Kaspersky Secure Mobility Management
[Topic 274877]

Signing device management profiles with a certificate

This functionality is available with Kaspersky Security Center Linux 15.2 or later.

You can sign device management profiles with a certificate received from a trusted certification authority.

A certificate is not required for the device management profile to operate correctly. If the device management profile is not signed with a certificate, then when installing the device management profile, a warning appears and users are prompted to confirm that they trust the organization that sent the certificate.

To sign device management profiles with a certificate:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers.

    The list of iOS MDM Servers opens.

  2. Click Signing certificate.

    The Signing certificate window opens.

  3. In the Certificate format field, specify the public or private certificate type:
    • If the PKCS #12 value is selected, specify the certificate file and the password.
    • If the X.509 value is selected:
      1. Specify the private key file.
      2. Specify the public key file.
      3. Specify the private key password.
  4. Click Save.

Device management profiles that you create will now be signed with the specified certificate.

[Topic 274878]

Adding a configuration profile

To create a configuration profile, you can use Apple Configurator 2, which is available on the Apple website. Apple Configurator 2 works only on devices running macOS. If you do not have such devices at your disposal, you can use iPhone Configuration Utility. However, Apple no longer supports iPhone Configuration Utility.

To add a configuration profile to an iOS MDM Server:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose settings you want to configure.
  2. In the iOS MDM Server settings window, select Application settings.
  3. Select the Configuration profiles tab.
  4. To add a new configuration profile, click Add.
  5. In the window that opens, select the configuration profile that you want to add.

    The configuration profile name should not be longer than 100 characters. If you enter a longer name, only part of it will be displayed.

The new configuration profile will be displayed in the list of configuration profiles.

You can install the profile that you have created on iOS MDM devices.

[Topic 274879]

Installing a configuration profile on a device

To install a configuration profile on an iOS MDM device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. In the list of devices that opens, select the devices that you want to install configuration profiles on.
  3. Click Send command.
  4. In the Send command window that opens, in the Command field, select the Install configuration profile command.
  5. In the Configuration profiles section, select the configuration profiles that you want to install on the devices.
  6. Click Send.

The command is sent to the devices you selected.

To view the list of configuration profiles installed on a device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. In the list of devices that opens, click the device whose properties you want to view.

    The device properties window opens.

  3. Select the Configuration profiles tab.

The list of configuration profiles installed on the device is displayed.

[Topic 274880]

Removing a configuration profile from a device

To remove a configuration profile from an iOS MDM device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. In the list of devices that opens, select the devices that you want to remove configuration profiles from.
  3. Click Send command.
  4. In the Send command window that opens, in the Command field, select the Delete configuration profile command.
  5. In the Configuration profiles section, select the configuration profiles that you want to remove from the devices.
  6. Click Send.

The command is sent to the devices you selected.

The profile may be displayed in the list of configuration profiles installed on the device for several minutes after it has been deleted.

To view the list of configuration profiles installed on a device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. In the list of devices that opens, click the device whose properties you want to view.

    The device properties window opens.

  3. Select the Configuration profiles tab.

The list of configuration profiles installed on the device is displayed.

[Topic 274881]

Configuring managed apps

Before installing an app on an iOS MDM device, you must add that app to the Administration Server. An app is considered managed if it has been installed on a device through Kaspersky Mobile Devices Protection and Management. A managed app can be managed remotely by means of Kaspersky Mobile Devices Protection and Management.

To add a managed app to an iOS MDM Server:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps & files.
  2. Click iOS, and then click Add.

    The Add app window opens.

  3. Specify the app name in the App name field. This name will be used to identify the app in policy settings.
  4. In the Installation method field, select one of the following methods to add the app:
    • Installation package
    • Link to manifest file

      A manifest file is a PLIST file, which is required to install an app on an iOS device. These files are dictionaries containing app installation settings (for example, the location of the installation package). When you use a manifest file to add an app, you have to fill in these settings manually. When you add an app from the App Store or an IPA file, the manifest file is generated automatically.

      To get a manifest file for an app, we recommend first adding the app to the iOS MDM Server using an IPA file. In this case, the iOS MDM Server automatically generates a manifest file, which you can download and modify later.

    • App Store
  5. Do one of the following:
    • If you selected Installation package, click Select, and upload an IPA file from your computer.
    • If you selected Link to manifest file, specify a link to a manifest file that can be used to download the app.
    • If you selected App Store, specify a link or ID of the app to be added from the App Store.
  6. If necessary, configure the following settings:
    • Select the Remove when device management profile is deleted check box if you want the app to be removed from the user's mobile device along with the device management profile. This check box is selected by default.
    • Select the Block backup of app data to iCloud check box if you want to block backup of the app data to iCloud.
  7. If you want to add a custom configuration for the app, in the App configuration section, click Select and select a configuration file in PLIST format on your computer.

    To generate a configuration file, you can use a configuration generator (for example, https://appconfig.jamfresearch.com/generator) or refer to the official documentation on the app to be configured.

    Example of a basic configuration for the Microsoft Outlook app

    Microsoft Outlook app configuration

    Each configuration key is listed with its description, type, value, and default value (where one is given).

    • com.microsoft.outlook.EmailProfile.EmailAccountName
      Description: Username
      Type: String
      Value: The username that will be used to pull the username from Microsoft Active Directory. It might be different from the user's email address. For example, User.

    • com.microsoft.outlook.EmailProfile.EmailAddress
      Description: Email address
      Type: String
      Value: The email address that will be used to pull the user's email address from Microsoft Active Directory. For example, user@companyname.com.

    • com.microsoft.outlook.EmailProfile.EmailUPN
      Description: User Principal Name or username for the email profile that is used to authenticate the account
      Type: String
      Value: The name of the user in email address format. For example, userupn@companyname.com.

    • com.microsoft.outlook.EmailProfile.ServerAuthentication
      Description: Authentication method
      Type: String
      Value:
        Username and Password – Prompts the device user for their password.
        Certificates – Certificate-based authentication.
      Default value: Username and Password

    • com.microsoft.outlook.EmailProfile.ServerHostName
      Description: ActiveSync FQDN
      Type: String
      Value: The Exchange ActiveSync email server URL. You don't need to use HTTP:// or HTTPS:// in front of the URL. For example, mail.companyname.com.

    • com.microsoft.outlook.EmailProfile.AccountDomain
      Description: Email domain
      Type: String
      Value: The account domain of the user. For example, companyname.

    • com.microsoft.outlook.EmailProfile.AccountType
      Description: Authentication type
      Type: String
      Value:
        ModernAuth – Uses a token-based identity management method. Specify ModernAuth as the Account Type for Exchange Online.
        BasicAuth – Prompts the device user for their password. Specify BasicAuth as the Account Type for Exchange On-Premises.
      Default value: BasicAuth

    • IntuneMAMRequireAccounts
      Description: Is sign-in required
      Type: String
      Value: Specifies whether account sign-in is required. You can select one of the following values:
        Enabled – The app requires the user to sign in to the managed user account defined by the IntuneMAMUPN key to receive Org data.
        Disabled – No account sign-in is required.

    • IntuneMAMUPN
      Description: UPN Address
      Type: String
      Value: The User Principal Name of the account allowed to sign into the app. For example, userupn@companyname.com.

    Example of a configuration file for the Microsoft Outlook app

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.microsoft.outlook.EmailProfile.AccountType</key>
        <string>BasicAuth</string>
        <key>com.microsoft.outlook.EmailProfile.EmailAccountName</key>
        <string>My Work Email</string>
        <key>com.microsoft.outlook.EmailProfile.ServerHostName</key>
        <string>exchange.server.com</string>
        <key>com.microsoft.outlook.EmailProfile.EmailAddress</key>
        <string>%email%</string>
        <key>com.microsoft.outlook.EmailProfile.EmailUPN</key>
        <string>%full_name%</string>
        <key>com.microsoft.outlook.EmailProfile.AccountDomain</key>
        <string>my-domain</string>
        <key>com.microsoft.outlook.EmailProfile.ServerAuthentication</key>
        <string>Username and Password</string>
        <key>IntuneMAMAllowedAccountsOnly</key>
        <string>Enabled</string>
        <key>IntuneMAMUPN</key>
        <string>%full_name%</string>
    </dict>
    </plist>

    You can use macros in the corresponding fields of the configuration file to replace values.

    Macros which can be used in configuration files (macro – description):

    • %full_name% – Full user name
    • %email% – User's main email address
    • %email1% – User's first backup email address
    • %email2% – User's second backup email address
    • %mobile_phone% – User's mobile phone number
    • %phone_number% – User's main phone number
    • %phone_number1% – User's first backup phone number
    • %phone_number2% – User's second backup phone number
    • %short_name% – User name
    • %domain_name% – Name of user's domain
    • %job_title% – User's job title
    • %department% – Department name
    • %company% – Company name

  8. Click Save to save the changes you have made.

The newly created app is displayed in the table of apps on the iOS tab.

If you select a large IPA file, the app may take some time to upload. Do not close the Apps & files section until the app is uploaded.

You can view and edit app properties by clicking the app in the list or remove the app using the Delete button.
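
A pre-upload check for the app configuration file described in step 7, as an added example that is not part of the Kaspersky documentation or product. It parses the PLIST and reports macros that are not in the macro list above, values outside the sets listed for the Outlook keys, and a URL scheme in the server host name; the function name and the sample file are constructed for illustration.

```python
import plistlib
import re
from xml.parsers.expat import ExpatError

# Macro names from the page's "Macros which can be used in configuration files" list.
KNOWN_MACROS = {
    "full_name", "email", "email1", "email2", "mobile_phone", "phone_number",
    "phone_number1", "phone_number2", "short_name", "domain_name",
    "job_title", "department", "company",
}
PREFIX = "com.microsoft.outlook.EmailProfile."
# Keys for which the page's Outlook table lists a fixed set of values.
ENUM_VALUES = {
    PREFIX + "ServerAuthentication": {"Username and Password", "Certificates"},
    PREFIX + "AccountType": {"ModernAuth", "BasicAuth"},
    "IntuneMAMRequireAccounts": {"Enabled", "Disabled"},
}
MACRO_RE = re.compile(r"%([^%\s]*)%")

# Constructed sample with three deliberate mistakes (not a real deployment file).
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.microsoft.outlook.EmailProfile.AccountType</key>
    <string>Basic</string>
    <key>com.microsoft.outlook.EmailProfile.ServerHostName</key>
    <string>https://mail.companyname.com</string>
    <key>com.microsoft.outlook.EmailProfile.EmailAddress</key>
    <string>%e-mail%</string>
    <key>com.microsoft.outlook.EmailProfile.EmailUPN</key>
    <string>%full_name%</string>
</dict>
</plist>
"""


def lint_app_config(plist_bytes):
    """Return a sorted list of (key, problem) findings for an app configuration PLIST."""
    try:
        config = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        return [("<file>", f"not a valid PLIST: {exc}")]
    if not isinstance(config, dict):
        return [("<file>", "top-level element must be a <dict>")]
    findings = []
    for key, value in config.items():
        if not isinstance(value, str):
            continue  # the page's table documents String values only
        # Every %name% token must be one of the documented macros.
        for name in MACRO_RE.findall(value):
            if name not in KNOWN_MACROS:
                findings.append((key, f"unknown macro %{name}%"))
        # A stray % left after removing well-formed tokens is a broken macro.
        if "%" in MACRO_RE.sub("", value):
            findings.append((key, "unbalanced % in value"))
        allowed = ENUM_VALUES.get(key)
        if allowed and value not in allowed:
            findings.append((key, f"value {value!r} not in {sorted(allowed)}"))
        # The table says the host name is given without HTTP:// or HTTPS://.
        if key == PREFIX + "ServerHostName" and "://" in value:
            findings.append((key, "host name should not include a URL scheme"))
    return sorted(findings)


if __name__ == "__main__":
    for key, problem in lint_app_config(SAMPLE_CONFIG):
        print(f"{key}: {problem}")
```

Keys that the table does not list, such as IntuneMAMAllowedAccountsOnly in the page's example file, are checked for macros only.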

See also:

Creating a mobile application package for Android devices

[Topic 274885]

Installing an app on a mobile device

To install an app on a mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. In the list of devices that opens, select the devices that you want to install apps on.
  3. Click Send command.
  4. In the Send command window that opens, in the Command field, select the Install app command.
  5. In the Apps field, select the apps that you want to install on the devices.
  6. Click Send.

The command is sent to the devices you selected.

[Topic 291731]

Updating an app installed on a device

You can update an app on an iOS MDM device in the Send command window or on the Apps tab in the device properties window.

In the Send command window, you can update apps on multiple devices.

To update an app on an iOS MDM device in the Send command window:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. In the list of devices that opens, select the devices that you want to update apps on.
  3. Click Send command.
  4. In the Send command window that opens, in the Command field, select the Update app command.
  5. In the Apps section, select the apps that you want to update on the devices.
  6. Click Send.

The command is sent to the devices you selected.

To update an app on an iOS MDM device in the device properties window:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. In the list of devices that opens, click the name of the device that you want to update apps on.

    The device properties window opens.

  3. Select the Apps tab.
  4. At the top of the apps list, click Update.
  5. In the window that opens, select the apps that you want to update on the device and click Update.

The command is sent to the device.

Updating apps may take a few minutes. The command is executed only if a device is connected to the internet. To check whether an app has been updated, click Refresh list.

[Topic 291766]

Removing an app from a device

You can remove an app from an iOS MDM device in the Send command window or on the Apps tab in the device properties window.

In the Send command window, you can remove apps from multiple devices.

To remove an app from an iOS MDM device in the Send command window:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. In the list of devices that opens, select the devices that you want to remove apps from.
  3. Click Send command.
  4. In the Send command window that opens, in the Command field, select the Delete app command.
  5. In the Apps section, select the apps that you want to remove from the devices.
  6. Click Send.

The command is sent to the devices you selected.

To remove an app from an iOS MDM device in the device properties window:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. In the list of devices that opens, click the name of the device that you want to remove apps from.

    The device properties window opens.

  3. Select the Apps tab.
  4. In the apps list, select the apps that you want to remove from the device and click Delete.

The command is sent to the device.

Removing apps may take a few minutes. The command is executed only if a device is connected to the internet. To check whether an app has been removed, click Refresh list.

See also:

Viewing information about an iOS MDM device

[Topic 274887]

Configuring roaming on an iOS MDM mobile device

To configure roaming:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. In the list of devices that opens, select the devices that you want to configure roaming settings for.
  3. Click Send command.
  4. In the Send command window that opens, in the Command field, select the Change roaming settings command.
  5. In the Action section, do one of the following:
    • If you want to enable data roaming, select Enable data roaming.
    • If you want to disable data roaming, select Disable data roaming.
  6. Click Send.

The command is sent to the devices you selected.

[Topic 274888]

Viewing information about an iOS MDM device

To view information about an iOS MDM device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.

    The list of managed mobile devices opens.

  2. To filter iOS MDM devices, click the Operating mode column heading and select the operating mode of the iOS MDM device you want to view information about.

    The list of iOS MDM devices is displayed.

    Depending on the database you use, searches may be case-sensitive.

  3. Select the mobile device you want to view information about.

    A window with the properties of the iOS MDM device opens.

The General tab of the properties window displays information about the connected iOS MDM device.

The Certificates tab of the properties window displays information about the certificates installed on the selected iOS MDM device.

The Apps tab of the properties window displays information about the apps installed on the selected iOS MDM device.

The Configuration profiles tab of the properties window displays information about the configuration profiles installed on the selected iOS MDM device.

See also:

Viewing information about an Android device

[Topic 291747]

Disconnecting an iOS MDM device from management

If you want to stop managing an iOS MDM device, you can disconnect it from management in Kaspersky Security Center.

We do not recommend disconnecting the device from management by removing the device management profile, since such a device may not work correctly when reconnected. To stop managing an iOS MDM device, disconnect it from the iOS MDM Server as described in this section.

To disconnect an iOS MDM device from the iOS MDM Server:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.

    The list of managed mobile devices opens.

  2. To filter iOS MDM devices, click the Operating mode column heading and select the operating mode of the iOS MDM device you want to disconnect.

    The list of iOS MDM devices operating in the selected mode is displayed.

  3. Select the mobile device you want to disconnect.
  4. Click Delete.

In the list, the iOS MDM device is marked for removal. Within one minute, the device is removed from the database of the iOS MDM Server, after which it is automatically removed from the list of managed devices.

After the iOS MDM device is disconnected from management, all installed configuration profiles, the device management profile, and apps for which the Remove when device management profile is deleted option has been enabled in the iOS MDM Server settings, will be removed from the device. The iOS MDM policy will also be deleted.

[Topic 274890]

Configuring kiosk mode for iOS MDM devices

These settings apply to supervised devices.

Kiosk mode is an iOS feature that lets you limit the apps available to a device user to a single app. In this mode, a device user can open only the one app that is allowed on the device and specified in the kiosk mode settings.

Open the kiosk mode settings

To open the kiosk mode settings:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Restrictions section.
  4. On the Kiosk mode card, click Settings.

The Kiosk mode window opens.

Configure kiosk mode

To enable kiosk mode:

  1. Enable the settings using the Kiosk mode toggle switch to activate kiosk mode on a supervised device.
  2. In the Bundle ID field, enter the unique identifier of an app selected for kiosk mode (for example, com.apple.calculator).

    How to get the bundle ID of an app

    To get the bundle ID of a built-in iPhone or iPad app, follow the instructions in the Apple documentation.

    To get the bundle ID of any iPhone or iPad app:

    1. Open the App Store.
    2. Find the required app and open its page.

      The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).

    3. Copy this identifier (without the letters "id").
    4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.

      This downloads a text file.

    5. Open the downloaded file and find the "bundleId" fragment in it.

    The text that directly follows this fragment is the bundle ID of the required app.

    To get the bundle ID of an app that has been added to Kaspersky Security Center:

    1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps & files.
    2. Click iOS.

      In the list of apps that opens, app identifiers are displayed in the Bundle ID column.

    To select a different app, you need to disable kiosk mode, save the changes to the policy, and enable kiosk mode for a new app.

    The app that is selected for kiosk mode must be installed on the device. Otherwise, the device will be locked until kiosk mode is disabled.

    The use of the selected app must also be allowed in the policy settings. If the use of the app is prohibited, kiosk mode will not be enabled until the selected app is removed from the list of forbidden apps.

    In some cases, kiosk mode can still be enabled even when the use of the selected app is prohibited in the policy settings.

  3. Specify the settings that will be enabled on the device in kiosk mode in the corresponding section. For available settings, see the "Kiosk mode settings" section below.
  4. Specify the settings that the user can edit on the device in kiosk mode in the corresponding section.
  5. Click OK.
  6. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, kiosk mode is enabled. The selected app is forced to open on a supervised device, and the use of other apps is prohibited. The selected app reopens immediately after the device is restarted.

To edit the kiosk mode settings, you need to disable kiosk mode, save changes to the policy, and then enable kiosk mode again with the new settings.
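
The App Store lookup steps from "How to get the bundle ID of an app", as an added example that is not part of the Kaspersky documentation. It takes the numeric identifier from the app's URL, builds the lookup URL, and reads "bundleId" from the downloaded text, rejecting a response that does not match the requested app. The JSON layout (a "results" list with a "trackId" field), the bundle ID character check, the function names and the sample response are assumptions made for illustration.

```python
import json
import re
from urllib.parse import urlencode, urlparse

LOOKUP_ENDPOINT = "https://itunes.apple.com/lookup"  # lookup URL from the procedure
# Assumed bundle ID shape: letters, digits, hyphens and periods, two or more segments.
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Constructed lookup response, trimmed to two fields; the bundleId is a placeholder.
SAMPLE_RESPONSE = (
    '{"resultCount": 1, "results": '
    '[{"trackId": 535886823, "bundleId": "com.example.browser"}]}'
)


def app_id_from_store_url(store_url):
    """Return the numeric identifier that ends an App Store URL, without 'id'."""
    path = urlparse(store_url).path.rstrip("/")
    match = re.search(r"/id(\d+)$", path)
    if not match:
        raise ValueError(f"no numeric app identifier in {store_url!r}")
    return match.group(1)


def build_lookup_url(app_id):
    """Build the lookup URL for a numeric identifier."""
    if not app_id.isdigit():
        raise ValueError("app identifier must contain digits only")
    return f"{LOOKUP_ENDPOINT}?{urlencode({'id': app_id})}"


def bundle_id_from_lookup(response_text, app_id):
    """Return the bundleId for app_id from the downloaded lookup text."""
    data = json.loads(response_text)
    results = data.get("results") if isinstance(data, dict) else None
    candidates = {
        entry["bundleId"]
        for entry in results or []
        if isinstance(entry, dict)
        and str(entry.get("trackId")) == str(app_id)
        and isinstance(entry.get("bundleId"), str)
    }
    # Exactly one match is required: an empty or ambiguous answer must not
    # end up in the Bundle ID field of the kiosk mode settings.
    if len(candidates) != 1:
        raise ValueError(f"expected one bundleId for app {app_id}, got {len(candidates)}")
    bundle_id = candidates.pop()
    if not BUNDLE_ID_RE.match(bundle_id):
        raise ValueError(f"unexpected bundle ID format: {bundle_id!r}")
    return bundle_id


if __name__ == "__main__":
    app_id = app_id_from_store_url(
        "https://apps.apple.com/us/app/google-chrome/id535886823"
    )
    print(build_lookup_url(app_id))
    print(bundle_id_from_lookup(SAMPLE_RESPONSE, app_id))
```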

To disable kiosk mode:

  1. Disable the settings using the Kiosk mode toggle switch to deactivate kiosk mode on a supervised device.
  2. Click OK.
  3. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, kiosk mode is disabled and the use of all apps is allowed on the supervised device.

Now, you can enable kiosk mode again with the new settings.

Kiosk mode settings

  • Auto-Lock

    If the check box is selected, Auto-Lock is enabled. The screen is automatically locked on the device.

    If the check box is cleared, Auto-Lock is disabled.

    This check box is selected by default.

  • Touch (not recommended to disable)

    If the check box is selected, all touch input capabilities are enabled.

    If the check box is cleared, all touch input capabilities are disabled.

    This check box is selected by default.

  • AssistiveTouch

    If the check box is selected, AssistiveTouch is enabled. The device screen is adapted to the user's unique physical needs.

    If the check box is cleared, AssistiveTouch is disabled.

    This check box is cleared by default.

  • Voice Control

    If the check box is selected, Voice Control is enabled. The user can navigate and interact with the device using voice commands.

    If the check box is cleared, Voice Control is disabled.

    This check box is cleared by default.

  • VoiceOver

    If the check box is selected, VoiceOver is enabled. Audible descriptions of what appears on the screen are given.

    If the check box is cleared, VoiceOver is disabled.

    This check box is cleared by default.

  • Speak Selection

    If the check box is selected, Speak Selection is enabled. The text selected on the screen is spoken.

    If the check box is cleared, Speak Selection is disabled.

    This check box is cleared by default.

  • Volume Buttons

    If the check box is selected, the volume buttons are enabled. The user can adjust the volume on the device.

    If the check box is cleared, the volume buttons are disabled.

    This check box is selected by default.

  • Mono Audio

    If the check box is selected, Mono Audio is enabled. The left and right headphone channels are combined to play the same content.

    If the check box is cleared, Mono Audio is disabled.

    This check box is cleared by default.

  • Zoom

    If the check box is selected, Zoom is enabled. The user can zoom in and out on the content on the screen.

    If the check box is cleared, Zoom is disabled.

    This check box is selected by default.

  • Auto-Rotate Screen

    If the check box is selected, Auto-Rotate Screen is enabled. Screen orientation automatically changes when the device is rotated.

    If the check box is cleared, Auto-Rotate Screen is disabled.

    This check box is selected by default.

  • Invert Colors

    If the check box is selected, inverting colors on the screen is enabled. The displayed colors are changed to their opposite colors.

    If the check box is cleared, inverting colors on the screen is disabled.

    This check box is cleared by default.

  • Ring/Silent Switch

    If the check box is selected, Ring/Silent Switch is enabled. The user can switch between Ring and Silent modes to mute or unmute sounds and alerts.

    If the check box is cleared, Ring/Silent Switch is disabled.

    This check box is selected by default.

  • Sleep/Wake Button

    If the check box is selected, the Sleep/Wake button is enabled. The user can put the device to sleep or wake the device.

    If the check box is cleared, the Sleep/Wake button is disabled.

    This check box is selected by default.

See also:

Configuring kiosk mode for Android devices

[Topic 274826]