Kaspersky Secure Mobility Management

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Management of mobile devices

This section contains information about how to remotely manage mobile devices in the Administration Console of Kaspersky Security Center.

In this section

Managing KES devices

Managing iOS MDM devices

Managing KES devices

In Kaspersky Security Center, you can manage KES mobile devices in the following ways:

In this section

Device owner mode

Enabling certificate-based authentication of KES devices

Creating a mobile applications package for KES devices

Viewing information about a KES device

Disconnecting a KES device from management

See also:

Scenario: Mobile Device Management deployment

Device owner mode

This section contains information about how to manage the settings of Android mobile devices in device owner mode. For information about device owner mode deployment, see here.

Device owner mode offers the following features and control options for Android mobile devices:

In this section

Restricting Android features on devices

Configuring kiosk mode for Android devices

Connecting to an NDES/SCEP server

Restricting Android features on devices

You can restrict Android operating system features in device owner mode. For example, you can restrict factory reset, changing credentials, use of Google Play and Google Chrome, file transfer over USB, and changing location settings, and you can manage system updates.

You can restrict Android features in the Feature restrictions section.

To open the Feature restrictions section:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Device owner mode > Feature restrictions section.

Restrict device features

On the Device Features tab of the Feature restrictions section, you can enable or disable the following features:

  • Prohibit factory reset

    Selecting or clearing this check box specifies whether the device user is allowed to perform a factory reset from device settings.

    This check box is cleared by default.

  • Prohibit screen sharing, recording, and screenshots

    Selecting or clearing this check box specifies whether the device user is allowed to take screenshots, record and share the device screen. It also specifies whether the contents of the device screen are allowed to be captured for artificial intelligence purposes.

    This check box is cleared by default.

  • Prohibit changing language (Android 9 or later)

    Selecting or clearing the check box specifies whether the device user is allowed to change the device language.

    This restriction is supported on devices with Android 9 or later.

    This check box is cleared by default.

    On some devices (for example, Xiaomi, TECNO, and Realme) running Android 9 or later, when you select the Prohibit changing language check box in device owner mode, the user can still change the language, and no warning message appears.

  • Prohibit changing date, time, and time zone (Android 9 or later)

    Selecting or clearing the check box specifies whether the device user is allowed to change date, time, and time zone in Settings.

    This restriction is supported on devices with Android 9 or later.

    This check box is cleared by default.

  • Prohibit adding and removing Google accounts

    Selecting or clearing the check box specifies whether the device user is allowed to add and remove Google accounts.

    This check box is cleared by default.

  • Prohibit adjusting volume and mute device

    Restricts volume adjustment and muting the device.

    If the check box is selected, the device user can't adjust the volume and the device is muted.

    If the check box is cleared, the device user can adjust the volume and the device is unmuted.

    Anti-Theft can play a sound on the device regardless of this restriction. The restriction is disabled so that the sound can be played, and then re-enabled.

    This check box is cleared by default.

  • Prohibit outgoing phone calls

    Selecting or clearing this check box specifies whether the device user is allowed to make outgoing phone calls on this device.

    This check box is cleared by default.

  • Prohibit sending and receiving SMS messages

    Selecting or clearing this check box specifies whether the device user is allowed to send and receive SMS messages on this device.

    This check box is cleared by default.

  • Prohibit changing credentials

    Selecting or clearing this check box specifies whether the device user is allowed to change user credentials in the operating system.

    This check box is cleared by default.

  • Prohibit keyguard camera

    Selecting or clearing the check box specifies whether the device user is prohibited from using the camera when the device is locked.

    This check box is cleared by default.

  • Prohibit keyguard notifications

    Selecting or clearing the check box specifies whether notifications are prohibited when the device screen is locked.

    This check box is available only if the Prohibit keyguard features check box is selected. Otherwise, the Prohibit keyguard notifications check box is cleared and disabled.

    This check box is cleared by default.

  • Prohibit keyguard trust agents

    Selecting or clearing this check box specifies whether trusted apps are prohibited when the device screen is locked. Trusted apps are apps that allow the device user to unlock the device without a password, PIN, or fingerprint.

    This check box is available only if the Prohibit keyguard features check box is selected. Otherwise, the Prohibit keyguard trust agents check box is cleared and disabled.

    This check box is cleared by default.

  • Disable keyguard swipe

    Selecting or clearing the check box specifies whether a user's device can be unlocked with a swipe.

    This setting has no effect if a password, PIN, or pattern is currently set as an unlocking method on the device.

    This check box is cleared by default.

  • Prohibit adjusting brightness (Android 9 or later)

    Selecting or clearing the check box specifies whether the device user is allowed to adjust brightness on the mobile device.

    This restriction is supported on devices with Android 9 or later.

    This check box is cleared by default.

  • Prohibit ambient display (Android 9 or later)

    If this option is enabled, the user cannot use the Ambient Display feature on the device.

    By default, the option is disabled.

  • Force screen on when plugged in to AC charger (Android 6 or later)

    Selecting or clearing the check box specifies if the device screen will be on while the device is charging with an AC charger.

    The restriction is supported on devices with Android 6 or later.

    This check box is cleared by default.

  • Force screen on when plugged in to USB charger (Android 6 or later)

    Selecting or clearing the check box specifies whether the device screen will be on while the device is charging via a USB charger.

    The restriction is supported on devices with Android 6.0 or later.

    This check box is cleared by default.

  • Force screen on when plugged in to wireless charger (Android 6 or later)

    Selecting or clearing this check box specifies whether the device screen will be on while the device is charging via a wireless charger.

    The restriction is supported on devices with Android 6 or later.

    This check box is cleared by default.

  • Prohibit changing wallpaper (Android 7.0 or later)

    Selecting or clearing the check box specifies whether the device user is allowed to change the wallpaper on the mobile device.

    This restriction is supported on devices with Android 7.0 or later.

    This check box is cleared by default.

  • Prohibit status bar (Android 6 or later)

    Preventing the status bar from being displayed.

    If the check box is selected, the status bar is not displayed on the device. Notifications and quick settings accessible via the status bar are also blocked.

    If the check box is cleared, the status bar can be displayed on the device.

    The restriction is supported on devices with Android 6 or later.

    This check box is cleared by default.

  • Prohibit adding users

    Selecting or clearing the check box specifies whether the device user is allowed to add new users.

    This check box is selected by default. If device owner mode was enrolled via a QR code, the restriction is enabled and can't be disabled.

    The restriction can be disabled only on devices that meet the following requirements:

    • The device owner mode was enrolled via the adb.exe installation package.
    • The device must support multiple users.
  • Prohibit switching user (Android 9 or later)

    If this option is enabled, the user cannot switch the current user of the device.

    By default, the option is disabled.

  • Prohibit removing users

    Selecting or clearing the check box specifies whether the device user is allowed to remove users.

    This check box is selected by default. If device owner mode was enrolled via a QR code, the restriction can't be disabled.

    The restriction can be disabled only on devices that meet the following requirements:

    • The device owner mode was enrolled via the adb.exe installation package.
    • The device must support multiple users.
  • Prohibit safe boot (Android 6 or later)

    Selecting or clearing this check box specifies whether the device user is allowed to boot the device in safe mode.

    The restriction is supported on devices with Android 6 or later.

    This check box is cleared by default.

  • Prohibit unmuting microphone

    If this option is enabled, the device microphone is muted.

    If this option is disabled, the user can unmute the microphone and adjust its volume.

    By default, the option is disabled.

  • Prohibit disabling microphone (Android 12 or later)

    If this option is enabled, the user cannot disable access to the microphone via the system toggle on the device. If access to the microphone on the device is disabled when this option is enabled, it is automatically re-enabled.

    By default, the option is disabled.

    On some Xiaomi and HUAWEI devices running Android 12, this restriction does not work. This issue is caused by the specific features of MIUI firmware on Xiaomi devices and EMUI firmware on HUAWEI devices.

If this option is enabled, the device does not display content suggestions depending on the currently displayed contents. Examples of content suggestions are: suggested contacts, emoticons, next words.

By default, the option is disabled.

Restrict app features

On the Apps tab of the Feature restrictions section, you can enable or disable the following features:

  • Prohibit use of camera

    Selecting or clearing the check box specifies whether the device user is allowed to use all cameras on the device.

    If the check box is selected, our solution usually blocks the camera. However, for Asus and OnePlus devices, the camera app icon is completely hidden when the check box is selected.

    This check box is cleared by default.

  • Prohibit camera toggle (Android 12 or later)

    Preventing the device user from toggling the camera.

    If the check box is selected, the device user cannot block the camera access via the system toggle.

    If the check box is cleared, the device user is allowed to use the camera toggle.

    The restriction is supported on devices with Android 12 or later.

    This check box is cleared by default.

    On some Xiaomi and HUAWEI devices running Android 12, this restriction does not work. This issue is caused by the specific features of MIUI firmware on Xiaomi devices and EMUI firmware on HUAWEI devices.

  • Prohibit use of Google Play

    Selecting or clearing the check box specifies whether the device user is allowed to use Google Play.

    This check box is cleared by default.

  • Prohibit use of Google Chrome

    Preventing use of Google Chrome.

    If the check box is selected, the device user cannot start Google Chrome or configure it in system settings.

    If the check box is cleared, the device user is allowed to use Google Chrome on the device.

    The check box is cleared by default.

  • Prohibit use of Google Assistant

    Selecting or clearing the check box specifies whether the device user is allowed to use Google Assistant on the device.

    This check box is cleared by default.

  • Prohibit installation of apps from unknown sources

    Selecting or clearing the check box specifies whether the device user is allowed to install apps from unknown sources.

    This check box is cleared by default.

  • Prohibit modification of apps in Settings

    Preventing modifying apps in Settings.

    If the check box is selected, the device user is not allowed to perform the following actions:

    • Uninstalling apps
    • Disabling apps
    • Clearing app caches
    • Clearing app data
    • Force stopping apps
    • Clearing app defaults

    If the check box is cleared, the device user is allowed to modify apps in Settings.

    This check box is cleared by default.

  • Prohibit installation of apps

    Selecting or clearing the check box specifies whether the device user is allowed to install apps on the device.

    This check box is cleared by default.

  • Prohibit uninstallation of apps

    Selecting or clearing the check box specifies whether a device user is allowed to uninstall apps from this device.

    This check box is cleared by default.

  • Prohibit disabling app verification

    Selecting or clearing the check box specifies whether the device user is allowed to disable app verification.

    This check box is cleared by default.

  • Granting runtime permissions for apps

    The Granting runtime permissions for apps setting allows you to select an action to be performed when apps installed on devices in device owner mode are running and request additional permissions. This does not apply to permissions granted in device Settings (e.g. Access All Files).

    • Prompt the user for permissions

      When a permission is requested, the user decides whether to grant the specified permission to the app.

      This option is selected by default.

    • Grant permissions automatically

      All apps installed on devices in device owner mode are granted permissions without user interaction.

    • Deny permissions automatically

      All apps installed on devices in device owner mode are denied permissions without user interaction.

      Users can adjust app permissions in device settings before these permissions are denied automatically.

    On Android 12 or later, the following permissions can't be granted automatically but can be denied automatically. If you select Grant permissions automatically, the app will prompt the user for these permissions:

    • Location permissions
    • Permissions for camera
    • Permissions to record audio
    • Permission for activity recognition
    • Permissions to access body sensors data

Restrict storage features

On the Storage tab of the Feature restrictions section, you can enable or disable the following features:

  • Prohibit debugging features

    Preventing use of debugging features.

    If the check box is selected, the device user cannot use USB debugging features and developer mode.

    If the check box is cleared, the device user is allowed to enable and access debugging features and developer mode.

    This check box is cleared by default.

  • Prohibit mounting physical external media

    Selecting or clearing the check box specifies whether the device user is allowed to mount physical external media, such as SD cards and OTG adapters.

    This check box is cleared by default.

  • Prohibit file transfer over USB

    Selecting or clearing this check box specifies whether the device user is allowed to transfer files over USB.

    This check box is cleared by default.

  • Prohibit backup service (Android 8.0 or later)

    Selecting or clearing the check box specifies whether the device user is allowed to enable or disable the backup service.

    The restriction is supported on devices with Android 8.0 or later.

    This check box is cleared by default.

Restrict network features

On the Network tab of the Feature restrictions section, you can enable or disable the following features:

  • Prohibit use of Wi-Fi

    Selecting or clearing the check box specifies whether the device user is allowed to use Wi-Fi and configure it in Settings.

    This check box is cleared by default.

  • Prohibit enabling/disabling Wi-Fi (Android 13 or later)

    If this option is enabled, the user cannot enable or disable Wi-Fi on the device. Also, Wi-Fi cannot be disabled via airplane mode.

    By default, the option is disabled.

  • Prohibit changing Wi-Fi settings

    Selecting or clearing the check box specifies whether the device user is allowed to configure Wi-Fi access points via Settings. The restriction does not affect Wi-Fi tethering settings.

    This check box is cleared by default.

  • Prohibit Wi-Fi Direct (Android 13 or later)

    If this option is enabled, the user cannot use the Wi-Fi Direct feature on the device.

    By default, the option is disabled.

  • Prohibit sharing pre-configured Wi-Fi networks (Android 13 or later)

    If this option is enabled, the user cannot share Wi-Fi networks that are configured in the policy settings. Other Wi-Fi networks on the device are not affected.

    By default, the option is disabled.

  • Prohibit adding Wi-Fi networks (Android 13 or later)

    If this option is enabled, the user cannot manually add new Wi-Fi networks on the device.

    By default, the option is disabled.

  • Prohibit changing pre-configured Wi-Fi networks

    Selecting or clearing the check box specifies whether the device user is allowed to change Wi-Fi configurations added by the administrator in the Wi-Fi section.

    This check box is cleared by default.

  • Prohibit airplane mode (Android 9 or later)

    Selecting or clearing the check box specifies whether the device user is allowed to enable airplane mode on the device.

    This restriction is supported on devices with Android 9 or later.

    This check box is cleared by default.

  • Prohibit use of Bluetooth (Android 8.0 or later)

    Preventing use of Bluetooth.

    If the check box is selected, the device user cannot turn on and configure Bluetooth via Settings.

    If the check box is cleared, the device user is allowed to use Bluetooth.

    The restriction is supported on devices with Android 8.0 and later. For earlier versions of Android, select the Prohibit use of Bluetooth check box in the Device Management section.

    This check box is cleared by default.

  • Prohibit changing Bluetooth settings

    Selecting or clearing the check box specifies whether the device user is allowed to configure Bluetooth via Settings.

    This check box is cleared by default.

  • Prohibit outgoing data sharing over Bluetooth (Android 8.0 or later)

    Selecting or clearing the check box specifies whether outgoing Bluetooth data sharing is allowed on the device.

    The restriction is supported on devices with Android 8.0 or later.

    This check box is cleared by default.

  • Prohibit changing VPN settings

    Preventing changing VPN settings.

    If the check box is selected, the device user cannot configure a VPN in Settings and VPNs are prohibited from starting.

    If the check box is cleared, the device user is allowed to modify a VPN in Settings.

    This check box is cleared by default.

  • Prohibit resetting network settings (Android 6 or later)

    Selecting or clearing the check box specifies whether the device user is allowed to reset network settings in Settings.

    This restriction is supported on devices with Android 6 or later.

    This check box is cleared by default.

  • Prohibit changing mobile network settings

    Selecting or clearing the check box specifies whether the device user is allowed to change mobile network settings.

    This check box is cleared by default.

  • Prohibit use of cellular data while roaming (Android 7.0 or later)

    Selecting or clearing the check box specifies whether the device user is allowed to use cellular data while roaming.

    If the check box is selected, the device can't update anti-malware databases or synchronize with the Administration Server while roaming.

    To allow anti-malware database update while roaming, this check box should be cleared and the Allow database update while roaming check box in the Database update section should be selected.

    To allow device synchronization with the Administration Server while roaming, this check box should be cleared and the Do not synchronize while roaming check box in the Synchronization section should also be cleared.

    This restriction is supported on devices with Android 7.0 or later.

    This check box is cleared by default.

  • Prohibit use of Android Beam via NFC

    Selecting or clearing the check box specifies whether beaming out data from apps via NFC is allowed on the device. However, the device user can enable or disable NFC.

    This check box is cleared by default.

  • Prohibit use of tethering

    Selecting or clearing the check box specifies whether the device user is allowed to configure tethering and hotspots.

    This check box is cleared by default.

Restrict location services

On the Location Services tab of the Feature restrictions section, you can configure the following settings:

  • Prohibit use of location

    Preventing turning location on and off.

    If the check box is selected, the device user cannot turn location on or off. Search in Anti-Theft mode becomes unavailable.

    If the check box is cleared, the device user can turn location on or off.

    This check box is cleared by default.

    Various combinations of the Prohibit use of location and the Prohibit changing location settings (Android 9 or later) restriction values produce different results for location feature and configuration.

    | Prohibit use of location | Prohibit changing location settings (Android 9 and later) | Feature restriction result |
    |---|---|---|
    | Enabled | Enabled | Location is disabled and cannot be enabled by the device user. |
    | Enabled | Disabled | Location is disabled and can be enabled by the device user. Disabling the Prohibit changing location settings (Android 9) restriction makes it possible for the user to disable location on the device, which may make some features unavailable. |
    | Disabled | Enabled | Location is enabled and cannot be disabled by the device user. |
    | Disabled | Disabled | Location is enabled and can be disabled by the device user. Disabling the Prohibit changing location settings (Android 9) restriction makes it possible for the user to disable location on the device, which may make some features unavailable. |

  • Prohibit sharing location

    If this option is enabled, the user cannot share the device location via apps that provide such a feature (for example, Google Maps).

    By default, the option is disabled.

  • Prohibit changing location settings (Android 9 or later)

    Preventing changing location settings.

    If the check box is selected, the device user cannot change location settings or disable location.

    If the check box is cleared, the device user can change location settings.

    The restriction is supported on devices with Android 9 or later.

    This check box is cleared by default.

Restrict system updates

Managing update settings on mobile devices is vendor-specific. On some Android devices, the restriction on manual installation of operating system updates may work incorrectly.

On the Updates tab of the Feature restrictions section, you can configure the following settings:

  • Set system update policy

    Type of system update policy.

    If the check box is selected, one of the following system update policies is set:

    • Install updates automatically. Installs system updates immediately without user interaction. This option is selected by default.
    • Install updates during daily window. Installs system updates during a daily maintenance window without user interaction.

      The administrator also needs to set the start and end of the daily maintenance window in the Start time and End time fields respectively.

    • Postpone updates for 30 days. Postpones the installation of system updates for 30 days.

      After the specified period, the operating system prompts the device user to install the updates. The period is reset and starts again if a new system update is available.

    If the check box is cleared, a system update policy is not set.

    This check box is selected by default.

  • System update freeze periods (Android 9 and later)

    The System update freeze periods (Android 9 or later) block lets you set one or more freeze periods of up to 90 days during which system updates will not be installed on the device. When the device is in a freeze period, it behaves as follows:

    • The device does not receive any notifications about pending system updates.
    • System updates are not installed.
    • The device user cannot check for system updates manually.

    To add a freeze period, click Add period and enter the start and end of the freeze period in the Start time and End time fields respectively.

    Note: Each freeze period can be at most 90 days long, and the interval between adjacent freeze periods must be at least 60 days.

    The restriction is supported on devices with Android 9 or later.
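
The two limits stated above (at most 90 days per freeze period, at least 60 days between adjacent periods) can be checked before the values are entered in the policy. The following Python sketch is an added example, not part of the Kaspersky help or product; it assumes that periods are month/day pairs repeating every year, so the gap across the year boundary is checked as well, and its function names and sample periods are constructed for illustration.

```python
from datetime import date

MAX_FREEZE_DAYS = 90  # from the page: a freeze period is at most 90 days long
MIN_GAP_DAYS = 60     # from the page: adjacent periods are at least 60 days apart
YEAR_DAYS = 365       # assumption: periods are evaluated on a non-leap year


def day_of_year(month, day):
    """Day number (1-365) in a non-leap reference year; Feb 29 raises ValueError."""
    return date(2023, month, day).timetuple().tm_yday


def label(period):
    """Render ((month, day), (month, day)) as 'MM-DD..MM-DD' for messages."""
    (sm, sd), (em, ed) = period
    return f"{sm:02d}-{sd:02d}..{em:02d}-{ed:02d}"


def validate_freeze_periods(periods):
    """Return a list of problems; an empty list means the set is acceptable.

    Each period is ((start_month, start_day), (end_month, end_day)), both ends
    inclusive. A period whose end precedes its start wraps over New Year.
    """
    problems, spans = [], []
    for period in periods:
        try:
            start = day_of_year(*period[0])
            end = day_of_year(*period[1])
        except ValueError as exc:
            problems.append(f"{label(period)}: invalid date ({exc})")
            continue
        # Modulo arithmetic gives the right length for Dec -> Jan periods.
        length = (end - start) % YEAR_DAYS + 1
        if length > MAX_FREEZE_DAYS:
            problems.append(
                f"{label(period)}: {length} days long, limit is {MAX_FREEZE_DAYS}"
            )
        # Store the end as an absolute day; it may exceed 365 when wrapping.
        spans.append((start, start + length - 1, period))

    spans.sort(key=lambda span: span[0])
    for i, (_, end, period) in enumerate(spans):
        nxt = spans[(i + 1) % len(spans)]
        # The last period is compared with the first one of the following year.
        next_start = nxt[0] + (YEAR_DAYS if i == len(spans) - 1 else 0)
        gap = next_start - end - 1  # whole days strictly between the periods
        pair = f"{label(period)} -> {label(nxt[2])}"
        if gap < 0:
            problems.append(f"{pair}: periods overlap")
        elif gap < MIN_GAP_DAYS:
            problems.append(
                f"{pair}: only {gap} days apart, minimum is {MIN_GAP_DAYS}"
            )
    return problems


# Constructed sample input: a holiday freeze over New Year plus a summer freeze.
VALID_PERIODS = [((12, 15), (1, 15)), ((6, 1), (7, 15))]

# Constructed sample input: each period is short enough, but only 31 days
# separate Dec 31 from Feb 1 once the schedule repeats in the next year.
TOO_CLOSE_PERIODS = [((11, 1), (12, 31)), ((2, 1), (3, 15))]

if __name__ == "__main__":
    for name, sample in (("valid", VALID_PERIODS), ("too close", TOO_CLOSE_PERIODS)):
        print(name, validate_freeze_periods(sample) or "OK")
```
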

See also:

Configuring restrictions for Android devices

Configuring kiosk mode for Android devices

Kiosk mode is a Kaspersky Endpoint Security for Android feature that lets you limit the set of apps available to a device user, whether a single app or multiple apps. You can also efficiently manage some device settings.

The kiosk mode settings apply to devices managed via Kaspersky Endpoint Security for Android in device owner mode.

Kiosk mode does not affect the work of the Kaspersky Endpoint Security for Android app. It runs in the background, shows notifications, and can be updated.

Kiosk mode types

The following kiosk mode types are available in Kaspersky Endpoint Security:

  • Single-app mode

    Kiosk mode with only a single app. In this mode, a device user can open only one app that is allowed on the device and specified in the kiosk mode settings. If the app that you want to add to kiosk mode is not installed on the device, kiosk mode activates after the app is installed.

    On devices with Android 9 or later, the app launches directly in kiosk mode.

    On devices with Android 8.0 or earlier, the specified app must support kiosk mode functionality and call the startLockTask() method itself to launch the app.

  • Multi-app mode

    Kiosk mode with multiple apps. In this mode, a device user can open only the set of apps that are allowed on the device and specified in the kiosk mode settings.

Presettings

Pre-configuration for kiosk mode includes the following:

  • Before specifying apps that are allowed to be run on the device in kiosk mode, you first need to add these apps in App Control > List of categories and apps and mark them as required. Then, they will appear in the App package list of the kiosk mode.
  • Before activating kiosk mode, we recommend that you prohibit launching of Google Assistant by enabling the corresponding restriction in Policy > Device owner mode > Feature restrictions > Apps > Prohibit use of Google Assistant. Otherwise, Google Assistant launches in kiosk mode and allows non-trusted apps to be opened.

Open the kiosk mode settings

To open the kiosk mode settings:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Device owner mode > Kiosk mode section.

Configure single-app mode

To configure single-app mode:

  1. In the Kiosk mode drop-down list, select Single-app mode.
  2. In the App package drop-down list, select an app package with the app that is allowed to be run on the device.
  3. Specify any required restrictions. For available restrictions, see the "Kiosk mode restrictions" section below.
  4. Select the Allow navigation to additional apps check box if you want to add other apps that a device user can navigate to. For more details, see the Add additional apps section below.
  5. Click the Apply button to save the changes you have made.

Configure multi-app mode

To configure multi-app mode:

  1. In the Kiosk mode drop-down list, select Multi-app mode.
  2. Click Add, select apps that are allowed to be run on the device, and then click OK.
  3. Specify any required restrictions. For available restrictions, see the "Kiosk mode restrictions" section below.
  4. Select the Allow navigation to additional apps check box if you want to add other apps that a device user can navigate to. For more details, see the Add additional apps section below.
  5. Click the Apply button to save the changes you have made.

Kiosk mode restrictions

You can set the following restrictions in kiosk mode:

  • Prohibit status bar (Android 9 or later)

    Selecting or clearing this check box specifies whether the status bar is blank, without notifications and indicators such as connectivity, battery, and sound and vibrate options. This restriction is supported on devices with Android 9 or later.

    The check box is selected by default.

  • Prohibit Overview button (Android 9 or later)

    Selecting or clearing this check box specifies whether the Overview button is hidden. This restriction is supported on devices with Android 9 or later.

    The check box is selected by default.

  • Prohibit Home button (Android 9 or later)

    Selecting or clearing this check box specifies whether the Home button is hidden. This restriction is supported on devices with Android 9 or later.

    The check box is selected by default.

  • Prohibit displaying system notifications (Android 9 or later)

    Selecting or clearing this check box specifies whether system notifications are hidden. This restriction is supported on devices with Android 9 or later.

    The check box is selected by default.

Add additional apps

Besides locking the device to a single app or set of apps, you can also specify additional apps that the main app can use. These additional apps provide full functionality of the apps added to kiosk mode. A device user cannot launch additional apps manually.

To add additional apps in the Kiosk mode section:

  1. Select the Allow navigation to additional apps check box.
  2. Click Add, specify the desired app package name, and then click OK.

    To get the package name of an app:

    1. Open Google Play.
    2. Find the required app and open its page.

    The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

    To get the package name of an app that has been added to Kaspersky Security Center:

    1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
    2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

    In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

    If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add the app package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

  3. Click the Apply button to save the changes you have made.

See also:

Configuring kiosk mode for iOS MDM devices

Connecting to an NDES/SCEP server

You can configure a connection to an NDES/SCEP server to obtain a certificate from a certificate authority (CA) using Simple Certificate Enrollment Protocol (SCEP). To do this, you need to set up a connection to the CA using SCEP and specify a certificate profile.

To add a connection to a certificate authority and specify a certificate profile:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Device owner mode > NDES and SCEP section.
  5. In the Connection to certificate authority (CA) section, click Add.

    The Connection to certificate authority dialog appears.

  6. Specify the following settings, and then click OK:
    • Connection name

      A unique connection name.

    • Protocol type

      A protocol version. Possible values:

      • SCEP
      • NDES (default)
    • SCEP server URL

      The URL of the SCEP server.

      For NDES, the URL has the http://<ServerName>/certsrv/mscep/mscep.dll format.

    • Challenge phrase type

      A type of challenge phrase required for authentication. Possible values:

      • None - Does not require authentication data.
      • Static - Requires entering an authentication phrase in the Static challenge phrase field. This is the default value.
    • Static challenge phrase

      The authentication phrase that the device uses to authenticate to the SCEP server at the specified URL when requesting the certificate.

  7. In the Certificate profiles section, click Add.

    The Certificate profile dialog appears.

  8. Specify the following certificate profile settings and click OK:
    • Profile name

      A unique certificate profile name.

    • Certificate authority (CA)

      A certificate authority that you created in the Connection to certificate authority (CA) section.

    • Subject name

      A unique identifier that is the subject of the certificate. It includes information about what is being certified, including common name, organization, organizational unit, country code, and so on. You can either enter the value or select it from the Available macros drop-down list.

    • Private key length

      A length of the certificate private key. Possible values:

      • 1024
      • 2048 (default)
      • 4096
    • Private key type

      A type of the certificate private key. Possible values:

      • Signature (default)
      • Encryption
      • Signature and encryption
    • Renew certificate automatically

      If the check box is selected, the certificate will be automatically reissued to the device before this certificate expires. The Renew certificate before it expires (in days) field also becomes available. In this field, you need to specify the number of days before the expiration date when the certificate will be reissued.

      If the check box is cleared, the certificate will not be renewed automatically.

      The check box is cleared by default.

    • Renew certificate before it expires (in days)

      The number of days remaining until the certificate's expiration date during which a renewed certificate will be issued to the device. For example, you can specify 90 days in this field. A renewed certificate will be issued 90 days before the current certificate expires.

      This option is available and is required to be specified if the Renew certificate automatically check box is selected.

      The default value is not set.

    • Subject Alternative Names (SAN)

      An alternative name that represents the certificate subject name. You can specify multiple subject alternative names. To do this, click Add, and then specify the SAN type and SAN value options.

  9. Click Apply to save the changes you have made.
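
The settings above carry several consistency rules: names must be unique, a profile must reference an existing CA connection, and a renewal period is required when automatic renewal is selected. The following PowerShell script is an added example, not Kaspersky code; it checks a hand-transcribed copy of the settings against those rules. The hashtable layout, the function name Test-ScepPolicy and all sample values are assumptions made for this illustration.

```powershell
# Added example (not Kaspersky code). The hashtable layout is a hypothetical,
# hand-transcribed copy of the NDES and SCEP policy section; all values are constructed.
$Connections = @(
    @{ Name = 'corp-ndes'; Protocol = 'NDES'; ChallengeType = 'Static'; Challenge = 'constructed-phrase'
       Url  = 'http://ndes01.example.test/certsrv/mscep/mscep.dll' },
    @{ Name = 'lab-scep';  Protocol = 'SCEP'; ChallengeType = 'None';   Challenge = ''
       Url  = 'http://scep.example.test/scep' }
)
$Profiles = @(
    @{ Name = 'wifi'; CA = 'corp-ndes'; KeyLength = 2048; AutoRenew = $true;  RenewDays = 90 },
    @{ Name = 'vpn';  CA = 'lab-scep';  KeyLength = 1024; AutoRenew = $true;  RenewDays = $null },
    @{ Name = 'mail'; CA = 'old-ca';    KeyLength = 4096; AutoRenew = $false; RenewDays = $null }
)

function Test-ScepPolicy {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Connections,
        [Parameter(Mandatory)] [hashtable[]] $Profiles
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Connection names and profile names must each be unique.
    $dupConn = $Connections | ForEach-Object { $_.Name } | Group-Object | Where-Object { $_.Count -gt 1 }
    foreach ($d in $dupConn) { $findings.Add("Connection name '$($d.Name)' is not unique") }
    $dupProf = $Profiles | ForEach-Object { $_.Name } | Group-Object | Where-Object { $_.Count -gt 1 }
    foreach ($d in $dupProf) { $findings.Add("Profile name '$($d.Name)' is not unique") }

    foreach ($c in $Connections) {
        # For NDES the page gives a fixed URL format.
        if ($c.Protocol -eq 'NDES' -and $c.Url -notmatch '^https?://[^/]+/certsrv/mscep/mscep\.dll$') {
            $findings.Add("[$($c.Name)] URL does not have the NDES format .../certsrv/mscep/mscep.dll")
        }
        switch ($c.ChallengeType) {
            'None'   { $findings.Add("[$($c.Name)] challenge type None, enrollment requires no authentication data") }
            'Static' {
                if ([string]::IsNullOrWhiteSpace($c.Challenge)) {
                    $findings.Add("[$($c.Name)] challenge type Static but the phrase is empty")
                }
            }
            default  { $findings.Add("[$($c.Name)] unknown challenge type '$($c.ChallengeType)'") }
        }
    }

    $caNames = @($Connections | ForEach-Object { $_.Name })
    foreach ($p in $Profiles) {
        # A profile must point at a connection that exists; removing a connection
        # also removes the profiles that use it.
        if ($caNames -notcontains $p.CA) {
            $findings.Add("[$($p.Name)] references CA connection '$($p.CA)' that is not defined")
        }
        if (@(1024, 2048, 4096) -notcontains $p.KeyLength) {
            $findings.Add("[$($p.Name)] key length $($p.KeyLength) is not one of 1024, 2048, 4096")
        }
        elseif ($p.KeyLength -eq 1024) {
            $findings.Add("[$($p.Name)] 1024-bit private key is below the 2048-bit default")
        }
        # The renewal period is required when automatic renewal is selected.
        if ($p.AutoRenew -and -not ($p.RenewDays -gt 0)) {
            $findings.Add("[$($p.Name)] automatic renewal is on but no renewal period (in days) is set")
        }
    }
    $findings
}

# Review the constructed sample; each returned string is one item to fix in the policy.
Test-ScepPolicy -Connections $Connections -Profiles $Profiles
```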

Manage connections and certificate profiles

You can later edit or remove the added connections and certificate profiles.

To edit a connection or certificate profile:

  1. Select the needed connection or certificate profile in the corresponding section.
  2. Click Edit, make the required changes, and click OK.
  3. Click Apply to save the changes you have made.

After you edit the certificate profile in policy settings, the corresponding certificate on the device is deleted automatically during the next synchronization with Administration server and a new certificate is installed.

To remove a connection or certificate profile:

  1. Select the needed connection or certificate profile in the corresponding section.
  2. Click Delete, and then click OK.

    If you remove a certificate authority connection, all certificate profiles that use this connection are also removed.

  3. Click Apply to save the changes you have made.

After you delete the certificate profile in policy settings, the corresponding certificate on the device will be deleted automatically during the next synchronization with Administration server.

Enabling certificate-based authentication of KES devices

To enable certificate-based authentication of a KES device:

  1. Open the system registry of the client device that has Administration Server installed (for example, locally, using the regedit command in the Start > Run menu).
  2. Go to the following hive:
    • For 32-bit systems:

      HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\.core\.independent\KLLIM

    • For 64-bit systems:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\.core\.independent\KLLIM

  3. Create a key with the LP_MobileMustUseTwoWayAuthOnPort13292 name.
  4. Specify REG_DWORD as the key type.
  5. Set the key value to 1.
  6. Restart the Administration Server service.

Mandatory certificate-based authentication of the KES device using a shared certificate will be enabled after you run the Administration Server service.

The first connection of the KES device to the Administration Server does not require a certificate.

By default, certificate-based authentication of KES devices is disabled.
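
Steps 2 to 5 can be checked or applied from an elevated PowerShell session on the device where Administration Server is installed. This is an added example, not Kaspersky code: the function names are made up here, and the service name is left as a parameter because this page does not state it.

```powershell
# Added example (not Kaspersky code). Registry path and value name are taken from
# the steps above; function names and the -ServiceName parameter are assumptions.
$ValueName = 'LP_MobileMustUseTwoWayAuthOnPort13292'
$SubKey    = 'KasperskyLab\Components\34\.core\.independent\KLLIM'

# Choose the path that the procedure gives for 32-bit or 64-bit systems.
$KeyPath = if ([Environment]::Is64BitOperatingSystem) {
    "HKLM:\SOFTWARE\Wow6432Node\$SubKey"
} else {
    "HKLM:\SOFTWARE\$SubKey"
}

function Get-KesTwoWayAuthState {
    # Returns KeyMissing, Disabled, WrongType or Enabled.
    param([string] $Path = $KeyPath, [string] $Name = $ValueName)

    if (-not (Test-Path -LiteralPath $Path)) { return 'KeyMissing' }
    $key  = Get-Item -LiteralPath $Path
    $data = $key.GetValue($Name, $null)
    if ($null -eq $data) { return 'Disabled' }   # entry absent: the default, disabled state

    # The procedure requires REG_DWORD; any other type is reported instead of trusted.
    if ($key.GetValueKind($Name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return 'WrongType'
    }
    if ($data -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Enable-KesTwoWayAuth {
    param(
        [string] $Path = $KeyPath,
        [string] $Name = $ValueName,
        [string] $ServiceName   # Administration Server service name; supply it yourself
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Registry key not found: $Path" }

    # Create or overwrite the entry as REG_DWORD = 1 (steps 3 to 5).
    New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null

    # Step 6: the setting takes effect only after the service restarts.
    if ($ServiceName) {
        Restart-Service -Name $ServiceName
    } else {
        Write-Warning 'Restart the Administration Server service to apply the setting.'
    }
    Get-KesTwoWayAuthState -Path $Path -Name $Name
}

# Read-only check of the current state.
Get-KesTwoWayAuthState
```

Because the first connection of a KES device does not require a certificate, an Enabled result covers only subsequent connections.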

See also:

Scenario: Mobile Device Management deployment

Creating a mobile applications package for KES devices

A Kaspersky Endpoint Security for Android license is required to create a mobile applications package for KES devices.

To create a mobile applications package:

  1. In the Remote installation folder of the console tree, select the Installation packages subfolder.

    The Remote installation folder is a subfolder of the Advanced folder by default.

  2. Click the Help button and, in the drop-down list, select the item that opens the Mobile apps package management window.

    Mobile apps packages are intended for installation on mobile devices without Kaspersky Security Center. For example, a mobile apps package can be sent to a user by email or can be published on a Web Server for further download and installation.

  3. In the Mobile apps package management window, click the New button.
  4. The New package wizard starts. Follow the instructions of the wizard.

The newly created mobile applications package is displayed in the Mobile apps package management window.

See also:

Scenario: Mobile Device Management deployment

Viewing information about a KES device

To view information about a KES device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter KES devices by protocol type (KES).
  3. Select the mobile device for which you want to view the information.
  4. From the context menu of the mobile device select Properties.

The properties window of the KES device opens.

The properties window of the mobile device displays information about the connected KES device.

See also:

Scenario: Mobile Device Management deployment

Disconnecting a KES device from management

To disconnect a KES device from management, the user has to remove Network Agent from the mobile device. After the user has removed Network Agent, the mobile device details are removed from the Administration Server database, and the administrator can remove the mobile device from the list of managed devices.

To remove a KES device from the list of managed devices:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter KES devices by protocol type (KES).
  3. Select the mobile device that you must disconnect from management.
  4. In the context menu of the mobile device, select Delete.

The mobile device is removed from the list of managed devices.

If Kaspersky Endpoint Security for Android has not been removed from the mobile device, that mobile device reappears in the list of managed devices after synchronization with the Administration Server.

See also:

Scenario: Mobile Device Management deployment

Managing iOS MDM devices

This section describes advanced features for management of iOS MDM devices through Kaspersky Security Center. The application supports the following features for management of iOS MDM devices:

  • Define the settings of managed iOS MDM devices in centralized mode and restrict features of devices through configuration profiles. You can add or modify configuration profiles and install them on mobile devices.
  • Install apps on mobile devices by means of provisioning profiles, bypassing App Store. For example, you can use provisioning profiles for installation of in-house corporate apps on users' mobile devices. A provisioning profile contains information about an app and a mobile device.
  • Install apps on an iOS MDM device through the App Store. Before installing an app on an iOS MDM device, you must add that app to an iOS MDM Server.

Every 24 hours, a push notification is sent to all connected iOS MDM devices in order to synchronize data with the iOS MDM Server.

For information about the configuration profile and the provisioning profile, as well as apps installed on an iOS MDM device, please refer to the properties window of the device.

In this section

Signing an iOS MDM profile by a certificate

Adding a configuration profile

Installing a configuration profile on a device

Removing the configuration profile from a device

Adding a provisioning profile

Installing a provisioning profile to a device

Removing a provisioning profile from a device

Configuring managed apps

Installing an app on a mobile device

Removing an app from a device

Installing and uninstalling apps on a group of iOS MDM devices

Configuring roaming on an iOS MDM mobile device

Viewing information about an iOS MDM device

Disconnecting an iOS MDM device from management

Configuring kiosk mode for iOS MDM devices

See also:

Scenario: Mobile Device Management deployment

Signing an iOS MDM profile by a certificate

You can sign an iOS MDM profile by a certificate. You can use a certificate that you issued yourself or you can receive a certificate from trusted certification authorities.

To sign an iOS MDM profile by a certificate:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
  2. In the context menu of the Mobile devices folder, select Properties.
  3. In the properties window of the folder, select the Connection settings for iOS devices section.
  4. Click the Browse button under the Select certificate file field.

    The Certificate window opens.

  5. In the Certificate type field, specify the public or private certificate type:
    • If the PKCS #12 container value is selected, specify the certificate file and the password.
    • If the X.509 certificate value is selected:
      1. Specify the private key file (one with the *.prk or *.pem extension).
      2. Specify the private key password.
      3. Specify the public key file (one with the *.cer extension).
  6. Click OK.

The iOS MDM profile is signed by a certificate.

See also:

Scenario: Mobile Device Management deployment

Adding a configuration profile

To create a configuration profile, you can use Apple Configurator 2, which is available at the Apple Inc. website. Apple Configurator 2 works only on devices running macOS; if you do not have such devices at your disposal, you can use iPhone Configuration Utility on the device with Administration Console instead. However, Apple Inc. does not support iPhone Configuration Utility any longer.

To create a configuration profile using iPhone Configuration Utility and to add it to an iOS MDM Server:

  1. In the console tree, select the Mobile Device Management folder.
  2. In the workspace of the Mobile Device Management folder, select the Mobile Device Servers subfolder.
  3. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
  4. In the context menu of the iOS MDM Server, select Properties.

    The Mobile Device Server properties window opens.

  5. In the properties window of the iOS MDM Server, select the Configuration profiles section.
  6. In the Configuration profiles section, click the Create button.

    The New configuration profile window opens.

  7. In the New configuration profile window, specify a name and ID for the profile.

    The configuration profile ID should be unique; the value should be specified in Reverse-DNS format, for example, com.companyname.identifier.

  8. Click OK.

    iPhone Configuration Utility then starts if you have it installed.

  9. Reconfigure the profile in iPhone Configuration Utility.

    For a description of the profile settings and instructions on how to configure the profile, please refer to the documentation enclosed with iPhone Configuration Utility.

After you configure the profile with iPhone Configuration Utility, the new configuration profile is displayed in the Configuration profiles section in the properties window of the iOS MDM Server.

You can click the Modify button to modify the configuration profile.

You can click the Import button to load the configuration profile to a program.

You can click the Export button to save the configuration profile to a file.

The profile that you have created must be installed on iOS MDM devices.

See also:

Scenario: Mobile Device Management deployment

Installing a configuration profile on a device

To install a configuration profile to a mobile device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices:
    1. Click the No filter specified, records total: <number> link.
    2. On the Management protocol list, select iOS MDM.
  3. Select the mobile device on which you want to install a configuration profile.

    You can select multiple mobile devices to install the profile on them simultaneously.

  4. In the context menu of the mobile device, select Show command log.
  5. In the Mobile device <device name> management commands window, proceed to the Install profile section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands in the context menu of that mobile device, and then selecting Install profile.

    The Select profiles window opens showing a list of profiles. Select from the list the profile that you want to install on the mobile device. You can select multiple profiles to install them on the mobile device simultaneously. To select the range of profiles, use the Shift key. To combine profiles into a group, use the CTRL key.

  6. Click OK to send the command to the mobile device.

    When the command is executed, the selected configuration profile will be installed on the user's mobile device. If the command is successfully executed, the current status of the command in the command log will be shown as Done.

    You can click the Resend button to send the command to the user's mobile device again.

    You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

    The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

  7. Click OK to close the Mobile device <device name> management commands window.

You can view the profile that you installed and remove it, if necessary.

See also:

Scenario: Mobile Device Management deployment

Removing the configuration profile from a device

To remove a configuration profile from a mobile device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices:
    1. Click the No filter specified, records total: <number> link.
    2. On the Management protocol list, select iOS MDM.
  3. Select the mobile device from which you want to remove the configuration profile.

    You can select multiple mobile devices to remove the profile from them simultaneously.

  4. In the context menu of the mobile device, select Show command log.
  5. In the Mobile device <device name> management commands window, proceed to the Remove profile section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands from the context menu of the device, and then selecting Remove profile.

    The Remove profiles window opens showing a list of profiles.

  6. Select from the list the profile that you want to remove from the mobile device. You can select multiple profiles to remove them from the mobile device simultaneously. To select the range of profiles, use the Shift key. To combine profiles into a group, use the CTRL key.
  7. Click OK to send the command to the mobile device.

    When the command is executed, the selected configuration profile will be removed from the user's mobile device. If the command is executed successfully, the current status of the command will be shown as Completed.

    You can click the Resend button to send the command to the user's mobile device again.

    You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

    The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

  8. Click OK to close the Mobile device <device name> management commands window.

See also:

Scenario: Mobile Device Management deployment

Adding a provisioning profile

To add a provisioning profile to an iOS MDM Server:

  1. In the console tree, open the Mobile Device Management folder.
  2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.
  3. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
  4. In the context menu of the iOS MDM Server, select Properties.

    The Mobile Device Server properties window opens.

  5. In the properties window of the iOS MDM Server, go to the Provisioning profiles section.
  6. In the Provisioning profiles section, click the Import button and specify the path to a provisioning profile file.

The profile will be added to the iOS MDM Server settings.

You can click the Export button to save the provisioning profile to a file.

You can install the provisioning profile that you imported on iOS MDM devices.

See also:

Scenario: Mobile Device Management deployment

Installing a provisioning profile to a device

To install a provisioning profile on a mobile device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices:
    1. Click the No filter specified, records total: <number> link.
    2. On the Management protocol list, select iOS MDM.
  3. Select the mobile device on which you want to install the provisioning profile.

    You can select multiple mobile devices to install the provisioning profile simultaneously.

  4. In the context menu of the mobile device, select Show command log.
  5. In the Mobile device <device name> management commands window, proceed to the Install provisioning profile section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands from the context menu of that mobile device, and then selecting Install provisioning profile.

    The Select provisioning profiles window opens showing a list of provisioning profiles. Select from the list the provisioning profile that you want to install on the mobile device. You can select multiple provisioning profiles to install them on the mobile device simultaneously. To select the range of provisioning profiles, use the Shift key. To combine provisioning profiles into a group, use the Ctrl key.

  6. Click OK to send the command to the mobile device.

    When the command is executed, the selected provisioning profile will be installed on the user's mobile device. If the command is successfully executed, its current status in the command log is shown as Completed.

    You can click the Resend button to send the command to the user's mobile device again.

    You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

    The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

  7. Click OK to close the Mobile device <device name> management commands window.

You can view the profile that you installed and remove it, if necessary.

See also:

Scenario: Mobile Device Management deployment

Removing a provisioning profile from a device

To remove a provisioning profile from a mobile device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices:
    1. Click the No filter specified, records total: <number> link.
    2. On the Management protocol list, select iOS MDM.
  3. Select the mobile device from which you want to remove the provisioning profile.

    You can select multiple mobile devices to remove the provisioning profile from them simultaneously.

  4. In the context menu of the mobile device, select Show command log.
  5. In the Mobile device <device name> management commands window, proceed to the Remove provisioning profile section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands from the context menu and then selecting Remove provisioning profile.

    The Remove provisioning profiles window opens showing a list of profiles.

  6. Select from the list the provisioning profile that you need to remove from the mobile device. You can select multiple provisioning profiles to remove them from the mobile device simultaneously. To select the range of provisioning profiles, use the Shift key. To combine provisioning profiles into a group, use the Ctrl key.
  7. Click OK to send the command to the mobile device.

    When the command is executed, the selected provisioning profile will be removed from the user's mobile device. Applications that are related to the deleted provisioning profile will not be operable. If the command is executed successfully, the current status of the command will be shown as Completed.

    You can click the Resend button to send the command to the user's mobile device again.

    You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

    The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

  8. Click OK to close the Mobile device <device name> management commands window.

See also:

Scenario: Mobile Device Management deployment

Configuring managed apps

Before installing an app on an iOS MDM device, you must add that app to an iOS MDM Server. An app is considered managed if it has been installed on a device through Kaspersky Endpoint Security. A managed app can be managed remotely by means of Kaspersky Endpoint Security.

To add a managed app to an iOS MDM Server:

  1. In the console tree, open the Mobile Device Management folder.
  2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.
  3. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
  4. In the context menu of the iOS MDM Server, select Properties.

    This opens the properties window of the iOS MDM Server.

  5. In the properties window of the iOS MDM Server, select the Managed applications section.
  6. Click the Add button in the Managed applications section.

    The Add an application window opens.

  7. In the Add an application window, in the App name field, specify the name of the app to be added.
  8. In the Apple ID or link to manifest file field, specify the Apple ID of the application to be added, or specify a link to a manifest file that can be used to download the app.
  9. If you want a managed app to be removed from the user's mobile device along with the iOS MDM profile when removing the latter, select the Remove together with iOS MDM profile check box.
  10. If you want to block the app data backup through iTunes, select the Block data backup check box.
  11. If you want to configure settings of the managed app, click the App configuration button.

    The App configuration window opens.

  12. In the App configuration window, click the Browse button to select and upload a configuration file in PLIST format.

    To generate a configuration file, you may use a configuration generator (for example, https://appconfig.jamfresearch.com/generator) or refer to the official documentation on the app to be configured.

    An example of configured basic parameters for the Microsoft Outlook app.

    Microsoft Outlook app configuration settings

    | Configuration key | Description | Type | Value | Default value |
    |---|---|---|---|---|
    | com.microsoft.outlook.EmailProfile.EmailAccountName | Username | String | The username that will be used to pull the username from Microsoft Active Directory. It might be different from the user's email address. For example, User. | |
    | com.microsoft.outlook.EmailProfile.EmailAddress | Email address | String | The email address that will be used to pull the user's email address from Microsoft Active Directory. For example, user@companyname.com. | |
    | com.microsoft.outlook.EmailProfile.EmailUPN | User Principal Name or username for the email profile that is used to authenticate the account | String | The name of the user in email address format. For example, userupn@companyname.com. | |
    | com.microsoft.outlook.EmailProfile.ServerAuthentication | Authentication method | String | Username and Password – Prompts the device user for their password. Certificates – Certificate-based authentication. | Username and Password |
    | com.microsoft.outlook.EmailProfile.ServerHostName | ActiveSync FQDN | String | The Exchange ActiveSync email server URL. You don't need to use HTTP:// or HTTPS:// in front of the URL. For example, mail.companyname.com. | |
    | com.microsoft.outlook.EmailProfile.AccountDomain | Email domain | String | The account domain of the user. For example, companyname. | |
    | com.microsoft.outlook.EmailProfile.AccountType | Authentication type | String | ModernAuth – Uses a token-based identity management method. Specify ModernAuth as the Account Type for Exchange Online. BasicAuth – Prompts the device user for their password. Specify BasicAuth as the Account Type for Exchange On-Premises. | BasicAuth |
    | IntuneMAMRequireAccounts | Is sign-in required | String | Specifies whether organization account sign-in is required. You can select one of the following accepted values: Enabled – The app requires the user to sign in to the managed user account defined by the IntuneMAMUPN key to receive Org data. Disabled – No account sign-in is required. | |
    | IntuneMAMUPN | UPN address | String | The User Principal Name of the account allowed to sign into the app. For example, userupn@companyname.com. | |

    An example of a configuration file for the Microsoft Outlook app.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.microsoft.outlook.EmailProfile.AccountType</key>
        <string>BasicAuth</string>
        <key>com.microsoft.outlook.EmailProfile.EmailAccountName</key>
        <string>My Work Email</string>
        <key>com.microsoft.outlook.EmailProfile.ServerHostName</key>
        <string>exchange.server.com</string>
        <key>com.microsoft.outlook.EmailProfile.EmailAddress</key>
        <string>%email%</string>
        <key>com.microsoft.outlook.EmailProfile.EmailUPN</key>
        <string>%full_name%</string>
        <key>com.microsoft.outlook.EmailProfile.AccountDomain</key>
        <string>my-domain</string>
        <key>com.microsoft.outlook.EmailProfile.ServerAuthentication</key>
        <string>Username and Password</string>
        <key>IntuneMAMAllowedAccountsOnly</key>
        <string>Enabled</string>
        <key>IntuneMAMUPN</key>
        <string>%full_name%</string>
    </dict>
    </plist>

  13. After the PLIST file is imported, the app configuration will be displayed in the App configuration window.

    You can change the configuration by editing the text of the PLIST file after its import.

  14. Click OK to apply the app configuration.
  15. Click OK once again to close the Add an application window.

The added app is displayed in the Managed applications section of the properties window of the iOS MDM Server.
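
A pre-upload check for the configuration file selected in step 12, as an added example that is not part of the Kaspersky documentation: it parses a PLIST and compares it with the Microsoft Outlook key table above. The function name, the severity labels and the CONSTRUCTED_BAD sample are assumptions made for this illustration; PAGE_EXAMPLE is the configuration file shown above.

```python
import plistlib

P = "com.microsoft.outlook.EmailProfile."
# Keys and accepted values from the Microsoft Outlook table on this page.
# None means any non-empty string is accepted.
DOCUMENTED = {
    P + "EmailAccountName": None,
    P + "EmailAddress": None,
    P + "EmailUPN": None,
    P + "ServerAuthentication": {"Username and Password", "Certificates"},
    P + "ServerHostName": None,
    P + "AccountDomain": None,
    P + "AccountType": {"ModernAuth", "BasicAuth"},
    "IntuneMAMRequireAccounts": {"Enabled", "Disabled"},
    "IntuneMAMUPN": None,
}


def review_outlook_plist(data: bytes):
    """Return (level, key, message) findings for an Outlook configuration PLIST."""
    try:
        config = plistlib.loads(data)
    except Exception as exc:  # malformed XML, entity declarations, unknown format
        return [("ERROR", None, f"not a readable PLIST: {exc}")]
    if not isinstance(config, dict):
        return [("ERROR", None, "top-level element must be a <dict>")]

    findings = []
    for key, value in config.items():
        allowed = DOCUMENTED.get(key)
        if key not in DOCUMENTED:
            findings.append(("WARN", key, "not in the key table; check the app's documentation"))
        elif not isinstance(value, str) or not value.strip():
            findings.append(("ERROR", key, "value must be a non-empty <string>"))
        elif allowed is not None and value not in allowed:
            findings.append(("ERROR", key, f"{value!r} is not one of {sorted(allowed)}"))

    host = config.get(P + "ServerHostName")
    if isinstance(host, str) and host.lower().startswith(("http://", "https://")):
        findings.append(("WARN", P + "ServerHostName", "the table gives the FQDN without HTTP:// or HTTPS://"))
    if config.get(P + "AccountType") == "BasicAuth":
        findings.append(("NOTE", P + "AccountType",
                         "BasicAuth prompts the user for a password; the table specifies ModernAuth for Exchange Online"))
    if "IntuneMAMUPN" in config and config.get("IntuneMAMRequireAccounts") != "Enabled":
        findings.append(("NOTE", "IntuneMAMUPN",
                         "set, but IntuneMAMRequireAccounts is not Enabled"))
    return findings


# The configuration file shown on this page (whitespace condensed).
PAGE_EXAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>com.microsoft.outlook.EmailProfile.AccountType</key><string>BasicAuth</string>
<key>com.microsoft.outlook.EmailProfile.EmailAccountName</key><string>My Work Email</string>
<key>com.microsoft.outlook.EmailProfile.ServerHostName</key><string>exchange.server.com</string>
<key>com.microsoft.outlook.EmailProfile.EmailAddress</key><string>%email%</string>
<key>com.microsoft.outlook.EmailProfile.EmailUPN</key><string>%full_name%</string>
<key>com.microsoft.outlook.EmailProfile.AccountDomain</key><string>my-domain</string>
<key>com.microsoft.outlook.EmailProfile.ServerAuthentication</key><string>Username and Password</string>
<key>IntuneMAMAllowedAccountsOnly</key><string>Enabled</string>
<key>IntuneMAMUPN</key><string>%full_name%</string>
</dict></plist>"""

# Constructed sample with three mistakes: URL scheme, unknown value, non-string type.
CONSTRUCTED_BAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.microsoft.outlook.EmailProfile.ServerHostName</key><string>https://mail.companyname.com</string>
<key>com.microsoft.outlook.EmailProfile.AccountType</key><string>Basic</string>
<key>com.microsoft.outlook.EmailProfile.ServerAuthentication</key><true/>
</dict></plist>"""


if __name__ == "__main__":
    for level, key, message in review_outlook_plist(PAGE_EXAMPLE):
        print(f"{level}: {key}: {message}")
```

Run against the file from this page, the check reports that IntuneMAMAllowedAccountsOnly is not one of the keys listed in the table and that the profile uses BasicAuth.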

It is also possible to change or delete the configuration of an already added app.

To change the configuration of a managed app:

  1. In the Managed applications section, select the managed app from the list, and then click the Modify button.

    The Changing mobile app settings window opens.

  2. In the Changing mobile app settings window, click the App configuration button.

    The App configuration window opens.

  3. Click the Browse button to select and upload a configuration file in PLIST format.
  4. If necessary, edit the text of the PLIST file after its import.
  5. Click OK to apply the app configuration.
  6. Click OK to close the Changing mobile app settings window.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

To delete a managed app configuration:

  1. In the Managed applications section, select the managed app from the list, and then click the Modify button.

    The Changing mobile app settings window opens.

  2. In the Changing mobile app settings window, click the Delete configuration button.

The applied configuration of the managed app is deleted.

See also:

Scenario: Mobile Device Management deployment


Installing an app on a mobile device

To install an app on an iOS MDM mobile device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices:
    1. Click the No filter specified, records total: <number> link.
    2. On the Management protocol list, select iOS MDM.
  3. Select the mobile device on which you want to install an app.

    You can select multiple mobile devices to install the application on them simultaneously.

  4. In the context menu of the mobile device, select Show command log.
  5. In the Mobile device <device name> management commands window, proceed to the Install app section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands in the context menu of that mobile device, and then selecting Install app.

    The Select apps window opens showing a list of managed apps. Select from the list the application that you want to install on the mobile device. You can select multiple applications to install them on the mobile device simultaneously. To select a range of apps, use the Shift key. To combine apps into a group, use the Ctrl key.

  6. Click OK to send the command to the mobile device.

    When the command is executed, the selected application will be installed on the user's mobile device. If the command is successfully executed, its current status in the command log will be shown as Completed.

    You can click the Resend button to send the command to the user's mobile device again. You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

    The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

  7. Click OK to close the Mobile device <device name> management commands window.

Information about the application installed is displayed in the properties of the iOS MDM mobile device. You can remove the application from the mobile device through the command log or the context menu of the mobile device.

See also:

Scenario: Mobile Device Management deployment


Removing an app from a device

To remove an app from a mobile device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices:
    1. Click the No filter specified, records total: <number> link.
    2. On the Management protocol list, select iOS MDM.
  3. Select the mobile device from which you want to remove the app.

    You can select multiple mobile devices to remove the app from them simultaneously.

  4. In the context menu of the mobile device, select Show command log.
  5. In the Mobile device <device name> management commands window, proceed to the Remove app section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands in the context menu of that mobile device, and then selecting Remove app.

    The Remove apps window opens showing a list of applications.

  6. Select from the list the app that you need to remove from the mobile device. You can select multiple apps to remove them simultaneously. To select a range of apps, use the Shift key. To combine apps into a group, use the Ctrl key.
  7. Click OK to send the command to the mobile device.

    When the command is executed, the selected app will be removed from the user's mobile device. If the command is executed successfully, the current status of the command will be shown as Completed.

    You can click the Resend button to send the command to the user's mobile device again.

    You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

    The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

  8. Click OK to close the Mobile device <device name> management commands window.

See also:

Scenario: Mobile Device Management deployment


Installing and uninstalling apps on a group of iOS MDM devices

Kaspersky Security Center allows you to install and remove apps on iOS MDM devices by sending commands to these devices.

Selecting devices

To select iOS MDM devices on which apps should be installed or removed:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices by protocol type (iOS MDM).
  3. Select the iOS MDM device on which apps should be installed or removed.

    You can also select multiple devices and send commands simultaneously. To select a group of devices, do one of the following:

    • To select all devices in the workspace, filter the list of devices as required and press Ctrl+A.
    • To select a range of devices, hold down the Shift key, click the first device in the range, and then click the last device in the range.
    • To select individual devices, hold down the Ctrl key and click devices you want to include in the group.

Installing apps on devices

Before installing an app on an iOS MDM device, you must add that app to an iOS MDM Server. For more information, refer to Adding a managed app.

To install apps on selected iOS MDM devices:

  1. Right-click the selected devices. In the context menu that appears, select All commands, and then select Install app.

    For a single device, you can also select Show command log in the context menu, proceed to the Install app section, and click the Send command button.

    The Select apps window opens showing a list of managed apps.

  2. Select the apps you want to install on iOS MDM devices. To select a range of apps, use the Shift key. To select multiple apps individually, use the Ctrl key.
  3. Click OK to send the command to the devices.

    When the command is executed on a device, the selected apps are installed. If the command is successfully executed, the command log will show its current status as Completed.

Removing apps from devices

To remove apps from selected iOS MDM devices:

  1. Right-click the selected devices. In the context menu that appears, select All commands, and then select Remove app.

    For a single device, you can also select Show command log in the context menu, proceed to the Remove app section, and click the Send command button.

    The Remove apps window opens showing a list of previously installed apps.

  2. Select the apps you want to remove from iOS MDM devices. To select a range of apps, use the Shift key. To select multiple apps individually, use the Ctrl key.
  3. Click OK to send the command to the devices.

    When the command is executed on a device, the selected apps are uninstalled. If the command is successfully executed, the command log will show its current status as Completed.


Configuring roaming on an iOS MDM mobile device


To configure roaming:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices:
    1. Click the No filter specified, records total: <number> link.
    2. On the Management protocol list, select iOS MDM.
  3. Select the mobile device owned by the user for whom you want to configure roaming.

    You can select multiple mobile devices to configure roaming on them simultaneously.

  4. In the context menu of the mobile device, select Show command log.
  5. In the Mobile device <device name> management commands window, proceed to the Configure roaming section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands in the context menu of that mobile device, and then selecting Configure roaming.

  6. In the Roaming settings window, specify the relevant settings:
    • Enable data roaming

      If this option is enabled, data roaming is enabled on the iOS MDM mobile device. The user of the iOS MDM mobile device can use the internet while roaming.

      By default, this option is disabled.

Roaming is configured for the selected devices.

See also:

Scenario: Mobile Device Management deployment


Viewing information about an iOS MDM device

To view information about an iOS MDM device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices:
    1. Click the No filter specified, records total: <number> link.
    2. On the Management protocol list, select iOS MDM.
  3. Select the mobile device for which you want to view the information.
  4. In the context menu of the mobile device, select Properties.

    The properties window of the iOS MDM device opens.

The properties window of the mobile device displays information about the connected iOS MDM device.

See also:

Scenario: Mobile Device Management deployment


Disconnecting an iOS MDM device from management

If you want to stop managing an iOS MDM device, you can disconnect it from management in Kaspersky Security Center.

As an alternative, you or the device owner can remove the iOS MDM profile from the device. However, you must still disconnect the device from management afterward, as described in this section. Otherwise, you will not be able to start managing this device again.

To disconnect an iOS MDM device from the iOS MDM Server:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices:
    1. Click the No filter specified, records total: <number> link.
    2. On the Management protocol list, select iOS MDM.
  3. Select the mobile device that you want to disconnect.
  4. In the context menu of the mobile device, select Delete.

The iOS MDM device is marked in the list for removal. Within one minute, the device is removed from the iOS MDM Server database, after which it is automatically removed from the list of managed devices.

After the iOS MDM device is disconnected from management, all installed configuration profiles, the iOS MDM profile, and the applications for which the Remove together with iOS MDM profile option has been enabled in the iOS MDM Server settings will be removed from the mobile device.

See also:

Scenario: Mobile Device Management deployment


Configuring kiosk mode for iOS MDM devices


Kiosk mode is an iOS feature that lets you limit the set of apps available to a device user to a single app. In this mode, a device user can open only one app that is allowed on the device and specified in the kiosk mode settings.

The kiosk mode settings apply to iOS MDM devices managed through Kaspersky Security Center.

Open the kiosk mode settings

To open the kiosk mode settings:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Kiosk mode section.

Configure kiosk mode

To enable kiosk mode:

  1. Click the Enable kiosk mode (supervised only) check box to activate kiosk mode on a supervised device.
  2. In the App's bundle ID field, enter the unique identifier of an app selected for kiosk mode (for example, com.apple.calculator).

    How to get the bundle ID of an app

    To get the bundle ID of a native iPhone or iPad app, follow the instructions in the Apple documentation.

    To get the bundle ID of any iPhone or iPad app:

    1. Open App Store.
    2. Find the required app and open its page.

      The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).

    3. Copy this identifier (without the letters "id").
    4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.

      This downloads a text file.

    5. Open the downloaded file and find the "bundleId" fragment.

    The text that directly follows this fragment is the bundle ID of the required app.

    To get the bundle ID of an app that has been added to Kaspersky Security Center:

    1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
    2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

    In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

    If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add the app package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

    To select a different app, you need to disable kiosk mode, save the changes to the policy, and enable kiosk mode for a new app.

    The app that is selected for kiosk mode must be installed on the device. Otherwise, the device will be locked until kiosk mode is disabled.

    The use of the selected app must also be allowed in the policy settings. If the use of the app is prohibited, kiosk mode will not be enabled until the selected app is removed from the list of forbidden apps.

    In some cases, if the use of the selected app is prohibited in the policy settings, kiosk mode can still be enabled.

  3. Specify the settings that will be enabled on the device in kiosk mode. For available settings, see the "Kiosk mode settings" section below.
  4. Specify the settings that the user can edit on the device in kiosk mode.
  5. Click the Apply button to save the changes you have made.

Once the changes to the policy are saved, kiosk mode is enabled. The selected app is forced to open on a supervised device, while the use of other apps is prohibited. The selected app reopens immediately after the device is restarted.

To edit the kiosk mode settings, you need to disable kiosk mode, save changes to the policy, and then enable kiosk mode again with the new settings.
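
The App Store lookup steps under "To get the bundle ID of any iPhone or iPad app" above, as an added example that is not part of the Kaspersky documentation: it extracts the numerical identifier from an App Store URL and reads the bundleId out of the lookup response. The function names are assumptions made for this illustration, and the response text is constructed (its bundleId is a placeholder, not the real value for that app).

```python
import json
import re
from urllib.parse import urlsplit

# Lookup address from step 4 of the procedure on this page.
LOOKUP_URL = "https://itunes.apple.com/lookup?id={app_id}"
# A bundle ID contains only alphanumerics, hyphens and periods.
BUNDLE_ID_RE = re.compile(r"[A-Za-z0-9.-]+")


def app_id_from_store_url(url: str) -> str:
    """Return the digits that follow "id" at the end of an App Store URL."""
    # urlsplit drops any query string, so ".../id123?mt=8" still works.
    match = re.search(r"/id(\d+)$", urlsplit(url).path.rstrip("/"))
    if match is None:
        raise ValueError(f"no numerical identifier at the end of {url!r}")
    return match.group(1)


def bundle_id_from_lookup(response_text: str, app_id: str) -> str:
    """Return the bundleId of the result whose trackId equals app_id."""
    results = json.loads(response_text).get("results", [])
    for result in results:
        if str(result.get("trackId")) != app_id:
            continue
        bundle_id = str(result.get("bundleId", "")).strip()
        # Reject anything that would not survive being pasted into the
        # App's bundle ID field unchanged (quotes, spaces, empty value).
        if not BUNDLE_ID_RE.fullmatch(bundle_id):
            raise ValueError(f"unexpected bundleId value {bundle_id!r}")
        return bundle_id
    raise LookupError(f"the lookup response has no app with identifier {app_id}")


# Constructed lookup response, trimmed to the fields used here.
CONSTRUCTED_RESPONSE = """
{"resultCount": 1,
 "results": [{"trackId": 535886823,
              "trackName": "Constructed app",
              "bundleId": "com.example.constructed-app"}]}
"""
# Shape of the response when the identifier matches no app.
EMPTY_RESPONSE = '{"resultCount": 0, "results": []}'


if __name__ == "__main__":
    app_id = app_id_from_store_url(
        "https://apps.apple.com/us/app/google-chrome/id535886823")
    print("Open:", LOOKUP_URL.format(app_id=app_id))
    print("Bundle ID:", bundle_id_from_lookup(CONSTRUCTED_RESPONSE, app_id))
```

An empty result raises LookupError instead of returning a guess, which matters here because an app that is not installed on the device leaves the device locked until kiosk mode is disabled.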

To disable kiosk mode:

  1. Select the Disable kiosk mode (supervised only) check box to deactivate kiosk mode on a supervised device.
  2. Click the Apply button to save the changes you have made.

Once the changes to the policy are saved, kiosk mode is disabled. The use of all apps is allowed on a supervised device.

Now, you can enable kiosk mode again with the new settings.

Kiosk mode settings

  • Auto-Lock

    If the check box is selected, Auto-Lock is enabled. The screen is automatically locked on the device.

    If the check box is cleared, Auto-Lock is disabled.

    This check box is selected by default.

  • Touch (not recommended to disable)

    If the check box is selected, all touch input capabilities are enabled.

    If the check box is cleared, all touch input capabilities are disabled.

    This check box is selected by default.

  • AssistiveTouch

    If the check box is selected, AssistiveTouch is enabled. The device screen is adapted to the user's unique physical needs.

    If the check box is cleared, AssistiveTouch is disabled.

    This check box is cleared by default.

  • Voice Control

    If the check box is selected, Voice Control is enabled. The user can navigate and interact with the device using voice commands.

    If the check box is cleared, Voice Control is disabled.

    This check box is cleared by default.

  • VoiceOver

    If the check box is selected, VoiceOver is enabled. Audible descriptions of what appears on the screen are given.

    If the check box is cleared, VoiceOver is disabled.

    This check box is cleared by default.

  • Speak Selection

    If the check box is selected, Speak Selection is enabled. The text selected on the screen is spoken.

    If the check box is cleared, Speak Selection is disabled.

    This check box is cleared by default.

  • Volume Buttons

    If the check box is selected, the volume buttons are enabled. The user can adjust the volume on the device.

    If the check box is cleared, the volume buttons are disabled.

    This check box is selected by default.

  • Mono Audio

    If the check box is selected, Mono Audio is enabled. The left and right headphone channels are combined to play the same content.

    If the check box is cleared, Mono Audio is disabled.

    This check box is cleared by default.

  • Zoom

    If the check box is selected, Zoom is enabled. The user can zoom in and out of the content on the screen.

    If the check box is cleared, Zoom is disabled.

    This check box is selected by default.

  • Auto-Rotate Screen

    If the check box is selected, Auto-Rotate Screen is enabled. Screen orientation automatically changes when the device is rotated.

    If the check box is cleared, Auto-Rotate Screen is disabled.

    This check box is selected by default.

  • Invert Colors

    If the check box is selected, inverting colors on the screen is enabled. The displayed colors are changed to opposite colors.

    If the check box is cleared, inverting colors on the screen is disabled.

    This check box is cleared by default.

  • Ring/Silent Switch

    If the check box is selected, Ring/Silent Switch is enabled. The user can switch between Ring and Silent modes to mute or unmute sounds and alerts.

    If the check box is cleared, Ring/Silent Switch is disabled.

    This check box is selected by default.

  • Sleep/Wake Button

    If the check box is selected, the Sleep/Wake button is enabled. The user can put the device to sleep or wake the device.

    If the check box is cleared, the Sleep/Wake button is disabled.

    This check box is selected by default.

See also:

Configuring kiosk mode for Android devices
