Kaspersky Secure Mobility Management
[Topic 274759]

Configuring anti-malware protection on Android devices


For timely detection of threats, viruses, and other malicious applications, you can configure the settings for real-time protection and automatic malware scans.

Kaspersky Endpoint Security for Android detects the following types of objects:

  • Viruses, worms, Trojans, and malicious tools
  • Adware
  • Legitimate apps that intruders can use to compromise users' devices or data

Anti-Malware has several limitations:

  • Due to technical limitations, Kaspersky Endpoint Security for Android cannot scan files with a size of 2 GB or more. During a scan, the app skips such files without notifying you that such files were skipped.
  • On devices running Android 11 or later, Kaspersky Endpoint Security for Android can't scan the "Android/data" and "Android/obb" folders and detect malware in them due to technical limitations.

Configuring real-time protection

To configure real-time protection settings for mobile devices:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Protection section.
  4. On the Real-time protection card, click Settings.

    The Real-time protection window opens.

  5. Enable the settings using the Real-time protection toggle switch.

    If the toggle switch is turned on, device protection is enabled, but can be manually disabled by the user.

    If the toggle switch is turned off, device protection is disabled and the user can't enable it.

  6. In the App scan drop-down list, select the app scan mode:
    • Do not scan apps
    • Scan only new apps and files from the Downloads folder
    • Scan all apps and monitor actions with files
  7. In the Action on threat detection drop-down list, select one of the following options:
    • Delete

      Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will display a temporary notification about the detection of the object.

    • Skip

      If detected objects have been skipped, Kaspersky Endpoint Security for Android warns the user about problems in device protection. For each skipped threat, the app provides actions that the user can perform to eliminate the threat. The list of skipped objects may change, for example, if a malicious file is deleted or moved. To receive an up-to-date list of threats, run a full device scan. To ensure reliable protection of your data, eliminate all detected objects.

    • Delete and save a backup copy of file in quarantine
  8. To enable additional scanning of new apps before they are started for the first time on the user's device with the help of the Kaspersky Security Network cloud service, select the Additional protection by Kaspersky Security Network check box.
  9. To block adware and apps that can be exploited by criminals to harm the device or user data, select the Detect adware, autodialers, and legitimate apps that intruders can use to compromise the user's device and data check box.
  10. Click OK.
  11. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Configuring automatic malware scans

To configure autorun of malware scans on the mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Protection section.
  4. On the Scan card, click Settings.

    The Scan window opens.

  5. Enable the settings using the Scan toggle switch.
  6. In the Action on threat detection list, select one of the following options:
    • Delete

      Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will display a temporary notification about the detection of the object.

    • Skip

      If detected objects have been skipped, Kaspersky Endpoint Security for Android warns the user about problems in device protection. For each skipped threat, the app provides actions that the user can perform to eliminate the threat. The list of skipped objects may change, for example, if a malicious file is deleted or moved. To receive an up-to-date list of threats, run a full device scan. To ensure reliable protection of your data, eliminate all detected objects.

    • Delete and save a backup copy of file in quarantine
    • Ask user

      Kaspersky Endpoint Security for Android displays a notification prompting the user to choose the action to take on the detected object: Skip or Delete.

      Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure the display of notifications on mobile devices running Android 10 or later. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. In this case, Kaspersky Endpoint Security for Android displays an Android system window prompting the user to choose the action to take on the detected object: Skip or Delete. To apply an action to multiple objects, you need to open Kaspersky Endpoint Security.

    If during a scan Kaspersky Endpoint Security for Android detects malicious apps on users' devices, the actions differ depending on the device management mode.

    On corporate devices, installed malicious apps detected by Kaspersky Endpoint Security for Android are deleted from the device automatically if the Delete option is selected. If Kaspersky Endpoint Security for Android detects malicious system apps, they are prohibited from being displayed and launched on users' devices.

    In a corporate container, installed malicious apps detected by Kaspersky Endpoint Security for Android are not deleted but prohibited from being displayed and launched on users' devices without notifying device users.

    If the Ask user option is selected, Kaspersky Endpoint Security for Android prompts users to select an action for each detected app, both on corporate devices and devices with a corporate container.

    Installed malicious apps cannot be quarantined. Accordingly, if the Delete and save a backup copy of file in quarantine option is selected, a detected malicious app is deleted.

    On personal devices, detected malicious apps cannot be deleted automatically. In this case, Kaspersky Endpoint Security for Android prompts the user to delete or skip the detected app.

  7. In the Scheduled scan field, you can configure the settings for automatically launching a full scan of the device file system.
  8. If you selected a weekly or daily scan, specify the day of the week (for weekly scans) and start time in the Day and Time fields.

    If the device is in battery saver mode, the app may perform this task later than specified.

  9. Click OK.
  10. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. Kaspersky Endpoint Security for Android scans all files, including the contents of archives.

To keep mobile device protection up to date, configure the anti-malware database update settings.

By default, anti-malware database updates are disabled when the device is roaming. Scheduled updates of anti-malware databases are not performed.

Configuring database updates

To configure settings for anti-malware database updates:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Protection section.
  4. On the Database update card, click Settings.

    The Database update window opens.

  5. Enable the settings using the Database update toggle switch.
  6. In the Scheduled database update field, you can configure the settings for automatic anti-malware database updates on the user's device.
  7. If you selected a weekly or daily database update, specify the day of the week (for weekly database updates) and start time in the Day and Time fields.

    If the device is in battery saver mode, the app may perform this task later than specified.

  8. In the Database update source section, specify the update source from which Kaspersky Endpoint Security for Android receives and installs anti-malware database updates:
    • Kaspersky servers

      Using a Kaspersky update server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices. To update databases using Kaspersky servers, Kaspersky Endpoint Security for Android transmits data to Kaspersky (for example, the update task run ID). The list of data that is transmitted during database updates is provided in the End User License Agreement.

    • Administration Server

      Using the repository of Kaspersky Security Center Administration Server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices.

    • Other source

      Using a third-party server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices. To start an update, you must enter the address of an HTTP server in the field below (for example, http://domain.com/).

  9. If you want Kaspersky Endpoint Security for Android to download database updates according to the update schedule when the device is roaming, select the Allow database update while roaming check box in the Database update while roaming section.

    Even if the check box is cleared, the user can manually start an anti-malware database update when the device is roaming.

  10. Click OK.
  11. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

[Topic 274761]

Protecting Android devices on the internet

You can use Web Protection to protect personal data of mobile device users on the internet. Web Protection blocks malicious websites that distribute malicious code, and phishing websites designed to steal your confidential data and gain access to your financial accounts. Web Protection scans websites before you open them using the Kaspersky Security Network cloud service. Web Protection is enabled by default.

In Yandex Browser and Samsung Internet, malicious and phishing websites may remain unblocked. This is because only the website domain is scanned, and if it is trusted, Web Protection can skip a threat.

Web Protection on Android devices is supported only in Google Chrome, HUAWEI Browser, Samsung Internet, and Yandex Browser.

On corporate devices, if Kaspersky Endpoint Security for Android is not enabled as an Accessibility feature, Web Protection is supported only in Google Chrome and checks only the domain of a website. To allow other browsers (Samsung Internet, Yandex Browser, and HUAWEI Browser) to support Web Protection, enable Kaspersky Endpoint Security as an Accessibility feature.

To enable Web Protection:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Protection section.
  4. On the Web Protection card, enable the settings using the Web Protection toggle switch.
  5. Click Enable.

    If you disable Web Protection, Web Control will also be disabled.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

[Topic 274762]

Protection of data on a stolen or lost device

This section describes how you can configure the unauthorized access protection settings on the device in case it gets lost or stolen.

In this section

Sending commands to a lost or stolen mobile device

Unlocking a mobile device

[Topic 274763]

Sending commands to a lost or stolen mobile device

To protect data on a mobile device that is lost or stolen, you can send special commands.

You can send commands to the following types of managed mobile devices:

  • Android devices managed via the Kaspersky Endpoint Security for Android app
  • iOS MDM devices

Each device type supports a specific set of commands (see the tables below).

Commands for Android devices

Commands for protecting data on a lost or stolen Android device

Command

Result

Lock device

The mobile device is locked. To obtain access to data, you must unlock the device using the Unlock device command or a one-time passcode.

Unlock device

The mobile device is unlocked.

After unlocking a device running Android 5 – 6, the screen unlock password is reset to "1234". After unlocking a device running Android 7 or later, the screen unlock password is not changed.

Reset to factory settings

All data is deleted from the mobile device and the settings are rolled back to their factory values. After this command is executed, the device will not be able to receive or execute subsequent commands.

This command is unavailable for personal devices and devices with a corporate container running Android 14 or later.

Wipe corporate data

Corporate data is wiped from the device. The list of wiped data depends on the mode the device is operating in:

  • On a personal device, the Knox container, corporate files sent to the device, and mail certificate are wiped.
  • On a corporate device, the Knox container, corporate files sent to the device, and the certificates installed by Kaspersky Endpoint Security for Android (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
  • Additionally, if a corporate container was created, the corporate container (its contents, corporate files sent to the device, configurations, and restrictions) and the certificates installed in the corporate container (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.

Locate device

The mobile device's location coordinates are obtained.

To view the device location in Yandex.Maps, go to the Assets (Devices) → Mobile → Devices section. Then choose a device and select Command history → Locate device → Device coordinates → Open Maps. After you click Open Maps, the device coordinates are transferred to Yandex.Maps and the device is shown on a map.

On devices running Android 12 or later, if the user granted the "Use approximate location" permission, the Kaspersky Endpoint Security for Android app first tries to get the precise device location. If this is not successful, the approximate device location is returned only if it was received within the past 30 minutes. Otherwise, the command fails.

This command does not work on Android devices if Google Location Accuracy is disabled in the settings. Please be aware that not all Android devices come with this location setting.

Take photos

The mobile device is locked. Photos are taken using the front camera of the device when somebody attempts to unlock the device. On devices with a pop-up front camera, the photo will be black if the camera is stowed.

When attempting to unlock the device, the user automatically consents to having their photo taken on the device.

If the permission to use the camera has been revoked, the mobile device displays a notification and prompts to provide the permission. On a mobile device running Android 12 or later, if the permission to use the camera has been revoked via Quick Settings, the notification is not displayed but the taken photo is black.

Sound alarm

The mobile device sounds an alarm. The alarm is sounded for 5 minutes (or for 1 minute if the device battery is low).

Wipe app data

The data of a specified app is wiped from the mobile device.

For this action, you need to specify the package name for the app whose data is to be deleted.

As a result, the app is rolled back to its default state.

The data of system and administrative apps is not wiped.

Wipe data of all apps

The data of all apps is wiped from the mobile device.

On a corporate device, the data of all apps on the device is wiped.

On a device with a corporate container, the data of all apps in the corporate container is wiped.

As a result, apps are rolled back to their default state.

The data of system and administrative apps is not wiped.

Get location history

The mobile device's location history for the last 14 days is displayed.

To view the device location in Yandex.Maps, go to the Assets (Devices) → Mobile → Devices section. Then choose a device and select Command history → Get location history → View on map. After you click View on map, the device coordinates are transferred to Yandex.Maps and the device is shown on a map.

Due to technical limitations on Android devices, the device location may be retrieved less often than specified in the Location tracking settings.

Commands for iOS MDM devices

Commands for protecting data on a lost or stolen iOS MDM device

Command

Result

Lock device

The mobile device is locked. To access data, you must unlock the device.

Reset unlock password

The mobile device's screen unlock password is reset, and the user is prompted to set a new password in accordance with policy requirements.

Reset to factory settings

All data is deleted from the mobile device and the settings are rolled back to their factory values. After this command is executed, the device will not be able to receive or execute subsequent commands.

Wipe corporate data

All installed configuration profiles, provisioning profiles, the iOS MDM profile, and apps for which the Remove when device management profile is deleted check box has been selected are removed from the device.

Enable Lost Mode (supervised only)

Lost Mode is enabled on the supervised mobile device, and the device is locked. The device screen shows a message and phone number that you can edit.

If you send the Enable Lost Mode command to a supervised iOS MDM device without a SIM card and this device is restarted, the device won't be able to connect to Wi-Fi and receive the Disable Lost Mode command. This is a specific feature of iOS devices. To avoid this issue, you can either send the command only to devices with a SIM card, or insert a SIM card into the locked device to allow it to receive the Disable Lost Mode command over the mobile network.

Locate device (Lost Mode only)

The location of the mobile device is obtained.

To view the device location in Yandex.Maps, go to the Assets (Devices) → Mobile → Devices section. Then choose a device and select Command history → Locate device → Device coordinates → Open Maps. After you click Open Maps, the device coordinates are transferred to Yandex.Maps and the device is shown on a map.

Sound alarm (Lost Mode only)

A sound is played on the lost mobile device.

Disable Lost Mode (supervised only)

Lost Mode is disabled on the mobile device, and the device is unlocked.

Permissions for executing commands

Special rights and permissions are required for executing Kaspersky Endpoint Security for Android commands. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required rights and permissions. The user can skip these steps or later disable these permissions in the device settings. If this is the case, it will be impossible to execute commands.

On devices running Android 10 or later, the user must grant the "All the time" permission to access the location. On devices running Android 11 or later, the user must also grant the "While using the app" permission to access the camera. Otherwise, Anti-Theft commands will not function. The user will be notified of this limitation and will again be prompted to grant the required level of permissions. If the user selects the "Only this time" option for the camera permission, access is considered granted by the app. We recommend contacting the user directly if the Camera permission is requested again.

For the complete list of available commands, please refer to the Commands for mobile devices section. To learn more about sending commands from Administration Console, please refer to the Sending commands section.

[Topic 274764]

Unlocking a mobile device

You can unlock a mobile device using the following methods:

On certain devices (for example, HUAWEI, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts. If the app is not added to the list, you can unlock the device only by using a one-time passcode. You cannot use commands to unlock the device.

To learn more about sending commands from the list of mobile devices in Web Console, please refer to the Sending commands section.

A one-time device passcode is a secret code for unlocking the mobile device. The passcode is generated by Kaspersky Security Center and is unique for each mobile device. You can change the length of the one-time passcode (4, 8, 12, or 16 digits) in the Anti-Theft settings of the policy.

To unlock a mobile device using a one-time passcode:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. Click the mobile device for which you want to get a one-time passcode.
  3. Select Applications → Kaspersky Mobile Devices Protection and Management.

    The Kaspersky Mobile Devices Protection and Management properties window opens.

  4. Select the Application settings tab.

    The unique passcode for the selected device is shown in the One-time code field of the One-time device passcode section.

  5. Use any available method (such as email) to communicate the one-time passcode to the user of the locked device.

    The user then must enter the received one-time passcode on the screen of the device that is locked by Kaspersky Endpoint Security for Android.

The user's mobile device is unlocked.

After unlocking a device running Android 5 – 6, the screen unlock password is reset to "1234". After unlocking a device running Android 7 or later, the screen unlock password is not changed.

To change the length of the one-time device passcode:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Protection section.
  4. On the Anti-Theft card, click Settings.

    The Anti-Theft window opens.

  5. Select the length of the one-time device passcode in the corresponding drop-down list. By default, the passcode is 4 digits long.
  6. If you want to contact the person who finds the mobile device, in the Text displayed on locked device field, enter the text of the message that will be shown on the lock screen.
  7. Click OK.
  8. Click Save to save the changes you have made.

The length of the one-time passcode is set to the selected value.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

[Topic 274765]

Configuring the device unlock password strength

To protect access to a user's mobile device, you should set a device unlock password.

This section contains information about how to configure password protection on Android and iOS devices.

In this section

Configuring a strong unlock password for an Android device

Configuring a strong unlock password for an iOS MDM device

[Topic 274768]

Configuring a strong unlock password for an Android device


To keep an Android device secure, you need to configure the use of a password that the user is prompted to enter when unlocking the device.

You can impose restrictions on the user's activity on the device if the unlock password is weak (for example, by locking the device). You can impose restrictions using the Compliance Control component. To do this, in the scan rule settings, you must select the Unlock password doesn't comply with security requirements criterion.

On certain Samsung devices running Android 7 or later, when the user attempts to configure unsupported methods for unlocking the device (for example, a graphical password), the device may be locked if the following conditions are met: removal protection is enabled for Kaspersky Endpoint Security for Android and strength requirements are set for the screen unlock password. To unlock the device, you must send a special command to the device.

Configuring unlock password settings

To configure the use of an unlock password:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Security controls section.
  4. On the Screen unlock settings card, click Settings.

    The Screen unlock settings window opens.

  5. Enable the settings using the Screen unlock settings toggle switch, if you want the app to check whether an unlock password has been set.

    The toggle switch in this card does not enable or disable the corresponding functionality on devices. Enabling the toggle switch lets you configure custom settings. Disabling the toggle switch lets you use default settings.

    If the app detects that no system password has been set on the device, it prompts the user to set one. The password is set according to the parameters defined by the administrator.

  6. Specify the following options, if required:
    • Minimum password length

      The minimum number of characters in the user password. Possible values: 4 to 16 characters.

      The user's password is 4 characters long by default.

      The following applies only to the user's personal space and the corporate container:

      • In the user's personal space, Kaspersky Endpoint Security converts the password strength requirements into one of the values available in the system: medium or high on devices running Android 10 or later.
      • In the corporate container, Kaspersky Endpoint Security converts the password strength requirements into one of the values available in the system: medium or high on devices running Android 12 or later.

      The values are determined using the following rules:

      • If the required password length is 1 to 4 characters, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN) with no repeating or ordered sequences (e.g. 1234), or alphabetic/alphanumeric. The PIN or password must be at least 4 characters long.
      • If the required password length is 5 or more characters, then the app prompts the user to set a high-strength password. It must be either numeric (PIN) with no repeating or ordered sequences, or alphabetic/alphanumeric (password). A PIN must be at least 8 digits long. A password must be at least 6 characters long.
    • Minimum password complexity requirements

      Specifies the minimum unlock password requirements. These requirements apply only to new user passwords. The following values are available:

      • Numeric

        The user can set a password that includes numbers or set any stronger password (for instance, an alphabetic or alphanumeric password).

        This option is selected by default.

      • Alphabetic

        The user can set a password that includes letters (or other non-number symbols) or set any stronger password (for instance, an alphanumeric password).

      • Alphanumeric

        The user can set a password that includes both numbers and letters (or other non-number symbols) or set any stronger complex password.

      • No requirements

        The user can set any password.

      • Complex

        The user must set a complex password according to the specified password properties:

        • Minimum number of letters
        • Minimum number of digits
        • Minimum number of special characters
        • Minimum number of lowercase letters
        • Minimum number of uppercase letters
        • Minimum number of non-alphabetic characters
      • Complex numeric

        The user can set a password that includes numbers with no repetitions (e.g. 4444) and no ordered sequences (e.g. 1234, 4321, 2468) or set any stronger complex password.

    • Maximum password lifetime (days)

      Specifies the number of days before the password expires. Applying a new value will set the current password lifetime to the new value.

      The default value is 0. This means that the password won't expire.

    • Number of days to send a notification before a required password change

      Specifies the number of days to notify the user before the password expires.

      The default value is 0. This means that the user won't be notified about an expiring password.

    • Number of recent passwords that cannot be set as a new password

      Specifies the maximum number of previous user passwords that can't be used as a new password. This setting applies only when the user sets a new password on the device.

      The default value is 0. This means that the new user password can match any previous password except the current one.

    • Period of inactivity before the screen locks (sec)

      Specifies the period of inactivity before the device locks.

      The default value is 0. This means that the device won't lock after a certain period.

    • Period after biometric unlock before password must be entered (min)

      Specifies the period for unlocking the device without a password. During this period, the user can use biometric methods to unlock the screen. After this period, the user can unlock the screen only with a password.

      The default value is 0. This means that the user won't be forced to unlock the device with a password after a certain period.

    • Allow biometric unlock methods

      If the check box is selected, the use of biometric unlock methods on the mobile device is allowed.

      If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of biometric methods to unlock the screen. The user can unlock the screen only with a password.

      This check box is selected by default.

    • Allow fingerprint unlock

      Specifies whether fingerprints can be used to unlock the screen.

      This check box does not restrict the use of a fingerprint scanner when signing in to apps or confirming purchases.

      If the check box is selected, the use of fingerprints on the mobile device is allowed.

      If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of fingerprints to unlock the screen. The user can unlock the screen only with a password. In the device settings, the option to use fingerprints will be unavailable.

      This check box is available only if the Allow biometric unlock methods check box is selected.

      This check box is selected by default.

      On some Xiaomi devices with a corporate container, the corporate container may be unlocked by a fingerprint only if you set the Period of inactivity before corporate container is locked (sec) value after setting a fingerprint as the screen unlock method.

    • Allow face unlock

      If the check box is selected, the use of face scanning is allowed on the mobile device.

      If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of face scanning to unlock the screen.

      This check box is available only if the Allow biometric unlock methods check box is selected.

      This check box is selected by default.

    • Allow iris scanning

      If the check box is selected, the use of iris scanning is allowed on the mobile device.

      If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of iris scanning to unlock the screen.

      This check box is available only if the Allow biometric unlock methods check box is selected.

      This check box is selected by default.

    • Reset to factory settings after failed attempts to enter password

      Allows limiting the number of attempts to enter the screen unlock password.

      If the check box is selected, the app wipes all device data if the user fails to enter the correct password after the specified number of attempts.

      If the check box is cleared, the number of attempts is not limited.

      The check box is cleared by default.

    • Maximum number of failed password attempts

      Specifies the number of password entry attempts that the user can make to unlock the device. The default value is 8. The maximum available value is 20.

      The field is available if the Reset to factory settings after failed attempts to enter password check box is selected.

    • Set new password

      This option lets you set the password on the user corporate device.

      Click this button to open the New screen unlock password window and enter a new password.

      The complexity of the entered password must comply with requirements configured earlier in the Screen unlock settings card of the policy.

      Once you save the policy, this option applies to the device by sending a command with the specified password. The input is cleared and the specified password is not saved in Administration Console.

      • If the device is not protected with the password or is running Android 10 or earlier, Kaspersky Endpoint Security for Android sets the password immediately.
      • If the device is protected with the password or is running Android 11 or later, Kaspersky Endpoint Security for Android prompts the user to apply the new password.

      If you leave this option empty, no changes are applied to the device.

  7. Click OK.
  8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Setting a new unlock password

To set a new password on a user's corporate device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Restrictions section.
  4. On the New screen unlock password card, click Settings.

    The New screen unlock password window opens.

  5. Enable the settings using the New screen unlock password toggle switch.
  6. Enter a new password that will be used to unlock the user's mobile device. This password must comply with current screen unlock password settings.
  7. If you want to edit the current unlock password settings, click the Configure screen unlock settings button.

    In the Screen unlock settings window that opens, configure screen unlock password settings, if required.

  8. Click OK.

    If the device is not protected with a password or is running Android 10 or earlier, Kaspersky Endpoint Security for Android sets the password immediately. If the device is protected with the password or is running Android 11 or later, Kaspersky Endpoint Security for Android prompts the user to apply the new password.

  9. Click Save to save the changes you have made.

The new password is set on the user's mobile device. Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Setting a PIN code on HUAWEI devices

Some HUAWEI devices display a message stating that the screen unlock method is too simple.

To set an acceptable PIN code on a HUAWEI device, the user must do the following:

  1. In the message about the issue, tap the Edit button.
  2. Enter the current PIN code.
  3. In the Set new password window, tap the Change unlock method button.
  4. Select the Custom PIN unlock method.
  5. Set the new PIN code.

    The PIN code must be compliant with policy requirements.

An acceptable PIN code is set on the device.


Configuring a strong unlock password for an iOS MDM device

These settings apply to supervised devices and devices operating in basic control mode.

To protect iOS MDM device data, configure the unlock password strength settings.

By default, the user can use a simple password. A simple password is a password that contains sequential or repeated characters such as "abcd" or "2222". The user is not required to enter an alphanumeric password that includes special symbols. By default, the password validity period and the number of password entry attempts are not limited.

To configure the unlock password strength settings for an iOS MDM device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Security controls section.
  4. On the Screen unlock settings card, click Settings.

    The Screen unlock settings window opens.

  5. Enable the settings using the Screen unlock settings toggle switch.

    The toggle switch in this card does not enable or disable the corresponding functionality on devices. Enabling the toggle switch lets you configure custom settings. Disabling the toggle switch lets you use default settings.

  6. Configure the unlock password strength settings:
    • To allow the user to use a simple password, select the Allow simple password check box. Even if this check box is cleared, the user can set a password with fewer than 6 characters.

      If only the Allow simple password check box is selected, no password will be requested. To prompt the user to set a password, select both the Allow simple password check box and the Force use of password check box.

    • To require use of both letters and numbers in the password, select the Prompt for alphanumeric value check box.
    • To require use of a password, select the Force use of password check box. If the check box is cleared, the mobile device can be used without a password.

      If the Prompt for alphanumeric value, Minimum password length, or Minimum number of special characters options are enabled, a password is requested even if the Force use of password check box is cleared.

    • In the Minimum password length list, select the minimum password length in characters.
    • In the Minimum number of special characters list, select the minimum number of special characters in the password (such as "$", "&", "!").

      On some iOS MDM devices, if the Minimum number of special characters value is specified and the Allow simple password check box is selected, the device displays information about setting a password of 6 or more characters even though it is possible to set a password of 4 or more characters.

    • In the Maximum password lifetime (days) field, specify the period of time in days during which the password will stay current. When this period expires, the iOS MDM Server prompts the user to change the password.
    • In the Auto-Lock list, select the amount of time after which Auto-Lock should be enabled on the iOS MDM device. If the mobile device remains idle for this time period, it switches to sleep mode.

      On different iOS MDM devices, the actual time of the device's automatic locking may differ from the value that you have specified:

      • On iPhone devices: if you set Auto-Lock to 10 or 15 minutes, the device will be locked in 5 minutes.
      • On iPad devices: if you set Auto-Lock to 1 – 4 minutes, the device will be locked in 2 minutes.
      • For other values, the actual time of the device's automatic locking matches the specified time.

    • In the Reuse of previous passwords field, specify the number of used passwords (including the current password) that the iOS MDM Server will compare with the new password when the user changes the current password. If the passwords match, the new password is rejected.
    • In the Maximum time for unlock without password list, select the amount of time during which the user can unlock the iOS MDM device without entering the password.
    • In the Maximum number of failed password attempts list, select the number of attempts that the user can make to enter the unlock password on the iOS MDM device.
  7. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, the iOS MDM Server checks the strength of the password set on the user's mobile device. If the strength of the device unlock password does not comply with the policy, the user is prompted to change the password.
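The Android screen unlock settings above (password history, wipe after failed attempts) and the iOS rules in this section (simple passwords, alphanumeric and special-character requirements, reuse of previous passwords) describe the same kind of policy with slightly different counting rules: Android counts previous passwords and always excludes the current one, while the iOS count includes the current password. The following Python script is an added example written for this page, not code from Kaspersky or from the product; it models those rules so the two history semantics can be compared side by side. The class and field names, the use of string.punctuation as the set of special characters, and the reading of a "simple password" as a whole-password run of repeated or sequential characters are this example's own assumptions.

```python
"""Passcode policy evaluator (added example, not Kaspersky code).

Models the screen unlock rules this page describes for Android (password
history, wipe after failed attempts) and for iOS MDM devices (simple
passwords, alphanumeric and special-character rules, reuse of previous
passwords). Field names are this example's own, not product settings.
"""
import hashlib
import os
import string
from dataclasses import dataclass, field
from typing import List, Tuple

SPECIAL_CHARS = set(string.punctuation)  # assumed meaning of "special characters"


@dataclass
class PasscodePolicy:
    force_password: bool = False        # iOS "Force use of password"
    allow_simple: bool = True           # iOS "Allow simple password"
    require_alphanumeric: bool = False  # iOS "Prompt for alphanumeric value"
    min_length: int = 0                 # 0 = no minimum
    min_special: int = 0                # iOS "Minimum number of special characters"
    history_count: int = 0              # Android: previous passwords blocked; iOS: passwords compared
    history_includes_current: bool = False  # False = Android semantics, True = iOS semantics
    max_failed_attempts: int = 8        # Android default 8, maximum 20
    wipe_on_limit: bool = False         # Android "Reset to factory settings after failed attempts"


def password_required(p: PasscodePolicy) -> bool:
    """iOS rule from the page: a password is requested when Force use of password is set,
    or when the alphanumeric, minimum length or special-character rules are enabled."""
    return p.force_password or p.require_alphanumeric or p.min_length > 0 or p.min_special > 0


def is_simple(pw: str) -> bool:
    """Repeated or sequential characters ("2222", "abcd"): every step between neighbouring
    characters is the same 0, +1 or -1 code-point difference (this example's reading)."""
    if len(pw) < 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(steps) == 1 and steps.pop() in (-1, 0, 1)


def check_password(pw: str, p: PasscodePolicy) -> List[str]:
    """Return the policy violations of a candidate password; an empty list means it complies."""
    problems = []
    if p.min_length and len(pw) < p.min_length:
        problems.append(f"shorter than {p.min_length} characters")
    if not p.allow_simple and is_simple(pw):
        problems.append("simple (repeated or sequential characters)")
    if p.require_alphanumeric and not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("must contain both letters and digits")
    specials = sum(c in SPECIAL_CHARS for c in pw)
    if specials < p.min_special:
        problems.append(f"needs {p.min_special} special characters, has {specials}")
    return problems


def _hash(pw: str, salt: bytes) -> bytes:
    # Slow salted hash so that only digests of old passwords are retained.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class PasswordHistory:
    """Salted hashes of the current and previous passwords, newest first (index 0 = current)."""
    entries: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def set_password(self, pw: str) -> None:
        salt = os.urandom(16)
        self.entries.insert(0, (salt, _hash(pw, salt)))

    def reuse_rejected(self, candidate: str, p: PasscodePolicy) -> bool:
        # Android counts previous passwords and always excludes the current one (count 0
        # still rejects the current password); iOS counts the current password as well.
        compared = p.history_count if p.history_includes_current else p.history_count + 1
        return any(_hash(candidate, salt) == digest for salt, digest in self.entries[:compared])


@dataclass
class LockState:
    failed_attempts: int = 0
    wiped: bool = False


def record_failed_attempt(state: LockState, p: PasscodePolicy) -> LockState:
    """Count a wrong password; wipe once the limit is reached if the policy says so."""
    state.failed_attempts += 1
    if p.wipe_on_limit and state.failed_attempts >= p.max_failed_attempts:
        state.wiped = True
    return state


if __name__ == "__main__":
    ios = PasscodePolicy(allow_simple=False, require_alphanumeric=True, min_length=6, min_special=1)
    print(check_password("2222", ios))        # four violations
    print(check_password("Corp-2024x", ios))  # []
```

Running the script prints the four violations of "2222" under an iOS-style policy and an empty list for a compliant password. A real device keeps its password history under a device-bound slow hash; PBKDF2 with a per-entry salt stands in for that here, and the `password_required()` helper reproduces the page's rule that alphanumeric, length or special-character requirements request a password even when Force use of password is cleared.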


Configuring a virtual private network (VPN)

This section contains information on configuring virtual private network (VPN) settings for secure connection to Wi-Fi networks.

In this section

Configuring VPN on Android devices (only Samsung)

Configuring VPN on iOS MDM devices

Configuring Per App VPN on iOS MDM devices


Configuring VPN on Android devices (only Samsung)

To securely connect an Android device to the internet and protect data transfer, you can configure VPN (Virtual Private Network) settings.

Configuration of VPN is possible only for Samsung devices running Android 11 or earlier.

The following requirements must be considered when using a virtual private network:

  • The app that uses the VPN connection must be allowed in the Firewall settings.
  • VPN settings configured in the policy cannot be applied to system apps. The VPN connection for system apps has to be configured manually.
  • Some apps that use a VPN connection need to have additional settings configured at first startup. To configure settings, a VPN connection has to be allowed in app settings.

To configure VPN on a user's mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Samsung Knox settings section.
  4. On the VPN card, click Settings.

    The VPN window opens.

  5. Enable the settings using the VPN toggle switch.
  6. Specify the following VPN settings:
    • Settings in the Network section:
      • In the Network name field, enter the name of the VPN tunnel.
      • In the Protocol drop-down list, select the VPN connection type:
        • IPSec Xauth PSK. A tunneling protocol of the "gateway-to-gateway" type that lets the mobile device user establish a secure connection with the VPN server using extended authentication (XAUTH).
        • L2TP IPSec PSK. A tunneling protocol of the "gateway-to-gateway" type that lets the mobile device user establish a secure connection with the VPN server via the IKE protocol using a preset key. This protocol is selected by default.
        • PPTP. A "point-to-point" tunneling protocol that lets the mobile device user establish a secure connection to the VPN server by creating a special tunnel on a standard unsecured network.
      • In the Server address field, enter the network name or IP address of the VPN server.
    • Settings in the Protocol settings section:
      • In the DNS search domain(s) list, enter the DNS search domain to be automatically added to the DNS server name.

        You can specify several DNS search domains, separating them with blank spaces.

      • In the DNS server(s) field, enter the full domain name or IP address of the DNS server.

        You can specify several DNS servers, separating them with blank spaces.

      • In the Routing field, enter the range of network IP addresses with which data is exchanged via the VPN connection.

        If a range of IP addresses is not specified in the Routing field, all internet traffic will pass through the VPN connection.

  7. Additionally, configure the following settings:
    • For the IPSec Xauth PSK and L2TP IPSec PSK protocols:
      • In the IPSec shared key field, enter the password for the preset IPSec security key.
      • In the IPSec ID field, enter the name of the mobile device user.
    • For the L2TP IPSec PSK protocol, specify the password for the L2TP key in the L2TP key field.
    • For the PPTP network, select the Use SSL connection check box so that the app will use the MPPE (Microsoft Point-to-Point Encryption) method of data encryption to secure data transmission when the mobile device connects to the VPN server.
  8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.


Configuring VPN on iOS MDM devices


These settings apply to supervised devices and devices operating in basic control mode.

To connect an iOS MDM device to a virtual private network (VPN) and protect data while connected to the VPN, configure the VPN connection settings. The IKEv2 and IPSec VPN protocols also let you set up a Per App VPN connection.

To configure a VPN connection on a user's iOS MDM device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the VPN card, click Settings.

    The VPN window opens.

  5. Enable the settings using the VPN toggle switch.
  6. Click Add.

    The Add VPN configuration window opens.

  7. On the General tab, in the Network section, configure the following settings:
    1. In the Network name field, enter the name of the VPN tunnel.
    2. In the Protocol drop-down list, select the type of the VPN connection.
      • L2TP (Layer 2 Tunneling Protocol). The connection supports authentication of the iOS MDM device user using MS-CHAP v2 passwords, two-factor authentication, and automatic authentication using a public key.
      • IKEv2 (Internet Key Exchange version 2). The connection establishes the Security Association (SA) attribute between two network entities and supports authentication using EAP (Extensible Authentication Protocols), shared secrets, and certificates.
      • IPSec. The connection supports password-based user authentication, two-factor authentication, and automatic authentication using a public key and certificates.
      • Cisco AnyConnect. The connection supports the Cisco Adaptive Security Appliance (ASA) firewall version 8.0(3).1 or later. To configure a VPN connection, install the Cisco AnyConnect app from the App Store on the iOS MDM device.
      • Juniper SSL. The connection supports the Juniper Networks SSL VPN gateway, Series SA, version 6.4 or later with the Juniper Networks IVE package version 7.0 or later. To configure a VPN connection, install the JUNOS app from the App Store on the iOS MDM device.
      • F5 SSL. The connection supports the F5 BIG-IP Edge Gateway, Access Policy Manager, and Fire SSL VPN solutions. To configure a VPN connection, install the F5 BIG-IP Edge Client app from the App Store on the iOS MDM device.
      • SonicWALL Mobile Connect. The connection supports SonicWALL Aventail E-Class Secure Remote Access devices version 10.5.4 or later, SonicWALL SRA devices version 5.5 or later, as well as SonicWALL Next-Generation Firewall devices, including TZ, NSA, and E-Class NSA with SonicOS version 5.8.1.0 or later. To configure a VPN connection, install the SonicWALL Mobile Connect app from the App Store on the iOS MDM device.
      • Aruba VIA. The connection supports Aruba Networks mobile access controllers. To configure them, install the Aruba Networks VIA app from the App Store on the iOS MDM device.
      • Custom SSL. The connection supports authentication of the iOS MDM device user using passwords and certificates and two-factor authentication.
    3. In the Server address field, enter the network name or IP address of the VPN server.
  8. Configure the settings for the VPN connection according to the selected type of virtual private network.
    • L2TP
      • Settings in the Authentication section:
        • Authentication type

          Two-factor authentication of an iOS MDM device user using an RSA SecurID token or password-based authentication.

        • Account name

          The account name for authorization on the VPN server.

        • Password

          The password of the account for authentication on the virtual private network.

        • Authentication method

          The method of authenticating iOS MDM device users on the virtual private network.

        • Shared secret

          Password for a preset IPSec security key for the L2TP and IPSec (Cisco) protocols.

        • Authentication certificate

          The certificate used for user authentication.

      • Settings in the Other section:
        • Send all traffic via VPN

          Transmission of all outbound traffic via the VPN connection even if a different network service is used (for example, AirPort or Ethernet).

          If the check box is selected, all traffic is sent via the VPN connection.

          If the check box is cleared, outbound traffic is transmitted without requiring the use of the VPN connection.

          This check box is cleared by default.

    • IPSec
      • Settings in the Authentication section:
        • Authentication method

          The method of authenticating iOS MDM device users on the virtual private network.

        • Account name

          The account name for authorization on the VPN server.

        • Password

          The password of the account for authentication on the virtual private network.

        • Shared secret

          Password for a preset IPSec security key for the L2TP and IPSec (Cisco) protocols.

        • Group name

          Name of the group of iOS MDM devices that connect to the VPN via L2TP and IPSec (Cisco) protocols. If the Use hybrid authentication check box is selected, the group name must end with "[hybrid]" (for example: "mycompany [hybrid]").

        • Use hybrid authentication

          Use of hybrid authentication when the user connects to a VPN. The VPN server uses a certificate for authentication, and the iOS MDM device user enters a public key for authentication via the IPSec (Cisco) protocol.

          If the check box is selected, hybrid authentication is used when the user connects to a VPN.

          If the check box is cleared, the hybrid authentication is not used.

          This check box is cleared by default.

        • Authentication certificate

          The certificate used for user authentication.

      • Settings in the Domains section:
      • Settings in the Other section:
        • Prompt for PIN

          The application checks whether the system password is set when the mobile device is turned on.

          If the check box is selected, Kaspersky Mobile Devices Protection and Management checks if the system password is set on the device. If no system password is set on the device, the user has to set it. The password should be set in accordance with the settings configured by the administrator.

          If the check box is cleared, Kaspersky Mobile Devices Protection and Management does not require a system password.

          This check box is cleared by default.

    • IKEv2
      • Settings in the Network section:
        • Dead peer detection interval

          The frequency at which the IKEv2 VPN client should run the Dead Peer Detection (DPD) algorithm. The following values are available:

          • Not selected. Do not run DPD.
          • Low. Run DPD every 30 minutes.
          • Medium. Run DPD every 10 minutes.
          • High. Run DPD every 1 minute.

          The default value is set to Medium.

      • Settings in the Authentication section:
        • Authentication method

          The method of authenticating iOS MDM device users on the virtual private network.

        • Local identifier

          The identifier of the IKEv2 VPN client (iOS MDM device).

        • Remote identifier

          The identifier of the IKEv2 VPN server.

        • Shared secret

          The shared secret used for IKEv2 VPN authentication.

        • Common Name (CN) of server certificate

          This name is used to validate the certificate sent by the IKEv2 VPN server. If this option is not set, the certificate is validated using the remote identifier.

        • Common Name (CN) of server certificate publisher

          If this option is set, IKEv2 sends a certificate request based on this certificate issuer to the server.

        • Authentication certificate

          The certificate used for user authentication.

        • EAP authentication

          The type of EAP authentication used for the VPN IKEv2 connection. The following values are available:

          • Credentials
          • Certificate

          The default value is Credentials.

        • Account name

          The account name for authorization on the VPN server.

        • Password

          The password of the account for authentication on the virtual private network.

        • Minimum TLS version

          The minimum TLS version used for EAP authentication. The following values are available:

          • TLS 1.0
          • TLS 1.1
          • TLS 1.2

          The default value is TLS 1.0.

        • Maximum TLS version

          The maximum TLS version used for EAP authentication. The following values are available:

          • TLS 1.0
          • TLS 1.1
          • TLS 1.2

          The default value is TLS 1.2.

      • Settings in the Security association section:
        • SA parameters

          Determines the object in which the parameters are sent. Possible values:

          • IKEv2
          • Child

          The default value is IKEv2.

        • Encryption algorithm

          Determines the encryption algorithm used for the connection. Possible values:

          • DES
          • 3DES
          • AES-128
          • AES-256
          • AES-128-GCM
          • AES-256-GCM
          • ChaCha20Poly1305

          The default value is AES-256.

        • Integrity algorithm

          Determines the integrity algorithm used for the connection. Possible values:

          • SHA1-96
          • SHA1-160
          • SHA2-256
          • SHA2-384
          • SHA2-512

          The default value is SHA2-256.

        • Diffie-Hellman group

          Determines the Diffie-Hellman group used when setting up the VPN tunnel.

          The default value is 14.

        • SA Lifetime (min)

          The rekey interval in minutes.

      • Settings in the Other section:
        • Disable redirect

          Specifies whether IKEv2 VPN server redirects are disabled.

          If the check box is selected, the IKEv2 VPN connection is not redirected.

          If the check box is cleared, the IKEv2 VPN connection is redirected if a redirect request is received from the server.

          This check box is cleared by default.

        • Disable Mobility and Multi-homing Protocol

          Specifies whether Mobility and Multi-homing Protocol (MOBIKE) is disabled for the IKEv2 VPN connection.

          If the check box is selected, MOBIKE is disabled.

          If the check box is cleared, MOBIKE is enabled.

          This check box is cleared by default.

        • Use internal IPv4 and IPv6 subnet attributes

          Specifies whether the IKEv2 VPN client should use the INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET configuration attributes sent by the IKEv2 VPN server.

          If the check box is selected, INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET attributes are used.

          If the check box is cleared, INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET attributes are not used.

          This check box is cleared by default.

        • Enable a tunnel over cellular data

          Specifies whether fallback is enabled.

          If the check box is selected, the device enables a tunnel over cellular data to carry traffic that is eligible for Wi-Fi Assist and also requires a VPN.

          If the check box is cleared, fallback is disabled.

          This check box is cleared by default.

        • Enable Perfect Forward Secrecy

          Specifies whether Perfect Forward Secrecy (PFS) is enabled for the IKEv2 VPN connection.

          If the check box is selected, PFS is enabled.

          If the check box is cleared, PFS is disabled.

          This check box is cleared by default.

    • Cisco AnyConnect
    • Juniper SSL
      • Settings in the Network section:
      • Settings in the Authentication section:
        • Authentication method

          The method of authenticating iOS MDM device users on the virtual private network.

        • Account name

          The account name for authorization on the VPN server.

        • Password

          The password of the account for authentication on the virtual private network.

        • Scope

          Name of the network that includes VPN servers and iOS MDM devices for the VPN connection established using Juniper SSL.

        • Role

          Name of the user role that grants the user access to resources using Juniper SSL. A role can combine several users performing similar functions.

        • Authentication certificate

          The certificate used for user authentication.

      • Settings in the Domains section:
      • Settings in the Other section:
        • Send all traffic via VPN

          Routes all traffic via the VPN.

        • Exclude local traffic

          Excludes local traffic from traffic routed via the VPN connection.

          This check box is available if the Send all traffic via VPN check box is selected.

    • F5 SSL
    • SonicWALL Mobile Connect
    • Aruba VIA
    • Custom SSL
      • Settings in the Network section:
      • Settings in the Configuration data section:
        • Key

          Contains a key with additional settings for the Custom SSL connection.

        • Value

          Contains a value with additional settings for the Custom SSL connection.

      • Settings in the Authentication section:
        • Authentication method

          The method of authenticating iOS MDM device users on the virtual private network.

        • Account name

          The account name for authorization on the VPN server.

        • Password

          The password of the account for authentication on the virtual private network.

        • Authentication certificate

          The certificate used for user authentication.

        • Bundle ID

          If the custom VPN configuration targets a VPN solution that uses a network extension provider, then this field contains the bundle identifier of the app that contains the provider. Contact the VPN solution vendor for the value of the identifier.

      • Settings in the Domains section:
  9. If necessary, on the Advanced tab, in the Proxy server section, configure the settings of the VPN connection via a proxy server:
    1. Select the Use a proxy server check box.
    2. Configure a connection to a proxy server:
      1. If you want to configure the connection automatically:
        • Select Automatic.
        • In the PAC file URL field, specify the URL of the proxy PAC file.
        • To allow the user to connect the mobile device to a wireless network without using a proxy server when the PAC file cannot be accessed, select the Allow direct connection if PAC file cannot be accessed check box.
      2. If you want to configure the connection manually:
        • Select Manual.
        • In the Proxy server address and Proxy server port fields, enter the IP address or DNS name of the proxy server and the port number.
        • In the User name field, select a macro that will be used as a user name for the connection to the proxy server.
      3. In the Password field, specify the password for the connection to the proxy server.
  10. For IKEv2 and IPSec connections, if necessary, set up Per App VPN functionality for supported system apps (Mail, Calendar, Contacts, and Safari).
  11. Click Add.

    The new VPN is displayed in the list.

    You can modify or delete a VPN configuration in the list using the Edit and Delete buttons at the top of the list.

  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, the VPN connection will be configured on the user's iOS MDM device.
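The Samsung Knox VPN protocol choice earlier on this page (IPSec Xauth PSK, L2TP IPSec PSK, PPTP) and the IKEv2 Security association, TLS, Perfect Forward Secrecy and dead peer detection options in this section each carry a weak option, and in some cases a weak default, that an administrator should review before the policy ships. The following Python script is an added example written for this page, not Kaspersky code: it takes the options keyed by the labels used above, reports weak choices, and produces a hardened copy. The option lists and defaults are taken from the page; the finding texts, the "group 14 or higher" threshold and the choice of replacement values are this example's own.

```python
"""VPN profile review (added example, not Kaspersky code).

review_ikev2() inspects the iOS IKEv2 options listed on this page, keyed by
the page's own labels, and reports weak choices; harden_ikev2() returns a
corrected copy. review_samsung_protocol() does the same for the Samsung
Knox protocol choice. Finding texts and thresholds are this example's own.
"""
from typing import Any, Dict, List

# Option lists and defaults as given on the page.
TLS_ORDER = ["TLS 1.0", "TLS 1.1", "TLS 1.2"]
DPD_MINUTES = {"Not selected": None, "Low": 30, "Medium": 10, "High": 1}
WEAK_ENCRYPTION = {"DES", "3DES"}         # 64-bit block ciphers
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}  # SHA-1 based
PAGE_DEFAULTS: Dict[str, Any] = {
    "Encryption algorithm": "AES-256",
    "Integrity algorithm": "SHA2-256",
    "Diffie-Hellman group": 14,
    "Minimum TLS version": "TLS 1.0",
    "Maximum TLS version": "TLS 1.2",
    "Enable Perfect Forward Secrecy": False,
    "Dead peer detection interval": "Medium",
}


def review_ikev2(cfg: Dict[str, Any]) -> List[str]:
    """Return findings for an IKEv2 configuration; unset options take the page defaults."""
    c = {**PAGE_DEFAULTS, **cfg}
    findings: List[str] = []
    enc, integ = c["Encryption algorithm"], c["Integrity algorithm"]
    if enc in WEAK_ENCRYPTION:
        findings.append(f"Encryption algorithm {enc}: 64-bit block cipher; use AES-256 or an AES-GCM/ChaCha20Poly1305 AEAD")
    if integ in WEAK_INTEGRITY:
        findings.append(f"Integrity algorithm {integ}: SHA-1 based; use SHA2-256 or stronger")
    group = int(c["Diffie-Hellman group"])
    if group < 14:
        findings.append(f"Diffie-Hellman group {group}: weaker than the 2048-bit MODP group 14")
    lo, hi = c["Minimum TLS version"], c["Maximum TLS version"]
    if TLS_ORDER.index(lo) > TLS_ORDER.index(hi):
        findings.append("Minimum TLS version is above Maximum TLS version: EAP authentication cannot negotiate")
    elif lo != "TLS 1.2":
        findings.append(f"Minimum TLS version {lo}: TLS 1.0 and 1.1 are deprecated; set TLS 1.2")
    if not c["Enable Perfect Forward Secrecy"]:
        findings.append("Perfect Forward Secrecy off (the page default): a later key compromise exposes recorded sessions")
    if DPD_MINUTES.get(c["Dead peer detection interval"]) is None:
        findings.append("Dead peer detection not run: a silently dead tunnel goes unnoticed")
    return findings


def harden_ikev2(cfg: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the configuration with every finding from review_ikev2() resolved."""
    c = {**PAGE_DEFAULTS, **cfg}
    if c["Encryption algorithm"] in WEAK_ENCRYPTION:
        c["Encryption algorithm"] = "AES-256-GCM"
    if c["Integrity algorithm"] in WEAK_INTEGRITY:
        c["Integrity algorithm"] = "SHA2-256"
    c["Diffie-Hellman group"] = max(int(c["Diffie-Hellman group"]), 14)
    c["Minimum TLS version"] = c["Maximum TLS version"] = "TLS 1.2"
    c["Enable Perfect Forward Secrecy"] = True
    if DPD_MINUTES.get(c["Dead peer detection interval"]) is None:
        c["Dead peer detection interval"] = "Medium"
    return c


def review_samsung_protocol(protocol: str) -> List[str]:
    """Samsung Knox protocol options on the page: IPSec Xauth PSK, L2TP IPSec PSK (default), PPTP."""
    if protocol == "PPTP":
        return ["PPTP: MS-CHAP v2 authentication and MPPE (RC4) encryption are considered broken; use an IPSec protocol"]
    if protocol in ("IPSec Xauth PSK", "L2TP IPSec PSK"):
        return ["Pre-shared key: tunnel security rests on the IPSec shared key; use a long random key and rotate it"]
    return [f"Unknown protocol {protocol!r}"]


if __name__ == "__main__":
    weak = {"Encryption algorithm": "3DES", "Integrity algorithm": "SHA1-96",
            "Diffie-Hellman group": 2, "Dead peer detection interval": "Not selected"}
    for finding in review_ikev2(weak):
        print("-", finding)
    print(review_ikev2(harden_ikev2(weak)))  # []
```

Note that an empty configuration, that is, the page defaults alone, already yields two findings (Minimum TLS version TLS 1.0 and Perfect Forward Secrecy cleared), which is the point of reviewing the policy rather than accepting the defaults. The TLS check also catches the configuration error of a minimum above the maximum, which the console does not prevent you from saving.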


Configuring Per App VPN on iOS MDM devices

These settings apply to supervised devices and devices operating in basic control mode.

The Per App VPN functionality allows a device to establish a VPN connection when supported system apps are launched. This functionality is available for IKEv2 and IPSec connections.

The following system apps support Per App VPN connections:

  • Mail
  • Calendar
  • Contacts
  • Safari
  • Messages

To enable the Per App VPN functionality:

  1. Perform the initial setup of the VPN connection.
  2. On the Advanced tab, in the Per App VPN section, select the Enable Per App VPN check box.
  3. Set up Per App VPN for supported system apps in the corresponding settings of the policy.

Mail

To specify the Per App VPN configuration for the Mail app:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Email card, click Settings.

    The Email window opens.

  5. Enable the settings using the Email toggle switch.
  6. Click Add.

    The Add email account window opens.

  7. Configure a mailbox.
  8. On the Advanced tab, in the Per App VPN section, select the Enable Per App VPN check box.
  9. Select a configuration from the Per App VPN configuration drop-down list.
  10. Click Save.
  11. Click OK.
  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, Per App VPN is configured for the Mail app.

Calendar

To specify the Per App VPN configuration for the Calendar app:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Calendar card, click Settings.

    The Calendar window opens.

  5. Enable the settings using the Calendar toggle switch.
  6. Click Add.

    The Add CalDAV account window opens.

  7. Add a calendar account.
  8. In the Per App VPN section, select the Enable Per App VPN check box.
  9. Select a configuration from the Per App VPN configuration drop-down list.
  10. Click Add.
  11. Click OK.
  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, Per App VPN is configured for the Calendar app.

Calendar subscriptions

A list of subscriptions to calendars of other CalDAV users, iCal calendars, and other published calendars.

To specify the Per App VPN configuration for calendar subscriptions:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Calendar subscriptions card, click Settings.

    The Calendar subscriptions window opens.

  5. Enable the settings using the Calendar subscriptions toggle switch.
  6. Click Add.

    The Add calendar subscription window opens.

  7. Add a calendar subscription.
  8. In the Per App VPN section, select the Enable Per App VPN check box.
  9. Select a configuration from the Per App VPN configuration drop-down list.
  10. Click Add.
  11. Click OK.
  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, Per App VPN is configured for calendar subscriptions.

Contacts

To specify the Per App VPN configuration for the Contacts app:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Contacts card, click Settings.

    The Contacts window opens.

  5. Enable the settings using the Contacts toggle switch.
  6. Click Add.

    The Add CardDAV account window opens.

  7. Add a contacts account.
  8. In the Per App VPN section, select the Enable Per App VPN check box.
  9. Select a configuration from the Per App VPN configuration drop-down list.
  10. Click Add.
  11. Click OK.
  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, Per App VPN is configured for the Contacts app.

Safari

To specify the Per App VPN configuration for Safari:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Per App VPN for Safari card, click Settings.

    The Per App VPN for Safari window opens.

  5. Enable the settings using the Per App VPN for Safari toggle switch.
  6. Click Add.

    The Add a website domain window opens.

  7. Select a configuration from the Per App VPN configuration drop-down list.
  8. In the Domain name field, specify the website domain that will trigger the VPN connection in Safari. The domain must be in the www.example.com format.
  9. Click Add.

    The new domain appears in the Safari website domains list.

    You can modify or delete Safari website domains in the list using the Edit and Delete buttons at the top of the list.

  10. Click OK.
  11. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, Per App VPN is configured for Safari website domains.

LDAP

An LDAP account provides access to corporate data and contacts in the standard iOS apps: Contacts, Messages, and Mail.

To specify the Per App VPN configuration for an LDAP account:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the LDAP card, click Settings.

    The LDAP window opens.

  5. Enable the settings using the LDAP toggle switch.
  6. Click Add.

    The Add LDAP account window opens.

  7. Add an LDAP account.
  8. In the Per App VPN section, select the Enable Per App VPN check box.
  9. Select a configuration from the Per App VPN configuration drop-down list.
  10. Click Add.
  11. Click OK.
  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, Per App VPN is configured for the LDAP account.

[Topic 274774]

Configuring Firewall on Android devices (only Samsung)

Configure Firewall settings to monitor network connections on the user's mobile device.

Firewall can be configured only for Samsung devices.

To configure Firewall on a user's mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Samsung Knox settings section.
  4. On the Firewall card, click Settings.

    The Firewall window opens.

  5. Enable the settings using the Firewall toggle switch.
  6. In the Internet access drop-down list, select the Firewall mode. Depending on its operating mode, Firewall monitors connections established by the user's mobile device:
    • If you want to allow inbound and outbound connections of all installed apps, select Allow for all apps. This mode is selected by default.
    • If you want to block all network activity except for several specified apps, select Allow for listed apps.
  7. If you selected Allow for listed apps as the Firewall mode, create a list of apps for which all network activity is allowed:
    1. In the Apps with internet access section, click Add.

      The Add app window opens.

    2. In the App name field, enter the name of the mobile app.
    3. In the Package name field, enter the system name of the mobile app package (for example, com.mobileapp.example).
    4. Click Add.

    The new app for which Firewall is disabled appears in the list.

    You can modify or delete mobile apps in the list using the Edit and Delete buttons at the top of the list.

  8. Click OK.
  9. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

[Topic 274775]

Protecting Kaspersky Endpoint Security for Android against removal

To protect mobile devices and comply with corporate security requirements, you can enable protection against removal of Kaspersky Endpoint Security for Android. In this case, the user cannot remove the app using the Kaspersky Endpoint Security for Android interface. When removing the app using Android operating system tools, you are prompted to disable administrator rights for Kaspersky Endpoint Security for Android. After disabling the rights, the mobile device will be locked.

On certain Samsung devices running Android 7 or later, when the user attempts to configure unsupported methods for unlocking the device (for example, a graphical password), the device may be locked if the following conditions are met: removal protection is enabled for Kaspersky Endpoint Security for Android and strength requirements are set for the screen unlock password. To unlock the device, you must send a special command to the device.

To protect the app from removal on devices running Android 7 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required permissions. The user can skip these steps or later disable these permissions in the device settings. If this is the case, the app is not protected from removal.

To enable protection against removal of Kaspersky Endpoint Security for Android:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the KES for Android settings section.
  4. On the Configure access to app settings card, click Settings.

    The Configure access to app settings window opens.

  5. Enable the settings using the Configure access to app settings toggle switch.

    The toggle switch in this card does not enable or disable the corresponding functionality on devices. Enabling the toggle switch lets you configure custom settings. Disabling the toggle switch lets you use default settings.

  6. Clear the Allow removing the app from device check box.
  7. Click OK.
  8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. If an attempt is made to remove the app, the mobile device will be locked.

[Topic 274776]

Detecting hacked devices

Kaspersky Security Center Web Console lets you detect hacked (rooted) Android devices and jailbreaking on iOS devices. System files are unprotected on a hacked device and can therefore be modified. If a hack attempt is detected, we recommend that you immediately restore normal operation of the device.

If a device is hacked, you receive a notification. You can view hacking notifications in Kaspersky Security Center Web Console in the Monitoring & reporting → Dashboard section. You can also disable notifications about hacks in the event notification settings.

On Android devices, you can impose restrictions on the user's activity if the device is hacked (for example, lock the device). You can impose restrictions using the Compliance Control component. To do this, create a compliance rule with the Device has been rooted criterion.

[Topic 274777]

Configuring a global HTTP proxy on iOS MDM devices

These settings apply to supervised devices.

To route the user's internet traffic, configure the iOS MDM device to connect to the internet through a proxy server.

Be careful when configuring these settings. If the settings are incorrect, devices may lose their internet connection and will not synchronize with the iOS MDM Server. If this happens, you will have to add the devices again.

To configure global HTTP proxy settings on the user's iOS MDM device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Global HTTP proxy card, click Settings.

    The Global HTTP proxy window opens.

  5. Enable the settings using the Global HTTP proxy toggle switch.
  6. Select the type of global HTTP proxy configuration:
    • To specify the proxy server connection settings manually:
      1. In the Setting type section, select Manual.
      2. In the Proxy server address and Proxy server port fields, enter the name of a host or the IP address of a proxy server and the number of the proxy server port.
      3. In the User name field, set the user account name for authorization on the proxy server.
      4. In the Password field, set the user account password for authorization on the proxy server.
      5. To allow the user to access captive networks, select the Allow access to captive networks without connecting to proxy check box.
    • To configure the proxy server connection settings using a predefined PAC (Proxy Auto Configuration) file:
      1. In the Setting type section, select Automatic.
      2. In the PAC file URL field, enter the web address of the PAC file (for example: http://www.example.com/filename.pac).
      3. To allow the user to connect the mobile device to a wireless network without using a proxy server when the PAC file cannot be accessed, select the Allow direct connection if PAC file cannot be accessed check box.
      4. To allow the user to access captive networks, select the Allow access to captive networks without connecting to proxy check box.
  7. Click OK.
  8. Click Save to save the changes you have made.

As a result, the mobile device user will connect to the internet via a proxy server after the policy is applied.

[Topic 274778]

Adding security certificates to iOS MDM devices

These settings apply to supervised devices and devices operating in basic control mode.

You can add certificates to iOS MDM devices to simplify user authentication and ensure data security. The data signed with a certificate is protected against modification while it is transferred over the network. Data encryption using a certificate provides an added level of security for the data. The certificate can also be used to verify user identity.

Kaspersky Mobile Devices Protection and Management supports the following certificate standards:

  • PKCS#1. Encryption with a public key based on RSA algorithms.
  • PKCS#12. Storage and transmission of a certificate and a private key.

To add a security certificate to iOS MDM devices:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Certificate management card, click Settings.

    The Certificate management window opens.

  5. Enable the settings using the Certificate management toggle switch.
  6. Click Upload and specify the path to the certificate.

    Files of PKCS#1 certificates have the CER, DER, or PEM extension. Files of PKCS#12 certificates have the P12 or PFX extension. The password for a PKCS#12 certificate must not be empty.

  7. Click Open.

    If the certificate is password-protected, enter the password. The new certificate appears in the list.

  8. Click OK.
  9. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, certificates are automatically installed on devices.

[Topic 274779]

Adding a SCEP profile to iOS MDM devices

These settings apply to supervised devices and devices operating in basic control mode.

You have to add a SCEP profile to enable the iOS MDM device user to automatically receive certificates from the Certification Center via the internet. The SCEP profile enables support of the Simple Certificate Enrollment Protocol.

A SCEP profile with the following settings is added by default:

  • The alternative subject name is not used for registering certificates.
  • Three attempts are made at 10-second intervals to poll the SCEP server. If all attempts to sign the certificate fail, you have to generate a new certificate signing request.
  • The received certificate cannot be used for data signing or encryption.

You can edit the specified settings when adding the SCEP profile.

To add a SCEP profile:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the SCEP card, click Settings.

    The SCEP window opens.

  5. Enable the settings using the SCEP toggle switch.
  6. Click Add.

    The Add SCEP profile window opens.

  7. In the SCEP Server section, specify the following SCEP server settings:
    • In the Configuration name field, specify the name of the Certification Center deployed on the SCEP server. The Certification Center supplies the user of an iOS MDM device with certificates using the Simple Certificate Enrollment Protocol (SCEP).
    • In the Server URL field, enter the web address of the SCEP server on which the Certification Center is deployed.

      The URL can contain the IP address or the full domain name (FQDN). For example, http://10.10.10.10/certserver/companyscep.

    • In the Maximum number of polling attempts field, specify the maximum number of attempts to poll the SCEP server to get the certificate signed. By default, the value is 3 attempts.

      If all attempts to sign the certificate fail, you have to generate a new certificate signing request.

    • In the Polling interval (sec) field, specify the number of seconds between attempts to poll the SCEP server to get the certificate signed. By default, the value is 10 seconds.
    • In the Static challenge phrase field, enter a pre-published registration key.

      Before signing a certificate, the SCEP server prompts the mobile device user to enter the key. If this field is left blank, the SCEP server does not request the key.

    • In the Method for uploading certificate thumbprint drop-down list, select how to add a certificate thumbprint. You can use certificate thumbprints based on the SHA-1 or MD5 hashing algorithm.
      • If you selected the Manually option, in the Certificate thumbprint field that appears, enter a unique certificate thumbprint for verifying the authenticity of the response from the Certification Center.
      • If you selected the From file option, upload a CER, KEY, or PEM file. The thumbprint will be generated and added automatically.

      The certificate thumbprint has to be specified if data exchange between the mobile device and the Certification Center takes place via the HTTP protocol.

  8. In the Subject section, specify the following settings:
    • In the Subject Name field, enter a string with the attributes of the iOS MDM device user that are contained in the X.500 certificate.

      Attributes can contain details of the country (C), locality (L), state (ST), organization (O), organization unit (OU), and common user name (CN). For example, /C=RU/O=MyCompany/CN=User/.

      You can also use other attributes specified in RFC 5280.

      Attributes are used by DNS services to validate the certificate issued by the Authentication Authority at the user's request.

    • Click the Add Subject Alternative Name button to add a field for specifying the subject alternative name:
      • In the Type of Subject Alternative Name drop-down list that appears, select the type of subject alternative name for the SCEP server. You can add only one alternative name of each type.

        You can use a subject alternative name to identify the user of the iOS MDM device. By default, identification based on the alternative name is not used.

        • DNS name. Identification using the domain name.
        • NT Principal Name. DNS name of the iOS MDM device user on the Windows NT network. The NT subject name is contained in the certificate request sent to the SCEP server. You can also use the name of the NT subject to identify the user of the iOS MDM device.
        • Email address. Identification using the email address. The email address must be specified according to RFC 822.
        • Uniform Resource Identifier (URI). Identification using the IP address or address in FQDN format.
      • In the Subject Alternative Name field, enter the alternative name of the subject of the X.500 certificate. The value of the subject alternative name depends on the selected subject type: the user's email address, domain, or web address.
  9. In the Key section, configure the encryption key settings:
    • In the Key size (bit) drop-down list, select the size of the registration key in bits: 1024, 2048, or 4096. The default value is 1024 bits.
    • If you want to allow the user to use a certificate received from the SCEP server as a signing certificate, select the Use as digital signature check box.

      Data signing protects data against modification. For example, Safari can validate the authenticity of the certificate and establish a safe data exchange session.

    • If you want to allow the user to use a certificate received from the SCEP server for data encryption, select the Use for encryption check box.

      Data encryption also protects confidential data during data exchange over a network. For example, Safari can establish a secure data exchange session using encryption. This guarantees website authenticity and confirms that the connection to the website is encrypted to prevent interception of personal and confidential data.

      You cannot simultaneously use the SCEP server certificate as a data signing certificate and a data encryption certificate.

    • If you want to allow all installed apps to access the private key from the SCEP server certificate, select the Allow all apps to access private key check box.
    • If you do not want the private key to be exported from the keychain, select the Prohibit exporting private key from the keychain check box.
  10. Click Add.

    The new SCEP profile appears in the list.

    You can modify or delete SCEP profiles in the list using the Edit and Delete buttons at the top of the list.

  11. Click OK.
  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, the user's mobile device is configured to automatically receive a certificate from the Certification Center via the internet.
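The following is an added example, not Kaspersky's code: it checks a SCEP profile against the constraints stated in the procedure above (thumbprint required over HTTP, key size of 1024/2048/4096, no simultaneous signing and encryption use, a CN in the subject, one subject alternative name per type) and derives the SHA-1 or MD5 thumbprint that the From file option computes from a CER/PEM file. The profile values and the certificate bytes are constructed samples, and the class and function names are this example's own.

```python
# Added example, not Kaspersky's code: checks a SCEP profile against the
# constraints stated above and derives the certificate thumbprint that the
# "From file" option computes from a CER/PEM file. Standard library only;
# the profile values and certificate bytes below are constructed samples.
import base64
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

KEY_SIZES = (1024, 2048, 4096)
SAN_TYPES = ("DNS name", "NT Principal Name", "Email address", "URI")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_from_file_bytes(data: bytes) -> bytes:
    """Return the DER encoding from either a PEM-armoured or a raw DER (CER) file."""
    m = PEM_RE.search(data.decode("ascii", errors="ignore"))
    if m:
        return base64.b64decode("".join(m.group(1).split()))
    return data  # no PEM armour: treat the file as DER

def thumbprint(data: bytes, algorithm: str = "sha1") -> str:
    """Thumbprint as the console expects it: hex digest of the DER bytes (SHA-1 or MD5)."""
    if algorithm not in ("sha1", "md5"):
        raise ValueError("thumbprint must use SHA-1 or MD5")
    return hashlib.new(algorithm, der_from_file_bytes(data)).hexdigest().upper()

def parse_subject(subject: str) -> dict:
    """Parse the page's subject format, e.g. '/C=RU/O=MyCompany/CN=User/'."""
    attrs = {}
    for part in subject.strip("/").split("/"):
        if "=" not in part:
            raise ValueError(f"malformed subject component {part!r}")
        key, value = part.split("=", 1)
        attrs[key.strip().upper()] = value.strip()
    return attrs

@dataclass
class ScepProfile:  # hypothetical container mirroring the Add SCEP profile window
    name: str
    server_url: str
    subject: str
    key_size: int = 1024            # console default
    polling_attempts: int = 3       # console default
    polling_interval_sec: int = 10  # console default
    thumbprint: Optional[str] = None
    use_for_signature: bool = False
    use_for_encryption: bool = False
    sans: List[Tuple[str, str]] = field(default_factory=list)  # (type, value)

def validate_profile(p: ScepProfile) -> List[str]:
    """Return a list of problems; an empty list means the profile is consistent."""
    problems = []
    url = urlparse(p.server_url)
    if url.scheme not in ("http", "https") or not url.netloc:
        problems.append("Server URL must be an http(s) URL with a host name or IP address")
    # Plain HTTP gives the device no other way to authenticate the CA response.
    if url.scheme == "http" and not p.thumbprint:
        problems.append("certificate thumbprint is required when the server URL uses HTTP")
    if p.key_size not in KEY_SIZES:
        problems.append(f"key size must be one of {KEY_SIZES}")
    if p.use_for_signature and p.use_for_encryption:
        problems.append("the certificate cannot be used for both signing and encryption")
    try:
        if "CN" not in parse_subject(p.subject):
            problems.append("subject must include a common name (CN)")
    except ValueError as e:
        problems.append(str(e))
    seen = set()
    for san_type, _value in p.sans:
        if san_type not in SAN_TYPES:
            problems.append(f"unknown subject alternative name type {san_type!r}")
        elif san_type in seen:
            problems.append(f"only one subject alternative name of type {san_type!r} is allowed")
        seen.add(san_type)
    return problems

# Constructed sample: a tiny DER SEQUENCE standing in for a CA certificate file.
SAMPLE_DER = b"\x30\x06\x02\x01\x01\x02\x01\x02"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

Running validate_profile on a profile that uses the http://10.10.10.10/certserver/companyscep URL from the page with a thumbprint computed from SAMPLE_PEM returns an empty list; omitting the thumbprint adds the HTTP problem.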

[Topic 274780]

Restricting SD card usage (only Samsung)


Configure SD card restrictions to control usage of SD cards on the user's Samsung device that supports Knox.

To restrict SD card usage on a mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Samsung Knox settings section.
  4. On the Device feature restrictions card, click Settings.

    The Device feature restrictions window opens.

  5. Enable the settings using the Device feature restrictions toggle switch.
  6. In the SD card settings section, specify the required restrictions:
    • Prohibit access to SD card

      This setting applies to devices with Android 5-12.

      Selecting or clearing this check box specifies whether access to the SD card is disabled or enabled on the device.

      This check box is cleared by default.

    • Prohibit writing to SD card

      Selecting or clearing this check box specifies whether writing to the SD card is disabled or enabled on the device.

      This check box is cleared by default.

    • Prohibit moving apps to SD card

      Selecting or clearing this check box specifies whether the device user is allowed to move apps to the SD card.

      This check box is cleared by default.

  7. In the Additional settings section, you can specify any additional restrictions:
    • Prohibit sending crash reports to Google

      This setting applies to devices running Android 11 or earlier.

      If the check box is selected, Kaspersky Endpoint Security for Android blocks sending crash reports to Google.

      If the check box is cleared, sending reports is allowed.

      This check box is cleared by default.

    • Prohibit developer mode

      This setting applies to devices running Android 11 or earlier.

      If the check box is selected, the device user is not allowed to enable developer mode on the device.

      If the check box is cleared, the user is allowed to enable developer mode on the device.

      This check box is cleared by default.

  8. Click OK.
  9. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. SD card settings are now configured.

[Topic 274781]