Corporate container
This section contains information about working with a corporate container.
[Topic 274798]
About corporate containers
Android Enterprise is a platform for managing the corporate mobile infrastructure and provides company employees with a safe work environment in which they can use mobile devices. For details on using Android Enterprise, see the Google support website.
You can create a corporate container that uses an Android Work Profile on a user's personal mobile device. A corporate container is a safe environment in which the administrator can manage apps and user accounts without restricting the user's use of their own data. When a corporate container is created on the user's mobile device, the following corporate apps are automatically installed in it: Google Play, Google Chrome, Downloads, Kaspersky Endpoint Security for Android, and others. Apps installed in the corporate container as well as notifications from these apps are marked with a briefcase icon. You have to create a separate Google corporate account for the Google Play app. Apps installed in a corporate container appear in the common list of apps.
[Topic 274816]
Configuring a corporate container
To configure the settings of a corporate container:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select Android and go to the Corporate container section.
- On the Corporate container on devices card, click Settings.
The Corporate container on devices window opens.
- Enable the settings using the Corporate container on devices toggle switch.
- Specify the corporate container settings:
- On the General tab, you can specify the settings for data sharing, contacts, and more.
- Settings in the Data access and sharing section:
- Prohibit personal apps from sharing data with corporate container apps
Restricts sharing files, pictures, or other data from personal apps with corporate container apps.
If the check box is selected, personal apps can't share data with corporate container apps.
If the check box is cleared, personal apps can share data with corporate container apps.
This check box is selected by default.
- Prohibit corporate container apps from sharing data with personal apps
Restricts sharing files, pictures, or other data from corporate container apps with personal apps.
If the check box is selected, the apps in the corporate container can't share data with personal apps.
If the check box is cleared, the apps in the corporate container can share data with personal apps.
This check box is selected by default.
- Prohibit corporate container apps from accessing personal files
Restricts access of corporate container apps to personal files.
If the check box is selected, the user can't access personal files when using corporate container apps.
If the check box is cleared, the user can access personal files when using corporate container apps. Note that the access must also be supported by the apps that are being used.
This check box is selected by default.
- Prohibit personal apps from accessing files in corporate container
Restricts access of personal apps to files in the corporate container.
If the check box is selected, the user can't access files in the corporate container when using personal apps.
If the check box is cleared, the user can access files in the corporate container when using personal apps. Note that the access must be supported by the apps that are being used.
This check box is selected by default.
- Prohibit use of clipboard between personal apps and corporate container
Selecting or clearing this check box specifies whether the device user is allowed to copy data via the clipboard between personal apps and the corporate container.
This check box is selected by default.
- Prohibit activation of USB debugging
Restricts the use of USB debugging on the user's mobile device in the corporate container. In USB debugging mode, the user can download an app via a workstation, for example.
If the check box is selected, USB debugging mode is not available to the user. The user is unable to configure the mobile device via USB after connecting the device to a workstation.
If the check box is cleared, the user can enable USB debugging mode, connect the mobile device to a workstation via USB, and configure the device.
This check box is selected by default.
- Prohibit users from adding and removing accounts in corporate container
If the check box is selected, the user is prohibited from adding and removing accounts in the corporate container via the Settings or Google apps. This includes restricting the ability to sign in to Google apps for the first time. However, the user can sign in, add, and remove accounts via some other third-party apps in the corporate container.
Accounts that were added before the restriction is set will not be removed, and signing in to these accounts is not restricted.
This check box is selected by default.
- Prohibit screen sharing, recording, and screenshots in corporate container apps
Selecting or clearing this check box specifies whether the device user is allowed to take screenshots of, record and share the device screen in corporate container apps. It also specifies whether the contents of the device screen are allowed to be captured for artificial intelligence purposes.
This check box is selected by default.
- Settings in the File sharing section:
- Copy shared files to user's personal space
Selecting or clearing this check box specifies whether files sent to a user's device with a corporate container are copied to the user's personal space on the device.
This check box applies only to files that have not yet been sent to the device. Files that were sent to the device before the check box is selected are not copied to the user's personal space.
This check box is cleared by default.
- Settings in the Contacts section:
- On the Apps tab, specify the following settings:
- Settings in the General section:
- Enable App Control in corporate container only
Controls the startup of apps in the corporate container on the user's mobile device. You can create lists of allowed, forbidden, and recommended apps as well as allowed and forbidden app categories in the App Control section.
If this check box is selected, then depending on the App Control settings, Kaspersky Endpoint Security blocks or allows startup of apps only in the corporate container. Moreover, App Control does not work in the user's personal space.
This check box is selected by default.
- Enable Web Protection and Web Control in corporate container only
Restricts user access to websites in the corporate container on the device. You can specify website access settings in the Web Control settings.
If this check box is selected, Web Protection and Web Control block or allow access to websites only in the corporate container. Moreover, Web Protection and Web Control do not work in the user's personal space.
If this check box is cleared, then depending on the Web Protection and Web Control settings, Kaspersky Endpoint Security blocks or allows access to websites in the user's personal space and the corporate container.
This check box is selected by default.
- Prohibit installation of apps from unknown sources in corporate container
Restricts installation of apps in the corporate container from all sources other than Google Play Enterprise.
If the check box is selected, the user can install apps only from Google Play. Users use their own Google corporate accounts to install apps.
If the check box is cleared, the user can install apps in any available way. Only apps forbidden in the App Control settings can't be installed.
This check box is cleared by default.
- Prohibit removing apps from corporate container
Selecting or clearing this check box specifies whether the user is prohibited from removing apps from the corporate container.
This check box is cleared by default.
- Prohibit displaying notifications from corporate container apps when screen is locked
Restricts displaying the contents of notifications from corporate container apps on the lock screen of the device.
If the check box is selected, the contents of notifications from corporate container apps can't be viewed on the device lock screen. To view these notifications, the user has to unlock the device or corporate container.
If the check box is cleared, notifications from corporate container apps are displayed on the device lock screen.
This check box is selected by default.
- Prohibit use of camera for corporate container apps
Selecting or clearing this check box specifies whether corporate container apps can access the device camera.
This check box is selected by default.
- In the Granting runtime permissions for corporate container apps section you can select an action to be performed when corporate container apps are running and request additional permissions. This does not apply to permissions granted in the device settings (for example, Access All Files).
- Allow users to configure permissions
When a permission is requested, the user decides whether to grant the specified permission to the app.
This option is selected by default.
- Grant permissions automatically
All corporate container apps are granted permissions without user interaction.
On Android 12 or later, the following permissions can't be granted automatically but can be denied automatically. If you select this option, the app will prompt the user for these permissions:
- Location permissions
- Permissions for camera
- Permissions to record audio
- Permission for activity recognition
- Permissions to monitor SMS and MMS incoming messages
- Permissions to access body sensor data
- Deny permissions automatically
All corporate container apps are denied permissions without user interaction.
Users can adjust app permissions in the device settings before these permissions are denied automatically.
- In the Adding widgets of corporate container apps to device home screen section you can choose whether the device user is allowed to add widgets of corporate container apps to the device home screen.
- Prohibit for all apps
The device user is prohibited from adding widgets of apps installed in the corporate container.
This option is selected by default.
- Allow for all apps
The device user is allowed to add widgets of all apps installed in the corporate container.
- Allow only for the listed apps
The device user is allowed to add widgets of listed apps installed in the corporate container.
To add an app to the list, click Add and enter an app package name.
How to get the package name of an app
To get the name of an app package:
- Open Google Play.
- Find the app and open its page.
The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).
To get the name of an app package that has been added to Kaspersky Security Center:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps & files.
- Select Android → Apps.
In the list of apps that opens, app identifiers are displayed in the Package name column.
- On the Certificates tab, you can configure the following settings:
- Duplicate installation of VPN certificates in user's personal space
Selecting or clearing the check box specifies whether the VPN certificate added in the Mobile → Certificates section of the Kaspersky Security Center Web Console and installed in the corporate container will also be installed in the user's personal space.
By default, VPN certificates received from Kaspersky Security Center are installed in the corporate container. This setting is applied when a new VPN certificate is issued.
This check box is cleared by default.
- Duplicate installation of root certificates in user's personal space
Selecting or clearing the check box specifies whether the root certificates added in the Root certificates settings and installed in the corporate container will also be installed in the user's personal space.
This check box is cleared by default.
- On the Password tab, specify the corporate container password settings:
- Require setting a password for corporate container
Lets you specify the requirements for the corporate container password according to company security requirements.
If the check box is selected, password requirements are available for configuration. When the policy is applied, the user receives a notification prompting them to set up a corporate container password according to company requirements.
If the check box is cleared, password settings cannot be edited.
This check box is cleared by default.
- Minimum password length
The minimum number of characters in the user password. Possible values: 4 to 16 characters.
The user's password is 4 characters long by default.
The following applies only to the user's personal space and the corporate container:
- In the user's personal space, Kaspersky Endpoint Security converts the password strength requirements into one of the values available in the system: medium or high on devices running Android 10 or later.
- In the corporate container, Kaspersky Endpoint Security converts the password strength requirements into one of the values available in the system: medium or high on devices running Android 12 or later.
The values are determined using the following rules:
- If the required password length is 1 to 4 characters, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN) with no repeating or ordered sequences (e.g. 1234), or alphabetic/alphanumeric. The PIN or password must be at least 4 characters long.
- If the required password length is 5 or more characters, then the app prompts the user to set a high-strength password. It must be either numeric (PIN) with no repeating or ordered sequences, or alphabetic/alphanumeric (password). A PIN must be at least 8 digits long. A password must be at least 6 characters long.
- Minimum password complexity requirements
Specifies the minimum unlock password requirements. These requirements apply only to new user passwords. The following values are available:
- Numeric
The user can set a password that includes numbers or set any stronger password (for instance, an alphabetic or alphanumeric password).
This option is selected by default.
- Alphabetic
The user can set a password that includes letters (or other non-number symbols) or set any stronger password (for instance, an alphanumeric password).
- Alphanumeric
The user can set a password that includes both numbers and letters (or other non-number symbols) or set any stronger complex password.
- No requirements
The user can set any password.
- Complex
The user must set a complex password according to the specified password properties:
- Minimum number of letters
- Minimum number of digits
- Minimum number of special characters (for example, !@#$%)
- Minimum number of uppercase letters
- Minimum number of lowercase letters
- Minimum number of non-alphabetic characters (for example, 1^*9)
- Complex numeric
The user can set a password that includes numbers with no repetitions (e.g. 4444) and no ordered sequences (e.g. 1234, 4321, 2468) or set any stronger complex password.
- Maximum number of failed password attempts before corporate container is deleted
Specifies the maximum number of user attempts to enter the password to unlock the corporate container. When the policy is applied, the corporate container will be deleted from the device after the maximum number of failed attempts is exceeded.
Possible values are 4 to 16.
The default value is not set. This means that the attempts are not limited.
- Maximum password lifetime (days)
Specifies the number of days before the password expires. Applying a new value will set the current password lifetime to the new value.
The default value is 0. This means that the password won't expire.
- Number of days to send a notification before a required password change
Specifies the number of days to notify the user before the password expires.
The default value is 0. This means that the user won't be notified about an expiring password.
- Number of recent passwords that cannot be set as a new password
Specifies the maximum number of previous user passwords that can't be used as a new password. This setting applies only when the user sets a new password on the device.
The default value is 0. This means that the new user password can match any previous password except the current one.
- Period of inactivity before corporate container is locked (sec)
Specifies the period of inactivity before the device locks.
The default value is 0. This means that the device won't lock after a certain period.
- Period after biometric unlock before password must be entered (min)
Specifies the period for unlocking the device without a password. During this period, the user can use biometric methods to unlock the screen. After this period, the user can unlock the screen only with a password.
The default value is 0. This means that the user won't be forced to unlock the device with a password after a certain period.
- Allow biometric unlock methods
If the check box is selected, the use of biometric unlock methods on the mobile device is allowed.
If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of biometric methods to unlock the screen. The user can unlock the screen only with a password.
This check box is selected by default.
- Allow fingerprint unlock
Specifies whether fingerprints can be used to unlock the screen.
This check box does not restrict the use of a fingerprint scanner when signing in to apps or confirming purchases.
If the check box is selected, the use of fingerprints on the mobile device is allowed.
If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of fingerprints to unlock the screen. The user can unlock the screen only with a password. In the device settings, the option to use fingerprints will be unavailable.
This check box is available only if the Allow biometric unlock methods check box is selected.
This check box is selected by default.
On some Xiaomi devices with a corporate container, the corporate container may be unlocked by a fingerprint only if you set the Period of inactivity before corporate container is locked (sec) value after setting a fingerprint as the screen unlock method.
- Allow face unlock
If the check box is selected, the use of face scanning is allowed on the mobile device.
If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of face scanning to unlock the screen.
This check box is available only if the Allow biometric unlock methods check box is selected.
This check box is selected by default.
- Allow iris scanning
If the check box is selected, the use of iris scanning is allowed on the mobile device.
If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of iris scanning to unlock the screen.
This check box is available only if the Allow biometric unlock methods check box is selected.
This check box is selected by default.
- On the Passcode tab, specify the one-time passcode settings. The user will be prompted to enter the one-time passcode to unlock their corporate container if it is locked.
- Passcode length
The number of digits in the passcode. Possible values: 4, 8, 12, or 16 characters.
The passcode length is 4 characters by default.
- Click OK.
- Click Save to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. The user's mobile device is divided into a corporate container and a personal space.
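
The conversion rules listed under Minimum password length above can be checked against candidate PINs and passwords with the sketch below. This is an added example, not Kaspersky code: the function names are hypothetical, and the run threshold (four or more digits with a constant step) is an assumption, since the page gives only examples such as 4444, 1234, 4321 and 2468.

```python
import re

MEDIUM, HIGH = "medium", "high"
# (minimum PIN digits, minimum password characters) per strength level,
# taken from the two conversion rules on this page.
MIN_LENGTHS = {MEDIUM: (4, 4), HIGH: (8, 6)}
# Android version from which the conversion is applied, per scope.
CONVERSION_FROM = {"personal": 10, "container": 12}
# Assumption: a run of this many digits with a constant step
# (0 = repetition, any other step = ordered sequence) is rejected.
MAX_RUN = 4


def conversion_applies(scope, android_version):
    """True if the length requirement is converted to medium/high in this scope."""
    return android_version >= CONVERSION_FROM[scope]


def required_strength(min_length):
    """Map the policy's 'Minimum password length' value to a strength level."""
    if min_length < 1:
        raise ValueError("minimum length must be at least 1")
    return MEDIUM if min_length <= 4 else HIGH


def longest_constant_step_run(pin):
    """Length of the longest run of digits with a constant difference."""
    digits = [int(c) for c in pin]
    if len(digits) < 3:
        return len(digits)
    best = run = 2
    for i in range(2, len(digits)):
        if digits[i] - digits[i - 1] == digits[i - 1] - digits[i - 2]:
            run += 1
        else:
            run = 2
        best = max(best, run)
    return best


def check_credential(candidate, min_length):
    """Return the list of rule violations; an empty list means accepted."""
    strength = required_strength(min_length)
    min_pin, min_password = MIN_LENGTHS[strength]
    problems = []
    if re.fullmatch(r"[0-9]+", candidate):  # numeric (PIN)
        if len(candidate) < min_pin:
            problems.append(f"{strength} PIN needs at least {min_pin} digits")
        if longest_constant_step_run(candidate) >= MAX_RUN:
            problems.append("PIN contains a repeating or ordered sequence")
    elif len(candidate) < min_password:  # alphabetic/alphanumeric
        problems.append(
            f"{strength} password needs at least {min_password} characters")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: (policy minimum length, candidate credential).
    samples = [(4, "1234"), (4, "2580"), (5, "2580"),
               (10, "27184059"), (10, "ab12cd")]
    for min_len, cand in samples:
        print(min_len, repr(cand), check_credential(cand, min_len) or "accepted")
```

Under the rules as written, a policy minimum of 10 maps to the high level, which a 6-character alphanumeric password satisfies; the last sample shows that case.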
[Topic 274817]
Unlocking the corporate container
The corporate container can be locked if the device does not meet the Compliance Control security requirements.
To unlock the corporate container, the user of the mobile device must enter a one-time corporate container passcode on the locked screen. The passcode is generated by Kaspersky Security Center and is unique for each mobile device. When the corporate container is unlocked, the corporate container password is set to the default value (1234).
As an administrator, you can view the passcode in the policy settings that are applied to the mobile device. The length of the passcode can be changed (4, 8, 12, or 16 digits) in the Corporate container on devices settings of the policy.
To unlock a corporate container using a one-time passcode:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
- Click the mobile device for which you want to get a one-time passcode.
- Select Applications → Kaspersky Mobile Devices Protection and Management.
The Kaspersky Mobile Devices Protection and Management properties window opens.
- Select the Application settings tab.
The unique passcode for the selected device is shown in the One-time code field of the One-time corporate container passcode section.
- Use any available method (such as email) to communicate the one-time passcode to the user.
The user then must enter the received one-time passcode on their device.
The corporate container of the user's mobile device is unlocked.
After the corporate container on a device is locked, the history of corporate container passwords is cleared. This means that the user can specify a recent password, regardless of the corporate container password settings.
[Topic 274818]