Kaspersky Secure Mobility Management
4.0
English

Contents

[Topic 136319]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring anti-malware protection on Android devices

For the timely detection of threats, viruses, and other malicious applications, you should configure the settings for real-time protection and autorun of malware scans.

Kaspersky Endpoint Security for Android detects the following types of objects:

  • Viruses, worms, Trojans, and malicious tools
  • Adware
  • Apps that can be exploited by criminals to harm your device or personal data

Anti-Malware has a number of limitations:

  • When Anti-Malware is running, a threat detected in the external memory of the device (such as an SD card) cannot be neutralized automatically in the Work profile (Applications with a briefcase icon, Configuring the Android work profile). Kaspersky Endpoint Security for Android does not have access to external memory in the Work profile. Information about detected objects is displayed in app notifications. To neutralize objects detected in the external memory, the object files have to be deleted manually and the device scan restarted.
  • Due to technical limitations, Kaspersky Endpoint Security for Android cannot scan files with a size of 2 GB or more. During a scan, the app skips such files without notifying you that such files were skipped.
  • On devices running Android 11 or later, the Kaspersky Endpoint Security for Android app can't scan the "Android/data" and "Android/obb" folders and detect malware in them due to technical limitations.

To configure the mobile device real-time protection settings:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Protection section.
  5. In the Protection section, configure the settings of mobile device file system protection:
    • To enable real-time protection of the mobile device against threats, select the Enable Protection check box.

      Kaspersky Endpoint Security for Android scans only new apps and files from the Downloads folder.

    • To enable extended protection of the mobile device against threats, select the Extended protection mode check box.

      Kaspersky Endpoint Security for Android will scan all files that the user opens, modifies, moves, copies, installs or saves on the device, as well as newly installed mobile apps.

      On devices running Android 8.0 or later, Kaspersky Endpoint Security for Android scans files that the user modifies, moves, installs and saves, as well as copies of files. Kaspersky Endpoint Security for Android does not scan files when they are opened, or source files when they are copied.

    • To enable additional scanning of new apps before they are started for the first time on the user's device with the help of the Kaspersky Security Network cloud service, select the Cloud protection (KSN) check box.
    • To block adware and apps that can be exploited by criminals to harm the device or user data, select the Detect adware, autodialers, and riskware check box.
  6. In the Action on threat detection list, select one of the following options:
    • Delete

      Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will display a temporary notification about the detection of the object.

    • Skip

      If the detected objects have been skipped, Kaspersky Endpoint Security for Android warns the user about problems in device protection. For each skipped threat, the app provides actions that the user can perform to eliminate the threat. The list of skipped objects may change, for example, if a malicious file was deleted or moved. To receive an up-to-date list of threats, run a full device scan. To ensure reliable protection of your data, eliminate all detected objects.

    • Quarantine
  7. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

To configure autorun of malware scans on the mobile device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Scan section.
  5. To block adware and apps that can be exploited by criminals to harm the device or user data, select the Detect adware, autodialers, and riskware check box.
  6. In the Action on threat detection list, select one of the following options:
    • Delete

      Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will display a temporary notification about the detection of the object.

    • Skip

      If the detected objects have been skipped, Kaspersky Endpoint Security for Android warns the user about problems in device protection. For each skipped threat, the app provides actions that the user can perform to eliminate the threat. The list of skipped objects may change, for example, if a malicious file was deleted or moved. To receive an up-to-date list of threats, run a full device scan. To ensure reliable protection of your data, eliminate all detected objects.

    • Quarantine
    • Ask user

      The Kaspersky Endpoint Security for Android app displays a notification prompting the user to choose the action to take on the detected object: Skip or Delete.

      When the app detects several objects, the Ask user option allows the device user to apply a selected action to each file by using the Apply to all threats check box.

      Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure the display of notifications on mobile devices running Android 10 or later. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. In this case, Kaspersky Endpoint Security for Android displays an Android system window prompting the user to choose the action to take on the detected object: Skip or Delete. To apply an action to multiple objects, you need to open Kaspersky Endpoint Security.

    If during a scan Kaspersky Endpoint Security for Android detects malicious apps on users' devices, the actions differ depending on the device management mode.

    In device owner mode, installed malicious apps detected by Kaspersky Endpoint Security for Android are deleted from the device automatically, if the Delete option is selected. If Kaspersky Endpoint Security for Android detects malicious system apps, they are prohibited from being displayed and launched on users' devices.

    In Android work profile, installed malicious apps detected by Kaspersky Endpoint Security for Android are not deleted but prohibited from being displayed and launched on users' devices without notifying device users.

    However, if the Ask user option is selected, Kaspersky Endpoint Security for Android prompts users to select an action for each detected app both on devices in device owner mode or with created Android work profile.

    Installed malicious apps cannot be saved in quarantine. So, if the Quarantine option is selected, a detected malicious app is deleted.

    On personal devices, detected malicious apps cannot be deleted automatically. In this case, Kaspersky Endpoint Security for Android prompts the user to delete or skip the detected app.

  7. The Scheduled scan section lets you configure the settings of the automatic launch of the full scan of the device file system. To do so, click the Schedule button and specify the frequency and start time of the full scan in the Schedule window.

    If the device is in battery saver mode, the app may perform this task later than specified. To ensure timely responses of KES devices on Android to the administrator's commands, enable the use of Google Firebase Cloud Messaging.

  8. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. Kaspersky Endpoint Security for Android scans all files, including the contents of archives.

To keep mobile device protection up to date, configure the anti-malware database update settings.

By default, anti-malware database updates are disabled for when the device is roaming. Scheduled updates of anti-malware databases are not performed.

To configure the settings of anti-malware database updates:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Database update section.
  5. If you want Kaspersky Endpoint Security for Android to download database updates according to the update schedule when the device is in the roaming zone, select the Allow database update while roaming check box in the Database update while roaming section.

    Even if the check box is cleared, the user can manually start an anti-malware database update when the device is roaming.

  6. In the Database update source section, specify the update source from which Kaspersky Endpoint Security for Android receives and installs anti-malware database updates:
    • Kaspersky servers

      Using a Kaspersky update server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices. To update databases from Kaspersky servers, Kaspersky Endpoint Security for Android transmits data to Kaspersky (for example, the update task run ID). The list of data that is transmitted during database updates is provided in the End User License Agreement.

    • Administration Server

      Using the repository of Kaspersky Security Center Administration Server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices.

    • Other source

      Using a third-party server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices. To start an update, you should enter the address of an HTTP server in the field below (e.g., http://domain.com/).

  7. In the Scheduled database update section, configure the settings for automatic anti-malware database updates on the user's device. To do so, click the Schedule button and specify the frequency and start time of updates in the Schedule window.

    If the device is in battery saver mode, the app may perform this task later than specified. To ensure timely responses of KES devices on Android to the administrator's commands, enable the use of Google Firebase Cloud Messaging.

  8. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Page top
[Topic 136503]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Protecting Android devices on the internet

To protect the personal data of a mobile device user on the internet, enable Web Protection. Web Protection blocks malicious websites that distribute malicious code, and phishing websites designed to steal your confidential data and gain access to your financial accounts. Web Protection scans websites before you open them using the Kaspersky Security Network cloud service. Web Protection also lets you configure a user's access to websites based on predefined lists of allowed and blocked websites.

Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time.

Web Protection on Android devices is supported only by Google Chrome, HUAWEI Browser, Samsung Internet Browser, and Yandex Browser.

If the Kaspersky Endpoint Security for Android app in device owner mode is not enabled as an Accessibility Features service, Web Protection is supported only by the Google Chrome browser and checks only the domain of a website. To allow other browsers (Samsung Internet Browser, Yandex Browser, and HUAWEI Browser) support Web Protection, enable Kaspersky Endpoint Security as an Accessibility Features service. This will also enable the Custom Tabs feature operation.

The Custom Tabs feature is supported by Google Chrome, HUAWEI Browser, and Samsung Internet Browser.

Web Protection for HUAWEI Browser, Samsung Internet Browser, and Yandex Browser does not block sites on a mobile device if a work profile is used and Web Protection is enabled only for the work profile.

To enable Web Protection in Google Chrome, HUAWEI Browser, Samsung Internet Browser, or Yandex Browser:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Web Protection.
  5. To use Web Protection, you or device user must read and accept the Statement regarding data processing for the purpose of using Web Protection (Web Protection Statement):
    1. Click the Web Protection Statement link at the top of the section.

      This opens Statement regarding data processing for purpose of using Web Protection window.

    2. Read and accept Privacy Policy by selecting the corresponding check box. To view Privacy Policy, click the Privacy Policy link.

      If you do not accept Privacy Policy, mobile device user can accept Privacy Policy in the Initial Configuration Wizard or in the app (ks4android_settings_buttonAboutTerms and conditionsPrivacy Policy).

    3. Select the Web Protection Statement acceptance mode:
      • I have read and accept the Web Protection Statement
      • Request acceptance of the Web Protection Statement from the device user
      • I do not accept the Web Protection Statement

        If you select I do not accept the Web Protection Statement, the Web Protection does not block sites on a mobile device. Mobile device user cannot enable Web Protection in the Kaspersky Endpoint Security.

    4. Click OK to close the window.
  6. Select the Enable Web Protection check box.
  7. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Page top
[Topic 148305]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Protection of stolen or lost device data

This section describes how you can configure the unauthorized access protection settings on the device in case it gets lost or stolen.

In this section

Sending commands to a lost or stolen mobile device

Unlocking a mobile device

Data encryption

Deleting data on Android devices after failed password entry attempts
Page top
[Topic 89901]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Sending commands to a lost or stolen mobile device

To protect data on a mobile device that is lost or stolen, you can send special commands.

You can send commands to the following types of managed mobile devices:

  • Android devices managed via the Kaspersky Endpoint Security for Android app
  • iOS MDM devices

Each device type supports a dedicated set of commands (see the tables below).

Commands for Android devices

Commands for protecting data on a lost or stolen Android device

Command

Command execution result

Lock

The mobile device is locked. To obtain access to data, you must unlock the device.

Unlock

The mobile device is unlocked.

After unlocking a device running Android 5.0 – 6, the screen unlock password is reset to "1234". After unlocking a device running Android 7.0 or later, the screen unlock password is not changed.

Locate device

The mobile device's location coordinates are obtained.

On devices running Android 12 or later, if the user granted the "Use approximate location" permission, the Kaspersky Endpoint Security for Android app first tries to get the precise device location. If this is not successful, the approximate device location is returned only if it was received not more than 30 minutes earlier. Otherwise, the Locate device command fails.

The Locate device command does not work on Android devices if Google Location Accuracy is disabled in settings. Please be aware that not all Android devices come with this location setting.

Mugshot

The mobile device is locked. The mugshot photo is taken by the front camera of the device when somebody attempts to unlock the device. On devices with a pop-up front camera, the photo will be black if the camera is stowed.

When attempting to unlock the device, the user automatically consents to the mugshot.

If the permission to use the camera has been revoked, the mobile device displays a notification and prompts to provide the permission. On a mobile device running Android 12 or later, if the permission to use camera has been revoked via Quick Settings, the notification is not displayed but the photo taken is black.

Alarm

The mobile device sounds an alarm. The alarm is sounded for 5 minutes (or for 1 minute if the device battery is low).

Wipe app data

The data of a specified app is wiped from the mobile device.

The action is only applicable to devices running Android 9 or later in device owner mode or with created Android work profile.

For this action, you need to specify the package name for the app whose data is to be deleted. How to get the package name of an app

As a result, the app is rolled back to its default state.

The data of system and administrative apps is not wiped.

To get the package name of an app:

  1. Open Google Play.
  2. Find the required app and open its page.

The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

To get the package name of an app that has been added to Kaspersky Security Center:

  1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
  2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add the app package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

Wipe data of all apps

The data of all apps is wiped from the mobile device.

The action is only applicable to devices running Android 9 or later in device owner mode or with created Android work profile.

If the device works in device owner mode, data of all apps on the device is wiped.

If Android work profile is created on the device, data of all apps in the work profile is wiped.

As a result, apps are rolled back to their default state.

The data of system and administrative apps is not wiped.

Wipe corporate data

The corporate data is wiped from the device. The list of wiped data depends on the mode in which the device operates:

  • On a personal device, KNOX container and mail certificate are wiped.
  • If the device operates in device owner mode, KNOX container and the certificates installed by Kaspersky Endpoint Security for Android (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
  • Additionally, if Android work profile is created, the work profile (its content, configurations, and restrictions) and the certificates installed in the work profile (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.

Reset to factory settings

All data is deleted from the mobile device and the settings are rolled back to their factory values. After this command is executed, the device will not be able to receive or execute subsequent commands.

Get device location history

The mobile device's location history for the last 14 days is displayed.

This command works only if the Device location history informational event type is stored in the Administration Server database. The events are configured in the Events section of the policy properties. For more details, please refer to the Kaspersky Security Center Help.

Due to technical limitations on Android devices, the device location may be retrieved less often than specified in the Synchronization section of the policy properties.

Commands for iOS MDM devices

Commands for protecting data on a lost or stolen iOS MDM device

Command

Command execution result

Lock

The mobile device is locked. To obtain access to data, you must unlock the device.

Reset password

The mobile device's screen unlock password is reset, and the user is prompted to set a new password in accordance with policy requirements.

Wipe corporate data

All installed configuration profiles, provisioning profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile check box has been selected are removed from the device.

Reset to factory settings

All data is deleted from the mobile device and the settings are rolled back to their factory values. After this command is executed, the device will not be able to receive or execute subsequent commands.

Enable Lost Mode (supervised only)

Lost Mode is enabled on the supervised mobile device, and the device is locked. The device screen shows the message and phone number that you can edit.

If you send the Enable Lost Mode command to a supervised iOS MDM device without a SIM card and this device is restarted, the device won't be able to connect to Wi-Fi and receive the Disable Lost Mode command. This is a specific feature of iOS devices. To avoid this issue, you can either send the command only to devices with a SIM card, or insert a SIM card into the locked device to allow it to receive the Disable Lost Mode command over the mobile network.

Locate device (supervised only)

The location of the mobile device is obtained. You can click the link in the command log to view device coordinates and check the device location on a map.

This command is supported only for supervised devices that are in Lost Mode.

Play sound (supervised only)

The sound is played on the lost mobile device.

This command is supported only for supervised devices that are in Lost Mode.

Disable Lost Mode (supervised only)

Lost Mode is disabled on the mobile device, and the device is unlocked.

This command is supported only for supervised devices.

Special rights and permissions are required for the execution of commands of Kaspersky Endpoint Security for Android. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required rights and permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, it will be impossible to execute commands.

On devices running Android 10 or later, the user must grant the "All the time" permission to access the location. On devices running Android 11 or later, the user must also grant the "While using the app" permission to access camera. Otherwise, Anti-Theft commands will not function. The user will be notified of this limitation and will again be prompted to grant the permissions of required level. If the user selects the "Only this time" option for the camera permission, access is considered granted by the app. It is recommended to contact the user directly if the Camera permission is requested again.

For the complete list of available commands, please refer to the "Commands for mobile devices" section. To learn more about sending commands from Administration Console, please refer to the "Sending commands" section.

Page top
[Topic 89902]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Unlocking a mobile device

You can unlock a mobile device by using the following methods:

On certain devices (for example, HUAWEI, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts. If the app is not added to the list, you can unlock the device only by using a one-time unlock code. You cannot use commands to unlock the device.

To learn more about sending commands from the list of mobile devices in Administration Console, please refer to the "Sending commands" section.

A one-time unlock code is a secret application code for unlocking the mobile device. The one-time code is generated by the application and is unique to each mobile device. You can change the length of the one-time code (4, 8 or 16 digits) in group policy settings in the Anti-Theft section.

To unlock the mobile device using a one-time code:

  1. In the console tree, select Mobile Device ManagementMobile devices.
  2. Select a mobile device for which you want to get a one-time unlock code.
  3. Open the mobile device properties window by double-clicking.
  4. Select AppsKaspersky Endpoint Security for Android.
  5. Open the Kaspersky Endpoint Security properties window by double-clicking.
  6. Select the Anti-Theft section.
  7. A unique code for the selected device is shown in the One-time code field of the One-time device unlock code section.
  8. Use any available method (such as email) to communicate the one-time code to the user of the locked device.
  9. The user enters the one-time code on the screen of the device that is locked by Kaspersky Endpoint Security for Android.

The mobile device is unlocked.

After unlocking a device running Android 5.0 – 6, the screen unlock password is reset to "1234". After unlocking a device running Android 7.0 or later, the screen unlock password is not changed.

Page top
[Topic 138758]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Data encryption

To protect data against unauthorized access, you must enable encryption of all data on the device (for example, account credentials, external devices and apps, as well as email messages, SMS messages, contacts, photos, and other files). For access to encrypted data, you must specify a special key – device unlock password. If data is encrypted, access to it can be obtained only when the device is unlocked.

Data encryption is enabled by default on password-locked iOS devices (Settings > Touch ID / Face ID and Password > Enable Password). Also, the hardware encryption on a device must be set to At block and file level (you can check this parameter in the device properties: in the console tree, select Additional > Mobile Device Management > Mobile devices, and then double-click the required device).

To encrypt all data on an Android device:

  1. Enable screen lock on the Android device (SettingsSecurityScreen lock).
  2. Set a device unlock password that is compliant with corporate security requirements.

    It is not recommended to use a pattern lock for unlocking the device. On certain Android devices running Android 6 or later, after encrypting data and restarting the Android device, you must enter a numeric password to unlock the device instead of a pattern lock. This issue is related to the operation of the Accessibility Features service. To unlock the device screen in this case, convert the pattern lock into a numeric password. For more details about converting a pattern lock into a numeric password, please refer to the Technical Support website of the mobile device manufacturer.

  3. Enable encryption of all data on the device (SettingsSecurityEncrypt data).
Page top
[Topic 145531]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deleting data on Android devices after failed password entry attempts

You can configure deleting all data on an Android device (that is, resetting the device to factory settings) after the user makes too many failed attempts to enter the screen unlock password.

These settings apply to devices operating in device owner mode and to personal devices on which the Kaspersky Endpoint Security for Android app is enabled as a device administrator.

To configure wiping all data:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Anti-Theft section.
  5. In the Data wipe on device section, select the Wipe all data after failed attempts to enter unlock password check box.
  6. In the Maximum number of attempts to enter unlock password field, specify the number of attempts that the user can make to unlock the device. The default value is 8. The maximum available value is 20.
  7. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center. If the user exceeds the specified number of attempts to enter the correct screen unlock password, the Kaspersky Endpoint Security for Android app wipes all device data.

Page top
[Topic 243163]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring device unlock password strength

To protect access to a user's mobile device, you should set a device unlock password.

This section contains information about how to configure password protection on Android and iOS devices.

In this section

Configuring a strong unlock password for an Android device

Configuring a strong unlock password for iOS MDM devices
Page top
[Topic 136564]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring a strong unlock password for an Android device

Expand all | Collapse all

To keep an Android device secure, you need to configure the use of a password for which the user is prompted when the device comes out of sleep mode.

You can impose restrictions on the user's activity on the device if the unlock password is weak (for example, lock the device). You can impose restrictions using the Compliance Control component. To do this, in the scan rule settings, you must select the Unlock password is not compliant with security requirements criterion.

On certain Samsung devices running Android 7.0 or later, when the user attempts to configure unsupported methods for unlocking the device (for example, a graphical password), the device may be locked if the following conditions are met: Kaspersky Endpoint Security for Android removal protection is enabled and screen unlock password strength requirements are set. To unlock the device, you must send a special command to the device.

To configure the use of an unlock password:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Device Management section.
  5. If you want the app to check whether an unlock password has been set, select the Require to set screen unlock password check box in the Screen lock section.

    If the application detects that no system password has been set on the device, it prompts the user to set it. The password is set according to the parameters defined by the administrator.

  6. Specify the following options, if required:
    • Minimum number of characters

      The minimum number of characters in the user password. Possible values: 4 to 16 characters.

      The user's password is 4 characters long by default.

      The following is applicable only to personal and work profiles:

      • In personal profile, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high on devices running Android 10 or later.
      • In work profile, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high on devices running Android 12 or later.

      The values are determined by the following rules:

      • If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN) with no repeating or ordered (e.g. 1234) sequences, or alphabetic/ alphanumeric. The PIN or password must be at least 4 characters long.
      • If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN) with no repeating or ordered sequences, or alphabetic/ alphanumeric (password). The PIN must be at least 8 digits long; the password must be at least 6 characters long.
    • Minimum password complexity requirements (Android 12 or earlier in device owner mode)

      Specifies minimum unlock password requirements. These requirements apply only to new user passwords. The following values are available:

      • Numeric

        The user can set a password that includes numbers or set any stronger password (for instance, alphabetic or alphanumeric).

        This option is selected by default.

      • Alphabetic

        The user can set a password that includes letters (or other non-number symbols) or set any stronger password (for instance, alphanumeric).

      • Alphanumeric

        The user can set a password that includes both numbers and letters (or other non-number symbols) or set any stronger complex password.

      • Not specified

        The user can set any password.

      • Complex

        The user must set a complex password according to the specified password properties:

        • Minimum number of letters
        • Minimum number of digits
        • Minimum number of special symbols (for example, !@#$%)
        • Minimum number of uppercase letters
        • Minimum number of lowercase letters
        • Minimum number of non-letter characters (for example, 1^&*9)
      • Complex numeric

        The user can set a password that includes numbers with no repetitions (e.g. 4444) and no ordered sequences (e.g. 1234, 4321, 2468) or set any stronger complex password.

      • Weak biometric

        The user can use biometric unlock methods or set a stronger complex password.

      This option applies only to devices running Android 12 or later in device owner mode.

    • Maximum password age, in days

      Specifies the number of days before the password expires. Applying a new value will set the current password lifetime to the new value.

      The default value is 0. This means that the password won't expire.

      This settings applies to devices running all supported Android versions. Starting from Android 10, this setting applies only to the device owner mode.

    • Number of days to notify that a password change is required (for device owner mode)

      Specifies the number of days to notify the user before the password expires.

      The default value is 0. This means that the user won't be notified about password expiration.

      This option applies only to devices operating in device owner mode.

    • Number of recent passwords that can't be used as a new password (all Android versions; Android 10 or later in device owner mode)
    • Period of inactivity before the device screen locks, in seconds

      Specifies the period of inactivity before the device locks. After this period, the device will lock.

      The default value is 0. This means that the device won't lock after a certain period.

    • Period after unlocking by biometric methods before entering a password, in minutes (Android 8.0 or later in device owner mode)

      Specifies the period for unlocking the device without a password. During this period, the user can use biometric methods to unlock the screen. After this period, the user can unlock the screen only with a password.

      The default value is 0. This means that the user won't be forced to unlock the device with a password after a certain period.

      This option applies only to devices running Android 8.0 or later in device owner mode.

    • Allow biometric unlock methods (Android 9 or later; Android 10 in device owner mode)

      If the check box is selected, the use of biometric unlock methods on the mobile device is allowed.

      If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of biometric methods to unlock the screen. The user can unlock the screen only with a password.

      This check box is selected by default.

      This setting applies only to devices running Android 9 or later. Starting from Android 10, this setting applies only to the device owner mode.

    • Allow use of fingerprints (all Android versions; Android 10 in device owner mode)

      The use of fingerprints to unlock the screen.

      This check box does not restrict the use of a fingerprint scanner when signing in to apps or confirming purchases.

      If the check box is selected, the use of fingerprints on the mobile device is allowed.

      If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of fingerprints to unlock the screen. The user can unlock the screen only with a password. In the Android settings, the option to use fingerprints will be unavailable (Android Settings > Security > Screen lock > Fingerprints).

      This check box is available only if the Allow biometric unlock methods (Android 9 or later; Android 10 or later in device owner mode) check box is selected.

      This check box is selected by default.

      This settings applies to devices running all supported Android versions. Starting from Android 10, this setting applies only to the device owner mode.

      On some Xiaomi devices with Android work profile, the work profile may be unlocked by a fingerprint only if you set the Period of inactivity before the device screen locks value after setting a fingerprint as the screen unlocking method.

    • Allow face scanning (Android 9 or later; Android 10 in device owner mode)
    • Allow iris scanning (Android 9 or later; Android 10 in device owner mode)

      If the check box is selected, the use of iris scanning on the mobile device is allowed.

      If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of iris scanning to unlock the screen.

      This check box is available only if the Allow biometric unlock methods (Android 9 or later; Android 10 or later in device owner mode) check box is selected.

      This check box is selected by default.

      This setting applies only to devices running Android 9 or later. Starting from Android 10, this setting applies only to the device owner mode.

    • Allow the device to start up before prompting the password

      If the check box is selected, the device starts up and loads system processes and background apps before prompting the user to enter the unlock password.

      Once this option is applied, it cannot be reverted without resetting the device to factory defaults.

      If the check box is cleared, the startup requirements remain unchanged.

      This check box is cleared by default.

    • Unlock password

      This option lets you set the password on the user device.

      On devices running Android 7.0–10 inclusive, this option applies to personal devices on which no password is set.

      On devices running Android 11 or later, this option applies only if the device is in device owner mode.

      Once you save the policy, this option applies to the device by sending a command with the specified password. The input is cleared and the specified password is not saved in Administration Console.

      • If the device is not protected with the password or is running Android 10 or earlier, Kaspersky Endpoint Security for Android sets the password immediately.
      • If the device is running Android 11 or later, Kaspersky Endpoint Security for Android prompts the user to apply the new password.

      If you leave this option empty, no changes are applied to the device.

  7. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

On some HUAWEI devices, an issue message about too simple screen unlocking method appears.

To set a correct PIN code on a HUAWEI device, the user must do the following:

  1. In the issue message, tap the Edit button.
  2. Enter the current PIN code.
  3. In the Set new password window, tap the Change unlock method button.
  4. Select the Custom PIN unlock method.
  5. Set the new PIN code.

    The PIN code must be compliant with policy requirements.

A correct PIN code is now set on the device.

Page top
[Topic 90495]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring a strong unlock password for iOS MDM devices

To protect iOS MDM device data, configure the unlock password strength settings.

By default, the user can use a simple password. A simple password is a password that contains successive or repetitive characters, such as "abcd" or "2222". The user is not required to enter an alphanumeric password that includes special symbols. By default, the password validity period and the number of password entry attempts are not limited.

To configure the strength settings for an iOS MDM device unlock password:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Password section.
  5. In the Password settings section, select the Apply settings on device check box.
  6. Configure unlock password strength settings:
    • To allow the user to use a simple password, select the Allow simple password check box.
    • To require use of both letters and numbers in the password, select the Prompt for alphanumeric value check box.
    • To require use of a password, select the Force use of password check box. If the check box is cleared, the mobile device can be used without a password.
    • In the Minimum password length list, select the minimum password length in characters.
    • In the Minimum number of special characters list, select the minimum number of special characters in the password (such as "$", "&", "!").
    • In the Maximum password lifetime field, specify the period of time in days during which the password will stay current. When this period expires, Kaspersky Device Management for iOS prompts the user to change the password.
    • In the Enable Auto-Lock in list, select the amount of time after which iOS MDM device Auto-Lock should be enabled.
    • In the Password history field, specify the number of used passwords (including the current password) that Kaspersky Device Management for iOS will compare with the new password when the user changes the old password. If passwords match, the new password is rejected.
    • In the Maximum time for unlock without password list, select the amount of time during which the user can unlock the iOS MDM device without entering the password.
    • In the Maximum number of access attempts, select the number of access attempts that the user can make to enter the iOS MDM device unlock password.
  7. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, Kaspersky Device Management for iOS checks the strength of the password set on the user's mobile device. If the strength of the device unlock password does not conform to the policy, the user is prompted to change the password.

Page top
[Topic 88130]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring a virtual private network (VPN)

This section contains information on configuring virtual private network (VPN) settings for secure connection to Wi-Fi networks.

In this section

Configuring VPN on Android devices (only Samsung)

Configuring VPN on iOS MDM devices

Configuring Per App VPN on iOS MDM devices
Page top
[Topic 141383]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring VPN on Android devices (only Samsung)

To securely connect an Android device to Wi-Fi networks and protect data transfer, you should configure the settings for VPN (Virtual Private Network).

Configuration of VPN is possible only for Samsung devices running Android 11 or earlier.

The following requirements should be considered when using a virtual private network:

  • The app that uses the VPN connection must be allowed in Firewall settings.
  • Virtual private network settings configured in the policy cannot be applied to system applications. The VPN connection for system applications has to be configured manually.
  • Some applications that use the VPN connection need to have additional settings configured at first startup. To configure settings, the VPN connection has to be allowed in application settings.

To configure VPN on a user's mobile device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Manage Samsung KNOX → Manage Samsung devices section.
  5. In the VPN section, click the Configure button.

    This opens the VPN network window.

  6. In the Connection type drop-down list, select the type of VPN connection.
  7. In the Network name field, enter the name of the VPN tunnel.
  8. In the Server address field, enter the network name or IP address of the VPN server.
  9. In the DNS search domain(s) list, enter the DNS search domain to be automatically added to the DNS server name.

    You can specify several DNS search domains, separating them with blank spaces.

  10. In the DNS server(s) field, enter the full domain name or IP address of the DNS server.

    You can specify several DNS servers, separating them with blank spaces.

  11. In the Routing field, enter the range of network IP addresses with which data is exchanged via the VPN connection.

    If the range of IP addresses is not specified in the Routing field, all internet traffic will pass through the VPN connection.

  12. Additionally configure the following settings for networks of the IPSec Xauth PSK and L2TP IPSec PSK types:
    1. In the IPSec shared key field, enter the password for the preset IPSec security key.
    2. In the IPSec ID field, enter the name of the mobile device user.
  13. For an L2TP IPSec PSK network, additionally specify the password for the L2TP key in the L2TP key field.
  14. For a PPTP network, select the Use SSL connection check box so that the app will use the MPPE (Microsoft Point-to-Point Encryption) method of data encryption to secure data transmission when the mobile device connects to the VPN server.
  15. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Page top
[Topic 90755]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring VPN on iOS MDM devices

To connect an iOS MDM device to a virtual private network (VPN) and protect data during the connection to the VPN, configure the VPN connection settings. The IKEv2 and IPSec VPN protocols also let you set up a VPN connection for selected website domains in Safari.

To configure the VPN connection on a user's iOS MDM device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the VPN section.
  5. Click the Add button in the VPN networks section.

    This opens the VPN network window.

  6. In the Network name field, enter the name of the VPN tunnel.
  7. In the Connection type drop-down list, select the type of VPN connection:
    • L2TP (Layer 2 Tunneling Protocol). The connection supports authentication of iOS MDM device user using MS-CHAP v2 passwords, two-factor authentication, and automatic authentication using a public key.
    • PPTP (Point-to-Point Tunneling Protocol). The connection supports authentication of iOS MDM device user using MS-CHAP v2 passwords and two-factor authentication.

      The PPTP connection is no longer supported.

    • IKEv2 (Internet Key Exchange version 2). The connection establishes the Security Association (SA) attribute between two network entities and supports authentication using EAP (Extensible Authentication Protocols), shared secrets, and certificates.
    • IPSec (Cisco). The connection supports password-based user authentication, two-factor authentication, and automatic authentication using a public key and certificates.
    • Cisco AnyConnect. The connection supports the Cisco Adaptive Security Appliance (ASA) firewall of version 8.0(3).1 or later. To configure the VPN connection, install the Cisco AnyConnect app from App Store on the iOS MDM device.
    • Juniper SSL. The connection supports the Juniper Networks SSL VPN gateway, Series SA, of version 6.4 or later with the Juniper Networks IVE package of version 7.0 or later. To configure the VPN connection, install the JUNOS app from App Store on the iOS MDM device.
    • F5 SSL. The connection supports F5 BIG-IP Edge Gateway, Access Policy Manager, and Fire SSL VPN solutions. To configure the VPN connection, install the F5 BIG-IP Edge Client app from App Store on the iOS MDM device.
    • SonicWALL Mobile Connect. The connection supports SonicWALL Aventail E-Class Secure Remote Access devices of version 10.5.4 or later, SonicWALL SRA devices of version 5.5 or later, as well as SonicWALL Next-Generation Firewall devices, including TZ, NSA, E-Class NSA with SonicOS of version 5.8.1.0 or later. To configure the VPN connection, install the SonicWALL Mobile Connect app from App Store on the iOS MDM device.
    • Aruba VIA. The connection supports Aruba Networks mobile access controllers. To configure them, install the Aruba Networks VIA app from App Store on the iOS MDM device.
    • Custom SSL. The connection supports authentication of the iOS MDM device user using passwords and certificates and two-factor authentication.
  8. In the Server address field, enter the network name or IP address of the VPN server.
  9. In the Account name field, enter the account name for authorization on the VPN server. You can use macros from the Macros available drop-down list.
  10. Configure the security settings for the VPN connection according to the selected type of virtual private network. For information about these settings, refer to the context help of the administration plug-in.
  11. For IKEv2 and IPsec connections, if necessary, set up Per App VPN functionality for supported system apps (Email, Calendar, Safari, and Contacts). For details, refer to the Configuring Per App VPN on iOS MDM devices section or the context help of the administration plug-in.
  12. If necessary, configure the settings of the VPN connection via a proxy server:
    1. Select the Proxy server settings tab.
    2. Select the proxy server configuration mode and specify the connection settings.
    3. Click OK.

    As a result, the settings of the device connection to a VPN via a proxy server are configured on the iOS MDM device.

  13. Click OK.

    The new VPN is displayed in the list.

  14. Click the Apply button to save the changes you have made.

As a result, a VPN connection will be configured on the user's iOS MDM device once the policy is applied.

Page top
[Topic 90374]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring Per App VPN on iOS MDM devices

The Per App VPN functionality allows a device to establish a VPN connection when supported system apps (Email, Calendar, Safari, and Contacts) are launched. This functionality is available for IKEv2 and IPsec connections.

To enable the Per App VPN functionality:

  1. Perform the initial setup of the VPN connection. For more details on the pre-configuring process, please refer to the Configuring VPN on iOS MDM devices section.
  2. Select the Enable Per App VPN check box.

Set up Per App VPN for supported system apps (Email, Calendar, Safari, and Contacts) in the corresponding policy sections.

When you select the Enable Per App VPN check box, the Turn on VPN automatically for system apps check box becomes available and is also selected. This means that the device will automatically activate the VPN connection when associated system apps initiate network communication.

To specify the Per App VPN configuration for the Email, Calendar, and Contacts apps:

  1. Go to the corresponding policy section.
  2. Click Add to create a new account or select the existing account in the list and click Edit.
  3. In the Per App VPN settings section, select the Enable Per App VPN (iOS 14+) check box.
  4. Choose this Per App VPN configuration from the Select Per App VPN configuration drop-down list and click OK to save the changes.

To specify the Per App VPN configuration for Safari:

  1. Go to the Safari policy section.
  2. Click Add.

    The Adding domain for Safari window opens.

  3. Choose this Per App VPN configuration from the Per App VPN configuration drop-down list.
  4. In the Domain for the VPN connection that will be activated field, specify the website domain that will trigger the VPN connection in Safari. The domain should be in the "www.example.com" format.
  5. Click OK to add the domain to the list.

Page top
[Topic 254347]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring Firewall on Android devices (only Samsung)

Configure Firewall settings to monitor network connections on the user's mobile device.

To configure Firewall on a mobile device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Manage Samsung KNOX → Manage Samsung devices section.
  5. In the Firewall window, click Configure.

    The Firewall window opens.

  6. Select the Firewall mode:
    • To allow all inbound and outbound connections, move the slider to Allow all.
    • To block all network activity except that of apps on the list of exclusions, move the slider up to Block all but exceptions.
  7. If you have set the Firewall mode to Block all but exceptions, create a list of exclusions:
    1. Click Add.

      This opens the Exclusion for Firewall window.

    2. In the App name field, enter the name of the mobile app.
    3. In the Package name field, enter the system name of the mobile app package (for example, com.mobileapp.example).
    4. Click OK.
  8. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Page top
[Topic 138696]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Protecting Kaspersky Endpoint Security for Android against removal

For mobile device protection and compliance with corporate security requirements, you can enable protection against removal of Kaspersky Endpoint Security for Android. In this case, the user cannot remove the app using the Kaspersky Endpoint Security for Android interface. When removing the app using the tools of the Android operating system, you are prompted to disable administrator rights for Kaspersky Endpoint Security for Android. After disabling the rights, the mobile device will be locked.

On certain Samsung devices running Android 7.0 or later, when the user attempts to configure unsupported methods for unlocking the device (for example, a graphical password), the device may be locked if the following conditions are met: Kaspersky Endpoint Security for Android removal protection is enabled and screen unlock password strength requirements are set. To unlock the device, you must send a special command to the device.

To enable protection against removal of Kaspersky Endpoint Security for Android:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Additional section.
  5. In the Removal of Kaspersky Endpoint Security for Android section, clear the Allow removal of Kaspersky Endpoint Security for Android check box.

    To protect the app from removal on devices running Android 7.0 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, the app is not protected from removal.

  6. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. If an attempt is made to remove the app, the mobile device will be locked.

Page top
[Topic 90531]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Detecting device hacks (root)

Kaspersky Secure Mobility Management enables you to detect device hacks (root). System files are unprotected on a hacked device and can therefore be modified. Moreover, third-party apps from unknown sources could be installed on hacked devices. Upon detection of a hack attempt, we recommend that you immediately restore normal operation of the device.

Kaspersky Endpoint Security for Android uses the following services to detect when a user obtains root privileges:

  • Embedded service of Kaspersky Endpoint Security for Android. A Kaspersky service that checks whether a mobile device user has obtained root privileges (Kaspersky Mobile Security SDK).

If the device is hacked, you receive a notification. You can view hacking notifications in the workspace of the Administration Server on the Monitoring tab. You can also disable notifications about hacks in the event notification settings.

On devices running Android, you can impose restrictions on the user's activity on the device if the device is hacked (for example, lock the device). You can impose restrictions by using the Compliance Control component. To do this, in the compliance rule settings, select the Device has been rooted criterion.

Page top
[Topic 136565]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring a global HTTP proxy on iOS MDM devices

To protect the user's internet traffic, configure the connection of the iOS MDM device to the internet via a proxy server.

Automatic connection to the internet via a proxy server is available for controlled devices only.

To configure global HTTP proxy settings on the user's iOS MDM device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Global HTTP Proxy section.
  5. In the Global HTTP proxy settings section, select the Apply settings on device check box.
  6. Select the type of global HTTP proxy configuration.

    By default, the manual type of global HTTP proxy configuration is selected, and the user is prohibited from connecting to captive networks without connecting to a proxy server. Captive networks are wireless networks that require preliminary authentication on the mobile device without connecting to the proxy server.

    • To specify the proxy server connection settings manually:
      1. In the Proxy settings type drop-down list, select Manual.
      2. In the Proxy server address and port field, enter the name of a host or the IP address of a proxy server and the number of the proxy server port.
      3. In the User name field, set the user account name for proxy server authorization. You can use macros from the Macros available drop-down list.
      4. In the Password field, set the user account password for proxy server authorization.
      5. To allow the user to access captive networks, select the Allow access to captive networks without connecting to proxy check box.
    • To configure the proxy server connection settings using a predefined PAC (Proxy Auto Configuration) file:
      1. In the Proxy settings type drop-down list, select Automatic.
      2. In the URL of PAC file field, enter the web address of the PAC file (for example: http://www.example.com/filename.pac).
      3. To allow the user to connect the mobile device to a wireless network without using a proxy server when the PAC file cannot be accessed, select the Allow direct connection if PAC file cannot be accessed check box.
      4. To allow the user to access captive networks, select the Allow access to captive networks without connecting to proxy check box.
  7. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the mobile device user will connect to the internet via a proxy server.

Page top
[Topic 88664]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Adding security certificates to iOS MDM devices

To simplify user authentication and ensure data security, add certificates on the user's iOS MDM device. Data signed with a certificate is protected against modification during network exchange. Data encryption using a certificate provides an added level of security for data. The certificate can be also used to verify the user's identity.

Kaspersky Device Management for iOS supports the following certificate standards:

  • PKCS#1 – encryption with a public key based on RSA algorithms.
  • PKCS#12 – storage and transmission of a certificate and a private key.

To add a security certificate on a user's iOS MDM device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Certificates section.
  5. Click the Add button in the Certificates section.

    The Certificate window opens.

  6. In the File name field, specify the path to the certificate:

    Files of PKCS#1 certificates have the cer, crt, or der extensions. Files of PKCS#12 certificates have the p12 or pfx extensions.

  7. Click Open.

    If the certificate is password-protected, specify the password. The new certificate appears in the list.

  8. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the user will be prompted to install certificates from the list that has been created.

Page top
[Topic 88328]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Adding a SCEP profile to iOS MDM devices

You have to add a SCEP profile to enable the iOS MDM device user to automatically receive certificates from the Certification Center via the internet. The SCEP profile enables support of the Simple Certificate Enrollment Protocol.

A SCEP profile with the following settings is added by default:

  • The alternative subject name is not used for registering certificates.
  • Three attempts 10 seconds apart are made to poll the SCEP server. If all attempts to sign the certificate have failed, you have to generate a new certificate signing request.
  • The certificate that has been received cannot be used for data signing or encryption.

You can edit the specified settings when adding the SCEP profile.

To add a SCEP profile:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the SCEP section.
  5. Click the Add button in the SCEP profiles section.

    The SCEP profile window opens.

  6. In the Server web address field, enter the web address of the SCEP server on which the Certification Center is deployed.

    The URL can contain the IP address or the full domain name (FQDN). For example, http://10.10.10.10/certserver/companyscep.

  7. In the Name field, enter the name of the Certification Center deployed on the SCEP server.
  8. In the Subject field, enter a string with the attributes of the iOS MDM device user that are contained in the X.500 certificate.

    Attributes can contain details of the country (C), organization (O), and common user name (CN). For example: /C=RU/O=MyCompany/CN=User/. You can also use other attributes specified in RFC 5280.

  9. In the Type of alternative name of subject drop-down list, select the type of alternative name of the subject of the SCEP server:
    • No – alternative name identification is not used.
    • RFC 822 name – identification using the email address. The email address must be specified according to RFC 822.
    • DNS name – identification using the domain name.
    • URI – identification using the IP address or address in FQDN format.

    You can use an alternative name of the subject for identifying the user of the iOS MDM device.

  10. In the Subject Alternative Name field, enter the alternative name of the subject of the X.500 certificate. The value of the subject alternative name depends on the subject type: the user's email address, domain, or web address.
  11. In the NT subject name field, enter the DNS name of the iOS MDM device user on the Windows NT network.

    The NT subject name is contained in the certificate request sent to the SCEP server.

  12. In the Number of polling attempts on SCEP server field, specify the maximum number of attempts to poll the SCEP server to get the certificate signed.
  13. In the Frequency of attempts (sec) field, specify the period of time in seconds between attempts to poll the SCEP server to get the certificate signed.
  14. In the Registration request field, enter a pre-published registration key.

    Before signing a certificate, the SCEP server requests the mobile device user to supply a key. If this field is left blank, the SCEP does not request the key.

  15. In the Key Size drop-down list, select the size of the registration key in bits: 1024 or 2048.
  16. If you want to allow the user to use a certificate received from the SCEP server as a signing certificate, select the Use for signing check box.
  17. If you want to allow the user to use a certificate received from the SCEP server for data encryption, select the Use for encryption check box.

    It is prohibited to use the SCEP server certificate as a data signing certificate and a data encryption certificate at the same time.

  18. In the Certificate fingerprint field, enter a unique certificate fingerprint for verifying the authenticity of the response from the Certification Center. You can use certificate fingerprints with the SHA1 or MD5 hashing algorithm. You can copy the certificate fingerprint manually or select a certificate using the Create from certificate button. When the fingerprint is created using the Create from certificate button, the fingerprint is added to the field automatically.

    The certificate fingerprint has to be specified if data exchange between the mobile device and the Certification Center takes place via the HTTP protocol.

  19. Click OK.

    The new SCEP profile appears in the list.

  20. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the user's mobile device is configured to automatically receive a certificate from the Certification Center via the internet.

Page top
[Topic 90359]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Restricting SD card usage (only Samsung)

Expand all | Collapse all

Configure SD card settings to control usage of the SD card on the user's mobile device.

To restrict SD card usage on a mobile device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Manage Samsung KNOX → Manage Samsung devices section.
  5. In the SD card settings section specify the needed restrictions:
    • Allow access to SD card

      This setting applies to devices with Android 5.0-12.

      Selecting or clearing this check box specifies whether access to SD card is enabled or disabled on the device.

      This check box is selected by default.

    • Allow writing to SD card

      Selecting or clearing this check box specifies whether writing to SD card is enabled or disabled on the device.

      This check box is selected by default.

    • Allow moving apps to SD card

      Selecting or clearing this check box specifies whether the device user is allowed to move apps to SD card.

      This check box is selected by default.

  6. Click the Apply button to save the changes you have made.

SD card settings are now configured.

Page top
[Topic 249554]