Kaspersky Secure Mobility Management

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Protection of stolen or lost device data

This section describes how you can configure the unauthorized access protection settings on the device in case it gets lost or stolen.

In this section

Sending commands to a lost or stolen mobile device

Unlocking a mobile device

Data encryption

Deleting data on Android devices after failed password entry attempts


Sending commands to a lost or stolen mobile device

To protect data on a mobile device that is lost or stolen, you can send special commands.

You can send commands to the following types of managed mobile devices:

  • Android devices managed via the Kaspersky Endpoint Security for Android app
  • iOS MDM devices

Each device type supports a dedicated set of commands (see the tables below).

Commands for Android devices

Commands for protecting data on a lost or stolen Android device

Command

Command execution result

Lock

The mobile device is locked. To obtain access to data, you must unlock the device.

Unlock

The mobile device is unlocked.

After unlocking a device running Android 5.0 – 6, the screen unlock password is reset to "1234". After unlocking a device running Android 7.0 or later, the screen unlock password is not changed.

Locate device

The mobile device's location coordinates are obtained.

On devices running Android 12 or later, if the user granted the "Use approximate location" permission, the Kaspersky Endpoint Security for Android app first tries to get the precise device location. If this is not successful, the approximate device location is returned only if it was received not more than 30 minutes earlier. Otherwise, the Locate device command fails.

The Locate device command does not work on Android devices if Google Location Accuracy is disabled in settings. Please be aware that not all Android devices come with this location setting.

Mugshot

The mobile device is locked. The mugshot photo is taken by the front camera of the device when somebody attempts to unlock the device. On devices with a pop-up front camera, the photo will be black if the camera is stowed.

When attempting to unlock the device, the user automatically consents to the mugshot.

If the permission to use the camera has been revoked, the mobile device displays a notification and prompts the user to grant the permission. On a mobile device running Android 12 or later, if the permission to use the camera has been revoked via Quick Settings, the notification is not displayed but the photo taken is black.

Alarm

The mobile device sounds an alarm. The alarm is sounded for 5 minutes (or for 1 minute if the device battery is low).

Wipe app data

The data of a specified app is wiped from the mobile device.

The action is only applicable to devices running Android 9 or later in device owner mode or with an Android work profile created.

For this action, you need to specify the package name for the app whose data is to be deleted.

As a result, the app is rolled back to its default state.

The data of system and administrative apps is not wiped.

To get the package name of an app:

  1. Open Google Play.
  2. Find the required app and open its page.

The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

To get the package name of an app that has been added to Kaspersky Security Center:

  1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
  2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add the app package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

Wipe data of all apps

The data of all apps is wiped from the mobile device.

The action is only applicable to devices running Android 9 or later in device owner mode or with an Android work profile created.

If the device works in device owner mode, data of all apps on the device is wiped.

If an Android work profile is created on the device, data of all apps in the work profile is wiped.

As a result, apps are rolled back to their default state.

The data of system and administrative apps is not wiped.

Wipe corporate data

The corporate data is wiped from the device. The list of wiped data depends on the mode in which the device operates:

  • On a personal device, the KNOX container and the mail certificate are wiped.
  • If the device operates in device owner mode, the KNOX container and the certificates installed by Kaspersky Endpoint Security for Android (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
  • Additionally, if an Android work profile is created, the work profile (its content, configurations, and restrictions) and the certificates installed in the work profile (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.

Reset to factory settings

All data is deleted from the mobile device and the settings are rolled back to their factory values. After this command is executed, the device will not be able to receive or execute subsequent commands.

Get device location history

The mobile device's location history for the last 14 days is displayed.

This command works only if the Device location history informational event type is stored in the Administration Server database. The events are configured in the Events section of the policy properties. For more details, please refer to the Kaspersky Security Center Help.

Due to technical limitations on Android devices, the device location may be retrieved less often than specified in the Synchronization section of the policy properties.

Commands for iOS MDM devices

Commands for protecting data on a lost or stolen iOS MDM device

Command

Command execution result

Lock

The mobile device is locked. To obtain access to data, you must unlock the device.

Reset password

The mobile device's screen unlock password is reset, and the user is prompted to set a new password in accordance with policy requirements.

Wipe corporate data

All installed configuration profiles, provisioning profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile check box has been selected are removed from the device.

Reset to factory settings

All data is deleted from the mobile device and the settings are rolled back to their factory values. After this command is executed, the device will not be able to receive or execute subsequent commands.

Enable Lost Mode (supervised only)

Lost Mode is enabled on the supervised mobile device, and the device is locked. The device screen shows the message and phone number that you can edit.

If you send the Enable Lost Mode command to a supervised iOS MDM device without a SIM card and this device is restarted, the device won't be able to connect to Wi-Fi and receive the Disable Lost Mode command. This is a specific feature of iOS devices. To avoid this issue, you can either send the command only to devices with a SIM card, or insert a SIM card into the locked device to allow it to receive the Disable Lost Mode command over the mobile network.

Locate device (supervised only)

The location of the mobile device is obtained. You can click the link in the command log to view device coordinates and check the device location on a map.

This command is supported only for supervised devices that are in Lost Mode.

Play sound (supervised only)

The sound is played on the lost mobile device.

This command is supported only for supervised devices that are in Lost Mode.

Disable Lost Mode (supervised only)

Lost Mode is disabled on the mobile device, and the device is unlocked.

This command is supported only for supervised devices.

Special rights and permissions are required for the execution of commands of Kaspersky Endpoint Security for Android. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required rights and permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, it will be impossible to execute commands.

On devices running Android 10 or later, the user must grant the "All the time" permission to access the location. On devices running Android 11 or later, the user must also grant the "While using the app" permission to access the camera. Otherwise, Anti-Theft commands will not function. The user will be notified of this limitation and will again be prompted to grant the permissions at the required level. If the user selects the "Only this time" option for the camera permission, access is considered granted by the app. It is recommended to contact the user directly if the Camera permission is requested again.

For the complete list of available commands, please refer to the "Commands for mobile devices" section. To learn more about sending commands from Administration Console, please refer to the "Sending commands" section.
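The applicability rules from the two command tables can be checked before a command is queued. The following is an added example, not part of the Kaspersky help or product code: the Device record, the preflight function, and the use of the table's command names as plain strings are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

@dataclass
class Device:  # hypothetical inventory record, not a Kaspersky type
    platform: str               # "android" or "ios"
    os_major: int = 0
    device_owner: bool = False  # Android device owner mode
    work_profile: bool = False  # Android work profile created
    supervised: bool = False    # iOS supervised device
    lost_mode: bool = False     # iOS Lost Mode currently enabled
    has_sim: bool = True

# Android package name: dot-separated segments, each starting with a letter.
PKG_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")

def package_from_play_url(url):
    """Return the package name from a Google Play URL's id= parameter, or None."""
    ids = parse_qs(urlparse(url).query).get("id", [])
    return ids[0] if ids and PKG_RE.fullmatch(ids[0]) else None

def preflight(cmd, dev, package=None):
    """Return (ok, notes) for sending cmd to dev, using the rules in the tables."""
    notes = []
    if cmd == "Reset to factory settings":
        notes.append("device cannot receive or execute later commands")
    if dev.platform == "android":
        if cmd in ("Wipe app data", "Wipe data of all apps"):
            if dev.os_major < 9 or not (dev.device_owner or dev.work_profile):
                return False, ["needs Android 9+ in device owner mode or a work profile"]
            if cmd == "Wipe app data" and not (package and PKG_RE.fullmatch(package)):
                return False, ["a valid app package name is required"]
        if cmd == "Unlock" and 5 <= dev.os_major <= 6:
            notes.append('screen unlock password is reset to "1234"')
    elif dev.platform == "ios":
        lost_only = cmd in ("Locate device", "Play sound")
        if (lost_only or cmd.endswith("Lost Mode")) and not dev.supervised:
            return False, ["supported only for supervised devices"]
        if lost_only and not dev.lost_mode:
            return False, ["supported only while the device is in Lost Mode"]
        if cmd == "Enable Lost Mode" and not dev.has_sim:
            notes.append("no SIM: after a restart it cannot receive Disable Lost Mode")
    return True, notes
```

The notes returned alongside a successful check are the side effects an administrator should communicate or plan for, such as the "1234" password reset on Android 5.0 – 6.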


Unlocking a mobile device

You can unlock a mobile device by using the following methods:

On certain devices (for example, HUAWEI, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts. If the app is not added to the list, you can unlock the device only by using a one-time unlock code. You cannot use commands to unlock the device.

To learn more about sending commands from the list of mobile devices in Administration Console, please refer to the "Sending commands" section.

A one-time unlock code is a secret application code for unlocking the mobile device. The one-time code is generated by the application and is unique to each mobile device. You can change the length of the one-time code (4, 8 or 16 digits) in group policy settings in the Anti-Theft section.

To unlock the mobile device using a one-time code:

  1. In the console tree, select Mobile Device Management > Mobile devices.
  2. Select a mobile device for which you want to get a one-time unlock code.
  3. Open the mobile device properties window by double-clicking.
  4. Select Apps > Kaspersky Endpoint Security for Android.
  5. Open the Kaspersky Endpoint Security properties window by double-clicking.
  6. Select the Anti-Theft section.
  7. A unique code for the selected device is shown in the One-time code field of the One-time device unlock code section.
  8. Use any available method (such as email) to communicate the one-time code to the user of the locked device.
  9. The user enters the one-time code on the screen of the device that is locked by Kaspersky Endpoint Security for Android.

The mobile device is unlocked.

After unlocking a device running Android 5.0 – 6, the screen unlock password is reset to "1234". After unlocking a device running Android 7.0 or later, the screen unlock password is not changed.


Data encryption

To protect data against unauthorized access, you must enable encryption of all data on the device (for example, account credentials, external devices and apps, as well as email messages, SMS messages, contacts, photos, and other files). To access encrypted data, you must specify a special key: the device unlock password. If data is encrypted, access to it can be obtained only when the device is unlocked.

Data encryption is enabled by default on password-locked iOS devices (Settings > Touch ID / Face ID and Password > Enable Password). Also, the hardware encryption on a device must be set to At block and file level (you can check this parameter in the device properties: in the console tree, select Additional > Mobile Device Management > Mobile devices, and then double-click the required device).

To encrypt all data on an Android device:

  1. Enable screen lock on the Android device (Settings > Security > Screen lock).
  2. Set a device unlock password that is compliant with corporate security requirements.

    It is not recommended to use a pattern lock for unlocking the device. On certain Android devices running Android 6 or later, after encrypting data and restarting the Android device, you must enter a numeric password to unlock the device instead of a pattern lock. This issue is related to the operation of the Accessibility Features service. To unlock the device screen in this case, convert the pattern lock into a numeric password. For more details about converting a pattern lock into a numeric password, please refer to the Technical Support website of the mobile device manufacturer.

  3. Enable encryption of all data on the device (Settings > Security > Encrypt data).

Deleting data on Android devices after failed password entry attempts

You can configure deleting all data on an Android device (that is, resetting the device to factory settings) after the user makes too many failed attempts to enter the screen unlock password.

These settings apply to devices operating in device owner mode and to personal devices on which the Kaspersky Endpoint Security for Android app is enabled as a device administrator.

To configure wiping all data:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Anti-Theft section.
  5. In the Data wipe on device section, select the Wipe all data after failed attempts to enter unlock password check box.
  6. In the Maximum number of attempts to enter unlock password field, specify the number of attempts that the user can make to unlock the device. The default value is 8. The maximum available value is 20.
  7. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center. If the user exceeds the specified number of attempts to enter the correct screen unlock password, the Kaspersky Endpoint Security for Android app wipes all device data.
