Management of mobile device settings

This section contains information about how to remotely manage the settings of mobile devices in the Administration Console of Kaspersky Security Center.

Configuring connection to a Wi-Fi network

This section provides instructions on how to configure automatic connection to a corporate Wi-Fi network on Android and iOS MDM devices.

Connecting Android devices to a Wi-Fi network

Expand all | Collapse all

For an Android device to automatically connect to an available Wi-Fi network and protect data during the connection, you should configure the connection settings.

To connect the mobile device to a Wi-Fi network:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Wi-Fi section.
5. In the Wi-Fi networks section, click Add.

   This opens the Wi-Fi network window.

6. In the Service set identifier (SSID) field, enter the name of the Wi-Fi network that includes the access point (SSID).
7. Select the Hidden network check box if you want the Wi-Fi network to be hidden in the list of available networks on the device. In this case, to connect to the network the user needs to manually enter the Service set identifier (SSID) specified in the settings of the Wi-Fi router on the mobile device.
8. Select the Automatic connection to network check box if you want the device to connect to the Wi-Fi network automatically.
9. In the Network protection section, select the type of Wi-Fi network security (open or secure network protected with the WEP, WPA/WPA2 PSK, or 802.1.x EAP protocol).

   The 802.1.x EAP security protocol is supported only in the Kaspersky Endpoint Security for Android app version 10.48.1.1 or later. The WEP protocol is supported only on Android 9 or earlier.

10. If you selected the 802.1.x EAP security protocol, specify the following network protection settings:
    • EAP method

      Specifies an Extensible Authentication Protocol (EAP) method of network authentication. Possible values:

      • TLS (default)
      • PEAP
      • TTLS
    • Root certificate

      Specifies the root certificate to be used by the Wi-Fi network if the TLS EAP method is selected.

      You can specify a certificate in one of the following ways:

      • Select any available certificate from the drop-down list. It contains certificates previously added to the Root certificates section. On devices, these certificates are installed to a trusted certificate store.
      • Load a new certificate file (.cer, .pem, or .key) by clicking Browse. This certificate will not be added to the Root certificates section. On devices, the certificate will be used only for configuring this Wi-Fi network and will not be installed to a trusted certificate store.
    • Domain

      Specifies the constraint for the server domain name.

      If set, this Fully Qualified Domain Name (FQDN) is used as a suffix match requirement for the root certificate in SubjectAltName dNSName element(s). If a matching dNSName is found, this constraint is met.

      You can specify multiple match strings using semicolons to separate the strings. A match with any of the values is considered a sufficient match for the certificate (i.e., the OR operator is used).

      If you specify *, any root certificate is considered valid. This value is specified by default.

    • User certificate

      Specifies the user certificate to be used by the Wi-Fi network if the TLS EAP method is selected.

      The following values are available in the drop-down list:

      • None - The user certificate is not specified.
      • VPN certificate - The VPN certificate that was last added in the Mobile Device Management > Certificates section of the Kaspersky Security Center Administration Console and was installed on the user device. If you choose this option, but no VPN certificate is installed on the device, the user certificate is not used for this Wi-Fi network.
      • List of SCEP certificate profiles configured in the SCEP and NDES section and used to obtain certificates.
    • Type of two-factor authentication

      Specifies a two-factor authentication type. Possible values:

      • None (default)
      • MSCHAP
      • MSCHAPV2
      • GTC
    • User identity

      Specifies a user ID to be used if the TLS EAP method is selected. You can either enter the value or select it from the Available macros drop-down list.

    • Anonymous identity

      Specifies an anonymous identity that is different from User identity and is used if the PEAP method of network authentication is selected. You can either enter the value or select it from the Available macros drop-down list.

    • Available macros

      A macro that will be used to replace values in the corresponding fields. Possible values:

      • %email%. Specifies the email address of the user to whom the device is registered. The value is retrieved from a mobile certificate.
      • %email_domain%. Specifies the email address domain of the user to whom the device is registered. The value is retrieved from a mobile certificate.
      • %email_user_name%. Specifies the username from the email address to which the device is registered. The value is retrieved from a mobile certificate.
      • %user_name%. Specifies the username under which the device is registered. The value is retrieved from a mobile certificate.
      • %device_id%. Specifies the ID of the device.
      • %group_id%. Specifies the ID of the administration group to which the device belongs to.
      • %device_platform%. Specifies the device platform.
      • %device_model%. Specifies the device model.
      • %os_version%. Specifies the operating system version on the device.
    • Password

      Specifies a password for accessing a wireless network protected using a WEP or WPA2 PSK protocol. The password will be sent in QR code.

      Do not use a password for a confidential Wi-Fi network. The password is sent to the user in the open way along with other necessary configuration data.

11. In the Password field, set a network access password if you selected a secure network at step 9.
12. Select the Use proxy server option if you want to use a proxy server to connect to a Wi-Fi network. Otherwise, select the Do not use proxy server option.
13. If you selected Use proxy server, in the Proxy server address and port field, enter the IP address or DNS name of the proxy server and port number, if necessary.

    On devices running Android version 8.0 or later, settings of the proxy server for Wi-Fi cannot be redefined with the policy. However, you can manually configure the proxy server settings for a Wi-Fi network on the mobile device.

    If you are using a proxy server to connect to a Wi-Fi network, you can use a policy to configure the settings for connecting to the network. On devices running Android 8.0 or later, you must manually configure the proxy server settings. On devices running Android 8.0 or later, you cannot use a policy to change the Wi-Fi network connection settings, except for the network access password.

    If you are not using a proxy server to connect to a Wi-Fi network, there are no limitations on using policies to manage a Wi-Fi network connection.

14. In the Do not use proxy server for addresses field, generate a list of web addresses that can be accessed without the use of the proxy server.

    For example, you can enter the address example.com. In this case, the proxy server will not be used for the addresses pictures.example.com, example.com/movies, etc. The protocol (for example, http://) can be omitted.

    On devices running Android version 8.0 or later, the proxy server exclusion for web addresses does not work.

15. Click OK.

    The added Wi-Fi network is displayed in the list of Wi-Fi networks.

    This list contains the names of suggested wireless networks.

    On personal devices running Android 10 or later, the operating system prompts the user to connect to such networks. Suggested networks don't appear on the saved networks list on these devices.

    On devices operating in device owner mode and personal devices running Android 9 or earlier, after synchronizing the device with the Administration Server, the device user can select a suggested wireless network in the saved networks list and connect to it without having to specify any network settings.

    You can modify or delete Wi-Fi networks in the list of networks using the Edit and Delete buttons at the top of the list.

16. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

On devices running Android version 10 or later, if a user refuses to connect to the suggested Wi-Fi network, the app's permission to change Wi-Fi state is revoked. The user must grant this permission manually.

Connecting iOS MDM devices to a Wi-Fi network

For an iOS MDM device to automatically connect to an available Wi-Fi network and protect data during the connection, you should configure the connection settings.

To configure the connection of an iOS MDM device to a Wi-Fi network:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Wi-Fi section.
5. Click the Add button in the Wi-Fi networks section.

   This opens the Wi-Fi network window.

6. In the Service set identifier (SSID) field, enter the name of the Wi-Fi network that includes the access point (SSID).
7. If you want the iOS MDM device to connect to the Wi-Fi network automatically, select the Automatic connection check box.
8. To make it impossible to connect iOS MDM devices to a Wi-Fi network requiring preliminary authentication (captive network), select the Bypass captive portal check box.

   To use a captive network, you must subscribe, accept an agreement, or make a payment. Captive networks may be deployed in cafes and hotels, for example.

9. If you want the Wi-Fi network to be hidden in the list of available networks on the iOS MDM device, select the Hidden Network check box.

   In this case, to connect to the network the user needs to manually enter the Service set identifier (SSID) specified in the settings of the Wi-Fi router on the mobile device.

10. In the Network protection drop-down list, select the type of protection of the Wi-Fi network connection:
    • Disabled. User authentication is not required.
    • WEP. The network is protected using Wireless Encryption Protocol (WEP).
    • WPA/WPA2 (Personal). The network is protected using WPA / WPA2 protocol (Wi-Fi Protected Access).
    • WPA2 (Personal). The network is protected using WPA2 protocol (Wi-Fi Protected Access 2.0). WPA2 protection is available on devices running iOS version 8 or later. WPA2 is not available on Apple TV devices.
    • Any (Personal). The network is protected using the WEP, WPA or WPA2 encryption protocol depending on the type of Wi-Fi router. An encryption key unique to each user is used for authentication.
    • WEP (Dynamic). The network is protected using the WEP protocol with the use of a dynamic key.
    • WPA/WPA2 (Enterprise). The network is protected using the WPA/WPA2 encryption protocol with use of the 802.1X protocol.
    • WPA2 (Enterprise). The network is protected using the WPA2 encryption protocol with the use of one key shared by all users (802.1X). WPA2 protection is available on devices running iOS version 8 or later. WPA2 is not available on Apple TV devices.
    • Any (Enterprise). The network is protected using WEP or WPA / WPA2 protocol depending on the type of Wi-Fi router. One encryption key shared by all users is used for authentication.

    If you have selected WEP (Dynamic), WPA/WPA2 (Enterprise), WPA2 (Enterprise) or Any (Enterprise) in the Network protection list, in the Protocols section you can select the types of EAP protocols (Extensible Authentication Protocol) for user identification on the Wi-Fi network.

    In the Trusted certificates section, you can also create a list of trusted certificates for authentication of the iOS MDM device user on trusted servers.

11. Configure the settings of the account for user authentication upon connection of the iOS MDM device to the Wi-Fi network:
    1. In the Authentication section, click the Configure button.

       The Authentication window opens.

    2. In the User name field, enter the account name for user authentication upon connection to the Wi-Fi network.
    3. To require the user to enter the password manually upon every connection to the Wi-Fi network, select the Prompt for password at each connection check box.
    4. In the Password field, enter the password of the account for authentication on the Wi-Fi network.
    5. In the Authentication certificate drop-down list, select a certificate for user authentication on the Wi-Fi network. If the list does not contain any certificates, you can add them in the Certificates section.
    6. In the User ID field, enter the user ID displayed during data transmission upon authentication instead of the user's real name.

       The user ID is designed to make the authentication process more secure, as the user name is not displayed openly, but transmitted via an encrypted TLS tunnel.

    7. Click OK.

    As a result, the settings of the account for user authentication upon connection to the Wi-Fi network will be configured on the iOS MDM device.

12. If necessary, configure the settings of the Wi-Fi network connection via a proxy server:
    1. In the Proxy server section, click the Configure button.
    2. In the Proxy server window that opens, select the proxy server configuration mode and specify the connection settings.
    3. Click OK.

    As a result, the settings of the device connection to the Wi-Fi network via a proxy server are configured on the iOS MDM device.

13. Click OK.

    The new Wi-Fi network is displayed in the list.

14. Click the Apply button to save the changes you have made.

As a result, a Wi-Fi network connection will be configured on the user's iOS MDM device once the policy is applied. The user's mobile device will automatically connect to available Wi-Fi networks. Data security during a Wi-Fi network connection is ensured by the authentication technology.

Configuring email

This section contains information on configuring mailboxes on mobile devices.

Configuring a mailbox on iOS MDM devices

To enable an iOS MDM device user to work with email, add the user's email account to the list of accounts on the iOS MDM device.

By default, the email account is added with the following settings:

• Email protocol – IMAP.
• The user can move email messages between the user's accounts and synchronize account addresses.
• The user can use any email clients (other than Mail) to use email.
• The SSL connection is not used during transmission of messages.

You can edit the specified settings when adding the account.

To add an email account of the iOS MDM device user:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Email.
5. Click the Add button in the Email account section.

   The Email account window opens.

6. In the Description field, enter a description of the user's email account.
7. Select the email protocol:
   • POP
   • IMAP
8. If necessary, specify the IMAP path prefix in the IMAP path prefix field.

   The IMAP path prefix must be entered using upper-case letters (for example: GMAIL for Google Mail). This field is available if the IMAP account protocol is selected.

9. In the User name as displayed in messages field, enter the user name to be displayed in the From: field for all outgoing messages.
10. In the Email address field, specify the email address of the iOS MDM device user.
11. Configure Additional Settings of the email account:
    • To allow the user to move email messages between the user's accounts, select the Allow movement of messages between accounts check box.

      If you want to prohibit saving, moving, and sharing attachments from a corporate mailbox, clear the Allow movement of messages between accounts, Allow non-managed apps to use documents from managed apps, and Allow managed apps to use documents from non-managed apps check boxes.

    • To allow the email addresses used to be synchronized among user accounts, select the Allow sync of recent addresses check box.
    • To allow a user to use the Mail Drop service to forward large-sized attachments, select the Allow Mail Drop check box.
    • To allow the user to use only the standard iOS mail client, select the Allow use of only Mail app check box.
12. Configure the settings for using the S/MIME protocol in the Mail app. S/MIME is a protocol for transmitting digitally signed encrypted messages.
    • To use the S/MIME protocol to sign outgoing mail, select the Sign messages check box and select a certificate for the signature. A digital signature confirms the authenticity of the sender and indicates that the contents of the message have not been modified during transmission to the recipient. A message signature is available on devices running iOS version 10.3 or later.
    • To use the S/MIME protocol to encrypt outgoing mail, select the Encrypt messages by default check box and select a certificate for encryption (public key). Message encryption is available on devices running iOS version 10.3 or later.
    • To enable a user to encrypt individual messages, select the Show toggle button for encrypting messages check box. To send encrypted messages, the user must click the icon in the Mail app in the To field.
13. In the Inbound mail server and Outbound mail server sections, click the Configure button to configure the server connection settings:
    • Server address and port: Names of hosts or IP addresses of inbound mail servers and outbound mail servers and server port numbers.
    • Account name: Name of the user's account for inbound and outbound mail server authorization.
    • Authentication type: Type of user's email account authentication on inbound mail servers and outbound mail servers.
    • Password: Account password for authentication on the inbound and outbound mail server protected using the selected authentication method.
    • Use one password for incoming and outgoing mail servers: use one password for user authentication on incoming and outgoing mail servers.
    • Use SSL connection: usage of the SSL (Secure Sockets Layer) data transport protocol that uses encryption and certificate-based authentication to secure data transmission.
14. Click OK.

    The new email account appears in the list.

15. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, email accounts from the compiled list will be added on the user's mobile device.

Configuring an Exchange mailbox on iOS MDM devices

To enable the iOS MDM device user to use corporate email, calendar, contacts, notes, and tasks, add the user's Exchange ActiveSync account on the Microsoft Exchange server.

By default, an account with the following settings is added on the Microsoft Exchange server:

• Email is synchronized once per week.
• The user can move messages between the user's accounts and synchronize account addresses.
• The user can use any email clients (other than Mail) to use email.
• The SSL connection is not used during transmission of messages.

You can edit the specified settings when adding the Exchange ActiveSync account.

To add the Exchange ActiveSync account of the iOS MDM device user:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Exchange ActiveSync section.
5. Click the Add button in the Exchange ActiveSync accounts section.

   The Exchange ActiveSync account window opens on the General tab.

6. In the Account name field, enter the account name for authorization on the Microsoft Exchange server. You can use macros from the Macros available drop-down list.
7. In the Server address field, enter the network name or IP address of the Microsoft Exchange server.
8. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of data, select the Use SSL connection check box.
9. In the Domain field, enter the name of the iOS MDM device user's domain. You can use macros from the Macros available drop-down list.
10. In the Account User Name field, enter the name of the iOS MDM device user.

    If you leave this field blank, Kaspersky Device Management for iOS prompts the user to enter the user name when applying the policy on the iOS MDM device. You can use macros from the Macros available drop-down list.

11. In the Email address field, specify the email address of the iOS MDM device user. You can use macros from the Macros available drop-down list.
12. In the Password field, enter the password of the Exchange ActiveSync account for authorization on the Microsoft Exchange server.
13. Select the Additional tab and configure the additional settings of the Exchange ActiveSync account:
    • Number of Days to Sync Mail for <time period>.
    • Authentication type.
    • Allow movement of messages between accounts.

      If you want to prohibit saving, moving, and sharing attachments from a corporate mailbox, clear the Allow movement of messages between accounts, Allow non-managed apps to use documents from managed apps, and Allow managed apps to use documents from non-managed apps check boxes.

    • Allow sync of recent addresses.
    • Allow use of only Mail app.
14. Configure the settings for using the S/MIME protocol in the Mail app. S/MIME is a protocol for transmitting digitally signed encrypted messages.
    • To use the S/MIME protocol to sign outgoing mail, select the Sign messages check box and select a certificate for the signature. A digital signature confirms the authenticity of the sender and indicates that the contents of the message have not been modified during transmission to the recipient. A message signature is available on devices running iOS version 10.3 or later.
    • To use the S/MIME protocol to encrypt outgoing mail, select the Encrypt messages by default check box and select a certificate for encryption (public key). Message encryption is available on devices running iOS version 10.3 or later.
    • To enable a user to encrypt individual messages, select the Show toggle button for encrypting messages check box. To send encrypted messages, the user must click the icon in the Mail app in the To field.
15. Click OK.

    The new Exchange ActiveSync account appears in the list.

16. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, Exchange ActiveSync accounts from the compiled list will be added on the user's mobile device.

Configuring an Exchange mailbox on Android devices (only Samsung)

To work with corporate mail, contacts, and the calendar on the mobile device, you should configure the Exchange mailbox settings (available only on Android 9 and earlier).

Configuration of an Exchange mailbox is possible only for Samsung devices.

To configure an Exchange mailbox on a mobile device:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Manage Samsung KNOX → Manage Samsung device section.
5. In the Exchange ActiveSync window, click the Configure button.

   The Exchange mail server settings window opens.

6. In the Server address field, enter the IP address or DNS name of the server hosting the mail server.
7. In the Domain field, enter the name of the mobile device user's domain on the corporate network.
8. In the Synchronization interval drop-down list, select the desired interval for mobile device synchronization with the Microsoft Exchange server.
9. To use the SSL (Secure Sockets Layer) data transport protocol, select the Use SSL connection check box.
10. To use digital certificates to protect data transfer between the mobile device and the Microsoft Exchange server, select the Verify server certificate check box.
11. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Configuring device status in Kaspersky Security Center

To configure the device status in Kaspersky Security Center:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Device information section.
5. In the window that opens, select the OK, Critical, or Warning status for each of the following conditions:
   • Real-time protection is not running
   • Web Protection is not running
   • App Control is not running
   • Device lock is not available
   • Device locate is not available
   • The versions of the KSN Statement do not match
   • The versions of the Marketing Statement do not match
6. Click the OK button.

Managing app configurations

This section provides instructions on how to manage settings and edit configurations of the apps installed on your users' devices.

Managing Google Chrome settings

Expand all | Collapse all

The Google Chrome settings section lets you manage settings of Google Chrome installed in Android work profile or on devices managed via the Kaspersky Endpoint Security for Android app in device owner mode.

To open the Google Chrome settings section:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the App configuration > Google Chrome settings section.

Manage content settings

On the Content tab of the Google Chrome settings section, you can specify the following content settings:

• Set default cookie settings

  Default cookie settings.

  If the check box is selected, one of the following options will be applied to all sites by default:

  • Allow all sites to set local data (default)
  • Do not allow any site to set local data

  • If the check box is cleared, the user's personal settings will be applied.

    The setting is supported in Google Chrome version 30 or later.

    This check box is selected by default.

    There must be no conflicting URL patterns that you specify in the Allow cookies on these sites, Block cookies on these sites, and Allow cookies on these sites for one session only fields. If no URL is specified and the Set default cookies settings check box is selected, the option selected in the drop-down list will be applied to all sites.

• Allow cookies on these sites

  A list of sites that are allowed to set cookies. You can also set URL patterns, for example: [*.]example.com.

  The setting is supported in Google Chrome version 30 or later.

• Block cookies on these sites

  A list of sites that are prohibited to set cookies. You can also set URL patterns, for example: [*.]example.com.

  The setting is supported in Google Chrome version 30 or later.

• Allow cookies on these sites for one session only

  A list of sites that are allowed to set cookies only for one session. You can also set URL patterns, for example: [*.]example.com.

  The setting is supported in Google Chrome version 30 or later.

• Set default JavaScript settings

  Default JavaScript settings.

  If the check box is selected, one of the following options will be applied and the device user will not be able to change it:

  • Allow all sites to run JavaScript (default)
  • Do not allow any site to run JavaScript

    If the check box is cleared, user personal settings will be applied.

    The setting is supported in Google Chrome version 30 or later.

    This check box is cleared by default.

    If the Allow JavaScript on these sites and Block JavaScript on these sites settings are not specified and the Set default JavaScript settings check box is selected, the selected option will be applied to all sites.

• Allow JavaScript on these sites

  A list of sites that are allowed to run JavaScript. You can also set URL patterns, for example: [*.]example.com.

  The setting is supported in Google Chrome version 30 or later.

  If the Allow JavaScript on these sites and Block JavaScript on these sites settings are not specified and the Set default JavaScript settings check box is selected, the selected option will be applied to all sites.

• Block JavaScript on these sites

  A list of sites that are prohibited to run JavaScript. You can also set URL patterns, for example: [*.]example.com.

  The setting is supported in Google Chrome version 30 or later.

  If the Allow JavaScript on these sites and Block JavaScript on these sites settings are not specified and the Set default JavaScript settings check box is selected, the selected option will be applied to all sites.

• Set default pop-up settings (based on Google abusive pop-ups database)

  Default pop-up setting.

  If the check box is selected, one of the following options applies to pop-ups:

  • Allow all sites to show pop-ups. Lets all sites open pop-up windows. This value is selected by default.
  • Do not allow any site to show pop-ups. Prohibits all sites to open pop-up windows.

    Only those pop-ups will be blocked that are included into the Google abusive pop-ups database.

    If the check box is cleared, pop-ups are blocked, but a device user can change this behavior in Settings.

    The setting is supported in Google Chrome version 33 or later.

    The check box is cleared by default.

    If the Allow pop-ups on these sites and Block pop-ups on these sites (based on Google abusive pop-ups database) settings are not specified and the Set default pop-up settings check box is selected, the selected option will be applied to all sites.

• Allow pop-ups on these sites

  A list of sites that are allowed to show pop-ups. You can also set URL patterns, for example: [*.]example.com.

  The setting is supported in Google Chrome version 34 or later.

  If the Allow pop-ups on these sites and Block pop-ups on these sites settings are not specified and the Set default pop-up settings check box is selected, the selected option will be applied to all sites.

• Block pop-ups on these sites (based on Google abusive pop-ups database)

  A list of sites that are prohibited to show pop-ups. You can also set URL patterns, for example: [*.]example.com.

  Only those pop-ups will be blocked that are included into the Google abusive pop-ups database.

  The setting is supported in Google Chrome version 34 or later.

  If the Allow pop-ups on these sites and Block pop-ups on these sites settings are not specified and the Set default pop-up settings check box is selected, the selected option will be applied to all sites.

• Set user location tracking settings

  The default geographic location settings.

  If the check box is selected, one of the following options will be applied to all sites by default:

  • Allow all sites to track location
  • Do not allow any site to track location
  • Ask whenever site wants to track location (default)

    If the check box is cleared, user personal settings will be applied.

    The setting is supported in Google Chrome version 30 or later.

    This check box is cleared by default.

Manage proxy settings

On the Proxy tab of the Google Chrome settings section, you can specify the following proxy settings:

• Set proxy mode

  Proxy settings for Google Chrome and ARC-apps.

  If the check box is selected, one of the following options will be applied and the device user is prevented from changing proxy settings:

  • Never use proxy. Prohibits use of proxies and all other proxy settings are ignored. This option is selected by default.
  • Detect proxy settings automatically. Detects proxy settings automatically and all other options are ignored.
  • Use PAC file. Uses the proxy PAC file specified in the PAC file URL field.
  • Use fixed proxy servers. Uses the data specified in the Proxy server URL and Bypass list fields.
  • Use system proxy settings. Uses the system proxy settings.

    If the check box is cleared, user personal settings will be applied.

    The setting is supported in Google Chrome version 30 or later.

    This check box is selected by default.

• Proxy server URL

  A URL of the proxy server.

  The setting is supported in Google Chrome version 30 or later.

• PAC file URL

  A URL to a proxy .PAC file.

  The setting is supported in Google Chrome version 30 or later.

• Bypass list

  A list of hosts for which the proxy will be bypassed.

  The setting is supported in Google Chrome version 30 or later.

Manage search settings

On the Search tab of the Google Chrome settings section, you can specify the following search settings:

• Enable Touch to Search

  Selecting or clearing this check box specifies whether the device user is allowed to use Touch to Search and turn the feature on or off.

  The setting is supported in Google Chrome version 40 or later.

  This check box is selected by default.

• Enable default search provider

  Default search provider settings.

  If the check box is selected, a default search provider is used when a user enters non-URL text in the address bar. The default search provider depends on search provider settings below this check box:

  • If you leave search provider settings empty, the device user can choose the search provider in the browser settings.
  • If you configure settings of the default search provider, this search provider is always used, and the device user can't choose the search provider in the browser.

  This check box is selected by default, but the default search provider settings are not configured.

  If you want to disable search in Google Chrome, we recommend that you leave the Enable default search provider check box selected and set the Search provider name parameter to the site of a non-search system. On some Google Chrome versions, there can be problems in Google Chrome operation if the check box is cleared.

  The setting is supported in Google Chrome version 30 or later.

  The default search provider parameters are:

  • Search provider name
  • Keyword
  • Search URL
  • Suggest URL
  • Icon URL
  • Encodings
  • Alternate URLs
  • Image URL
  • New tab URL
  • Parameters for search URL that uses POST
  • Parameters for suggest URL that uses POST
  • Parameters for image URL that uses POST
• Search provider name

  The default search provider name.

  The setting is supported in Google Chrome version 30 or later.

• Search URL

  The URL of the search engine used during default searches.

  The setting is supported in Google Chrome version 30 or later.

• Icon URL

  The URL of the default search provider's favicon.

  The setting is supported in Google Chrome version 30 or later.

• Encodings

  Character encodings supported by the search provider. The supported encodings are:

  • UTF-8
  • UTF-16
  • GB2312
  • ISO-8859-1

    The setting is supported in Google Chrome version 30 or later.

• Alternate URLs

  A list of alternate URLs to retrieve search terms from the search engine.

  The setting is supported in Google Chrome version 30 or later.

• New tab URL

  The URL of the search engine used to provide a New Tab page.

  The setting is supported in Google Chrome version 30 or later.

• Parameters for search URL that uses POST

  URL parameters when searching a URL with the POST method. The parameters are comma-separated key-value pairs. If a value is a template parameter, for example, '{searchTerms}', it is replaced with real search terms. For example:

  q={searchTerms},ie=utf-8,oe=utf-8

  The setting is supported in Google Chrome version 30 or later.

• Parameters for suggest URL that uses POST

  URL parameters for search suggestions using the POST method. The parameters are comma-separated key-value pairs. If a value is a template parameter, for example, '{searchTerms}', it is replaced with real search terms. For example:

  q={searchTerms},ie=utf-8,oe=utf-8

  The setting is supported in Google Chrome version 30 or later.

• Parameters for image URL that uses POST

  URL parameters for image search using the POST method. The parameters are comma-separated key-value pairs. If a value is a template parameter, for example, '{imageThumbnail}', it is replaced with the real image thumbnail. For example:

  content={imageThumbnail},url={imageURL},sbisrc={SearchSource}

  The setting is supported in Google Chrome version 30 or later.

Manage password settings

On the Passwords tab of the Google Chrome settings section, you can specify the following password settings:

• Enable saving passwords

  Selecting or clearing the check box specifies whether Google Chrome will remember the passwords the device user enters and also offer them the next time the device user signs in.

  The setting is supported in Google Chrome version 30 or later.

  This check box is selected by default.

Manage page settings

On the Pages tab of the Google Chrome settings section, you can specify the following page settings:

• Enable alternate error pages

  Selecting the check box specifies whether Google Chrome is allowed to use built-in error pages, such as "Page not found".

  The setting is supported in Google Chrome version 30 or later.

  This check box is selected by default.

• Enable AutoFill for addresses

  Autofill settings for addresses.

  If the check box is selected, the device user is allowed to manage AutoFill for addresses in the user interface.

  If the check box is cleared, AutoFill never suggests or fills in address information, nor does it save additional address information that the device user submits while browsing the web.

  The setting is supported in Google Chrome version 69 or later.

  This check box is selected by default.

• Enable AutoFill for credit cards

  Autofill settings for credit cards.

  If the check box is selected, the device user is allowed to manage AutoFill suggestions for credit cards in the user interface.

  If the check box is cleared, AutoFill never suggests or fills in credit card information, nor does it save additional credit card information that the device user might submit while browsing the web.

  The setting is supported in Google Chrome version 63 or later.

  This check box is selected by default.

Manage other settings

On the Other tab of the Google Chrome settings section, you can specify the following settings:

• Enable printing

  Selecting or clearing this check box specifies whether the device user is allowed to print in Google Chrome.

  The setting is supported in Google Chrome version 39 or later.

  This check box is selected by default.

• Set Google Safe Browsing settings

  Google Safe Browsing protection level.

  If the check box is selected, the device user is allowed to manage the Google Safe Browsing settings in Google Chrome, as well as select the protection level. The protection levels are:

  • Google Safe Browsing is never active. Disables Google Safe Browsing completely.
  • Google Safe Browsing is active in standard mode. Makes Google Safe Browsing always enabled in standard protection mode. This option is selected by default.
  • Google Safe Browsing is active in enhanced mode. Makes Google Safe Browsing always enabled in enhanced protection mode, but device user browsing experience data will be sent to Google.

    If the check box is cleared, Google Safe Browsing will operate in standard protection mode and the device user is allowed to change Google Safe Browsing settings.

    The setting is supported in Google Chrome version 87 or later.

    This check box is selected by default.

• Disable saving browser history

  Selecting or clearing this check box specifies whether browsing history is saved and tab syncing is on.

  The setting is supported in Google Chrome version 30 or later.

  This check box is cleared by default.

• Disable proceeding from Google Safe Browsing warning page

  Selecting or clearing this check box specifies whether the device user is allowed to proceed to the flagged site on Google Safe Browsing warnings, such as malware and phishing. The restriction does not apply to issues related to SSL certificate, such as invalid or expired certificates.

  The setting is supported in Google Chrome version 30 or later.

  This check box is cleared by default.

• Enable network prediction

  Selecting or clearing this check box specifies whether Google Chrome will predict such network actions as DNS prefetching, TCP and SSL preconnection and prerendering of webpages.

  If the check box is cleared, network prediction is disabled, but the device user can enable it.

  The setting is supported in Google Chrome version 38 or later.

  This check box is cleared by default.

• Set Restricted Mode for YouTube

  Minimum required Restricted Mode level for YouTube.

  If the check box is selected, a minimum required Restricted Mode level for YouTube is set and the device user cannot pick a less restricted mode. Restricted mode levels are:

  • Do not enforce Restricted Mode. Specifies that Google Chrome does not force Restricted mode. However, external policies might still enforce Restricted mode. This option is selected by default.
  • Enforce at least Moderate Restricted Mode. Lets a device user enable the Moderate and Strict Restricted mode on YouTube, but prohibits turning Restricted mode off.

  • If the check box is cleared, Google Chrome does not require use of Restricted mode for YouTube, but Restricted mode can be enforced by external rules, such as YouTube rules.

    The setting is supported in Google Chrome version 55 or later.

    This check box is selected by default.

• Set availability of Incognito mode

  Availability of Incognito mode in Google Chrome.

  If the check box is selected, the admin can specify whether the device user is allowed to open pages in Incognito mode by selecting one of the following options:

  • Incognito mode is available (default)
  • Incognito mode is disabled

    If the check box is cleared, the device user cannot open pages in Incognito mode in Google Chrome.

    The setting is supported in Google Chrome version 30 or later.

    This check box is selected by default.

• Enable search suggestions

  Selecting or clearing this check box specifies whether search suggestions are enabled in Google Chrome's address bar.

  The setting is supported in Google Chrome version 30 or later.

  This check box is selected by default.

• Set translation settings

  Enabling translation functionality.

  If the check box is selected, the administrator can set the following translation options:

  • Always offer translation. Shows the integrated translation toolbar and a translate option on the right-click context menu. This option is selected by default.
  • Never offer translation. Disables all built-in translation functionality.

    If the check box is cleared, the user's personal settings will be applied.

    The setting is supported in Google Chrome version 30 or later.

    This check box is cleared by default.

• Enable bookmark editing

  Selecting or clearing this check box specifies whether the device user is allowed to add, remove, or modify bookmarks.

  The setting is supported in Google Chrome version 30 or later.

  This check box is selected by default.

• Managed bookmarks

  An admin-managed list of bookmarks. The list is a dictionary where the keys are the "name" and "url". In other words, the key holds a bookmark's name and target. You can also set up a subfolder with a "children" key, which also has a list of bookmarks.

  By default, the folder name for managed bookmarks is "Managed bookmarks". You can change it by adding a new sub-dictionary. To do this, specify the "toplevel_name" key with the required folder name as its value.

  If you enter an incomplete URL as a bookmark's target, Google Chrome will substitute it with a URL as if it was submitted through the address bar. For example, "kaspersky.com" becomes "https://www.kaspersky.com".

  For example:

  "ManagedBookmarks": [{

  //Changes the default folder name

  "toplevel_name": "My managed bookmarks folder"

  },

  {

  //Adds a bookmark to the managed bookmarks folder

  "name": "Kaspersky",

  "url": "kaspersky.com"

  },

  {

  "name": "Kaspersky products",

  "children": [{

  "name": "Kaspersky Endpoint Security",

  "url": "kaspersky.com/enterprise-security/endpoint"

  },

  {

  "name": "Kaspersky Security for Mail Server",

  "url": "kaspersky.com/enterprise-security/mail-server-security"

  }

  ]

  }

  ]

  The setting is supported in Google Chrome version 37 or later.

• Block access to these URLs

  A list of forbidden URLs. You can also set URL patterns, for example: [*.]example.com.

  The setting is supported in Google Chrome version 86 or later.

• Allow access to these URLs (exceptions to blocked URLs)

  A list of URLs that are exceptions to the list specified in Block access to these URLs. You can also set URL patterns, for example: [*.]example.com.

  The setting is supported in Google Chrome version 86 or later.

Managing Exchange ActiveSync for Gmail

Expand all | Collapse all

The Exchange ActiveSync section lets you manage Exchange ActiveSync settings for Gmail installed in Android work profile or on devices managed via the Kaspersky Endpoint Security for Android app in device owner mode.

To open the Exchange ActiveSync section:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the App configuration > Exchange ActiveSync section.
5. Specify the following settings:
   • Exchange ActiveSync server address

     The Exchange ActiveSync email server URL. You don't need to use HTTP:// or HTTPS:// in front of the URL.

   • Force use of SSL

     Selecting or clearing this check box specifies whether SSL communication to the server port that you specified in the Exchange ActiveSync server address field will be used.

     This check box is selected by default.

   • Disable SSL certificate verification

     Selecting or clearing this check box specifies whether validation checks on SSL certificates used on Exchange ActiveSync servers will be performed. Performing a check is useful if certificates are self-signed.

     This check box is cleared by default.

   • Authentication type

     The authentication type used to verify a device user's email credential. Possible values:

     • Modern token-based authentication. Uses a token-based identity management method. This value is selected by default.
     • Basic authentication. Prompts the device user for their password and stores it for future use.
   • Device ID

     A string used by Kaspersky Security Center proxy or a third-party gateway to identify the device and connect it to Exchange ActiveSync. You can either enter the value or select it from the Available macros drop-down list.

   • Username

     The username that will be used to pull the username from Microsoft Active Directory. It might be different from the user's email address. You can either enter a value or select one from the Available macros drop-down list.

   • Email address

     The email address that will be used to pull the user's email address from Microsoft Active Directory. You can either enter a value or select one from the Available macros drop-down list.

   • Available macros

     A macro that will be used to replace values in the corresponding fields. Possible values:

     • %email%. Specifies the email address of the user to whom the device is registered. The value is retrieved from a mobile certificate.
     • %email_domain%. Specifies the email address domain of the user to whom the device is registered. The value is retrieved from a mobile certificate.
     • %email_user_name%. Specifies the username from the email address to which the device is registered. The value is retrieved from a mobile certificate.
     • %user_name%. Specifies the username under which the device is registered. The value is retrieved from a mobile certificate.
     • %device_id%. Specifies the ID of the device.
     • %group_id%. Specifies the ID of the administration group to which the device belongs to.
     • %device_platform%. Specifies the device platform.
     • %device_model%. Specifies the device model.
     • %os_version%. Specifies the operating system version on the device.
   • User certificate

     The string alias that represents a certificate with a private key. The certificate can be a user certificate for authentication to the Exchange ActiveSync servers.

   • Default synchronization interval

     The default time interval when the Exchange ActiveSync servers synchronize mail items to Gmail. Possible values:

     • 1 day
     • 3 days
     • 1 week (default)
     • 2 weeks
     • 1 month
   • Default email signature

     The default email signature that is automatically added at the bottom of emails.

6. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Configuring other apps

Expand all | Collapse all

The Other apps section lets you configure apps installed on devices managed via the Kaspersky Endpoint Security for Android app in device owner mode or to apps installed in Android work profile.

When configuring some apps, the certificates installed on devices via the Kaspersky Security Center can be used. In this case, you need to specify a certificate alias in the app configuration:

• VpnCert for VPN certificates.
• MailCert for mail certificates.
• SCEP_profile_name for certificates received by using SCEP.

To configure apps via the Other apps section:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the App configuration > Other apps section.
5. In the List of apps configurations section, click the Add button.

   The Add app configuration window opens.

6. In the window that opens, specify the following parameters:
   • Activate

     Specifies whether to apply the configuration to the app on the devices that fall under the policy.

     The check box is selected by default.

   • App name (cannot be left blank)

     Name of the app to which the configuration is to be applied.

     When importing a configuration from an APK file or an installation package, the value is inserted automatically.

   • Package name (cannot be left blank)

     Name of the package to which the configuration is to be applied. How to get the package name of an app

     To get the package name of an app:

     1. Open Google Play.
     2. Find the required app and open its page.

     The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

     To get the package name of an app that has been added to Kaspersky Security Center:

     1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
     2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

     In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

     If you have an app package as an APK file and want to know the app identifier, you can add the app package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

     When importing a configuration from an APK file or installation package, the value is inserted automatically.

     You can add only one configuration for each package name.

   • Version

     Version of the app, on which the created configuration will be based.

     When importing a configuration from an APK file or installation package, the value is inserted automatically.

   • Comment

     An optional comment.

7. In the same window, select how to add configuration:
   • Manually

     When this method is selected, click the Add button to add a new setting to the configuration. You need to specify the following parameters for each setting of the configuration:

     • Identifier

       Cannot be left blank. The value of this parameter is filled in manually.

     • Type

       Cannot be left blank. The value of this parameter is selected from a drop-down list.

       The following types are available:

       • String—A sequence of characters, digits, or symbols, always treated as text.
       • Boolean—True or false.
       • Integer—A numeric data type for numbers without fractions.
       • Choice—A data type that allows selecting one option from a predefined set of options.
       • Multiple choice—A data type that allows selecting one or multiple options from a list of possible options.
       • Bundle—A set of fields of any type, except for Bundle or BundleArray.
       • BundleArray—A set of bundles.
     • Value

       An optional parameter, whose value depends on the setting type.

       For some types of settings, additional parameters can be configured. For example, you can add macros for a String setting, add a field to a Bundle setting, or add a bundle to a BundleArray setting.

       It is also possible to edit a setting to be added to a bundle array by clicking the Edit button and configuring the setting's parameters.

       For information about configuring rules, please refer to the official documentation for the app to be configured.

   • Using installation package from Kaspersky Security Center

     When adding an app configuration using an installation package from Kaspersky Security Center, you need to select the app from a list of mobile app packages.

     After that, you can view the description for each setting of the configuration. These descriptions are part of the configuration file.

     Settings of configurations added using installation packages cannot be deleted.

   • Using an APK file from your computer

     When adding an app configuration by using an APK file from your computer, you must select a file saved on your computer.

     After that, you can view the description for each setting of the configuration. These descriptions are part of the configuration file.

     Settings of configurations added using APK files cannot be deleted.

   An example of configured basic parameters for the Microsoft Outlook app.

   Microsoft Outlook app configuration

   Configuration key	Description	Type	Value	Default value
   com.microsoft.outlook.EmailProfile.EmailAccountName	Username	String	The username that will be used to pull the username from Microsoft Active Directory. It might be different from the user's email address. You can either enter a value or select one from the Available macros drop-down list. For example, User.
   com.microsoft.outlook.EmailProfile.EmailAddress	Email address	String	The email address that will be used to pull the user's email address from Microsoft Active Directory. You can either enter a value or select one from the Available macros drop-down list. For example, user@companyname.com.
   com.microsoft.outlook.EmailProfile.EmailUPN	User Principal Name or username for the email profile that is used to authenticate the account	String	The name of the user in email address format. For example, userupn@companyname.com.
   com.microsoft.outlook.EmailProfile.ServerAuthentication	Authentication method	String	Username and Password – Prompts the device user for their password. Certificates – Certificate-based authentication.	Username and Password
   com.microsoft.outlook.EmailProfile.ServerHostName	ActiveSync FQDN	String	The Exchange ActiveSync email server URL. You don't need to use HTTP:// or HTTPS:// in front of the URL. For example, mail.companyname.com.
   com.microsoft.outlook.EmailProfile.AccountDomain	Email domain	String	The account domain of the user. You can either enter a value or select one from the Available macros drop-down list. For example, companyname.
   com.microsoft.outlook.EmailProfile.AccountType	Authentication type	String	ModernAuth – Uses a token-based identity management method. Specify ModernAuth as the Account Type for Exchange Online. BasicAuth – Prompts the device user for their password. Specify BasicAuth as the Account Type for Exchange On-Premises.	BasicAuth

8. Click OK to apply the configuration.

   The configuration appears in the List of apps configurations.

9. Click the Apply button to save the changes you have made.

The configuration is applied. Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

To change an app configuration:

1. In the Other apps section, select the app from the list, and then click the Edit button.

   The Edit app configuration window opens.

2. In the Edit app configuration window, you can edit a configuration of the selected app:
   • To upload a new APK file from your computer, click the Select button.
   • To add a new setting to the configuration, click the Add button below all the settings, and then specify the required parameters.
   • To delete a setting added manually, click the X button in the upper right corner of the setting's field.
3. Click OK to close the Edit app configuration window.
4. Click the Apply button to save the changes you have made.

The applied configuration is edited. Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

To enable or disable the app configuration:

1. In the Other apps section, select the app from the list.
2. Do either of the following:
   • Switch the toggle button to On to enable the configuration.
   • Switch the toggle button to Off to disable the configuration.
3. Click the Apply button to save the changes you have made.

The applied configuration is edited. Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

To delete an app configuration:

1. In the Other apps section, select the app from the list, and then click the Delete button.
2. Click the Apply button to save the changes you have made.

The applied configuration is deleted. Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Managing app permissions

Expand all | Collapse all

The App permission management section lets you configure rules for granting runtime permissions to apps installed on devices managed via the Kaspersky Endpoint Security for Android app in device owner mode or to apps installed in an Android work profile.

You can configure rules for granting runtime permissions by creating or editing configuration files for specific apps.

Permission granting rules configured for specific apps have precedence over the general policy for granting permissions to apps installed on devices or in the Android work profile. For example, if you first select the Deny permissions automatically option in an Android work profile section, and then select the Grant permissions automatically option for a specific app in the App permission management section, the permission for this app will be granted automatically.

To add app permissions:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the App permission management section.
5. Click the Add button.

   The Add permission granting rules window opens.

6. Select how to add a configuration with permission granting rules:
   • Manually

     When adding a configuration manually, you need to click the Add permission button to select a permission and an action to be performed for it from the drop-down lists.

   • Using an installation package from Kaspersky Security Center

     When adding a configuration using an installation package added to Kaspersky Security Center, you need to select the app from the list of mobile app packages.

     After that, you can view a list of runtime permissions and select the action to be performed for each permission.

   • Using an APK file from your computer

     When adding an app configuration using an APK file from your computer, you need to select a file saved on your computer.

     After that, you can view a list of runtime permissions and select an action to be performed for each permission.

7. Specify the following parameters:
   • App name (cannot be left blank)

     Name of the app for which permissions are to be configured.

     When importing a configuration from an APK file or an installation package, the value is inserted automatically.

   • Package name (cannot be left blank)

     Name of the package for which permissions are to be configured.

     How to get the package name of an app

     To get the package name of an app:

     1. Open Google Play.
     2. Find the required app and open its page.

     The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

     To get the package name of an app that has been added to Kaspersky Security Center:

     1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
     2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

     In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

     If you have an app package as an APK file and want to know the app identifier, you can add the app package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

     When importing a configuration from an APK file or an installation package, the value is inserted automatically.

   • Comment

     An optional comment.

8. Click the Add permission button to open the block of the app permission configuration. You can add several permissions.

   Select one of the following permissions.

   • Permission for call handover
   • Location permissions
   • Permission to use saved geographic locations
   • Permission for activity recognition
   • Permission for answerphone voice mails
   • Permission to answer phone calls
   • Permissions for Bluetooth
   • Permissions to access body sensors data
   • Permission for phone calls
   • Permissions for camera
   • Permission to access account list
   • Permissions to access nearby devices via Wi-Fi
   • Permission to send notifications
   • Permission to manage outgoing calls
   • Permission to read calendar data
   • Permission to read call log
   • Permission to read contact list
   • Permissions to read external storage
   • Permission to read device's phone numbers
   • Permission to read phone state
   • Permissions to monitor SMS and MMS incoming messages
   • Permission to receive WAP push messages
   • Permission to record audio
   • Permission to send SMS
   • Permission to use SIP telephony
   • Permission to access devices that use UWB
   • Permission to write data to calendar
   • Permission to write and read data of call log
   • Permission to write contacts
   • Permission to write data to external storage

   To configure granting rules for app runtime permissions, you need to select one of the following actions for each permission:

   • Prompt the user for permissions

     When a permission is requested, the user decides whether to grant the specified permission to the app.

     This option is selected by default.

   • Grant permissions automatically

     An app is granted a permission without user interaction.

   • Deny permissions automatically

     An app is denied a permission without user interaction.

   You can save only one granting rule for each app permission.

9. Click OK to apply the configuration.

   The configuration appears in the List of app permissions.

10. Click the Apply button to save your changes.

The configuration with permission granting rules is applied. Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

To edit app permissions:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the App permission management section.
5. Select the app in the List of app permissions block, and then click the Edit button.

   The Edit permission granting rules window opens.

6. Edit the selected permission granting rule as follows:
   • To add a new permission to the configuration, click the Add permission button below all the settings, and then select a permission and an action to be performed for this permission.

     You can add several permissions.

   • To edit an action for an existing permission, select another action in the list.
   • To delete a permission that was added manually, click the X button in the upper right corner of the permission's field.
7. Click OK to close the Edit permission granting rules window.
8. Click the Apply button to save your changes.

The edited configuration with permission granting rules is applied. Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

To delete app permissions:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the App permission management section.
5. Select the app from the List of app permissions block, and then click the Delete button.
6. Click the Apply button to save your changes.

The configured permissions for the selected app are deleted. Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Creating a report on installed mobile apps

Expand all | Collapse all

The Report on installed mobile apps lets you get the detailed information about the apps installed on users' Android devices, save this information to a file, send it by email, and print it.

To allow the report to display information, the Send data on installed apps check box in the App Control section must be selected and the An app has been installed or removed (list of installed apps) informational event type must be stored in the Administration Server database.

To enable sending data:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the App Control section.
5. In the Report on installed mobile apps section, select the Send data on installed apps check box.

   The following settings are now available:

   • Select the Send data on system apps check box to send information about system apps. If a system app is configured in the App Control settings, its data is sent regardless of the state of this check box.
   • Select the Send data on service apps check box to send information about service apps without interface. If a service app is configured in the App Control settings, its data is sent regardless of the state of this check box.
6. Click the Apply button to apply your changes.
7. In the policy Properties window, select the Event Configuration section.
8. In the workspace of the section, select the Info tab.
9. Open the An app has been installed or removed (list of installed apps) event properties by double-clicking any column.
10. In the event's Properties window, select the Store in the Administration Server database for (days) check box and set the storage period. By default, the storage period is 30 days.

    After the storage period expires, the Administration Server deletes outdated information from the database. For more information about events, please refer to the Kaspersky Security Center Help.

11. Click OK to save your changes.

Sending data is enabled.

To configure a report on installed mobile apps:

1. In the console tree, go to the Administration Server folder.
2. In the workspace of the Administration Server folder, select the Reports tab.
3. In the context menu of the report template named Report on installed mobile apps, select Properties.
4. In the window that opens, edit the report template properties:
   • In the General section, specify the following parameters:
     • Report template name.
     • Maximum number of entries to display

       If this option is enabled, the number of entries displayed in the table with detailed report data does not exceed the specified value.

       Report entries are first sorted according to the rules specified in the Fields → Detailed fields section of the report template properties, and then only the first of the resulting entries are kept. The heading of the table with detailed report data shows the displayed number of entries and the total available number of entries that match other report template settings.

       If this option is disabled, the table with detailed report data displays all available entries. We do not recommend that you disable this option. Limiting the number of displayed report entries reduces the load on the database management system (DBMS) and reduces the time required for generating and exporting the report. Some of the reports contain too many entries. If this is the case, you may find it difficult to read and analyze them all. Also, your device may run out of memory while generating such a report and, consequently, you will not be able to view the report.

       By default, this option is enabled. The default value is 1000.

     • Print version

       The report output is optimized for printing: space characters are added between some values for better visibility.

       By default, this option is enabled.

   • In the Fields section, select the fields that will be displayed in the report, and the order of these fields, and configure whether the report should be sorted and filtered by each of the fields.
   • In the Group section, change the set of client devices the report is created for.
   • In the Hierarchy of Administration Servers section, specify the following parameters:
     • Include data from secondary and virtual Administration Servers

       If this option is enabled, the report includes the information from the secondary and virtual Administration Servers that are subordinate to the Administration Server for which the report template is created.

       Disable this option if you want to view data only from the current Administration Server.

       By default, this option is enabled.

     • Up to nesting level

       The report includes data from secondary and virtual Administration Servers that are located under the current Administration Server on a nesting level that is less than or equal to the specified value.

       The default value is 1. You may want to change this value if you have to retrieve information from secondary Administration Servers located at lower levels in the tree.

     • Data wait interval (min)

       Before generating the report, the Administration Server for which the report template is created waits for data from secondary Administration Servers during the specified number of minutes. If no data is received from a secondary Administration Server at the end of this period, the report runs anyway. Instead of the actual data, the report shows data taken from the cache (if the Cache data from secondary Administration Servers option is enabled), or N/A (not available) otherwise.

       The default value is 5 (minutes).

     • Cache data from secondary Administration Servers

       Secondary Administration Servers regularly transfer data to the Administration Server for which the report template is created. There, the transferred data is stored in the cache.

       If the current Administration Server cannot receive data from a secondary Administration Server while generating the report, the report shows data taken from the cache. The date when the data was transferred to the cache is also displayed.

       Enabling this option allows you to view the information from secondary Administration Servers even if the up-to-date data cannot be retrieved. However, the displayed data can be obsolete.

       By default, this option is disabled.

     • Cache update frequency (h)

       Secondary Administration Servers at regular intervals transfer data to the Administration Server for which the report template is created. You can specify this period in hours. If you specify 0 hours, data is transferred only when the report is generated.

       The default value is 0.

     • Transfer detailed information from secondary Administration Servers

       In the generated report, the table with detailed report data includes data from secondary Administration Servers of the Administration Server for which the report template is created.

       Enabling this option slows the report generation and increases traffic between Administration Servers. However, you can view all data in one report.

       Instead of enabling this option, you may want to analyze detailed report data to detect a faulty secondary Administration Server, and then generate the same report only for that faulty Administration Server.

       By default, this option is disabled.

5. Click OK to save your changes.

The updated report template appears in the list of report templates.

To create and view a report on installed mobile apps:

1. In the console tree, go to the Administration Server folder.
2. In the workspace of the Administration Server folder, select the Reports tab.
3. Select the report template named Report on installed mobile apps by double-clicking any column.

The report on installed mobile apps opens.

This report displays the following data:

• Summary

  Displays an overview of installed apps and the chart of apps installations. Information is grouped by the Package name field.

  This table contains the following fields:

  Package name

  Name of an installed app package.

  App name

  Name of an installed app, may depend on the language settings on a device.

  Number of devices

  Number of devices with an installed app.

  Number of groups

  Number of groups that contain devices with an installed app.

• Details

  Displays information about each app installed on each device.

  This table contains the following fields:

  Package name

  Name of an installed app package.

  App name

  Name of an installed app, may depend on the language settings on a device.

  App version

  Version of an installed app.

  Profile

  Profile with an installed app: Android work profile or personal profile.

  Virtual Administration Server

  Identifier of the virtual Administration Server that manages a device with an installed app.

  Group

  Identifier of the group that contains a device with an installed app.

  Device

  Identifier of a device with an installed app.

  Last connected to Administration Server

  Time of the last device synchronization with the Administration Server.

For more information about using reports, managing custom report templates, using report templates to generate new reports, and creating report delivery tasks, please refer to the Kaspersky Security Center Help.

Installing root certificates on Android devices

A root certificate is a public key certificate issued by a trusted certificate authority (CA). Root certificates are used to verify custom certificates and guarantee their identity.

Kaspersky Security Center lets you add root certificates to be installed on Android devices to a trusted certificate store.

These certificates are installed on user devices as follows:

• On devices operating in device owner mode, the certificates are installed automatically.

  If you delete a root certificate in policy settings, it will also be automatically deleted on the device during the next synchronization with the Administration Server.

• On personal devices (not operating in device owner mode):
  • If a work profile was not created, the device user is prompted to install each certificate manually in a personal profile by following the instructions in the notification.
  • If a work profile was created, the certificates are installed automatically to this profile. If the Duplicate installation of root certificates in personal profile check box is selected in work profile settings, the certificates can also be installed in a personal profile. The device user is prompted to do this manually by following the instructions in the notification.

    If you delete a root certificate in policy settings, it will also be automatically deleted on the device during the next synchronization with the Administration Server.

    For instructions on how to install certificates in personal profiles, please refer to Installing root certificates on the device.

To add a root certificate in Kaspersky Security Center:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Root certificates section.
5. In the Root certificates section, click Add.

   The file explorer opens.

6. Select a certificate file (.cer, .pem, or .key) and click Open.

   The Certificate window opens.

7. View the certificate information and click Install Certificate.

   This starts the standard Certificate Import Wizard.

8. Follow the wizard's instructions.

   After the wizard is finished, the root certificate appears in the list of certificates.

9. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

Configuring notifications for Kaspersky Endpoint Security for Android

If you do not want the mobile device user to be distracted by Kaspersky Endpoint Security for Android notifications, you can disable certain notifications.

The Kaspersky Endpoint Security uses the following tools to display the device protection status:

• Protection status notification. This notification is pinned to the notification bar. Protection status notification cannot be removed. The notification displays the device protection status (for example, ) and number of issues, if any. You can tap the device protection status and see the list issues in the app.
• App notifications. These notifications inform the device user about the application (for example, threat detection).
• Pop-up messages. Pop-up messages require action from the device user (for example, action to take when a threat is detected).

All Kaspersky Endpoint Security for Android notifications are enabled by default.

On Android 13, the device user should grant permission to send notifications during the Initial Configuration Wizard or later.

An Android device user can disable all notifications from Kaspersky Endpoint Security for Android in the settings on the notification bar. If notifications are disabled, the user does not monitor the operation of the app and can ignore important information (for example, information about failures during device synchronization with Kaspersky Security Center). In this case, to find out the app operating status, the user must open Kaspersky Endpoint Security for Android.

To configure the display of notifications about the operation of Kaspersky Endpoint Security for Android:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Additional section.
5. In the App notifications section, click the Configure button.

   The Device notification settings window opens.

6. Select the Kaspersky Endpoint Security for Android issues that you want to hide on the user's mobile device and click the OK button.

   The Kaspersky Endpoint Security for Android will not display issues in the protection status notification. The Kaspersky Endpoint Security for Android will continue to display protection status notification and app notifications.

   Certain Kaspersky Endpoint Security for Android issues are mandatory and impossible to disable (such as issues about license expiration).

7. To hide all notifications and pop-up messages, select the Disable notifications and pop-ups when the app is in background mode.

   Kaspersky Endpoint Security for Android will display the protection status notification only. The notification displays device protection status (for example, ) and number of issues. Also the app display notifications when user is working with the app (the user updates anti-malware databases manually, for example).

   Kaspersky experts recommended that you enable notifications and pop-up messages. If you disable notifications and pop-up messages when the app is in background mode, the app will not warn users about threats in real time. Mobile device users can learn about the device protection status only when they open the app.

8. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. The Kaspersky Endpoint Security for Android notifications that you disable will not be displayed on the user's mobile device.

Key features of mobile device management in MMC-based Administration Console

Kaspersky Secure Mobility Management provides the following features:

• Connect Android devices to Kaspersky Security Center by using an app installation package to download from a Kaspersky Security Center server.
• Connect iOS devices to Kaspersky Security Center by distributing email messages with a link and a QR code to download the iOS MDM profile from iOS MDM Server.
• Remotely connect mobile devices to Kaspersky Security Center and other third-party EMM systems (for example, VMWare AirWatch, MobileIron, IBM Maas360, Microsoft Intune, SOTI MobiControl).
• Remotely configure the Kaspersky Endpoint Security for Android app, as well as remotely configure services, apps, and functions of Android devices.
• Remotely configure mobile devices in accordance with corporate security requirements.
• Detect and neutralize threats on mobile devices (Anti-Malware).
• Prevent leakage of corporate information stored on mobile devices in case they are lost or stolen (Anti-Theft).
• Control internet use on mobile devices (Web Protection).
• Control installation and removal of apps (App Control).
• Control compliance with corporate security requirements (Compliance Control).
• Setup corporate mail on mobile devices, including for organizations with a Microsoft Exchange mail server deployed in the company (only for iOS and Samsung devices).
• Configure the corporate network (Wi-Fi, VPN), allowing VPN to be used on mobile devices. VPN can be configured only on iOS and Samsung devices.
• Configure the mobile device status to be displayed in Kaspersky Security Center when policy rules are violated: Critical, Warning, OK.
• Setup notifications shown to the user in the Kaspersky Endpoint Security for Android app.
• Configure settings on devices supporting Samsung Knox 2.6 or later.
• Configure settings on devices supporting Android work profiles.
• Configure settings of Android mobile devices in device owner mode.
• Deploy the Kaspersky Endpoint Security for Android app through the Samsung Knox Mobile Enrollment console. Samsung Knox Mobile Enrollment is intended for batch installation and initial configuration of apps on Samsung devices purchased from official vendors.
• Manage group security policies for mobile devices.
• The Kaspersky Endpoint Security for Android app can be upgraded to a specified version using Kaspersky Security Center policies.
• Administrator notifications about the status and events of the Kaspersky Endpoint Security for Android app can be communicated in Kaspersky Security Center or by email.
• Change Control for policy settings (revision history).
• Send commands for remote mobile device management. For example, if a mobile device is lost or stolen, you can send commands to locate the device or wipe all corporate data from the device.
• Configure screen unlock password settings for mobile devices.
• Configure Wi-Fi network settings for mobile devices.
• Add web clips to open websites from the Home screen of mobile devices.

Kaspersky Secure Mobility Management includes the following protection and management components:

• For Android devices:
  • Anti-Malware
  • Anti-Theft
  • Web Protection
  • App Control
  • Compliance Control
• For iOS MDM devices:
  • Password protection
  • Network management
  • Web Protection
  • Compliance Control

Connecting iOS MDM devices to AirPlay

Configure the connection to AirPlay devices to enable streaming of music, photos, and videos from the iOS MDM device to AirPlay devices. To be able to use AirPlay technology, the mobile device and AirPlay devices must be connected to the same wireless network. AirPlay devices include Apple TV devices (of the second and third generations), AirPort Express devices, speakers or radio sets with AirPlay support.

Automatic connection to AirPlay devices is available for controlled devices only.

To configure the connection of an iOS MDM device to AirPlay devices:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the AirPlay section.
5. In the AirPlay devices section, select the Apply settings on device check box.
6. Click the Add button in the Passwords section.

   An empty row is added in the password table.

7. In the Device name column, enter the name of the AirPlay device on the wireless network.
8. In the Password column, enter the password to the AirPlay device.
9. To restrict access of iOS MDM devices to AirPlay devices, create a list of allowed devices in the Allowed devices (supervised only) section. To do so, add the MAC addresses of AirPlay devices to the list of allowed devices.

   Access to AirPlay devices that are not on the list of allowed devices is blocked. If the list of allowed devices is left blank, Kaspersky Device Management for iOS will allow access to all AirPlay devices.

10. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the user's mobile device will automatically connect to AirPlay devices to stream media content.

Connecting iOS MDM devices to AirPrint

To enable printing of documents from the iOS MDM device wirelessly using AirPrint technology, configure automatic connection to AirPrint printers. The mobile device and printer must be connected to the same wireless network. Shared access for all users has to be configured on the AirPrint printer.

To configure the connection of an iOS MDM device to an AirPrint printer:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the AirPrint section.
5. Click the Add button in the AirPrint printers section.

   The Printer window opens.

6. In the IP address field, enter the IP address of the AirPrint printer.
7. In the Resource Path field, enter the path to the AirPrint printer.

   The path to the printer corresponds to the rp (resource path) key of the Bonjour protocol. For example:

   • printers/Canon_MG5300_series
   • ipp/print
   • Epson_IPP_Printer
8. Click OK.

   The newly added AirPrint printer appears on the list.

9. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the mobile device user can wirelessly print documents on the AirPrint printer.

Bypassing the Activation Lock on supervised iOS devices

Activation Lock is an iOS feature that is designed to prevent others from using a lost or stolen iOS device or reactivating it without an owner's permission. Kaspersky Security Center allows to bypass the Activation Lock on supervised iOS devices without entering Apple ID and user's password by using a bypass code.

A bypass code is generated when an iOS device is connected to Kaspersky Security Center and becomes supervised.

To disable Activation Lock using a bypass code:

1. In the console tree, select Mobile Device Management → Mobile devices.
2. In the list of devices, select the device for which you need to view the bypass code by double-clicking.

   The properties window of the selected device opens.

3. In the properties window of the selected device, select the Advanced iOS MDM settings tab.
4. On the Advanced iOS MDM settings tab, click the crossed-out eye icon next to the Bypass code for Activation Lock (supervised only) option.

   The bypass code for Activation Lock is displayed.

5. On the Activation Lock screen of the supervised iOS device, enter the bypass code in the Apple ID password field. Leave the username field empty.

   Activation Lock is disabled on the device.

Configuring the Access Point Name (APN)

To connect a mobile device to data transfer services on a mobile network, you should configure the APN (Access Point Name) settings.

Configuring APN on Android devices (only Samsung)

Configuration of APN is possible only for Samsung devices.

A SIM card must be inserted to be able to use an access point on the user's mobile device. Access point settings are provided by the mobile telephony operator. Incorrect access point settings may result in additional mobile telephony charges.

To configure the Access Point Name (APN) settings:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Manage Samsung KNOX → APN section.
5. In the APN section, click the Configure button.

   The APN settings window opens.

6. On the General tab, specify the following access point settings:
   1. In the APN type drop-down list, select the type of access point.
   2. In the APN name field, specify the name of the access point.
   3. In the MCC field, enter the mobile country code (MCC).
   4. In the MNC field, enter the mobile network code (MNC).
   5. If you have selected MMS or Internet and MMS as the type of access point, specify the following additional MMS settings:
      • In the MMS server field, specify the full domain name of the mobile carrier's server used for MMS exchange.
      • In the MMS proxy server field, specify the network name or IP address of the proxy server and the port number of the mobile carrier's server used for MMS exchange.
7. On the Additional tab, configure the additional settings of the Access Point Name (APN):
   1. In the Authentication type drop-down list, select the type of mobile device user's authentication on the mobile carrier's server for network access.
   2. In the Server address field, specify the network name of the mobile carrier's server through which data transmission services are accessed.
   3. In the Proxy server address field, specify the network name or IP address and port number of the mobile carrier's proxy server for network access.
   4. In the User name field, enter the user name for authorization on the mobile network.
   5. In the Password field, enter the password for user authorization on the mobile network.
8. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Configuring APN on iOS MDM devices

The Access Point Name (APN) has to be configured in order to enable the mobile network data transmission service on the user's iOS MDM device.

The APN section is out of date. It is recommended to configure APN settings in the Cellular communications section. Before configuring cellular communication settings, make sure that the settings of the APN section have not been applied on the device (the Apply settings on device check box is cleared). The settings of the APN and Cellular communications sections cannot be used concurrently.

To configure an access point on a user's iOS MDM device:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Cellular communications section.
5. In the Cellular communication settings section, select the Apply settings on device check box.
6. In the APN type list, select the type of access point for data transfer on a GPRS/3G/4G mobile network:
   • Built-in APN – configuration of cellular communication settings for data transfer via a mobile network operator that supports operation with a built-in Apple SIM. For more details about devices with a built-in Apple SIM, please visit the Apple Technical Support website.
   • APN – configuration of cellular communication settings for data transfer via the mobile network operator of the inserted SIM card.
   • Built-in APN and APN – configuration of cellular communication settings for data transfer via the mobile network operators of the inserted SIM card and the built-in Apple SIM. For more details about devices with a built-in Apple SIM and a SIM card slot, please visit the Apple Technical Support website.
7. In the APN name field, specify the name of the access point.
8. In the Authentication type drop-down list, select the type of device user authentication on the mobile operator's server for network access (internet and MMS).
9. In the User name field, enter the user name for authorization on the mobile network.
10. In the Password field, enter the password for user authorization on the mobile network.
11. In the Proxy server address and port field, enter the name of a host or the IP address of a proxy server and the number of the proxy server port.
12. Click the Apply button to save the changes you have made.

As a result, the access point name (APN) is configured on the user's mobile device after the policy is applied.

Configuring the Android work profile

This section contains information about working with an Android work profile.

About Android work profile

Android Enterprise is a platform for managing the corporate mobile infrastructure, which provides company employees with a work environment in which they can use mobile devices. For details on using Android Enterprise, see the Google support website.

You can create the Android work profile (hereinafter also "work profile") on the user's mobile device. Android work profile is a safe environment on the user's device in which the administrator can manage apps and user accounts without restricting the user's use of his/her own data. When a work profile is created on the user's mobile device, the following corporate apps are automatically installed to it: Google Play Market, Google Chrome, Downloads, Kaspersky Endpoint Security for Android, and others. Corporate apps installed in the work profile and notifications of these apps are marked with a icon. You have to create a separate Google corporate account for the Google Play Market app. Apps installed in the work profile appear in the common list of apps.

Configuring the work profile

Expand all | Collapse all

To configure the settings of the Android work profile:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Android work profile.
5. In the Android work profile workspace, select the Create work profile check box.
6. Specify the work profile settings:
   • On the General tab, specify the data sharing, contact, and other settings:
     • Settings in the Data access and sharing section:
       • Prohibit personal profile apps to share data with work profile apps

         Restricts sharing of files, pictures, or other data from personal profile apps with work profile apps.

         If the check box is selected, apps in personal profile can't share data with work profile apps.

         If the check box is cleared, the apps in personal profile can share data with work profile apps.

         The restriction doesn't affect search of contacts, access to the calendar, and copying data via clipboard across personal and work profiles. You can configure these functionalities by specifying the Prohibit personal profile apps to access work profile contacts, Synchronization of personal and work profile calendars, and Prohibit use of clipboard content across personal and work profiles options, respectively.

         This check box is selected by default.

       • Prohibit work profile apps to share data with personal profile apps

         Restricts sharing of files, pictures, or other data from work profile apps with personal profile apps.

         If the check box is selected, the apps in work profile can't share data with personal profile apps.

         If the check box is cleared, the apps in work profile can share data with personal profile apps.

         The restriction doesn't affect search of contacts, access to the calendar, and copying data via clipboard across personal and work profiles. You can configure these functionalities by specifying the Prohibit personal profile apps to access work profile contacts, Synchronization of personal and work profile calendars, and Prohibit use of clipboard content across personal and work profiles options, respectively.

         This check box is selected by default.

       • Prohibit work profile apps to access files in personal profile

         Restricts access of work profile apps to files in personal profile.

         If the check box is selected, the user can't access files in personal profile when using work profile apps.

         If the check box is cleared, the user can access files in personal profile when using work profile apps. Note that the access must be also supported by the apps that are being used.

         This check box is selected by default.

       • Prohibit personal profile apps to access files in work profile

         Restricts access of personal profile apps to files in work profile.

         If the check box is selected, the user can't access files in work profile when using personal profile apps.

         If the check box is cleared, the user can access files in work profile when using personal profile apps. Note that the access must be supported by the apps that are being used.

         This check box is selected by default.

       • Prohibit use of clipboard content across personal and work profiles

         Selecting or clearing this check box specifies whether the device user is allowed to copy data via clipboard across personal and work profiles.

         This check box is selected by default.

       • Prohibit activation of USB debugging mode

         Restricts the use of USB debugging node on the user's mobile device in the work profile. In USB debugging mode, the user can download an app via a workstation, for example.

         If the check box is selected, USB debugging mode is not available to the user. The user is unable to configure the mobile device via USB after connecting the device to a workstation.

         If the check box is cleared, the user can enable USB debugging mode, connect the mobile device to a workstation via USB, and configure the device.

         This check box is selected by default.

       • Prohibit the user to add and remove accounts in work profile

         If the check box is selected, the user is prohibited to add and remove accounts in work profile via Settings or Google apps. This includes restricting the ability to sign in to Google apps for the first time. However, the user can sign in, add, and remove accounts via some other third-party apps in work profile.

         Accounts that were added before the restriction is set will not be removed and sign in to these accounts is not restricted.

         This check box is selected by default.

       • Prohibit screen sharing, recording, and screenshots in work profile apps

         Selecting or clearing this check box specifies whether the device user is allowed to take screenshots, record and share the device screen in work profile apps. It also specifies whether the contents of the device screen are allowed to be captured for artificial intelligence purposes.

         This check box is selected by default.

     • Settings in the Contacts section:
       • Prohibit showing contact name from work profile for incoming calls in personal profile

         Selecting or clearing this check box specifies whether a contact name from work profile will be shown in personal profile for incoming calls.

         This check box is selected by default.

       • Prohibit personal profile apps to access work profile contacts

         Selecting or clearing this check box specifies whether contact management apps (for example, built-in Google Contacts Manager) in personal profile are allowed to access work profile contacts.

         This check box is selected by default.

   • On the Apps tab, specify the following settings:
     • Enable App Control in work profile only

       Controls the startup of apps in the work profile on the user's mobile device. You can create lists of allowed, blocked, recommended, and required apps as well as allowed and blocked app categories in the App Control section.

       If this check box is selected, depending on the App Control settings, Kaspersky Endpoint Security blocks or allows startup of apps only in the work profile. Meanwhile, App Control does not work in the personal profile.

       This check box is cleared by default.

     • Enable Web Protection in work profile only

       Restricts user access to websites in the work profile on the device. You can specify website access settings (create a list of blocked website categories or a list of allowed websites) in the Web Protection section. If Web Protection is disabled, Kaspersky Endpoint Security only restricts user access to websites in the Phishing and Malware categories. These categories are selected by default in the Websites of selected categories are forbidden area of Web Protection.

       If this check box is selected, Web Protection for Google Chrome blocks or allows access to websites only in the Android work profile. Meanwhile, Web Protection does not work in the personal profile.

       If this check box is cleared, depending on the Web Protection settings, Kaspersky Endpoint Security blocks or allows access to websites in the personal and work profiles of the mobile device.

       For Samsung Internet Browser, HUAWEI Browser, and Yandex Browser, leave the Enable Web Protection in work profile only check box unselected. These browsers do not allow you to enable Web Protection only in the work profile. If you select this check box, Web Protection in these browsers will not work.

       This check box is cleared by default.

       For Samsung Internet Browser, HUAWEI Browser, and Yandex Browser, leave the Enable Web Protection in work profile only check box unselected. These browsers do not allow you to enable Web Protection only in the work profile. If you select this check box, Web Protection in these browsers will not work.

       You can specify website access settings (create a list of blocked website categories or a list of allowed websites) in the Web Protection section.

     • Prohibit installation of apps in the work profile from unknown sources

       Restricts installation of apps in the work profile from all sources other than Google Play Enterprise.

       If the check box is selected, the user can install apps from Google Play only. Users use their own Google corporate accounts to install apps.

       If the check box is cleared, the user can install apps in any available way. Only blocked apps the list of which can be created in the App Control section cannot be installed.

       This check box is cleared by default.

     • Prohibit removal of apps from work profile

       Selecting or clearing this check box specifies whether the user is prohibited from removing apps from the work profile.

       This check box is cleared by default.

     • Prohibit display of notifications from work profile apps when screen is locked

       Restricts display of notification contents from work profile apps on the lock screen of the device.

       If the check box is selected, contents of notifications from work profile apps can't be viewed on the device lock screen. To view the notifications, the user has to unlock the device \ work profile.

       If the check box is cleared, notifications from work profile apps are displayed on the device lock screen.

       This check box is cleared by default.

     • Prohibit use of camera for work profile apps

       Selecting or clearing this check box specifies whether work profile apps can access the device camera.

       This check box is selected by default.

       On devices running Android 10 or later, if the Prohibit use of camera check box in the Device Management section is selected, the device camera may be blocked in the work profile even if the Prohibit use of camera for work profile apps check box is cleared.

     • Granting runtime permissions for work profile apps

       The Granting runtime permissions for work profile apps setting allows you to select an action to be performed when work profile apps are running and request additional permissions. This does not apply to permissions granted in device Settings (e.g. Access All Files).

       • Prompt the user for permissions

         When a permission is requested, the user decides whether to grant the specified permission to the app.

         This option is selected by default.

       • Grant permissions automatically

         All work profile apps are granted permissions without user interaction.

       • Deny permissions automatically

         All work profile apps are denied permissions without user interaction.

         Users can adjust app permissions in the device settings before these permissions are denied automatically.

       On Android 12 or later, the following permissions can't be granted automatically but can be denied automatically. If you select Grant permissions automatically, the app will prompt the user for these permissions:

       • Location permissions
       • Permissions for camera
       • Permissions to record audio
       • Permission for activity recognition
       • Permissions to monitor SMS and MMS incoming messages
       • Permissions to access body sensors data

     • Adding widgets of work profile apps to device home screen

       The Adding widgets of work profile apps to device home screen setting allows you to choose whether the device user is allowed to add widgets of work profile apps to device home screen.

       • Prohibit for all apps

         The device user is prohibited from adding widgets of apps installed in the work profile.

         This option is selected by default.

       • Allow for all apps

         The device user is allowed to add widgets of all apps installed in the work profile.

       • Allow only for the listed apps

         The device user is allowed to add widgets of listed apps installed in the work profile.

         To add an app to the list, click Add and enter an app package name. How to get the package name of an app

         To get the package name of an app:

         1. Open Google Play.
         2. Find the required app and open its page.

         The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

         To get the package name of an app that has been added to Kaspersky Security Center:

         1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
         2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

         In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

         If you have an app package as an APK file and want to know the app identifier, you can add the app package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

         To remove an app from the list, select the app and click Delete.

   • On the Certificates tab, you can configure the following settings:
     • Duplicate installation of VPN certificates in personal profile

       Selecting or clearing the check box specifies whether the VPN certificate added in the Mobile Device Management > Certificates section of the Kaspersky Security Center Administration Console and installed to the work profile will also be installed to the personal profile.

       By default, VPN certificates received from Kaspersky Security Center are installed in the work profile.This setting is applied when a new VPN certificate is issued.

       This check box is cleared by default.

     • Duplicate installation of root certificates in personal profile

       Selecting or clearing the check box specifies whether the root certificates added in the Root certificates policy section and installed to the work profile will also be installed to the personal profile.

       This check box is cleared by default.

   • On the Password tab, specify work profile password settings:
     • Require to set password for work profile

       Allows to specify the requirements for work profile password according to company security requirements.

       If the check box is selected, password requirements are available for configuration. When the policy is applied, the user receives a notification prompting to set up work profile password according to company requirements.

       If the check box is cleared, editing password settings is not available.

       This check box is cleared by default.

     • Minimum number of characters

       The minimum number of characters in the user password. Possible values: 4 to 16 characters.

       The user's password is 4 characters long by default.

       The following is applicable only to personal and work profiles:

       • In personal profile, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high on devices running Android 10 or later.
       • In work profile, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high on devices running Android 12 or later.

       The values are determined by the following rules:

       • If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN) with no repeating or ordered (e.g. 1234) sequences, or alphabetic/ alphanumeric. The PIN or password must be at least 4 characters long.
       • If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN) with no repeating or ordered sequences, or alphabetic/ alphanumeric (password). The PIN must be at least 8 digits long; the password must be at least 6 characters long.
     • Minimum password complexity requirements (Android 12 or earlier)

       Specifies minimum unlock password requirements. These requirements apply only to new user passwords. The following values are available:

       • Numeric

         The user can set a password that includes numbers or set any stronger password (for instance, alphabetic or alphanumeric).

         This option is selected by default.

       • Alphabetic

         The user can set a password that includes letters (or other non-number symbols) or set any stronger password (for instance, alphanumeric).

       • Alphanumeric

         The user can set a password that includes both numbers and letters (or other non-number symbols) or set any stronger complex password.

       • Not specified

         The user can set any password.

       • Complex

         The user must set a complex password according to the specified password properties:

         • Minimum number of letters
         • Minimum number of digits
         • Minimum number of special symbols (for example, !@#$%)
         • Minimum number of uppercase letters
         • Minimum number of lowercase letters
         • Minimum number of non-letter characters (for example, 1^&*9)
       • Complex numeric

         The user can set a password that includes numbers with no repetitions (e.g. 4444) and no ordered sequences (e.g. 1234, 4321, 2468) or set any stronger complex password.

       This option applies only to devices running Android 12 or earlier.

     • Maximum number of incorrect password attempts before deletion of work profile

       Specifies the maximum number of attempts by the user to enter password to unlock the device. When the policy is applied, the work profile will be deleted from the device after the maximum number of attempts is exceeded.

       Possible values are 4 to 16.

       The default value is not set. This means that the attempts are not limited.

     • Maximum password age, in days

       Specifies the number of days before the password expires. Applying a new value will set the current password lifetime to the new value.

       The default value is 0. This means that the password won't expire.

     • Number of days to notify that a password change is required

       Specifies the number of days to notify the user before the password expires.

       The default value is 0. This means that the user won't be notified about password expiration.

     • Number of recent passwords that can't be used as a new password

       Specifies the maximum number of previous user passwords that can't be used as a new password. This setting will apply only when the user sets new password on the device.

       The default value is 0. This means that the new user password can match any previous password except the current one.

     • Period of inactivity before the work profile locks, in seconds

       Specifies the period of inactivity before the device locks. After this period, the device will lock.

       The default value is 0. This means that the device won't lock after a certain period.

     • Period after unlocking by biometric methods before entering a password, in minutes (Android 8.0 or later)

       Specifies the period for unlocking the device without a password. During this period, the user can use biometric methods to unlock the screen. After this period, the user can unlock the screen only with a password.

       The default value is 0. This means that the user won't be forced to unlock the device with a password after a certain period.

       This option applies only to devices running Android 8.0 or later.

     • Allow biometric unlock methods (Android 9+)

       If the check box is selected, the use of biometric unlock methods on the mobile device is allowed.

       If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of biometric methods to unlock the screen. The user can unlock the screen only with a password.

       This check box is selected by default.

       This setting applies only to devices running Android 9 or later. Starting from Android 10, this setting applies only to the device owner mode.

     • Allow use of fingerprints

       The use of fingerprints to unlock the screen.

       This check box does not restrict the use of a fingerprint scanner when signing in to apps or confirming purchases.

       If the check box is selected, the use of fingerprints on the mobile device is allowed.

       If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of fingerprints to unlock the screen. The user can unlock the screen only with a password. In the Android settings, the option to use fingerprints will be unavailable (Android Settings > Security > Screen lock > Fingerprints).

       This check box is available only if the Allow biometric unlock methods (Android 9 or later; Android 10 or later in device owner mode) check box is selected.

       This check box is selected by default.

       This settings applies to devices running all supported Android versions. Starting from Android 10, this setting applies only to the device owner mode.

       On some Xiaomi devices with Android work profile, the work profile may be unlocked by a fingerprint only if you set the Period of inactivity before the device screen locks value after setting a fingerprint as the screen unlocking method.

     • Allow face scanning (Android 9 or later)

       If the check box is selected, the use of face scanning on the mobile device is allowed.

       If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of face scanning to unlock the screen.

       This check box is available only if the Allow biometric unlock methods (Android 9 or later; Android 10 or later in device owner mode) check box is selected.

       This check box is selected by default.

       This setting applies only to devices running Android 9 or later. Starting from Android 10, this setting applies only to the device owner mode.

     • Allow iris scanning (Android 9 or later)

       If the check box is selected, the use of iris scanning on the mobile device is allowed.

       If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of iris scanning to unlock the screen.

       This check box is available only if the Allow biometric unlock methods (Android 9 or later; Android 10 or later in device owner mode) check box is selected.

       This check box is selected by default.

       This setting applies only to devices running Android 9 or later. Starting from Android 10, this setting applies only to the device owner mode.

   • On the Passcode tab, specify the one-time passcode settings. The user will be prompted to enter the one-time passcode to unlock their work profile if it was locked.
     • Passcode length

       The number of digits in the passcode. Possible values: 4, 8, 12, or 16 characters.

       The passcode length is 4 digits by default.

     • Passcode

       This field is displayed if you view the policy settings for a certain user device, not a group of devices.

       This field displays the passcode required to unlock work profile. A new passcode is generated after the user unlocks work profile with the passcode.

       This field is not editable.

7. To configure work profile settings on the user's mobile device, block changes to settings.
8. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. The space of the user's mobile device is divided into a work profile and a personal profile.

Unlocking the work profile

The work profile can be locked if the device does not meet the Compliance Control security requirements.

To unlock the work profile, the user of the mobile device must enter a one-time work profile passcode on the locked screen. The passcode is generated by MMC-based Administration Console and is unique for each mobile device. When the device work profile is unlocked, the work profile password is set to default value (1234).

As an administrator, you can view the passcode in the policy settings, which are applied to the mobile device. The length of the passcode can be changed (4, 8, 12, or 16 digits).

To unlock the mobile device using the one-time passcode:

1. In the console tree, select Mobile Device Management → Mobile devices.
2. Select the mobile device for which you want to get the one-time passcode.
3. Open the mobile device properties window.
4. Select Applications → Kaspersky Endpoint Security for Android.
5. Open the Kaspersky Endpoint Security properties window.
6. Select the Android work profile section.

   The passcode for the selected device is shown on the Passcode tab in the Passcode field.

Use any available method (such as email) to communicate the one-time passcode to the user.

The user should enter the received one-time passcode on their device.

After the work profile on a device is locked, the history of work profile passwords is cleared. It means that the user can specify one of the recent passwords, regardless of the work profile password settings.

Adding an LDAP account

To enable the iOS MDM device user to access corporate contacts on the LDAP server, add the LDAP account.

To add the LDAP account of the iOS MDM device user:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the LDAP section.
5. Click the Add button in the LDAP accounts section.

   The LDAP account window opens.

6. In the Description field, enter a description of the user's LDAP account. You can use macros from the Macros available drop-down list.
7. In the Account Name field, enter the account name for authorization on the LDAP server. You can use macros from the Macros available drop-down list.
8. In the Password field, enter the password of the LDAP account for authorization on the LDAP server.
9. In the Server address (cannot be left blank) field, enter the name of the LDAP server domain. You can use macros from the Macros available drop-down list.
10. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of messages, select the Use SSL connection check box.
11. Compile a list of search queries for the iOS MDM device user access to corporate data on the LDAP server:
    1. Click the Add button in the Search settings section.

       A blank row appears in the table with search queries.

    2. In the Name column, enter the name of a search query.
    3. In the Search scope column, select the nesting level of the folder for the corporate data search on the LDAP server:
       • Base – search in the base folder of the LDAP server.
       • One level – search in folders on the first nesting level counting from the base folder.
       • Subtree – search in folders on all nesting levels counting from the base folder.
    4. In the Search base column, enter the path to the folder on the LDAP server with which the search begins (for example: "ou=people", "o=example corp").
    5. Repeat steps a-d for all search queries that you want to add to the iOS MDM device.
12. Click OK.

    The new LDAP account appears in the list.

13. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, LDAP accounts from the compiled list will be added on the user's mobile device. The user can access corporate contacts in the standard iOS apps: Contacts, Messages, and Mail.

Adding a calendar account

To enable the iOS MDM device user to access the user's calendar events on the CalDAV server, add the CalDAV account. Synchronization with the CalDAV server enables the user to create and receive invitations, receive event updates, and synchronize tasks with the Reminders app.

To add the CalDAV account of the iOS MDM device user:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Calendar section.
5. Click the Add button in the CalDAV accounts section.

   The CalDAV account window opens.

6. In the Description field, enter a description of the user's CalDAV account.
7. In the Server address and port (cannot be left blank) field, enter the name of a host or the IP address of a CalDAV server and the number of the CalDAV server port.
8. In the Main URL field, specify the URL of the CalDAV account of the iOS MDM device user on the CalDAV server (for example: http://example.com/caldav/users/mycompany/user).

   The URL should begin with "http://" or "https://".

9. In the Account Name field, enter the account name for authorization on the CalDAV server.
10. In the Password field, set the CalDAV account password for authorization on the CalDAV server.
11. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of event data between the CalDAV server and the mobile device, select the Use SSL connection check box.
12. Click OK.

    The new CalDAV account appears in the list.

13. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, CalDAV accounts from the compiled list will be added on the user's mobile device.

Adding a contacts account

To enable the iOS MDM device user to synchronize data with the CardDAV server, add the CardDAV account. Synchronization with the CardDAV server enables the user to access the contact details from any device.

To add the CardDAV account of the iOS MDM device user:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Contacts section.
5. Click the Add button in the CardDAV accounts section.

   The CardDAV account window opens.

6. In the Description field, enter a description of the user's CardDAV account. You can use macros from the Macros available drop-down list.
7. In the Server address and port (cannot be left blank) field, enter the name of a host or the IP address of a CardDAV server and the number of the CardDAV server port.
8. In the Main URL field, specify the URL of the CardDAV account of the iOS MDM device user on the CardDAV server (for example: http://example.com/carddav/users/mycompany/user).

   The URL should begin with "http://" or "https://".

9. In the Account Name field, enter the account name for authorization on the CardDAV server. You can use macros from the Macros available drop-down list.
10. In the Password field, set the CardDAV account password for authorization on the CardDAV server.
11. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of contacts between the CardDAV server and the mobile device, select the Use SSL connection check box.
12. Click OK.

    The new CardDAV account appears in the list.

13. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, CardDAV accounts from the compiled list will be added on the user's mobile device.

Configuring calendar subscription

To enable the iOS MDM device user to add events of shared calendars (such as the corporate calendar) to the user's calendar, add subscription to this calendar. Shared calendars are calendars of other users who have a CalDAV account, iCal calendars, and other openly published calendars.

To add calendar subscription:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Calendar subscription section.
5. Click the Add button in the Calendar subscriptions section.

   The Calendar Subscription window opens.

6. In the Description field, enter a description of the calendar subscription.
7. In the Server web address (cannot be left blank) field, specify the URL of the third-party calendar.

   In this field, you can enter the mail URL of the CalDAV account of the user to whose calendar you are subscribing. You can also specify the URL of an iCal calendar or a different openly published calendar.

8. In the User name field, enter the user account name for authentication on the server of the third-party calendar.
9. In the Password field, enter the calendar subscription password for authentication on the server of the third-party calendar.
10. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of event data between the CalDAV server and the mobile device, select the Use SSL connection check box.
11. Click OK.

    The new calendar subscription appears in the list.

12. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, events from shared calendar on the list will be added to the calendar on the user's mobile device.

Managing web clips

A web clip is an app that opens a website from the Home screen of the mobile device. By clicking web clip icons on the home screen of the device, the user can quickly open websites (such as the corporate website).

You can add or delete web clips on user devices and specify web clip icons displayed on the screen.

Managing web clips on Android devices

To manage web clips on a user's Android device:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Device management section.
5. In the Adding web clips to device home screen section, do any of the following:
   • To add a web clip:
     1. Click the Add button.

        The Add web clip window opens.

     2. In the Name field, enter the name of the web clip to be displayed on the home screen of the Android device.
     3. In the URL field, enter the web address of the website that will open when the web clip icon is clicked. The address should begin with "http://" or "https://".
     4. In the Icon field, specify the image for the web clip icon: click Browse... and select an image file. The PNG and JPEG file formats are supported. If you do not select an image for the web clip, a blank square is displayed as the icon.
     5. Click OK.

        The new web clip appears in the list.

        The maximum number of web clips that can be added to an Android device depends on the device type. When this number is reached, web clips are no longer added to the Android device.

   • To edit a web clip:
     1. Select the web clip that you want to edit, and then click Edit.

        The Add web clip window opens.

     2. Define the new settings of the web clip, as described earlier in this section.
     3. Click OK.
   • To delete a web clip:
     1. Select the web clip that you want to delete, and then click Delete.

        The web clip disappears from the list.

6. Click the Apply button to save the changes you have made.

Once the policy is applied to a device, the Kaspersky Endpoint Security for Android app shows notifications to prompt the user to install the web clips you created. After the user installs these web clips, the corresponding icons are added on the home screen of the device.

The deleted web clips are disabled on the home screen of the Android device. If the user taps the corresponding icon, a notification appears that the web clip is no longer available. The user should delete the web clip from the home screen by following a vendor-specific procedure.

Managing web clips on iOS MDM devices

By default, the following restrictions on web clip usage apply:

• The user cannot manually remove web clips from the mobile device.
• Websites that open when the user clicks a web clip icon do not open in full-screen mode.
• The corner rounding, shadow, and gloss visual effects are applied to the web clip icon on the screen.

To manage web clips on a user's iOS MDM device:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Web Clip section.
5. In the Web Clip section, do any of the following:
   • To add a web clip:
     1. Click the Add button.

        The Web Clip window opens.

     2. In the Name field, enter the name of the web clip to be displayed on the home screen of the iOS MDM device.
     3. In the URL field, enter the web address of the website that will open when the web clip icon is clicked. The address should begin with "http://" or "https://".
     4. To allow the user to remove a web clip from the iOS MDM device, select the Allow removal check box.
     5. Click Select and specify the file with the image for the web clip icon that will be displayed on the home screen of the iOS MDM device.

        The image must meet the following requirements:

        • Image size no greater than 400 х 400 pixels.
        • File format: GIF, JPEG, or PNG.
        • File size no greater than 1 MB.

        The web clip icon is available for preview in the Icon field. If you do not select an image for the web clip, a blank square is displayed as the icon.

        If you want the web clip icon to be displayed without special visual effects (rounding of icon corners and gloss effect), select the Precomposed icon check box.

     6. If you want the website to open in full-screen mode on the iOS MDM device when you click the icon, select the Full screen Web Clip check box.

        In full-screen mode, the Safari toolbar is hidden and only the website is shown on the device screen.

     7. Click OK.

        The new web clip appears in the list.

   • To edit a web clip:
     1. Select the web clip that you want to edit, and then click Edit.

        The Web Clip window opens.

     2. Define the new settings of the web clip, as described earlier in this section.
     3. Click OK.
   • To delete a web clip:
     1. Select the web clip that you want to delete, and then click Delete.

        The web clip disappears from the list.

6. Click the Apply button to save the changes you have made.

Once the policy is applied, the web clip icons from the list you have created are added on the home screen of the user's mobile device.

The deleted web clips are removed from the home screen of the iOS MDM device.

Setting wallpaper

Expand all | Collapse all

You can set the same image as a wallpaper for a home screen and a lock screen on your users' devices that fall under the same policy.

To set a wallpaper on your users' Android devices:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Device management section.
5. In the Setting wallpaper for home screen and lock screen section, click Set.

   The Setting wallpaper window opens.

6. In the How to set wallpaper drop-down list, select the way of setting a wallpaper:
   • Download image from internet

     For this option, you need to specify a URL beginning with http:// or https://. Use only trusted websites.

   • Upload image

     For this variant, you need to upload an image in PNG or JPEG format with a maximum size of 1 MB.

7. Once the image is imported, you can preview it in the Setting wallpaper window.

   Preview

   For the Upload image option, an image preview is always shown. It is saved in the policy and available during subsequent editing of the wallpaper.

   For the Download image from internet option, the Preview button appears if the image is downloaded from a URL beginning with http://. Click the button to show an image preview. The preview is not saved in the policy. That means you may need to re-download the preview after editing the wallpaper.

   The Preview functionality does not work for images downloaded from URLs beginning with https://.

8. If you want to use the same image as a wallpaper for a lock screen, select the Use the same image for the lock screen check box. Otherwise, the image is used only as a home screen wallpaper.

   The check box is cleared by default.

9. Click the OK button to save the changes you have made.

The imported image is set as a wallpaper on users' devices.

Adding fonts

To add a font on a user's iOS MDM device:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Fonts section.
5. Click the Add button in the Fonts section.

   The Font window opens.

6. In the File name field, specify the path to the font file (a file with the .ttf or .otf extension).

   Fonts with the ttc or otc extension are not supported.

   Fonts are identified using the PostScript name. Do not install fonts with the same PostScript name even if their content is different. Installing fonts with the same PostScript name will result in an undefined error.

7. Click Open.

   The new font appears in the list.

8. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the user will be prompted to install fonts from the list that has been created.