Contents
- Deployment
- Solution architecture
- Common integrated solution deployment scenarios
- Preparing the Administration Console for deployment of the integrated solution
- Configuring Administration Server settings for connection of mobile devices
- Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server
- Displaying the Mobile Device Management folder in the Administration Console
- Creating an administration group
- Creating a rule for device automatic allocating to administration groups
- Creating a mobile certificate
- Installing Kaspersky Endpoint Security for Android
- Activating the Kaspersky Endpoint Security for Android app
- Installing an iOS MDM profile
- Installing administration plug-ins
- Updating a previous version of the application
- Removal of Kaspersky Endpoint Security for Android
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Deployment
This Help section is intended for specialists who install Kaspersky Security for Mobile, as well as for specialists who provide technical support to organizations that use Kaspersky Security for Mobile.
Solution architecture
Kaspersky Security for Mobile includes the following components:
- Kaspersky Endpoint Security for Android mobile app
The Kaspersky Endpoint Security for Android app ensures protection of mobile devices against web threats, viruses, and other programs that pose threats. It supports interaction between the mobile device and the Kaspersky Security Center Administration Server using Firebase Cloud Messaging.
- Kaspersky Endpoint Security for Android Administration Plug-in
The Administration Plug-in of Kaspersky Endpoint Security for Android provides the interface for managing mobile devices and mobile apps installed on them through the Administration Console of Kaspersky Security Center.
- Kaspersky Device Management for iOS Administration Plug-in
The Administration Plug-in of Kaspersky Device Management for iOS provides an interface for managing mobile devices connected by means of the iOS MDM protocol through the Administration Console of Kaspersky Security Center.
The architecture of the Kaspersky Security for Mobile integrated solution is shown in the figure below.
The architecture of Kaspersky Security for Mobile
For details on Administration Console, Administration Server, and iOS MDM Server, please refer to Kaspersky Security Center Help.
Common integrated solution deployment scenarios
This section covers the common deployment scenarios for the Kaspersky Security for Mobile integrated solution.
Different deployment scenarios can be used to deploy the integrated solution on Android devices and iOS devices. If the organization uses mobile devices running various operating systems, apps should be installed for each operating system separately by following the appropriate deployment scenario.
Deployment scenarios for Kaspersky Endpoint Security for Android
Kaspersky Endpoint Security for Android can be deployed on mobile devices within the corporate network in several ways. You can use the most suitable deployment scenario for your organization or combine several deployment scenarios.
For details on deploying Kaspersky Endpoint Security for Android in Kaspersky Endpoint Security Cloud, please refer to Kaspersky Endpoint Security Cloud help.
Deploying Kaspersky Endpoint Security for Android via Kaspersky Security Center on personal devices
For personal devices, you can deploy Kaspersky Endpoint Security for Android via Kaspersky Security Center by using the following methods:
- Deliver messages with the Google Play link (recommended)
- Deliver messages with a link to the installation package in Kaspersky Security Center
Deployment of Kaspersky Endpoint Security for Android using Google Play consists in sending messages containing the Google Play link to users of devices from the Administration Console.
To deploy Kaspersky Endpoint Security for Android via the installation package, do the following:
- Create and configure an app installation package.
- Create a standalone installation package.
- Send messages with a link for downloading a standalone installation package to users of Android devices. Mass mailing is available.
The user installs Kaspersky Endpoint Security for Android on a mobile device after receiving a message with a Google Play link or a link for downloading the installation package from the Kaspersky Security Center server. No additional preparations are needed to begin using the app.
Deploying Kaspersky Endpoint Security for Android via Kaspersky Security Center on company-owned devices (device owner mode)
For company-owned devices (device owner mode), you can deploy Kaspersky Endpoint Security for Android via Kaspersky Security Center by using the following methods:
- Deliver the QR code with a link to a general app version (APK installation file)
- Deliver the QR code with a link to the installation package in Kaspersky Security Center
To deploy Kaspersky Endpoint Security for Android in device owner mode via the general app version, do the following:
- Create a QR code for app installation from the Administration Console.
- Pre-configure the mobile device and install Kaspersky Endpoint Security for Android using the QR code.
To deploy Kaspersky Endpoint Security for Android in device owner mode via the installation package, do the following:
- Create and configure an app installation package.
- Create a standalone installation package.
- Create a QR code for app installation via the installation package.
- Pre-configure the mobile device and install Kaspersky Endpoint Security for Android using the QR code.
Deploying Kaspersky Endpoint Security for Android from Google Play
Kaspersky Endpoint Security for Android is installed from Google Play independently by the users of devices. Users download the mobile app distribution package from Google Play and install the app on devices. After the app has been installed on the device, you need to make additional preparations before you can begin using it: configure the settings of the connection to the Administration Server and install a mobile certificate.
Deploying Kaspersky Endpoint Security for Android via KNOX Mobile Enrollment
Deployment of Kaspersky Endpoint Security for Android consists of adding a KNOX MDM profile to mobile devices. The KNOX MDM profile contains a link to an app deployed on the Kaspersky Security Center Web Server or another server. After the app is installed on the mobile device, you must also install a mobile certificate.
You can read about installation through KNOX Mobile Enrollment in the Samsung KNOX section.
Deployment scenarios for iOS MDM profile
An iOS MDM profile is a profile that contains the settings for connecting mobile devices running iOS to Kaspersky Security Center. After installation of an iOS MDM profile and synchronization with Kaspersky Security Center, the device becomes a managed device. Mobile devices are managed through the Apple Push Notification service (APNs). For more details on installing an iOS MDM profile and working with APNs, please refer to Kaspersky Security Center Help.
Using an iOS MDM profile, you can do the following:
- Remotely configure the settings of iOS MDM devices by using group policies.
- Send device lock and data wipe commands.
- Remotely install Kaspersky apps and other third-party apps.
An iOS MDM profile can be deployed on mobile devices within the corporate network in several ways. You can use the most suitable deployment scenario for your organization or combine several deployment scenarios.
Before deploying an iOS MDM profile, the administrator must do the following:
- Install an iOS MDM Server.
- Obtain an Apple Push Notification Service certificate (APNs certificate).
- Install an APNs certificate to the iOS MDM Server.
For more details on installing an iOS MDM Server and working with an APNs certificate, please refer to Kaspersky Security Center help.
For details on deploying an iOS MDM profile in Kaspersky Endpoint Security Cloud, please refer to Kaspersky Endpoint Security Cloud help.
Deploying an iOS MDM profile via Kaspersky Security Center
Deployment of an iOS MDM profile via Kaspersky Security Center can be carried out by sending messages containing a link to download the iOS MDM profile. Mass mailing is available.
The user installs the iOS MDM profile to a mobile device after receiving the message with a link to the Kaspersky Security Center Web Server. No additional preparations for the iOS MDM profile are required.
For more details on creating an iOS MDM profile, please refer to Kaspersky Security Center Help.
Preparing the Administration Console for deployment of the integrated solution
This section provides instructions on preparing the Administration Console for deployment of the integrated solution.
Configuring Administration Server settings for connection of mobile devices
For mobile devices to be able to connect to the Administration Server, configure the mobile device connection settings in the Administration Server properties before installing the Kaspersky Endpoint Security mobile app.
To configure Administration Server settings for connecting mobile devices:
- In the context menu of the Administration Server, select Properties.
The Administration Server settings window opens.
- Select Server connection settings → Additional ports.
- Select the Open port for mobile devices check box.
- In the Port for mobile devices field, specify the port through which mobile devices will connect to the Administration Server.
Port 13292 is used by default. If the Open port for mobile devices check box is cleared or the wrong connection port is specified, mobile devices will not be able to connect to the Administration Server.
- In the Port to activate mobile clients field, specify the port to be used by mobile devices to connect to the Administration Server for activation of the Kaspersky Endpoint Security for Android app. Port 17100 is used by default.
- Click OK.
Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server
This topic describes how to configure a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server. The configuration proceeds in the following steps:
- Install Network Agent in the connection gateway role on a host
- Configure the connection gateway on Kaspersky Security Center Administration Server
This article contains an overview of the scenario. For detailed instructions, please refer to the Kaspersky Security Center documentation.
Requirements
For a connection gateway to work correctly with mobile devices, the following requirements must be met:
- Port 13292 must be open on the host with the connection gateway.
- Port 13000 must be open between the connection gateway and Kaspersky Security Center. It does not need to be open outside the DMZ.
- The host must have a static address accessible from the internet.
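As an added example (not part of the Kaspersky documentation), the following Python script checks a deployed gateway host against the port requirements above from a given network position. The vantage labels, the function names, and the choice to report an internet-reachable port 13000 as a warning are assumptions of this example; the port numbers are the defaults named on this page.

```python
"""Check a connection gateway host against the port requirements listed above."""
import socket
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Expectation:
    vantage: str        # where the probe runs from (labels assumed for this example)
    port: int
    must_be_open: bool
    reason: str


# Default ports from this page; adjust them if the deployment uses other values.
GATEWAY_POLICY = (
    Expectation("internet", 13292, True,
                "mobile devices reach the gateway on this port"),
    Expectation("internet", 13000, False,
                "does not need to be open outside the DMZ"),
    Expectation("admin_server", 13000, True,
                "must be open between the gateway and Kaspersky Security Center"),
)


def tcp_port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, or DNS failure
        return False


def audit_gateway(host, vantage, probe=tcp_port_open, policy=GATEWAY_POLICY):
    """Probe every port the policy lists for this vantage and grade the result.

    status is "ok" when reality matches the policy, "fail" when a required
    port is unreachable, and "warn" when a port is reachable although the
    requirements say it does not need to be.
    """
    findings = []
    for exp in policy:
        if exp.vantage != vantage:
            continue
        is_open = probe(host, exp.port)
        if is_open == exp.must_be_open:
            status = "ok"
        elif exp.must_be_open:
            status = "fail"
        else:
            status = "warn"
        findings.append({
            "port": exp.port,
            "open": is_open,
            "status": status,
            "reason": exp.reason,
        })
    return findings


def main(argv):
    vantages = sorted({e.vantage for e in GATEWAY_POLICY})
    if len(argv) != 3 or argv[2] not in vantages:
        print("usage: check_gateway.py <gateway-host> <%s>" % "|".join(vantages))
        return 2
    findings = audit_gateway(argv[1], argv[2])
    for f in findings:
        state = "open" if f["open"] else "closed"
        print("[%-4s] tcp/%d %s: %s" % (f["status"], f["port"], state, f["reason"]))
    return 1 if any(f["status"] == "fail" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once from a host outside the perimeter with the `internet` vantage and once from the Administration Server with `admin_server`. A successful TCP connect only shows that something accepts connections on the port, not that the gateway service itself is healthy.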
Install Network Agent in the connection gateway role on a host
First, you need to install Network Agent on the selected host device acting in the connection gateway role. You can download a full installation package of Kaspersky Security Center or use a local installation of Kaspersky Security Center.
By default, the installation file is located at: \\<server name>\KLSHARE\PkgInst\NetAgent_<version number>
To install Network Agent in the connection gateway role:
- Start the Network Agent Setup Wizard and follow its instructions leaving default values for all of the options until the Select Administration Server window opens.
- In the Select Administration Server window, configure the following settings:
- Enter the address of the device with Administration Server installed.
- In the Port, SSL port, and UDP port fields, leave the default values.
- Select the Use SSL to connect to Administration Server check box to establish a connection to the Administration Server through a secure port via SSL.
We recommend that you do not clear this check box so your connection remains secured.
- Select the Allow Network Agent to open UDP port check box to manage client devices and receive information about them.
- Click Next and proceed through the Wizard with default settings up to the Connection gateway window.
- In the Connection gateway window, select Use Network Agent as a connection gateway in DMZ.
This mode simultaneously activates the connection gateway role and tells Network Agent to wait for connections from Administration Server, rather than establish connections to Administration Server.
- Click Next and start the installation.
Network Agent is now installed and configured in the connection gateway role.
Configure the connection gateway on Kaspersky Security Center Administration Server
Once you have installed Network Agent in the connection gateway role, you need to connect it to Administration Server. Administration Server does not yet list the device with the connection gateway among the managed devices because the connection gateway has not tried to connect to Administration Server. Therefore, you need to add the connection gateway as a distribution point to ensure that Administration Server initiates a connection to the connection gateway.
To configure the connection gateway on Administration Server:
- Add the connection gateway as a distribution point in Kaspersky Security Center.
- In the console tree, select the Administration Server node.
- In the context menu of Administration Server, select Properties.
- In the Administration Server properties window, select the Distribution points section.
- Click the Add button.
The Add distribution point window opens.
- In the Add distribution point window, perform the following actions:
- Specify the IP address of the device with Network Agent installed in the Device to act as distribution point field. To do this, select Add connection gateway in DMZ by address in the drop-down list.
Enter the IP address of the connection gateway or enter the name if the connection gateway is accessible by name.
- In the Distribution point scope field, select the group to which the connection gateway will be distributed from the drop-down list, and then click OK.
- In the Distribution points section, click OK to save the changes you have made.
The connection gateway will be saved as a new entry named Temporary entry for connection gateway.
Administration Server almost immediately attempts to connect to the connection gateway at the address that you specified. If it succeeds, the entry name changes to the name of the connection gateway device. This process takes up to five minutes.
While the temporary entry for the connection gateway is being converted to a named entry, the connection gateway also appears in the Unassigned devices group.
- Create a new group under the Managed devices group. This new group will contain external managed devices.
- Move the connection gateway from the Unassigned devices group to the group that you have created for external devices.
- Configure properties of the connection gateway that you have deployed:
- In the Distribution points section of the Administration Server properties, select the connection gateway and click Properties.
- In the General section, under DNS domain names of the distribution point for access by mobile devices (included in the certificate), specify your connection gateway DNS name that will be used to connect to the mobile device.
- In the Connection Gateway section, select the following check boxes and leave the default port numbers:
- Open port for mobile devices (SSL authentication of the Administration Server only)
- Open port for mobile devices (two-way SSL authentication)
- Click OK to save the changes you have made.
The connection gateway is now configured. You can now add new mobile devices by specifying the connection gateway address. New devices will appear on Administration Server.
Displaying the Mobile Device Management folder in the Administration Console
By displaying the Mobile Device Management folder in the Administration Console, you can view the list of mobile devices managed by the Administration Server, configure the mobile device management settings, and install certificates on mobile devices of users.
To enable the display of the Mobile Device Management folder in the Administration Console:
- In the context menu of the Administration Server, select View → Configuring interface.
- In the window that opens, select the Display Mobile Device Management check box.
- Click OK.
The Mobile Device Management folder is displayed in the Administration Console tree after the Administration Console is restarted.
Creating an administration group
To perform centralized configuration of the Kaspersky Endpoint Security for Android app installed on the users' mobile devices, the group policies must be applied to the devices.
To apply the policy to a device group, you are advised to create a separate group for these devices in the Managed devices folder prior to installing mobile apps on user devices.
After creating an administration group, it is recommended to configure the option to automatically allocate devices on which you want to install the apps to this group. Then configure settings that are common to all devices using a group policy.
To create an administration group, follow the steps below:
- In the console tree, select the Managed devices folder.
- In the workspace of the Managed devices folder or subfolder, select the Devices tab.
- Click the New group button.
This opens the window in which you can create a new group.
- In the Group name window type the group name and click OK.
A new administration group folder with the specified name appears in the console tree. For more detailed information on use of administration groups, see Kaspersky Security Center Help.
Creating a rule for device automatic allocating to administration groups
You can centrally administer the settings of Kaspersky Endpoint Security for Android app installed on users' mobile devices only if the devices belong to a previously created administration group for which a group policy has been configured.
If the rule to automatically allocate mobile devices detected on the network to the administration group is not configured, during the first synchronization of the device with the Administration Server, the device is automatically sent to the Administration Console in the Additional → Network poll → Domains → KES10 folder. A group policy does not apply to this device.
To create a rule for automatically allocating mobile devices to an administration group, follow the steps below:
- In the console tree, select the Unassigned devices folder.
- From the context menu of the Unassigned devices folder, select Properties.
The Properties: Unassigned devices window appears.
- In the Move devices section, click Add to start the process of creating a rule for automatically allocating devices to an administration group.
The New rule window appears.
- Type the rule name.
- Specify the administration group to which mobile devices should be allocated after the Kaspersky Endpoint Security for Android mobile app has been installed on them. To do so, click Browse to the right of the Group to move devices to field and select the group in the window that appears.
- In the Rule application section, select Run once for each device.
- Select the Move only devices not added to administration groups check box to prevent allocating to the selected group the mobile devices that were allocated to other administration groups when applying the rule.
- Select the Enable rule check box, so that the rule can be applied to newly detected devices.
- Open the Apps section and do the following:
- Select the Operating system version check box.
- Select one or several types of operating systems of the devices to be allocated to the specified group: Android or iOS.
- Click OK.
The newly created rule is displayed in the list of device allocation rules in the Move devices section in the properties window of the Unassigned devices folder.
According to the rule, Kaspersky Security Center allocates all devices that meet the specified requirements from the Unassigned devices folder to the selected group. The mobile devices which were earlier allocated to the Unassigned devices folder can also be allocated to the required administration group of the Managed devices folder manually. For more detailed information on administration groups management and actions with undistributed devices, see Kaspersky Security Center Help.
Creating a mobile certificate
You have to create a mobile certificate in Administration Console for the purpose of identifying the user of a mobile device.
To create a mobile certificate:
- In the console tree, select the Mobile Device Management → Certificates folder.
- In the workspace of the Certificates folder, click the Add certificate button to start the Certificate Installation Wizard.
- In the Certificate type window of the Wizard, select the Mobile certificate option.
- In the User selection window of the Wizard, specify the users for whom you want to create a mobile certificate.
- In the Certificate source window of the Wizard, select the method by which the mobile certificate is created.
- To create a mobile certificate automatically using Administration Server tools, select Issue certificate through Administration Server tools.
- To assign a previously created certificate to a user, select the Specify certificate file option. Click the Specify button to open the Certificate window and specify the certificate file in it.
Clear the Publish certificate check box if you do not want to specify the type of mobile device and the method of notifying the user about certificate creation.
- In the Method of user notification window of the Wizard, configure the settings of mobile device user notification about certificate creation using a text message or via email.
- In the Generating the certificate window of the Wizard, click Done to finish the Certificate Installation Wizard.
As a result, the Certificate Installation Wizard creates a mobile certificate that the user can install on the mobile device. To get the certificate, start synchronization of the mobile device with the Administration Server. For more information about creating certificates and configuring rules for issuing them, refer to Kaspersky Security Center help.
Installing Kaspersky Endpoint Security for Android
This section describes the methods for deploying Kaspersky Endpoint Security for Android on a corporate network.
Permissions
For all features of apps, Kaspersky Endpoint Security for Android prompts the user for the required permissions. Kaspersky Endpoint Security for Android prompts for the mandatory permissions while completing the Setup Wizard, as well as after installation prior to using individual features of apps. It is impossible to install Kaspersky Endpoint Security for Android without providing the mandatory permissions.
On certain devices (for example, Huawei, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts in the device settings. If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted.
On devices running Android 11 or later, you must disable the Remove permissions if app isn't used system setting. Otherwise, after the app is not used for a few months, the system automatically resets the permissions that the user granted to the app.
Permissions requested by Kaspersky Endpoint Security for Android
| Permission | App function |
|---|---|
| Phone (for Android 5.0 – 9.X) | Connect to Kaspersky Security Center (device ID) |
| Storage (mandatory) | Anti-Virus |
| Access to manage all files (for Android 11 or later) | Anti-Virus |
| Nearby Bluetooth devices (for Android 12 or later) | Restrict use of Bluetooth |
| Notifications (for Android 13) | Notify the user about security issues and app events |
| Allow running in the background (for Android 12 or later) | Ensure continuous operation of the app. If permission is not granted, the app may be unloaded from memory and unable to restart. |
| Device administrator (mandatory) | Anti-Theft – lock the device (only for Android 5.0 – 6.X); Anti-Theft – take a mugshot with frontal camera; Anti-Theft – sound an alarm; Anti-Theft – full reset; Password protection; App removal protection; Install security certificate; App Control; Manage KNOX (only for Samsung devices); Configure Wi-Fi; Configure Exchange ActiveSync; Restrict use of the camera, Bluetooth, and Wi-Fi |
| Camera | Anti-Theft – take a mugshot with frontal camera. On devices running Android 11.0 or later, the user must grant the "While using the app" permission when prompted. |
| Location | Anti-Theft – locate device. On devices running Android 10.0 or later, the user must grant the "All the time" permission when prompted. |
| Accessibility | Anti-Theft – lock the device (only for Android 7.0 or later); Web Protection; App Control; App removal protection (only for Android 7.0 or later); Display of warnings of Kaspersky Endpoint Security for Android (only for Android 10.0 or later); Restrict use of the camera (only for Android 11 or later) |
| Display pop-up window (for some Xiaomi devices) | Web Protection |
| Display pop-up windows while running in the background (for some Xiaomi devices) | Web Protection |
Installation of Kaspersky Endpoint Security for Android using a Google Play link
Kaspersky Endpoint Security for Android is installed on the mobile devices of users whose user accounts have been added in Kaspersky Security Center. For more details about user accounts in Kaspersky Security Center, please refer to Kaspersky Security Center Help.
Kaspersky Security for Mobile lets you install the app through Kaspersky Security Center by using a Google Play link (recommended method).
The user will receive a link to Google Play. The app can be installed by following the standard installation procedure on the Android platform. Additional configuration of Kaspersky Endpoint Security for Android after installation is not required.
Some Huawei and Honor devices do not have Google services and therefore do not have access to apps in Google Play. If some users of Huawei and Honor devices cannot install the app from Google Play, they should be instructed to install the app from Huawei App Gallery.
The link contains the following data:
- Kaspersky Security Center synchronization settings.
- Mobile certificate.
- Indicator of acceptance of the Terms and Conditions of the End User License Agreement for Kaspersky Endpoint Security for Android and additional Statements. If the administrator accepts the terms of License Agreement and additional Statements in the Administration Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app.
To install Kaspersky Endpoint Security for Android through Kaspersky Security Center using a Google Play link:
- In the console tree, select the Mobile Device Management → Mobile devices folder.
- In the workspace of the Mobile devices folder, click the Add mobile device button.
This starts the New Mobile Device Connection Wizard. Follow the instructions of the Wizard.
- In the Operating system section, select Android.
- In the Device type section, select Personal device.
Kaspersky Security Center checks for administration plug-in updates. If Kaspersky Security Center detects updates, you can install the new version of the administration plug-in. When the administration plug-in is updated, you can accept the Terms and Conditions of the End User License Agreement (EULA) and additional Statements for Kaspersky Endpoint Security for Android. If the administrator accepts the License Agreement and additional Statements in Administration Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app. This feature is available in Kaspersky Security Center version 12.
- On the Kaspersky Endpoint Security for Android installation method page, select Link to an app version on Google Play.
- On the Select users page of the Wizard, select one or more users for installation of Kaspersky Endpoint Security for Android to their mobile devices.
If a user is not in the list, you can add a new user account without exiting the New Mobile Device Connection Wizard.
- On the Certificate source page of the Wizard, select the source of the certificate for protection of data transfer between Kaspersky Endpoint Security for Android and Kaspersky Security Center:
- Issue certificate through Administration Server tools. In this case, the certificate will be created automatically.
- Specify certificate file. In this case, your own certificate must be prepared ahead of time and then selected in the window of the Wizard. This option cannot be used if you want to install Kaspersky Endpoint Security for Android to several mobile devices. A separate certificate must be created for each user.
- On the User notification method page of the Wizard, select the channel used to forward the app installation link:
- To send the link by email, select Send link to Kaspersky Endpoint Security and configure the settings in the By email section. Make sure that the email address is specified in the settings of user accounts.
- To install Kaspersky Endpoint Security for Android using a QR code, select Show link to installation package and scan the QR code using the camera of the mobile device.
- If none of the listed methods are suitable for you, select Show link to installation package → Copy to copy the link for installing Kaspersky Endpoint Security for Android to the clipboard. Use any available method to deliver the app installation link. You can also use other methods of installation of Kaspersky Endpoint Security for Android.
- Click Finish to close the New Mobile Device Connection Wizard.
After installing Kaspersky Endpoint Security for Android on users' mobile devices, you will be able to configure the settings for devices and apps by using group policies. You will also be able to send commands to mobile devices for data protection in case devices are lost or stolen.
Installation of Kaspersky Endpoint Security for Android in device owner mode
Device owner mode is the device operation mode for company-owned Android devices. This mode lets you have full control over the entire device and configure a wide range of device functions. Device owner mode is supported on Android 7.0 or later.
Kaspersky Security Center lets you install the Kaspersky Endpoint Security for Android app in device owner mode by generating a QR code for app installation on the device.
Kaspersky Endpoint Security for Android is installed on the mobile devices of users whose user accounts have been added in Kaspersky Security Center. For more details about user accounts in Kaspersky Security Center, please refer to Kaspersky Security Center Help.
Ways to install the app
The Kaspersky Endpoint Security for Android app can be installed via a QR code that includes one of the following:
- Link to a general app version
Choose this method for mobile devices that can access the internet to download the APK installation file from the Kaspersky website. The app will then be updated using Google Play or Huawei AppGallery.
- Link to the installation package in Kaspersky Security Center
Choose this method for mobile devices with no access to the internet. The app's installation package will be downloaded from the Kaspersky Security Center server. The app will also be updated through Kaspersky Security Center using policy settings.
For this method, follow the steps below before generating a QR-code:
Generating QR code for app installation
To generate a QR code for app installation in device owner mode:
- In the console tree, select the Mobile Device Management → Mobile devices folder.
- In the workspace of the Mobile devices folder, click the Add mobile device button.
This starts the New Mobile Device Connection Wizard. Follow the instructions of the Wizard.
- In the Operating system section, select Android.
- In the Device type section, select Company-owned device (device owner mode).
- In the Additional section, select the required options:
- Select the Enable all system apps check box if you want system apps to be active on the device. If the check box is cleared, all system apps are disabled.
- Select the Allow use of mobile network to download Kaspersky Endpoint Security check box if you want to use mobile data for downloading the Kaspersky Endpoint Security for Android app. The option is supported on devices with Android 8 and later. If the check box is cleared, the app will be downloaded when the device is connected to Wi-Fi.
- Click Next.
Kaspersky Security Center checks for administration plug-in updates. If Kaspersky Security Center detects updates, you can install the new version of the administration plug-in. When the administration plug-in is updated, you can accept the Terms and Conditions of the End User License Agreement (EULA) and additional Statements for Kaspersky Endpoint Security for Android. If the administrator accepts the License Agreement and additional Statements in Administration Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app.
- On the Method to install Kaspersky Endpoint Security for Android in device owner mode page, select an installation method:
- Link to a general app version
- Link to the installation package in Kaspersky Security Center
If you choose this option, leave the Allow HTTP use for app download in device owner mode check box selected to ensure the app is downloaded. Otherwise, the app will be downloaded via HTTPS only if the Kaspersky Security Center Web Server certificate was issued by a trusted certificate authority.
For more details about these methods, see the Ways to install the app section above.
- On the Select users page of the Wizard, select one or more users for installation of Kaspersky Endpoint Security for Android to their mobile devices.
If a user is not in the list, you can add a new user account without exiting the New Mobile Device Connection Wizard.
- On the Certificate source page of the Wizard, select the source of the certificate for protection of data transfer between Kaspersky Endpoint Security for Android and Kaspersky Security Center:
- Issue certificate through Administration Server tools. In this case, the certificate will be created automatically.
- Specify certificate file. In this case, your own certificate must be prepared ahead of time and then selected in the window of the Wizard. This option cannot be used if you want to install Kaspersky Endpoint Security for Android to several mobile devices. A separate certificate must be created for each user.
- On the User notification method page, specify email addresses. Make sure that the email address is specified in the user account settings in Kaspersky Security Center.
- On the Result page, verify the information and save the QR code.
- Click Finish to close the New Mobile Device Connection Wizard.
Additional configuration on the Android device is required to install Kaspersky Endpoint Security for Android in device owner mode.
After installing Kaspersky Endpoint Security for Android on users' mobile devices, you will be able to configure the settings for devices and apps by using group policies. You will also be able to send commands to mobile devices for data protection in case devices are lost or stolen.
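The HTTPS condition in the installation-method step above (the download succeeds over HTTPS only if the Kaspersky Security Center Web Server certificate was issued by a trusted certificate authority) can be checked before deciding whether the Allow HTTP use for app download in device owner mode check box has to stay selected. The following Python script is an added example, not part of Kaspersky Security Center; the host, port and optional CA bundle are values you supply, and validation against the trust store of the machine running it (or the bundle you pass) is an assumption standing in for the trust store of the Android devices.

```python
"""Added example: check whether a web server that hosts the installation
package presents a certificate that chains to a trusted CA and matches the
host name. Host, port and CA bundle are operator-supplied placeholders."""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class TrustResult:
    trusted: bool
    reason: str          # "ok", "untrusted_certificate", "tls_error", "unreachable"
    detail: str = ""     # verifier or socket error text
    issuer: str = ""     # issuer name of the validated certificate
    not_after: str = ""  # expiry date of the validated certificate


def format_name(rdns) -> str:
    """Flatten the nested (key, value) tuples returned by getpeercert()."""
    return ", ".join(f"{key}={value}" for rdn in rdns for (key, value) in rdn)


def check_web_server(host: str, port: int, cafile: Optional[str] = None,
                     timeout: float = 5.0) -> TrustResult:
    """Attempt a fully verified TLS handshake with host:port.

    With cafile=None the system trust store is used. With a cafile, only the
    CAs in that bundle are trusted, which lets you model the device trust
    store (assumption: you export that bundle yourself).
    """
    ctx = ssl.create_default_context(cafile=cafile)  # chain + host name checks on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Self-signed, unknown issuer, expired, or host name mismatch.
        return TrustResult(False, "untrusted_certificate", exc.verify_message)
    except ssl.SSLError as exc:
        # The port answered, but not with a usable TLS handshake.
        return TrustResult(False, "tls_error", str(exc))
    except OSError as exc:
        # Refused, timed out, or name resolution failed.
        return TrustResult(False, "unreachable", str(exc))
    return TrustResult(True, "ok",
                       issuer=format_name(cert.get("issuer", ())),
                       not_after=cert.get("notAfter", ""))


def http_fallback_needed(result: TrustResult) -> bool:
    """True when an HTTPS-only download would fail certificate validation,
    i.e. the case in which the page says to leave HTTP download allowed."""
    return not result.trusted


if __name__ == "__main__":
    # Usage: python check_web_cert.py HOST HTTPS_PORT [CA_BUNDLE.pem]
    if len(sys.argv) < 3:
        sys.exit("usage: check_web_cert.py HOST HTTPS_PORT [CA_BUNDLE.pem]")
    bundle = sys.argv[3] if len(sys.argv) > 3 else None
    res = check_web_server(sys.argv[1], int(sys.argv[2]), bundle)
    print(res)
    if http_fallback_needed(res):
        print("HTTPS validation failed: an HTTPS-only download would not work.")
    else:
        print("Certificate validates: HTTPS-only download is an option.")
```

A result of `untrusted_certificate` is the case where replacing the Web Server certificate with one issued by a CA the devices trust removes the need for the HTTP fallback.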
Other methods of installation of Kaspersky Endpoint Security for Android
You can install Kaspersky Endpoint Security for Android using a link to your own web server or instruct the users to install the app manually.
Manual installation from Google Play or Huawei AppGallery
Users can manually install Kaspersky Endpoint Security for Android from Google Play or Huawei AppGallery. The app can be installed by following the standard installation procedure of the Android platform. Users use their own Google accounts to install the application.
For details on the procedure of installing Kaspersky Endpoint Security for Android from Google Play, see the Google technical support website.
For details on the procedure of installing Kaspersky Endpoint Security for Android from Huawei AppGallery, see the HUAWEI Support website.
Some Huawei and Honor devices do not have Google services and therefore have no access to apps in Google Play. If some users of Huawei and Honor devices cannot install the app from Google Play, they should be instructed to install the app from Huawei AppGallery.
After installing Kaspersky Endpoint Security for Android from Google Play or Huawei AppGallery, you must prepare the app for use. The process of preparing the app for use includes the following steps:
- The administrator sends the settings of mobile device synchronization with the Administration Server (server address and port number) using any available method (for example, by sending an email message).
- The user can configure the settings of mobile device synchronization with the Administration Server during operation of the Initial Configuration Wizard or in the Kaspersky Endpoint Security for Android settings.
- The administrator creates a mobile certificate for the mobile device user.
- The user receives an automatic notification with a prompt to install the mobile certificate. When installation is confirmed, the mobile certificate is installed on the mobile device.
Internet access should be enabled on the mobile device for synchronization with the Administration Server.
See the Kaspersky Security Center Help for details on how to configure the settings of mobile device synchronization with the Administration Server and receive a mobile certificate.
During the next synchronization of the mobile device with Administration Server, the user's mobile device on which Kaspersky Endpoint Security for Android is installed is moved to the Additional → Network poll → Domains folder in the administration group that was specified during installation of the application (the default group is KES10). You can move a mobile device to the administration group that you created in the Managed devices folder either manually or using automatic allocation rules.
This installation method is convenient if you want to install a specific version of Kaspersky Endpoint Security for Android.
To install Kaspersky Endpoint Security for Android using a link to your own web server:
- Create an installation package and configure its settings.
The installation package is a set of files created for remote installation of the Kaspersky app through Kaspersky Security Center.
- Create a standalone installation package.
A standalone installation package is the installation file of a mobile app that contains the settings of the app connection to the Administration Server and an indicator of acceptance of the Terms and Conditions of the End User License Agreement (EULA) for the Kaspersky Endpoint Security for Android. It is created on the basis of the Kaspersky Endpoint Security for Android installation package. The standalone installation package is a special case of an installation package.
The user will receive a link to the web server hosting the standalone installation package for Kaspersky Endpoint Security for Android. To install the app, the user must run the APK file. Additional configuration of Kaspersky Endpoint Security for Android after installation is not required.
To install Kaspersky Endpoint Security for Android using a link to your own web server, installation of apps from unknown sources must be allowed on the user's mobile device.
Creating and configuring an installation package
The Kaspersky Endpoint Security for Android installation package is the sc_package.exe self-extracting archive. The archive includes the files required for installing the mobile app on devices:
- adb.exe, AdbWinApi.dll, AdbWinUsbApi.dll – Set of files required for installing Kaspersky Endpoint Security for Android.
- installer.ini – Configuration file that contains the Administration Server connection settings.
- KES10_xx_xx_xxx.apk – Setup file for Kaspersky Endpoint Security for Android.
- kmlisten.exe – Utility for delivering the application installation package through a workstation.
- kmlisten.ini – Configuration file that contains the settings for the installation package delivery utility.
- kmlisten.kpd – Application description file.
To create the Kaspersky Endpoint Security for Android installation package:
- In the console tree, select the Additional → Remote installation → Installation packages folder.
- In the workspace of the Installation packages folder, click the Create installation package button.
The Installation Package Creation Wizard starts. Follow the instructions of the Wizard.
- In the Select installation package type window of the Wizard, click the Create installation package for Kaspersky application button.
- In the Defining installation package name window of the Wizard, enter the installation package name to be displayed in the workspace of the Installation packages folder.
- In the Select application installation package for installation window of the Wizard, select the sc_package.exe self-extracting archive included in the distribution kit.
If you have already unpacked the archive, choose the application description file, kmlisten.kpd. The application name and the version number appear in the entry field.
- In the Accept EULA window of the Wizard, read, understand, and accept the terms and conditions of the End User License Agreement.
You must accept the terms and conditions of the End User License Agreement to create the installation package. If you accept the terms of the License Agreement in the Administration Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app.
If you decide to stop the protection of the mobile devices, you can uninstall the Kaspersky Endpoint Security for Android app and revoke your End User License Agreement (EULA) for the app. To learn more about revoking the EULA, please refer to the Kaspersky Security Center help.
After the Wizard finishes, the created installation package appears in the Installation packages folder workspace. The installation packages are stored in the Packages folder, in the public shared folder on the Administration Server.
To configure the installation package settings:
- In the console tree, select the Additional → Remote installation → Installation packages folder.
- In the context menu of the Kaspersky Endpoint Security for Android installation package, select Properties.
- On the Settings tab, specify the Administration Server connection settings for mobile devices and the name of the administration group to which the mobile devices will be added automatically after the first synchronization with the Administration Server. Follow the steps below:
- In the Connection to the Administration Server section, in the Server address field, type the name of the Administration Server for mobile devices in the format that was used for installing Mobile devices support during the Administration Server deployment.
Depending on the Administration Server name format for the Mobile devices support component, specify the DNS name or the IP address of the Administration Server. In the SSL port number field, specify the number of the port open on the Administration Server for connecting mobile devices. Port 13292 is used by default.
- In the Allocation of computers to groups section, in the Group name field, type the name of the group to which mobile devices will be added after the first synchronization with the Administration Server (KES10 is used by default).
The specified group will be automatically created in the Additional → Network poll → Domains folder.
- In the Actions during installation section, select the Request email address check box if you want the app to ask users to provide their corporate email address when the app is started for the first time.
The user's email address is used to form the name of the mobile device when it is added to the administration group.
- To apply the specified settings, click Apply.
Creating a standalone installation package
To create a standalone installation package, follow the steps below:
- In the console tree, select the Additional → Remote installation → Installation packages folder.
- Choose the installation package of Kaspersky Endpoint Security for Android.
- In the context menu of the installation package, select Create a standalone installation package.
The wizard that creates the standalone installation package will be started. Follow the instructions of the Wizard.
- Configure ways in which the standalone installation package is distributed:
- To distribute the path to the created standalone installation package among users via email, in the Further actions section click the link Send the link to the standalone installation package by email.
The message editor window opens, and the text in the window contains the path to the shared folder with the standalone installation package.
- To post the link to the created standalone installation package on your corporate website, click the link Sample HTML code for posting link on website.
A tmp file containing HTML_RJL links opens.
- To publish the created standalone installation package on the Kaspersky Security Center Web Server and view the entire list of standalone packages for the selected installation package, in the Standalone installation package wizard completed successfully window select the Open the stand-alone packages list check box.
After the wizard closes, the window List of standalone packages for the installation package <Installation package name> opens.
The List of standalone packages for the installation package <Installation package name> window contains the following information:
- A list of standalone installation packages.
- The network path to the shared folder in the Path field.
- The address of the standalone package on the Kaspersky Security Center Web Server in the URL field.
When sending email notifications, you can specify either the address in the URL field or the path in the Path field as a resource from which users can download the setup file of the app. When sending text message notifications to users, you have to specify the download link appearing in the URL field.
You are advised to copy the address of the created standalone package to clipboard and then paste the link to the required installation package into the email or text message notification for users.
Configuring synchronization settings
To manage mobile devices and receive reports or statistics from mobile devices of users, you must configure the synchronization settings. Mobile device synchronization with Kaspersky Security Center may be performed in the following ways:
- By schedule. Synchronization by schedule is performed using the HTTP protocol. You can configure the synchronization schedule in the group policy settings. Modifications to group policy settings, commands and tasks will be performed when the device is synchronizing with Kaspersky Security Center according to the schedule, i.e. with a delay. By default, mobile devices are synchronized with the Kaspersky Security Center automatically every 6 hours.
On Android 12 or later, the app may perform this task later than specified if the device is in battery saver mode.
- Forced. Forced synchronization is performed using push notifications of the FCM service (Firebase Cloud Messaging). Forced synchronization is primarily intended for timely delivery of commands to a mobile device. If you want to use forced synchronization, make sure that the GSM settings are configured in Kaspersky Security Center. For more information, refer to Kaspersky Security Center help.
To configure the settings of mobile device synchronization with the Kaspersky Security Center:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
- In the policy Properties window, select the Synchronization section.
- Select the frequency of synchronization in the Synchronize drop-down list.
- To disable synchronization of a device with Kaspersky Security Center while roaming, select the Do not synchronize while roaming check box.
The device user can manually perform synchronization in the app settings (→ Settings → Synchronization → Synchronize).
- To hide synchronization settings (server address, port and administration group) from the user in the app settings, clear the Show synchronization settings on device check box. It is impossible to modify hidden settings.
- Click the Apply button to save the changes you have made.
Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. You can manually synchronize the mobile device by using a special command. To learn more about working with commands for mobile devices, please refer to the Kaspersky Security Center help.
Activating the Kaspersky Endpoint Security for Android app
In Kaspersky Security Center, the license can cover various groups of features. To ensure that the Kaspersky Endpoint Security for Android app is fully functional, the Kaspersky Security Center license purchased by the organization must provide for the Mobile Device Management functionality. The Mobile Device Management functionality is intended for connecting mobile devices to Kaspersky Security Center and managing them.
For detailed information about the licensing of Kaspersky Security Center and licensing options, please refer to Kaspersky Security Center Help.
Activating the Kaspersky Endpoint Security for Android app on a mobile device is done by providing valid license information to the app. License information is delivered to the mobile device, together with the policy, when the device is synchronized with Kaspersky Security Center.
If the activation of the Kaspersky Endpoint Security for Android app is not completed within 30 days from the time of installation on the mobile device, the app is automatically switched to the limited functionality mode. In this mode, most of the app components are not operational. When switched to the limited functionality mode, the app stops performing automatic synchronization with Kaspersky Security Center. Therefore, if the activation of the app has not been completed within 30 days after the installation, the user must synchronize the device with Kaspersky Security Center manually.
If Kaspersky Security Center is not deployed in your organization or is not accessible to mobile devices, users can activate the Kaspersky Endpoint Security for Android app on their devices manually.
To activate the Kaspersky Endpoint Security for Android app:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
- In the policy Properties window, select the Licensing section.
- In the Licensing section, open the Key drop-down list, and then select the required application activation key from the key storage of the Kaspersky Security Center Administration Server.
The details of the app for which the license has been purchased are displayed in the field below.
- Select the Activate with a key from Kaspersky Security Center storage check box.
If the app was activated without a key stored in the Kaspersky Security Center storage, Kaspersky Security for Mobile replaces this key with the activation key selected in the Key drop-down list.
- To activate the app on the user's mobile device, block changes to settings.
- Click the Apply button to save the changes you have made.
Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.
Installing an iOS MDM profile
This section describes the methods of deploying iOS MDM profiles on a corporate network.
Before deploying an iOS MDM profile, the administrator must do the following:
- Install an iOS MDM Server.
- Obtain an Apple Push Notification Service certificate (APNs certificate).
- Install an APNs certificate to the iOS MDM Server.
For more details on installing an iOS MDM Server and working with an APNs certificate, please refer to Kaspersky Security Center help.
For details on deploying an iOS MDM profile in Kaspersky Endpoint Security Cloud, please refer to Kaspersky Endpoint Security Cloud help.
About iOS device management modes
You can deploy an iOS device management system in several different ways. The management mode depends on the owner of the mobile device (personal or corporate) and corporate security requirements. You can choose the management mode that is most suitable for the company, and use several modes at the same time.
Unsupervised devices
Unsupervised iOS devices are employees' personal devices that are connected to Kaspersky Security Center. In this mode, the user is allowed to use a personal Apple ID, work with any apps, and store personal data on the device. You can use a Kaspersky Device Management for iOS group policy to configure access to corporate resources, security settings, and other settings. By default, all iOS devices are unsupervised.
Supervised devices
Supervised iOS devices are corporate devices that are connected to Kaspersky Security Center. Initial configuration of the mobile device is performed in Apple Configurator. Apple Configurator is an application designed to prepare and configure iOS devices. Apple Configurator is installed on a computer running OS X. For more details about working with Apple Configurator, please refer to the Apple Technical Support website. You can use a Kaspersky Device Management for iOS group policy for further configuration. On supervised devices, you can access an extended selection of settings. For example, you can configure Global HTTP Proxy and additional restrictions (for example, blocked use of iMessage and Game Center), and you can block user account modifications.
To work with supervised and unsupervised iOS devices, the iOS MDM Server must have an APNs certificate installed, and an iOS MDM profile must be installed on the mobile devices of users.
Installing via Kaspersky Security Center
The iOS MDM profile is installed to the mobile devices of users whose user accounts have been added in Kaspersky Security Center. For more details about user accounts in Kaspersky Security Center, please refer to Kaspersky Security Center help.
To install an iOS MDM profile:
- In the console tree, select the Mobile Device Management → Mobile devices folder.
- In the workspace of the Mobile devices folder, click the Add mobile device button.
This starts the New Mobile Device Connection Wizard. Follow the instructions of the Wizard.
- In the Operating system section, select iOS.
- In the iOS MDM device protection method window of the Wizard, select Use iOS MDM profile of iOS MDM Server and specify the iOS MDM profile from the list.
- In the Select users window of the Wizard, select one or several users for installation of the iOS MDM profile to their mobile devices.
If the user is not in the list, you can add a new user account without exiting the New Mobile Device Connection Wizard.
- In the Certificate source window of the Wizard, select the source of the certificate for protection of data transfer between the mobile device and Kaspersky Security Center:
- Issue certificate through Administration Server tools. In this case, the certificate will be created automatically.
- Specify certificate file. In this case, your own certificate must be prepared ahead of time and then selected in the window of the Wizard. This option cannot be used if you want to install the iOS MDM profile to several mobile devices. A separate certificate must be created for each user.
- In the User notification method window of the Wizard, select the channel used to forward the app installation link:
- To send the link by email, select Send link to iOS MDM profile and configure the settings in the By email section. Make sure that the email address is specified in the settings of user accounts.
- To install the iOS MDM profile using a QR code, select Show link to installation package and scan the QR code using the camera of the mobile device.
- If none of the listed methods are suitable for you, select Show link to installation package → Copy to copy the iOS MDM profile installation link to the clipboard. Use any available method to deliver the app installation link.
- Finish the New Mobile Device Connection Wizard.
After installing the iOS MDM profile to users' mobile devices, you will be able to configure the app settings by using group policies. You will also be able to send commands to mobile devices for data protection in case devices are lost or stolen.
On mobile devices running iOS 12.1 or later, you must manually confirm installation of an iOS MDM profile on the mobile device. You must also grant permission for remote management of the device.
Installing administration plug-ins
To manage mobile devices, the following administration plug-ins must be installed to the administrator's workstation:
- The Administration Plug-in of Kaspersky Endpoint Security for Android provides the interface for managing mobile devices and mobile apps installed on them through the Administration Console of Kaspersky Security Center.
- The Administration Plug-in of Kaspersky Device Management for iOS provides an interface for managing mobile devices connected by means of the iOS MDM protocol through the Administration Console of Kaspersky Security Center.
You can install administration plug-ins by using the following methods:
- Install an administration plug-in using Quick Start Wizard of Kaspersky Security Center.
The application automatically prompts you to run the Quick Start Wizard after Administration Server installation, at the first connection to it. You can also start the Quick Start Wizard manually at any time.
The Quick Start Wizard allows you to accept the Terms and Conditions of the End User License Agreement (EULA) for the Kaspersky Endpoint Security for Android app in Administration Console. If the administrator accepts the terms of the License Agreement in Administration Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app. For more details on the Quick Start Wizard for Kaspersky Security Center, please refer to Kaspersky Security Center Help.
- Install the administration plug-in using the list of available distribution packages in Administration Console of Kaspersky Security Center.
The list of available distribution packages is updated automatically after new versions of Kaspersky applications are released.
- Download the distribution package from an external source and install the administration plug-in using the EXE file.
For example, the distribution package of the administration plug-in can be downloaded on the Kaspersky website.
Installing administration plug-ins from the list in Administration Console
To install the administration plug-ins:
- In the console tree, select Advanced → Remote installation → Installation packages.
- In the workspace, select Additional actions → View current versions of Kaspersky applications.
This opens the list of up-to-date versions of Kaspersky applications.
- In the Mobile devices section, select the Kaspersky Endpoint Security for Android or Kaspersky Device Management for iOS plug-in.
- Click the Download distribution packages button.
The plug-in distribution package (EXE file) is downloaded to the computer.
- Run the EXE file and follow the instructions of the Installation Wizard.
Installing administration plug-ins from the distribution package
To install the Kaspersky Endpoint Security for Android Administration Plug-in, copy the plug-in installation file klcfinst.exe from the integrated solution distribution package and run it on the administrator's workstation.
The installation is performed by the Wizard, and you do not have to configure the settings.
To install the Kaspersky Device Management for iOS Administration Plug-in, copy the plug-in installation file klmdminst.exe from the integrated solution distribution package and run it on the administrator's workstation.
The installation is performed by the Wizard, and you do not have to configure the settings.
You can make sure that the administration plug-ins are installed by viewing the list of installed app administration plug-ins in the properties window of the Administration Server in the Advanced → Details of application management plug-ins installed section.
Updating a previous version of the application
The application upgrade must meet the following requirements:
- The version of the Kaspersky Endpoint Security Administration Plug-in and the version of the Kaspersky Endpoint Security for Android mobile app must match.
You can view the build numbers of the versions of the Administration Plug-in and mobile app in the Release Notes for Kaspersky Security for Mobile.
- Make sure that Kaspersky Security Center satisfies the software requirements of Kaspersky Security for Mobile.
- The administration plug-ins of Kaspersky Endpoint Security 10.0 Service Pack 2 (Build 10.6.0.1801) and Kaspersky Device Management for iOS 10.0 Service Pack 2 (Build 10.6.0.1767) and later versions can be automatically upgraded to the current version. Upgrades of earlier versions of administration plug-ins are not supported.
To upgrade administration plug-ins of earlier versions, you must remove the installed administration plug-ins and group policies that were created with them. Then install the new versions of the administration plug-ins. For details on removing administration plug-ins, please visit the Kaspersky Technical Support website.
- Use the same version of Kaspersky Endpoint Security for Android on all mobile devices of the organization.
The terms and conditions of technical support for Kaspersky Security for Mobile versions are available on the Kaspersky Technical Support website.
To view the version and build number of administration plug-ins:
- In the console tree in the context menu of the Administration Server, select Properties.
- In the Administration Server properties window, select Advanced → Details of application management plug-ins installed.
The workspace displays information about installed administration plug-ins in the format <Plug-in name> <Version> <Build>.
You can view the version and build number of the Kaspersky Endpoint Security for Android app by using the following methods:
- If Kaspersky Endpoint Security for Android was installed with a standalone installation package, you can view the version and build number of the app in the package properties.
- If Kaspersky Endpoint Security for Android was installed through Google Play, you can view the build number in the app settings (→ About the app).
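The upgrade requirements above can be checked before an upgrade with a short script. The following is an added example, not Kaspersky code: the keys android and ios, the device names and the sample build numbers are constructed, and it assumes that a higher build number means a more recent version.

```python
"""Upgrade pre-flight for the requirements listed above (added example)."""

# Oldest plug-in builds that this Help says can be upgraded automatically.
# The short keys "android" and "ios" are labels chosen for this example.
MIN_AUTO_UPGRADE_BUILD = {
    "android": "10.6.0.1801",  # Kaspersky Endpoint Security 10.0 Service Pack 2
    "ios": "10.6.0.1767",      # Kaspersky Device Management for iOS 10.0 Service Pack 2
}

# Constructed inventory, not real output from Kaspersky Security Center.
SAMPLE_DEVICES = {
    "phone-a": "10.8.3.100",
    "phone-b": "10.8.3.174",
    "tablet-c": "10.10.0.5",
}
SAMPLE_TARGET = "10.8.3.174"  # build of the package selected in the policy


def parse_build(build):
    """Turn '10.6.0.1801' into (10, 6, 0, 1801).

    Comparing the strings directly is wrong: '10.10.0.5' sorts before
    '10.6.0.1801' as text although it is the higher build.
    """
    parts = build.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"not a dotted build number: {build!r}")
    return tuple(int(part) for part in parts)


def plugin_upgrade_path(kind, installed_build):
    """Return 'automatic' or 'remove-first' for an installed plug-in build."""
    minimum = parse_build(MIN_AUTO_UPGRADE_BUILD[kind])
    if parse_build(installed_build) >= minimum:
        return "automatic"
    # Earlier plug-ins, and the group policies created with them, have to be
    # removed before the new plug-in version is installed.
    return "remove-first"


def fleet_is_uniform(device_builds):
    """True if every device runs the same build of the app."""
    return len({parse_build(b) for b in device_builds.values()}) <= 1


def fleet_findings(device_builds, target_build):
    """Compare each device's app build with the package chosen for upgrade.

    device_builds maps a device name to the build read from the package
    properties or from the app's About screen.
    """
    target = parse_build(target_build)
    findings = []
    for device, build in sorted(device_builds.items()):
        current = parse_build(build)
        if current > target:
            # The app can only be upgraded to a more recent version, so this
            # device cannot be brought to the target through the policy.
            findings.append((device, "newer-than-target"))
        elif current < target:
            findings.append((device, "needs-upgrade"))
    return findings


if __name__ == "__main__":
    for kind, build in (("android", "10.6.0.999"), ("ios", "10.6.0.1767")):
        print(kind, build, plugin_upgrade_path(kind, build))
    print("uniform fleet:", fleet_is_uniform(SAMPLE_DEVICES))
    for device, state in fleet_findings(SAMPLE_DEVICES, SAMPLE_TARGET):
        print(device, state)
```

A device reported as newer-than-target has to be handled with the procedure for installing an earlier version, not with the upgrade policy.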
Updates functionality (including providing anti-virus signature updates and codebase updates), as well as KSN functionality will not be available in the software in the U.S. territory from 12:00 AM Eastern Daylight Time (EDT) on September 10, 2024 in accordance with the restrictive measures.
Upgrading the previous version of Kaspersky Endpoint Security for Android
Kaspersky Endpoint Security for Android can be updated in the following ways:
- Using Google Play. The mobile device user downloads the new version of the app from Google Play and installs it on the device.
- Using Kaspersky Security Center. You can remotely update the version of the app on the device using the Kaspersky Security Center remote administration system.
You can select the app update method that is most suitable for your organization. You can use only one update method.
Updating the app from Google Play
The app can be updated from Google Play by following the standard update procedure of the Android platform. The following conditions must be met in order for the app to be updated:
- The device user must have a Google account.
- The device must be linked to your Google account.
- The device must be connected to the internet.
After downloading the app from Google Play, Kaspersky Endpoint Security for Android checks the Terms and Conditions of the End User License Agreement (EULA). If the terms of the EULA are updated, the app sends a request to Kaspersky Security Center. If the administrator accepts the EULA in Administration Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app. If the administrator uses an outdated version of the administration plug-in, Kaspersky Security Center prompts you to update the administration plug-in. When updating the administration plug-in, an administrator can accept the terms of the EULA for Kaspersky Endpoint Security for Android in Administration Console.
You can update the app through Google Play if Kaspersky Endpoint Security for Android was installed from Google Play. If the app was installed using another method, you cannot update the app through Google Play.
Updating the app through Kaspersky Security Center
Kaspersky Endpoint Security for Android can be upgraded using Kaspersky Security Center after application of a group policy. In the group policy settings, you can select the Kaspersky Endpoint Security for Android standalone installation package of the version that meets the corporate security requirements.
You can update through Kaspersky Security Center if Kaspersky Endpoint Security for Android was installed through Kaspersky Security Center. If the app was installed from Google Play, you cannot update the app through Kaspersky Security Center.
To upgrade Kaspersky Endpoint Security for Android using a standalone installation package, installation of apps from unknown sources must be allowed on the user's mobile device. For details about installing apps without Google Play, please refer to the Android Help Guide.
To update the version of the app:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
- In the policy Properties window, select the Additional section.
- In the Upgrading Kaspersky Endpoint Security for Android section, click the Select button.
This opens the Upgrading Kaspersky Endpoint Security for Android window.
- In the list of Kaspersky Endpoint Security standalone installation packages, select the package whose version meets the corporate security requirements.
You can upgrade Kaspersky Endpoint Security only to a more recent application version. Kaspersky Endpoint Security cannot be upgraded to an older application version.
- Click the Select button.
A description of the selected standalone installation package is displayed in the Upgrading Kaspersky Endpoint Security for Android section.
- Click the Apply button to save the changes you have made.
Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. The mobile device user is prompted to install the new version of the app. After the user gives consent, the new app version is installed on the mobile device.
Installing an earlier version of Kaspersky Endpoint Security for Android
If you want to prevent automatic update of the app and use a specific version of Kaspersky Endpoint Security for Android, disable automatic update of the app in Google Play settings. For more details, refer to the Google technical support website.
Automatic update of Kaspersky Endpoint Security for Android is available only if the app was installed from Google Play or through Kaspersky Security Center using the Google Play link. If the app was installed through Kaspersky Security Center using a link to your own web server (using the standalone installation package), automatic update is not available. In this case, you can use a group policy to manually update Kaspersky Endpoint Security for Android.
To install an earlier version of Kaspersky Endpoint Security for Android:
- Remove Kaspersky Endpoint Security for Android from users' mobile devices.
- Install Kaspersky Endpoint Security for Android through Kaspersky Security Center using a link to your own web server. To do so, you will need the installation package for the specific version. You can download the distribution package for earlier versions of Kaspersky Endpoint Security for Android on the Kaspersky Technical Support website.
For details on earlier versions of Kaspersky Endpoint Security for Android, please refer to the Help for the appropriate version of Kaspersky Security for Mobile.
Upgrading previous versions of administration plug-ins
You can upgrade administration plug-ins by using the following methods:
- Install the new version of the administration plug-in from the list of available distribution packages in Administration Console of Kaspersky Security Center.
The list of available distribution packages is updated automatically after new versions of Kaspersky applications are released.
- Download the distribution package from an external source and install the new version of the administration plug-in using the EXE file.
To upgrade Kaspersky Endpoint Security for Android and Kaspersky Device Management for iOS Administration Plug-ins, you need to download the latest version of the application from the web page of Kaspersky Security for Mobile and run the Setup Wizard for each of the two plug-ins. Previous versions of plug-ins are removed automatically during operation of the Installation Wizard.
Kaspersky experts recommend using the same version of the app and administration plug-ins. If a user upgrades the app from Google Play, Kaspersky Security Center shows a notification with a prompt to upgrade the administration plug-in.
When administration plug-ins are updated, the existing administration groups in the Managed devices folder and rules for the automatic allocation of devices from the Unassigned devices folder to these groups are saved. The existing group policies for mobile devices are also saved. New policy settings that implement the new functions of the Kaspersky Security for Mobile integrated solution will be added to the existing policies and will have the default values.
If new settings have been added or the default values have been changed in the new version of the administration plug-in, the changes will be applied only after a group policy is opened. Until the administrator opens a group policy, the settings of the previous version of the plug-in will be applied on mobile devices even if the plug-in version has been updated.
Upgrading from the list in Administration Console
To upgrade the administration plug-ins:
- In the console tree, select Advanced → Remote installation → Installation packages.
- In the workspace, select Additional actions → View current versions of Kaspersky applications.
This opens the list of up-to-date versions of Kaspersky applications.
- In the Mobile devices section, select the Kaspersky Endpoint Security for Android or Kaspersky Device Management for iOS plug-in.
- Click the Download distribution packages button.
The plug-in distribution package (EXE file) is downloaded to the computer. Run the EXE file. Follow the instructions of the Installation Wizard.
Upgrading from the distribution package
To upgrade the Kaspersky Endpoint Security for Android Administration Plug-in, copy the plug-in installation file klcfinst.exe from the integrated solution distribution package and run it on the administrator's workstation.
The installation is performed by the Wizard, and you do not need to configure the settings.
To upgrade the Kaspersky Device Management for iOS Administration Plug-in, copy the plug-in installation file klmdminst.exe from the integrated solution distribution package and run it on the administrator's workstation.
Plug-in installation is performed by the Wizard, and you do not need to configure the settings.
You can make sure that the administration plug-ins are upgraded by viewing the list of installed app administration plug-ins in the properties window of the Administration Server, in the Advanced → Details of application management plug-ins installed section.
Removal of Kaspersky Endpoint Security for Android
Kaspersky Endpoint Security for Android can be removed in the following ways:
- App removal by the user
The user removes Kaspersky Endpoint Security for Android manually using the app interface. In order for users to be able to remove the app, app removal should be allowed in the policy applied to the device.
- App removal by the administrator
The administrator removes the app remotely using the Administration Console of Kaspersky Security Center. The app can be removed from a separate device or from several devices at once.
To remove Kaspersky Endpoint Security for Android from a device operating in device owner mode:
- Send the Reset to factory settings command from Administration Console to the device. This command removes all device data and rolls back device settings to their factory values.
- Manually remove the device from the list of managed devices in Administration Console.
If the device is not removed from Administration Console, there can be problems with further installation of Kaspersky apps on this device.
Remote app removal
You can remove Kaspersky Endpoint Security for Android from users' mobile devices remotely in the following ways:
- Using a group policy. This method is convenient if you want to remove the app from several devices at once.
- By configuring local app settings. This method is convenient if you want to remove the app from a separate device.
For information about removing Kaspersky Endpoint Security for Android from devices operating in device owner mode, see the App removal in device owner mode section below.
To remove the app by applying a group policy:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
- In the policy Properties window, select the Additional section.
- In the Removal of Kaspersky Endpoint Security for Android section, select the Remove Kaspersky Endpoint Security for Android from device check box.
This setting doesn't apply to devices operating in device owner mode.
- Click the Apply button to save the changes you have made.
As a result, Kaspersky Endpoint Security for Android is removed from mobile devices after synchronization with the Administration Server. Users of mobile devices receive a notification that the app has been removed.
To remove the app by configuring local settings:
- In the console tree, select Mobile Device Management → Mobile devices.
- In the list of devices, select the device on which you want to remove the app.
- Open the device properties window by double-clicking.
- Select Apps → Kaspersky Endpoint Security for Android.
- Open the Kaspersky Endpoint Security properties window by double-clicking.
- Select the Additional section.
- In the Removal of Kaspersky Endpoint Security for Android section, select the Remove Kaspersky Endpoint Security for Android from device check box.
This setting doesn't apply to devices operating in device owner mode.
- Click the Apply button to save the changes you have made.
As a result, Kaspersky Endpoint Security for Android is removed from the mobile device after synchronization with the Administration Server. The mobile device user receives a notification that the app has been removed.
App removal in device owner mode
To remove Kaspersky Endpoint Security for Android from a device operating in device owner mode:
- In the console tree, select Mobile Device Management → Mobile devices.
- In the list of devices, select the device on which you want to remove the app.
- Right-click the device.
- In the context menu, select Mobile Device Management → Reset to factory settings.
The Reset to factory settings command is sent to the device. This command removes all device data and rolls back device settings to their factory values.
- In the list of devices, right-click the device and select Delete.
The device is removed from the list of managed devices in Administration Console.
If the device is not removed from Administration Console, there can be problems with further installation of Kaspersky apps on this device.
Permitting users to remove the app
To protect the app from removal on devices running Android 7.0 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, the app is not protected from removal.
You can allow users to remove Kaspersky Endpoint Security for Android from their mobile devices in the following ways:
- Using a group policy. This method is convenient if you want to allow users to remove the app from several devices at once.
- Using local app settings. This method is convenient if you want to allow the user of a separate device to remove the app.
On devices operating in device owner mode, Kaspersky Endpoint Security for Android can be removed only by the administrator. For instructions, please refer to Remote app removal.
To allow removal of the app in a group policy:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
- In the policy Properties window, select the Additional section.
- In the Removal of Kaspersky Endpoint Security for Android section, set the Allow removal of Kaspersky Endpoint Security for Android check box.
This setting doesn't apply to devices operating in device owner mode.
- Click the Apply button to save the changes you have made.
As a result, removal of the app by users is allowed on mobile devices after synchronization with the Administration Server. The app removal button becomes available in the Kaspersky Endpoint Security for Android settings.
To allow removal of the app in the local app settings:
- In the console tree, select Additional → Mobile Device Management → Mobile devices.
- In the list of devices, select the device from which you want to allow app removal by the user.
- Open the device properties window by double-clicking.
- Select Applications → Kaspersky Endpoint Security for Mobile.
- Open the Kaspersky Endpoint Security properties window by double-clicking.
- Select the Additional section.
- In the Removal of Kaspersky Endpoint Security for Android section, set the Allow removal of Kaspersky Endpoint Security for Android check box.
This setting doesn't apply to devices operating in device owner mode.
- Click the Apply button to save the changes you have made.
As a result, removal of the app by the user is allowed on the mobile device after synchronization with the Administration Server. The app removal button becomes available in the Kaspersky Endpoint Security for Android settings.
App removal by the user
To independently remove Kaspersky Endpoint Security for Android from a mobile device, the user must do the following:
- In the main window of Kaspersky Endpoint Security for Android, tap → Uninstall the app.
A confirmation prompt appears on the screen.
If the Uninstall the app button is missing, this means that the administrator enabled protection against removal of Kaspersky Endpoint Security for Android or the device operates in device owner mode.
On devices operating in device owner mode, Kaspersky Endpoint Security for Android can be removed only by the administrator. For instructions, please refer to Remote app removal.
- Confirm removal of Kaspersky Endpoint Security for Android.
The Kaspersky Endpoint Security for Android app will be removed from the user's mobile device.