Kaspersky Secure Mobility Management

Managing iOS MDM devices

This section describes advanced features for management of iOS MDM devices through Kaspersky Security Center. The application supports the following features for management of iOS MDM devices:

  • Define the settings of managed iOS MDM devices in centralized mode and restrict features of devices through configuration profiles. You can add or modify configuration profiles and install them on mobile devices.
  • Install apps on mobile devices by means of provisioning profiles, bypassing App Store. For example, you can use provisioning profiles for installation of in-house corporate apps on users' mobile devices. A provisioning profile contains information about an app and a mobile device.
  • Install apps on an iOS MDM device through the App Store. Before installing an app on an iOS MDM device, you must add that app to an iOS MDM Server.

Every 24 hours, a push notification is sent to all connected iOS MDM devices in order to synchronize data with the iOS MDM Server.

For information about the configuration profile and the provisioning profile, as well as apps installed on an iOS MDM device, please refer to the properties window of the device.

In this section

Signing an iOS MDM profile by a certificate

Adding a configuration profile

Installing a configuration profile on a device

Removing the configuration profile from a device

Adding a provisioning profile

Installing a provisioning profile to a device

Removing a provisioning profile from a device

Configuring managed apps

Installing an app on a mobile device

Removing an app from a device

Installing and uninstalling apps on a group of iOS MDM devices

Configuring roaming on an iOS MDM mobile device

Viewing information about an iOS MDM device

Disconnecting an iOS MDM device from management

Configuring kiosk mode for iOS MDM devices

See also:

Scenario: Mobile Device Management deployment

Signing an iOS MDM profile by a certificate

You can sign an iOS MDM profile by a certificate. You can use a certificate that you issued yourself or you can receive a certificate from trusted certification authorities.

A certificate is not required for the iOS MDM profile to operate correctly. If the iOS MDM profile is not signed by a certificate, a warning appears when the profile is installed, and users are prompted to confirm that they trust the organization that sent the certificate.

To sign an iOS MDM profile by a certificate:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
  2. In the context menu of the Mobile devices folder, select Properties.
  3. In the properties window of the folder, select the Connection settings for iOS devices section.
  4. Click the Browse button under the Select certificate file field.

    The Certificate window opens.

  5. In the Certificate type field, specify the public or private certificate type:
    • If the PKCS #12 container value is selected, specify the certificate file and the password.
    • If the X.509 certificate value is selected:
      1. Specify the private key file (one with the *.prk or *.pem extension).
      2. Specify the private key password.
      3. Specify the public key file (one with the *.cer extension).
  6. Click OK.

The iOS MDM profile is signed by a certificate.

See also:

Scenario: Mobile Device Management deployment

Adding a configuration profile

To create a configuration profile, you can use Apple Configurator 2, which is available at the Apple Inc. website. Apple Configurator 2 works only on devices running macOS; if you do not have such devices at your disposal, you can use iPhone Configuration Utility on the device with Administration Console instead. However, Apple Inc. does not support iPhone Configuration Utility any longer.

To create a configuration profile using iPhone Configuration Utility and to add it to an iOS MDM Server:

  1. In the console tree, select the Mobile Device Management folder.
  2. In the workspace of the Mobile Device Management folder, select the Mobile Device Servers subfolder.
  3. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
  4. In the context menu of the iOS MDM Server, select Properties.

    The Mobile Device Server properties window opens.

  5. In the properties window of the iOS MDM Server, select the Configuration profiles section.
  6. In the Configuration profiles section, click the Create button.

    The New configuration profile window opens.

  7. In the New configuration profile window, specify a name and ID for the profile.

    The configuration profile ID should be unique; the value should be specified in Reverse-DNS format, for example, com.companyname.identifier.

  8. Click OK.

    iPhone Configuration Utility then starts if you have it installed.

  9. Reconfigure the profile in iPhone Configuration Utility.

    For a description of the profile settings and instructions on how to configure the profile, please refer to the documentation enclosed with iPhone Configuration Utility.

After you configure the profile with iPhone Configuration Utility, the new configuration profile is displayed in the Configuration profiles section in the properties window of the iOS MDM Server.

You can click the Modify button to modify the configuration profile.

You can click the Import button to load the configuration profile to a program.

You can click the Export button to save the configuration profile to a file.

The profile that you have created must be installed on iOS MDM devices.

See also:

Scenario: Mobile Device Management deployment

Installing a configuration profile on a device

To install a configuration profile to a mobile device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices:
    1. Click the No filter specified, records total: <number> link.
    2. On the Management protocol list, select iOS MDM.
  3. Select the mobile device on which you want to install a configuration profile.

    You can select multiple mobile devices to install the profile on them simultaneously.

  4. In the context menu of the mobile device, select Show command log.
  5. In the Mobile device <device name> management commands window, proceed to the Install profile section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands in the context menu of that mobile device, and then selecting Install profile.

    The Select profiles window opens showing a list of profiles. Select from the list the profile that you want to install on the mobile device. You can select multiple profiles to install them on the mobile device simultaneously. To select a range of profiles, use the Shift key. To combine profiles into a group, use the Ctrl key.

  6. Click OK to send the command to the mobile device.

    When the command is executed, the selected configuration profile will be installed on the user's mobile device. If the command is successfully executed, the current status of the command in the command log will be shown as Done.

    You can click the Resend button to send the command to the user's mobile device again.

    You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

    The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

  7. Click OK to close the Mobile device <device name> management commands window.

You can view the profile that you installed and remove it, if necessary.

See also:

Scenario: Mobile Device Management deployment

Removing the configuration profile from a device

To remove a configuration profile from a mobile device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices:
    1. Click the No filter specified, records total: <number> link.
    2. On the Management protocol list, select iOS MDM.
  3. Select the mobile device from which you want to remove the configuration profile.

    You can select multiple mobile devices to remove the profile from them simultaneously.

  4. In the context menu of the mobile device, select Show command log.
  5. In the Mobile device <device name> management commands window, proceed to the Remove profile section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands from the context menu of the device, and then selecting Remove profile.

    The Remove profiles window opens showing a list of profiles.

  6. Select from the list the profile that you want to remove from the mobile device. You can select multiple profiles to remove them from the mobile device simultaneously. To select a range of profiles, use the Shift key. To combine profiles into a group, use the Ctrl key.
  7. Click OK to send the command to the mobile device.

    When the command is executed, the selected configuration profile will be removed from the user's mobile device. If the command is executed successfully, the current status of the command will be shown as Completed.

    You can click the Resend button to send the command to the user's mobile device again.

    You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

    The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

  8. Click OK to close the Mobile device <device name> management commands window.

See also:

Scenario: Mobile Device Management deployment

Adding a provisioning profile

To add a provisioning profile to an iOS MDM Server:

  1. In the console tree, open the Mobile Device Management folder.
  2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.
  3. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
  4. In the context menu of the iOS MDM Server, select Properties.

    The Mobile Device Server properties window opens.

  5. In the properties window of the iOS MDM Server, go to the Provisioning profiles section.
  6. In the Provisioning profiles section, click the Import button and specify the path to a provisioning profile file.

The profile will be added to the iOS MDM Server settings.

You can click the Export button to save the provisioning profile to a file.

You can install the provisioning profile that you imported on iOS MDM devices.

See also:

Scenario: Mobile Device Management deployment

Installing a provisioning profile to a device

To install a provisioning profile on a mobile device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices:
    1. Click the No filter specified, records total: <number> link.
    2. On the Management protocol list, select iOS MDM.
  3. Select the mobile device on which you want to install the provisioning profile.

    You can select multiple mobile devices to install the provisioning profile simultaneously.

  4. In the context menu of the mobile device, select Show command log.
  5. In the Mobile device <device name> management commands window, proceed to the Install provisioning profile section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands from the context menu of that mobile device, and then selecting Install provisioning profile.

    The Select provisioning profiles window opens showing a list of provisioning profiles. Select from the list the provisioning profile that you want to install on the mobile device. You can select multiple provisioning profiles to install them on the mobile device simultaneously. To select the range of provisioning profiles, use the Shift key. To combine provisioning profiles into a group, use the Ctrl key.

  6. Click OK to send the command to the mobile device.

    When the command is executed, the selected provisioning profile will be installed on the user's mobile device. If the command is successfully executed, its current status in the command log is shown as Completed.

    You can click the Resend button to send the command to the user's mobile device again.

    You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

    The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

  7. Click OK to close the Mobile device <device name> management commands window.

You can view the profile that you installed and remove it, if necessary.

See also:

Scenario: Mobile Device Management deployment

Removing a provisioning profile from a device

To remove a provisioning profile from a mobile device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices:
    1. Click the No filter specified, records total: <number> link.
    2. On the Management protocol list, select iOS MDM.
  3. Select the mobile device from which you want to remove the provisioning profile.

    You can select multiple mobile devices to remove the provisioning profile from them simultaneously.

  4. In the context menu of the mobile device, select Show command log.
  5. In the Mobile device <device name> management commands window, proceed to the Remove provisioning profile section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands from the context menu and then selecting Remove provisioning profile.

    The Remove provisioning profiles window opens showing a list of profiles.

  6. Select from the list the provisioning profile that you need to remove from the mobile device. You can select multiple provisioning profiles to remove them from the mobile device simultaneously. To select the range of provisioning profiles, use the Shift key. To combine provisioning profiles into a group, use the Ctrl key.
  7. Click OK to send the command to the mobile device.

    When the command is executed, the selected provisioning profile will be removed from the user's mobile device. Applications that are related to the deleted provisioning profile will not be operable. If the command is executed successfully, the current status of the command will be shown as Completed.

    You can click the Resend button to send the command to the user's mobile device again.

    You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

    The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

  8. Click OK to close the Mobile device <device name> management commands window.

See also:

Scenario: Mobile Device Management deployment

Configuring managed apps

Before installing an app on an iOS MDM device, you must add that app to an iOS MDM Server. An app is considered managed if it has been installed on a device through Kaspersky Endpoint Security. A managed app can be managed remotely by means of Kaspersky Endpoint Security.

To add a managed app to an iOS MDM Server:

  1. In the console tree, open the Mobile Device Management folder.
  2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.
  3. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
  4. In the context menu of the iOS MDM Server, select Properties.

    This opens the properties window of the iOS MDM Server.

  5. In the properties window of the iOS MDM Server, select the Managed applications section.
  6. Click the Add button in the Managed applications section.

    The Add an application window opens.

  7. In the Add an application window, in the App name field, specify the name of the app to be added.
  8. In the Apple ID or link to manifest file field, specify the Apple ID of the application to be added, or specify a link to a manifest file that can be used to download the app.
  9. If you want a managed app to be removed from the user's mobile device along with the iOS MDM profile when removing the latter, select the Remove together with iOS MDM profile check box.
  10. If you want to block the app data backup through iTunes, select the Block data backup check box.
  11. If you want to configure settings of the managed app, click the App configuration button.

    The App configuration window opens.

  12. In the App configuration window, click the Browse button to select and upload a configuration file in PLIST format.

    To generate a configuration file, you may use a configuration generator (for example, https://appconfig.jamfresearch.com/generator) or refer to the official documentation on the app to be configured.

    An example of configured basic parameters for the Microsoft Outlook app.

    Microsoft Outlook app configuration

    | Configuration key | Description | Type | Value | Default value |
    |---|---|---|---|---|
    | com.microsoft.outlook.EmailProfile.EmailAccountName | Username | String | The username that will be used to pull the username from Microsoft Active Directory. It might be different from the user's email address. For example, User. | |
    | com.microsoft.outlook.EmailProfile.EmailAddress | Email address | String | The email address that will be used to pull the user's email address from Microsoft Active Directory. For example, user@companyname.com. | |
    | com.microsoft.outlook.EmailProfile.EmailUPN | User Principal Name or username for the email profile that is used to authenticate the account | String | The name of the user in email address format. For example, userupn@companyname.com. | |
    | com.microsoft.outlook.EmailProfile.ServerAuthentication | Authentication method | String | Username and Password: prompts the device user for their password. Certificates: certificate-based authentication. | Username and Password |
    | com.microsoft.outlook.EmailProfile.ServerHostName | ActiveSync FQDN | String | The Exchange ActiveSync email server URL. You don't need to use HTTP:// or HTTPS:// in front of the URL. For example, mail.companyname.com. | |
    | com.microsoft.outlook.EmailProfile.AccountDomain | Email domain | String | The account domain of the user. For example, companyname. | |
    | com.microsoft.outlook.EmailProfile.AccountType | Authentication type | String | ModernAuth: uses a token-based identity management method. Specify ModernAuth as the Account Type for Exchange Online. BasicAuth: prompts the device user for their password. Specify BasicAuth as the Account Type for Exchange On-Premises. | BasicAuth |
    | IntuneMAMRequireAccounts | Is sign-in required | String | Specifies whether account sign-in is required. You can select one of the following values. Enabled: the app requires the user to sign in to the managed user account defined by the IntuneMAMUPN key to receive Org data. Disabled: no account sign-in is required. | |
    | IntuneMAMUPN | UPN Address | String | The User Principal Name of the account allowed to sign into the app. For example, userupn@companyname.com. | |

    An example of a configuration file for the Microsoft Outlook app.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.microsoft.outlook.EmailProfile.AccountType</key>
        <string>BasicAuth</string>
        <key>com.microsoft.outlook.EmailProfile.EmailAccountName</key>
        <string>My Work Email</string>
        <key>com.microsoft.outlook.EmailProfile.ServerHostName</key>
        <string>exchange.server.com</string>
        <key>com.microsoft.outlook.EmailProfile.EmailAddress</key>
        <string>%email%</string>
        <key>com.microsoft.outlook.EmailProfile.EmailUPN</key>
        <string>%full_name%</string>
        <key>com.microsoft.outlook.EmailProfile.AccountDomain</key>
        <string>my-domain</string>
        <key>com.microsoft.outlook.EmailProfile.ServerAuthentication</key>
        <string>Username and Password</string>
        <key>IntuneMAMAllowedAccountsOnly</key>
        <string>Enabled</string>
        <key>IntuneMAMUPN</key>
        <string>%full_name%</string>
    </dict>
    </plist>

  13. After the PLIST file is imported, the app configuration will be displayed in the App configuration window.

    You can change the configuration by editing the text of the PLIST file after its import.

  14. Click OK to apply the app configuration.
  15. Click OK once again to close the Add an application window.

The added app is displayed in the Managed applications section of the properties window of the iOS MDM Server.
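
The following is an added example, not part of the Kaspersky documentation: a check to run on the PLIST file from step 12 before uploading it, using only the keys, allowed values and defaults from the Microsoft Outlook table above. The function name review_app_config and the severity labels are assumptions, and both sample inputs are constructed.

```python
import plistlib

P = "com.microsoft.outlook.EmailProfile."

# Keys from the Microsoft Outlook table on this page. A set lists the values
# the table allows; None means any non-empty string.
TABLE_KEYS = {
    P + "EmailAccountName": None,
    P + "EmailAddress": None,
    P + "EmailUPN": None,
    P + "ServerAuthentication": {"Username and Password", "Certificates"},
    P + "ServerHostName": None,
    P + "AccountDomain": None,
    P + "AccountType": {"ModernAuth", "BasicAuth"},
    "IntuneMAMRequireAccounts": {"Enabled", "Disabled"},
    "IntuneMAMUPN": None,
}
# Defaults stated in the table; they apply when the key is absent.
TABLE_DEFAULTS = {
    P + "ServerAuthentication": "Username and Password",
    P + "AccountType": "BasicAuth",
}


def review_app_config(plist_bytes):
    """Return (severity, key, message) findings for a PLIST file (hypothetical helper)."""
    try:
        cfg = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed XML or not a property list at all
        return [("error", "", f"not a valid PLIST: {exc}")]
    if not isinstance(cfg, dict):
        return [("error", "", "top-level element must be <dict>")]

    findings = []
    for key, value in cfg.items():
        if key not in TABLE_KEYS:
            findings.append(("warn", key, "not in the table; check the app's documentation"))
            continue
        if not isinstance(value, str) or not value.strip():
            findings.append(("error", key, "value must be a non-empty <string>"))
            continue
        allowed = TABLE_KEYS[key]
        if allowed is not None and value not in allowed:
            findings.append(("error", key, f"{value!r} is not one of {sorted(allowed)}"))

    host = cfg.get(P + "ServerHostName")
    if isinstance(host, str) and "://" in host:
        findings.append(("warn", P + "ServerHostName", "give the FQDN without http:// or https://"))

    # Effective settings once the table's defaults fill in for absent keys.
    effective = {**TABLE_DEFAULTS, **{k: v for k, v in cfg.items() if isinstance(v, str)}}
    if effective[P + "AccountType"] == "BasicAuth":
        source = "set" if P + "AccountType" in cfg else "default"
        findings.append(("review", P + "AccountType",
                         f"BasicAuth ({source}): password prompt; ModernAuth is token-based"))
    # The table ties required sign-in to the account named by IntuneMAMUPN.
    if cfg.get("IntuneMAMRequireAccounts") == "Enabled" and "IntuneMAMUPN" not in cfg:
        findings.append(("error", "IntuneMAMUPN", "required when IntuneMAMRequireAccounts is Enabled"))
    return findings


# The settings from the page's example file, rebuilt here as PLIST bytes.
PAGE_EXAMPLE = plistlib.dumps({
    P + "AccountType": "BasicAuth",
    P + "EmailAccountName": "My Work Email",
    P + "ServerHostName": "exchange.server.com",
    P + "EmailAddress": "%email%",
    P + "EmailUPN": "%full_name%",
    P + "AccountDomain": "my-domain",
    P + "ServerAuthentication": "Username and Password",
    "IntuneMAMAllowedAccountsOnly": "Enabled",
    "IntuneMAMUPN": "%full_name%",
})

# Constructed input with several mistakes, for illustration only.
CONSTRUCTED_BAD = plistlib.dumps({
    P + "ServerHostName": "https://mail.companyname.com",
    P + "ServerAuthentication": "Password",
    P + "EmailAddress": "%email%",
    "IntuneMAMRequireAccounts": "Enabled",
})

if __name__ == "__main__":
    for name, data in (("page example", PAGE_EXAMPLE), ("constructed", CONSTRUCTED_BAD)):
        print(name)
        for severity, key, message in review_app_config(data):
            print(f"  [{severity}] {key}: {message}")
```

For a file on disk, pass its contents as bytes, for example the result of reading the file in binary mode.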

It is also possible to change or delete the configuration of an already added app.

To change the configuration of a managed app:

  1. In the Managed applications section, select the managed app from the list, and then click the Modify button.

    The Changing mobile app settings window opens.

  2. In the Changing mobile app settings window, click the App configuration button.

    The App configuration window opens.

  3. Click the Browse button to select and upload a configuration file in PLIST format.
  4. If necessary, edit the text of the PLIST file after its import.
  5. Click OK to apply the app configuration.
  6. Click OK to close the Changing mobile app settings window.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

To delete a managed app configuration:

  1. In the Managed applications section, select the managed app from the list, and then click the Modify button.

    The Changing mobile app settings window opens.

  2. In the Changing mobile app settings window, click the Delete configuration button.

The applied configuration of the managed app is deleted.

See also:

Scenario: Mobile Device Management deployment

Installing an app on a mobile device

To install an app on an iOS MDM mobile device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices:
    1. Click the No filter specified, records total: <number> link.
    2. On the Management protocol list, select iOS MDM.
  3. Select the mobile device on which you want to install an app.

    You can select multiple mobile devices to install the application on them simultaneously.

  4. In the context menu of the mobile device, select Show command log.
  5. In the Mobile device <device name> management commands window, proceed to the Install app section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands in the context menu of that mobile device, and then selecting Install app.

    The Select apps window opens showing a list of profiles. Select from the list the application that you want to install on the mobile device. You can select multiple applications to install them on the mobile device simultaneously. To select a range of apps, use the Shift key. To combine apps into a group, use the Ctrl key.

  6. Click OK to send the command to the mobile device.

    When the command is executed, the selected application will be installed on the user's mobile device. If the command is successfully executed, its current status in the command log will be shown as Completed.

    You can click the Resend button to send the command to the user's mobile device again. You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

    The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

  7. Click OK to close the Mobile device <device name> management commands window.

Information about the application installed is displayed in the properties of the iOS MDM mobile device. You can remove the application from the mobile device through the command log or the context menu of the mobile device.

See also:

Scenario: Mobile Device Management deployment

Removing an app from a device

To remove an app from a mobile device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices:
    1. Click the No filter specified, records total: <number> link.
    2. On the Management protocol list, select iOS MDM.
  3. Select the mobile device from which you want to remove the app.

    You can select multiple mobile devices to remove the app from them simultaneously.

  4. In the context menu of the mobile device, select Show command log.
  5. In the Mobile device <device name> management commands window, proceed to the Remove app section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands in the context menu of that mobile device, and then selecting Remove app.

    The Remove apps window opens showing a list of applications.

  6. Select from the list the app that you need to remove from the mobile device. You can select multiple apps to remove them simultaneously. To select a range of apps, use the Shift key. To combine apps into a group, use the Ctrl key.
  7. Click OK to send the command to the mobile device.

    When the command is executed, the selected app will be removed from the user's mobile device. If the command is executed successfully, the current status of the command will be shown as Completed.

    You can click the Resend button to send the command to the user's mobile device again.

    You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

    The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

  8. Click OK to close the Mobile device <device name> management commands window.

See also:

Scenario: Mobile Device Management deployment

Installing and uninstalling apps on a group of iOS MDM devices

Kaspersky Security Center allows you to install and remove apps on iOS MDM devices by sending commands to these devices.

Selecting devices

To select iOS MDM devices on which apps should be installed or removed:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices by protocol type (iOS MDM).
  3. Select the iOS MDM device on which apps should be installed or removed.

    You can also select multiple devices and send commands simultaneously. To select a group of devices, do one of the following:

    • To select all devices in the workspace, filter the list of devices as required and press Ctrl+A.
    • To select a range of devices, hold down the Shift key, click the first device in the range, and then click the last device in the range.
    • To select individual devices, hold down the Ctrl key and click devices you want to include in the group.

Installing apps on devices

Before installing an app on an iOS MDM device, you must add that app to an iOS MDM Server. For more information, refer to Adding a managed app.

To install apps on selected iOS MDM devices:

  1. Right-click the selected devices. In the context menu that appears, select All commands, and then select Install app.

    For a single device, you can also select Show command log in the context menu, proceed to the Install app section, and click the Send command button.

    The Select apps window opens showing a list of managed apps.

  2. Select the apps you want to install on iOS MDM devices. To select a range of apps, use the Shift key. To select multiple apps individually, use the Ctrl key.
  3. Click OK to send the command to the devices.

    When the command is executed on a device, the selected apps are installed. If the command is successfully executed, the command log will show its current status as Completed.

Removing apps from devices

To remove apps from selected iOS MDM devices:

  1. Right-click the selected devices. In the context menu that appears, select All commands, and then select Remove app.

    For a single device, you can also select Show command log in the context menu, proceed to the Remove app section, and click the Send command button.

    The Remove apps window opens showing a list of previously installed apps.

  2. Select the apps you want to remove from iOS MDM devices. To select a range of apps, use the Shift key. To select multiple apps individually, use the Ctrl key.
  3. Click OK to send the command to the devices.

    When the command is executed on a device, the selected apps are uninstalled. If the command is successfully executed, the command log will show its current status as Completed.

Configuring roaming on an iOS MDM mobile device

To configure roaming:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices:
    1. Click the No filter specified, records total: <number> link.
    2. On the Management protocol list, select iOS MDM.
  3. Select the mobile device owned by the user for whom you want to configure roaming.

    You can select multiple mobile devices to configure roaming on them simultaneously.

  4. In the context menu of the mobile device, select Show command log.
  5. In the Mobile device <device name> management commands window, proceed to the Configure roaming section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands from the context menu of the device, and then selecting Configure roaming.

  6. In the Roaming settings window, specify the relevant settings:
    • Enable data roaming

      If this option is enabled, data roaming is enabled on the iOS MDM mobile device. The user of the iOS MDM mobile device can surf the internet while roaming.

      By default, this option is disabled.

Roaming is configured for the selected devices.

See also:

Scenario: Mobile Device Management deployment

Viewing information about an iOS MDM device

To view information about an iOS MDM device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices:
    1. Click the No filter specified, records total: <number> link.
    2. On the Management protocol list, select iOS MDM.
  3. Select the mobile device for which you want to view the information.
  4. From the context menu of the mobile device, select Properties.

    The properties window of the iOS MDM device opens.

The properties window of the mobile device displays information about the connected iOS MDM device.

See also:

Scenario: Mobile Device Management deployment


Disconnecting an iOS MDM device from management

If you want to stop managing an iOS MDM device, you can disconnect it from management in Kaspersky Security Center.

As an alternative, you or the device owner can remove the iOS MDM profile from the device. However, you must still disconnect the device from management afterwards, as described in this section. Otherwise, you will not be able to start managing this device again.

To disconnect an iOS MDM device from the iOS MDM Server:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices:
    1. Click the No filter specified, records total: <number> link.
    2. On the Management protocol list, select iOS MDM.
  3. Select the mobile device that you want to disconnect.
  4. In the context menu of the mobile device, select Delete.

The iOS MDM device is marked in the list for removal. Within one minute, the device is removed from the iOS MDM Server database, after which it is automatically removed from the list of managed devices.

After the iOS MDM device is disconnected from management, the following are removed from the mobile device: all installed configuration profiles, the iOS MDM profile, and the applications for which the Remove together with iOS MDM profile option has been enabled in the iOS MDM Server settings.

See also:

Scenario: Mobile Device Management deployment


Configuring kiosk mode for iOS MDM devices


Kiosk mode is an iOS feature that lets you limit the set of apps available to a device user to a single app. In this mode, a device user can open only one app that is allowed on the device and specified in the kiosk mode settings.

The kiosk mode settings apply to iOS MDM devices managed through Kaspersky Security Center.

Open the kiosk mode settings

To open the kiosk mode settings:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Kiosk mode section.

Configure kiosk mode

To enable kiosk mode:

  1. Select the Enable kiosk mode (supervised only) check box to activate kiosk mode on a supervised device.
  2. In the App's bundle ID field, enter the unique identifier of an app selected for kiosk mode (for example, com.apple.calculator).

    How to get the bundle ID of an app

    To get the bundle ID of a native iPhone or iPad app, follow the instructions in the Apple documentation.

    To get the bundle ID of any iPhone or iPad app:

    1. Open App Store.
    2. Find the required app and open its page.

      The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).

    3. Copy this identifier (without the letters "id").
    4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.

      This downloads a text file.

    5. Open the downloaded file and find the "bundleId" fragment.

    The text that directly follows this fragment is the bundle ID of the required app.

    To get the bundle ID of an app that has been added to Kaspersky Security Center:

    1. In the console tree of Kaspersky Security Center, go to Advanced > Remote installation > Installation packages.
    2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

    In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

    If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add the app package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

    To select a different app, you need to disable kiosk mode, save the changes to the policy, and enable kiosk mode for a new app.

    The app that is selected for kiosk mode must be installed on the device. Otherwise, the device will be locked until kiosk mode is disabled.

    The use of the selected app must also be allowed in the policy settings. If the use of the app is prohibited, kiosk mode will not be enabled until the selected app is removed from the list of forbidden apps.

    In some cases, if the use of the selected app is prohibited in the policy settings, kiosk mode can still be enabled.

  3. Specify the settings that will be enabled on the device in kiosk mode. For available settings, see the "Kiosk mode settings" section below.
  4. Specify the settings that the user can edit on the device in kiosk mode.
  5. Click the Apply button to save the changes you have made.

Once the changes to the policy are saved, kiosk mode is enabled. The selected app is forced to open on a supervised device, while the use of other apps is prohibited. The selected app reopens immediately after the device is restarted.

To edit the kiosk mode settings, you need to disable kiosk mode, save changes to the policy, and then enable kiosk mode again with the new settings.
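
The App Store lookup steps above (copy the identifier from the app page URL, open the lookup URL, find "bundleId") can be scripted so that the value entered in the App's bundle ID field is not mistyped. This is an added example, not part of the Kaspersky documentation: the function names are hypothetical, and the sample response with its identifier 1234567890 and bundle ID com.example.kiosk-app is constructed.

```python
import json
import re
from urllib.parse import urlparse

# A bundle ID may contain only alphanumerics, hyphens and periods.
BUNDLE_ID_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample of a lookup response (not real App Store data).
SAMPLE_LOOKUP = json.dumps({
    "resultCount": 1,
    "results": [{"trackId": 1234567890,
                 "trackName": "Example Kiosk App",
                 "bundleId": "com.example.kiosk-app"}],
})


def extract_app_id(store_url):
    """Steps 2-3: take the digits after "id" at the end of the app page URL."""
    parsed = urlparse(store_url)
    if parsed.scheme != "https" or parsed.hostname != "apps.apple.com":
        raise ValueError("not an App Store page URL")
    match = re.fullmatch(r"id([0-9]+)", parsed.path.rstrip("/").rsplit("/", 1)[-1])
    if match is None:
        raise ValueError("URL path does not end with id<digits>")
    return match.group(1)


def lookup_url(app_id):
    """Step 4: build the lookup URL for the copied identifier."""
    if re.fullmatch(r"[0-9]+", app_id) is None:
        raise ValueError("identifier must be digits only")
    return "https://itunes.apple.com/lookup?id=" + app_id


def parse_bundle_id(lookup_text, app_id):
    """Step 5: read "bundleId" from the entry whose trackId matches app_id."""
    for entry in json.loads(lookup_text).get("results", []):
        if str(entry.get("trackId")) == app_id:
            bundle_id = str(entry.get("bundleId", ""))
            if BUNDLE_ID_RE.fullmatch(bundle_id) is None:
                raise ValueError("unexpected bundle ID format: %r" % bundle_id)
            return bundle_id
    raise LookupError("no entry for app id " + app_id)


if __name__ == "__main__":
    print(lookup_url(extract_app_id(
        "https://apps.apple.com/us/app/google-chrome/id535886823")))
    print(parse_bundle_id(SAMPLE_LOOKUP, "1234567890"))
```

Matching on trackId rather than taking the first "bundleId" in the file guards against copying the identifier of a different app, which matters here because kiosk mode locks the device if the selected app is not installed.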

To disable kiosk mode:

  1. Select the Disable kiosk mode (supervised only) check box to deactivate kiosk mode on a supervised device.
  2. Click the Apply button to save the changes you have made.

Once the changes to the policy are saved, kiosk mode is disabled. The use of all apps is allowed on a supervised device.

Now, you can enable kiosk mode again with the new settings.

Kiosk mode settings

  • Auto-Lock

    If the check box is selected, Auto-Lock is enabled. The screen is automatically locked on the device.

    If the check box is cleared, Auto-Lock is disabled.

    This check box is selected by default.

  • Touch (not recommended to disable)

    If the check box is selected, all touch input capabilities are enabled.

    If the check box is cleared, all touch input capabilities are disabled.

    This check box is selected by default.

  • AssistiveTouch

    If the check box is selected, AssistiveTouch is enabled. The device screen is adapted to the user's unique physical needs.

    If the check box is cleared, AssistiveTouch is disabled.

    This check box is cleared by default.

  • Voice Control

    If the check box is selected, Voice Control is enabled. The user can navigate and interact with the device using voice commands.

    If the check box is cleared, Voice Control is disabled.

    This check box is cleared by default.

  • VoiceOver

    If the check box is selected, VoiceOver is enabled. Audible descriptions of what appears on the screen are given.

    If the check box is cleared, VoiceOver is disabled.

    This check box is cleared by default.

  • Speak Selection

    If the check box is selected, Speak Selection is enabled. The text selected on the screen is spoken.

    If the check box is cleared, Speak Selection is disabled.

    This check box is cleared by default.

  • Volume Buttons

    If the check box is selected, the volume buttons are enabled. The user can adjust the volume on the device.

    If the check box is cleared, the volume buttons are disabled.

    This check box is selected by default.

  • Mono Audio

    If the check box is selected, Mono Audio is enabled. The left and right headphone channels are combined to play the same content.

    If the check box is cleared, Mono Audio is disabled.

    This check box is cleared by default.

  • Zoom

    If the check box is selected, Zoom is enabled. The user can zoom in and out on the content on the screen.

    If the check box is cleared, Zoom is disabled.

    This check box is selected by default.

  • Auto-Rotate Screen

    If the check box is selected, Auto-Rotate Screen is enabled. Screen orientation automatically changes when the device is rotated.

    If the check box is cleared, Auto-Rotate Screen is disabled.

    This check box is selected by default.

  • Invert Colors

    If the check box is selected, inverting colors on the screen is enabled. The displayed colors are changed to their opposite colors.

    If the check box is cleared, inverting colors on the screen is disabled.

    This check box is cleared by default.

  • Ring/Silent Switch

    If the check box is selected, Ring/Silent Switch is enabled. The user can switch between Ring and Silent modes to mute or unmute sounds and alerts.

    If the check box is cleared, Ring/Silent Switch is disabled.

    This check box is selected by default.

  • Sleep/Wake Button

    If the check box is selected, the Sleep/Wake button is enabled. The user can put the device to sleep or wake the device.

    If the check box is cleared, the Sleep/Wake button is disabled.

    This check box is selected by default.

See also:

Configuring kiosk mode for Android devices
