lock attribute in the locked position (
). - In the Device status in Kaspersky Security Center section, select the appropriate device status if a component of Kaspersky Endpoint Security for Android is not working:
(Critical), 
(Warning) or 
(OK).In the list of mobile devices, the device status will be changed according to the selected status.
- Set the Lock attribute in the locked position.
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Protection
This section contains information about how to remotely manage protection of mobile devices in the Administration Console of Kaspersky Security Center.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring anti-malware protection on Android devices
For the timely detection of threats, viruses, and other malicious applications, you should configure the settings for real-time protection and autorun of malware scans.
Kaspersky Endpoint Security for Android detects the following types of objects:
- Viruses, worms, Trojans, and malicious tools
- Adware
- Apps that can be exploited by criminals to harm your device or personal data
Anti-Malware has a number of limitations:
- When Anti-Malware is running, a threat detected in the external memory of the device (such as an SD card) cannot be neutralized automatically in the Work profile (Applications with a briefcase icon, Configuring the Android work profile). Kaspersky Endpoint Security for Android does not have access to external memory in the Work profile. Information about detected objects is displayed in app notifications. To neutralize objects detected in the external memory, the object files have to be deleted manually and the device scan restarted.
- Due to technical limitations, Kaspersky Endpoint Security for Android cannot scan files with a size of 2 GB or more. During a scan, the app skips such files without notifying you that such files were skipped.
- On devices running Android 11 or later, the Kaspersky Endpoint Security for Android app can't scan the "Android/data" and "Android/obb" folders and detect malware in them due to technical limitations.
To configure the mobile device real-time protection settings:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Protection section.
- In the Protection section, configure the settings of mobile device file system protection:
- To enable real-time protection of the mobile device against threats, select the Enable Protection check box.
Kaspersky Endpoint Security for Android scans only new apps and files from the Downloads folder.
- To enable extended protection of the mobile device against threats, select the Extended protection mode check box.
Kaspersky Endpoint Security for Android will scan all files that the user opens, modifies, moves, copies, installs or saves on the device, as well as newly installed mobile apps.
On devices running Android 8.0 or later, Kaspersky Endpoint Security for Android scans files that the user modifies, moves, installs and saves, as well as copies of files. Kaspersky Endpoint Security for Android does not scan files when they are opened, or source files when they are copied.
- To enable additional scanning of new apps before they are started for the first time on the user's device with the help of the Kaspersky Security Network cloud service, select the Cloud protection (KSN) check box.
- To block adware and apps that can be exploited by criminals to harm the device or user data, select the Detect adware, autodialers, and riskware check box.
- To enable real-time protection of the mobile device against threats, select the Enable Protection check box.
- In the Action on threat detection list, select one of the following options:
- Delete
Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will display a temporary notification about the detection of the object.
- Skip
If the detected objects have been skipped, Kaspersky Endpoint Security for Android warns the user about problems in device protection. For each skipped threat, the app provides actions that the user can perform to eliminate the threat. The list of skipped objects may change, for example, if a malicious file was deleted or moved. To receive an up-to-date list of threats, run a full device scan. To ensure reliable protection of your data, eliminate all detected objects.
- Quarantine
- Delete
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
To configure autorun of malware scans on the mobile device:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Scan section.
- To block adware and apps that can be exploited by criminals to harm the device or user data, select the Detect adware, autodialers, and riskware check box.
- In the Action on threat detection list, select one of the following options:
- Delete
Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will display a temporary notification about the detection of the object.
- Skip
If the detected objects have been skipped, Kaspersky Endpoint Security for Android warns the user about problems in device protection. For each skipped threat, the app provides actions that the user can perform to eliminate the threat. The list of skipped objects may change, for example, if a malicious file was deleted or moved. To receive an up-to-date list of threats, run a full device scan. To ensure reliable protection of your data, eliminate all detected objects.
- Quarantine
- Ask user
The Kaspersky Endpoint Security for Android app displays a notification prompting the user to choose the action to take on the detected object: Skip or Delete.
When the app detects several objects, the Ask user option allows the device user to apply a selected action to each file by using the Apply to all threats check box.
Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure the display of notifications on mobile devices running Android 10 or later. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. In this case, Kaspersky Endpoint Security for Android displays an Android system window prompting the user to choose the action to take on the detected object: Skip or Delete. To apply an action to multiple objects, you need to open Kaspersky Endpoint Security.
If during a scan Kaspersky Endpoint Security for Android detects malicious apps on users' devices, the actions differ depending on the device management mode.
- Delete
- The Scheduled scan section lets you configure the settings of the automatic launch of the full scan of the device file system. To do so, click the Schedule button and specify the frequency and start time of the full scan in the Schedule window.
If the device is in battery saver mode, the app may perform this task later than specified. To ensure timely responses of KES devices on Android to the administrator's commands, enable the use of Google Firebase Cloud Messaging.
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. Kaspersky Endpoint Security for Android scans all files, including the contents of archives.
To keep mobile device protection up to date, configure the anti-malware database update settings.
By default, anti-malware database updates are disabled for when the device is roaming. Scheduled updates of anti-malware databases are not performed.
To configure the settings of anti-malware database updates:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Database update section.
- If you want Kaspersky Endpoint Security for Android to download database updates according to the update schedule when the device is in the roaming zone, select the Allow database update while roaming check box in the Database update while roaming section.
Even if the check box is cleared, the user can manually start an anti-malware database update when the device is roaming.
- In the Database update source section, specify the update source from which Kaspersky Endpoint Security for Android receives and installs anti-malware database updates:
- Kaspersky servers
Using a Kaspersky update server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices. To update databases from Kaspersky servers, Kaspersky Endpoint Security for Android transmits data to Kaspersky (for example, the update task run ID). The list of data that is transmitted during database updates is provided in the End User License Agreement.
- Administration Server
Using the repository of Kaspersky Security Center Administration Server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices.
- Other source
Using a third-party server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices. To start an update, you should enter the address of an HTTP server in the field below (e.g., http://domain.com/).
- Kaspersky servers
- In the Scheduled database update section, configure the settings for automatic anti-malware database updates on the user's device. To do so, click the Schedule button and specify the frequency and start time of updates in the Schedule window.
If the device is in battery saver mode, the app may perform this task later than specified. To ensure timely responses of KES devices on Android to the administrator's commands, enable the use of Google Firebase Cloud Messaging.
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Protecting Android devices on the internet
To protect the personal data of a mobile device user on the internet, enable Web Protection. Web Protection blocks malicious websites that distribute malicious code, and phishing websites designed to steal your confidential data and gain access to your financial accounts. Web Protection scans websites before you open them using the Kaspersky Security Network cloud service. Web Protection also lets you configure a user's access to websites based on predefined lists of allowed and blocked websites.
Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time.
Web Protection on Android devices is supported only by Google Chrome, HUAWEI Browser, Samsung Internet Browser, and Yandex Browser.
If the Kaspersky Endpoint Security for Android app in device owner mode is not enabled as an Accessibility Features service, Web Protection is supported only by the Google Chrome browser and checks only the domain of a website. To allow other browsers (Samsung Internet Browser, Yandex Browser, and HUAWEI Browser) support Web Protection, enable Kaspersky Endpoint Security as an Accessibility Features service. This will also enable the Custom Tabs feature operation.
The Custom Tabs feature is supported by Google Chrome, HUAWEI Browser, and Samsung Internet Browser.
Web Protection for HUAWEI Browser, Samsung Internet Browser, and Yandex Browser does not block sites on a mobile device if a work profile is used and Web Protection is enabled only for the work profile.
To enable Web Protection in Google Chrome, HUAWEI Browser, Samsung Internet Browser, or Yandex Browser:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Web Protection.
- To use Web Protection, you or device user must read and accept the Statement regarding data processing for the purpose of using Web Protection (Web Protection Statement):
- Click the Web Protection Statement link at the top of the section.
This opens Statement regarding data processing for purpose of using Web Protection window.
- Read and accept Privacy Policy by selecting the corresponding check box. To view Privacy Policy, click the Privacy Policy link.
If you do not accept Privacy Policy, mobile device user can accept Privacy Policy in the Initial Configuration Wizard or in the app (
→ About → Terms and conditions → Privacy Policy). - Select the Web Protection Statement acceptance mode:
- I have read and accept the Web Protection Statement
- Request acceptance of the Web Protection Statement from the device user
- I do not accept the Web Protection Statement
If you select I do not accept the Web Protection Statement, the Web Protection does not block sites on a mobile device. Mobile device user cannot enable Web Protection in the Kaspersky Endpoint Security.
- Click OK to close the window.
- Click the Web Protection Statement link at the top of the section.
- Select the Enable Web Protection check box.
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Protection of stolen or lost device data
This section describes how you can configure the unauthorized access protection settings on the device in case it gets lost or stolen.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Sending commands to a lost or stolen mobile device
To protect data on a mobile device that is lost or stolen, you can send special commands.
You can send commands to the following types of managed mobile devices:
- Android devices managed via the Kaspersky Endpoint Security for Android app
- iOS MDM devices
Each device type supports a dedicated set of commands (see the tables below).
Commands for Android devices
Commands for protecting data on a lost or stolen Android device
Command |
Command execution result |
|---|---|
Lock |
The mobile device is locked. To obtain access to data, you must unlock the device. |
Unlock |
The mobile device is unlocked. After unlocking a device running Android 5.0 – 6, the screen unlock password is reset to "1234". After unlocking a device running Android 7.0 or later, the screen unlock password is not changed. |
Locate device |
The mobile device's location coordinates are obtained. On devices running Android 12 or later, if the user granted the "Use approximate location" permission, the Kaspersky Endpoint Security for Android app first tries to get the precise device location. If this is not successful, the approximate device location is returned only if it was received not more than 30 minutes earlier. Otherwise, the Locate device command fails. The Locate device command does not work on Android devices if Google Location Accuracy is disabled in settings. Please be aware that not all Android devices come with this location setting. |
Mugshot |
The mobile device is locked. The mugshot photo is taken by the front camera of the device when somebody attempts to unlock the device. On devices with a pop-up front camera, the photo will be black if the camera is stowed. When attempting to unlock the device, the user automatically consents to the mugshot. If the permission to use the camera has been revoked, the mobile device displays a notification and prompts to provide the permission. On a mobile device running Android 12 or later, if the permission to use camera has been revoked via Quick Settings, the notification is not displayed but the photo taken is black. |
Alarm |
The mobile device sounds an alarm. The alarm is sounded for 5 minutes (or for 1 minute if the device battery is low). |
Wipe app data |
The data of a specified app is wiped from the mobile device. The action is only applicable to devices running Android 9 or later in device owner mode or with created Android work profile. |
Wipe data of all apps |
The data of all apps is wiped from the mobile device. The action is only applicable to devices running Android 9 or later in device owner mode or with created Android work profile. |
Wipe corporate data |
The corporate data is wiped from the device. The list of wiped data depends on the mode in which the device operates:
|
Reset to factory settings |
All data is deleted from the mobile device and the settings are rolled back to their factory values. After this command is executed, the device will not be able to receive or execute subsequent commands. |
Get device location history |
The mobile device's location history for the last 14 days is displayed. This command works only if the Device location history informational event type is stored in the Administration Server database. The events are configured in the Events section of the policy properties. For more details, please refer to the Kaspersky Security Center Help. |
Commands for iOS MDM devices
Commands for protecting data on a lost or stolen iOS MDM device
Command |
Command execution result |
|---|---|
Lock |
The mobile device is locked. To obtain access to data, you must unlock the device. |
Reset password |
The mobile device's screen unlock password is reset, and the user is prompted to set a new password in accordance with policy requirements. |
Wipe corporate data |
All installed configuration profiles, provisioning profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile check box has been selected are removed from the device. |
Reset to factory settings |
All data is deleted from the mobile device and the settings are rolled back to their factory values. After this command is executed, the device will not be able to receive or execute subsequent commands. |
Enable Lost Mode (supervised only) |
Lost Mode is enabled on the supervised mobile device, and the device is locked. The device screen shows the message and phone number that you can edit. If you send the Enable Lost Mode command to a supervised iOS MDM device without a SIM card and this device is restarted, the device won't be able to connect to Wi-Fi and receive the Disable Lost Mode command. This is a specific feature of iOS devices. To avoid this issue, you can either send the command only to devices with a SIM card, or insert a SIM card into the locked device to allow it to receive the Disable Lost Mode command over the mobile network. |
Locate device (supervised only) |
The location of the mobile device is obtained. You can click the link in the command log to view device coordinates and check the device location on a map. This command is supported only for supervised devices that are in Lost Mode. |
Play sound (supervised only) |
The sound is played on the lost mobile device. This command is supported only for supervised devices that are in Lost Mode. |
Disable Lost Mode (supervised only) |
Lost Mode is disabled on the mobile device, and the device is unlocked. This command is supported only for supervised devices. |
Special rights and permissions are required for the execution of commands of Kaspersky Endpoint Security for Android. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required rights and permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, it will be impossible to execute commands.
On devices running Android 10 or later, the user must grant the "All the time" permission to access the location. On devices running Android 11 or later, the user must also grant the "While using the app" permission to access camera. Otherwise, Anti-Theft commands will not function. The user will be notified of this limitation and will again be prompted to grant the permissions of required level. If the user selects the "Only this time" option for the camera permission, access is considered granted by the app. It is recommended to contact the user directly if the Camera permission is requested again.
For the complete list of available commands, please refer to the "Commands for mobile devices" section. To learn more about sending commands from Administration Console, please refer to the "Sending commands" section.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Unlocking a mobile device
You can unlock a mobile device by using the following methods:
- Send the mobile device unlock command.
- Enter the one-time unlock code on the mobile device (only for Android devices).
On certain devices (for example, HUAWEI, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts. If the app is not added to the list, you can unlock the device only by using a one-time unlock code. You cannot use commands to unlock the device.
To learn more about sending commands from the list of mobile devices in Administration Console, please refer to the "Sending commands" section.
A one-time unlock code is a secret application code for unlocking the mobile device. The one-time code is generated by the application and is unique to each mobile device. You can change the length of the one-time code (4, 8 or 16 digits) in group policy settings in the Anti-Theft section.
To unlock the mobile device using a one-time code:
- In the console tree, select Mobile Device Management → Mobile devices.
- Select a mobile device for which you want to get a one-time unlock code.
- Open the mobile device properties window by double-clicking.
- Select Apps → Kaspersky Endpoint Security for Android.
- Open the Kaspersky Endpoint Security properties window by double-clicking.
- Select the Anti-Theft section.
- A unique code for the selected device is shown in the One-time code field of the One-time device unlock code section.
- Use any available method (such as email) to communicate the one-time code to the user of the locked device.
- The user enters the one-time code on the screen of the device that is locked by Kaspersky Endpoint Security for Android.
The mobile device is unlocked.
After unlocking a device running Android 5.0 – 6, the screen unlock password is reset to "1234". After unlocking a device running Android 7.0 or later, the screen unlock password is not changed.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Data encryption
To protect data against unauthorized access, you must enable encryption of all data on the device (for example, account credentials, external devices and apps, as well as email messages, SMS messages, contacts, photos, and other files). For access to encrypted data, you must specify a special key – device unlock password. If data is encrypted, access to it can be obtained only when the device is unlocked.
Data encryption is enabled by default on password-locked iOS devices (Settings > Touch ID / Face ID and Password > Enable Password). Also, the hardware encryption on a device must be set to At block and file level (you can check this parameter in the device properties: in the console tree, select Additional > Mobile Device Management > Mobile devices, and then double-click the required device).
To encrypt all data on an Android device:
- Enable screen lock on the Android device (Settings → Security → Screen lock).
- Set a device unlock password that is compliant with corporate security requirements.
It is not recommended to use a pattern lock for unlocking the device. On certain Android devices running Android 6 or later, after encrypting data and restarting the Android device, you must enter a numeric password to unlock the device instead of a pattern lock. This issue is related to the operation of the Accessibility Features service. To unlock the device screen in this case, convert the pattern lock into a numeric password. For more details about converting a pattern lock into a numeric password, please refer to the Technical Support website of the mobile device manufacturer.
- Enable encryption of all data on the device (Settings → Security → Encrypt data).
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Deleting data on Android devices after failed password entry attempts
You can configure deleting all data on an Android device (that is, resetting the device to factory settings) after the user makes too many failed attempts to enter the screen unlock password.
These settings apply to devices operating in device owner mode and to personal devices on which the Kaspersky Endpoint Security for Android app is enabled as a device administrator.
To configure wiping all data:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Anti-Theft section.
- In the Data wipe on device section, select the Wipe all data after failed attempts to enter unlock password check box.
- In the Maximum number of attempts to enter unlock password field, specify the number of attempts that the user can make to unlock the device. The default value is 8. The maximum available value is 20.
- Click the Apply button to save the changes you have made.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center. If the user exceeds the specified number of attempts to enter the correct screen unlock password, the Kaspersky Endpoint Security for Android app wipes all device data.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring device unlock password strength
To protect access to a user's mobile device, you should set a device unlock password.
This section contains information about how to configure password protection on Android and iOS devices.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring a strong unlock password for an Android device
To keep an Android device secure, you need to configure the use of a password for which the user is prompted when the device comes out of sleep mode.
You can impose restrictions on the user's activity on the device if the unlock password is weak (for example, lock the device). You can impose restrictions using the Compliance Control component. To do this, in the scan rule settings, you must select the Unlock password is not compliant with security requirements criterion.
On certain Samsung devices running Android 7.0 or later, when the user attempts to configure unsupported methods for unlocking the device (for example, a graphical password), the device may be locked if the following conditions are met: Kaspersky Endpoint Security for Android removal protection is enabled and screen unlock password strength requirements are set. To unlock the device, you must send a special command to the device.
To configure the use of an unlock password:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Device Management section.
- If you want the app to check whether an unlock password has been set, select the Require to set screen unlock password check box in the Screen lock section.
If the application detects that no system password has been set on the device, it prompts the user to set it. The password is set according to the parameters defined by the administrator.
- Specify the following options, if required:
- Minimum number of characters
- Minimum password complexity requirements (Android 12 or earlier in device owner mode)
- Maximum password age, in days
- Number of days to notify that a password change is required (for device owner mode)
- Number of recent passwords that can't be used as a new password (all Android versions; Android 10 or later in device owner mode)
- Period of inactivity before the device screen locks, in seconds
- Period after unlocking by biometric methods before entering a password, in minutes (Android 8.0 or later in device owner mode)
- Allow biometric unlock methods (Android 9 or later; Android 10 in device owner mode)
- Allow use of fingerprints (all Android versions; Android 10 in device owner mode)
- Allow face scanning (Android 9 or later; Android 10 in device owner mode)
- Allow iris scanning (Android 9 or later; Android 10 in device owner mode)
- Allow the device to start up before prompting the password
- Unlock password
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
On some HUAWEI devices, an issue message about too simple screen unlocking method appears.
To set a correct PIN code on a HUAWEI device, the user must do the following:
- In the issue message, tap the Edit button.
- Enter the current PIN code.
- In the Set new password window, tap the Change unlock method button.
- Select the Custom PIN unlock method.
- Set the new PIN code.
The PIN code must be compliant with policy requirements.
A correct PIN code is now set on the device.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring a strong unlock password for iOS MDM devices
To protect iOS MDM device data, configure the unlock password strength settings.
By default, the user can use a simple password. A simple password is a password that contains successive or repetitive characters, such as "abcd" or "2222". The user is not required to enter an alphanumeric password that includes special symbols. By default, the password validity period and the number of password entry attempts are not limited.
To configure the strength settings for an iOS MDM device unlock password:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Password section.
- In the Password settings section, select the Apply settings on device check box.
- Configure unlock password strength settings:
- To allow the user to use a simple password, select the Allow simple password check box.
- To require use of both letters and numbers in the password, select the Prompt for alphanumeric value check box.
- To require use of a password, select the Force use of password check box. If the check box is cleared, the mobile device can be used without a password.
- In the Minimum password length list, select the minimum password length in characters.
- In the Minimum number of special characters list, select the minimum number of special characters in the password (such as "$", "&", "!").
- In the Maximum password lifetime field, specify the period of time in days during which the password will stay current. When this period expires, Kaspersky Device Management for iOS prompts the user to change the password.
- In the Enable Auto-Lock in list, select the amount of time after which iOS MDM device Auto-Lock should be enabled.
- In the Password history field, specify the number of used passwords (including the current password) that Kaspersky Device Management for iOS will compare with the new password when the user changes the old password. If passwords match, the new password is rejected.
- In the Maximum time for unlock without password list, select the amount of time during which the user can unlock the iOS MDM device without entering the password.
- In the Maximum number of access attempts, select the number of access attempts that the user can make to enter the iOS MDM device unlock password.
- Click the Apply button to save the changes you have made.
As a result, once the policy is applied, Kaspersky Device Management for iOS checks the strength of the password set on the user's mobile device. If the strength of the device unlock password does not conform to the policy, the user is prompted to change the password.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring a virtual private network (VPN)
This section contains information on configuring virtual private network (VPN) settings for secure connection to Wi-Fi networks.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring VPN on Android devices (only Samsung)
To securely connect an Android device to Wi-Fi networks and protect data transfer, you should configure the settings for VPN (Virtual Private Network).
Configuration of VPN is possible only for Samsung devices running Android 11 or earlier.
The following requirements should be considered when using a virtual private network:
- The app that uses the VPN connection must be allowed in Firewall settings.
- Virtual private network settings configured in the policy cannot be applied to system applications. The VPN connection for system applications has to be configured manually.
- Some applications that use the VPN connection need to have additional settings configured at first startup. To configure settings, the VPN connection has to be allowed in application settings.
To configure VPN on a user's mobile device:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Manage Samsung KNOX → Manage Samsung devices section.
- In the VPN section, click the Configure button.
This opens the VPN network window.
- In the Connection type drop-down list, select the type of VPN connection.
- In the Network name field, enter the name of the VPN tunnel.
- In the Server address field, enter the network name or IP address of the VPN server.
- In the DNS search domain(s) list, enter the DNS search domain to be automatically added to the DNS server name.
You can specify several DNS search domains, separating them with blank spaces.
- In the DNS server(s) field, enter the full domain name or IP address of the DNS server.
You can specify several DNS servers, separating them with blank spaces.
- In the Routing field, enter the range of network IP addresses with which data is exchanged via the VPN connection.
If the range of IP addresses is not specified in the Routing field, all internet traffic will pass through the VPN connection.
- Additionally configure the following settings for networks of the IPSec Xauth PSK and L2TP IPSec PSK types:
- In the IPSec shared key field, enter the password for the preset IPSec security key.
- In the IPSec ID field, enter the name of the mobile device user.
- For an L2TP IPSec PSK network, additionally specify the password for the L2TP key in the L2TP key field.
- For a PPTP network, select the Use SSL connection check box so that the app will use the MPPE (Microsoft Point-to-Point Encryption) method of data encryption to secure data transmission when the mobile device connects to the VPN server.
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring VPN on iOS MDM devices
To connect an iOS MDM device to a virtual private network (VPN) and protect data during the connection to the VPN, configure the VPN connection settings. The IKEv2 and IPSec VPN protocols also let you set up a VPN connection for selected website domains in Safari.
To configure the VPN connection on a user's iOS MDM device:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the VPN section.
- Click the Add button in the VPN networks section.
This opens the VPN network window.
- In the Network name field, enter the name of the VPN tunnel.
- In the Connection type drop-down list, select the type of VPN connection:
- L2TP (Layer 2 Tunneling Protocol). The connection supports authentication of iOS MDM device user using MS-CHAP v2 passwords, two-factor authentication, and automatic authentication using a public key.
- PPTP (Point-to-Point Tunneling Protocol). The connection supports authentication of iOS MDM device user using MS-CHAP v2 passwords and two-factor authentication.
The PPTP connection is no longer supported.
- IKEv2 (Internet Key Exchange version 2). The connection establishes the Security Association (SA) attribute between two network entities and supports authentication using EAP (Extensible Authentication Protocols), shared secrets, and certificates.
- IPSec (Cisco). The connection supports password-based user authentication, two-factor authentication, and automatic authentication using a public key and certificates.
- Cisco AnyConnect. The connection supports the Cisco Adaptive Security Appliance (ASA) firewall of version 8.0(3).1 or later. To configure the VPN connection, install the Cisco AnyConnect app from App Store on the iOS MDM device.
- Juniper SSL. The connection supports the Juniper Networks SSL VPN gateway, Series SA, of version 6.4 or later with the Juniper Networks IVE package of version 7.0 or later. To configure the VPN connection, install the JUNOS app from App Store on the iOS MDM device.
- F5 SSL. The connection supports F5 BIG-IP Edge Gateway, Access Policy Manager, and Fire SSL VPN solutions. To configure the VPN connection, install the F5 BIG-IP Edge Client app from App Store on the iOS MDM device.
- SonicWALL Mobile Connect. The connection supports SonicWALL Aventail E-Class Secure Remote Access devices of version 10.5.4 or later, SonicWALL SRA devices of version 5.5 or later, as well as SonicWALL Next-Generation Firewall devices, including TZ, NSA, E-Class NSA with SonicOS of version 5.8.1.0 or later. To configure the VPN connection, install the SonicWALL Mobile Connect app from App Store on the iOS MDM device.
- Aruba VIA. The connection supports Aruba Networks mobile access controllers. To configure them, install the Aruba Networks VIA app from App Store on the iOS MDM device.
- Custom SSL. The connection supports authentication of the iOS MDM device user using passwords and certificates and two-factor authentication.
- In the Server address field, enter the network name or IP address of the VPN server.
- In the Account name field, enter the account name for authorization on the VPN server. You can use macros from the Macros available drop-down list.
- Configure the security settings for the VPN connection according to the selected type of virtual private network. For information about these settings, refer to the context help of the administration plug-in.
- For IKEv2 and IPsec connections, if necessary, set up Per App VPN functionality for supported system apps (Email, Calendar, Safari, and Contacts). For details, refer to the Configuring Per App VPN on iOS MDM devices section or the context help of the administration plug-in.
- If necessary, configure the settings of the VPN connection via a proxy server:
- Select the Proxy server settings tab.
- Select the proxy server configuration mode and specify the connection settings.
- Click OK.
As a result, the settings of the device connection to a VPN via a proxy server are configured on the iOS MDM device.
- Click OK.
The new VPN is displayed in the list.
- Click the Apply button to save the changes you have made.
As a result, a VPN connection will be configured on the user's iOS MDM device once the policy is applied.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring Per App VPN on iOS MDM devices
The Per App VPN functionality allows a device to establish a VPN connection when supported system apps (Email, Calendar, Safari, and Contacts) are launched. This functionality is available for IKEv2 and IPsec connections.
To enable the Per App VPN functionality:
- Perform the initial setup of the VPN connection. For more details on the pre-configuring process, please refer to the Configuring VPN on iOS MDM devices section.
- Select the Enable Per App VPN check box.
Set up Per App VPN for supported system apps (Email, Calendar, Safari, and Contacts) in the corresponding policy sections.
When you select the Enable Per App VPN check box, the Turn on VPN automatically for system apps check box becomes available and is also selected. This means that the device will automatically activate the VPN connection when associated system apps initiate network communication.
To specify the Per App VPN configuration for the Email, Calendar, and Contacts apps:
- Go to the corresponding policy section.
- Click Add to create a new account or select the existing account in the list and click Edit.
- In the Per App VPN settings section, select the Enable Per App VPN (iOS 14+) check box.
- Choose this Per App VPN configuration from the Select Per App VPN configuration drop-down list and click OK to save the changes.
To specify the Per App VPN configuration for Safari:
- Go to the Safari policy section.
- Click Add.
The Adding domain for Safari window opens.
- Choose this Per App VPN configuration from the Per App VPN configuration drop-down list.
- In the Domain for the VPN connection that will be activated field, specify the website domain that will trigger the VPN connection in Safari. The domain should be in the
"www.example.com"format. - Click OK to add the domain to the list.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring Firewall on Android devices (only Samsung)
Configure Firewall settings to monitor network connections on the user's mobile device.
To configure Firewall on a mobile device:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Manage Samsung KNOX → Manage Samsung devices section.
- In the Firewall window, click Configure.
The Firewall window opens.
- Select the Firewall mode:
- To allow all inbound and outbound connections, move the slider to Allow all.
- To block all network activity except that of apps on the list of exclusions, move the slider up to Block all but exceptions.
- If you have set the Firewall mode to Block all but exceptions, create a list of exclusions:
- Click Add.
This opens the Exclusion for Firewall window.
- In the App name field, enter the name of the mobile app.
- In the Package name field, enter the system name of the mobile app package (for example,
com.mobileapp.example). - Click OK.
- Click Add.
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Protecting Kaspersky Endpoint Security for Android against removal
For mobile device protection and compliance with corporate security requirements, you can enable protection against removal of Kaspersky Endpoint Security for Android. In this case, the user cannot remove the app using the Kaspersky Endpoint Security for Android interface. When removing the app using the tools of the Android operating system, you are prompted to disable administrator rights for Kaspersky Endpoint Security for Android. After disabling the rights, the mobile device will be locked.
On certain Samsung devices running Android 7.0 or later, when the user attempts to configure unsupported methods for unlocking the device (for example, a graphical password), the device may be locked if the following conditions are met: Kaspersky Endpoint Security for Android removal protection is enabled and screen unlock password strength requirements are set. To unlock the device, you must send a special command to the device.
To enable protection against removal of Kaspersky Endpoint Security for Android:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Additional section.
- In the Removal of Kaspersky Endpoint Security for Android section, clear the Allow removal of Kaspersky Endpoint Security for Android check box.
To protect the app from removal on devices running Android 7.0 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, the app is not protected from removal.
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. If an attempt is made to remove the app, the mobile device will be locked.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Detecting device hacks (root)
Kaspersky Secure Mobility Management enables you to detect device hacks (root). System files are unprotected on a hacked device and can therefore be modified. Moreover, third-party apps from unknown sources could be installed on hacked devices. Upon detection of a hack attempt, we recommend that you immediately restore normal operation of the device.
Kaspersky Endpoint Security for Android uses the following services to detect when a user obtains root privileges:
- Embedded service of Kaspersky Endpoint Security for Android. A Kaspersky service that checks whether a mobile device user has obtained root privileges (Kaspersky Mobile Security SDK).
If the device is hacked, you receive a notification. You can view hacking notifications in the workspace of the Administration Server on the Monitoring tab. You can also disable notifications about hacks in the event notification settings.
On devices running Android, you can impose restrictions on the user's activity on the device if the device is hacked (for example, lock the device). You can impose restrictions by using the Compliance Control component. To do this, in the compliance rule settings, select the Device has been rooted criterion.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring a global HTTP proxy on iOS MDM devices
To protect the user's internet traffic, configure the connection of the iOS MDM device to the internet via a proxy server.
Automatic connection to the internet via a proxy server is available for controlled devices only.
To configure global HTTP proxy settings on the user's iOS MDM device:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Global HTTP Proxy section.
- In the Global HTTP proxy settings section, select the Apply settings on device check box.
- Select the type of global HTTP proxy configuration.
By default, the manual type of global HTTP proxy configuration is selected, and the user is prohibited from connecting to captive networks without connecting to a proxy server. Captive networks are wireless networks that require preliminary authentication on the mobile device without connecting to the proxy server.
- To specify the proxy server connection settings manually:
- In the Proxy settings type drop-down list, select Manual.
- In the Proxy server address and port field, enter the name of a host or the IP address of a proxy server and the number of the proxy server port.
- In the User name field, set the user account name for proxy server authorization. You can use macros from the Macros available drop-down list.
- In the Password field, set the user account password for proxy server authorization.
- To allow the user to access captive networks, select the Allow access to captive networks without connecting to proxy check box.
- To configure the proxy server connection settings using a predefined PAC (Proxy Auto Configuration) file:
- In the Proxy settings type drop-down list, select Automatic.
- In the URL of PAC file field, enter the web address of the PAC file (for example: http://www.example.com/filename.pac).
- To allow the user to connect the mobile device to a wireless network without using a proxy server when the PAC file cannot be accessed, select the Allow direct connection if PAC file cannot be accessed check box.
- To allow the user to access captive networks, select the Allow access to captive networks without connecting to proxy check box.
- To specify the proxy server connection settings manually:
- Click the Apply button to save the changes you have made.
As a result, once the policy is applied, the mobile device user will connect to the internet via a proxy server.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Adding security certificates to iOS MDM devices
To simplify user authentication and ensure data security, add certificates on the user's iOS MDM device. Data signed with a certificate is protected against modification during network exchange. Data encryption using a certificate provides an added level of security for data. The certificate can be also used to verify the user's identity.
Kaspersky Device Management for iOS supports the following certificate standards:
- PKCS#1 – encryption with a public key based on RSA algorithms.
- PKCS#12 – storage and transmission of a certificate and a private key.
To add a security certificate on a user's iOS MDM device:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Certificates section.
- Click the Add button in the Certificates section.
The Certificate window opens.
- In the File name field, specify the path to the certificate:
Files of PKCS#1 certificates have the cer, crt, or der extensions. Files of PKCS#12 certificates have the p12 or pfx extensions.
- Click Open.
If the certificate is password-protected, specify the password. The new certificate appears in the list.
- Click the Apply button to save the changes you have made.
As a result, once the policy is applied, the user will be prompted to install certificates from the list that has been created.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Adding a SCEP profile to iOS MDM devices
You have to add a SCEP profile to enable the iOS MDM device user to automatically receive certificates from the Certification Center via the internet. The SCEP profile enables support of the Simple Certificate Enrollment Protocol.
A SCEP profile with the following settings is added by default:
- The alternative subject name is not used for registering certificates.
- Three attempts 10 seconds apart are made to poll the SCEP server. If all attempts to sign the certificate have failed, you have to generate a new certificate signing request.
- The certificate that has been received cannot be used for data signing or encryption.
You can edit the specified settings when adding the SCEP profile.
To add a SCEP profile:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the SCEP section.
- Click the Add button in the SCEP profiles section.
The SCEP profile window opens.
- In the Server web address field, enter the web address of the SCEP server on which the Certification Center is deployed.
The URL can contain the IP address or the full domain name (FQDN). For example, http://10.10.10.10/certserver/companyscep.
- In the Name field, enter the name of the Certification Center deployed on the SCEP server.
- In the Subject field, enter a string with the attributes of the iOS MDM device user that are contained in the X.500 certificate.
Attributes can contain details of the country (C), organization (O), and common user name (CN). For example: /C=RU/O=MyCompany/CN=User/. You can also use other attributes specified in RFC 5280.
- In the Type of alternative name of subject drop-down list, select the type of alternative name of the subject of the SCEP server:
- No – alternative name identification is not used.
- RFC 822 name – identification using the email address. The email address must be specified according to RFC 822.
- DNS name – identification using the domain name.
- URI – identification using the IP address or address in FQDN format.
You can use an alternative name of the subject for identifying the user of the iOS MDM device.
- In the Subject Alternative Name field, enter the alternative name of the subject of the X.500 certificate. The value of the subject alternative name depends on the subject type: the user's email address, domain, or web address.
- In the NT subject name field, enter the DNS name of the iOS MDM device user on the Windows NT network.
The NT subject name is contained in the certificate request sent to the SCEP server.
- In the Number of polling attempts on SCEP server field, specify the maximum number of attempts to poll the SCEP server to get the certificate signed.
- In the Frequency of attempts (sec) field, specify the period of time in seconds between attempts to poll the SCEP server to get the certificate signed.
- In the Registration request field, enter a pre-published registration key.
Before signing a certificate, the SCEP server requests the mobile device user to supply a key. If this field is left blank, the SCEP does not request the key.
- In the Key Size drop-down list, select the size of the registration key in bits: 1024 or 2048.
- If you want to allow the user to use a certificate received from the SCEP server as a signing certificate, select the Use for signing check box.
- If you want to allow the user to use a certificate received from the SCEP server for data encryption, select the Use for encryption check box.
It is prohibited to use the SCEP server certificate as a data signing certificate and a data encryption certificate at the same time.
- In the Certificate fingerprint field, enter a unique certificate fingerprint for verifying the authenticity of the response from the Certification Center. You can use certificate fingerprints with the SHA1 or MD5 hashing algorithm. You can copy the certificate fingerprint manually or select a certificate using the Create from certificate button. When the fingerprint is created using the Create from certificate button, the fingerprint is added to the field automatically.
The certificate fingerprint has to be specified if data exchange between the mobile device and the Certification Center takes place via the HTTP protocol.
- Click OK.
The new SCEP profile appears in the list.
- Click the Apply button to save the changes you have made.
As a result, once the policy is applied, the user's mobile device is configured to automatically receive a certificate from the Certification Center via the internet.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Restricting SD card usage (only Samsung)
Configure SD card settings to control usage of the SD card on the user's mobile device.
To restrict SD card usage on a mobile device:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Manage Samsung KNOX → Manage Samsung devices section.
- In the SD card settings section specify the needed restrictions:
- Click the Apply button to save the changes you have made.
SD card settings are now configured.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Management of mobile devices
This section contains information about how to remotely manage mobile devices in the Administration Console of Kaspersky Security Center.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Managing KES devices
In Kaspersky Security Center, you can manage KES mobile devices in the following ways:
- Centrally manage KES devices by using commands.
- View information about the settings for management of KES devices.
- Install applications by using mobile app packages.
- Disconnect KES devices from management.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Device owner mode
This section contains information about how to manage the settings of Android mobile devices in device owner mode. For information about device owner mode deployment, see here.
Device owner mode offers the following features and control options for Android mobile devices:
- Restrictions on Android operating system features
- Management of Google Chrome settings
- Silent installation of required apps and removal of blocked apps in App Control
- Kiosk mode
- Management of Exchange ActiveSync for Gmail
- NDES and SCEP integration
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Restricting Android features on devices
You can restrict Android operating system features in device owner mode. For example, you can restrict factory reset, changing credentials, use of Google Play and Google Chrome, file transfer over USB, changing location settings, and manage system updates.
You can restrict Android features in the Feature restrictions section.
To open the Feature restrictions section:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Device owner mode > Feature restrictions section.
Restrict device features
On the Device Features tab of the Feature restrictions section, you can enable or disable the following features:
- Prohibit factory reset
- Prohibit screen sharing, recording, and screenshots
- Prohibit changing language (Android 9 or later)
- Prohibit changing date, time, and time zone (Android 9 or later)
- Prohibit adding and removing Google accounts
- Prohibit adjusting volume and mute device
- Prohibit outgoing phone calls
- Prohibit sending and receiving SMS messages
- Prohibit changing credentials
- Prohibit keyguard camera
- Prohibit keyguard notifications
- Prohibit keyguard trust agents
- Disable keyguard swipe
- Prohibit adjusting brightness (Android 9 or later)
- Prohibit ambient display (Android 9 or later)
- Force screen on when plugged in to AC charger (Android 6 or later)
- Force screen on when plugged in to USB charger (Android 6 or later)
- Force screen on when plugged in to wireless charger (Android 6 or later)
- Prohibit changing wallpaper (Android 7.0 or later)
- Prohibit status bar (Android 6 or later)
- Prohibit adding users
- Prohibit switching user (Android 9 or later)
- Prohibit removing users
- Prohibit safe boot (Android 6 or later)
- Prohibit unmuting microphone
- Prohibit disabling microphone (Android 12 or later)
Restrict app features
On the Apps tab of the Feature restrictions section, you can enable or disable the following features:
- Prohibit use of camera
- Prohibit camera toggle (Android 12 or later)
- Prohibit use of Google Play
- Prohibit use of Google Chrome
- Prohibit use of Google Assistant
- Prohibit installation of apps from unknown sources
- Prohibit modification of apps in Settings
- Prohibit installation of apps
- Prohibit uninstallation of apps
- Prohibit disabling app verification
- Granting runtime permissions for apps
Restrict storage features
On the Storage tab of the Feature restrictions section, you can enable or disable the following features:
- Prohibit debugging features
- Prohibit mounting physical external media
- Prohibit file transfer over USB
- Prohibit backup service (Android 8.0 or later)
Restrict network features
On the Network tab of the Feature restrictions section, you can enable or disable the following features:
- Prohibit use of Wi-Fi
- Prohibit enabling/disabling Wi-Fi (Android 13 or later)
- Prohibit changing Wi-Fi settings
- Prohibit Wi-Fi Direct (Android 13 or later)
- Prohibit sharing pre-configured Wi-Fi networks (Android 13 or later)
- Prohibit adding Wi-Fi networks (Android 13 or later)
- Prohibit changing pre-configured Wi-Fi networks
- Prohibit airplane mode (Android 9 or later)
- Prohibit use of Bluetooth (Android 8.0 or later)
- Prohibit changing Bluetooth settings
- Prohibit outgoing data sharing over Bluetooth (Android 8.0 or later)
- Prohibit changing VPN settings
- Prohibit resetting network settings (Android 6 or later)
- Prohibit changing mobile network settings
- Prohibit use of cellular data while roaming (Android 7.0 or later)
- Prohibit use of Android Beam via NFC
- Prohibit use of tethering
Restrict location services
On the Location Services tab of the Feature restrictions section, you can configure the following settings:
- Prohibit use of location
- Prohibit sharing location
- Prohibit changing location settings (Android 9 or later)
Restrict system updates
Managing update settings on mobile devices is vendor-specific. On some Android devices, the restriction on manual installation of operating system updates may work incorrectly.
On the Updates tab of the Feature restrictions section, you can configure the following settings:
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring kiosk mode for Android devices
Kiosk mode is a Kaspersky Endpoint Security for Android feature that lets you limit the set of apps available to a device user, whether a single app or multiple apps. You can also efficiently manage some device settings.
The kiosk mode settings apply to devices managed via Kaspersky Endpoint Security for Android in device owner mode.
Kiosk mode does not affect the work of the Kaspersky Endpoint Security for Android app. It runs in the background, shows notifications, and can be updated.
Kiosk mode types
The following kiosk mode types are available in Kaspersky Endpoint Security:
- Single-app mode
Kiosk mode with only a single app. In this mode, a device user can open only one app that is allowed on the device and specified in the kiosk mode settings. If the app that you want to add to kiosk mode is not installed on the device, kiosk mode activates after the app is installed.
On devices with Android 9 or later, the app launches directly in kiosk mode.
On devices with Android 8.0 or earlier, the specified app must support kiosk mode functionality and call the
startLockTask()method itself to launch the app. - Multi-app mode
Kiosk mode with multiple apps. In this mode, a device user can open only the set of apps that are allowed on the device and specified in the kiosk mode settings.
Presettings
Pre-configuration for kiosk mode includes the following:
- Before specifying apps that are allowed to be run on the device in kiosk mode, you need first to add these apps in App Control > List of categories and apps and mark them as required. Then, they will appear in the App package list of the kiosk mode.
- Before activating kiosk mode, we recommend that you prohibit launching of Google Assistant by enabling the corresponding restriction in Policy > Device owner mode > Feature restrictions > Apps > Prohibit use of Google Assistant. Otherwise, Google Assistant launches in kiosk mode and allows non-trusted apps to be opened.
Open the kiosk mode settings
To open the kiosk mode settings:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Device owner mode → Kiosk mode section.
Configure single-app mode
To configure single-app mode:
- In the Kiosk mode drop-down list, select Single-app mode.
- In the App package drop-down list, select an app package with the app that is allowed to be run on the device.
- Specify any required restrictions. For available restrictions, see the "Kiosk mode restrictions" section below.
- Select the Allow navigation to additional apps check box if you want to add other apps that a device user can navigate to. For more details, see the Add additional apps section below.
- Click the Apply button to save the changes you have made.
Configure multi-app mode
To configure multi-app mode:
- In the Kiosk mode drop-down list, select Multi-app mode.
- Click Add, select apps that are allowed to be run on the device, and then click OK.
- Specify any required restrictions. For available restrictions, see the "Kiosk mode restrictions" section below.
- Select the Allow navigation to additional apps check box if you want to add other apps that a device user can navigate to. For more details, see the Add additional apps section below.
- Click the Apply button to save the changes you have made.
Kiosk mode restrictions
You can set the following restrictions in kiosk mode:
- Prohibit status bar (Android 9 or later)
- Prohibit Overview button (Android 9 or later)
- Prohibit Home button (Android 9 or later)
- Prohibit displaying system notifications (Android 9 or later)
Add additional apps
Besides locking the device to a single app or set of apps, you can also specify additional apps, that the main app can use. These additional apps provide full functionality of the apps added to kiosk mode. A device user cannot launch additional apps manually.
To add additional apps in the Kiosk mode section:
- Select the Allow navigation to additional apps check box.
- Click Add, specify the desired app package name, and then click OK. How to get the package name of an app
- Click the Apply button to save the changes you have made.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Connecting to an NDES/SCEP server
You can configure a connection to an NDES/SCEP server to obtain a certificate from a certificate authority (CA) using Simple Certificate Enrollment Protocol (SCEP). To do this, you need to set up a connection to the CA using SCEP and specify a certificate profile.
To add a connection to a certificate authority and specify a certificate profile:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Device owner mode > NDES and SCEP section.
- In the Connection to certificate authority (CA) section, click Add.
The Connection to certificate authority dialog appears.
- Specify the following settings, and then click OK:
- In the Certificate profiles section, click Add.
The Certificate profile dialog appears.
- Specify the following certificate profile settings and click OK:
- Click Apply to save the changes you have made.
Manage connections and certificate profiles
You can later edit or remove the added connections and certificate profile.
To edit a connection or certificate profile:
- Select the needed connection or certificate profile in the corresponding section.
- Click Edit, make the required changes, and click OK.
- Click Apply to save the changes you have made.
After you edit the certificate profile in policy settings, the corresponding certificate on the device is deleted automatically during the next synchronization with Administration server and a new certificate is installed.
To remove a connection or certificate profile:
- Select the needed connection or certificate profile in the corresponding section.
- Click Delete, and then click OK.
If you remove a certificate authority connection, all certificate profiles that use this connection are also removed.
- Click Apply to save the changes you have made.
After you delete the certificate profile in policy settings, the corresponding certificate on the device will be deleted automatically during the next synchronization with Administration server.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Enabling certificate-based authentication of KES devices
To enable certificate-based authentication of a KES device:
- Open the system registry of the client device that has Administration Server installed (for example, locally, using the regedit command in the Start → Run menu).
- Go to the following hive:
- For 32-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\.core\.independent\KLLIM
- For 64-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\.core\.independent\KLLIM
- For 32-bit systems:
- Create a key with the LP_MobileMustUseTwoWayAuthOnPort13292 name.
- Specify REG_DWORD as the key type.
- Set the key value on 1.
- Restart the Administration Server service.
Mandatory certificate-based authentication of the KES device using a shared certificate will be enabled after you run the Administration Server service.
The first connection of the KES device to the Administration Server does not require a certificate.
By default, certificate-based authentication of KES devices is disabled.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Creating a mobile applications package for KES devices
A Kaspersky Endpoint Security for Android license is required to create a mobile applications package for KES devices.
To create a mobile applications package:
- In the Remote installation folder of the console tree, select the Installation packages subfolder.
The Remote installation folder is a subfolder of the Advanced folder by default.
- Click the Help button and select Mobile apps packages are intended for installation on mobile devices without Kaspersky Security Center. For example, a mobile apps package can be sent to a user by email or can be published on a Web Server for further download and installation in the drop-down list.
- In the Mobile apps package management window, click the New button.
- The New package wizard starts. Follow the instructions of the wizard.
The newly created mobile applications package is displayed in the Mobile apps package management window.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Viewing information about a KES device
To view information about a KES device:
- In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.
- In the workspace, filter KES devices by protocol type (KES).
- Select the mobile device for which you want to view the information.
- From the context menu of the mobile device select Properties.
The properties window of the KES device opens.
The properties window of the mobile device displays information about the connected KES device.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Disconnecting a KES device from management
To disconnect a KES device from management, the user has to remove Network Agent from the mobile device. After the user has removed Network Agent, the mobile device details are removed from the Administration Server database, and the administrator can remove the mobile device from the list of managed devices.
To remove a KES device from the list of managed devices:
- In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.
- In the workspace, filter KES devices by protocol type (KES).
- Select the mobile device that you must disconnect from management.
- In the context menu of the mobile device, select Delete.
The mobile device is removed from the list of managed devices.
If Kaspersky Endpoint Security for Android has not been removed from the mobile device, that mobile device reappears in the list of managed devices after synchronization with the Administration Server.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Managing iOS MDM devices
This section describes advanced features for management of iOS MDM devices through Kaspersky Security Center. The application supports the following features for management of iOS MDM devices:
- Define the settings of managed iOS MDM devices in centralized mode and restrict features of devices through configuration profiles. You can add or modify configuration profiles and install them on mobile devices.
- Install apps on mobile devices by means of provisioning profiles, bypassing App Store. For example, you can use provisioning profiles for installation of in-house corporate apps on users' mobile devices. A provisioning profile contains information about an app and a mobile device.
- Install apps on an iOS MDM device through the App Store. Before installing an app on an iOS MDM device, you must add that app to an iOS MDM Server.
Every 24 hours, a push notification is sent to all connected iOS MDM devices in order to synchronize data with the iOS MDM Server.
For information about the configuration profile and the provisioning profile, as well as apps installed on an iOS MDM device, please refer to the properties window of the device.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Signing an iOS MDM profile by a certificate
You can sign an iOS MDM profile by a certificate. You can use a certificate that you issued yourself or you can receive a certificate from trusted certification authorities.
To sign an iOS MDM profile by a certificate:
- In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
- In the context menu of the Mobile devices folder, select Properties.
- In the properties window of the folder, select the Connection settings for iOS devices section.
- Click the Browse button under the Select certificate file field.
The Certificate window opens.
- In the Certificate type field, specify the public or private certificate type:
- If the PKCS #12 container value is selected, specify the certificate file and the password.
- If the X.509 certificate value is selected:
- Specify the private key file (one with the *.prk or *.pem extension).
- Specify the private key password.
- Specify the public key file (one with the *.cer extension).
- Click OK.
The iOS MDM profile is signed by a certificate.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Adding a configuration profile
To create a configuration profile, you can use Apple Configurator 2, which is available at the Apple Inc. website. Apple Configurator 2 works only on devices running macOS; if you do not have such devices at your disposal, you can use iPhone Configuration Utility on the device with Administration Console instead. However, Apple Inc. does not support iPhone Configuration Utility any longer.
To create a configuration profile using iPhone Configuration Utility and to add it to an iOS MDM Server:
- In the console tree, select the Mobile Device Management folder.
- In the workspace of the Mobile Device Management folder, select the Mobile Device Servers subfolder.
- In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
- In the context menu of the iOS MDM Server, select Properties.
The Mobile Device Server properties window opens.
- In the properties window of the iOS MDM Server, select the Configuration profiles section.
- In the Configuration profiles section, click the Create button.
The New configuration profile window opens.
- In the New configuration profile window, specify a name and ID for the profile.
The configuration profile ID should be unique; the value should be specified in Reverse-DNS format, for example, com.companyname.identifier.
- Click OK.
iPhone Configuration Utility then starts if you have it installed.
- Reconfigure the profile in iPhone Configuration Utility.
For a description of the profile settings and instructions on how to configure the profile, please refer to the documentation enclosed with iPhone Configuration Utility.
After you configure the profile with iPhone Configuration Utility, the new configuration profile is displayed in the Configuration profiles section in the properties window of the iOS MDM Server.
You can click the Modify button to modify the configuration profile.
You can click the Import button to load the configuration profile to a program.
You can click the Export button to save the configuration profile to a file.
The profile that you have created must be installed on iOS MDM devices.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Installing a configuration profile on a device
To install a configuration profile to a mobile device:
- In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.
- In the workspace, filter iOS MDM devices:
- Click the No filter specified, records total: <number> link.
- On the Management protocol list, select iOS MDM.
- Select the mobile device on which you want to install a configuration profile.
You can select multiple mobile devices to install the profile on them simultaneously.
- In the context menu of the mobile device, select Show command log.
- In the Mobile device <device name> management commands window, proceed to the Install profile section and click the Send command button.
You can also send the command to the mobile device by selecting All commands in the context menu of that mobile device, and then selecting Install profile.
The Select profiles window opens showing a list of profiles. Select from the list the profile that you want to install on the mobile device. You can select multiple profiles to install them on the mobile device simultaneously. To select the range of profiles, use the Shift key. To combine profiles into a group, use the CTRL key.
- Click OK to send the command to the mobile device.
When the command is executed, the selected configuration profile will be installed on the user's mobile device. If the command is successfully executed, the current status of the command in the command log will be shown as Done.
You can click the Resend button to send the command to the user's mobile device again.
You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.
The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.
- Click OK to close the Mobile device <device name> management commands window.
You can view the profile that you installed and remove it, if necessary.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Removing the configuration profile from a device
To remove a configuration profile from a mobile device:
- In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.
- In the workspace, filter iOS MDM devices:
- Click the No filter specified, records total: <number> link.
- On the Management protocol list, select iOS MDM.
- Select the mobile device from which you want to remove the configuration profile.
You can select multiple mobile devices to remove the profile from them simultaneously.
- In the context menu of the mobile device, select Show command log.
- In the Mobile device <device name> management commands window, proceed to the Remove profile section and click the Send command button.
You can also send the command to the mobile device by selecting All commands from the context menu of the device, and then selecting Remove profile.
The Remove profiles window opens showing a list of profiles.
- Select from the list the profile that you want to remove from the mobile device. You can select multiple profiles to remove them from the mobile device simultaneously. To select the range of profiles, use the Shift key. To combine profiles into a group, use the CTRL key.
- Click OK to send the command to the mobile device.
When the command is executed, the selected configuration profile will be removed from the user's mobile device. If the command is executed successfully, the current status of the command will be shown as Completed.
You can click the Resend button to send the command to the user's mobile device again.
You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.
The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.
- Click OK to close the Mobile device <device name> management commands window.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Adding a provisioning profile
To add a
to an iOS MDM Server:- In the console tree, open the Mobile Device Management folder.
- In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.
- In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
- In the context menu of the iOS MDM Server, select Properties.
The Mobile Device Server properties window opens.
- In the properties window of the iOS MDM Server, go to the Provisioning profiles section.
- In the Provisioning profiles section, click the Import button and specify the path to a provisioning profile file.
The profile will be added to the iOS MDM Server settings.
You can click the Export button to save the provisioning profile to a file.
You can install the provisioning profile that you imported on iOS MDM devices.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Installing a provisioning profile to a device
To install a provisioning profile on a mobile device:
- In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.
- In the workspace, filter iOS MDM devices:
- Click the No filter specified, records total: <number> link.
- On the Management protocol list, select iOS MDM.
- Select the mobile device on which you want to install the provisioning profile.
You can select multiple mobile devices to install the provisioning profile simultaneously.
- In the context menu of the mobile device, select Show command log.
- In the Mobile device <device name> management commands window, proceed to the Install provisioning profile section and click the Send command button.
You can also send the command to the mobile device by selecting All commands from the context menu of that mobile device, and then selecting Install provisioning profile.
The Select provisioning profiles window opens showing a list of provisioning profiles. Select from the list the provisioning profile that you want to install on the mobile device. You can select multiple provisioning profiles to install them on the mobile device simultaneously. To select the range of provisioning profiles, use the Shift key. To combine provisioning profiles into a group, use the Ctrl key.
- Click OK to send the command to the mobile device.
When the command is executed, the selected provisioning profile will be installed on the user's mobile device. If the command is successfully executed, its current status in the command log is shown as Completed.
You can click the Resend button to send the command to the user's mobile device again.
You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.
The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.
- Click OK to close the Mobile device <device name> management commands window.
You can view the profile that you installed and remove it, if necessary.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Removing a provisioning profile from a device
To remove a provisioning profile from a mobile device:
- In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.
- In the workspace, filter iOS MDM devices:
- Click the No filter specified, records total: <number> link.
- On the Management protocol list, select iOS MDM.
- Select the mobile device from which you want to remove the provisioning profile.
You can select multiple mobile devices to remove the provisioning profile from them simultaneously.
- In the context menu of the mobile device, select Show command log.
- In the Mobile device <device name> management commands window, proceed to the Remove provisioning profile section and click the Send command button.
You can also send the command to the mobile device by selecting All commands from the context menu and then selecting Remove provisioning profile.
The Remove provisioning profiles window opens showing a list of profiles.
- Select from the list the provisioning profile that you need to remove from the mobile device. You can select multiple provisioning profiles to remove them from the mobile device simultaneously. To select the range of provisioning profiles, use the Shift key. To combine provisioning profiles into a group, use the Ctrl key.
- Click OK to send the command to the mobile device.
When the command is executed, the selected provisioning profile will be removed from the user's mobile device. Applications that are related to the deleted provisioning profile will not be operable. If the command is executed successfully, the current status of the command will be shown as Completed.
You can click the Resend button to send the command to the user's mobile device again.
You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.
The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.
- Click OK to close the Mobile device <device name> management commands window.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring managed apps
Before installing an app on an iOS MDM device, you must add that app to an iOS MDM Server. An app is considered managed if it has been installed on a device through Kaspersky Endpoint Security. A managed app can be managed remotely by means of Kaspersky Endpoint Security.
To add a managed app to an iOS MDM Server:
- In the console tree, open the Mobile Device Management folder.
- In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.
- In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
- In the context menu of the iOS MDM Server, select Properties.
This opens the properties window of the iOS MDM Server.
- In the properties window of the iOS MDM Server, select the Managed applications section.
- Click the Add button in the Managed applications section.
The Add an application window opens.
- In the Add an application window, in the App name field, specify the name of the app to be added.
- In the Apple ID or link to manifest file field, specify the Apple ID of the application to be added, or specify a link to a manifest file that can be used to download the app.
- If you want a managed app to be removed from the user's mobile device along with the iOS MDM profile when removing the latter, select the Remove together with iOS MDM profile check box.
- If you want to block the app data backup through iTunes, select the Block data backup check box.
- If you want to configure settings of the managed app, click the App configuration button.
The App configuration window opens.
- In the App configuration window, click the Browse button to select and upload a configuration file in PLIST format.
To generate a configuration file, you may use a configuration generator (for example, https://appconfig.jamfresearch.com/generator) or refer to the official documentation on the app to be configured.
An example of configured basic parameters for the Microsoft Outlook app.
An example of a configuration file for the Microsoft Outlook app.
- After the PLIST file is imported, the app configuration will be displayed in the App configuration window.
You can change the configuration by editing the text of the PLIST file after its import.
- Click OK to apply the app configuration.
- Click OK once again to close the Add an application window.
The added app is displayed in the Managed applications section of the properties window of the iOS MDM Server.
It is also possible to change or delete the configuration of an already added app.
To change the configuration of a managed app:
- In the Managed applications section, select the managed app from the list, and then click the Modify button.
The Changing mobile app settings window opens.
- In the Changing mobile app settings window, click the App configuration button.
The App configuration window opens.
- Click the Browse button to select and upload a configuration file in PLIST format.
- If necessary, edit the text of the PLIST file after its import.
- Click OK to apply the app configuration.
- Click OK to close the Changing mobile app settings window.
Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.
To delete a managed app configuration:
- In the Managed applications section, select the managed app from the list, and then click the Modify button.
The Changing mobile app settings window opens.
- In the Changing mobile app settings window, click the Delete configuration button.
The applied configuration of the managed app is deleted.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Installing an app on a mobile device
To install an app on an iOS MDM mobile device:
- In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.
- In the workspace, filter iOS MDM devices:
- Click the No filter specified, records total: <number> link.
- On the Management protocol list, select iOS MDM.
- Select the mobile device on which you want to install an app.
You can select multiple mobile devices to install the application on them simultaneously.
- In the context menu of the mobile device, select Show command log.
- In the Mobile device <device name> management commands window, proceed to the Install app section and click the Send command button.
You can also send the command to the mobile device by selecting All commands in the context menu of that mobile device, and then selecting Install app.
The Select apps window opens showing a list of profiles. Select from the list the application that you want to install on the mobile device. You can select multiple applications to install them on the mobile device simultaneously. To select a range of apps, use the Shift key. To combine apps into a group, use the Ctrl key.
- Click OK to send the command to the mobile device.
When the command is executed, the selected application will be installed on the user's mobile device. If the command is successfully executed, its current status in the command log will be shown as Completed.
You can click the Resend button to send the command to the user's mobile device again. You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.
The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.
- Click OK to close the Mobile device <device name> management commands window.
Information about the application installed is displayed in the properties of the iOS MDM mobile device. You can remove the application from the mobile device through the command log or the context menu of the mobile device.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Removing an app from a device
To remove an app from a mobile device:
- In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.
- In the workspace, filter iOS MDM devices:
- Click the No filter specified, records total: <number> link.
- On the Management protocol list, select iOS MDM.
- Select the mobile device from which you want to remove the app.
You can select multiple mobile devices to remove the app from them simultaneously.
- In the context menu of the mobile device, select Show command log.
- In the Mobile device <device name> management commands window, proceed to the Remove app section and click the Send command button.
You can also send the command to the mobile device by selecting All commands in the context menu of that mobile device, and then selecting Remove app.
The Remove apps window opens showing a list of applications.
- Select from the list the app that you need to remove from the mobile device. You can select multiple apps to remove them simultaneously. To select a range of apps, use the Shift key. To combine apps into a group, use the Ctrl key.
- Click OK to send the command to the mobile device.
When the command is executed, the selected app will be removed from the user's mobile device. If the command is executed successfully, the current status of the command will be shown as Completed.
You can click the Resend button to send the command to the user's mobile device again.
You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.
The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.
- Click OK to close the Mobile device <device name> management commands window.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Installing and uninstalling apps on a group of iOS MDM devices
Kaspersky Security Center allows you to install and remove apps on iOS MDM devices by sending commands to these devices.
Selecting devices
To select iOS MDM devices on which apps should be installed or removed:
- In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.
- In the workspace, filter iOS MDM devices by protocol type (iOS MDM).
- Select the iOS MDM device on which apps should be installed or removed.
You can also select multiple devices and send commands simultaneously. To select a group of devices, do one of the following:
- To select all devices in the workspace, filter the list of devices as required and press Ctrl+A.
- To select a range of devices, hold down the Shift key, click the first device in the range, and then click the last device in the range.
- To select individual devices, hold down the Ctrl key and click devices you want to include in the group.
Installing apps on devices
Before installing an app on an iOS MDM device, you must add that app to an iOS MDM Server. For more information, refer to Adding a managed app.
To install apps on selected iOS MDM devices:
- Right-click the selected devices. In the context menu that appears, select All commands, and then select Install app.
For a single device, you can also select Show command log in the context menu, proceed to the Install app section, and click the Send command button.
The Select apps window opens showing a list of managed apps.
- Select the apps you want to install on iOS MDM devices. To select a range of apps, use the Shift key. To select multiple apps individually, use the Ctrl key.
- Click OK to send the command to the devices.
When the command is executed on a device, the selected apps are installed. If the command is successfully executed, the command log will show its current status as Completed.
Removing apps from devices
To remove apps from selected iOS MDM devices:
- Right-click the selected devices. In the context menu that appears, select All commands, and then select Remove app.
For a single device, you can also select Show command log in the context menu, proceed to the Remove app section, and click the Send command button.
The Remove apps window opens showing a list of previously installed apps.
- Select the apps you want to remove from iOS MDM devices. To select a range of apps, use the Shift key. To select multiple apps individually, use the Ctrl key.
- Click OK to send the command to the devices.
When the command is executed on a device, the selected apps are uninstalled. If the command is successfully executed, the command log will show its current status as Completed.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring roaming on an iOS MDM mobile device
To configure roaming:
- In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.
- In the workspace, filter iOS MDM devices:
- Click the No filter specified, records total: <number> link.
- On the Management protocol list, select iOS MDM.
- Select the mobile device owned by the user for whom you want to configure roaming.
You can select multiple mobile devices to configure roaming on them simultaneously.
- In the context menu of the mobile device, select Show command log.
- In the Mobile device <device name> management commands window, proceed to the Configure roaming section and click the Send command button.
You can also send the command to the mobile device by selecting All commands → Configure roaming from the context menu of the device.
- In the Roaming settings window, specify the relevant settings:
Roaming is configured for the selected devices.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Viewing information about an iOS MDM device
To view information about an iOS MDM device:
- In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.
- In the workspace, filter iOS MDM devices:
- Click the No filter specified, records total: <number> link.
- On the Management protocol list, select iOS MDM.
- Select the mobile device for which you want to view the information.
- From the context menu of the mobile device select Properties.
The properties window of the iOS MDM device opens.
The properties window of the mobile device displays information about the connected iOS MDM device.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Disconnecting an iOS MDM device from management
If you want to stop managing an iOS MDM device, you can disconnect it from management in Kaspersky Security Center.
As an alternative, you or the device owner can remove the iOS MDM profile from the device. However, after that you nevertheless must disconnect the device from management, as described in this section. Otherwise, you will not be able to start managing this device again.
To disconnect an iOS MDM device from the iOS MDM Server:
- In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.
- In the workspace, filter iOS MDM devices:
- Click the No filter specified, records total: <number> link.
- On the Management protocol list, select iOS MDM.
- Select the mobile device that you want to disconnect.
- In the context menu of the mobile device, select Delete.
The iOS MDM device is marked in the list for removal. Within one minute, the device is removed from the iOS MDM Server database, after which it is automatically removed from the list of managed devices.
After the iOS MDM device is disconnected from management, all installed configuration profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile option has been enabled in the iOS MDM Server settings, will be removed from the mobile device.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring kiosk mode for iOS MDM devices
Kiosk mode is an iOS feature that lets you limit the set of apps available to a device user to a single app. In this mode, a device user can open only one app that is allowed on the device and specified in the kiosk mode settings.
The kiosk mode settings apply to iOS MDM devices managed through Kaspersky Security Center.
Open the kiosk mode settings
To open the kiosk mode settings:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Kiosk mode section.
Configure kiosk mode
To enable kiosk mode:
- Click the Enable kiosk mode (supervised only) check box to activate kiosk mode on a supervised device.
- In the App's bundle ID field, enter the unique identifier of an app selected for kiosk mode (for example, com.apple.calculator). How to get the bundle ID of an app
To select a different app, you need to disable kiosk mode, save the changes to the policy, and enable kiosk mode for a new app.
The app that is selected for kiosk mode must be installed on the device. Otherwise, the device will be locked until kiosk mode is disabled.
The use of the selected app must also be allowed in the policy settings. If the use of the app is prohibited, kiosk mode will not be enabled until the selected app is removed from the list of forbidden apps.
In some cases, if the use of the selected app is prohibited in the policy settings, kiosk mode can still be enabled.
- Specify the settings that will be enabled on the device in kiosk mode. For available settings, see the "Kiosk mode settings" section below.
- Specify the settings that the user can edit on the device in kiosk mode.
- Click the Apply button to save the changes you have made.
Once the changes to the policy are saved, kiosk mode is enabled. The selected app is forced to open on a supervised device, while the use of other apps is prohibited. The selected app reopens immediately after the device is restarted.
To edit the kiosk mode settings, you need to disable kiosk mode, save changes to the policy, and then enable kiosk mode again with the new settings.
To disable kiosk mode:
- Select the Disable kiosk mode (supervised only) check box to deactivate kiosk mode on a supervised device.
- Click the Apply button to save the changes you have made.
Once the changes to the policy are saved, kiosk mode is disabled. The use of all apps is allowed on a supervised device.
Now, you can enable kiosk mode again with the new settings.
Kiosk mode settings
- Auto-Lock
- Touch (not recommended to disable)
- AssistiveTouch
- Voice Control
- VoiceOver
- Speak Selection
- Volume Buttons
- Mono Audio
- Zoom
- Auto-Rotate Screen
- Invert Colors
- Ring/Silent Switch
- Sleep/Wake Button
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Management of mobile device settings
This section contains information about how to remotely manage the settings of mobile devices in the Administration Console of Kaspersky Security Center.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring connection to a Wi-Fi network
This section provides instructions on how to configure automatic connection to a corporate Wi-Fi network on Android and iOS MDM devices.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Connecting Android devices to a Wi-Fi network
For an Android device to automatically connect to an available Wi-Fi network and protect data during the connection, you should configure the connection settings.
To connect the mobile device to a Wi-Fi network:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Wi-Fi section.
- In the Wi-Fi networks section, click Add.
This opens the Wi-Fi network window.
- In the Service set identifier (SSID) field, enter the name of the Wi-Fi network that includes the access point (SSID).
- Select the Hidden network check box if you want the Wi-Fi network to be hidden in the list of available networks on the device. In this case, to connect to the network the user needs to manually enter the Service set identifier (SSID) specified in the settings of the Wi-Fi router on the mobile device.
- Select the Automatic connection to network check box if you want the device to connect to the Wi-Fi network automatically.
- In the Network protection section, select the type of Wi-Fi network security (open or secure network protected with the WEP, WPA/WPA2 PSK, or 802.1.x EAP protocol).
The 802.1.x EAP security protocol is supported only in the Kaspersky Endpoint Security for Android app version 10.48.1.1 or later. The WEP protocol is supported only on Android 9 or earlier.
- If you selected the 802.1.x EAP security protocol, specify the following network protection settings:
- In the Password field, set a network access password if you selected a secure network at step 9.
- Select the Use proxy server option if you want to use a proxy server to connect to a Wi-Fi network. Otherwise, select the Do not use proxy server option.
- If you selected Use proxy server, in the Proxy server address and port field, enter the IP address or DNS name of the proxy server and port number, if necessary.
On devices running Android version 8.0 or later, settings of the proxy server for Wi-Fi cannot be redefined with the policy. However, you can manually configure the proxy server settings for a Wi-Fi network on the mobile device.
If you are using a proxy server to connect to a Wi-Fi network, you can use a policy to configure the settings for connecting to the network. On devices running Android 8.0 or later, you must manually configure the proxy server settings. On devices running Android 8.0 or later, you cannot use a policy to change the Wi-Fi network connection settings, except for the network access password.
If you are not using a proxy server to connect to a Wi-Fi network, there are no limitations on using policies to manage a Wi-Fi network connection.
- In the Do not use proxy server for addresses field, generate a list of web addresses that can be accessed without the use of the proxy server.
For example, you can enter the address
example.com. In this case, the proxy server will not be used for the addressespictures.example.com,example.com/movies, etc. The protocol (for example,http://) can be omitted.On devices running Android version 8.0 or later, the proxy server exclusion for web addresses does not work.
- Click OK.
The added Wi-Fi network is displayed in the list of Wi-Fi networks.
This list contains the names of suggested wireless networks.
On personal devices running Android 10 or later, the operating system prompts the user to connect to such networks. Suggested networks don't appear on the saved networks list on these devices.
On devices operating in device owner mode and personal devices running Android 9 or earlier, after synchronizing the device with the Administration Server, the device user can select a suggested wireless network in the saved networks list and connect to it without having to specify any network settings.
You can modify or delete Wi-Fi networks in the list of networks using the Edit and Delete buttons at the top of the list.
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
On devices running Android version 10 or later, if a user refuses to connect to the suggested Wi-Fi network, the app's permission to change Wi-Fi state is revoked. The user must grant this permission manually.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Connecting iOS MDM devices to a Wi-Fi network
For an iOS MDM device to automatically connect to an available Wi-Fi network and protect data during the connection, you should configure the connection settings.
To configure the connection of an iOS MDM device to a Wi-Fi network:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Wi-Fi section.
- Click the Add button in the Wi-Fi networks section.
This opens the Wi-Fi network window.
- In the Service set identifier (SSID) field, enter the name of the Wi-Fi network that includes the access point (SSID).
- If you want the iOS MDM device to connect to the Wi-Fi network automatically, select the Automatic connection check box.
- To make it impossible to connect iOS MDM devices to a Wi-Fi network requiring preliminary authentication (captive network), select the Disable captive networks detection check box.
To use a captive network, you must subscribe, accept an agreement, or make a payment. Captive networks may be deployed in cafes and hotels, for example.
- If you want the Wi-Fi network to be hidden in the list of available networks on the iOS MDM device, select the Hidden Network check box.
In this case, to connect to the network the user needs to manually enter the Service set identifier (SSID) specified in the settings of the Wi-Fi router on the mobile device.
- In the Network protection drop-down list, select the type of protection of the Wi-Fi network connection:
- Disabled. User authentication is not required.
- WEP. The network is protected using Wireless Encryption Protocol (WEP).
- WPA/WPA2 (Personal). The network is protected using WPA / WPA2 protocol (Wi-Fi Protected Access).
- WPA2 (Personal). The network is protected using WPA2 protocol (Wi-Fi Protected Access 2.0). WPA2 protection is available on devices running iOS version 8 or later. WPA2 is not available on Apple TV devices.
- Any (Personal). The network is protected using the WEP, WPA or WPA2 encryption protocol depending on the type of Wi-Fi router. An encryption key unique to each user is used for authentication.
- WEP (Dynamic). The network is protected using the WEP protocol with the use of a dynamic key.
- WPA/WPA2 (Enterprise). The network is protected using the WPA/WPA2 encryption protocol with use of the 802.1X protocol.
- WPA2 (Enterprise). The network is protected using the WPA2 encryption protocol with the use of one key shared by all users (802.1X). WPA2 protection is available on devices running iOS version 8 or later. WPA2 is not available on Apple TV devices.
- Any (Enterprise). The network is protected using WEP or WPA / WPA2 protocol depending on the type of Wi-Fi router. One encryption key shared by all users is used for authentication.
If you have selected WEP (Dynamic), WPA/WPA2 (Enterprise), WPA2 (Enterprise) or Any (Enterprise) in the Network protection list, in the Protocols section you can select the types of EAP protocols (Extensible Authentication Protocol) for user identification on the Wi-Fi network.
In the Trusted certificates section, you can also create a list of trusted certificates for authentication of the iOS MDM device user on trusted servers.
- Configure the settings of the account for user authentication upon connection of the iOS MDM device to the Wi-Fi network:
- In the Authentication section, click the Configure button.
The Authentication window opens.
- In the User name field, enter the account name for user authentication upon connection to the Wi-Fi network.
- To require the user to enter the password manually upon every connection to the Wi-Fi network, select the Prompt for password at each connection check box.
- In the Password field, enter the password of the account for authentication on the Wi-Fi network.
- In the Authentication certificate drop-down list, select a certificate for user authentication on the Wi-Fi network. If the list does not contain any certificates, you can add them in the Certificates section.
- In the User ID field, enter the user ID displayed during data transmission upon authentication instead of the user's real name.
The user ID is designed to make the authentication process more secure, as the user name is not displayed openly, but transmitted via an encrypted TLS tunnel.
- Click OK.
As a result, the settings of the account for user authentication upon connection to the Wi-Fi network will be configured on the iOS MDM device.
- In the Authentication section, click the Configure button.
- If necessary, configure the settings of the Wi-Fi network connection via a proxy server:
- In the Proxy server section, click the Configure button.
- In the Proxy server window that opens, select the proxy server configuration mode and specify the connection settings.
- Click OK.
As a result, the settings of the device connection to the Wi-Fi network via a proxy server are configured on the iOS MDM device.
- Click OK.
The new Wi-Fi network is displayed in the list.
- Click the Apply button to save the changes you have made.
As a result, a Wi-Fi network connection will be configured on the user's iOS MDM device once the policy is applied. The user's mobile device will automatically connect to available Wi-Fi networks. Data security during a Wi-Fi network connection is ensured by the authentication technology.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring email
This section contains information on configuring mailboxes on mobile devices.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring a mailbox on iOS MDM devices
To enable an iOS MDM device user to work with email, add the user's email account to the list of accounts on the iOS MDM device.
By default, the email account is added with the following settings:
- Email protocol – IMAP.
- The user can move email messages between the user's accounts and synchronize account addresses.
- The user can use any email clients (other than Mail) to use email.
- The SSL connection is not used during transmission of messages.
You can edit the specified settings when adding the account.
To add an email account of the iOS MDM device user:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Email.
- Click the Add button in the Email account section.
The Email account window opens.
- In the Description field, enter a description of the user's email account.
- Select the email protocol:
- POP
- IMAP
- If necessary, specify the IMAP path prefix in the IMAP path prefix field.
The IMAP path prefix must be entered using upper-case letters (for example: GMAIL for Google Mail). This field is available if the IMAP account protocol is selected.
- In the User name as displayed in messages field, enter the user name to be displayed in the From: field for all outgoing messages.
- In the Email address field, specify the email address of the iOS MDM device user.
- Configure Additional Settings of the email account:
- To allow the user to move email messages between the user's accounts, select the Allow movement of messages between accounts check box.
If you want to prohibit saving, moving, and sharing attachments from a corporate mailbox, clear the Allow movement of messages between accounts, Allow non-managed apps to use documents from managed apps, and Allow managed apps to use documents from non-managed apps check boxes.
- To allow the email addresses used to be synchronized among user accounts, select the Allow sync of recent addresses check box.
- To allow a user to use the Mail Drop service to forward large-sized attachments, select the Allow Mail Drop check box.
- To allow the user to use only the standard iOS mail client, select the Allow use of only Mail app check box.
- To allow the user to move email messages between the user's accounts, select the Allow movement of messages between accounts check box.
- Configure the settings for using the S/MIME protocol in the Mail app. S/MIME is a protocol for transmitting digitally signed encrypted messages.
- To use the S/MIME protocol to sign outgoing mail, select the Sign messages check box and select a certificate for the signature. A digital signature confirms the authenticity of the sender and indicates that the contents of the message have not been modified during transmission to the recipient. A message signature is available on devices running iOS version 10.3 or later.
- To use the S/MIME protocol to encrypt outgoing mail, select the Encrypt messages by default check box and select a certificate for encryption (public key). Message encryption is available on devices running iOS version 10.3 or later.
- To enable a user to encrypt individual messages, select the Show toggle button for encrypting messages check box. To send encrypted messages, the user must click the
icon in the Mail app in the To field.
- In the Inbound mail server and Outbound mail server sections, click the Settings button to configure the server connection settings:
- Server address and port: Names of hosts or IP addresses of inbound mail servers and outbound mail servers and server port numbers.
- Account name: Name of the user's account for inbound and outbound mail server authorization.
- Authentication type: Type of user's email account authentication on inbound mail servers and outbound mail servers.
- Password: Account password for authentication on the inbound and outbound mail server protected using the selected authentication method.
- Use one password for incoming and outgoing mail servers: use one password for user authentication on incoming and outgoing mail servers.
- Use SSL connection: usage of the SSL (Secure Sockets Layer) data transport protocol that uses encryption and certificate-based authentication to secure data transmission.
- Click OK.
The new email account appears in the list.
- Click the Apply button to save the changes you have made.
As a result, once the policy is applied, email accounts from the compiled list will be added on the user's mobile device.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring an Exchange mailbox on iOS MDM devices
To enable the iOS MDM device user to use corporate email, calendar, contacts, notes, and tasks, add the user's Exchange ActiveSync account on the Microsoft Exchange server.
By default, an account with the following settings is added on the Microsoft Exchange server:
- Email is synchronized once per week.
- The user can move messages between the user's accounts and synchronize account addresses.
- The user can use any email clients (other than Mail) to use email.
- The SSL connection is not used during transmission of messages.
You can edit the specified settings when adding the Exchange ActiveSync account.
To add the Exchange ActiveSync account of the iOS MDM device user:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Exchange ActiveSync section.
- Click the Add button in the Exchange ActiveSync accounts section.
The Exchange ActiveSync account window opens on the General tab.
- In the Account name field, enter the account name for authorization on the Microsoft Exchange server. You can use macros from the Macros available drop-down list.
- In the Server address field, enter the network name or IP address of the Microsoft Exchange server.
- To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of data, select the Use SSL connection check box.
- In the Domain field, enter the name of the iOS MDM device user's domain. You can use macros from the Macros available drop-down list.
- In the Account User Name field, enter the name of the iOS MDM device user.
If you leave this field blank, Kaspersky Device Management for iOS prompts the user to enter the user name when applying the policy on the iOS MDM device. You can use macros from the Macros available drop-down list.
- In the Email address field, specify the email address of the iOS MDM device user. You can use macros from the Macros available drop-down list.
- In the Password field, enter the password of the Exchange ActiveSync account for authorization on the Microsoft Exchange server.
- Select the Additional tab and configure the additional settings of the Exchange ActiveSync account:
- Number of Days to Sync Mail for <time period>.
- Authentication type.
- Allow movement of messages between accounts.
If you want to prohibit saving, moving, and sharing attachments from a corporate mailbox, clear the Allow movement of messages between accounts, Allow non-managed apps to use documents from managed apps, and Allow managed apps to use documents from non-managed apps check boxes.
- Allow sync of recent addresses.
- Allow use of only Mail app.
- Configure the settings for using the S/MIME protocol in the Mail app. S/MIME is a protocol for transmitting digitally signed encrypted messages.
- To use the S/MIME protocol to sign outgoing mail, select the Sign messages check box and select a certificate for the signature. A digital signature confirms the authenticity of the sender and indicates that the contents of the message have not been modified during transmission to the recipient. A message signature is available on devices running iOS version 10.3 or later.
- To use the S/MIME protocol to encrypt outgoing mail, select the Encrypt messages by default check box and select a certificate for encryption (public key). Message encryption is available on devices running iOS version 10.3 or later.
- To enable a user to encrypt individual messages, select the Show toggle button for encrypting messages check box. To send encrypted messages, the user must click the icon in the Mail app in the To field.
- Click OK.
The new Exchange ActiveSync account appears in the list.
- Click the Apply button to save the changes you have made.
As a result, once the policy is applied, Exchange ActiveSync accounts from the compiled list will be added on the user's mobile device.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring an Exchange mailbox on Android devices (only Samsung)
To work with corporate mail, contacts, and the calendar on the mobile device, you should configure the Exchange mailbox settings (available only on Android 9 and earlier).
Configuration of an Exchange mailbox is possible only for Samsung devices.
To configure an Exchange mailbox on a mobile device:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Manage Samsung KNOX → Manage Samsung devices section.
- In the Exchange ActiveSync window, click the Configure button.
The Exchange mail server settings window opens.
- In the Server address field, enter the IP address or DNS name of the server hosting the mail server.
- In the Domain field, enter the name of the mobile device user's domain on the corporate network.
- In the Synchronization interval drop-down list, select the desired interval for mobile device synchronization with the Microsoft Exchange server.
- To use the SSL (Secure Sockets Layer) data transport protocol, select the Use SSL connection check box.
- To use digital certificates to protect data transfer between the mobile device and the Microsoft Exchange server, select the Verify server certificate check box.
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring device status in Kaspersky Security Center
To configure the device status in Kaspersky Security Center:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
- In the policy properties window, select the Device information section.
- In the window that opens, select the OK, Critical, or Warning status for each of the following conditions:
- Real-time protection is not running
- Web Protection is not running
- App Control is not running
- Device lock is not available
- Device locate is not available
- The versions of the KSN Statement do not match
- The versions of the Marketing Statement do not match
- Click the OK button.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Managing app configurations
This section provides instructions on how to manage settings and edit configurations of the apps installed on your users' devices.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Managing Google Chrome settings
The Google Chrome settings section lets you manage settings of Google Chrome installed in Android work profile or on devices managed via the Kaspersky Endpoint Security for Android app in device owner mode.
To open the Google Chrome settings section:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the App configuration > Google Chrome settings section.
Manage content settings
On the Content tab of the Google Chrome settings section, you can specify the following content settings:
- Set default cookie settings
- Allow cookies on these sites
- Block cookies on these sites
- Allow cookies on these sites for one session only
- Set default JavaScript settings
- Allow JavaScript on these sites
- Block JavaScript on these sites
- Set default pop-up settings (based on Google abusive pop-ups database)
- Allow pop-ups on these sites
- Block pop-ups on these sites (based on Google abusive pop-ups database)
- Set user location tracking settings
Manage proxy settings
On the Proxy tab of the Google Chrome settings section, you can specify the following proxy settings:
Manage search settings
On the Search tab of the Google Chrome settings section, you can specify the following search settings:
- New tab URL
- Parameters for search URL that uses POST
- Parameters for suggest URL that uses POST
- Parameters for image URL that uses POST
Manage password settings
On the Passwords tab of the Google Chrome settings section, you can specify the following password settings:
Manage page settings
On the Pages tab of the Google Chrome settings section, you can specify the following page settings:
Manage other settings
On the Other tab of the Google Chrome settings section, you can specify the following settings:
- Enable printing
- Set Google Safe Browsing settings
- Disable saving browser history
- Disable proceeding from Google Safe Browsing warning page
- Enable network prediction
- Set Restricted Mode for YouTube
- Set availability of Incognito mode
- Enable search suggestions
- Set translation settings
- Enable bookmark editing
- Managed bookmarks
- Block access to these URLs
- Allow access to these URLs (exceptions to blocked URLs)
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Managing Exchange ActiveSync for Gmail
The Exchange ActiveSync section lets you manage Exchange ActiveSync settings for Gmail installed in Android work profile or on devices managed via the Kaspersky Endpoint Security for Android app in device owner mode.
To open the Exchange ActiveSync section:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the App configuration > Exchange ActiveSync section.
- Specify the following settings:
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring other apps
The Other apps section lets you configure apps installed on devices managed via the Kaspersky Endpoint Security for Android app in device owner mode or to apps installed in Android work profile.
When configuring some apps, the certificates installed on devices via the Kaspersky Security Center can be used. In this case, you need to specify a certificate alias in the app configuration:
VpnCertfor VPN certificates.MailCertfor mail certificates.SCEP_profile_namefor certificates received by using SCEP.
To configure apps via the Other apps section:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the App configuration > Other apps section.
- In the List of apps configurations section, click the Add button.
The Add app configuration window opens.
- In the window that opens, specify the following parameters:
- In the same window, select how to add configuration:
An example of configured basic parameters for the Microsoft Outlook app.
- Click OK to apply the configuration.
The configuration appears in the List of apps configurations.
- Click the Apply button to save the changes you have made.
The configuration is applied. Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
To change an app configuration:
- In the Other apps section, select the app from the list, and then click the Edit button.
The Edit app configuration window opens.
- In the Edit app configuration window, you can edit a configuration of the selected app:
- To upload a new APK file from your computer, click the Select button.
- To add a new setting to the configuration, click the Add button below all the settings, and then specify the required parameters.
- To delete a setting added manually, click the X button in the upper right corner of the setting's field.
- Click OK to close the Edit app configuration window.
- Click the Apply button to save the changes you have made.
The applied configuration is edited. Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
To enable or disable the app configuration:
- In the Other apps section, select the app from the list.
- Do either of the following:
- Switch the toggle button to On to enable the configuration.
- Switch the toggle button to Off to disable the configuration.
- Click the Apply button to save the changes you have made.
The applied configuration is edited. Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
To delete an app configuration:
- In the Other apps section, select the app from the list, and then click the Delete button.
- Click the Apply button to save the changes you have made.
The applied configuration is deleted. Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Managing app permissions
The App permission management section lets you configure rules for granting runtime permissions to apps installed on devices managed via the Kaspersky Endpoint Security for Android app in device owner mode or to apps installed in an Android work profile.
You can configure rules for granting runtime permissions by creating or editing configuration files for specific apps.
Permission granting rules configured for specific apps have precedence over the general policy for granting permissions to apps installed on devices or in the Android work profile. For example, if you first select the Deny permissions automatically option in an Android work profile section, and then select the Grant permissions automatically option for a specific app in the App permission management section, the permission for this app will be granted automatically.
To add app permissions:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the App permission management section.
- Click the Add button.
The Add permission granting rules window opens.
- Select how to add a configuration with permission granting rules:
- Specify the following parameters:
- Click the Add permission button to open the block of the app permission configuration. You can add several permissions.
Select one of the following permissions.
To configure granting rules for app runtime permissions, you need to select one of the following actions for each permission:
You can save only one granting rule for each app permission.
- Click OK to apply the configuration.
The configuration appears in the List of app permissions.
- Click the Apply button to save your changes.
The configuration with permission granting rules is applied. Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
To edit app permissions:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the App permission management section.
- Select the app in the List of app permissions block, and then click the Edit button.
The Edit permission granting rules window opens.
- Edit the selected permission granting rule as follows:
- To add a new permission to the configuration, click the Add permission button below all the settings, and then select a permission and an action to be performed for this permission.
You can add several permissions.
- To edit an action for an existing permission, select another action in the list.
- To delete a permission that was added manually, click the X button in the upper right corner of the permission's field.
- To add a new permission to the configuration, click the Add permission button below all the settings, and then select a permission and an action to be performed for this permission.
- Click OK to close the Edit permission granting rules window.
- Click the Apply button to save your changes.
The edited configuration with permission granting rules is applied. Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
To delete app permissions:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the App permission management section.
- Select the app from the List of app permissions block, and then click the Delete button.
- Click the Apply button to save your changes.
The configured permissions for the selected app are deleted. Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Creating a report on installed mobile apps
The Report on installed mobile apps lets you get the detailed information about the apps installed on users' Android devices, save this information to a file, send it by email, and print it.
To allow the report to display information, the Send data on installed apps check box in the App Control section must be selected and the An app has been installed or removed (list of installed apps) informational event type must be stored in the Administration Server database.
To enable sending data:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the App Control section.
- In the Report on installed mobile apps section, select the Send data on installed apps check box.
The following settings are now available:
- Select the Send data on system apps check box to send information about system apps. If a system app is configured in the App Control settings, its data is sent regardless of the state of this check box.
- Select the Send data on service apps check box to send information about service apps without interface. If a service app is configured in the App Control settings, its data is sent regardless of the state of this check box.
- Click the Apply button to apply your changes.
- In the policy Properties window, select the Event Configuration section.
- In the workspace of the section, select the Info tab.
- Open the An app has been installed or removed (list of installed apps) event properties by double-clicking any column.
- In the event's Properties window, select the Store in the Administration Server database for (days) check box and set the storage period. By default, the storage period is 30 days.
After the storage period expires, the Administration Server deletes outdated information from the database. For more information about events, please refer to the Kaspersky Security Center Help.
- Click OK to save your changes.
Sending data is enabled.
To configure a report on installed mobile apps:
- In the console tree, go to the Administration Server folder.
- In the workspace of the Administration Server folder, select the Reports tab.
- In the context menu of the report template named Report on installed mobile apps, select Properties.
- In the window that opens, edit the report template properties:
- In the General section, specify the following parameters:
- Report template name.
- Maximum number of entries to display
- Print version
- In the Fields section, select the fields that will be displayed in the report, and the order of these fields, and configure whether the report should be sorted and filtered by each of the fields.
- In the Group section, change the set of client devices the report is created for.
- In the Hierarchy of Administration Servers section, specify the following parameters:
- In the General section, specify the following parameters:
- Click OK to save your changes.
The updated report template appears in the list of report templates.
To create and view a report on installed mobile apps:
- In the console tree, go to the Administration Server folder.
- In the workspace of the Administration Server folder, select the Reports tab.
- Select the report template named Report on installed mobile apps by double-clicking any column.
The report on installed mobile apps opens.
This report displays the following data:
For more information about using reports, managing custom report templates, using report templates to generate new reports, and creating report delivery tasks, please refer to the Kaspersky Security Center Help.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Installing root certificates on Android devices
A root certificate is a public key certificate issued by a trusted certificate authority (CA). Root certificates are used to verify custom certificates and guarantee their identity.
Kaspersky Security Center lets you add root certificates to be installed on Android devices to a trusted certificate store.
These certificates are installed on user devices as follows:
- On devices operating in device owner mode, the certificates are installed automatically.
If you delete a root certificate in policy settings, it will also be automatically deleted on the device during the next synchronization with the Administration Server.
- On personal devices (not operating in device owner mode):
- If a work profile was not created, the device user is prompted to install each certificate manually in a personal profile by following the instructions in the notification.
- If a work profile was created, the certificates are installed automatically to this profile. If the Duplicate installation of root certificates in personal profile check box is selected in work profile settings, the certificates can also be installed in a personal profile. The device user is prompted to do this manually by following the instructions in the notification.
If you delete a root certificate in policy settings, it will also be automatically deleted on the device during the next synchronization with the Administration Server.
For instructions on how to install certificates in personal profiles, please refer to Installing root certificates on the device.
To add a root certificate in Kaspersky Security Center:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Root certificates section.
- In the Root certificates section, click Add.
The file explorer opens.
- Select a certificate file (.cer, .pem, or .key) and click Open.
The Certificate window opens.
- View the certificate information and click Install Certificate.
This starts the standard Certificate Import Wizard.
- Follow the wizard's instructions.
After the wizard is finished, the root certificate appears in the list of certificates.
- Click the Apply button to save the changes you have made.
Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring notifications for Kaspersky Endpoint Security for Android
If you do not want the mobile device user to be distracted by Kaspersky Endpoint Security for Android notifications, you can disable certain notifications.
The Kaspersky Endpoint Security uses the following tools to display the device protection status:
- Protection status notification. This notification is pinned to the notification bar. Protection status notification cannot be removed. The notification displays the device protection status (for example,
) and number of issues, if any. You can tap the device protection status and see the list issues in the app. - App notifications. These notifications inform the device user about the application (for example, threat detection).
- Pop-up messages. Pop-up messages require action from the device user (for example, action to take when a threat is detected).
All Kaspersky Endpoint Security for Android notifications are enabled by default.
On Android 13, the device user should grant permission to send notifications during the Initial Configuration Wizard or later.
An Android device user can disable all notifications from Kaspersky Endpoint Security for Android in the settings on the notification bar. If notifications are disabled, the user does not monitor the operation of the app and can ignore important information (for example, information about failures during device synchronization with Kaspersky Security Center). In this case, to find out the app operating status, the user must open Kaspersky Endpoint Security for Android.
To configure the display of notifications about the operation of Kaspersky Endpoint Security for Android:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Additional section.
- In the App notifications section, click the Configure button.
The Device notification settings window opens.
- Select the Kaspersky Endpoint Security for Android issues that you want to hide on the user's mobile device and click the OK button.
The Kaspersky Endpoint Security for Android will not display issues in the protection status notification. The Kaspersky Endpoint Security for Android will continue to display protection status notification and app notifications.
Certain Kaspersky Endpoint Security for Android issues are mandatory and impossible to disable (such as issues about license expiration).
- To hide all notifications and pop-up messages, select the Disable notifications and pop-ups when app is background mode.
Kaspersky Endpoint Security for Android will display the protection status notification only. The notification displays device protection status (for example,
) and number of issues. Also the app display notifications when user is working with the app (the user updates anti-malware databases manually, for example).Kaspersky experts recommended that you enable notifications and pop-up messages. If you disable notifications and pop-up messages when the app is in background mode, the app will not warn users about threats in real time. Mobile device users can learn about the device protection status only when they open the app.
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. The Kaspersky Endpoint Security for Android notifications that you disable will not be displayed on the user's mobile device.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Key features of mobile device management in MMC-based Administration Console
Kaspersky Secure Mobility Management provides the following features:
- Connecting Android devices to Kaspersky Security Center by distributing email messages with a link and a QR code to download the Kaspersky Endpoint Security for Android app from Google Play, or by using the app installation package to download from Kaspersky Security Center server.
- Connecting iOS devices to Kaspersky Security Center by distributing email messages with a link and a QR code to download the iOS MDM profile from the iOS MDM Server.
- Remote connection of mobile devices to Kaspersky Security Center and other third-party EMM systems (for example, VMWare AirWatch, MobileIron, IBM Maas360, Microsoft Intune, SOTI MobiControl).
- Remote configuration of the Kaspersky Endpoint Security for Android app, as well as remote configuration of services, apps, and functions of Android devices.
- Remote configuration of mobile devices in accordance with the corporate security requirements.
- Detection and neutralization of threats on mobile devices (Anti-Malware).
- Prevention of leakage of corporate information stored on mobile devices, in case they are lost or stolen (Anti-Theft).
- Control of internet use on mobile devices (Web Protection).
- Control of app installation and removal (App Control).
- Control of compliance with corporate security requirements (Compliance Control).
- Setup of corporate mail on mobile devices, including organizations with a Microsoft Exchange mail server deployed in the company (only for iOS and Samsung devices).
- Configuration of the corporate network (Wi-Fi, VPN) allowing VPN to be used on mobile devices. VPN can be configured only on iOS and Samsung devices.
- Configuration of the mobile device status to be displayed in Kaspersky Security Center when policy rules are violated: Critical, Warning, OK.
- Setup of notifications shown to the user in the Kaspersky Endpoint Security for Android app.
- Configuration of settings on devices supporting Samsung KNOX 2.6 or later.
- Configuration of settings on devices supporting Android work profiles.
- Configuration of settings of Android mobile devices in device owner mode.
- Deployment of the Kaspersky Endpoint Security for Android app through the Samsung KNOX Mobile Enrollment console. Samsung KNOX Mobile Enrollment is intended for batch installation and initial configuration of apps on Samsung devices purchased from official vendors.
- Management of group security policies for mobile devices.
- An upgrade of the Kaspersky Endpoint Security for Android app to the specified version can be performed by using Kaspersky Security Center policies.
- Administrator notifications about the status and events of the Kaspersky Endpoint Security for Android app can be communicated in Kaspersky Security Center or by email.
- Change Control for policy settings (revision history).
- Commands for remote mobile device management. For example, if a mobile device is lost or stolen, you can send commands to locate the device or wipe all corporate data from the device.
- Configuration of screen unlock password settings for mobile devices.
- Configuration of Wi-Fi network settings for mobile devices.
- Adding web clips to open websites from the Home screen of mobile devices.
Kaspersky Secure Mobility Management includes the following protection and management components:
- For Android devices:
- Anti-Malware
- Anti-Theft
- Web Protection
- App Control
- Compliance Control
- For iOS devices:
- Password protection
- Network management
- Web Protection
- Applications restrictions
- Feature restrictions
- Compliance Control
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Connecting iOS MDM devices to AirPlay
Configure the connection to AirPlay devices to enable streaming of music, photos, and videos from the iOS MDM device to AirPlay devices. To be able to use AirPlay technology, the mobile device and AirPlay devices must be connected to the same wireless network. AirPlay devices include Apple TV devices (of the second and third generations), AirPort Express devices, speakers or radio sets with AirPlay support.
Automatic connection to AirPlay devices is available for controlled devices only.
To configure the connection of an iOS MDM device to AirPlay devices:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the AirPlay section.
- In the AirPlay devices section, select the Apply settings on device check box.
- Click the Add button in the Passwords section.
An empty row is added in the password table.
- In the Device name column, enter the name of the AirPlay device on the wireless network.
- In the Password column, enter the password to the AirPlay device.
- To restrict access of iOS MDM devices to AirPlay devices, create a list of allowed devices in the Allowed devices (supervised only) section. To do so, add the MAC addresses of AirPlay devices to the list of allowed devices.
Access to AirPlay devices that are not on the list of allowed devices is blocked. If the list of allowed devices is left blank, Kaspersky Device Management for iOS will allow access to all AirPlay devices.
- Click the Apply button to save the changes you have made.
As a result, once the policy is applied, the user's mobile device will automatically connect to AirPlay devices to stream media content.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Connecting iOS MDM devices to AirPrint
To enable printing of documents from the iOS MDM device wirelessly using AirPrint technology, configure automatic connection to AirPrint printers. The mobile device and printer must be connected to the same wireless network. Shared access for all users has to be configured on the AirPrint printer.
To configure the connection of an iOS MDM device to an AirPrint printer:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the AirPrint section.
- Click the Add button in the AirPrint printers section.
The Printer window opens.
- In the IP address field, enter the IP address of the AirPrint printer.
- In the Resource Path field, enter the path to the AirPrint printer.
The path to the printer corresponds to the rp (resource path) key of the Bonjour protocol. For example:
- printers/Canon_MG5300_series
- ipp/print
- Epson_IPP_Printer
- Click OK.
The newly added AirPrint printer appears on the list.
- Click the Apply button to save the changes you have made.
As a result, once the policy is applied, the mobile device user can wirelessly print documents on the AirPrint printer.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Bypassing the Activation Lock on supervised iOS devices
Activation Lock is an iOS feature that is designed to prevent others from using a lost or stolen iOS device or reactivating it without an owner's permission. Kaspersky Security Center allows to bypass the Activation Lock on supervised iOS devices without entering Apple ID and user's password by using a bypass code.
A bypass code is generated when an iOS device is connected to Kaspersky Security Center and becomes supervised.
To disable Activation Lock using a bypass code:
- In the console tree, select Mobile Device Management → Mobile devices.
- In the list of devices, select the device for which you need to view the bypass code by double-clicking.
The properties window of the selected device opens.
- In the properties window of the selected device, select the Advanced iOS MDM settings tab.
- On the Advanced iOS MDM settings tab, click the crossed-out eye icon next to the Bypass code for Activation Lock (supervised only) option.
The bypass code for Activation Lock is displayed.
- On the Activation Lock screen of the supervised iOS device, enter the bypass code in the Apple ID password field. Leave the username field empty.
Activation Lock is disabled on the device.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring the Access Point Name (APN)
To connect a mobile device to data transfer services on a mobile network, you should configure the APN (Access Point Name) settings.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring APN on Android devices (only Samsung)
Configuration of APN is possible only for Samsung devices.
A SIM card must be inserted to be able to use an access point on the user's mobile device. Access point settings are provided by the mobile telephony operator. Incorrect access point settings may result in additional mobile telephony charges.
To configure the Access Point Name (APN) settings:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Manage Samsung KNOX → APN section.
- In the APN section, click the Configure button.
The APN settings window opens.
- On the General tab, specify the following access point settings:
- In the APN type drop-down list, select the type of access point.
- In the APN name field, specify the name of the access point.
- In the MCC field, enter the mobile country code (MCC).
- In the MNC field, enter the mobile network code (MNC).
- If you have selected MMS or Internet and MMS as the type of access point, specify the following additional MMS settings:
- In the MMS server field, specify the full domain name of the mobile carrier's server used for MMS exchange.
- In the MMS proxy server field, specify the network name or IP address of the proxy server and the port number of the mobile carrier's server used for MMS exchange.
- On the Additional tab, configure the additional settings of the Access Point Name (APN):
- In the Authentication type drop-down list, select the type of mobile device user's authentication on the mobile carrier's server for network access.
- In the Server address field, specify the network name of the mobile carrier's server through which data transmission services are accessed.
- In the Proxy server address field, specify the network name or IP address and port number of the mobile carrier's proxy server for network access.
- In the User name field, enter the user name for authorization on the mobile network.
- In the Password field, enter the password for user authorization on the mobile network.
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring APN on iOS MDM devices
The Access Point Name (APN) has to be configured in order to enable the mobile network data transmission service on the user's iOS MDM device.
The APN section is out of date. It is recommended to configure APN settings in the Cellular communications section. Before configuring cellular communication settings, make sure that the settings of the APN section have not been applied on the device (the Apply settings on device check box is cleared). The settings of the APN and Cellular communications sections cannot be used concurrently.
To configure an access point on a user's iOS MDM device:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Cellular communications section.
- In the Cellular communication settings section, select the Apply settings on device check box.
- In the APN type list, select the type of access point for data transfer on a GPRS/3G/4G mobile network:
- Built-in APN – configuration of cellular communication settings for data transfer via a mobile network operator that supports operation with a built-in Apple SIM. For more details about devices with a built-in Apple SIM, please visit the Apple Technical Support website.
- APN – configuration of cellular communication settings for data transfer via the mobile network operator of the inserted SIM card.
- Built-in APN and APN – configuration of cellular communication settings for data transfer via the mobile network operators of the inserted SIM card and the built-in Apple SIM. For more details about devices with a built-in Apple SIM and a SIM card slot, please visit the Apple Technical Support website.
- In the APN name field, specify the name of the access point.
- In the Authentication type drop-down list, select the type of device user authentication on the mobile operator's server for network access (internet and MMS):
- In the User name field, enter the user name for authorization on the mobile network.
- In the Password field, enter the password for user authorization on the mobile network.
- In the Proxy server address and port field, enter the name of a host or the IP address of a proxy server and the number of the proxy server port.
- Click the Apply button to save the changes you have made.
As a result, the access point name (APN) is configured on the user's mobile device after the policy is applied.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring the Android work profile
This section contains information about working with an Android work profile.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
About Android work profile
Android Enterprise is a platform for managing the corporate mobile infrastructure, which provides company employees with a work environment in which they can use mobile devices. For details on using Android Enterprise, see the Google support website.
You can create the Android work profile (hereinafter also "work profile") on the user's mobile device. Android work profile is a safe environment on the user's device in which the administrator can manage apps and user accounts without restricting the user's use of his/her own data. When a work profile is created on the user's mobile device, the following corporate apps are automatically installed to it: Google Play Market, Google Chrome, Downloads, Kaspersky Endpoint Security for Android, and others. Corporate apps installed in the work profile and notifications of these apps are marked with a 
icon. You have to create a separate Google corporate account for the Google Play Market app. Apps installed in the work profile appear in the common list of apps.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring the work profile
To configure the settings of the Android work profile:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Android work profile.
- In the Android work profile workspace, select the Create work profile check box.
- Specify the work profile settings:
- On the General tab, specify the data sharing, contact, and other settings:
- Settings in the Data access and sharing section:
- Prohibit personal profile apps to share data with work profile apps
- Prohibit work profile apps to share data with personal profile apps
- Prohibit work profile apps to access files in personal profile
- Prohibit personal profile apps to access files in work profile
- Prohibit use of clipboard content across personal and work profiles
- Prohibit activation of USB debugging mode
- Prohibit the user to add and remove accounts in work profile
- Prohibit screen sharing, recording, and screenshots in work profile apps
- Settings in the Contacts section:
- Settings in the Data access and sharing section:
- On the Apps tab, specify the following settings:
- Enable App Control in Work profile only
- Enable Web Protection in work profile only
For Samsung Internet Browser, HUAWEI Browser, and Yandex Browser, leave the Enable Web Protection in work profile only check box unselected. These browsers do not allow you to enable Web Protection only in the work profile. If you select this check box, Web Protection in these browsers will not work.
You can specify website access settings (create a list of blocked website categories or a list of allowed websites) in the Web Protection section.
- Prohibit installation of apps in the work profile from unknown sources
- Prohibit removal of apps from work profile
- Prohibit display of notifications from work profile apps when screen is locked
- Prohibit use of camera for work profile apps
- Granting runtime permissions for work profile apps
- Adding widgets of work profile apps to device home screen
- On the Certificates tab, you can configure the following settings:
- On the Password tab, specify work profile password settings:
- Require to set password for work profile
- Minimum number of characters
- Minimum password complexity requirements (Android 12 or earlier)
- Maximum number of incorrect password attempts before deletion of work profile
- Maximum password age, in days
- Number of days to notify that a password change is required
- Number of recent passwords that can't be used as a new password
- The period of inactivity before the device screen locks, in seconds
- Period after unlocking by biometric methods before entering a password, in minutes (Android 8.0 or later)
- Allow biometric unlock methods (Android 9+)
- Allow use of fingerprints
- Allow face scanning (Android 9 or later)
- Allow iris scanning (Android 9 or later)
- On the Passcode tab, specify the one-time passcode settings. The user will be prompted to enter the one-time passcode to unlock their work profile if it was locked.
- On the General tab, specify the data sharing, contact, and other settings:
- To configure work profile settings on the user's mobile device, block changes to settings.
- Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. The space of the user's mobile device is divided into a work profile and a personal profile.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Unlocking the work profile
The work profile can be locked if the device does not meet the Compliance Control security requirements.
To unlock the work profile, the user of the mobile device must enter a one-time work profile passcode on the locked screen. The passcode is generated by MMC-based Administration Console and is unique for each mobile device. When the device work profile is unlocked, the work profile password is set to default value (1234).
As an administrator, you can view the passcode in the policy settings, which are applied to the mobile device. The length of the passcode can be changed (4, 8, 12 or 16 digits).
To unlock the mobile device using the one-time passcode:
- In the console tree, select Mobile Device Management → Mobile devices.
- Select the mobile device for which you want to get the one-time passcode.
- Open the mobile device properties window.
- Select Apps → Kaspersky Endpoint Security for Android.
- Open the Kaspersky Endpoint Security properties window.
- Select the Android work profile section.
The passcode for the selected device is shown on the Passcode tab in the Passcode field.
Use any available method (such as email) to communicate the one-time passcode to the user.
The user should enter the received one-time passcode on their device.
After the work profile on a device is locked, the history of work profile passwords is cleared. It means that the user can specify one of the recent passwords, regardless of the work profile password settings.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Adding an LDAP account
To enable the iOS MDM device user to access corporate contacts on the LDAP server, add the LDAP account.
To add the LDAP account of the iOS MDM device user:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the LDAP section.
- Click the Add button in the LDAP accounts section.
The LDAP account window opens.
- In the Description field, enter a description of the user's LDAP account. You can use macros from the Macros available drop-down list.
- In the Account name field, enter the account name for authorization on the LDAP server. You can use macros from the Macros available drop-down list.
- In the Password field, enter the password of the LDAP account for authorization on the LDAP server.
- In the Server address field, enter the name of the LDAP server domain. You can use macros from the Macros available drop-down list.
- To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of messages, select the Use SSL connection check box.
- Compile a list of search queries for the iOS MDM device user access to corporate data on the LDAP server:
- Click the Add button in the Search settings section.
A blank row appears in the table with search queries.
- In the Name column, enter the name of a search query.
- In the Search scope column, select the nesting level of the folder for the corporate data search on the LDAP server:
- Base – search in the base folder of the LDAP server.
- One level – search in folders on the first nesting level counting from the base folder.
- Subtree – search in folders on all nesting levels counting from the base folder.
- In the Search base column, enter the path to the folder on the LDAP server with which the search begins (for example: "ou=people", "o=example corp").
- Repeat steps a-d for all search queries that you want to add to the iOS MDM device.
- Click the Add button in the Search settings section.
- Click OK.
The new LDAP account appears in the list.
- Click the Apply button to save the changes you have made.
As a result, once the policy is applied, LDAP accounts from the compiled list will be added on the user's mobile device. The user can access corporate contacts in the standard iOS apps: Contacts, Messages, and Mail.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Adding a calendar account
To enable the iOS MDM device user to access the user's calendar events on the CalDAV server, add the CalDAV account. Synchronization with the CalDAV server enables the user to create and receive invitations, receive event updates, and synchronize tasks with the Reminders app.
To add the CalDAV account of the iOS MDM device user:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Calendar section.
- Click the Add button in the CalDAV accounts section.
The CalDAV account window opens.
- In the Description field, enter a description of the user's CalDAV account.
- In the Server address and port field, enter the name of a host or the IP address of a CalDAV server and the number of the CalDAV server port.
- In the Main URL field, specify the URL of the CalDAV account of the iOS MDM device user on the CalDAV server (for example: http://example.com/caldav/users/mycompany/user).
The URL should begin with
"http://"or"https://". - In the Account name field, enter the account name for authorization on the CalDAV server.
- In the Password field, set the CalDAV account password for authorization on the CalDAV server.
- To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of event data between the CalDAV server and the mobile device, select the Use SSL connection check box.
- Click OK.
The new CalDAV account appears in the list.
- Click the Apply button to save the changes you have made.
As a result, once the policy is applied, CalDAV accounts from the compiled list will be added on the user's mobile device.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Adding a contacts account
To enable the iOS MDM device user to synchronize data with the CardDAV server, add the CardDAV account. Synchronization with the CardDAV server enables the user to access the contact details from any device.
To add the CardDAV account of the iOS MDM device user:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Contacts section.
- Click the Add button in the CardDAV accounts section.
The CardDAV account window opens.
- In the Description field, enter a description of the user's CardDAV account. You can use macros from the Macros available drop-down list.
- In the Server address and port field, enter the name of a host or the IP address of a CardDAV server and the number of the CardDAV server port.
- In the Main URL field, specify the URL of the CardDAV account of the iOS MDM device user on the CardDAV server (for example: http://example.com/carddav/users/mycompany/user).
The URL should begin with
"http://"or"https://". - In the Account name field, enter the account name for authorization on the CardDAV server. You can use macros from the Macros available drop-down list.
- In the Password field, set the CardDAV account password for authorization on the CardDAV server.
- To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of contacts between the CardDAV server and the mobile device, select the Use SSL connection check box.
- Click OK.
The new CardDAV account appears in the list.
- Click the Apply button to save the changes you have made.
As a result, once the policy is applied, CardDAV accounts from the compiled list will be added on the user's mobile device.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring calendar subscription
To enable the iOS MDM device user to add events of shared calendars (such as the corporate calendar) to the user's calendar, add subscription to this calendar. Shared calendars are calendars of other users who have a CalDAV account, iCal calendars, and other openly published calendars.
To add calendar subscription:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Calendar subscription section.
- Click the Add button in the Calendar subscriptions section.
The Calendar Subscription window opens.
- In the Description field, enter a description of the calendar subscription.
- In the Server web address field, specify the URL of the third-party calendar.
In this field, you can enter the mail URL of the CalDAV account of the user to whose calendar you are subscribing. You can also specify the URL of an iCal calendar or a different openly published calendar.
- In the User name field, enter the user account name for authentication on the server of the third-party calendar.
- In the Password field, enter the calendar subscription password for authentication on the server of the third-party calendar.
- To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of event data between the CalDAV server and the mobile device, select the Use SSL connection check box.
- Click OK.
The new calendar subscription appears in the list.
- Click the Apply button to save the changes you have made.
As a result, once the policy is applied, events from shared calendar on the list will be added to the calendar on the user's mobile device.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Managing web clips
A web clip is an app that opens a website from the Home screen of the mobile device. By clicking web clip icons on the home screen of the device, the user can quickly open websites (such as the corporate website).
You can add or delete web clips on user devices and specify web clip icons displayed on the screen.
Managing web clips on Android devices
To manage web clips on a user's Android device:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Device management section.
- In the Adding web clips to device home screen section, do any of the following:
- To add a web clip:
- Click the Add button.
The Add web clip window opens.
- In the Name field, enter the name of the web clip to be displayed on the home screen of the Android device.
- In the URL field, enter the web address of the website that will open when the web clip icon is clicked. The address should begin with "http://" or "https://".
- In the Icon field, specify the image for the web clip icon: click Browse... and select an image file. The PNG and JPEG file formats are supported. If you do not select an image for the web clip, a blank square is displayed as the icon.
- Click OK.
The new web clip appears in the list.
The maximum number of web clips that can be added to an Android device depends on the device type. When this number is reached, web clips are no longer added to the Android device.
- Click the Add button.
- To edit a web clip:
- Select the web clip that you want to edit, and then click Edit.
The Add web clip window opens.
- Define the new settings of the web clip, as described earlier in this section.
- Click OK.
- Select the web clip that you want to edit, and then click Edit.
- To delete a web clip:
- Select the web clip that you want to delete, and then click Delete.
The web clip disappears from the list.
- Select the web clip that you want to delete, and then click Delete.
- To add a web clip:
- Click the Apply button to save the changes you have made.
Once the policy is applied to a device, the Kaspersky Endpoint Security for Android app shows notifications to prompt the user to install the web clips you created. After the user installs these web clips, the corresponding icons are added on the home screen of the device.
The deleted web clips are disabled on the home screen of the Android device. If the user taps the corresponding icon, a notification appears that the web clip is no longer available. The user should delete the web clip from the home screen by following a vendor-specific procedure.
Managing web clips on iOS MDM devices
By default, the following restrictions on web clip usage apply:
- The user cannot manually remove web clips from the mobile device.
- Websites that open when the user clicks a web clip icon do not open in full-screen mode.
- The corner rounding, shadow, and gloss visual effects are applied to the web clip icon on the screen.
To manage web clips on a user's iOS MDM device:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Web Clip section.
- In the Web Clip section, do any of the following:
- To add a web clip:
- Click the Add button.
The Web Clip window opens.
- In the Name field, enter the name of the web clip to be displayed on the home screen of the iOS MDM device.
- In the URL field, enter the web address of the website that will open when the web clip icon is clicked. The address should begin with
"http://"or"https://". - To allow the user to remove a web clip from the iOS MDM device, select the Allow removal check box.
- Click Select and specify the file with the image for the web clip icon that will be displayed on the home screen of the iOS MDM device.
The image must meet the following requirements:
- Image size no greater than 400 х 400 pixels.
- File format: GIF, JPEG, or PNG.
- File size no greater than 1 MB.
The web clip icon is available for preview in the Icon field. If you do not select an image for the web clip, a blank square is displayed as the icon.
If you want the web clip icon to be displayed without special visual effects (rounding of icon corners and gloss effect), select the Precomposed icon check box.
- If you want the website to open in full-screen mode on the iOS MDM device when you click the icon, select the Full screen Web Clip check box.
In full-screen mode, the Safari toolbar is hidden and only the website is shown on the device screen.
- Click OK.
The new web clip appears in the list.
- Click the Add button.
- To edit a web clip:
- Select the web clip that you want to edit, and then click Edit.
The Web Clip window opens.
- Define the new settings of the web clip, as described earlier in this section.
- Click OK.
- Select the web clip that you want to edit, and then click Edit.
- To delete a web clip:
- Select the web clip that you want to delete, and then click Delete.
The web clip disappears from the list.
- Select the web clip that you want to delete, and then click Delete.
- To add a web clip:
- Click the Apply button to save the changes you have made.
Once the policy is applied, the web clip icons from the list you have created are added on the home screen of the user's mobile device.
The deleted web clips are removed from the home screen of the iOS MDM device.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Setting wallpaper
You can set the same image as a wallpaper for a home screen and a lock screen on your users' devices that fall under the same policy.
To set a wallpaper on your users' Android devices:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Device management section.
- In the Setting wallpaper for home screen and lock screen section, click Set.
The Setting wallpaper window opens.
- In the How to set wallpaper drop-down list, select the way of setting a wallpaper:
- Once the image is imported, you can preview it in the Setting wallpaper window.
- If you want to use the same image as a wallpaper for a lock screen, select the Use the same image for lock screen check box. Otherwise, the image is used only as a home screen wallpaper.
The check box is cleared by default.
- Click the OK button to save the changes you have made.
The imported image is set as a wallpaper on users' devices.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Adding fonts
To add a font on a user's iOS MDM device:
- In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Fonts section.
- Click the Add button in the Fonts section.
The Font window opens.
- In the File name field, specify the path to the font file (a file with the .ttf or .otf extension).
Fonts with the ttc or otc extension are not supported.
Fonts are identified using the PostScript name. Do not install fonts with the same PostScript name even if their content is different. Installing fonts with the same PostScript name will result in an undefined error.
- Click Open.
The new font appears in the list.
- Click the Apply button to save the changes you have made.
As a result, once the policy is applied, the user will be prompted to install fonts from the list that has been created.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Working with commands for mobile devices
This section contains information about commands for managing mobile devices supported by Kaspersky Security Center. The section provides instructions on how to send commands to mobile devices, as well as how to view the execution statuses of commands in the command log.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Commands for mobile devices
Kaspersky Security Center supports commands for remote mobile device management. For instance, if a mobile device is lost or stolen, you can send commands to locate the device or wipe all corporate data from the device.
You can send commands to the following types of managed mobile devices:
- Android devices managed via the Kaspersky Endpoint Security for Android app
- iOS MDM devices
Each device type supports a dedicated set of commands.
Commands for Android devices
Command |
Command execution result |
|
|---|---|---|
Lock |
The mobile device is locked. To obtain access to data, you must unlock the device. |
|
Unlock |
The mobile device is unlocked. After unlocking a device running Android 5.0 – 6, the screen unlock password is reset to "1234". After unlocking a device running Android 7.0 or later, the screen unlock password is not changed. |
|
Reset to factory settings |
All data is deleted from the mobile device and the settings are rolled back to their factory values. After this command is executed, the device will not be able to receive or execute subsequent commands. |
|
Wipe corporate data |
The corporate data is wiped from the device. The list of wiped data depends on the mode in which the device operates:
|
|
Synchronize device |
The mobile device data is synchronized with the Administration Server. |
|
Locate device |
The mobile device's location coordinates are obtained. On devices running Android 12 or later, if the user granted the "Use approximate location" permission, the Kaspersky Endpoint Security for Android app first tries to get the precise device location. If this is not successful, the approximate device location is returned only if it was received not more than 30 minutes earlier. Otherwise, the Locate device command fails. The Locate device command does not work on Android devices if Google Location Accuracy is disabled in settings. Please be aware that not all Android devices come with this location setting. |
|
Mugshot |
The mobile device is locked. The mugshot photo is taken by the front camera of the device when somebody attempts to unlock the device. On devices with a pop-up front camera, the photo will be black if the camera is stowed. When attempting to unlock the device, the user automatically consents to the mugshot. If the permission to use the camera has been revoked, the mobile device displays a notification and prompts to provide the permission. On a mobile device running Android 12 or later, if the permission to use camera has been revoked via Quick Settings, the notification is not displayed but the photo taken is black. |
|
Alarm |
The mobile device sounds an alarm. The alarm is sounded for 5 minutes (or for 1 minute if the device battery is low). |
|
Wipe app data |
The data of a specified app is wiped from the mobile device. The action is only applicable to devices running Android 9 or later in device owner mode or with created Android work profile. |
|
Wipe data of all apps |
The data of all apps is wiped from the mobile device. The action is only applicable to devices running Android 9 or later in device owner mode or with created Android work profile. |
|
Send message |
The message with the specified subject and text is sent to the user's mobile device. You can send only a push notification or both a push notification and a pop-up window. This command is available only if the Send commands to mobile devices permission is given. For more details, please refer to the Kaspersky Security Center Help. |
|
Get device location history |
The mobile device's location history for the last 14 days is displayed. This command works only if the Device location history informational event type is stored in the Administration Server database. The events are configured in the Events section of the policy properties. For more details, please refer to the Kaspersky Security Center Help. |
|
Commands for iOS MDM devices
Command |
Command execution result |
|---|---|
Lock |
The mobile device is locked. To obtain access to data, you must unlock the device. |
Reset password |
The mobile device's screen unlock password is reset, and the user is prompted to set a new password in accordance with policy requirements. |
Reset to factory settings |
All data is deleted from the mobile device and the settings are rolled back to their factory values. After this command is executed, the device will not be able to receive or execute subsequent commands. |
Wipe corporate data |
All installed configuration profiles, provisioning profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile check box has been selected are removed from the device. |
Synchronize device |
The mobile device data is synchronized with the Administration Server. |
Install profile |
The configuration profile is installed on the mobile device. |
Remove profile |
The configuration profile is deleted from the mobile device. |
Install provisioning profile |
The provisioning profile is installed on the mobile device. |
Remove provisioning profile |
The provisioning profile is deleted from the mobile device. |
Install app |
The app is installed on the mobile device. |
Remove app |
The app is removed from the mobile device. |
Enter redemption code |
Redemption code entered for a paid app. |
Schedule operating system update (supervised only) |
Operating system updates are scheduled on the mobile device according to the specified update settings. This command is supported only for supervised devices. |
Configure roaming |
Data roaming and voice roaming enabled or disabled. |
Set Bluetooth state (supervised only) |
Bluetooth is enabled or disabled on the mobile device. This command is supported only for supervised devices running iOS 11.3 or later. |
Enable Lost Mode (supervised only) |
Lost Mode is enabled on the supervised mobile device, and the device is locked. The device screen shows the message and phone number that you can edit. If you send the Enable Lost Mode command to a supervised iOS MDM device without a SIM card and this device is restarted, the device won't be able to connect to Wi-Fi and receive the Disable Lost Mode command. This is a specific feature of iOS devices. To avoid this issue, you can either send the command only to devices with a SIM card, or insert a SIM card into the locked device to allow it to receive the Disable Lost Mode command over the mobile network. |
Locate device (supervised only) |
The location of the mobile device is obtained. You can click the link in the command log to view device coordinates and check the device location on a map. This command is supported only for supervised devices that are in Lost Mode. |
Play sound (supervised only) |
The sound is played on the lost mobile device. This command is supported only for supervised devices that are in Lost Mode. |
Disable Lost Mode (supervised only) |
Lost Mode is disabled on the mobile device, and the device is unlocked. This command is supported only for supervised devices. |
Permissions for execution of commands
Special rights and permissions are required for the execution of commands of Kaspersky Endpoint Security for Android. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required rights and permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, it will be impossible to execute commands.
On devices running Android 10 or later, the user must grant the "All the time" permission to access the location. On devices running Android 11 or later, the user must also grant the "While using the app" permission to access camera. Otherwise, Anti-Theft commands will not function. The user will be notified of this limitation and will again be prompted to grant the permissions of required level. If the user selects the "Only this time" option for the camera permission, access is considered granted by the app. It is recommended to contact the user directly if the Camera permission is requested again.
Page topThe help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Sending commands
To send a command to the user's mobile device:
- In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.
- Select the user's mobile device to which you need to send a command.
- In the context menu of the mobile device, select Show command log.
- In the Mobile device <device name> management commands window, proceed to the section with the name of the command that you need to send to the mobile device, then click the Send command button.
Depending on the command that you have selected, clicking the Send command button may open the window of advanced settings of the application. For example, when you send the command for deleting a provisioning profile from a mobile device, the application prompts you to select the provisioning profile that must be deleted from the mobile device. Define the advanced settings of the command in that window and confirm your selection. After that, the command will be sent to the mobile device.
You can click the Resend button to send the command to the user's mobile device again.
You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.
The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.
- Click OK to close the Mobile device <device name> management commands window.
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Viewing the statuses of commands in the command log
The application saves to the command log information about all commands that have been sent to mobile devices. The command log contains information about the time and date that each command was sent to the mobile device, their respective statuses, and detailed descriptions of command execution results. For example, in case execution of a command is unsuccessful, the log displays the cause of the error. Records are stored in the command log for 30 days maximum.
Commands sent to mobile devices can have the following statuses:
- Running—The command has been sent to the mobile device.
- Completed—The command execution has successfully completed.
- Completed with error—The command execution has failed.
- Deleting—The command is being removed from the queue of commands sent to the mobile device.
- Deleted—The command has been successfully removed from the queue of commands sent to the mobile device.
- Error deleting—The command could not be removed from the queue of commands sent to the mobile device.
The application maintains a command log for each mobile device.
To view the log of commands sent to a mobile device:
- In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.
- In the list of mobile devices, select the one for which you want to view the command log.
- In the context menu of the mobile device, select Show command log.
The Mobile device <device name> management commands window opens. The sections of the Mobile device <device name> management commands window correspond to the commands that can be sent to the mobile device.
- Select sections containing the necessary commands and view information about how the commands are sent and executed in the Command log section.
In the Command log section, you can view the list of commands that have been sent to the mobile device and details about those commands. The Show commands filter allows you to display in the list only commands with the selected status.