Kaspersky Secure Mobility Management
[Topic 274694]

Creating a policy

Kaspersky Security Center Web Console lets you create policies to configure the security settings of a group of Android, iOS, and Aurora mobile devices. The values of security settings configured in policies are saved on the Administration Server, distributed to mobile devices during synchronization, and saved to devices as current settings.

You can create policies using the Mobile policy wizard.

To create a policy:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Policies & profiles.
  2. In the list of policies that opens, click Current path to select the administration group for which you want to create a policy.

    By default, the new policy is applied to the Managed devices group.

  3. Click Add to start the Mobile policy wizard.
  4. In the Select application window, select the Kaspersky Mobile Devices Protection and Management option, and then click Next.

    The Mobile policy wizard starts. Click Start, and then proceed through the wizard using the Back and Next buttons.

Step 1. License

At this step, choose a license.

The license you choose determines the security settings that you can configure in a policy. By default, the license that supports the Kaspersky Secure Mobility Management functionality is pre-selected. You can choose a different license manually.

Step 2. Operating systems and device operating modes

At this step, choose the operating systems the policy will apply to and specify the device operating modes.

  • Android
    • Personal device (basic protection and management of a personal Android device).
    • Device with corporate container (isolated corporate environment on an Android device).
    • Corporate device (an extended set of settings for managing a corporate Android device).

      For detailed information, refer to the About Android device operating modes section.

  • iOS
    • Basic protection (protection against web threats and jailbreak detection on iOS devices).
    • Basic control (basic management of a personal iOS device).
    • Supervised (an extended set of settings for managing an iOS device).

      For detailed information, refer to the About iOS device operating modes section.

      To connect and manage iOS devices in basic control and supervised operating modes, you must have an iOS MDM Server installed in the selected administration group. For detailed information on installing iOS MDM Server, refer to the Deploying iOS MDM Server section.

  • Aurora
    • Protection (protection of Aurora devices against threats).

      To connect Aurora devices, you need to have Kaspersky Endpoint Security for Aurora pre-installed on the devices that will connect.

In the New policy window:

  1. In the Name field, type the name of the new policy. If you specify the name of an existing policy, it will have (1) added at the end automatically.
  2. In the Policy status block of settings, select the status of the policy:
    • Active. The wizard saves the created policy on the Administration Server. At the next synchronization of mobile devices with the Administration Server, the policy will be used on devices as an active policy.
    • Inactive. The wizard saves the created policy on the Administration Server as a backup policy. This policy can be activated in the future after a specific event. If necessary, an inactive policy can be switched to an active state.

      Several policies can be created for one application in the group, but only one of them can be active. When a new active policy is created, the previous active policy automatically becomes inactive.

  3. On the General tab of the Settings inheritance block of settings, select the inheritance options:
    • Inherit settings from parent policy

      If you enable this option in a child policy and an administrator locks some settings in the parent policy, then you cannot change these settings in the child policy.

      If you disable this option in a child policy, then you can change all the settings in the child policy, even if some settings are locked in the parent policy.

    • Force inheritance of settings in child policies

      If you enable this option in a parent policy, this enables the Inherit settings from parent policy option for each child policy. In this case, you cannot disable this option for any child policy. All the settings that are locked in the parent policy are forcibly inherited in the child groups and you cannot change these settings in the child groups.

    By default, the Inherit settings from parent policy option is enabled and the Force inheritance of settings in child policies option is disabled.

    Inheritance of policy settings works only if either identical device operating modes are selected for the parent and child policy or device operating modes selected for the child policy provide more security settings. For example, a child policy for Android devices with a corporate container can inherit settings from a parent policy for personal devices but cannot inherit settings from a parent policy for corporate devices.

    If you create a child policy that is incompatible with the parent policy, you must delete it and create a new child policy to manage devices.

  4. Click Save.

The new policy for mobile devices is created.

[Topic 274738]

Modifying a policy

Kaspersky Security Center Web Console lets you modify policies.

To modify a policy:

  1. Open the policy properties window by doing one of the following:
    • In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Policies & profiles. In the list of policies that opens, click the name of the policy that you want to modify.
    • In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Mobile > Devices. Click the mobile device that falls under the policy that you want to modify, and then select the policy on the Active policies and policy profiles tab.
  2. In the policy properties window, navigate to the Application settings tab, and then define the policy settings.

    You can also configure general settings, settings inheritance, event logging and notifications, and policy profiles, and also view the revision history. For more information, please refer to the Kaspersky Security Center Help.

  3. Click Save to save the changes you have made to the policy and exit the policy properties window.

The policy is modified. Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

[Topic 283010]

Copying a policy

Kaspersky Security Center Web Console lets you create a copy of a policy.

To create a copy of a policy:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Policies & profiles.
  2. In the list of policies that opens, select the check box next to the name of the policy you want to copy, and then click Copy.
  3. In the tree of administration groups that opens, select the target group where you want the policy to be created.

    You can create a new administration group by selecting an existing group, and then clicking Add child group.

  4. Click Copy.
  5. Click OK to confirm the operation.

A copy of the policy will be created in the target group under the same name. The status of each copied or moved policy in the target group will be Inactive. You can change the status to Active at any time.

If a policy with a name identical to that of the newly created or moved policy already exists in the target group, the (<next sequence number>) suffix is added to the name of the newly created or moved policy, for example: (1).

[Topic 274713]

Moving a policy to another administration group

Kaspersky Security Center Web Console lets you move a policy to another administration group.

To move a policy to another administration group:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Policies & profiles.
  2. In the list of policies that opens, select the check box next to the name of the policy that you want to move to another administration group, and then click Move.
  3. In the tree of administration groups that opens, select the target group to which you want to move the policy.

    You can create a new administration group by selecting an existing group, and then clicking Add child group.

  4. Click Move.
  5. Click OK to confirm the operation.

The result depends on the policy inheritance properties:

  • If the policy is not inherited in the source group, it will be moved to the target group.
  • If the policy is inherited in the source group, it will not be moved. Instead, a copy of the policy will be created in the target group.

The status of each copied or moved policy in the target group will be Inactive. You can change the status to Active at any time.

If a policy with a name identical to that of the newly created or moved policy already exists in the target group, the (<next sequence number>) suffix is added to the name of the newly created or moved policy, for example: (1).

[Topic 283449]

Viewing the list of policies

Kaspersky Security Center Web Console lets you view the list of created policies, their statuses, and properties.

To view the list of policies:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Policies & profiles.
  2. The list of policies opens with brief information about the policies. On this page, you can create, modify, copy, move, and delete policies.
[Topic 274716]

Viewing the policy distribution results

Kaspersky Security Center Web Console lets you view the distribution chart of a policy and the information about all devices that fall under that policy.

To view the results of distributing a policy:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Policies & profiles.
  2. In the list of policies that opens, select the check box next to the name of the policy whose distribution results you want to view, and then click Distribution.

The policy distribution results page opens. This page contains the policy summary, a policy distribution chart, and a table with information about all devices that fall under that policy. You can open the policy properties window by clicking the Configure policy button.

[Topic 274711]

Managing revisions to policies

Kaspersky Security Center Web Console lets you view modifications made to a policy over a certain period, as well as save information about these modifications in a file.

To view a policy revision:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Policies & profiles.
  2. In the list of policies that opens, click the policy whose revision you want to view, and then go to the Revision history section.
  3. In the list of policy revisions, click the number of the revision that you want to view.

    If the size of the revision is more than 10 MB, you will not be able to view it using Kaspersky Security Center Web Console. You will be prompted to save the selected revision to a JSON file.

    If the size of the revision does not exceed 10 MB, a report in HTML format with the settings of the selected policy revision is displayed. The report is displayed in a pop-up window, so make sure pop-ups are allowed in your browser.

    To save a policy revision to a JSON file, in the list of policy revisions, select the revision that you want to save, and then click Save to file.

The revision is saved to a JSON file.

For detailed information on managing revisions to policies, refer to the Kaspersky Security Center Help.
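
Comparing two revision files saved with Save to file shows exactly which settings changed between them. The script below is an added example, not Kaspersky code; it assumes only that the saved files are JSON, and the two sample revisions and all of their key names are constructed for illustration.

```python
import json
import sys

# Constructed sample revisions. The key names are hypothetical: the page does
# not show the schema of a saved policy revision.
OLD_REVISION = """{"revision": 5, "settings": {
  "password": {"required": true, "minLength": 8},
  "webProtection": {"enabled": true,
                    "blockedCategories": ["phishing", "malware"]}}}"""
NEW_REVISION = """{"revision": 6, "settings": {
  "password": {"required": true, "minLength": 4},
  "webProtection": {"enabled": false, "blockedCategories": ["phishing"]},
  "inheritFromParent": false}}"""


def flatten(node, path=""):
    """Map each leaf of a JSON document to a path such as 'a.b[0].c'."""
    leaves = {}
    if isinstance(node, dict) and node:
        for key, value in node.items():
            leaves.update(flatten(value, f"{path}.{key}" if path else key))
    elif isinstance(node, list) and node:
        for index, value in enumerate(node):
            leaves.update(flatten(value, f"{path}[{index}]"))
    else:
        leaves[path] = node  # scalar, or an empty dict/list kept as a leaf
    return leaves


def diff_revisions(old, new):
    """Return (kind, path, old_value, new_value) tuples, sorted by path."""
    old_leaves, new_leaves = flatten(old), flatten(new)
    changes = []
    for path in sorted(old_leaves.keys() | new_leaves.keys()):
        if path not in new_leaves:
            changes.append(("removed", path, old_leaves[path], None))
        elif path not in old_leaves:
            changes.append(("added", path, None, new_leaves[path]))
        else:
            before, after = old_leaves[path], new_leaves[path]
            # Compare types too, so that true -> 1 is reported as a change.
            if (type(before), before) != (type(after), after):
                changes.append(("changed", path, before, after))
    return changes


def load_revision(file_path):
    with open(file_path, encoding="utf-8") as handle:
        return json.load(handle)


if __name__ == "__main__":
    if len(sys.argv) == 3:   # two files saved with "Save to file"
        old, new = load_revision(sys.argv[1]), load_revision(sys.argv[2])
    else:                    # fall back to the constructed samples
        old, new = json.loads(OLD_REVISION), json.loads(NEW_REVISION)
    for kind, path, before, after in diff_revisions(old, new):
        print(f"{kind:8} {path}: {before!r} -> {after!r}")
```

List elements are compared by position, so an item inserted at the start of a list is reported as a change to every later index.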

[Topic 274740]

Restricting permissions to configure policies

Kaspersky Security Center administrators can configure the access permissions of Web Console users for different functions of the Kaspersky Secure Mobility Management solution depending on the job duties of users.

In the Web Console interface, you can configure access rights on the Security and User roles tabs of the Administration Server properties window. The User roles tab lets you add standard user roles with a predefined set of rights. The Security section lets you configure rights for one user or a group of users or assign roles to one user or a group of users. User rights for each application are configured according to functional scopes.

For each functional area, the administrator can assign the following permissions:

  • Allow editing. The Web Console user is allowed to change the policy settings in the properties window.
  • Block editing. The Web Console user is prohibited from changing the policy settings in the properties window. Policy tabs belonging to the functional scope for which this right has been assigned are not displayed in the interface.
[Topic 274742]

Configuring role-based access control

Kaspersky Security Center Web Console provides facilities for role-based access to the features of Kaspersky Secure Mobility Management.

You can configure access rights to application features for Kaspersky Secure Mobility Management in one of the following ways:

  • By configuring the rights for each user or group of users individually.
  • By creating standard user roles with a predefined set of rights and assigning those roles to users depending on their scope of duties.

Application of user roles is intended to simplify and shorten routine procedures of configuring users' access rights to application features. Access rights within a role are configured in accordance with the standard tasks and the users' scope of duties.

User roles can be assigned names that correspond to their respective purposes. You can create an unlimited number of roles in the application. You can use the predefined user roles with an already configured set of rights, or create new roles and configure the required rights yourself.

For detailed information on configuring user access in Kaspersky Security Center, refer to the Kaspersky Security Center Help.

Some of the predefined user roles are not authorized to work with mobile devices. The predefined user roles which are available for the Kaspersky Secure Mobility Management features are listed in the table below.

Predefined user roles for Kaspersky Secure Mobility Management

| Role | Read | Write | License key management: create policies and modify license key settings | Vulnerability and patch management: view unaccepted EULAs and accept EULAs |
|---|---|---|---|---|
| Kaspersky Endpoint Security Administrator | + | + | - | - |
| Kaspersky Endpoint Security Operator | + | - | - | - |
| Main Administrator | + | + | - | - |
| Main Operator | + | - | - | - |
| Mobile Device Management Administrator | + | + | + | + |
| Mobile Device Management Operator | + | - | - | - |

For detailed information on predefined user roles, refer to the Kaspersky Security Center Help.

Access rights to Kaspersky Secure Mobility Management features

Functional areas:

  • Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > App configuration
  • Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Security controls
  • Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Corporate container
  • Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Device configuration
  • Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Configuration of Kaspersky device management apps
  • Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Protection
  • Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Restrictions
  • Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Samsung Knox settings

Right (for each functional area listed above):

  • Read: Get read access to all settings in the corresponding policy section
  • Write: Get write access to all settings in the corresponding policy section

Note: To configure the Web Protection and Web Control settings, the administrator must have the Read and Write rights for both the Protection and Security controls functional areas.

Mobile Device Management access rights

| Right | User action: right required to perform the action |
|---|---|
| Mobile Device Management > General > Read | View the Mobile section in Kaspersky Security Center Web Console |
| Mobile Device Management > General > Write | Perform any action with certificates (except viewing certificates; the Manage certificates right must also be granted); configure Firebase Cloud Messaging settings |
| Mobile Device Management > General > Connect new devices | Connect new mobile devices and iOS MDM Servers; delete devices |
| Mobile Device Management > General > Manage certificates | Perform any action with certificates; configure certificate issuance rules. The Write right must also be granted. |
| Mobile Device Management > General > Send only information commands to mobile devices | Send and cancel the Synchronize device command |
| Mobile Device Management > General > Send commands to mobile devices | Send and cancel any command |

[Topic 286998]

Configuring policy profiles

Sometimes it may be necessary to create and centrally modify several instances of a single policy for an administration group. These instances might differ by only one or two settings.

To help you avoid creating several instances of a single policy, Kaspersky Security Center Web Console lets you create policy profiles. Policy profiles are necessary if you want devices within a single administration group to run under different policy settings.

A policy profile is a named subset of policy settings. This subset is distributed on target devices together with the policy, supplementing it under a specific condition called the profile activation condition. Profiles only contain settings that differ from the "basic" policy, which is active on the managed device. Activation of a profile modifies the settings of the "basic" policy that were initially active on the device. The modified settings take values that have been specified in the profile.

You can modify the specific conditions that must affect activation of the policy profile that you are creating. For mobile devices, you can modify the following conditions:

  • Rules for specific device owner

    Profile activation on the device according to its owner.

    • Device owner
    • Device owner is included in an internal security group
  • Rules for Active Directory usage

    Policy profile activation on the device based on the device allocation in an Active Directory organizational unit or the membership of that device (or the device owner) in an Active Directory security group. The configuration scope depends on the currently used policy.

    • Device owner's membership in an Active Directory security group
    • Device membership in Active Directory security group
    • Device allocation in Active Directory organizational unit

For detailed information on configuring activation rules, creating, deleting, or copying policy profiles, refer to the Kaspersky Security Center Help.

[Topic 286996]

Deleting a policy

Kaspersky Security Center Web Console lets you delete policies.

You can delete only policies that are not inherited in the current administration group. If a policy is inherited, you can only delete it in the higher-level group for which it was created.

To delete a policy:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Policies & profiles.
  2. In the list of policies that opens, select the check box next to the name of the policy that you want to delete, and then click Delete.
  3. In the window that opens, click OK to confirm the operation.

The policy is deleted. Until a new policy is applied, mobile devices belonging to the administration group continue to work according to the settings specified in the deleted policy.

[Topic 274741]