Kaspersky Secure Mobility Management
4.0
English

Contents

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About Kaspersky Secure Mobility Management

Kaspersky Secure Mobility Management is an integrated solution for protecting and managing corporate mobile devices as well as personal mobile devices used by company employees for corporate purposes.

Kaspersky Secure Mobility Management includes the following components:

  • Kaspersky Endpoint Security for Android mobile app

    The Kaspersky Endpoint Security for Android app ensures protection of mobile devices against web threats, viruses, and other programs that pose threats.

  • Kaspersky Endpoint Security for Android Administration Plug-in

    The Administration Plug-in of Kaspersky Endpoint Security for Android provides the interface for managing mobile devices and mobile apps installed on them through the Administration Console of Kaspersky Security Center.

  • Kaspersky Device Management for iOS Administration Plug-in

    The Kaspersky Device Management for iOS Administration Plug-in lets you define the configuration settings for devices connected to Kaspersky Security Center via the iOS MDM protocol (hereinafter referred to as "iOS MDM devices"), without using the iPhone Configuration Utility.

The administration plug-ins are integrated into the Kaspersky Security Center remote administration system. The administrator can use a single Administration Console of Kaspersky Security Center to manage all mobile device on the corporate network as well as client computers and virtual systems. After you connect mobile devices to the Administration Server, they become managed. The administrator can remotely monitor managed devices.

The Kaspersky Endpoint Security for Android mobile app may also operate as part of the Kaspersky Endpoint Security Cloud remote administration system. For more details on working with apps through Kaspersky Endpoint Security Cloud, please refer to Kaspersky Endpoint Security Cloud Online Help.

The Kaspersky Endpoint Security for Android mobile app can also operate as part of third-party EMM solutions of AppConfig Community participants.

In this section

Distribution kit

About Kaspersky Endpoint Security for Android app

About Kaspersky Device Management for iOS

About the Kaspersky Endpoint Security for Android Administration Plug-in

About the Kaspersky Device Management for iOS Administration Plug-in

Hardware and software requirements

Known issues and considerations
Page top
[Topic 91308]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Distribution kit

The Kaspersky Secure Mobility Management distribution kit may include various components, depending on the chosen application version.

Kaspersky Security Center

  • ksc_14_<version>_full_<language>.exe

    Kaspersky Security Center installer. This is a special version that is customized specially for Kaspersky Secure Mobility Management.

  • ksc_14_<version>_Console_<language>.exe

    Installer of MMC-based Administration Console. This is a special version that is customized specially for Kaspersky Secure Mobility Management.

    You can install Administration Console on another device and manage Kaspersky Security Center Administration Server remotely.

Mobile device management in MMC-based Administration Console

Mobile device management in Kaspersky Security Center Web Console

  • on_prem_ksm_devices_<version>.zip

    Archive that contains the files required for the installation of the Kaspersky Security for Mobile (Devices) plug-in:

    • plugin.zip

      Archive that contains the Kaspersky Security for Mobile (Devices) plug-in.

    • signature.txt

      File that contains the signature for the Kaspersky Security for Mobile (Devices) plug-in.

  • on_prem_ksm_policies_<version>.zip

    Archive that contains the files required for the installation of the Kaspersky Security for Mobile (Policies) plug-in:

    • plugin.zip

      Archive that contains the Kaspersky Security for Mobile (Policies) plug-in.

    • signature.txt

      File that contains the signature for the Kaspersky Security for Mobile (Policies) plug-in.

Mobile device management in Kaspersky Security Center Cloud Console

To manage mobile device in Kaspersky Security Center Cloud Console, you do not need to download a distribution package. You only need to create an account in Kaspersky Security Center Cloud Console. For more information about creating an account, please refer to Kaspersky Security Center Cloud Console Help.

File of the Kaspersky Endpoint Security for Android app

kesandroid10<version><languages>.apk—Android package file of the Kaspersky Endpoint Security for Android app.

File of Corporate App Catalog

Install_<version>.exe—Distribution package of Corporate App Catalog. The package includes the following components:

  • Corporate App Catalog
  • Corporate App Catalog Management Console
  • Apache server

For more information about installing Corporate App Catalog, please refer to Corporate App Catalog Help.

Auxiliary files

  • sc_package_<languages>.exe

    Self-extracting archive that contains the files required for installing the Kaspersky Endpoint Security for Android app by creating installation packages:

    • adb.exe, AdbWinApi.dll, AdbWinUsbApi.dll

      Files required for creating installation packages.

    • installer.ini

      Configuration file that contains Administration Server connection settings.

    • kesandroid10<version><languages>.apk

      Android package file of the Kaspersky Endpoint Security for Android app.

    • kmlisten.exe

      Utility for delivering installation packages through the administrator's computer.

    • kmlisten.ini

      Configuration file that contains the settings for the kmlisten.exe utility.

    • kmlisten.kpd

      Application description file.

    If you create an installation package with the sc_package.exe archive in the Kaspersky Security Center version earlier than 14.2, the installation of Kaspersky Endpoint Security for Android app will fail on devices running Android 10 or later. To avoid this issue, please upgrade to Kaspersky Security Center 14.2 or contact Technical Support to receive an appropriate version of the archive.

Documentation

  • Help for Kaspersky Secure Mobility Management.
Page top
[Topic 214493]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About Kaspersky Endpoint Security for Android app

The Kaspersky Endpoint Security for Android app ensures protection of mobile devices against web threats, viruses, and other programs that pose threats.

Kaspersky Endpoint Security for Android app includes the following components:

  • Anti-Malware. It allows you to detect and neutralize threats on your device by using the anti-malware databases and the Kaspersky Security Network cloud service. Anti-Malware includes the following components:
    • Protection. Detects threats in open files, scans new apps, and prevents device infection in real time.
    • Scan. It is started on demand for the entire file system, only for installed apps, or a selected file or folder.
    • Update. Update allows you to download new anti-malware databases for the application.
  • Anti-Theft. This component protects information on the device against unauthorized access in case the device is lost or stolen. This component lets you send the following commands to the device:
    • Locate to get the coordinates of the device's location.
    • Alarm to make the device sound a loud alarm.
    • Mugshot to make the device take pictures with the frontal camera if someone attempts to unlock it.
    • Wipe corporate data to protect sensitive company information.
  • Web Protection. This component blocks malicious sites designed to spread malicious code. Web Protection also blocks fake (phishing) websites designed to steal confidential data of the user (for example, passwords to online banking or e-money systems) and access the user's financial info. Web Protection scans websites before you open them using the Kaspersky Security Network cloud service. After scanning, Web Protection allows trustworthy websites to load and blocks malicious websites. Web Protection also supports website filtering by categories defined in Kaspersky Security Network cloud service. This allows the administrator to restrict user access to certain categories of web pages (for example, web pages from the "Gambling, lotteries, sweepstakes" or "Internet communication" categories).
  • App Control. This component lets you install recommended and required apps to your device via a direct link to the distribution package or a link to Google Play. App Control lets you remove blocked apps that violate corporate security requirements.
  • Compliance Control. This component lets you check managed devices for compliance with corporate security requirements and impose restrictions on certain functions of non-compliant devices.

You can also install the Kaspersky Endpoint Security for Android app in device owner mode. This will give you full control over company-owned Android devices and let you configure a wide range of device settings. In device owner mode, you can:

  • Restrict Android operating system features.
  • Configure Google Chrome settings.
  • Configure app startup settings in App Control.
  • Limit the set of apps that are available to a device user in Kiosk mode.
  • Configure Exchange ActiveSync settings for Gmail.
  • Configure the connection to an NDES/SCEP server.
  • Install root certificates on devices.
Page top
[Topic 99558]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About Kaspersky Device Management for iOS

Kaspersky Device Management for iOS ensures protection and control of mobile devices that are connected to Kaspersky Security Center and includes device management features, such as:

  • Password protection. This feature allows you to set password complexity requirements so that users use complex passwords compliant with corporate password policy.
  • Network management. This feature allows you to add approved VPN and Wi-Fi networks or restrict access to others.
  • Wipe corporate data. In case the device is lost or stolen, you can send the Wipe command to it to protect sensitive company information.
  • Web Protection. This component blocks malicious sites designed to spread malicious code. Web Protection also blocks fake (phishing)  websites designed to steal confidential data of the user (for example, passwords to online banking or e-money systems) and access the user's financial info. Web Protection scans websites before you open them using the Kaspersky Security Network cloud service. After scanning, Web Protection allows trustworthy websites to load and blocks malicious websites. Web Protection also supports website filtering by categories defined in Kaspersky Security Network cloud service. This allows the administrator to restrict user access to certain categories of web pages (for example, web pages from the "Gambling, lotteries, sweepstakes" or "Internet communication" categories).
  • Applications restrictions. This component lets you control whether device native apps, such as iTunes, Safari, or Game Center can be used on a supervised device.
  • Feature restrictions. This component allows to check managed devices for compliance with the corporate security requirements and impose restrictions on certain functions of non-compliant devices.
  • Compliance Control. This component monitors iOS MDM devices for compliance with corporate security requirements and takes actions in case of non-compliance. Compliance control is based on a list of rules. Each rule includes the following components:
    • Status (whether the rule is enabled or disabled).
    • Device check criteria (for example, absence of the specified apps or operating system version).
    • Actions performed on the device in case of non-compliance (for example, wipe corporate data or send an email message to the user).
Page top
[Topic 136121]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About the Kaspersky Endpoint Security for Android Administration Plug-in

The Administration Plug-in of Kaspersky Endpoint Security for Android provides the interface for managing mobile devices and mobile apps installed on them through the Administration Console of Kaspersky Security Center. The Kaspersky Endpoint Security for Android Administration Plug-in can be used to:

  • Create group security policies for mobile devices.
  • Remotely configure the operating settings of the Kaspersky Endpoint Security for Android app on users' mobile devices.
  • Receive reports and statistics on the operation of the Kaspersky Endpoint Security for Android mobile app on users' devices.

The Kaspersky Endpoint Security for Android Administration Plug-in is installed by default when deploying Kaspersky Security Center. The plug-in does not require individual installation.

Page top
[Topic 89640]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About the Kaspersky Device Management for iOS Administration Plug-in

The Administration Plug-in of Kaspersky Device Management for iOS provides an interface for managing mobile devices connected by means of the iOS MDM protocol through the Administration Console of Kaspersky Security Center. The Kaspersky Device Management for iOS Administration Plug-in can be used to do the following:

  • Create group security policies for mobile devices.
  • Remotely configure devices connected by using the iOS MDM protocol (hereinafter referred to as "iOS MDM devices").

For more details on connecting mobile devices to Kaspersky Security Center by using the iOS MDM protocol, please refer to the "Managing iOS MDM devices" section.

The Kaspersky Device Management for iOS Administration Plug-in is installed by default when deploying Kaspersky Security Center. The plug-in does not require separate installation.

Page top
[Topic 89639]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Hardware and software requirements

This section lists the hardware and software requirements for the administrator's computer that is used to deploy the apps on mobile devices, as well as the mobile device operating systems supported by Kaspersky Secure Mobility Management.

Hardware and software requirements for the administrator's computer

To deploy the comprehensive solution Kaspersky Secure Mobility Management, the administrator's computer must meet the hardware requirements of Kaspersky Security Center. For more details on using the hardware requirements of Kaspersky Security Center, please refer to Kaspersky Security Center Help.

To work with the Administration Plug-in of Kaspersky Endpoint Security for Android, the Administration Console of Kaspersky Security Center version 14.2 or later must be installed on the administrator's computer.

To work with the Kaspersky Device Management for iOS Administration Plug-in, the administrator's computer must meet the following software requirements:

  • Administration Console of Kaspersky Security Center 14.2 or later
  • iOS MDM Server component
  • Instruction set of version SSE2 or more recent version

To deploy the Kaspersky Endpoint Security for Android mobile app via the Administration Server, the administrator's computer must meet the following software requirements:

  • Kaspersky Security Center 14.2 or later
  • Administration Plug-in for Kaspersky Endpoint Security for Android

There are no software requirements for the administrator's computer when the Kaspersky Endpoint Security for Android mobile app is deployed from the relevant online stores.

The Kaspersky Endpoint Security for Android mobile app can also be used as part of the Kaspersky Endpoint Security Cloud remote administration system (Version 6.0 and above). For more details on working with apps through Kaspersky Endpoint Security Cloud, please refer to Kaspersky Endpoint Security Cloud Help.

The Kaspersky Endpoint Security for Android mobile app can function within third-party EMM systems:

  • VMware AirWatch 9.3 or later
  • MobileIron 10.0 or later
  • IBM MaaS360 10.68 or later
  • Microsoft Intune 1908 or later
  • SOTI MobiControl 14.1.4 (1693) or later

Hardware and software requirements for the user's mobile device to support installation of the Kaspersky Endpoint Security for Android app

The Kaspersky Endpoint Security for Android app has the following hardware and software requirements:

  • Smartphone or tablet with a screen resolution of 320x480 pixels or higher
  • 65 MB of free disk space in the main memory of the device
  • Android 5.0 or later (including Android 12L, excluding Go Edition)
  • x86, x86-64, Arm5, Arm6, Arm7, or Arm8 processor architecture

The app can be installed only to the main memory of the device.

Hardware and Software Requirements for an iOS MDM Profile

For an iOS MDM profile, the device must meet the following hardware and software requirements:

  • iOS 10–17 or iPadOS 13–17
  • Internet connection
Page top
[Topic 102017]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Known issues and considerations

The following known issues are non-critical for the operation of the solution.

Known issues when installing apps

  • Kaspersky Endpoint Security for Android is installed only in the main memory of the device.
  • On devices running Android 7.0, an error may occur during attempts to disable administrator rights for Kaspersky Endpoint Security for Android in device settings if Kaspersky Endpoint Security for Android is prohibited from overlaying on other windows. This issue is caused by a well-known defect in Android 7.
  • Kaspersky Endpoint Security for Android on devices running Android 7.0 or later does not support multi-window mode.
  • Kaspersky Endpoint Security for Android does not work on Chromebook devices running the Chrome operating system.
  • Kaspersky Endpoint Security for Android does not work on devices running Android (Go edition) operating systems.
  • When using the Kaspersky Endpoint Security for Android app with third-party EMM systems (for example, VMWare AirWatch), only the Anti-Malware and Web Protection components are available. The administrator can configure the settings of Anti-Malware and Web Protection in the EMM system console. In this case, notifications about app operation are available only in the interface of the Kaspersky Endpoint Security for Android app (Reports).

Known issues when upgrading the app version

  • You can upgrade Kaspersky Endpoint Security for Android only to a more recent version of the app. Kaspersky Endpoint Security for Android cannot be downgraded to an older version.
  • To upgrade Kaspersky Endpoint Security for Android using a standalone installation package, installation of apps from unknown sources must be allowed on the user's mobile device.
  • You can update through Google Play if Kaspersky Endpoint Security for Android was installed from Google Play. If the app was installed using another method, you cannot update through Google Play.
  • You can update through Kaspersky Security Center if Kaspersky Endpoint Security for Android was installed through Kaspersky Security Center. If the app was installed from Google Play, you cannot update the app through Kaspersky Security Center.
  • After you upgrade administration plug-ins to Technical Release 33, the Kaspersky Endpoint Security for Android app must also be upgraded to Technical Release 33. Otherwise, you will not be able to activate Samsung KNOX on some of your users' devices.

Known issues in Anti-Malware operation

  • Due to technical limitations, Kaspersky Endpoint Security for Android cannot scan files with a size of 2 GB or more. During a scan, the app skips such files without notifying you that such files were skipped.
  • For additional analysis of a device for new threats whose information has not yet been added to anti-malware databases, you must enable the use of Kaspersky Security Network. Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to Kaspersky online knowledge base with information about the reputation of files, web resources, and software. To use KSN, the mobile device must be connected to the internet.
  • In some cases, updating anti-malware databases from the Administration Server on a mobile device may fail. In this case, run the anti-malware database update task on the Administration Server.
  • On some devices, Kaspersky Endpoint Security for Android does not detect devices connected over USB OTG. It is not possible to run a malware scan on such devices.
  • On devices running Android 11 or later, the Kaspersky Endpoint Security for Android app can't scan the "Android/data" and "Android/obb" folders and detect malware in them due to technical limitations.
  • On devices running Android 11 or later, the user must grant the "Allow access to manage all files" permission.
  • On devices running Android 7.0 or later, the configuration window for the malware scan run schedule might be incorrectly displayed (management elements are not shown). This issue is caused by a well-known defect in Android 7.
  • On devices running Android 7.0, real-time protection in the extended mode does not detect threats in files that are stored on an external SD card.
  • On devices running Android 6, Kaspersky Endpoint Security for Android does not detect the downloading of a malicious file to the device memory. A malicious file may be detected by Anti-Malware when the file is run, or during a malware scan of the device. This issue is caused by a well-known defect in Android 6. To ensure device security, it is recommended to configure scheduled malware scans.

Known issues in Web Protection operation

  • Web Protection on Android devices is supported only by Google Chrome, HUAWEI Browser, Samsung Internet Browser, and Yandex Browser.
  • The Custom Tabs feature is supported by Google Chrome, HUAWEI Browser, and Samsung Internet Browser.
  • Web Protection for HUAWEI Browser, Samsung Internet Browser, and Yandex Browser does not block sites on a mobile device if the work profile is used and Web Protection is enabled only for the work profile.
  • Kaspersky Endpoint Security in the work profile scans only the website domain in HTTPS traffic. Malicious and phishing websites may remain unblocked if the app installed in the work profile. If the domain is trusted, Web Protection can skip a threat (for example, https://trusted.domain.com/phishing/). If the domain is untrusted, Web Protection blocks malicious and phishing websites.
  • For Web Protection to work, you must enable the use of Kaspersky Security Network. Web Protection blocks websites based on the KSN data on the reputation and category of websites.
  • Forbidden websites may remain unblocked by Web Protection on devices running Android 6 with Google Chrome version 51 (or any earlier version) installed if the website is opened in the following ways (this issue is caused by a well-known defect in Google Chrome):
    • From search results.
    • From the bookmarks list.
    • From search history.
    • Using the web address autocomplete function.
    • Opening the website in a new tab in Google Chrome.
  • Forbidden websites may remain unblocked in Google Chrome version 50 (or any earlier version) if the website is opened from Google search results while the Merge Tabs and Apps feature is enabled in the browser settings. This issue is caused by a well-known defect in Google Chrome.
  • Websites from blocked categories may remain unblocked in Google Chrome if the user opens them from third-party apps, for example, from an IM client app. This issue is related to how the Accessibility service works with the Chrome Custom Tabs feature.
  • Forbidden websites may remain unblocked in Samsung Internet Browser if the user opens them in background mode from the context menu or from third-party apps, for example, from an IM client app.
  • Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of Web Protection.
  • On some Xiaomi devices, the "Display pop-up window" and "Display pop-up windows while running in the background" permissions should be granted for Web Protection to work.
  • When entering a website address in Web Protection settings, adhere to the following rules:
    • For Android devices, specify the address in regular expressions format (for example, https://example.com.*).
    • For iOS MDM devices, specify the HTTP or HTTPS data transport protocol (for example, http://www.example.com).
  • Allowed websites may be blocked in Samsung Internet Browser in the Only listed websites are allowed Web Protection mode when the page is refreshed. Websites are blocked if a regular expression contains advanced settings (for example, ^https?://example.com/pictures/). It is recommended to use regular expressions without additional settings (for example, ^https?://example.com).
  • If Web Protection is set to All websites are blocked, Kaspersky Endpoint Security for Android does not block search in the Google Search widget. Instead, it blocks user access to the search results.
  • In a work profile, if Web Protection is set to All websites are blocked, Kaspersky Endpoint Security for Android endlessly reloads the Google Chrome home page, blocks the browser, and interferes with the device.
  • To make sure that the Kaspersky Endpoint Security for Android app allows or blocks access to the specified website in all supported versions of Google Chrome, HUAWEI Browser, Samsung Internet Browser, or Yandex Browser, include the same URL twice, once with the HTTP protocol (e.g., http://example.com) and once with the HTTPS protocol (e.g., https://example.com). As an alternative, you can use regular expressions.
  • In Yandex Browser and Samsung Internet Browser, malicious and phishing websites may remain unblocked. This is because only the website domain is scanned, and if it is trusted, Web Protection can skip a threat.
  • If Kaspersky Endpoint Security for Android is not set as an Accessibility feature, Web Protection may block an allowed website that loads some elements from a website with a domain that is not in the list of allowed domains.

Known issues in Anti-Theft operation

  • For timely delivery of commands to Android devices, the app uses the Firebase Cloud Messaging (FCM) service. If FCM is not configured, commands will be delivered to the device only during synchronization with Kaspersky Security Center according to the schedule defined in the policy, for example, every 24 hours.
  • To lock a device, Kaspersky Endpoint Security for Android must be set as the device administrator.
  • To lock devices running Android 7.0 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature.
  • On some devices, Anti-Theft commands may fail to execute if Battery Saver mode is enabled on the device. This defect has been confirmed on Alcatel 5080X.
  • To locate devices running Android 10 or later, the user must grant the "All the time" permission to device location.
  • To take a mugshot with devices running Android 11 or later, the user must grant the "While using the app" permission to access the camera.

Known issues in App Control operation

  • Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of App Control. This does not apply to device owner mode.
  • For App Control (app categories) to work, you must enable the use of Kaspersky Security Network. App Control determines the category of an app based on data that is available in KSN. To use KSN, the mobile device must be connected to the internet. For App Control, you can add individual apps to the lists of blocked and allowed apps. In this case, KSN is not required.
  • When configuring App Control, it is recommended to clear the Block system apps check box. Blocking system apps may lead to problems in device operation.
  • On iOS MDM devices, if you specify allowed apps in the list of apps allowed to be installed, all apps except system apps and those added to the list of allowed apps will be hidden on the device screen.
  • On some HUAWEI and Honor personal devices, apps from allowed categories may be blocked and apps from forbidden categories may remain unblocked. This is because the category for some apps from App Gallery cannot be correctly defined.
  • On some Samsung and Oppo devices, app icons may remain hidden on the home screen after clearing the Block system apps check box. This is due to limitations of the Android operating system.

Known issues when configuring certificates in iOS MDM policy

  • When you add a certificate to an iOS MDM policy and attempt to save or close the policy, MMC-based Administration Console of Kaspersky Security Center may crash, but the certificate is saved to the policy settings.

Known issues when configuring email

  • Remote configuration of a mailbox is available only on the following devices:
    • iOS MDM devices.
    • Samsung devices (Exchange ActiveSync).
    • Android devices with the TouchDown mail client installed.

      In previous versions of Kaspersky Endpoint Security for Android, you can use Kaspersky Security Center to remotely configure TouchDown profile settings on a user's device. TouchDown support has been discontinued in Kaspersky Endpoint Security for Android Service Pack 4. For more detail, refer to the Symantec technical support website.

      After upgrading the Kaspersky Endpoint Security for Android Administration Plug-in, the TouchDown settings in the policy are hidden but saved. When new devices are connected, TouchDown settings will be configured after the policy is applied.

      After the policy is modified and saved, TouchDown settings will be deleted. The TouchDown settings on a user's devices will be cleared after a policy is applied.

Known issues when configuring device unlock password strength

  • On devices running Android 10 or later, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high.

    If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN), with no repeating or ordered (e.g. 1234) sequences; or alphanumeric. The PIN or password must be at least 4 characters long.

    If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN), with no repeating or ordered sequences; or alphanumeric (password). The PIN must be at least 8 digits long; the password must be at least 6 characters long.

  • On devices running Android 10 or later, using a fingerprint to unlock the screen can be managed for work profile only.
  • On devices running Android 7.1.1, if the unlock password does not meet the corporate security requirements (Compliance Control), the Settings system app may function improperly when an attempt is made to change the unlock password through Kaspersky Endpoint Security for Android. The issue is caused by a well-known defect in Android 7.1.1. In this case, to change the unlock password, use the Settings system app only.
  • On some devices running Android 6 or later, an error may occur when screen unlock password is entered, if device data is encrypted. This issue is related to specific features of the Accessibility service with MIUI firmware.
  • On some HUAWEI devices, an issue message about too simple screen unlocking method appears, and the user must set a PIN code that is compliant with policy requirements. For more details about setting a correct PIN code on HUAWEI devices, please refer to Configuring a strong unlock password for an Android device.

Known issues when configuring Wi-Fi

  • On devices running Android version 8.0 or later, settings of the proxy server for Wi-Fi cannot be redefined with the policy. However, you can manually configure the proxy server settings for a Wi-Fi network on the mobile device.
  • On supervised iOS MDM devices, if you select the Force connection to allowed Wi-Fi networks only (supervised only, iOS 14.5+) check box when configuring feature restrictions, the current Wi-Fi connection will be interrupted even if it belongs to the allowed Wi-Fi networks list. This is due to iOS operating system specifics. The user must reconnect to the Wi-Fi network manually.

Known issues when configuring APN

  • Remote configuration of APN is available only on iOS MDM devices or Samsung devices.
  • Configure APN for iOS MDM devices in the Cellular communications section. The APN section is out of date. Before configuring the APN settings, make sure that the Apply on device check box in the APN section is cleared.

Known issues with Firewall

  • Use of Firewall is available only on Samsung devices.

Known issues when configuring VPN

  • Remote configuration of VPN is available only on the following devices:
    • iOS MDM devices.
    • Samsung devices.
  • When you set up a VPN connection for selected domains in Safari, if you change the Connect automatically option, the changes are not applied on the device. The Connect automatically check box is selected by default and we recommend against changing it if you want to activate a VPN automatically for specified domains.

Known issues with App removal protection

  • Kaspersky Endpoint Security for Android must be set as the device administrator.
  • To protect the app from removal on devices running Android 7.0 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature.
  • On some Xiaomi and HUAWEI devices, Kaspersky Endpoint Security for Android removal protection does not work. This issue is caused by the specific features of MIUI 7 and 8 firmware on Xiaomi and EMUI firmware on HUAWEI.

Known issues when configuring device restrictions

  • On devices running Android 10 or later, prohibiting the use of Wi-Fi networks is not supported.
  • On devices running Android 11 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. If this is the case, you will not be able to restrict use of the camera.

Known issues when sending commands to mobile devices

  • On devices running Android 12 or later, if the user granted the "Use approximate location" permission, the Kaspersky Endpoint Security for Android app first tries to get the precise device location. If this is not successful, the approximate device location is returned only if it was received not more than 30 minutes earlier. Otherwise, the Locate device command fails.
  • The Locate device command does not work on Android devices if Google Location Accuracy is disabled in settings. Please be aware that not all Android devices come with this location setting.
  • If you send the Enable Lost Mode command to a supervised iOS MDM device without a SIM card and this device is restarted, the device won't be able to connect to Wi-Fi and receive the Disable Lost Mode command. This is a specific feature of iOS devices. To avoid this issue, you can either send the command only to devices with a SIM card, or insert a SIM card into the locked device to allow it to receive the Disable Lost Mode command over the mobile network.

Known issues with Android work profile

  • If you create an Android work profile by using a policy, the user must grant the "Allow access to manage all files" permission to Kaspersky Endpoint Security for Android that is installed on the devices running Android 11 or later and that is related to the work profile.
  • The Prohibit activation of USB debugging mode Android work profile function does not work on devices with Android 13. This is caused by an issue in Android 13.
  • On some Xiaomi devices with Android work profile, the work profile may be unlocked by a fingerprint only if you set the Period of inactivity before the device screen locks value after setting a fingerprint as the screen unlocking method.
  • When the Deny permissions automatically action is selected in the Granting runtime permissions for apps setting, if the user configures the necessary permissions for an app after device synchronization with Kaspersky Security Center but before this app requests all permissions, these permissions cannot be changed without reinstalling the app or wiping its data.

Known issues with specific devices

  • On certain devices (for example, HUAWEI, Meizu, and Xiaomi), you must grant Kaspersky Endpoint Security for Android an autostart permission or manually add it to the list of apps that are started when the operating system starts. If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted. In addition, if the device has been locked, you cannot use a command to unlock the device. You can unlock the device only by using a one-time unlock code.
  • On certain devices (for example, Meizu and Asus) running Android 6 or later, after encrypting data and restarting the Android device, you must enter a numeric password to unlock the device. If the user uses a graphic password to unlock the device, you must convert the graphic password to a numeric password. For more details about converting a graphic password into a numeric password, please refer to the Technical Support website of the mobile device manufacturer. This issue is related to the operation of the Accessibility Features service.
  • On some HUAWEI devices running Android 5.Х, after Kaspersky Endpoint Security for Android is set as an Accessibility feature, an incorrect message about the lack of appropriate rights may be displayed. To hide this message, enable the app as a protected app in the device settings.
  • On some HUAWEI devices running Android 5.X or 6, when Battery Saver mode is enabled for Kaspersky Endpoint Security for Android, the user can manually terminate the app. The user device becomes unprotected after that. This issue is due to some features of HUAWEI software. To restore the device protection, run Kaspersky Endpoint Security for Android manually. It is recommended to disable Battery Saver mode for Kaspersky Endpoint Security for Android in the device settings.
  • On HUAWEI devices with EMUI firmware running Android 7.0, the user can hide the notification regarding the protection status of Kaspersky Endpoint Security for Android. This issue is due to some features of HUAWEI software.
  • On some Xiaomi devices, the user can use the Foreground Services Task Manager to stop Kaspersky Endpoint Security for Android from running in the background. This issue is due to some features of Xiaomi software.
  • On some Xiaomi devices, when setting the password length to more than 5 characters in a policy, the user will be prompted to change the screen unlock password instead of the PIN code. You cannot set a PIN code that has more than 5 characters. This issue is due to some features of Xiaomi software.
  • On Xiaomi devices with MIUI firmware running Android 6, the Kaspersky Endpoint Security for Android icon may be hidden in the status bar. This issue is due to some features of Xiaomi software. It is recommended to allow the display of notification icons in Notifications settings.
  • On some Nexus devices running Android 6.0.1, the privileges required for proper operation cannot be granted through the Quick Start Wizard of Kaspersky Endpoint Security for Android. This issue is caused by a well-known defect in Security Patch for Android by Google. To ensure proper operation, the required privileges must be manually granted in the device settings.
  • On certain Samsung devices running Android 7.0 or later, when the user attempts to configure unsupported methods for unlocking the device (for example, a graphical password), the device may be locked if the following conditions are met: Kaspersky Endpoint Security for Android removal protection is enabled and screen unlock password strength requirements are set. To unlock the device, you must send a special command to the device.
  • On certain Samsung devices, it is impossible to block the use of fingerprints for unlocking the screen.
  • Web Protection cannot be enabled on some Samsung devices, if the device is connected to a 3G/4G network, has Battery Saver mode enabled and restricts background data. It is recommended to disable the function that restricts background processes in Battery Saver settings.
  • On certain Samsung devices, if the unlock password does not comply with corporate security requirements, Kaspersky Endpoint Security for Android does not block the use of fingerprints for unlocking the screen.
  • After executing Anti-Theft commands (such as Locate, Device Lock, Unlock, and Mugshot), the mobile certificate and the VPN certificate may be deleted on some Samsung devices. The certificates have to be reinstalled to continue. This issue occurs due to the Mobile Device Fundamentals Protection Profile (MDFPP) security standard.
  • On some Honor and HUAWEI devices, you cannot restrict the use of Bluetooth. When Kaspersky Endpoint Security for Android attempts to restrict the use of Bluetooth, the operating system shows a notification containing the options to reject or allow this restriction. The user can reject this restriction and continue to use Bluetooth.
  • On some Samsung devices, after Kaspersky Endpoint Security is installed or updated from a standalone installation package, KNOX MDM profile activation is unavailable.
  • On Blackview devices, the user can clear the memory for the Kaspersky Endpoint Security for Android app. As a result, the device protection and management are disabled, all defined settings become ineffective, and the Kaspersky Endpoint Security for Android app is removed from the Accessibility features. This is because this vendor's devices provide the customized Recent screens app with elevated privileges. This app can override Kaspersky Endpoint Security for Android settings and cannot be replaced because it is part of the Android operating system.
  • On some Google Pixel devices running Android 11 or earlier, the Kaspersky Endpoint Security for Android app crashes immediately after the start. This is caused by an issue in Android.
  • On some TECNO and OnePlus devices, the user can unlock the device using face scanning, even if this biometric unlock method is prohibited by the policy.
  • On some devices (for example, Xiaomi, TECNO, and Realme) running Android 9 or later, when you select the Prohibit changing language check box in device owner mode, the user still can change the language, and no warning message appears.
  • On some Xiaomi devices, when deploying the Kaspersky Endpoint Security for Android app via an installation package downloaded from Kaspersky Security Center, the built-in device anti-virus may suggest downloading the app from a trusted service, for example, Xiaomi GetApps. This is because the certificate used to sign the installation package differs from the one specified in the app marketplace. If the app is installed from the app marketplace, a subsequent upgrade may fail. To prevent this, the user should continue the installation by clicking the Ignore button in the Security risks detected message that appears.
  • On some HUAWEI devices, the Accessibility permissions may be reset after starting the built-in Digital Balance app.
  • On some Sony and Google Pixel devices running Android 13 or later, the Kaspersky Endpoint Security Help, which has information about enabling accessibility is displayed incorrectly.
  • On Samsung Galaxy S23 and S24 series devices Real-Time Protection may not work.

Known issues in app operation on Android 13

  • On Android 13, the user can use the Foreground Services Task Manager to stop Kaspersky Endpoint Security from running in the background. This is caused by a well-known issue in Android 13.
  • On Android 13, the permission to send notifications is requested when the initial app configuration begins. This is due to specifics of the Android 13 operating system.

Known issues when adding web clips

  • The maximum number of web clips that can be added to an Android device depends on the device type. When this number is reached, web clips are no longer added to the Android device.

Known issues in device owner mode

  • Some device owner mode features and control options may not work properly on Xiaomi devices (including Redmi and POCO) due to vendor specifics.
    • Restricting Android features may not work on Xiaomi, Redmi, and POCO devices for the following control options:
      • Prohibit modification of apps in Settings
      • Prohibit uninstallation of apps
    • Other issues:
      • When installing the Kaspersky Endpoint Security for Android app in device owner mode on Xiaomi devices running Android 12, the app does not start automatically once the device setup completes. Please start the app manually.
      • When setting up permissions for Kaspersky Endpoint Security for Android on Xiaomi MI A3 devices running stock Android 11, you may need to provide the Accessibility permission twice for the settings to apply. After Allow is selected, you may be redirected to the Accessibility permission request again. Please turn the switch to OFF and then to ON again to apply the changes and continue the setup.
      • Kaspersky Endpoint Security for Android removal protection feature may not work on some Xiaomi devices. This issue is caused by the specifics of MIUI 7 and 8 firmware on Xiaomi.
  • On certain devices running Android 10 or earlier, if you select the Prohibit modification of apps in Settings check box when configuring restrictions for apps, the user still can clear app defaults and stop apps in app settings. This is due to Android operating system specifics.
  • Managing update settings on mobile devices is vendor-specific. On some Android devices, the restriction on manual installation of operating system updates may work incorrectly.
  • The Kaspersky Endpoint Security for Android app can't be installed in device owner mode on the following devices: Honor 30i (Android 10), HUAWEI y8p, HUAWEI Y5 (Android 8.0), HUAWEI Mate 40 PRO (Android 10), Xiaomi Redmi 4X (Android 7.1), Honor 5c (Android 7.0, EMUI 5.0). This is due to the device firmware specifics: the QR code scanner is not available after the device is reset to factory settings.
  • On devices with Android 10, location permissions are automatically set to Allow only while using the app instead of Allow all the time and can't be changed by the administrator or users. This issue is caused by a well-known bug in Android 10.
  • The Prohibit screen capture restriction does not block the device user from capturing the device settings screen.
  • On some Samsung and Xiaomi devices, the Prohibit file transfer over USB restriction does not block the device user from transferring files via Android Debug Bridge (ADB).
  • On some devices (for example, Samsung, Oppo, or Google Pixel), if the Forbidden apps are installed non-compliance criterion is detected, and then the time period allocated for the user to fix this non-compliance expires, the selected action may be performed with a delay or may require device synchronization with Kaspersky Security Center.

Known issues in kiosk mode

  • On iOS MDM devices running iOS 17 and iPadOS 17, if the Auto-Rotate Screen check box is cleared in Kiosk mode settings, screen orientation still changes automatically when the device is rotated.

Known issues with app configurations

  • The Set Restricted Mode for YouTube, Enforce at least moderate restricted mode, Do not enforce restricted mode settings do not work for Google Chrome. This issue is caused by a well-known defect in Google Chrome.
Page top
[Topic 153756]