The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Working in Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console
This Help section describes protection and management of mobile devices by using Kaspersky Security Center Web Console (hereinafter also referred to as Web Console) or Kaspersky Security Center Cloud Console (hereinafter also referred to as Cloud Console).
About mobile device management in Kaspersky Security Center Web Console and Cloud Console
You can manage mobile devices in Kaspersky Security Center Web Console and Cloud Console by using the following components:
- Kaspersky Endpoint Security for Android app
  The Kaspersky Endpoint Security for Android app ensures protection of mobile devices against web threats, viruses, and other programs that pose threats.
- Kaspersky Security for iOS app
  The Kaspersky Security for iOS app ensures protection of mobile devices against phishing and web threats.
- Kaspersky Security for Mobile (Devices) plug-in
  The Kaspersky Security for Mobile (Devices) plug-in provides the interface for managing mobile devices and the mobile apps installed on them through Kaspersky Security Center Web Console and Cloud Console.
- Kaspersky Security for Mobile (Policies) plug-in
  The Kaspersky Security for Mobile (Policies) plug-in lets you define the configuration settings for devices connected to Kaspersky Security Center, by using group policies.
The plug-ins are integrated into the Kaspersky Security Center remote administration system. You can use Kaspersky Security Center Web Console or Cloud Console to manage mobile devices, as well as client computers and virtual systems. After you connect mobile devices to the Administration Server, they become managed. You can remotely monitor managed devices.
Distribution kit
The Kaspersky Secure Mobility Management distribution kit may include various components, depending on the chosen application version.
Kaspersky Security Center
- ksc_14_<version>_full_<language>.exe: Kaspersky Security Center installer. This is a special version customized for Kaspersky Secure Mobility Management.
- ksc_14_<version>_Console_<language>.exe: Installer of MMC-based Administration Console. This is a special version customized for Kaspersky Secure Mobility Management. You can install Administration Console on another device and manage Kaspersky Security Center Administration Server remotely.
Mobile device management in MMC-based Administration Console
- klcfginst.exe: Installer of Kaspersky Endpoint Security for Android Administration Plug-in.
- klmdminst.exe: Installer of Kaspersky Device Management for iOS Administration Plug-in.
Mobile device management in Kaspersky Security Center Web Console
- on_prem_ksm_devices_<version>.zip: Archive that contains the files required for the installation of the Kaspersky Security for Mobile (Devices) plug-in:
  - plugin.zip: Archive that contains the Kaspersky Security for Mobile (Devices) plug-in.
  - signature.txt: File that contains the signature for the Kaspersky Security for Mobile (Devices) plug-in.
- on_prem_ksm_policies_<version>.zip: Archive that contains the files required for the installation of the Kaspersky Security for Mobile (Policies) plug-in:
  - plugin.zip: Archive that contains the Kaspersky Security for Mobile (Policies) plug-in.
  - signature.txt: File that contains the signature for the Kaspersky Security for Mobile (Policies) plug-in.
Mobile device management in Kaspersky Security Center Cloud Console
To manage mobile devices in Kaspersky Security Center Cloud Console, you do not need to download a distribution package. You only need to create an account in Kaspersky Security Center Cloud Console. For more information about creating an account, please refer to Kaspersky Security Center Cloud Console Help.
File of the Kaspersky Endpoint Security for Android app
- kesandroid10<version><languages>.apk: Android package file of the Kaspersky Endpoint Security for Android app.
File of Corporate App Catalog
- Install_<version>.exe: Distribution package of Corporate App Catalog. The package includes the following components:
  - Corporate App Catalog
  - Corporate App Catalog Management Console
  - Apache server
For more information about installing Corporate App Catalog, please refer to Corporate App Catalog Help.
Auxiliary files
- sc_package_<languages>.exe: Self-extracting archive that contains the files required for installing the Kaspersky Endpoint Security for Android app by creating installation packages:
  - adb.exe, AdbWinApi.dll, AdbWinUsbApi.dll: Files required for creating installation packages.
  - installer.ini: Configuration file that contains Administration Server connection settings.
  - kesandroid10<version><languages>.apk: Android package file of the Kaspersky Endpoint Security for Android app.
  - kmlisten.exe: Utility for delivering installation packages through the administrator's computer.
  - kmlisten.ini: Configuration file that contains the settings for the kmlisten.exe utility.
  - kmlisten.kpd: Application description file.
If you create an installation package with the sc_package.exe archive in the Kaspersky Security Center version earlier than 14.2, the installation of Kaspersky Endpoint Security for Android app will fail on devices running Android 10 or later. To avoid this issue, please upgrade to Kaspersky Security Center 14.2 or contact Technical Support to receive an appropriate version of the archive.
Documentation
- Help for Kaspersky Secure Mobility Management.
Key features of mobile device management in Kaspersky Security Center Web Console and Cloud Console
Kaspersky Secure Mobility Management provides the following features:
- Distribution of email messages for connecting Android mobile devices to Kaspersky Security Center by using links to download the Kaspersky Endpoint Security for Android app from Google Play.
- Distribution of email messages for connecting iOS mobile devices to Kaspersky Security Center by using links to download the Kaspersky Security for iOS app from App Store.
- Remote connection of mobile devices to Kaspersky Security Center and other third-party EMM systems (for example, VMware AirWatch, MobileIron, IBM MaaS360, SOTI MobiControl).
- Remote configuration of the mobile app, as well as remote configuration of services, apps, and functions of mobile devices.
- Remote configuration of mobile devices in accordance with the corporate security requirements.
- Prevention of leakage of corporate information stored on mobile devices, in case they are lost or stolen (Anti-Theft). Supported for Android devices only.
- Control of compliance with corporate security requirements (Compliance Control). Supported for Android devices only.
- Control of protection against online threats and control of internet use on mobile devices (Web Protection).
- Setup of notifications shown to the user in the Kaspersky Endpoint Security for Android and Kaspersky Security for iOS apps.
- Administrator notifications about the status and events of the Kaspersky Endpoint Security for Android and Kaspersky Security for iOS apps can be communicated in Kaspersky Security Center or by email.
- Change Control for policy settings (revision history).
Kaspersky Secure Mobility Management includes the following protection and management components:
- Anti-Malware (for Android devices)
- Anti-Theft (for Android devices)
- Web Protection (for Android and iOS devices)
- App Control (for Android devices)
- Compliance Control (for Android devices)
- Detection of root privileges on Android devices and jailbreak detection on iOS devices
About the Kaspersky Endpoint Security for Android app
The Kaspersky Endpoint Security for Android app ensures protection of mobile devices against web threats, viruses, and other programs that pose threats.
The Kaspersky Endpoint Security for Android app includes the following components:
- Anti-Malware. This component detects and neutralizes threats on your device by using the anti-malware databases and the Kaspersky Security Network cloud service. Anti-Malware includes the following components:
  - Protection. It detects threats in open files, scans new apps, and prevents device infection in real time.
  - Scan. It is started on demand for the entire file system, only for installed apps, or a selected file or folder.
  - Update. It allows you to download new anti-malware databases for the application.
- Anti-Theft. This component protects information on the device against unauthorized access in case the device is lost or stolen. This component lets you send the following commands to the device:
  - Locate. Get the coordinates of the device's location.
  - Alarm. Make the device sound a loud alarm.
  - Wipe. Erase corporate data to protect sensitive company information.
- Web Protection. This component blocks malicious websites designed to spread malicious code. Web Protection also blocks fake (phishing) websites designed to steal confidential data of the user (for example, passwords for online banking or e-money systems) and access the user's financial info. Web Protection scans websites before you open them, by using the Kaspersky Security Network cloud service. After scanning, Web Protection allows trustworthy websites to load and blocks malicious websites. Web Protection also supports website filtering by categories defined in the Kaspersky Security Network cloud service. This allows the administrator to restrict user access to certain categories of web pages (for example, web pages from the "Gambling, lotteries, sweepstakes" or "Internet communication" categories).
- App Control. This component lets you install recommended and required apps to your device via a direct link to the distribution package or a link to Google Play. App Control lets you remove blocked apps that violate corporate security requirements.
- Compliance control. This component allows you to check managed devices for compliance with the corporate security requirements and impose restrictions on certain functions of non-compliant devices.
You can configure the components of the Kaspersky Endpoint Security for Android app in Kaspersky Security Center Web Console and Cloud Console by defining the settings of group policies.
About the Kaspersky Security for iOS app
The Kaspersky Security for iOS app ensures protection of mobile devices against phishing and web threats.
The Kaspersky Security for iOS app offers the following key features:
- Web Protection. This component blocks malicious websites designed to spread malicious code. Web Protection also blocks fake (phishing) websites designed to steal confidential data of the user (for example, passwords for online banking or e-money systems) and access the user's financial info. Web Protection scans websites before you open them, by using the Kaspersky Security Network cloud service. After scanning, Web Protection allows trustworthy websites to load and blocks malicious websites. You can configure this component in Kaspersky Security Center Web Console and Cloud Console by defining the settings of group policies.
- Jailbreak detection. When Kaspersky Security for iOS detects a jailbreak, it displays a critical message and informs you about the issue.
About the Kaspersky Security for Mobile (Devices) plug-in
The Kaspersky Security for Mobile (Devices) plug-in provides the interface for managing mobile devices and the mobile apps installed on them through Kaspersky Security Center Web Console and Cloud Console. The Kaspersky Security for Mobile (Devices) plug-in allows you to perform the following:
- Connect mobile devices to Kaspersky Security Center.
- Manage the certificates of mobile devices.
- Configure Firebase Cloud Messaging (for Android devices only).
- Send commands to mobile devices (for Android devices only).
The Kaspersky Security for Mobile (Devices) plug-in can be installed when configuring Kaspersky Security Center Web Console. If you are using Kaspersky Security Center Cloud Console, you do not need to install this plug-in. For more information about deployment scenarios in different types of consoles, see section "Deployment scenarios".
About the Kaspersky Security for Mobile (Policies) plug-in
The Kaspersky Security for Mobile (Policies) plug-in lets you define the configuration settings for devices connected to Kaspersky Security Center, by using group policies. The Kaspersky Security for Mobile (Policies) plug-in can be used to perform the following:
- Create group security policies for mobile devices.
- Remotely configure the operating settings of the mobile app on users' mobile devices.
- Receive reports and statistics on the operation of the mobile app on users' mobile devices.
The Kaspersky Security for Mobile (Policies) plug-in can be installed when configuring Kaspersky Security Center Web Console. If you are using Kaspersky Security Center Cloud Console, you do not need to install this plug-in. For more information about deployment scenarios in different types of consoles, see section "Deployment scenarios".
Hardware and software requirements
This section lists the hardware and software requirements for the administrator's computer that is used to install the Kaspersky Security for Mobile (Devices) plug-in and the Kaspersky Security for Mobile (Policies) plug-in in Kaspersky Security Center Web Console and Cloud Console, as well as the hardware and software requirements of the mobile apps.
Hardware and software requirements for the administrator's computer
To install the Kaspersky Security for Mobile (Devices) plug-in and the Kaspersky Security for Mobile (Policies) plug-in, the administrator's computer must meet the hardware requirements of Kaspersky Security Center. For more information about the hardware and software requirements of Kaspersky Security Center:
- If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
- If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.
To use the Kaspersky Security for Mobile (Devices) plug-in and the Kaspersky Security for Mobile (Policies) plug-in in Kaspersky Security Center Web Console, Kaspersky Security Center Web Console must be installed on the administrator's computer.
To use the Kaspersky Security for Mobile (Devices) plug-in and the Kaspersky Security for Mobile (Policies) plug-in in Kaspersky Security Center Cloud Console, you must create an account in Kaspersky Security Center Cloud Console. For more information about creating an account, please refer to Kaspersky Security Center Cloud Console Help.
The Kaspersky Endpoint Security for Android app can function within the following third-party EMM systems:
- VMware AirWatch 9.3 or later
- MobileIron 10.0 or later
- IBM MaaS360 10.68 or later
- Microsoft Intune 1908 or later
- SOTI MobiControl 14.1.4 (1693) or later
Hardware and software requirements for the user's mobile device to support installation of the Kaspersky Endpoint Security for Android app
The Kaspersky Endpoint Security for Android app has the following hardware and software requirements:
- Smartphone or tablet with a screen resolution of 320x480 pixels or higher
- 65 MB of free disk space in the main memory of the device
- Android 5.0 or later (including Android 12L, excluding Go Edition)
- x86, x86-64, Arm5, Arm6, Arm7, or Arm8 processor architecture
The app can be installed only to the main memory of the device.
Hardware and software requirements for the user's mobile device to support installation of the Kaspersky Security for iOS app
The Kaspersky Security for iOS app has the following hardware requirements:
- iPhone 6S or later
- iPad Air 2 or later
The Kaspersky Security for iOS app has the following software requirements:
- iOS 14.1 or later
- iPadOS 14.1 or later
The Kaspersky Security for iOS app can't operate properly when a VPN client with an active VPN connection is running on the same mobile device.
Known issues and considerations
Kaspersky Endpoint Security for Android and Kaspersky Security for iOS have several known issues that are non-critical for the operation of these apps.
Known issues of Kaspersky Security for iOS
- The Kaspersky Security for iOS app can't operate properly when a VPN client with an active VPN connection is running on the same mobile device.
Known issues of Kaspersky Endpoint Security for Android
Known issues when installing apps
- Kaspersky Endpoint Security for Android is installed only in the main memory of the device.
- On devices running Android 7.0, an error may occur during attempts to disable administrator rights for Kaspersky Endpoint Security for Android in device settings if Kaspersky Endpoint Security for Android is prohibited from overlaying on other windows. This issue is caused by a well-known defect in Android 7.
- Kaspersky Endpoint Security for Android on devices running Android 7.0 or later does not support multi-window mode.
- Kaspersky Endpoint Security for Android does not work on Chromebook devices running the Chrome operating system.
- Kaspersky Endpoint Security for Android does not work on devices running Android (Go edition) operating systems.
- When using the Kaspersky Endpoint Security for Android app with third-party EMM systems (for example, VMware AirWatch), only the Anti-Malware and Web Protection components are available. The administrator can configure the settings of Anti-Malware and Web Protection in the EMM system console. In this case, notifications about app operation are available only in the interface of the Kaspersky Endpoint Security for Android app (Reports).
Known issues when upgrading the app version
- You can upgrade Kaspersky Endpoint Security for Android only to a more recent version of the app. Kaspersky Endpoint Security for Android cannot be downgraded to an older version.
Known issues in Anti-Malware operation
- Due to technical limitations, Kaspersky Endpoint Security for Android cannot scan files with a size of 2 GB or more. During a scan, the app skips such files without notifying you that such files were skipped.
- For additional analysis of a device for new threats whose information has not yet been added to anti-malware databases, you must enable the use of Kaspersky Security Network. Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to Kaspersky online knowledge base with information about the reputation of files, web resources, and software. To use KSN, the mobile device must be connected to the internet.
- In some cases, updating anti-malware databases from the Administration Server on a mobile device may fail. In this case, run the anti-malware database update task on the Administration Server.
- On some devices, Kaspersky Endpoint Security for Android does not detect devices connected over USB OTG. It is not possible to run a malware scan on such devices.
- On devices running Android 11 or later, the Kaspersky Endpoint Security for Android app can't scan the "Android/data" and "Android/obb" folders and detect malware in them due to technical limitations.
- On devices running Android 11 or later, the user must grant the "Allow access to manage all files" permission.
- On devices running Android 7.0 or later, the configuration window for the malware scan run schedule might be incorrectly displayed (management elements are not shown). This issue is caused by a well-known defect in Android 7.
- On devices running Android 7.0, real-time protection in the extended mode does not detect threats in files that are stored on an external SD card.
- On devices running Android 6, Kaspersky Endpoint Security for Android does not detect the downloading of a malicious file to the device memory. A malicious file may be detected by Anti-Malware when the file is run, or during a malware scan of the device. This issue is caused by a well-known defect in Android 6. To ensure device security, it is recommended to configure scheduled malware scans.
Known issues in Web Protection operation
- Web Protection on Android devices is supported only by Google Chrome, HUAWEI Browser, Samsung Internet Browser, and Yandex Browser.
- The Custom Tabs feature is supported by Google Chrome, HUAWEI Browser, and Samsung Internet Browser.
- Web Protection for HUAWEI Browser, Samsung Internet Browser, and Yandex Browser does not block sites on a mobile device if the work profile is used and Web Protection is enabled only for the work profile.
- For Web Protection to work, you must enable the use of Kaspersky Security Network. Web Protection blocks websites based on the KSN data on the reputation and category of websites.
- Forbidden websites may remain unblocked by Web Protection on devices running Android 6.0 with Google Chrome version 51 (or any earlier version) installed if the website is opened in the following ways (this issue is caused by a well-known defect in Google Chrome):
  - From search results.
  - From the bookmarks list.
  - From search history.
  - Using the web address autocomplete function.
  - Opening the website in a new tab in Google Chrome.
- Forbidden websites may remain unblocked in Google Chrome version 50 (or any earlier version) if the website is opened from Google search results while the Merge Tabs and Apps feature is enabled in the browser settings. This issue is caused by a well-known defect in Google Chrome.
- Websites from blocked categories may remain unblocked in Google Chrome if the user opens them from third-party apps, for example, from an IM client app. This issue is related to how the Accessibility service works with the Chrome Custom Tabs feature.
- Forbidden websites may remain unblocked in Samsung Internet Browser if the user opens them in background mode from the context menu or from third-party apps, for example, from an IM client app.
- Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of Web Protection.
- On some Xiaomi devices, the "Display pop-up window" and "Display pop-up windows while running in the background" permissions should be granted for Web Protection to work.
- Allowed websites may be blocked in Samsung Internet Browser in the Only listed websites are allowed Web Protection mode when the page is refreshed. Websites are blocked if a regular expression contains advanced settings (for example, ^https?://example.com/pictures/). It is recommended to use regular expressions without additional settings (for example, ^https?://example.com).
- If Web Protection is set to All websites are blocked, Kaspersky Endpoint Security for Android does not block search in the Google Search widget. Instead, it blocks user access to the search results.
- In a work profile, if Web Protection is set to All websites are blocked, Kaspersky Endpoint Security for Android endlessly reloads the Google Chrome home page, blocks the browser, and interferes with the device.
Known issues in Anti-Theft operation
- For timely delivery of commands to Android devices, the app uses the Firebase Cloud Messaging (FCM) service. If FCM is not configured, commands will be delivered to the device only during synchronization with Kaspersky Security Center according to the schedule defined in the policy, for example, every 24 hours.
- To lock a device, Kaspersky Endpoint Security for Android must be set as the device administrator.
- To lock devices running Android 7.0 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature.
- On some devices, Anti-Theft commands may fail to execute if Battery Saver mode is enabled on the device. This defect has been confirmed on Alcatel 5080X.
- To locate devices running Android 10.0 or later, the user must grant the "All the time" permission to device location.
Known issues in App Control operation
- Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of App Control. This does not apply to device owner mode.
- For App Control (app categories) to work, you must enable the use of Kaspersky Security Network. App Control determines the category of an app based on data that is available in KSN. To use KSN, the mobile device must be connected to the internet. For App Control, you can add individual apps to the lists of blocked and allowed apps. In this case, KSN is not required.
- When configuring App Control, it is recommended to clear the Block system apps check box. Blocking system apps may lead to problems in device operation.
- On iOS MDM devices, if you specify allowed apps in the list of apps allowed to be installed, all apps except system apps and those added to the list of allowed apps will be hidden on the device screen.
- On some HUAWEI and Honor personal devices, apps from allowed categories may be blocked and apps from forbidden categories may remain unblocked. This is because the category for some apps from App Gallery cannot be correctly defined.
- On some Samsung and Oppo devices, app icons may remain hidden on the home screen after clearing the Block system apps check box. This is due to limitations of the Android operating system.
Known issues when configuring device unlock password strength
- On devices running Android 10.0 or later, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high.
  If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN), with no repeating or ordered (e.g. 1234) sequences; or alphanumeric. The PIN or password must be at least 4 characters long.
  If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN), with no repeating or ordered sequences; or alphanumeric (password). The PIN must be at least 8 digits long; the password must be at least 6 characters long.
- On devices running Android 7.1.1, if the unlock password does not meet the corporate security requirements (Compliance Control), the Settings system app may function improperly when an attempt is made to change the unlock password through Kaspersky Endpoint Security for Android. The issue is caused by a well-known defect in Android 7.1.1. In this case, to change the unlock password, use the Settings system app only.
- On some devices running Android 6.0 or later, an error may occur when screen unlock password is entered, if device data is encrypted. This issue is related to specific features of the Accessibility service with MIUI firmware.
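The Android 10.0 resolution rules in the first item of this list, worked through as an added example (not Kaspersky's or Android's code): it maps a policy's required length to the medium or high system value and checks a candidate PIN or password against the limits quoted there. The function names and the run-length definition of a "sequence" (MAX_RUN) are assumptions of this example.

```python
from dataclasses import dataclass

# Assumption of this example (not stated on the page): a PIN contains a
# "repeating or ordered sequence" when more than MAX_RUN neighbouring digits
# differ by one constant step (0 -> 4444, +1 -> 1234, -1 -> 4321).
MAX_RUN = 3


@dataclass(frozen=True)
class Level:
    name: str
    min_pin: int        # minimum PIN length, as quoted on the page
    min_password: int   # minimum alphanumeric password length, as quoted


MEDIUM = Level("medium", min_pin=4, min_password=4)
HIGH = Level("high", min_pin=8, min_password=6)


def resolve_level(policy_min_length: int) -> Level:
    """Map the policy's required length to the system value (Android 10+)."""
    if policy_min_length < 1:
        raise ValueError("policy length must be at least 1")
    return MEDIUM if policy_min_length <= 4 else HIGH


def longest_run(pin: str) -> int:
    """Length of the longest run of digits with a constant step between neighbours."""
    if len(pin) < 2:
        return len(pin)
    step = int(pin[1]) - int(pin[0])
    best = run = 2
    for prev, cur in zip(pin[1:], pin[2:]):
        diff = int(cur) - int(prev)
        if diff == step:
            run += 1
        else:
            step, run = diff, 2
        best = max(best, run)
    return best


def check_secret(secret: str, policy_min_length: int) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate unlock secret."""
    level = resolve_level(policy_min_length)
    if secret.isascii() and secret.isdigit():
        if len(secret) < level.min_pin:
            return False, f"{level.name}: PIN shorter than {level.min_pin} digits"
        if longest_run(secret) > MAX_RUN:
            return False, f"{level.name}: PIN has a repeating or ordered sequence"
        return True, f"{level.name}: PIN accepted"
    # Anything that is not all digits is treated as the alphanumeric case.
    if len(secret) < level.min_password:
        return False, f"{level.name}: password shorter than {level.min_password} characters"
    return True, f"{level.name}: password accepted"


if __name__ == "__main__":
    # Constructed sample input: (candidate secret, policy's required length).
    for secret, policy_len in [("1234", 4), ("2580", 4), ("2580", 5),
                               ("25802580", 5), ("ab12c", 5), ("ab12cd", 5)]:
        print(secret, policy_len, check_secret(secret, policy_len))
```

A required length of 5 in the policy therefore means an 8-digit PIN on the device, while a required length of 1 to 3 still means at least 4 characters.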
Known issues with App removal protection
- Kaspersky Endpoint Security for Android must be set as the device administrator.
- To protect the app from removal on devices running Android 7.0 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature.
- On some Xiaomi and HUAWEI devices, Kaspersky Endpoint Security for Android removal protection does not work. This issue is caused by the specific features of MIUI 7 and 8 firmware on Xiaomi and EMUI firmware on HUAWEI.
Known issues when configuring device restrictions
- On devices running Android 10 or later, prohibiting the use of Wi-Fi networks is not supported.
- On devices running Android 11 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. If this is the case, you will not be able to restrict use of the camera.
Known issues when sending commands to mobile devices
- On devices running Android 12 or later, if the user granted the "Use approximate location" permission, the Kaspersky Endpoint Security for Android app first tries to get the precise device location. If this is not successful, the approximate device location is returned only if it was received not more than 30 minutes earlier. Otherwise, the Locate device command fails.
- The Locate device command does not work on Android devices if Google Location Accuracy is disabled in settings. Please be aware that not all Android devices come with this location setting.
- If you send the Enable Lost Mode command to a supervised iOS MDM device without a SIM card and this device is restarted, the device won't be able to connect to Wi-Fi and receive the Disable Lost Mode command. This is a specific feature of iOS devices. To avoid this issue, you can either send the command only to devices with a SIM card, or insert a SIM card into the locked device to allow it to receive the Disable Lost Mode command over the mobile network.
Known issues with specific devices
- On certain devices (for example, HUAWEI, Meizu, and Xiaomi), you must grant Kaspersky Endpoint Security for Android an autostart permission or manually add it to the list of apps that are started when the operating system starts. If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted. In addition, if the device has been locked, you cannot use a command to unlock the device. You can unlock the device only by using a one-time unlock code.
- On certain devices (for example, Meizu and Asus) running Android 6.0 or later, after encrypting data and restarting the Android device, you must enter a numeric password to unlock the device. If the user uses a graphic password to unlock the device, you must convert the graphic password to a numeric password. For more details about converting a graphic password into a numeric password, please refer to the Technical Support website of the mobile device manufacturer. This issue is related to the operation of the Accessibility Features service.
- On some HUAWEI devices running Android 5.X, after Kaspersky Endpoint Security for Android is set as an Accessibility feature, an incorrect message about the lack of appropriate rights may be displayed. To hide this message, enable the app as a protected app in the device settings.
- On some HUAWEI devices running Android 5.X or 6.X, when Battery Saver mode is enabled for Kaspersky Endpoint Security for Android, the user can manually terminate the app. The user device becomes unprotected after that. This issue is due to some features of HUAWEI software. To restore the device protection, run Kaspersky Endpoint Security for Android manually. It is recommended to disable Battery Saver mode for Kaspersky Endpoint Security for Android in the device settings.
- On HUAWEI devices with EMUI firmware running Android 7.0, the user can hide the notification regarding the protection status of Kaspersky Endpoint Security for Android. This issue is due to some features of HUAWEI software.
- On some Xiaomi devices, when setting the password length to more than 5 characters in a policy, the user will be prompted to change the screen unlock password instead of the PIN code. You cannot set a PIN code that has more than 5 characters. This issue is due to some features of Xiaomi software.
- On Xiaomi devices with MIUI firmware running Android 6.0, the Kaspersky Endpoint Security for Android icon may be hidden in the status bar. This issue is due to some features of Xiaomi software. It is recommended to allow the display of notification icons in Notifications settings.
- On some Nexus devices running Android 6.0.1, the privileges required for proper operation cannot be granted through the Quick Start Wizard of Kaspersky Endpoint Security for Android. This issue is caused by a well-known defect in Security Patch for Android by Google. To ensure proper operation, the required privileges must be manually granted in the device settings.
- On certain Samsung devices running Android 7.0 or later, when the user attempts to configure unsupported methods for unlocking the device (for example, a graphical password), the device may be locked if the following conditions are met: Kaspersky Endpoint Security for Android removal protection is enabled and screen unlock password strength requirements are set. To unlock the device, you must send a special command to the device.
- On certain Samsung devices, it is impossible to block the use of fingerprints for unlocking the screen.
- Web Protection cannot be enabled on some Samsung devices, if the device is connected to a 3G/4G network, has Battery Saver mode enabled and restricts background data. It is recommended to disable the function that restricts background processes in Battery Saver settings.
- On certain Samsung devices, if the unlock password does not comply with corporate security requirements, Kaspersky Endpoint Security for Android does not block the use of fingerprints for unlocking the screen.
- On some Honor and HUAWEI devices, you cannot restrict the use of Bluetooth. When Kaspersky Endpoint Security for Android attempts to restrict the use of Bluetooth, the operating system shows a notification containing the options to reject or allow this restriction. The user can reject this restriction and continue to use Bluetooth.
- On Blackview devices, the user can clear the memory for the Kaspersky Endpoint Security for Android app. As a result, the device protection and management are disabled, all defined settings become ineffective, and the Kaspersky Endpoint Security for Android app is removed from the Accessibility features. This is because this vendor's devices provide the customized Recent screens app with elevated privileges. This app can override Kaspersky Endpoint Security for Android settings and cannot be replaced because it is part of the Android operating system.
- On some Google Pixel devices running Android 11 or earlier, the Kaspersky Endpoint Security for Android app crashes immediately after the start. This is caused by an issue in Android.
- On Samsung Galaxy S23 and S24 series devices, Real-Time Protection may not work.
Known issues in app operation on Android 13
- On Android 13, the user can use the Foreground Services Task Manager to stop Kaspersky Endpoint Security from running in the background. This is caused by a well-known issue in Android 13.
- On Android 13, the permission to send notifications is requested when the initial app configuration begins. This is due to specifics of the Android 13 operating system.
Deploying a mobile device management solution in Kaspersky Security Center Web Console or Cloud Console
To manage mobile devices by using Kaspersky Security Center Web Console or Cloud Console, you must deploy a mobile device management solution.
Deployment scenarios
Deployment in Kaspersky Security Center Web Console
Deployment of a mobile device management solution in Kaspersky Security Center Web Console consists of the following steps:
- Preparing Kaspersky Security Center Web Console for deployment
- Deploying administration plug-ins
- Deploying the mobile app
- (Optional, for Android only) Configuring the information exchange with Firebase Cloud Messaging
It is recommended to perform this step to ensure timely delivery of commands to mobile devices and forced synchronization when policy settings are changed.
Deployment in Kaspersky Security Center Cloud Console
Deployment of a mobile device management solution in Kaspersky Security Center Cloud Console consists of the following steps:
- Preparing Kaspersky Security Center Cloud Console for deployment
- Deploying the mobile app
- (Optional, for Android only) Configuring the information exchange with Firebase Cloud Messaging
It is recommended to perform this step to ensure timely delivery of commands to mobile devices and forced synchronization when policy settings are changed.
Preparing Kaspersky Security Center Web Console and Cloud Console for deployment
This section provides instructions on preparing Kaspersky Security Center Web Console and Cloud Console for deployment.
Configuring Administration Server for connection of mobile devices
To connect mobile devices to the Administration Server, you must define the connection settings before installing the app on devices.
- If you are using Kaspersky Security Center Web Console, configure its properties as described below.
- If you are using Kaspersky Security Center Cloud Console, the connection settings are defined during the initial configuration of Kaspersky Security Center Cloud Console. For more information, please refer to Kaspersky Security Center Cloud Console Help.
To define Kaspersky Security Center Web Console properties for a mobile device connection:
- In the main window of Kaspersky Security Center Web Console, click Settings.
The Administration Server properties window opens.
- Configure the Administration Server ports that will be used by mobile devices:
- Select the Additional ports section.
- Enable the Open port for mobile devices toggle button.
- In the Port for mobile device synchronization field, specify the port through which mobile devices will connect to the Administration Server.
Port 13292 is used by default.
If the Open port for mobile devices toggle button is off or an incorrect connection port is specified, mobile devices will not be able to connect to the Administration Server.
- In the Port for mobile device activation field, specify the port to be used by mobile devices to connect to the Administration Server for activation of the mobile app.
Port 17100 is used by default.
If you specify an incorrect connection port, the users of mobile devices will not be able to activate the mobile app by using the Administration Server.
- If necessary, edit the certificate that will be used by mobile devices to connect to the Administration Server.
By default, Administration Server uses the certificate that was created during Administration Server installation. If you want, replace the certificate issued through the Administration Server with another certificate or reissue the certificate issued through the Administration Server.
To edit the certificate:
- Select the Certificates section.
- Define the required settings.
For detailed information about the certificates, please refer to Kaspersky Security Center Help.
- Click the Save button to save the changes you have made to the settings and exit the Administration Server properties window.
After you configure the mobile device connection settings, you can install the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app on mobile devices and connect them to the Administration Server by using the specified settings.
Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server
This topic describes how to configure a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server. The configuration proceeds in the following steps:
- Install Network Agent in the connection gateway role on a host
- Configure the connection gateway on Kaspersky Security Center Administration Server
This article contains an overview of the scenario. For detailed instructions, please refer to the Kaspersky Security Center documentation.
Requirements
For a connection gateway to work correctly with mobile devices, the following requirements must be met:
- Port 13292 must be open on the host with the connection gateway.
- Port 13000 must be open between the connection gateway and Kaspersky Security Center. It does not need to be open outside the DMZ.
- The host must have a static address accessible from the internet.
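The port requirements above, together with the Administration Server ports configured earlier (13292 for synchronization, 17100 for activation), can be verified from each network vantage point with a short script. This is an added example, not Kaspersky code: the vantage names are hypothetical, and treating "does not need to be open outside the DMZ" as "should be closed from the internet" is this example's hardening assumption.

```python
import socket
import sys
from dataclasses import dataclass

# Default ports named on this page; adjust if you changed them in the console.
SYNC_PORT = 13292        # port for mobile device synchronization
ACTIVATION_PORT = 17100  # port for mobile device activation
AGENT_PORT = 13000       # connection gateway <-> Administration Server

# Expected state per vantage point (vantage names are this example's own).
# True = must accept connections, False = should not be reachable.
# Assumption: port 13000 "does not need to be open outside the DMZ" is read
# here as "should be closed when probed from the internet" (least exposure).
EXPECTED = {
    "internet_to_gateway": {SYNC_PORT: True, AGENT_PORT: False},
    "admin_server_to_gateway": {AGENT_PORT: True},
    "devices_to_admin_server": {SYNC_PORT: True, ACTIVATION_PORT: True},
}


def probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass(frozen=True)
class Finding:
    vantage: str
    port: int
    expected_open: bool
    observed_open: bool

    @property
    def ok(self):
        return self.expected_open == self.observed_open

    def describe(self):
        if self.ok:
            state = "open" if self.observed_open else "closed"
            return f"OK   {self.vantage}: port {self.port} is {state}"
        if self.observed_open:
            return (f"FAIL {self.vantage}: port {self.port} is exposed "
                    "but should be closed")
        return (f"FAIL {self.vantage}: port {self.port} is unreachable "
                "but must be open")


def audit(vantage, host, expected=EXPECTED, prober=probe):
    """Probe every port expected for this vantage point and record the result."""
    if vantage not in expected:
        raise ValueError(f"unknown vantage {vantage!r}; use one of {sorted(expected)}")
    return [
        Finding(vantage, port, must_be_open, prober(host, port))
        for port, must_be_open in sorted(expected[vantage].items())
    ]


def violations(findings):
    """Return only the findings where observed state differs from expected."""
    return [f for f in findings if not f.ok]


if __name__ == "__main__":
    # Run this on a machine located at the vantage point you name.
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <vantage> <host>\n"
                 f"vantages: {', '.join(sorted(EXPECTED))}")
    results = audit(sys.argv[1], sys.argv[2])
    for finding in results:
        print(finding.describe())
    sys.exit(1 if violations(results) else 0)
```

Run it once from each vantage point you name; a TCP connect only confirms reachability and does not validate the certificate presented on the port.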
Install Network Agent in the connection gateway role on a host
First, you need to install Network Agent on the selected host device that will act in the connection gateway role. You can download a full installation package of Kaspersky Security Center or use a local installation of Kaspersky Security Center.
By default, the installation file is located at: \\<server name>\KLSHARE\PkgInst\NetAgent_<version number>
To install Network Agent in the connection gateway role:
- Start the Network Agent Setup Wizard and follow its instructions leaving default values for all of the options until the Select Administration Server window opens.
- In the Select Administration Server window, configure the following settings:
- Enter the address of the device with Administration Server installed.
- In the Port, SSL port, and UDP port fields, leave the default values.
- Select the Use SSL to connect to Administration Server check box to establish a connection to the Administration Server through a secure port via SSL.
We recommend that you do not clear this check box so your connection remains secured.
- Select the Allow Network Agent to open UDP port check box to manage client devices and receive information about them.
- Click Next and proceed through the Wizard with default settings up to the Connection gateway window.
- In the Connection gateway window, select Use Network Agent as a connection gateway in DMZ.
This mode simultaneously activates the connection gateway role and tells Network Agent to wait for connections from Administration Server, rather than establish connections to Administration Server.
- Click Next and start the installation.
Network Agent is now installed and configured in the connection gateway role.
Configure the connection gateway on Kaspersky Security Center Administration Server
Once you have installed Network Agent in the connection gateway role, you need to connect it to Administration Server. Administration Server does not yet list the device with the connection gateway among the managed devices because the connection gateway has not tried to connect to Administration Server. Therefore, you need to add the connection gateway as a distribution point to ensure that Administration Server initiates a connection to the connection gateway.
To configure the connection gateway on Administration Server:
- Add the connection gateway as a distribution point in Kaspersky Security Center.
- In the console tree, select the Administration Server node.
- In the context menu of Administration Server, select Properties.
- In the Administration Server properties window, select the Distribution points section.
- Click the Add button.
The Add distribution point window opens.
- In the Add distribution point window, perform the following actions:
- Specify the IP address of the device with Network Agent installed in the Device to act as distribution point field. To do this, select Add connection gateway in DMZ by address in the drop-down list.
Enter the IP address of the connection gateway or enter the name if the connection gateway is accessible by name.
- In the Distribution point scope field, select the group to which the connection gateway will be distributed from the drop-down list, and then click OK.
- In the Distribution points section, click OK to save the changes you have made.
The connection gateway will be saved as a new entry named Temporary entry for connection gateway.
Administration Server almost immediately attempts to connect to the connection gateway at the address that you specified. If it succeeds, the entry name changes to the name of the connection gateway device. This process takes up to five minutes.
While the temporary entry for the connection gateway is being converted to a named entry, the connection gateway also appears in the Unassigned devices group.
- Create a new group under the Managed devices group. This new group will contain external managed devices.
- Move the connection gateway from the Unassigned devices group to the group that you have created for external devices.
- Configure properties of the connection gateway that you have deployed:
- In the Distribution points section of the Administration Server properties, select the connection gateway and click Properties.
- In the General section, under DNS domain names of the distribution point for access by mobile devices (included in the certificate), specify your connection gateway DNS name that will be used to connect to the mobile device.
- In the Connection Gateway section, select the following check boxes and leave the default port numbers:
- Open port for mobile devices (SSL authentication of the Administration Server only)
- Open port for mobile devices (two-way SSL authentication)
- Click OK to save the changes you have made.
The connection gateway is now configured. You can now add new mobile devices by specifying the connection gateway address. New devices will appear on Administration Server.
Creating an administration group
Group policies are used to perform centralized configuration of the Kaspersky Endpoint Security for Android and Kaspersky Security for iOS apps installed on the users' mobile devices.
To apply a policy to a group of devices, you are advised to create a separate group for these devices in Managed devices prior to installing mobile apps on user devices.
After creating an administration group, it is recommended to configure the option to automatically allocate devices on which you want to install the apps to this group. Then configure settings that are common to all devices by using a group policy.
To create an administration group:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Hierarchy of groups.
- In the administration group structure, select the administration group that is to include the new administration group.
- Click the Add button.
- In the Name of the new administration group window that opens, enter a name for the group, and then click the Add button.
A new administration group with the specified name appears in the hierarchy of administration groups.
Creating a rule for automatically allocating a device to administration groups
When the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app is installed on mobile devices, they are displayed on the Discovery & deployment > Unassigned devices page of Kaspersky Security Center Web Console or Cloud Console. In order to manage newly connected devices, you can move them to an administration group manually or create a rule for allocating them automatically to administration groups.
To create a rule for automatic allocation of mobile devices to administration groups:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Discovery & deployment > Deployment & assignment > Moving rules.
- In the New rule window that opens, click the Add button.
- In the Rule name field, specify the rule name.
- In the Administration group field, select the administration group to which mobile devices will be allocated after the app has been installed on them.
- In the Apply rule section, select Run once for each device.
- Select the Move only devices not added to an administration group check box to prevent the moving of the mobile devices that are allocated to other administration groups when applying the rule.
- Select the Enable rule check box to apply the rule immediately after creating it.
You can enable the rule at any time later by using the toggle button on the Moving rules page.
- Select Rule conditions > Applications and do the following:
- Enable the Operating system version toggle button.
- In the list of operating systems that opens, select Android or iOS.
The rule will be applied to the corresponding devices. You must specify at least one condition to create a rule.
- Click Save to create the rule.
The newly created rule is displayed on the Moving rules page. According to the rule, Kaspersky Security Center will allocate all newly connected devices to the selected administration group.
For detailed information on administration groups management and actions with unassigned devices:
- If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
- If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.
Deploying administration plug-ins
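To manage mobile devices in Kaspersky Security Center Web Console, the following administration plug-ins must be installed:
- Kaspersky Security for Mobile (Devices) plug-in
- Kaspersky Security for Mobile (Policies) plug-in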
If you are using Kaspersky Security Center Cloud Console, you do not need to install the administration plug-ins. You only need to create an account in Kaspersky Security Center Cloud Console. For more information about creating an account, please refer to Kaspersky Security Center Cloud Console Help.
You can use the following methods to install administration plug-ins:
- By using the Quick Start Wizard of Kaspersky Security Center Web Console.
Kaspersky Security Center Web Console automatically prompts you to run the Quick Start Wizard after Administration Server installation, at the first connection to it. You can also start the Quick Start Wizard manually at any time.
For more information on the Quick Start Wizard for Kaspersky Security Center, please refer to Kaspersky Security Center Help.
- By using the list of available distribution packages in Kaspersky Security Center Web Console.
The list of available distribution packages is updated automatically after new versions of Kaspersky applications are released.
- Download the distribution packages from an external source and add administration plug-ins to Kaspersky Security Center Web Console.
For example, the distribution packages of administration plug-ins can be downloaded on the Kaspersky website.
Installing administration plug-ins from the list of available distribution packages
To install the administration plug-ins:
- In the main window of Kaspersky Security Center Web Console, select Console settings > Web plug-ins.
- Click the Add button.
This opens the list of up-to-date versions of Kaspersky applications.
- Install the administration plug-ins:
- In the list of available applications, click the Mobile devices section to expand it.
- Select Kaspersky Security for Mobile (Devices), and then click Install plug-in.
- Select Kaspersky Security for Mobile (Policies), and then click Install plug-in.
The distribution packages are downloaded and the plug-ins are installed. When each plug-in is installed and added to Kaspersky Security Center Web Console, a confirmation window is displayed.
Installing administration plug-ins from the distribution package
You can download the distribution package on the Kaspersky website.
To install the Kaspersky Security for Mobile (Devices) plug-in from the distribution package:
- Copy the plugin.zip and signature.txt files from the on_prem_ksm_devices_xx.x.x.x.zip archive of the distribution package to the administrator's workstation.
- In the main window of Kaspersky Security Center Web Console, select Console settings > Web plug-ins.
- Click Add from file.
- In the Add from file window that opens, click Upload ZIP file, and then browse for plugin.zip.
- Click Upload signature, and then browse for signature.txt.
- Click the Add button.
The Kaspersky Security for Mobile (Devices) plug-in is installed and added to Kaspersky Security Center Web Console.
To install the Kaspersky Security for Mobile (Policies) plug-in from the distribution package:
- Copy the plugin.zip and signature.txt files from the on_prem_ksm_policies_xx.x.x.x.zip archive of the distribution package to the administrator's workstation.
- In the main window of Kaspersky Security Center Web Console, select Console settings > Web plug-ins.
- Click Add from file.
- In the Add from file window that opens, click Upload ZIP file, and then browse for plugin.zip.
- Click Upload signature, and then browse for signature.txt.
- Click the Add button.
The Kaspersky Security for Mobile (Policies) plug-in is installed and added to Kaspersky Security Center Web Console.
You can make sure that the administration plug-ins have been installed by viewing the list of installed plug-ins on the Console settings > Web plug-ins page.
Deploying the mobile app
To manage mobile devices in Kaspersky Security Center Web Console or Cloud Console, you must deploy the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app on mobile devices. You can deploy apps on mobile devices by using Kaspersky Security Center Web Console or Cloud Console.
Deploying the mobile app by using Kaspersky Security Center Web Console or Cloud Console
The mobile app is deployed on the mobile devices of users whose user accounts have been added to Kaspersky Security Center. For more information about user accounts in Kaspersky Security Center:
- If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
- If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.
You can use the Kaspersky Security for Mobile (Devices) plug-in to install the app from Kaspersky Security Center Web Console and Cloud Console by sending an installation link to a mobile device.
- On an Android device, the user receives a Google Play link to download the Kaspersky Endpoint Security for Android app. The app can be installed by following the standard installation procedure on the Android platform. After the installation of the app, the user must provide the required permissions.
Some HUAWEI and Honor devices do not have Google services and therefore no access to apps in Google Play. If some users of HUAWEI and Honor devices cannot install the app from Google Play, they should be instructed to install the app from HUAWEI App Gallery.
- On an iOS device, the user receives an App Store link to download the Kaspersky Security for iOS app. The app can be installed by following the standard installation procedure on the iOS platform.
Before connecting an iOS device, send the address of Kaspersky Security Center to the device user to improve connection security. The user will see this address during app installation and can cancel the connection if the displayed address doesn't match the address you sent.
The link contains the following data:
- Kaspersky Security Center synchronization settings
- Mobile certificate
To deploy the app on a mobile device:
- Start the Mobile Device Connection Wizard:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices, and then click Add.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Users & roles > Users. Click the name of the user or the user group to whom you want to send the link for connecting a mobile device, and then select Devices. Click Add mobile device. In this case, skip step 3.
Proceed through the Wizard by using the Next button.
- Select the operating system of the devices that you want to add:
- Android
- iOS and iPadOS
- Select users and user groups to whom you want to send the link for connecting a mobile device.
- Select the email addresses to which the link will be sent:
- All email addresses
- Main email address
- Alternative email address
- Another email address
If you select this option, specify the email address below.
- The link summary is displayed.
Make sure that all parameters of the link are correct, and then click Send.
- A window opens with a confirmation that the link for adding a mobile device has been sent.
Click OK to finish the Wizard.
When the user installs the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app, the user's device will be displayed on the Devices > Mobile > Devices tab of Web Console or Cloud Console. After installing the app on users' mobile devices, you will be able to configure the settings for devices and apps by using group policies. You will also be able to send commands to mobile devices (for Android only) for data protection in case devices are lost or stolen.
Activating the mobile app
In Kaspersky Security Center, the license can cover various groups of features. To ensure that the Kaspersky Endpoint Security for Android app and the Kaspersky Security for iOS app are fully functional, the Kaspersky Security Center license purchased by the organization must provide for the Mobile Device Management functionality. The Mobile Device Management functionality is intended for connecting mobile devices to Kaspersky Security Center and managing them.
For detailed information about licensing Kaspersky Security Center and licensing options:
- If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
- If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.
Activating the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app on a mobile device is done by providing valid license information to the app. License information is delivered to the mobile device, together with the policy, when the device is synchronized with Kaspersky Security Center.
If the activation of the mobile app is not completed within 30 days from the time of installation on the mobile device, the app is automatically switched to the limited functionality mode. In this mode, most of the app components are not operational. When switched to the limited functionality mode, the app stops performing automatic synchronization with Kaspersky Security Center. Therefore, if the activation of the app has not been completed within 30 days after the installation, the user must synchronize the device with Kaspersky Security Center manually.
If Kaspersky Security Center is not deployed in your organization or is not accessible to mobile devices, users can activate the mobile app on their devices manually.
To activate the mobile app:
- Open the policy properties window:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties page, select Application settings > Licenses.
- Use the drop-down list to select the required license key from the key storage of the Administration Server.
The details of the license key are displayed in the fields below.
If a key file is selected from the Kaspersky Security Center key storage and sent to the device, Kaspersky Security for iOS will not be able to process it, because Kaspersky Security for iOS does not support this activation method. To activate Kaspersky Security for iOS, you must add the license to Kaspersky Security Center as an activation code.
You can replace the existing activation key on the mobile device if it is different from the one selected in the drop-down list above. To do so, select the If the key on device is different, replace with this key check box.
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
Providing the required permissions for the Kaspersky Endpoint Security for Android app
Certain features of the Kaspersky Endpoint Security for Android app require permissions. Kaspersky Endpoint Security for Android asks for mandatory permissions during installation, as well as after installation and prior to using individual features of the app. It is impossible to install Kaspersky Endpoint Security for Android without providing the mandatory permissions.
On certain devices (for example, HUAWEI, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts, in the device settings. If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted.
On devices running Android 11 or later or Android 6-10 with Google Play services, you must disable the Remove permissions if app isn't used system setting. Otherwise, after the app is not used for a few months, the system automatically resets the permissions that the user granted to the app.
Permissions requested by the Kaspersky Endpoint Security for Android app
Permission | App function |
---|---|
Phone (for Android 5.0–9.X) | Connect to Kaspersky Security Center (device ID) |
Storage (mandatory) | Anti-Malware |
Access to manage all files (for Android 11 or later) | Anti-Malware |
Nearby Bluetooth devices (for Android 12 or later) | Restrict use of Bluetooth |
Notifications (for Android 13) | Notify the user about security issues and app events |
Allow running in the background (for Android 12 or later) | Ensure continuous operation of the app. If permission is not granted, the app may be unloaded from memory and unable to restart. |
Device administrator (mandatory) | Anti-Theft—lock the device (only for Android 5.0–6.X); Anti-Theft—take a mugshot with frontal camera (although taking mugshots is not supported in Kaspersky Security Center Web Console and Cloud Console, the Kaspersky Endpoint Security for Android app requires this permission so that it can be managed by all Kaspersky Security Center consoles); Anti-Theft—sound an alarm; Anti-Theft—full reset; Password protection; App removal protection; Install security certificate; App Control; Restrict use of the camera, Bluetooth, and Wi-Fi |
Camera | Anti-Theft—take a mugshot with frontal camera. Although taking mugshots is not supported in Kaspersky Security Center Web Console and Cloud Console, the Kaspersky Endpoint Security for Android app requires this permission so that it can be managed by all Kaspersky Security Center consoles. On devices running Android 11.0 or later, the user must grant the "While using the app" permission when prompted. |
Location | Anti-Theft—locate device. On devices running Android 10.0 or later, the user must grant the "All the time" permission when prompted. |
Accessibility | Anti-Theft—lock the device (only for Android 7.0 or later); Web Protection; App Control; App removal protection (only for Android 7.0 or later); Display of warnings of Kaspersky Endpoint Security for Android (only for Android 10.0 or later); Restrict use of the camera (only for Android 11 or later) |
Display pop-up window (for some Xiaomi devices) | Web Protection |
Display pop-up windows while running in the background (for some Xiaomi devices) | Web Protection |
Run in the background (for Xiaomi devices with MIUI firmware on Android 11 or earlier) | App Control; Web Protection; Anti-Theft |
Managing certificates
Mobile certificates are used for the purpose of identifying the users of mobile devices on the Administration Server.
Kaspersky Security Center Web Console and Cloud Console allow you to perform the following actions with user mobile certificates:
- View the certificates and their statuses.
- Create new certificates.
- Renew the expiring certificates.
- Delete certificates.
For more information on Kaspersky Security Center certificates:
- If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
- If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.
Viewing the list of certificates
Kaspersky Security Center Web Console and Cloud Console allow you to view the applied user mobile certificates, their statuses, and properties.
To view the list of applied user mobile certificates:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices.
- Select Manage certificates.
The Mobile certificates page opens with information about the applied user mobile certificates. You can view details of a certificate by clicking it in the User name column.
Defining certificate settings
You can use Kaspersky Security Center Web Console or Cloud Console to configure the lifetime, automatic updates, and password protection of mobile certificates.
To define mobile certificate settings:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices.
- Select Manage certificates.
- Select Certificate settings.
- In the Generate mobile certificates window that opens, you can configure the following:
- Certificate validity period (days)
Certificate lifetime period in days. The default lifetime of a certificate is 365 days. When this period expires, the mobile device will not be able to connect to the Administration Server.
- Reissue when certificate will expire in (days)
The number of days remaining until the current certificate's expiration during which Administration Server should issue a new certificate. For example, if the value of the field is 4, Administration Server issues a new certificate four days before the current certificate expires. The default value is 1.
- Reissue certificate automatically if possible
If possible, certificates will be reissued automatically. If this option is disabled, certificates must be reissued manually as they expire. By default, this option is disabled.
- Prompt for password during certificate installation
The user will be prompted for a password when the certificate is installed on a mobile device. The password is used only once—during installation of the certificate on the mobile device. The password will be automatically generated by the Administration Server and sent to the user by email. You can specify the password length in the Password length field.
- Click Save to apply the changes and close the window.
The specified settings will be used by Kaspersky Security Center for creating, updating, and protecting mobile certificates.
Creating a certificate
You can create mobile certificates in Kaspersky Security Center Web Console and Cloud Console for the purpose of identifying the users of mobile devices.
To create a mobile certificate:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices.
- Select Manage certificates.
- In the Mobile certificates window that opens, click Add to start Mobile Certificate Creation Wizard. Proceed through the Wizard by using the Next button.
- Select users or user groups whose mobile devices you want to manage with a new certificate.
- Specify the Publication parameters:
- If you want to notify the users about the new certificate, select the Notify user about the new certificate check box.
- If you want to allow using one certificate multiple times on the same device, select the Allow using one certificate multiple times on the same device (only for devices with Kaspersky Endpoint Security for Android installed) check box.
- Select the Authentication type:
- Select Credentials (domain login or user name) if you want users to access the certificate by using their credentials.
On devices, users will have to specify the login in one of the following formats:
userPrincipalName@DNSDomainName
sAMAccountName
sAMADomain\sAMAccountName
- Select One-time password if you want users to access the certificate by using a one-time password.
This option is available if you did not select the Allow using one certificate multiple times on the same device (only for devices with Kaspersky Endpoint Security for Android installed) check box in the previous step.
- Select Password if you want users to access the certificate by using a password.
This option is available if you selected the Allow using one certificate multiple times on the same device (only for devices with Kaspersky Endpoint Security for Android installed) check box in the previous step.
- Specify the method of certificate delivery in the Certificate delivery field:
- If you have selected One-time password in the previous step, select one of the following options:
- If you want to send the password by email, select Notify user by email.
Then select which email address to use or select Another email address to specify another email address.
- If you want to notify users about the password by other means, select Show the password after finishing the Wizard.
- If you have selected Credentials (domain login or user name) in the previous step, select which email address to use or select Another email address to specify another email address.
- The certificate summary is displayed.
Make sure that all parameters are correct, and then click Create.
As a result, Mobile Certificate Creation Wizard creates a certificate that users can install on their mobile devices. The certificate becomes available after the next synchronization of mobile devices with Kaspersky Security Center.
For more information about creating certificates and configuring rules for issuing them:
- If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
- If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.
Renewing a certificate
If any of the applied mobile certificates is about to expire, you can renew it by using Kaspersky Security Center Web Console or Cloud Console.
To renew a mobile certificate:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices.
- Select Manage certificates.
- Select the certificate that you want to renew, and then click Reissue.
The status of the certificate changes to The certificate has been reissued.
Deleting a certificate
You can delete mobile certificates by using Kaspersky Security Center Web Console or Cloud Console.
If you delete a mobile certificate, the device can no longer synchronize with the Administration Server and cannot be managed by means of Kaspersky Security Center. To start managing the mobile device again, you will need to reinstall the Kaspersky Endpoint Security for Android app on it.
To delete a mobile certificate:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices.
- Select Manage certificates.
- Select the certificate that you want to delete, and then click Delete.
The certificate is deleted and removed from the list of certificates.
Exchanging information with Firebase Cloud Messaging
Kaspersky Endpoint Security for Android uses the Firebase Cloud Messaging (FCM) service to ensure timely delivery of commands to mobile devices and forced synchronization when policy settings are changed.
To use the Firebase Cloud Messaging service, you must define the service settings in Kaspersky Security Center Web Console or Cloud Console.
To enable Firebase Cloud Messaging in Kaspersky Security Center Web Console or Cloud Console:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Android devices synchronization.
The Android devices synchronization window opens.
- In the Sender ID and Server key fields, specify the Firebase Cloud Messaging settings: SENDER_ID and API Key.
Firebase Cloud Messaging is enabled.
To obtain a Sender ID and the Server key:
- Register on the Google portal.
- Go to Google Cloud Platform.
- Create a new project.
Wait for the project to be created.
- Find the relevant SENDER_ID of the project.
- Enable Google Firebase Cloud Messaging for Android.
- Follow the onscreen instructions to create credentials.
- Retrieve the API Key from the properties of the newly created credentials.
For detailed information about operations in Google Cloud Platform, please refer to its documentation.
You now have a Sender ID and a Server key to configure the Firebase Cloud Messaging settings.
If the Firebase Cloud Messaging settings are not defined, commands on the mobile device and policy settings will be delivered when the device is synchronized with Kaspersky Security Center, according to the schedule set in the policy (for example, every 24 hours). In other words, commands and policy settings will be delivered with a delay.
For the purposes of supporting the main functionality of the product, you agree to automatically provide the Firebase Cloud Messaging service with the unique ID of the app installation (Instance ID), and the following data:
- Information about the installed software: app version, app ID, app build version, app package name.
- Information about the computer on which the software is installed: OS version, device ID, version of Google services.
- Information about FCM: app ID in FCM, FCM user ID, protocol version.
Data is transmitted to Firebase services over a secure connection. Access to and protection of information is regulated by the relevant terms of use of the Firebase services: Firebase Data Processing and Security Terms, Privacy and Security in Firebase.
To prevent the exchange of information with the Firebase Cloud Messaging service:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Android devices synchronization.
The Android devices synchronization window opens.
- Click Reset.
- In the window that opens, click the OK button to confirm resetting.
The Firebase Cloud Messaging settings are cleared.
Managing mobile devices in Kaspersky Security Center Web Console and Cloud Console
You can manage mobile devices in Kaspersky Security Center Web Console and Cloud Console by using group policies and by sending commands to mobile devices (for Android only).
To manage mobile devices in Kaspersky Security Center Web Console, you must install administration plug-ins.
Connecting mobile devices to Kaspersky Security Center
To manage a mobile device by using Kaspersky Security Center Web Console or Cloud Console, the device must be connected to Kaspersky Security Center. You can view the list of mobile devices connected to Kaspersky Security Center on the Devices > Mobile > Devices tab of Web Console or Cloud Console.
Before connecting an iOS device, send the address of Kaspersky Security Center to the device user to improve connection security. The user will see this address during app installation and can cancel the connection if the displayed address doesn't match the address you sent.
To connect a mobile device to Kaspersky Security Center:
- Start the Mobile Device Connection Wizard:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices, and then click Add.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Users & roles > Users. Click the name of the user or the user group to whom you want to send the link for connecting a mobile device, and then select Devices. Click Add mobile device. In this case, skip step 3.
Proceed through the Wizard by using the Next button.
- Select the operating system of the devices that you want to add:
- Android
- iOS and iPadOS
- Select users and user groups to whom you want to send the link for connecting a mobile device.
- Select the email addresses to which the link will be sent:
- All email addresses
- Main email address
- Alternative email address
- Another email address
If you select this option, specify the email address below.
- The link summary is displayed.
Make sure that all parameters of the link are correct, and then click Send.
- A window opens with a confirmation that the link for adding a mobile device has been sent.
Click OK to finish the Wizard.
When the user installs the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app, the user's device will be displayed on the Devices > Mobile > Devices tab of Web Console or Cloud Console.
Moving unassigned mobile devices to administration groups
When the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app is installed on mobile devices, they are displayed on the Discovery & deployment > Unassigned devices page of Kaspersky Security Center Web Console or Cloud Console. In order to manage newly connected devices, you can create a rule that automatically allocates them to administration groups, or move them to an administration group manually.
To move an unassigned mobile device to an administration group:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Discovery & deployment > Unassigned devices.
- Select the device that you want to move to an administration group, and then click Move to group.
- In the tree of administration groups that opens, select the target group to which you want to move the device.
You can create a new administration group by selecting an existing group, and then clicking Add child group.
- Click Move.
The device is moved to the specified administration group and the group policy is applied to it.
Sending commands to mobile devices
You can send commands to Android mobile devices to protect data on a mobile device that is lost or stolen, or to perform forced synchronization of a mobile device with Kaspersky Security Center.
You can't send commands to iOS devices.
The following commands are supported:
- Lock device
The mobile device is locked.
- Unlock device
The mobile device is unlocked.
After unlocking a device running Android 5.0 – 6, the screen unlock password is reset to "1234". After unlocking a device running Android 7.0 or later, the screen unlock password is not changed.
- Reset to factory settings
All data is deleted from the mobile device and the settings are rolled back to their default values.
- Wipe corporate data
The corporate data is wiped from the device. The list of wiped data depends on the mode in which the device operates:
- On a personal device, KNOX container and mail certificate are wiped.
- If the device operates in device owner mode, KNOX container and the certificates installed by Kaspersky Endpoint Security for Android (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
- Additionally, if Android work profile is created, the work profile (its content, configurations, and restrictions) and the certificates installed in the work profile (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
- Locate device
The device is located and shown on Google Maps. The mobile service provider may charge a fee for internet access.
On devices running Android 12 or later, if the user granted the "Use approximate location" permission, the Kaspersky Endpoint Security for Android app first tries to get the precise device location. If this is not successful, the approximate device location is returned only if it was received not more than 30 minutes earlier. Otherwise, the Locate device command fails.
- Sound alarm
The mobile device sounds an alarm. The alarm sounds for 5 minutes (or for 1 minute if the device battery is low).
- Synchronize device
The mobile device is synchronized with Kaspersky Security Center.
The Kaspersky Endpoint Security for Android app requires specific permissions for the execution of commands. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, it will be impossible to execute commands.
On devices running Android 10.0 or later, the user must grant the "All the time" permission to access the location. On devices running Android 11.0 or later, the user must also grant the "While using the app" permission to access the camera. Otherwise, anti-theft commands will not function. The user will be notified of this limitation and will again be prompted to grant the required level of permissions. If the user selects the "Only this time" option for the camera permission, access is considered granted by the app. It is recommended to contact the user directly if the camera permission is requested again.
To send a command to a mobile device:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices.
- Select the device to which you want to send the command, and then click either Control or Manage.
- Select the required command in the Available commands list, and then click OK.
- Click OK if you are prompted to confirm the operation.
The specified command is sent to the mobile device and the confirmation window is displayed.
Removing mobile devices from Kaspersky Security Center
If you do not need to manage a mobile device any longer, you can remove it from Kaspersky Security Center by using Web Console or Cloud Console.
To remove a mobile device from Kaspersky Security Center:
- Remove the mobile app from the device or make sure that the user has removed the app from the required device.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices.
- Select the mobile device that you want to remove, and then click Delete.
- Click OK to confirm the operation.
The device is removed from Kaspersky Security Center.
Managing group policies
This section describes how to manage group policies in Kaspersky Security Center Web Console and Cloud Console.
Group policies for managing mobile devices
A group policy is a package of settings for managing mobile devices that belong to an administration group and for managing mobile apps installed on the devices.
You can use a policy to configure settings of both individual devices and a group of devices. For a group of devices, administration settings can be configured in the window of group policy properties.
Each parameter in a policy has a "lock" attribute, which shows whether the setting can be modified in the policies of nested hierarchy levels (for nested groups and secondary Administration Servers) and in local application settings.
The values of settings configured in the policy and in local application settings are saved on the Administration Server, distributed to mobile devices during synchronization, and saved to devices as current settings. If the user has specified other values of settings that have not been "locked", during the next synchronization of the device with the Administration Server the new values of settings are relayed to the Administration Server and saved in the local settings of the application instead of the values that had been previously specified by the administrator.
To keep corporate security of Android mobile devices up to date, you can monitor users' devices for compliance with corporate security requirements.
For more details on managing policies and administration groups in Kaspersky Security Center Web Console and Cloud Console:
- If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
- If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.
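The "lock" attribute, together with the two inheritance options offered when a policy is created (Inherit settings from parent policy and Force inheritance of settings in child policies), decides which value reaches a device and whether the user can change it. The Python model below is an added illustration, not Kaspersky code. Its group names and setting names are hypothetical, and it assumes that every policy defines every setting, that a lock inherited from a parent stays in force further down the hierarchy, and that forced inheritance acts on the policies directly below.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Setting:
    value: object
    locked: bool = False   # the "lock" attribute of the setting
    source: str = ""       # group whose policy supplied the value


@dataclass
class Policy:
    group: str
    settings: Dict[str, Setting]
    inherit_from_parent: bool = True             # enabled by default
    force_inheritance_in_children: bool = False  # disabled by default
    parent: Optional["Policy"] = None


def inherits(policy: Policy) -> bool:
    """True if locked parent settings override this policy."""
    if policy.parent is None:
        # Top-level group: the inherit option has nothing to act on.
        return False
    # Forced inheritance in the parent switches the option on for the child.
    return policy.inherit_from_parent or policy.parent.force_inheritance_in_children


def effective(policy: Policy) -> Dict[str, Setting]:
    """Settings distributed to devices in the policy's group."""
    own = {name: Setting(s.value, s.locked, policy.group)
           for name, s in policy.settings.items()}
    if not inherits(policy):
        return own
    upstream = effective(policy.parent)
    result = {}
    for name, setting in own.items():
        parent_setting = upstream.get(name)
        if parent_setting is not None and parent_setting.locked:
            result[name] = parent_setting   # locked upstream: child value ignored
        else:
            result[name] = setting          # unlocked upstream: child value wins
    return result


def device_settings(policy: Policy, user_changes: Dict[str, object]
                    ) -> Tuple[Dict[str, object], List[str]]:
    """Values on the device after the user edits local settings.

    Changes to unlocked settings are kept; changes to locked settings
    are rejected and listed in the second return value.
    """
    current, rejected = {}, []
    for name, setting in effective(policy).items():
        if name in user_changes and not setting.locked:
            current[name] = user_changes[name]
        else:
            current[name] = setting.value
            if name in user_changes:
                rejected.append(name)
    return current, sorted(rejected)


def build_sample() -> Dict[str, Policy]:
    """Constructed four-group hierarchy with hypothetical setting names."""
    root = Policy("Managed devices", {
        "screen_lock_required": Setting(True, locked=True),
        "web_protection": Setting(True),
        "sync_period_hours": Setting(24, locked=True),
    })
    sales = Policy("Sales", {
        "screen_lock_required": Setting(False),
        "web_protection": Setting(False),
        "sync_period_hours": Setting(6),
    }, parent=root)
    field_team = Policy("Sales/Field", {
        "screen_lock_required": Setting(False),
        "web_protection": Setting(True),
        "sync_period_hours": Setting(1),
    }, parent=sales)
    lab = Policy("Lab", {
        "screen_lock_required": Setting(False),
        "web_protection": Setting(False),
        "sync_period_hours": Setting(12),
    }, inherit_from_parent=False, parent=root)
    return {"root": root, "sales": sales, "field": field_team, "lab": lab}


if __name__ == "__main__":
    policies = build_sample()
    for key in ("sales", "field", "lab"):
        print(key, {n: (s.value, s.locked, s.source)
                    for n, s in effective(policies[key]).items()})
    print(device_settings(policies["field"],
                          {"screen_lock_required": False, "web_protection": False}))
```

In this model the Lab group escapes the locked screen-lock requirement until forced inheritance is enabled on the top-level policy, and any setting left unlocked can be overridden by the device user.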
Viewing the list of group policies
Kaspersky Security Center Web Console and Cloud Console allow you to view the group policies, their statuses, and properties.
To view the list of group policies,
In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles.
The list of group policies opens with brief information about the group policies. On this page, you can create, modify, copy, move, and delete group policies.
Viewing the policy distribution results
Kaspersky Security Center Web Console and Cloud Console allow you to view the distribution chart of a group policy and information about all devices that fall under that policy.
To view the distribution results of a group policy:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles.
- In the list of group policies that opens, select the check box next to the name of the policy for which you want to view the distribution results, and then click Distribution.
The policy distribution results page opens. This page contains the policy summary, the policy distribution chart, and the table with information about all devices that fall under that policy. You can open the policy properties window by clicking the Configure policy button.
Creating a group policy
Kaspersky Security Center Web Console and Cloud Console allow you to create group policies for the purpose of managing mobile devices.
To create a group policy:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles.
- In the list of Kaspersky Security Center group policies that opens, click Current path to select the administration group for which you want to create a policy.
By default, the new group policy is applied to the Managed devices group.
- Click Add to start the Policy Creation Wizard. Proceed through the Wizard by using the Next button.
- Select Kaspersky Security for Mobile (Policies).
- Type the name for the new policy in the Name field. If you specify the name of an existing policy, it will have (1) added at the end automatically.
- Select the policy status:
- Active
The Wizard saves the created policy on the Administration Server. At the next synchronization of the mobile device with the Administration Server, the policy will be used on the device as the active policy.
- Inactive
The Wizard saves the created policy on the Administration Server as a backup policy. This policy can be activated in the future after a specific event. If necessary, an inactive policy can be switched to active state.
Several policies can be created for one application in the group, but only one of them can be active. When a new active policy is created, the previous active policy automatically becomes inactive.
- You can enable or disable two options of inheritance, Inherit settings from parent policy and Force inheritance of settings in child policies:
- If you enable Inherit settings from parent policy for a child administration group and lock some settings in the parent policy, then you cannot change these settings in the policy for the child group. You can, however, change the settings that are not locked in the parent policy.
- If you disable Inherit settings from parent policy for a child administration group, then you can change all the settings in the child group, even if some settings are locked in the parent policy.
- If you enable Force inheritance of settings in child policies in the parent administration group, this enables the Inherit settings from parent policy option for each child policy. In this case, you cannot disable this option for any child policy. All the settings that are locked in the parent policy are forcibly inherited in the child groups and you cannot change these settings in the child groups.
- In the policies for the Managed devices group, the Inherit settings from parent policy option does not affect any settings, because the Managed devices group does not have any upstream groups and therefore does not inherit any policies.
By default, the Inherit settings from parent policy option is enabled and the Force inheritance of settings in child policies option is disabled.
- If you want, you can define the settings of the newly created policy. To do so, select the Application settings tab, and then proceed as described in the "Defining policy settings" section.
Alternatively, you can do that later.
- Click Save to create the policy.
A new group policy for managing mobile devices is created.
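The inheritance rules in the procedure above can be checked with a small model. This is an added example, not Kaspersky code or a Kaspersky API: the `Policy` class, the setting names, and the group names are constructed for illustration, and it assumes that locked settings pass down through every level that inherits and that Force inheritance applies to direct child policies.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Policy:
    """Model of one group policy (hypothetical structure, not a Kaspersky API)."""
    group: str
    settings: Dict[str, object]
    locked: Set[str] = field(default_factory=set)  # settings locked in this policy
    inherit_from_parent: bool = True               # default per the text above
    force_in_children: bool = False                # default per the text above
    parent: Optional["Policy"] = None              # None models Managed devices

    def inherits(self) -> bool:
        """True when 'Inherit settings from parent policy' is in effect."""
        if self.parent is None:
            return False   # Managed devices has no upstream group
        if self.parent.force_in_children:
            return True    # forced on by the parent policy
        return self.inherit_from_parent

    def can_disable_inheritance(self) -> bool:
        """False when the parent forces inheritance in child policies."""
        return self.parent is None or not self.parent.force_in_children

    def imposed(self) -> Dict[str, object]:
        """Locked upstream settings that this policy cannot change."""
        return self.parent.passed_down() if self.inherits() else {}

    def passed_down(self) -> Dict[str, object]:
        """Locked settings handed to child policies that inherit (assumption:
        locks imposed from above keep their upstream value at every level)."""
        result = dict(self.imposed())
        for name in self.locked:
            result.setdefault(name, self.settings[name])
        return result

    def effective(self) -> Dict[str, object]:
        """Own settings, overridden by whatever is imposed from upstream."""
        return {**self.settings, **self.imposed()}

    def editable(self) -> Set[str]:
        """Settings the administrator can still change in this policy."""
        return set(self.settings) - set(self.imposed())


def build_demo():
    """Constructed sample hierarchy: one parent policy and two child policies."""
    root = Policy(
        "Managed devices",
        {"realtime_protection": True, "min_password_length": 8,
         "scan_schedule": "weekly"},
        locked={"realtime_protection", "min_password_length"},
    )
    sales = Policy(
        "Sales",
        {"realtime_protection": False, "min_password_length": 4,
         "scan_schedule": "daily"},
        parent=root,
    )
    lab = Policy(
        "Lab",
        {"realtime_protection": False, "min_password_length": 4,
         "scan_schedule": "daily"},
        inherit_from_parent=False,
        parent=root,
    )
    return root, sales, lab


if __name__ == "__main__":
    root, sales, lab = build_demo()
    for policy in (sales, lab):
        print(policy.group, policy.effective(), sorted(policy.editable()))
    root.force_in_children = True   # parent now forces inheritance
    print("Lab after force:", lab.effective(), lab.can_disable_inheritance())
```

In the sample, the Lab policy keeps weaker values than the parent until Force inheritance of settings in child policies is enabled in the parent, which is the case to look for when auditing child groups.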
Modifying a group policy
Kaspersky Security Center Web Console and Cloud Console allow you to modify the settings of group policies.
To modify a group policy:
- Open the policy properties window:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties window, select Application settings, and then define the policy settings as described in the "Defining policy settings" section.
You can also configure general settings, settings inheritance, events logging and notifications, policy profiles, and view revision history. For more information, please refer to Kaspersky Security Center Help.
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
Copying a group policy
Kaspersky Security Center Web Console and Cloud Console allow you to create a copy of a group policy.
To create a copy of a group policy:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles.
- In the list of group policies that opens, select the check box next to the name of the policy for which you want to create a copy, and then click Copy.
- In the tree of administration groups that opens, select the target group in which you want to create a copy of the policy.
You can create a new administration group by selecting an existing group, and then clicking Add child group.
- Click Copy.
- Click OK to confirm the operation.
A copy of the policy will be created in the target group under the same name. The status of each copied or moved policy in the target group will be Inactive. You can change the status to Active at any time.
If a policy with a name identical to that of the newly created or moved policy already exists in the target group, the (<next sequence number>) index is added to the name of the newly created or moved policy, for example: (1).
Moving a policy to another administration group
Kaspersky Security Center Web Console and Cloud Console allow you to move a policy to another administration group.
To move a policy to another administration group:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles.
- In the list of group policies that opens, select the check box next to the name of the policy that you want to move to another administration group, and then click Move.
- In the tree of administration groups that opens, select the target group to which you want to move the policy.
You can create a new administration group by selecting an existing group, and then clicking Add child group.
- Click Move.
- Click OK to confirm the operation.
The result depends on the policy inheritance properties:
- If the policy is not inherited in the source group, it will be moved to the target group.
- If the policy is inherited in the source group, it will not be moved. Instead, a copy of this policy will be created in the target group.
The status of each copied or moved policy in the target group will be Inactive. You can change the status to Active at any time.
If a policy with a name identical to that of the newly created or moved policy already exists in the target group, the (<next sequence number>) index is added to the name of the newly created or moved policy, for example: (1).
Deleting a group policy
Kaspersky Security Center Web Console and Cloud Console allow you to delete group policies.
You can delete only a policy that is not inherited in the current administration group. If a policy is inherited, you can only delete it in the upper-level group for which it was created.
To delete a group policy:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles.
- In the list of group policies that opens, select the check box next to the name of the policy that you want to delete, and then click Delete.
- Click OK to confirm the operation.
The group policy will be deleted.
Defining policy settings
This section describes how to define the settings of Kaspersky Security Center policies for managing mobile devices.
You can define policy settings either when creating or modifying a policy.
Configuring anti-malware protection
You can define these policy settings only for Android devices.
For the timely detection of threats, viruses, and other malicious applications, you should configure real-time protection and autorun of malware scans.
Kaspersky Endpoint Security for Android detects the following types of objects:
- Viruses, worms, Trojans, and malicious tools
- Adware
- Apps that can be exploited by criminals to harm your device or personal data
Due to technical limitations, Kaspersky Endpoint Security for Android cannot scan files with a size of 2 GB or more. During a scan, the app skips large files and does not notify you that such files were skipped.
Configuring real-time protection
You can define these policy settings only for Android devices.
To configure real-time protection:
- Open the policy properties window:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties window, select Application settings > Essential protection.
- In the Anti-Malware section, configure the mobile device file system protection:
- To enable real-time protection of the mobile device against threats, select the Enable real-time anti-malware protection check box.
- Specify the level of protection:
- If you want Kaspersky Endpoint Security for Android to scan only new apps and files from the Downloads folder, select Scan only new apps.
- To enable extended protection of the mobile device against threats, select Scan all apps and monitor actions with files.
Kaspersky Endpoint Security for Android will scan all files that the user opens, modifies, moves, copies, installs, or saves on the device, as well as newly installed mobile apps.
On devices running Android 8.0 or later, Kaspersky Endpoint Security for Android scans files that the user modifies, moves, installs, and saves, as well as copies of files. Kaspersky Endpoint Security for Android does not scan files when they are opened, or source files when they are copied.
- To enable additional scanning of new apps before they are started for the first time on the user's device by using the Kaspersky Security Network cloud service, select the Additional protection by Kaspersky Security Network check box.
- To block adware and apps that can be exploited by criminals to harm the device or user data, select the Detect adware, autodialers, and apps that may be used by cybercriminals to cause harm to the user's device and data check box.
- In the Anti-Malware settings section, select the action to be performed on threat detection:
- Delete and save a backup copy of file in quarantine
Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will create a backup copy of the file and save it in quarantine.
- Delete
Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will display a temporary notification about the detection of the object.
- Skip
If the detected objects have been skipped, Kaspersky Endpoint Security for Android warns the user about problems in device protection. For each skipped threat, the app provides actions that the user can perform to eliminate the threat. The list of skipped objects may change, for example, if a malicious file was deleted or moved. To receive an up-to-date list of threats, run a full device scan. To ensure reliable protection of your data, eliminate all detected objects.
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
Configuring autorun of malware scans on a mobile device
You can define these policy settings only for Android devices.
To configure autorun of malware scans on a mobile device:
- Open the policy properties window:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties window, select Application settings > Essential protection.
- To block adware and apps that can be exploited by criminals to harm the device or user data, select the Detect adware, autodialers, and apps that may be used by cybercriminals to cause harm to the user's device and data check box in the Device scan section.
- In the Action on threat detection list, select one of the following options:
- Delete and save a backup copy of file in quarantine
Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will create a backup copy of the file and save it in quarantine.
- Delete
Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will display a temporary notification about the detection of the object.
- Skip
If the detected objects have been skipped, Kaspersky Endpoint Security for Android warns the user about problems in device protection. For each skipped threat, the app provides actions that the user can perform to eliminate the threat. The list of skipped objects may change, for example, if a malicious file was deleted or moved. To receive an up-to-date list of threats, run a full device scan. To ensure reliable protection of your data, eliminate all detected objects.
- Ask user
The Kaspersky Endpoint Security for Android app displays a notification prompting the user to choose the action to take on the detected object: Skip or Delete.
When the app detects several objects, the Ask user option allows the device user to apply a selected action to each file by using the Apply to all threats check box.
Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure the display of notifications on mobile devices running Android 10.0 or later. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. In this case, Kaspersky Endpoint Security for Android displays an Android system window prompting the user to choose the action to take on the detected object: Skip or Delete. To apply an action to multiple objects, you need to open Kaspersky Endpoint Security.
- In the Scheduled scan section, you can configure the automatic full scan of the device file system.
Select one of the following options:
- Disabled
The scan of the device file system will not be launched automatically.
- After database update
The device file system will be scanned automatically on each anti-malware database update.
- Daily
The device file system will be scanned automatically every day.
If you select this option, you can also specify the time of the scan in the Start time field.
- Weekly on
The device file system will be scanned automatically once a week.
If you select this option, you can also select the day of the week for the scan from the drop-down list and specify the time of the scan in the Start time field.
If the device is in battery saver mode, the app may perform this task later than specified. To ensure timely responses of KES devices on Android to the administrator's commands, enable the use of Google Firebase Cloud Messaging.
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
Configuring anti-malware database updates
You can define these policy settings only for Android devices.
To configure anti-malware database updates:
- Open the policy properties window:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties window, select Application settings > Database update.
- In the Database update section, configure the schedule of automatic database updates on the user's device.
Select one of the following options:
- Disabled
Automatic updates of anti-malware databases will be disabled.
- Daily
Anti-malware databases will be updated every day.
If you select this option, you can also specify the time of update in the Update time field.
- Weekly
Anti-malware databases will be updated once a week.
If you select this option, you can also specify the time of the update in the Update time field and the day of the week for the update in the Day of the week drop-down list.
If the device is in battery saver mode, the app may perform this task later than specified. To ensure timely responses of KES devices on Android to the administrator's commands, enable the use of Firebase Cloud Messaging.
- In the Database update source section, specify the update source from which Kaspersky Endpoint Security for Android receives and installs anti-malware database updates:
- Kaspersky servers
Kaspersky Endpoint Security for Android will use a Kaspersky update server as an update source for downloading anti-malware databases to the user's device.
- Administration Server
Available only if you use Kaspersky Security Center Web Console.
Kaspersky Endpoint Security for Android will use the repository of Kaspersky Security Center Administration Server as an update source for downloading anti-malware databases to the user's device.
- Other source
Kaspersky Endpoint Security for Android will use a third-party server as an update source for downloading anti-malware databases to the user's device.
If you select this option, you must specify the address of an HTTP server in the Use another server as an update source for anti-malware databases field.
- If you want Kaspersky Endpoint Security for Android to download anti-malware database updates according to the update schedule when the user's device is roaming, select the Allow database update while roaming check box in the Update anti-malware databases while roaming section.
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
Update functionality (including anti-malware signature updates and codebase updates) and KSN functionality will not be available in the software in U.S. territory from 12:00 AM Eastern Daylight Time (EDT) on September 10, 2024, in accordance with the restrictive measures.
Defining device unlock settings
You can define these policy settings only for Android devices.
To keep a mobile device secure, you need to configure the use of a password for which the user is prompted when the device comes out of sleep mode.
You can impose restrictions on the user's activity on the device if the unlock password is weak (for example, lock the device). You can impose restrictions by using the Compliance Control component.
On certain Samsung devices running Android 7.0 or later, when the user attempts to configure unsupported methods for unlocking the device (for example, a graphical password), the device may be locked if the following conditions are met: Kaspersky Endpoint Security for Android removal protection is enabled and screen unlock password strength requirements are set. To unlock the device, you must send a special command to the device.
To configure device unlock password strength:
- Open the policy properties window:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties window, select Application settings > Essential protection.
- If you want the app to check whether an unlock password has been set, select the Require to set screen unlock password check box in the Password protection section.
If the application detects that no system password has been set on the device, it prompts the user to set it. The password is set according to the parameters defined by the administrator.
- Specify the minimum number of characters in the user password.
Possible values: 4 to 16 characters.
The user's password is 4 characters long by default.
On devices running Android 10.0 or later, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high.
The values for devices running Android 10.0 or later are determined by the following rules:
- If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN) with no repeating or ordered (e.g. 1234) sequences, or alphanumeric. The PIN or password must be at least 4 characters long.
- If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN) with no repeating or ordered sequences, or alphanumeric (password). The PIN must be at least 8 digits long; the password must be at least 6 characters long.
- If you want the user to have the capability to use fingerprints to unlock the screen, select the Allow use of fingerprints (Android 9 or earlier) check box. If the unlock password is not compliant with corporate security requirements, you cannot use a fingerprint scanner to unlock the screen.
On devices running Android 10.0 or later, the use of a fingerprint to unlock the screen is not supported.
Kaspersky Endpoint Security for Android does not restrict the use of a fingerprint scanner for signing in to apps or confirming purchases.
On certain Samsung devices, it is impossible to block the use of fingerprints for unlocking the screen.
On certain Samsung devices, if the unlock password does not comply with corporate security requirements, Kaspersky Endpoint Security for Android does not block the use of fingerprints for unlocking the screen.
After adding a fingerprint in the device settings, the user can unlock the screen by using the following methods:
- Press the finger to the fingerprint scanner (main method).
- Enter the unlock password (backup method).
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
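The Android 10.0 rules in the procedure above mean that the configured length is resolved into one of two system levels rather than enforced as a number. The following added example (not Kaspersky or Android code) applies those rules to constructed sample PINs and passwords; the function names are hypothetical, and the sequence test (a run of more than three digits that repeat or step by one) is an assumption, because the page only says "no repeating or ordered sequences".

```python
# Minimum lengths per level, taken from the two rules in the text above.
MIN_LENGTH = {
    "medium": {"pin": 4, "password": 4},
    "high": {"pin": 8, "password": 6},
}

# Assumption: a repeating or ordered run longer than this is rejected.
MAX_RUN = 3


def android10_level(required_length: int) -> str:
    """Resolve the policy's minimum password length into a system level."""
    if required_length < 1:
        raise ValueError("required length must be at least 1")
    return "medium" if required_length <= 4 else "high"


def longest_run(pin: str) -> int:
    """Length of the longest repeating (1111) or ordered (1234, 4321) run."""
    best = run = 1 if pin else 0
    prev_step = None
    for a, b in zip(pin, pin[1:]):
        step = int(b) - int(a)
        if step in (-1, 0, 1):
            # Extend the run only while the step stays the same.
            run = run + 1 if step == prev_step else 2
        else:
            run = 1
        prev_step = step
        best = max(best, run)
    return best


def satisfies(secret: str, level: str) -> bool:
    """Check a PIN or password against the medium or high requirement."""
    limits = MIN_LENGTH[level]
    if secret.isascii() and secret.isdigit():
        return len(secret) >= limits["pin"] and longest_run(secret) <= MAX_RUN
    # Anything that is not all digits is treated as a password here.
    return len(secret) >= limits["password"]


def accepted_on_android10(policy_min_length: int, secret: str) -> bool:
    """Would this secret meet the level that the policy value resolves to?"""
    return satisfies(secret, android10_level(policy_min_length))


if __name__ == "__main__":
    # Constructed samples: (policy minimum length, candidate secret).
    samples = [(4, "1234"), (4, "2580"), (5, "abc12"),
               (16, "Tr4il9"), (16, "2580147"), (16, "25801479")]
    for length, secret in samples:
        print(length, android10_level(length), secret,
              accepted_on_android10(length, secret))
```

Under the two rules, a policy value of 16 resolves to the same high level as a value of 5, so a six-character password meets the requirement on these devices.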
Configuring protection of stolen or lost device data
You can define these policy settings only for Android devices.
To protect corporate data in case a mobile device is lost or stolen, you must configure the unauthorized access protection.
To ensure protection of stolen or lost device data, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time.
To configure protection of stolen or lost device data:
- Open the policy properties window:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties window, select Application settings > Essential protection.
- In the Anti-Theft section, configure device locking:
- Specify the number of characters in the unlock code.
- Specify the text to be displayed when the device is locked.
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
Configuring app control
You can define these policy settings only for Android devices.
App Control checks that the apps installed on a mobile device are compliant with corporate security requirements. In Kaspersky Security Center, the administrator creates lists of allowed, blocked, mandatory, and recommended apps according to the corporate security requirements. As a result of App Control, Kaspersky Endpoint Security prompts the user to install mandatory and recommended apps, and to remove blocked apps. It is impossible to start blocked apps on the user's mobile device.
In Kaspersky Security Center Web Console and Cloud Console, you can manage apps on users' devices by applying pre-defined rules. You can configure two types of App Control rules: application rules and category rules.
An App rule is applied to a specific app, while a Category rule is applied to any app that belongs to a pre-defined category. App categories are specified by Kaspersky experts.
To configure App Control:
- Open the policy properties window:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- On the policy properties page, select Application settings > Security controls.
- In the table under the App Control section, add rules that will define what apps will be controlled.
- To add a rule for a specific app:
- In the table, click App rule.
- In the App rule window that opens, choose the action that will be performed with the apps covered by the created rule.
- Specify the app that will be subject to the rule by filling in Link to installation package (for example, https://play.google.com/store/apps/details?id=com.kaspersky.kes), Package name (for example, katana.facebook.com), and App name.
- Click Save.
The rule is added to the list of App Control rules.
- To add a rule for a category of apps:
- In the table under the App Control section, click Category rule.
- In the Category rule window that opens, select the app category from the drop-down list.
Apps within the selected category will be subject to the created rule.
- In the Operation mode section, select the action that will be performed when any apps within the selected category attempt to start up: Forbidden apps or Allowed apps.
- Fill in the Additional comment shown on the user's device when an app of a specified category is detected, if necessary.
- Click Save.
The rule is added to the list of App Control rules.
- In the Actions with forbidden apps section, choose what action is performed for forbidden applications:
- If you want Kaspersky Endpoint Security for Android to block the startup of forbidden applications on the user's mobile device, select Block apps from launching.
- If you want Kaspersky Endpoint Security for Android to send data on forbidden apps to the event log without blocking them, select Do not block forbidden apps, report only.
- In the Operation mode section, choose whether the rules you add will define allowed apps or forbidden apps:
- If you want the rules to define which apps are allowed, select Forbidden apps.
If you want Kaspersky Endpoint Security for Android to block the startup of system apps on the user's mobile device (such as Calendar, Camera, and Settings) in the Forbidden apps mode, select the Block system apps check box.
Kaspersky experts recommend against blocking system apps because this could lead to failures in device operation.
- If you want the rules to define which apps are forbidden, select Allowed apps.
- To receive information about all apps installed on mobile devices, in the Application report section, select the Send a list of installed apps on all mobile devices check box.
Kaspersky Endpoint Security for Android sends data to the event log each time an app is installed or removed from the device.
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
Configuring compliance control of mobile devices with corporate security requirements
You can define these policy settings only for Android devices.
Compliance control allows you to monitor Android devices for compliance with corporate security requirements and take actions in case of non-compliance. Corporate security requirements regulate how the user can work with the device. For example, real-time protection must be enabled on the device, anti-malware databases must be up-to-date, and the device password must be sufficiently strong. Compliance control is based on a list of rules. A compliance rule includes the following components:
- Device non-compliance criterion.
- Action that will be taken on a device if the user does not fix the non-compliance within the set time period.
- Time period allocated for the user to fix the non-compliance (for example, 24 hours).
When the specified time period is over, the selected action will be taken on the user's device.
If the device is in battery saver mode, the app may perform this task later than specified. To ensure that Android devices running Kaspersky Endpoint Security respond to the administrator's commands in a timely manner, enable the use of Google Firebase Cloud Messaging.
To configure compliance control, you can perform the following actions:
- Enable or disable existing compliance rules.
- Edit an existing compliance rule.
- Add a new rule.
- Delete a rule.
Enabling and disabling compliance rules
You can define these policy settings only for Android devices.
To enable or disable existing rules of compliance control of mobile devices with corporate security requirements:
- Open the policy properties window:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties page, select Application settings > Security controls.
- In the Compliance Control section, enable or disable the existing compliance rules by using the toggle buttons in the Status column.
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
Editing compliance rules
You can define these policy settings only for Android devices.
To edit a rule for controlling the compliance of mobile devices with corporate security requirements:
- Open the policy properties window:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties page, select Application settings > Security controls.
- In the Compliance Control section, select the rule that you want to edit, and then click Edit.
- In the Rule window that opens, edit the rule as follows:
- In the Action column, configure the list of actions to be performed in case of non-compliance with the rule by adding new actions, editing the existing actions, or deleting them.
- Optionally, specify the time period in which a user can fix the non-compliance by using the Time to rectification column for each action.
- Click the Save button to save the rule.
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
Adding compliance rules
You can define these policy settings only for Android devices.
To add a rule for controlling the compliance of mobile devices with corporate security requirements:
- Open the policy properties window:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties page, select Application settings > Security controls.
- In the Compliance Control section, click Rule.
- In the Rule window that opens, define the rule as follows:
- Select the non-compliance criterion for the rule.
- Click Add, and then select the action to be performed in case of non-compliance with the rule in the Action column.
You can add several actions.
- Specify the time period in which a user can fix the non-compliance by using the Time to rectification column for each action.
- Click the Save button to save the rule.
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
Deleting compliance rules
You can define these policy settings only for Android devices.
To delete a rule for controlling the compliance of mobile devices with corporate security requirements:
- Open the policy properties window:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties page, select Application settings > Security controls.
- In the Compliance Control section, select the rule that you want to delete, and then click Delete.
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
List of non-compliance criteria
You can define these policy settings only for Android devices.
To ensure that an Android device complies with corporate security requirements, Kaspersky Endpoint Security for Android can check the device against the following criteria:
- Real-time protection is disabled.
Real-time protection must be enabled.
For more information on configuring real-time protection, see the "Configuring real-time protection" section.
- Anti-malware databases are out of date.
The anti-malware database of Kaspersky Endpoint Security for Android must be regularly updated.
For more information on defining the settings of anti-malware database updates, see the "Configuring anti-malware protection" section.
- Forbidden apps are installed.
The device must not have applications installed that are classified as Block from launching, as specified in the App Control section.
For more information on creating rules for applications, see the "Configuring App Control" section.
- Apps from forbidden categories are installed.
The device must not have applications installed that fall under a category that is classified as Block from launching, as specified in the App Control section.
For more information on creating rules for application categories, see the "Configuring App Control" section.
- Not all required apps are installed.
The device must have specific applications installed that are classified as Force to install, as specified in the App Control section.
For more information on creating rules for applications, see the "Configuring App Control" section.
- Operating system version is out of date.
The device must have an allowed version of the operating system.
To use this non-compliance criterion, you must specify the range of allowed operating system versions in the Minimum operating system version and Maximum operating system version drop-down lists.
- Device has not been synchronized for a long time.
The device must be regularly synchronized with the Administration Server.
To use this non-compliance criterion, you must specify the maximum time interval between device synchronizations in the Synchronization period drop-down list.
- Device has been rooted.
The device must not be rooted.
For more information, see the "Detecting device hacks (root)" section.
- Unlock password is not compliant with security requirements.
The device must be protected with an unlock password that complies with the unlock password strength requirements.
List of actions in case of non-compliance
You can define these policy settings only for Android devices.
If the user does not fix a non-compliance issue within the specified time, the following actions are available:
- Block all apps except system apps.
All apps on the user's mobile device, except system apps, are blocked from starting.
- Lock device.
The mobile device is locked. To obtain access to data, you must unlock the device. If the reason for locking the device is not rectified after the device is unlocked, the device will be locked again after the specified time period.
- Wipe corporate data.
The corporate data is wiped from the device. The list of wiped data depends on the mode in which the device operates:
- On a personal device, the KNOX container and mail certificate are wiped.
- If the device operates in device owner mode, the KNOX container and the certificates installed by Kaspersky Endpoint Security for Android (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
- Additionally, if an Android work profile is created, the work profile (its content, configurations, and restrictions) and the certificates installed in the work profile (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
- Fully reset device to factory settings.
All data is deleted from the mobile device and the settings are rolled back to their factory values.
Configuring user access to websites
You can define these policy settings for Android and iOS devices.
To protect personal and corporate data stored on mobile devices during internet browsing, you can configure user access to websites by using Web Protection. Web Protection scans websites before a user opens them, and then blocks websites that distribute malicious code and phishing websites designed to steal confidential data and gain access to financial accounts.
For Android devices, this feature also supports website filtering by categories defined in the Kaspersky Security Network cloud service. Filtering allows you to restrict access to certain websites or categories of websites (for example, those from the "Gambling, lotteries, sweepstakes" or "Internet communication" categories).
To enable Web Protection on iOS devices, the user must allow the Kaspersky Security for iOS app to add a VPN configuration.
To enable Web Protection on Android devices:
- The Statement regarding data processing for the purpose of using Web Protection (Web Protection Statement) should be accepted. Kaspersky Endpoint Security uses Kaspersky Security Network (KSN) to scan websites. The Web Protection Statement contains the terms of data exchange with KSN.
You can accept the Web Protection Statement for the user in Kaspersky Security Center. In this case, the user is not required to take any action.
If you have not accepted the Web Protection Statement and prompt the user to do this, the user must read and accept the Web Protection Statement in the app settings.
If you have not accepted the Web Protection Statement, Web Protection is not available.
Web Protection on Android devices is supported only by Google Chrome, HUAWEI Browser, Samsung Internet Browser, and Yandex Browser.
If the Kaspersky Endpoint Security for Android app in device owner mode is not enabled as an Accessibility Features service, Web Protection is supported only by the Google Chrome browser and checks only the domain of a website. To allow other browsers (Samsung Internet Browser, Yandex Browser, and HUAWEI Browser) to support Web Protection, enable Kaspersky Endpoint Security as an Accessibility Features service. This also enables the Custom Tabs feature.
The Custom Tabs feature is supported by Google Chrome, HUAWEI Browser, and Samsung Internet Browser.
Web Protection for HUAWEI Browser, Samsung Internet Browser, and Yandex Browser does not block sites on a mobile device if a work profile is used and Web Protection is enabled only for the work profile.
To configure user access to websites:
- Open the policy properties window:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties page, select Application settings > Security controls.
- In the Web Protection section, select the Enable Web Protection check box to enable the feature.
- For Android devices, you can select one of the following options:
- To restrict user access to websites based on their content:
- Select Block websites of specified categories.
- Select the check boxes next to the categories of websites to which Kaspersky Endpoint Security for Android will block access.
If Web Protection is enabled, user access to websites in the Phishing and Malware sites categories is always blocked.
- To specify the list of allowed websites:
- Select Allow only specified websites.
- Create a list of websites by adding website addresses to which the app will not block access. You can add websites by link (full URL, including the protocol, e.g. https://example.com).
Kaspersky Endpoint Security for Android also supports regular expressions. When entering the address of an allowed or blocked website, use the following templates:
- https://example\.com/.*
This template blocks or allows all child pages of the website, accessed via the HTTPS protocol (for example, https://example.com/about).
- https?://example\.com/.*
This template blocks or allows all child pages of the website, accessed via both the HTTP and HTTPS protocols.
- https?://.*\.example\.com
This template blocks or allows all subdomain pages of the website (e.g., https://pictures.example.com).
- https?://example\.com/[abc]/.*
This template blocks or allows all child pages of the website where the URL path begins with 'a', 'b', or 'c' as the first directory (e.g., https://example.com/b/about).
- https?://\w{3,5}.example\.com/.*
This template blocks or allows all child pages of the website where the subdomain consists of a word with 3 to 5 characters (e.g., http://abde.example.com/about).
Use the expression https? to select both the HTTP and HTTPS protocols. For more details on regular expressions, please refer to the Oracle Technical Support website.
Web Protection section with regular expressions' examples
- To block user access to all websites, select Block all websites.
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
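Before regular-expression templates go into an Allow only specified websites list, it is worth checking what else they match. The following added example (not Kaspersky code) runs the five templates from this page against constructed URLs and reports any match whose host lies outside example.com. It assumes that a template must match the whole URL and uses Python's re module in ASCII mode as a stand-in for the Java-style syntax the page refers to; the probe URLs, function names, and the two tightened patterns are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# The five templates exactly as they appear on this page.
PAGE_TEMPLATES = [
    r"https://example\.com/.*",
    r"https?://example\.com/.*",
    r"https?://.*\.example\.com",
    r"https?://example\.com/[abc]/.*",
    r"https?://\w{3,5}.example\.com/.*",
]

# Tightened variants (assumptions of this example, not vendor templates).
TIGHTENED = {
    # Confine the wildcard to host-name labels so it cannot run into
    # the path or query part of the URL.
    r"https?://.*\.example\.com": r"https?://(?:[\w-]+\.)+example\.com",
    # Escape the dot after the subdomain so it matches only a literal ".".
    r"https?://\w{3,5}.example\.com/.*": r"https?://\w{3,5}\.example\.com/.*",
}

# Constructed probe URLs. Nothing is fetched; they are matched as strings only.
PROBES = [
    "https://example.com/about",
    "http://example.com/b/about",
    "https://pictures.example.com",
    "http://abde.example.com/about",
    "http://abcd-example.com/about",     # a different registered domain
    "https://other.test/?.example.com",  # domain text appears only in the query
]


def host_in_scope(url, domain="example.com"):
    """True if the URL's host is the domain itself or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def matches(pattern, url):
    """Assumption: a template has to match the entire URL, not a substring."""
    return re.fullmatch(pattern, url, flags=re.ASCII) is not None


def overmatches(pattern, probes=PROBES):
    """Probe URLs the pattern accepts although their host is out of scope."""
    return [u for u in probes if matches(pattern, u) and not host_in_scope(u)]


def coverage(pattern, probes=PROBES):
    """Probe URLs the pattern accepts whose host is in scope."""
    return [u for u in probes if matches(pattern, u) and host_in_scope(u)]


def audit(templates=PAGE_TEMPLATES):
    """Report per template: intended matches, unintended matches, and, where
    a tightened variant exists, whether it removes the unintended matches
    without losing any intended one."""
    report = {}
    for template in templates:
        entry = {
            "in_scope": coverage(template),
            "out_of_scope": overmatches(template),
        }
        fixed = TIGHTENED.get(template)
        if entry["out_of_scope"] and fixed:
            entry["tightened"] = fixed
            entry["tightened_out_of_scope"] = overmatches(fixed)
            entry["coverage_kept"] = coverage(fixed) == entry["in_scope"]
        report[template] = entry
    return report


if __name__ == "__main__":
    for template, entry in audit().items():
        print(template)
        for key, value in entry.items():
            print(f"    {key}: {value}")
```

Under these assumptions, the third and fifth templates accept one out-of-scope probe each, and the tightened variants reject those probes while still accepting the in-scope ones.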
Configuring feature restrictions
You can define these policy settings only for Android devices.
Kaspersky Security Center Web Console enables you to configure user access to the following features of mobile devices:
- Wi-Fi
- Camera
- Bluetooth
By default, the user can use Wi-Fi, camera, and Bluetooth on the device without restrictions.
To configure the Wi-Fi, camera, and Bluetooth usage restrictions on the device:
- Open the policy properties window:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties page, select Application settings > Security controls.
- In the Feature management section, configure the usage of Wi-Fi, camera, and Bluetooth:
- To disable the Wi-Fi module on the user's mobile device, select the Prohibit use of Wi-Fi (Android 9 or earlier) check box.
On devices running Android 10 or later, prohibiting the use of Wi-Fi networks is not supported.
- To disable the camera on the user's mobile device, select the Prohibit use of camera check box.
On devices running Android 11 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. If this is the case, you will not be able to restrict use of the camera.
- To disable Bluetooth on the user's mobile device, select the Prohibit use of Bluetooth check box.
On Android 12 or later, the use of Bluetooth can be disabled only if the device user granted the Nearby Bluetooth devices permission. The user can grant this permission during the Initial Configuration Wizard or at a later time.
On personal devices running Android 13 or later, the use of Bluetooth cannot be disabled.
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
Protecting Kaspersky Endpoint Security for Android against removal
For mobile device protection and compliance with corporate security requirements, you can enable protection against the removal of Kaspersky Endpoint Security for Android. In this case, the user cannot remove the app by using the Kaspersky Endpoint Security for Android interface. When removing the app by using the tools of the Android operating system, the user is prompted to disable administrator rights for Kaspersky Endpoint Security for Android. After disabling the rights, the mobile device will be locked.
To enable protection against the removal of Kaspersky Endpoint Security for Android:
- Open the policy properties window:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties page, select Application settings > Security controls.
- In the Manage app on mobile device section, clear the Allow removal of Kaspersky Endpoint Security for Android from device check box.
To protect the app from removal on devices running Android 7.0 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, the app is not protected from removal.
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
If an attempt is made to remove the app, the mobile device will be locked.
Configuring synchronization of mobile devices with Kaspersky Security Center
You can define these policy settings for Android and iOS devices.
To manage mobile devices and receive reports or statistics from mobile devices, you must define synchronization settings. Synchronization of mobile devices with Kaspersky Security Center can be performed in the following ways:
- By schedule. Synchronization by schedule is performed by using HTTP. You can configure the synchronization schedule in the policy properties. Modifications to policy settings, commands, and tasks are performed when mobile devices are synchronized with Kaspersky Security Center according to the schedule—that is, with a delay. By default, mobile devices are synchronized with Kaspersky Security Center automatically every six hours.
- Forced (for Android devices). Forced synchronization is performed by using push notifications of the FCM service (Firebase Cloud Messaging). Forced synchronization is primarily intended for timely delivery of commands to a mobile device. It might be useful when a device is in battery saver mode, because in this case the app may perform tasks later than specified. If you want to use forced synchronization, make sure that the FCM settings are configured in Kaspersky Security Center.
To configure mobile device synchronization with Kaspersky Security Center:
- Open the policy properties window:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties page, select Application settings > Synchronization.
- In the Synchronization with the Administration Server section, use the Synchronization period drop-down list to select the synchronization period.
By default, synchronization is performed every six hours.
When the specified synchronization period is very short, the actual synchronization period may be a bit longer due to technical limitations. This is especially true for devices in the battery saver mode. Frequent synchronizations discharge the device battery more quickly.
- For Android devices, you can disable synchronization when the device is roaming. To do so, select the Do not synchronize while roaming check box.
By default, synchronization while roaming is enabled.
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
Kaspersky Security Network
To protect mobile devices more effectively, Kaspersky Endpoint Security for Android and Kaspersky Security for iOS use data acquired from users around the globe. Kaspersky Security Network is designed to process such data.
Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to the Kaspersky online knowledge base with information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky applications to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.
Your participation in Kaspersky Security Network helps Kaspersky to acquire real-time information about the types and sources of new threats, develop methods of neutralizing them, and reduce the number of false alarms. Participation in Kaspersky Security Network also lets you access reputation statistics for applications and websites.
When you participate in Kaspersky Security Network, some statistics are acquired while the mobile apps are running and are automatically sent to Kaspersky. This information makes it possible to keep track of threats in real time. Files or their parts that may be exploited by intruders to harm the computer or user's content can also be sent to Kaspersky for additional examination.
The following app components use the Kaspersky Security Network cloud service:
- The Anti-Malware, Web Protection, and App Control components in the Kaspersky Endpoint Security for Android app.
- The Web Protection component in the Kaspersky Security for iOS app.
To start using KSN, you must accept the terms and conditions of the End User License Agreement.
Refusal to participate in KSN reduces the level of device protection, which may lead to infection of the device and loss of data.
To improve the performance of the mobile app, you can also provide statistical data to Kaspersky Security Network.
Providing the information to Kaspersky Security Network is voluntary.
You can opt out of participating in Kaspersky Security Network at any time.
Updates functionality (including providing anti-malware signature updates and codebase updates), as well as KSN functionality will not be available in the software in the U.S. territory from 12:00 AM Eastern Daylight Time (EDT) on September 10, 2024 in accordance with the restrictive measures.
Information exchange with Kaspersky Security Network
Information exchange in Kaspersky Endpoint Security for Android
To improve real-time protection, Kaspersky Endpoint Security for Android uses the Kaspersky Security Network cloud service for operating the following components:
- Anti-Malware. The app obtains access to the Kaspersky online knowledge base regarding the reputation of files and apps. The scan is performed for threats whose information has not yet been added to anti-malware databases but is already available in KSN. Kaspersky Security Network cloud service provides full operation of Anti-Malware and reduces the likelihood of false alarms.
- Web Protection. The app uses data received from KSN to scan websites before they are opened. The app also determines the website category to control users' internet access, based on lists of allowed and blocked categories (for example, the "Internet communication" category).
- App Control. The app determines the app category to restrict the startup of apps that do not meet corporate security requirements, based on lists of allowed and blocked categories (for example, the "Games" category).
Information on the type of data submitted to Kaspersky when using KSN during operation of Anti-Malware and App Control is available in the End User License Agreement. By accepting the terms and conditions of the License Agreement, you agree to transfer this information.
Information on the type of data submitted to Kaspersky when using KSN during operation of Web Protection is available in the Statement regarding data processing for Web Protection. By accepting the terms and conditions of the Statement, you agree to transfer this information.
For more information about data provision to KSN, refer to Data provision in Kaspersky Endpoint Security for Android.
Providing data to KSN is voluntary. If you want, you can disable data exchange with KSN.
Information exchange in Kaspersky Security for iOS
To improve real-time protection, Kaspersky Security for iOS uses the Kaspersky Security Network cloud service for operating the Web Protection component. The app uses data received from KSN to scan web resources before they are opened.
Information on the type of data submitted to Kaspersky when using KSN during operation of Web Protection is available in the End User License Agreement. By accepting the terms and conditions of the License Agreement, you agree to transfer this information.
For more information about data provision to KSN, refer to Data provision in Kaspersky Security for iOS.
Providing data to KSN is voluntary. If you want, you can disable data exchange with KSN.
Sending statistics to KSN from Android and iOS apps
To exchange data with KSN for the purposes of improving the performance of the app, the following conditions must be fulfilled:
- The device user must read and accept the terms of the Kaspersky Security Network Statement.
- You must configure the group policy settings to allow statistics to be sent to KSN.
You can opt out of sending statistical data to Kaspersky Security Network at any time. Information on the type of statistical data submitted to Kaspersky when using KSN during operation of the mobile app is available in the Kaspersky Security Network Statement.
Enabling and disabling Kaspersky Security Network
By default, the use of Kaspersky Security Network is enabled.
If the use of Kaspersky Security Network is disabled, Web Protection, App Control, and additional protection in Kaspersky Security Network are disabled automatically and their settings become unavailable.
To enable or disable the use of Kaspersky Security Network:
- Open the policy properties window:
  - In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  - In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties page, select Application settings > KSN and statistics.
- To enable or disable the use of Kaspersky Security Network, select or clear the Use Kaspersky Security Network check box.
- If the use of Kaspersky Security Network is enabled and if you agree to submit data to Kaspersky, select the Allow statistics to be sent to Kaspersky Security Network check box. This data will help the mobile app more quickly respond to threats, improve the performance of protection components, and decrease the likelihood of false alarms.
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
Exchanging information with Google Analytics for Firebase, Firebase Performance Monitoring, and Crashlytics
You can define these policy settings only for Android devices.
Kaspersky Endpoint Security for Android exchanges data with the Google Analytics for Firebase, Firebase Performance Monitoring, and Crashlytics services in order to improve the quality, appearance, and performance of Kaspersky software, products, services, and infrastructure by analyzing users' experience, features, status, and device settings used.
Exchanging information with the Google Analytics for Firebase, Firebase Performance Monitoring, and Crashlytics services is disabled by default.
To enable data exchange:
- Open the policy properties window:
  - In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  - In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties page, select Application settings > KSN and statistics.
- In the Sending statistics to third-party services section, select the Allow data transfer to help improve the quality, appearance, and performance of the app check box.
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
Configuring notifications on mobile devices
You can define these policy settings only for Android devices.
If you do not want the mobile device user to be distracted by Kaspersky Endpoint Security for Android notifications, you can disable certain notifications.
Kaspersky Endpoint Security uses the following tools to display the device protection status:
- Protection status notification. This notification is pinned to the notification bar. A protection status notification cannot be removed. The notification displays the device protection status and the number of issues, if any. The device user can tap the device protection status and see the list of issues in the app.
- App notifications. These notifications inform the device user about the application (for example, threat detection).
- Pop-up messages. Pop-up messages require an action from the device user (for example, an action to take when a threat is detected).
All Kaspersky Endpoint Security for Android notifications are enabled by default.
On Android 13, the device user should grant permission to send notifications during the Initial Configuration Wizard or later.
An Android device user can disable all notifications from Kaspersky Endpoint Security for Android in the settings on the notification bar. If notifications are disabled, the user cannot monitor the operation of the app and may miss important information (for example, information about failures during device synchronization with Kaspersky Security Center). In this case, to find out the operating status of the app, the user must open Kaspersky Endpoint Security for Android.
To configure the display of notifications about the operation of Kaspersky Endpoint Security for Android on a mobile device:
- Open the policy properties window:
  - In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  - In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties page, select Application settings > Notifications and reports.
- In the Notifications section, configure the display of notifications:
  - To hide all notifications and pop-up messages, disable the Display notifications when Kaspersky Endpoint Security is in the background toggle button.
    Kaspersky Endpoint Security for Android will display the protection status notification only. The notification displays the device protection status and number of issues. The app also displays notifications when the user is working with the app (for example, the user updates anti-malware databases manually).
    Kaspersky experts recommend that you enable notifications and pop-up messages. If you disable notifications and pop-up messages when the app is in background mode, the app will not warn users about threats in real time. Mobile device users can learn about the device protection status only when they open the app.
  - In List of security issues displayed on users' devices, select the Kaspersky Endpoint Security for Android issues that you want to be displayed on the user's mobile device.
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
Detecting device hacks
Kaspersky Security Center Web Console enables you to detect device hacks (root) on Android devices and jailbreaks on iOS devices. System files are unprotected on a hacked device and can therefore be modified. Moreover, third-party apps from unknown sources could be installed on hacked devices. Upon detection of a hack attempt, we recommend that you immediately restore normal operation of the device.
Kaspersky Endpoint Security for Android uses the following services to detect when a user obtains root privileges:
- Embedded service of Kaspersky Endpoint Security for Android. A Kaspersky service that checks whether a mobile device user has obtained root privileges (Kaspersky Mobile Security SDK).
Kaspersky Security for iOS uses the following service to detect a jailbreak:
- Embedded service of Kaspersky Security for iOS. A Kaspersky service that checks whether a mobile device is jailbroken (Kaspersky Mobile Security SDK).
If the device is hacked, you receive a notification. You can view hacking notifications in Kaspersky Security Center Web Console on the Monitoring & reporting > Dashboard tab. You can also disable notifications about hacks in the event notification settings.
On Android devices, you can impose restrictions on the user's activity if the device is hacked (for example, lock the device). You can impose restrictions by using the Compliance Control component. To do this, create a compliance rule with the Device has been rooted criterion.
Defining licensing settings
You can define these policy settings for Android and iOS devices.
To manage mobile devices in Kaspersky Security Center Web Console or Cloud Console, you must activate the mobile app on the mobile devices. Activating the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app on a mobile device is done by providing valid license information to the app. License information is delivered to the mobile device, together with the policy, when the device is synchronized with Kaspersky Security Center.
If the activation of the mobile app is not completed within 30 days from the time of installation on the mobile device, the app is automatically switched to the limited functionality mode. In this mode, most of the app components are not operational. When switched to the limited functionality mode, the app stops performing automatic synchronization with Kaspersky Security Center. Therefore, if the activation of the app has not been completed within 30 days after the installation, the user must synchronize the device with Kaspersky Security Center manually.
To define licensing settings of a group policy:
- Open the policy properties window:
  - In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  - In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties page, select Application settings > Licenses.
- Use the drop-down list to select the required license key from the key storage of the Administration Server.
The details of the license key are displayed in the fields below.
You can replace the existing activation key on the mobile device if it is different from the one selected in the drop-down list above. To do so, select the If the key on device is different, replace with this key check box.
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
Configuring events
You can define these policy settings for Android and iOS devices.
You can define the storage and notification settings of events that occur on your users' devices and that are sent to Kaspersky Security Center.
You can configure events only when modifying a policy.
Events are distributed by importance level on the following tabs:
- Critical
A critical event indicates a problem that may lead to data loss, an operational malfunction, or a critical error.
- Functional failure
A functional failure indicates a serious problem, error, or malfunction that occurred during the operation of the app.
- Warning
A warning is not necessarily serious, but nevertheless indicates a potential future problem.
- Info
An informational event notifies about the successful completion of an operation or a procedure, or of the proper functioning of the app.
In each section, the list shows the types of events and the default event storage term in Kaspersky Security Center (in days).
From the list of events, you can do the following:
- Add or remove an event type from the list of event types that are sent to Kaspersky Security Center.
- Define the storage and notification settings for each event type, for example: how long events of this type must be stored in the Administration Server database or whether you will be notified about events of this type by email.
For more details on configuring events in Kaspersky Security Center Web Console and Cloud Console:
- If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
- If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.
Configuring events about the installation, update, and removal of apps on users' devices
You can define these policy settings for Android and iOS devices.
If you use Kaspersky Security Center Cloud Console, the list of types of events that occur on your users' devices, and that are sent to Kaspersky Security Center, does not include the installation, update, and removal of apps on the devices. This is because such events occur often and these events may replace other important events in the Kaspersky Security Center database when the events count limit is reached. They may also affect the performance of Administration Server or the DBMS, and the bandwidth of the internet connection with Kaspersky Security Center Cloud Console.
If you nevertheless want to store events of this type and be notified about them, proceed as described in this section.
To configure events about the installation, update, and removal of apps on users' devices:
- In the settings of a policy, on the Event configuration tab, add the An app has been installed or removed (list of installed apps) informational event type to the list of events that are stored in the Administration Server database.
For more details on configuring events, please refer to Kaspersky Security Center Cloud Console Help.
- Enable the Send a list of installed apps on all mobile devices option.
Events about the installation, update, and removal of apps on users' devices are stored in the Kaspersky Security Center database. You are notified about these events.
Network load
This section contains information on the volume of network traffic that is exchanged between mobile devices and Kaspersky Security Center.
Traffic volume
Task | Outgoing traffic | Incoming traffic | Total traffic |
---|---|---|---|
Initial deployment of the app, MB | 0.08 | 17.76 | 17.84 |
Initial update of anti-malware databases (the traffic volume may differ due to the size of anti-malware databases), MB | 0.04 | 2.21 | 2.25 |
Synchronization of the mobile device with Kaspersky Security Center, MB | 0.03 | 0.02 | 0.05 |
Regular update of anti-malware databases (the traffic volume may differ due to the size of anti-malware databases), MB | 0.08 | 3.06 | 3.14 |
Execution of Anti-Theft commands. Locate device (the traffic volume may differ due to the specifications of the embedded camera and the quality of images), MB | 0.09 | 0.8 | 0.17 |
Execution of Anti-Theft commands. Mugshot, MB | 1.0 | 0.02 | 1.02 |
Execution of Anti-Theft commands. Device lock, MB | 0.06 | 0.05 | 0.11 |
Average daily volume, MB | 0.22 | 6.96 | 7.18 |