Kaspersky Secure Mobility Management
6.0
English

Contents

App Control

This section contains instructions on how to configure user access to apps on a mobile device.

In this section

App Control on Android devices

App Control on iOS MDM devices
Page top
[Topic 274747]

App Control on Android devices

Expand all | Collapse all

The App Control component lets you manage apps on Android devices and configure use of these apps to keep the devices secure.

You can restrict user activity on a device on which forbidden apps are installed or required apps are not installed (for example, by locking the device). You can impose restrictions using the Compliance Control component. To do so, in the rule settings, you must select the Forbidden apps are installed, Apps from forbidden categories are installed, or Not all required apps are installed criterion.

Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of App Control. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or later disable this service in the device settings. If the user does this, App Control will not run.

On corporate devices, you have extended control over the device. App Control operates without notifying the device user:

  • Required apps are installed automatically in the background. To install apps silently, you need to specify a link to the APK file of the required app in the policy settings.
  • Forbidden apps can be deleted from the device automatically. To delete apps silently, you need to select the Remove forbidden apps automatically check box in the policy settings.

To configure app startup settings on the mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Security controls section.
  4. On the App Control card, click Settings.

    The App Control window opens.

  5. Enable the settings using the App Control toggle switch.
  6. Configure the settings on the following tabs:
    • If you want to configure general rules of app management, go to the App use tab.
      1. In the Operating mode drop-down list, select the App Control mode:
        • To allow the user to start all apps except those specified as blocked in the list of categories and apps, select Use all apps except forbidden ones. Kaspersky Endpoint Security for Android will hide icons of forbidden apps. This option is selected by default.
        • To allow the user to start only apps specified in the list of categories and apps as allowed, recommended, or required apps, select Use only allowed apps. Kaspersky Endpoint Security for Android will hide icons of all apps except those specified in the list of allowed, recommended, or required apps and system apps.
      2. If you want Kaspersky Endpoint Security for Android to send data on forbidden apps to the event log without blocking them, select the Do not block forbidden apps, only add a record to the event log check box.
      3. If you want Kaspersky Endpoint Security for Android to block startup of system apps (such as Calendar, Camera, and Settings) on the user's mobile device, select the Block system apps check box. This check box is displayed in the Use only allowed apps mode.

        We recommend that you do not block system apps because doing so could cause the device to malfunction.

        Before removing Kaspersky Endpoint Security for Android from the device, clear this check box or disable App Control.

      4. If you want Kaspersky Endpoint Security for Android to remove forbidden apps from the device in the background without notifying the user, select the Remove forbidden apps automatically check box. This check box is displayed in policies for managing corporate devices.
      5. Click Add to add apps and categories for which you want to set rules.

        The Add app or category window opens.

      6. In the Object field, select either App or App category and do the following:
        • If you selected App, select an installation package or specify the package name and the app name in the corresponding fields.
        • If you selected App category, select a category and enter a description in the corresponding fields.
        • Click Add.

        The app or category is added to the list.

      7. If you want to configure exceptions from listed forbidden or allowed apps, click Exceptions, specify package names in the window that opens, and click OK.
      8. If you want to receive reports on installed apps, in the Report on installed apps section, select the Send data on installed apps check box. Then you can select the following check boxes:
        • Send data on built-in apps to send data on system apps.
        • Send data on service apps to send data on service apps that have no user interface and cannot be started manually.

        If a system app or service app is configured in the App Control settings, app data is sent regardless of the state of the check boxes.

        Kaspersky Endpoint Security for Android sends data to the event log each time an app is installed on a device or removed from it.

    • If you want to set actions to be performed for selected apps, go to the App management tab.
      1. In the Actions for apps table, click Add.
      2. In the window that opens, do the following:
        1. In the Action field select one of the following actions:
          • Install. The user will be prompted to install the app.
          • Remove. The app will be deleted from the user's device.
          • Recommend installation. The user will receive a recommendation to install the app.
        2. Fill in the following fields:
          • Package name
          • App name
          • Link

            Links to app packages must start with http:// or https://.

          • Version

            This field is a string parameter specified in the format of Oracle regular expressions. For more details on regular expressions, please refer to the Oracle Technical Support website.

            The Link and Version fields are not displayed if you select Remove in the Action field.

        3. Click Add.

      The configured action is added to the list.

  7. Click OK.
  8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Page top
[Topic 274757]

App Control on iOS MDM devices

Expand all | Collapse all

These settings apply to supervised devices.

Kaspersky Security Center lets you manage apps on iOS MDM devices to keep these devices secure. You can create a list of apps allowed to be installed on devices and a list of apps prohibited from being displayed and launched on devices.

To configure the list of apps allowed or prohibited to be installed on devices:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Security controls section.
  4. On the App Control card, click Settings.

    The App Control window opens.

  5. Enable the settings using the App Control toggle switch.
  6. In the Operating mode field, select one of the following options:
    • Use all apps except forbidden ones

      All apps will be displayed and available to run on the device except the ones from the list.

    • Use only allowed apps

      This option is selected by default. If you select this option, the user will be able to open only the following apps on the device:

      • Apps in the list
      • System apps

      All other apps will be hidden.

  7. Click Add to add apps to the list.
  8. In the window that opens, specify the app's bundle ID in the corresponding field. Specify the com.apple.webapp value to allow or restrict all Web Clips. How to get the bundle ID of an app

    To get the bundle ID of a built-in iPhone or iPad app,

    Follow the instructions in the Apple documentation.

    To get the bundle ID of any iPhone or iPad app:

    1. Open the App Store.
    2. Find the required app and open its page.

      The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).

    3. Copy this identifier (without the letters "id").
    4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.

      This downloads a text file.

    5. Open the downloaded file and find the "bundleId" fragment in it.

    The text that directly follows this fragment is the bundle ID of the required app.

    To get the bundle ID of an app that has been added to Kaspersky Security Center:

    1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)MobileApps & files.
    2. Click iOS.

      In the list of apps that opens, app identifiers are displayed in the Bundle ID column.

    If necessary, you can specify several bundle IDs by clicking the Add bundle ID button.

  9. Click Save.
  10. Click OK.
  11. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, the specified settings for apps are configured on devices.

Page top
[Topic 274758]