The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuration and Management

This Help section is intended for specialists who administer Kaspersky Security for Mobile, as well as for specialists who provide technical support to organizations that use Kaspersky Security for Mobile.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Getting Started

This section describes the actions that you are recommended to perform when getting started with Kaspersky Security for Mobile.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Starting and stopping the application

Kaspersky Security Center automatically starts and stops administration plug-ins of Kaspersky Endpoint Security and Kaspersky Device Management for iOS.

Kaspersky Endpoint Security for Android launches when the operating system starts up and protects the mobile device during the entire session. The user can stop the app by disabling all Kaspersky Endpoint Security for Android components. You can use group policies to configure user permissions to manage app components.

On certain devices (for example, Huawei, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts (Security → Permissions → Autorun). If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted.

You must also disable Battery Saver mode for Kaspersky Endpoint Security for Android. This is necessary for the app to run in the background, such as running a scheduled virus scan or synchronizing the device with Kaspersky Security Center. This issue is attributable to the specific features of the embedded software of these devices.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Creating an administration group

To perform centralized configuration of the Kaspersky Endpoint Security for Android app installed on the users' mobile devices, the group policies must be applied to the devices.

To apply the policy to a device group, you are advised to create a separate group for these devices in the Managed devices prior to installing mobile apps on user devices.

After creating an administration group, it is recommended to configure the option to automatically allocate devices on which you want to install the apps to this group. Then configure settings that are common to all devices using a group policy.

To create administration group, follow the steps below:

1. In the console tree, select the Managed devices folder.
2. In the workspace of the Managed devices folder or subfolder, select the Devices tab.
3. Click the New group  button.

   This opens the window in which you can create a new group.

4. In the Group name window type the group name and click OK.

A new administration group folder with the specified name appears in the console tree. For more detailed information on use of administration groups, see Kaspersky Security Center Help.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Group policies for managing mobile devices

A group policy is a package of settings for managing mobile devices that belong to an administration group and for managing mobile apps installed on the devices. You can create a group policy using the Policy Wizard.

You can use a policy to configure settings of both individual devices and a group of devices. For a group of devices, administration settings can be configured in the window of group policy properties. For an individual device, they can be configured in the window of local application settings. Individual management settings specified for one device may differ from the values of settings configured in the policy for a group to which this device belongs.

Each parameter represented in a policy has a "lock" attribute, which shows whether the setting is allowed for modification in the policies of nested hierarchy levels (for nested groups and secondary Administration Servers), in local application settings.

The values of settings configured in the policy and in local application settings are saved on the Administration Server, distributed to mobile devices during synchronization, and saved to devices as current settings. If the user has specified other values of settings that have not been "locked", during the next synchronization of the device with the Administration Server the new values of settings are relayed to the Administration Server and saved in the local settings of the application instead of the values that had been previously specified by the administrator.

To keep corporate security of mobile devices up to date, you can monitor users' devices for compliance with the group management policy.

The security level indicator is displayed in the upper part of the group policy window. The security level indicator will help you configure the policy so as to ensure a high level of device protection. The protection level indicator status changes depending on the policy settings:

• High protection level – an appropriate level of device protection is provided. All protection components function according to the settings recommended by Kaspersky.
• Medium protection level – the protection level is lower than recommended. Some critical protection components are disabled (for example, Web Protection). Important issues are marked with the icon.
• Low protection level – there are problems that may lead to infection of the device and loss of data. Some critical protection components are disabled (for example, real-time protection of devices is disabled). Critical issues are marked with the icon.

For more details on managing policies and administration groups in the Administration Console of Kaspersky Security Center, see Kaspersky Security Center help.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Creating a group policy

This section describes the process of creating group policies for devices on which Kaspersky Endpoint Security for Android mobile app are installed and policies for iOS MDM devices.

Policies created for an administration group are shown in the group workspace in the Administration Console of Kaspersky Security Center on the Policies tab. The icon indicating the policy status (active / inactive) appears before the policy name. Several policies for different apps can be created in one group. Only one policy for each app can be active. When a new active policy is created, the previous active policy becomes inactive.

You can modify a policy after it is created.

To a policy for managing mobile devices:

1. From the console tree, select an administration group for which you want to create a policy.
2. In the workspace of the group, select the Policies tab.
3. Click the Create policy link to start the Policy Wizard.

This starts the Policy Wizard.

Step 1. Choose an application for creating a group policy

At this step, select the application for which you want to create a group policy in the list of applications:

• Kaspersky Endpoint Security for Android – for devices using the Kaspersky Endpoint Security for Android mobile app.

It is recommended to create a separate policy for Huawei and Honor devices that do not have Google play services. This way you can send links to Huawei AppGallery to the users of all such devices.

• Kaspersky Device Management for iOS – for iOS MDM devices.

A policy for mobile devices can be created if the Kaspersky Endpoint Security for Android Administration Plug-in and the Kaspersky Device Management for iOS Administration Plug-in are installed on the administrator's desktop. If the plug-ins are not installed, the name of the relevant application does not appear in the list of applications.

Proceed to the next step of the Policy Wizard.

Step 2. Enter a group policy name

At this step, type the name for the new policy in the Name field. If you specify the name of an existing policy, it will have (1) added at the end automatically.

Proceed to the next step of the Policy Wizard.

Step 3. Create a group policy for the application

At this step, the Wizard prompts you to select the status of the policy:

• Active policy. The Wizard saves the created policy on the Administration Server. At the next synchronization of the mobile device with the Administration Server, the policy will be used on the device as the active policy.
• Inactive policy. The Wizard saves the created policy on the Administration Server as a backup policy. This policy can be activated in the future after a specific event. If necessary, an inactive policy can be switched to active state.

  Several policies can be created for one application in the group, but only one of them can be active. When a new active policy is created, the previous active policy automatically becomes inactive.

Exit the Wizard.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring synchronization settings

To manage mobile devices and receive reports or statistics from mobile devices of users, you must configure the synchronization settings. Mobile device synchronization with Kaspersky Security Center may be performed in the following ways:

• By schedule. Synchronization by schedule is performed using the HTTP protocol. You can configure the synchronization schedule in the group policy settings. Modifications to group policy settings, commands and tasks will be performed when the device is synchronizing with Kaspersky Security Center according to the schedule, i.e. with a delay. By default, mobile devices are synchronized with the Kaspersky Security Center automatically every 6 hours.

  On Android 12 or later, the app may perform this task later than specified if the device is in battery saver mode.

• Forced. Forced synchronization is performed using push notifications of the FCM service (Firebase Cloud Messaging). Forced synchronization is primarily intended for timely delivery of commands to a mobile device. If you want to use forced synchronization, make sure that the GSM settings are configured in Kaspersky Security Center. For more information, refer to Kaspersky Security Center help.

To configure the settings of mobile device synchronization with the Kaspersky Security Center:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Synchronization section.
5. Select the frequency of synchronization in the Synchronize drop-down list.
6. To disable synchronization of a device with Kaspersky Security Center while roaming, select the Do not synchronize while roaming check box.

   The device user can manually perform synchronization in the app settings ( → Settings → Synchronization → Synchronize).

7. To hide synchronization settings (server address, port and administration group) from the user in the app settings, clear the Show synchronization settings on device check box. It is impossible to modify hidden settings.
8. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. You can manually synchronize the mobile device by using a special command. To learn more about working with commands for mobile devices, please refer to the Kaspersky Security Center help.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Managing revisions to group policies

Kaspersky Security Center lets you track group policy modifications. Every time you save changes made to a group policy, a revision is created. Each revision has a number.

You can manage revisions only for Kaspersky Endpoint Security for Android policies. You cannot manage revisions for a Kaspersky Device Management for iOS policy.

You can perform the following actions on group policy revisions:

• Compare a selected revision to the current one.
• Compare selected revisions.
• Compare a policy with a selected revision of another policy.
• View a selected revision.
• Roll back policy changes to a selected revision.
• Save revisions as a .txt file.

For more details about managing revisions of group policies and other objects (for example, user accounts), please refer to Kaspersky Security Center help.

To view the history of group policy revisions:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Revision history section.

   A list of policy revisions is displayed. It contains the following information:

   • Policy revision number.
   • Date and time the policy was modified.
   • Name of the user who modified the policy.
   • Action performed on the policy.
   • Description of the revision made to policy settings.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Removing a group policy

To remove a group policy:

1. In the console tree, select an administration group for which you want to remove a policy.
2. In the workspace of the administration group on the Policies tab select the policy you want to remove.
3. In the context menu of the policy, select Delete.

As a result, the group policy is deleted. Before the new group policy is applied, mobile devices belonging to the administration group continue to work with the settings specified in the policy that has been deleted.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Restricting permissions to configure group policies

Kaspersky Security Center administrators can configure the access permissions of Administration Console users for different functions of the Kaspersky Security for Mobile integrated solution depending on the job duties of users.

In the Administration Console interface, you can configure access rights in the Administration Server properties window on the Security and User roles tabs. The User roles tab lets you add standard user roles with a predefined set of rights. The Security section lets you configure rights for one user or a group of users or assign roles to one user or a group of users. User rights for each application are configured according to functional scopes.

You can also configure user permissions specific to functional areas. Information about the correspondence between functional areas and policy tabs is given in Annex.

For each functional area, the administrator can assign the following permissions:

• Allow editing. The Administration Console user is allowed to change the policy settings in the properties window.
• Block editing. The Administration Console user is prohibited from changing the policy settings in the properties window. Policy tabs belonging to the functional scope for which this right has been assigned are not displayed in the interface.

For more details on managing user rights and roles in the Administration Console of Kaspersky Security Center, see the Kaspersky Security Center help.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Protection

This section contains information about how to remotely manage protection of mobile devices in the Administration Console of Kaspersky Security Center.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring anti-virus protection on Android devices

For the timely detection of threats, viruses, and other malicious applications, you should configure the settings for real-time protection and autorun of virus scans.

Kaspersky Endpoint Security for Android detects the following types of objects:

• Viruses, worms, Trojans, and malicious tools
• Adware
• Apps that can be exploited by criminals to harm your device or personal data

Anti-Virus has a number of limitations:

• When Anti-Virus is running, a threat detected in the external memory of the device (such as an SD card) cannot be neutralized automatically in the Work profile (Applications with a briefcase icon, Configuring the Android work profile). Kaspersky Endpoint Security for Android does not have access to external memory in the Work profile. Information about detected objects is displayed in app notifications. To neutralize objects detected in the external memory, the object files have to be deleted manually and the device scan restarted.
• Due to technical limitations, Kaspersky Endpoint Security for Android cannot scan files with a size of 2 GB or more. During a scan, the app skips such files without notifying you that such files were skipped.

To configure the mobile device real-time protection settings:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Protection section.
5. In the Protection section, configure the settings of mobile device file system protection:
   • To enable real-time protection of the mobile device against threats, select the Enable Protection check box.

     Kaspersky Endpoint Security for Android scans only new apps and files from the Downloads folder.

   • To enable extended protection of the mobile device against threats, select the Extended protection mode check box.

     Kaspersky Endpoint Security for Android will scan all files that the user opens, modifies, moves, copies, installs or saves on the device, as well as newly installed mobile apps.

     On devices running Android 8.0 or later, Kaspersky Endpoint Security for Android scans files that the user modifies, moves, installs and saves, as well as copies of files. Kaspersky Endpoint Security for Android does not scan files when they are opened, or source files when they are copied.

   • To enable additional scanning of new apps before they are started for the first time on the user's device with the help of the Kaspersky Security Network cloud service, select the Cloud protection (KSN) check box.
   • To block adware and apps that can be exploited by criminals to harm the device or user data, select the Detect adware, autodialers, and apps that can be used by criminals to cause harm to the user's device and data check box.
6. In the Action on threat detection list, select one of the following options:
   • Delete

     Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will display a temporary notification about the detection of the object.

   • Skip

     If the detected objects have been skipped, Kaspersky Endpoint Security for Android warns the user about problems in device protection. For each skipped threat, the app provides actions that the user can perform to eliminate the threat. The list of skipped objects may change, for example, if a malicious file was deleted or moved. To receive an up-to-date list of threats, run a full device scan. To ensure reliable protection of your data, eliminate all detected objects.

   • Quarantine
7. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

To configure autorun of virus scans on the mobile device:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Scan section.
5. To block adware and apps that can be exploited by criminals to harm the device or user data, select the Detect adware, autodialers, and apps that can be used by criminals to cause harm to the user's device and data check box.
6. In the Action on threat detection list, select one of the following options:
   • Delete

     Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will display a temporary notification about the detection of the object.

   • Skip

     If the detected objects have been skipped, Kaspersky Endpoint Security for Android warns the user about problems in device protection. For each skipped threat, the app provides actions that the user can perform to eliminate the threat. The list of skipped objects may change, for example, if a malicious file was deleted or moved. To receive an up-to-date list of threats, run a full device scan. To ensure reliable protection of your data, eliminate all detected objects.

   • Quarantine
   • Ask user

     The Kaspersky Endpoint Security for Android app displays a notification prompting the user to choose the action to take on the detected object: Skip or Delete.

     When the app detects several objects, the Ask user option allows the device user to apply a selected action to each file by using the Apply to all threats check box.

     Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure the display of notifications on mobile devices running Android 10.0 or later. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. In this case, Kaspersky Endpoint Security for Android displays an Android system window prompting the user to choose the action to take on the detected object: Skip or Delete. To apply an action to multiple objects, you need to open Kaspersky Endpoint Security.

7. The Scheduled scan section lets you configure the settings of the automatic launch of the full scan of the device file system. To do so, click the Schedule button and specify the frequency and start time of the full scan in the Schedule window.

   On Android 12 or later, the app may perform this task later than specified if the device is in battery saver mode.

8. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. Kaspersky Endpoint Security for Android scans all files, including the contents of archives.

To keep mobile device protection up to date, configure the anti-virus database update settings.

By default, anti-virus database updates are disabled for when the device is roaming. Scheduled updates of anti-virus databases are not performed.

To configure the settings of anti-virus database updates:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Database update section.
5. If you want Kaspersky Endpoint Security for Android to download database updates according to the update schedule when the device is in the roaming zone, select the Allow database update while roaming check box in the Database update while roaming section.

   Even if the check box is cleared, the user can manually start an anti-virus database update when the device is roaming.

6. In the Database update source section, specify the update source from which Kaspersky Endpoint Security for Android receives and installs anti-virus database updates:
   • Kaspersky servers

     Using a Kaspersky update server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices. To update databases from Kaspersky servers, Kaspersky Endpoint Security for Android transmits data to Kaspersky (for example, the update task run ID). The list of data that is transmitted during database updates is provided in the End User License Agreement.

   • Administration Server

     Using the repository of Kaspersky Security Center Administration Server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices.

   • Other source

     Using a third-party server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices. To start an update, you should enter the address of an HTTP server in the field below (e.g., http://domain.com/).

7. In the Scheduled database update section, configure the settings for automatic anti-virus database updates on the user's device. To do so, click the Schedule button and specify the frequency and start time of updates in the Schedule window.

   On Android 12 or later, the app may perform this task later than specified if the device is in battery saver mode.

8. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Protecting Android devices on the internet

To protect the personal data of a mobile device user on the internet, enable Web Protection. Web Protection blocks malicious websites that distribute malicious code, and phishing websites designed to steal your confidential data and gain access to your financial accounts. Web Protection scans websites before you open them using the Kaspersky Security Network cloud service. Web Protection also lets you configure a user's access to websites based on predefined lists of allowed and blocked websites.

Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time.

Web Protection on Android devices works only in the Google Chrome browser (including the Custom Tabs feature), Huawei Browser, and Samsung Internet Browser. Web Protection for Samsung Internet Browser does not block sites on a mobile device if a work profile is used and Web Protection is enabled only for the work profile.

To enable Web Protection in Google Chrome, Huawei browser, or Samsung Internet Browser:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Web Protection.
5. To use the Web Protection, you or device user must read and accept the Statement regarding data processing for the purpose of using Web Protection (Web Protection Statement):
   1. Click the link Web Protection Statement.

      This opens Statement regarding data processing for purpose of using Web Protection window. To accept the Web Protection Statement, you must read and accept Privacy Policy.

   2. Click the Privacy Policy link. Read and accept the Privacy Policy.

      If you do not accept Privacy Policy, mobile device user can accept Privacy Policy in the Initial Configuration Wizard or in the app ( → About → Terms and conditions → Privacy Policy).

   3. Select the Web Protection Statement acceptance mode:
      • I have read and accept the Web Protection Statement
      • Request acceptance of the Web Protection Statement from the device user
      • I do not accept the Web Protection Statement
6. If you select I do not accept the Web Protection Statement, the Web Protection does not block sites on a mobile device. Mobile device user cannot enable Web Protection in the Kaspersky Endpoint Security.
7. Select the Enable Web Protection check box.
8. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Protection of stolen or lost device data

This section describes how you can configure the unauthorized access protection settings on the device in case it gets lost or stolen.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Sending commands to a mobile device

To protect data on a mobile device that is lost or stolen, you can send special commands (see the table below).

Commands for protecting data on a lost or stolen device

Special rights and permissions are required for the execution of commands of Kaspersky Endpoint Security for Android. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required rights and permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, it will be impossible to execute commands.

On devices running Android 10.0 or later, the user must grant the "All the time" permission to access the location. On devices running Android 11.0 or later, the user must also grant the "While using the app" permission to access camera. Otherwise, Anti-Theft commands will not function. The user will be notified of this limitation and will again be prompted to grant the permissions of required level. If the user selects the "Only this time" option for the camera permission, access is considered granted by the app. It is recommended to contact the user directly if the Camera permission is requested again.

For the complete list of available commands, please refer to Commands for mobile devices. To learn more about sending commands from Administration Console, please refer to Kaspersky Security Center help.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Unlocking a mobile device

You can unlock a mobile device by using the following methods:

• Send the mobile device unlock command.
• Enter the one-time unlock code on the mobile device (only for Android devices).

On certain devices (for example, Huawei, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts. If the app is not added to the list, you can unlock the device only by using a one-time unlock code. You cannot use commands to unlock the device.

To learn more about sending commands from the list of mobile devices in Administration Console, please refer to Kaspersky Security Center help.

A one-time unlock code is a secret application code for unlocking the mobile device. The one-time code is generated by the application and is unique to each mobile device. You can change the length of the one-time code (4, 8 or 16 digits) in group policy settings in the Anti-Theft section.

To unlock the mobile device using a one-time code:

1. In the console tree, select Mobile Device Management → Mobile devices.
2. Select a mobile device for which you want to get a one-time unlock code.
3. Open the mobile device properties window by double-clicking.
4. Select Apps → Kaspersky Endpoint Security for Android.
5. Open the Kaspersky Endpoint Security properties window by double-clicking.
6. Select the Anti-Theft section.
7. A unique code for the selected device is shown in the One-time code field of the One-time device unlock code section.
8. Use any available method (such as email) to communicate the one-time code to the user of the locked device.
9. The user enters the one-time code on the screen of the device that is locked by Kaspersky Endpoint Security for Android.

The mobile device will be unlocked. After unlocking the mobile device running Android 5.0 – 6.Х, the screen unlock password is reset to "1234". After unlocking a device running Android 7.0 or later, the screen unlock password is not changed.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Data encryption

To protect data against unauthorized access, you must enable encryption of all data on the device (for example, account credentials, external devices and apps, as well as email messages, SMS messages, contacts, photos, and other files). For access to encrypted data, you must specify a special key – device unlock password. If data is encrypted, access to it can be obtained only when the device is unlocked.

Data encryption is enabled by default on password-locked iOS devices (Settings → Touch ID / Face ID and Password → Enable Password).

To encrypt all data on an Android device:

1. Enable screen lock on the Android device (Settings → Security → Screen lock).
2. Set a device unlock password that is compliant with corporate security requirements.

   It is not recommended to use a pattern lock for unlocking the device. On certain Android devices running Android 6.0 or later, after encrypting data and restarting the Android device, you must enter a numeric password to unlock the device instead of a pattern lock. This issue is related to the operation of the Accessibility Features service. To unlock the device screen in this case, convert the pattern lock into a numeric password. For more details about converting a pattern lock into a numeric password, please refer to the Technical Support website of the mobile device manufacturer.

3. Enable encryption of all data on the device (Settings → Security → Encrypt data).

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deleting data on Android devices after failed password entry attempts

You can configure deleting all data on an Android device (that is, resetting the device to factory settings) after the user makes too many failed attempts to enter the screen unlock password.

These settings apply to devices operating in device owner mode and to personal devices on which the Kaspersky Endpoint Security for Android app is enabled as a device administrator.

To configure wiping all data:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Anti-Theft section.
5. In the Data wipe on device section, select the Wipe all data after failed attempts to enter unlock password check box.
6. In the Maximum number of attempts to enter unlock password field, specify the number of attempts that the user can make to unlock the device. The default value is 8. The maximum available value is 20.
7. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center. If the user exceeds the specified number of attempts to enter the correct screen unlock password, the Kaspersky Endpoint Security for Android app wipes all device data.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring device unlock password strength

To protect access to a user's mobile device, you should set a device unlock password.

This section contains information about how to configure password protection on Android and iOS devices.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring a strong unlock password for an Android device

To keep an Android device secure, you need to configure the use of a password for which the user is prompted when the device comes out of sleep mode.

You can impose restrictions on the user's activity on the device if the unlock password is weak (for example, lock the device). You can impose restrictions using the Compliance Control component. To do this, in the scan rule settings, you must select the Unlock password is not compliant with security requirements criterion.

On certain Samsung devices running Android 7.0 or later, when the user attempts to configure unsupported methods for unlocking the device (for example, a graphical password), the device may be locked if the following conditions are met: Kaspersky Endpoint Security for Android removal protection is enabled and screen unlock password strength requirements are set. To unlock the device, you must send a special command to the device.

To configure the use of an unlock password:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Device Management section.
5. If you want the app to check whether an unlock password has been set, select the Require to set screen unlock password check box in the Screen lock section.

   If the application detects that no system password has been set on the device, it prompts the user to set it. The password is set according to the parameters defined by the administrator.

6. Specify the following options, if required:
   • Minimum number of characters

     The minimum number of characters in the user password. Possible values: 4 to 16 characters.

     The user's password is 4 characters long by default.

     On devices running Android 10.0 or later, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high.

     The values for devices running Android 10.0 or later are determined by the following rules:

     • If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN) with no repeating or ordered (e.g. 1234) sequences, or alphabetic/ alphanumeric. The PIN or password must be at least 4 characters long.
     • If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN) with no repeating or ordered sequences, or alphabetic/ alphanumeric (password). The PIN must be at least 8 digits long; the password must be at least 6 characters long.
   • Minimum unlock password requirements (for device owner mode, Android 12 or earlier)

     Specifies minimum unlock password requirements. These requirements apply only to new user passwords. The following values are available:

     • Numeric

       The user can set a password that includes numbers or set any stronger password (for instance, alphabetic or alphanumeric).

       This option is selected by default.

     • Alphabetic

       The user can set a password that includes letters (or other non-number symbols) or set any stronger password (for instance, alphanumeric).

     • Alphanumeric

       The user can set a password that includes both numbers and letters (or other non-number symbols) or set any stronger complex password.

     • Any

       The user can set any password.

     • Complex

       The user must set a complex password according to the specified password properties:

       • Minimum number of letters
       • Minimum number of digits
       • Minimum number of special symbols
       • Minimum number of uppercase letters
       • Minimum number of lowercase letters
       • Minimum number of non-letter characters
     • Complex numeric

       The user can set a password that includes numbers with no repetitions (e.g. 4444) and no ordered sequences (e.g. 1234, 4321, 2468) or set any stronger complex password.

     • Weak biometric

       The user can use biometric unlock methods or set a stronger complex password.

     This option applies only to devices running Android 12 or later in device owner mode.

   • Password lifetime, in days

     Specifies the number of days before the password expires. Applying a new value will set the current password lifetime to the new value.

     The default value is 0. This means that the password won't expire.

   • Number of days to notify before password expires (for device owner mode)

     Specifies the number of days to notify the user before the password expires.

     The default value is 0. This means that the user won't be notified about password expiration.

     This option applies only to devices operating in device owner mode.

   • Password history length

     Specifies the maximum number of previous user passwords that can't be used as a new password.

     The default value is 0. This means that the new user password can match any previous password except the current one.

   • Period of inactivity before device locks, in seconds

     Specifies the period of inactivity before the device locks. After this period, the device will lock.

     The default value is 0. This means that the device won't lock after a certain period.

   • Period for unlocking without password, in minutes (for device owner mode, Android 8.0+)

     Specifies the period for unlocking the device without a password. During this period, the user can use biometric methods to unlock the screen. After this period, the user can unlock the screen only with a password.

     The default value is 0. This means that the user won't be forced to unlock the device with a password after a certain period.

     This option applies only to devices running Android 8 or later in device owner mode.

   • Allow biometric unlock methods (Android 9+)

     If the check box is selected, the use of biometric unlock methods on the mobile device is allowed.

     If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of biometric methods to unlock the screen. The user can unlock the screen only with a password.

     This check box is selected by default.

     This setting applies only to devices running Android 9 or later.

   • Allow use of fingerprints

     The use of fingerprints to unlock the screen. This check box does not restrict the use of a fingerprint scanner when signing in to apps or confirming purchases.

     On devices running Android 10.0 or later, the use of fingerprints to unlock the screen can be managed for work profiles only.

     If the check box is selected, the use of fingerprints on the mobile device is allowed. If the unlock password does not comply with corporate security requirements, the user cannot use a fingerprint scanner to unlock the screen.

     If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of fingerprints to unlock the screen. The user can unlock the screen only with a password. In the Android settings, the option to use fingerprints will be unavailable (Android Settings > Security > Screen lock > Fingerprints).

     This check box is available only if the Allow biometric unlock methods (Android 9+) check box is selected.

     This check box is selected by default.

   • Allow face scanning (Android 9+)

     If the check box is selected, the use of face scanning on the mobile device is allowed.

     If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of face scanning to unlock the screen.

     This check box is available only if the Allow biometric unlock methods (Android 9+) check box is selected.

     This check box is selected by default.

     This setting applies only to devices running Android 9 or later.

   • Allow iris scanning (Android 9+)

     If the check box is selected, the use of iris scanning on the mobile device is allowed.

     If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of iris scanning to unlock the screen.

     This check box is available only if the Allow biometric unlock methods (Android 9+) check box is selected.

     This check box is selected by default.

     This setting applies only to devices running Android 9 or later.

   • Force use of password at startup

     If the check box is selected, the user is not required to enter the password when the device starts up.

     Once this option is applied, it cannot be reverted without resetting the device to factory defaults.

     If the check box is cleared, the startup requirements remain unchanged.

     This check box is cleared by default.

   • Unlock password

     This option lets you set the password on the user device.

     On devices running Android 11 or later, this option applies only if the device is in device owner mode.

     Once you save the policy, this option applies to the device by sending a command with the specified password. The input is cleared and the specified password is not saved in Administration Console.

     • If the device is not protected with the password or is running Android 10 or earlier, Kaspersky Endpoint Security for Android sets the password immediately.
     • If the device is running Android 11 or later, Kaspersky Endpoint Security for Android prompts the user to apply the new password.

     If you leave this option empty, no changes are applied to the device.

7. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring a strong unlock password for iOS MDM devices

To protect iOS MDM device data, configure the unlock password strength settings.

By default, the user can use a simple password. A simple password is a password that contains successive or repetitive characters, such as "abcd" or "2222". The user is not required to enter an alphanumeric password that includes special symbols. By default, the password validity period and the number of password entry attempts are not limited.

To configure the strength settings for an iOS MDM device unlock password:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the Password section.
5. In the Password settings section, select the Apply settings on device check box.
6. Configure unlock password strength settings:
   • To allow the user to use a simple password, select the Allow simple password check box.
   • To require use of both letters and numbers in the password, select the Prompt for alphanumeric value check box.
   • In the Minimum password length list, select the minimum password length in characters.
   • In the Minimum number of special characters list, select the minimum number of special characters in the password (such as "$", "&", "!").
   • In the Maximum password lifetime field, specify the period of time in days during which the password will stay current. When this period expires, Kaspersky Device Management for iOS prompts the user to change the password.
   • In the Enable Auto-Lock in list, select the amount of time after which iOS MDM device Auto-Lock should be enabled.
   • In the Password history field, specify the number of used passwords (including the current password) that Kaspersky Device Management for iOS will compare with the new password when the user changes the old password. If passwords match, the new password is rejected.
   • In the Maximum time for unlock without password list, select the amount of time during which the user can unlock the iOS MDM device without entering the password.
   • In the Maximum number of access attempts, select the number of access attempts that the user can make to enter the iOS MDM device unlock password.
7. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, Kaspersky Device Management for iOS checks the strength of the password set on the user's mobile device. If the strength of the device unlock password does not conform to the policy, the user is prompted to change the password.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring a virtual private network (VPN)

This section contains information on configuring virtual private network (VPN) settings for secure connection to Wi-Fi networks.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring VPN on Android devices (only Samsung)

To securely connect an Android device to Wi-Fi networks and protect data transfer, you should configure the settings for VPN (Virtual Private Network).

Configuration of VPN is possible only for Samsung devices running Android 11 or earlier.

The following requirements should be considered when using a virtual private network:

• The app that uses the VPN connection must be allowed in Firewall settings.
• Virtual private network settings configured in the policy cannot be applied to system applications. The VPN connection for system applications has to be configured manually.
• Some applications that use the VPN connection need to have additional settings configured at first startup. To configure settings, the VPN connection has to be allowed in application settings.

To configure VPN on a user's mobile device:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Manage Samsung KNOX → Manage Samsung devices section.
5. In the VPN section, click the Configure button.

   This opens the VPN network window.

6. In the Connection type drop-down list, select the type of VPN connection.
7. In the Network name field, enter the name of the VPN tunnel.
8. In the Server address field, enter the network name or IP address of the VPN server.
9. In the DNS search domain(s) list, enter the DNS search domain to be automatically added to the DNS server name.

   You can specify several DNS search domains, separating them with blank spaces.

10. In the DNS server(s) field, enter the full domain name or IP address of the DNS server.

    You can specify several DNS servers, separating them with blank spaces.

11. In the Routing field, enter the range of network IP addresses with which data is exchanged via the VPN connection.

    If the range of IP addresses is not specified in the Routing field, all internet traffic will pass through the VPN connection.

12. Additionally configure the following settings for networks of the IPSec Xauth PSK and L2TP IPSec PSK types:
    1. In the IPSec shared key field, enter the password for the preset IPSec security key.
    2. In the IPSec ID field, enter the name of the mobile device user.
13. For an L2TP IPSec PSK network, additionally specify the password for the L2TP key in the L2TP key field.
14. For a PPTP network, select the Use SSL connection check box so that the app will use the MPPE (Microsoft Point-to-Point Encryption) method of data encryption to secure data transmission when the mobile device connects to the VPN server.
15. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring VPN on iOS MDM devices

To connect an iOS MDM device to a virtual private network (VPN) and protect data during the connection to the VPN, configure the VPN connection settings. The IKEv2 VPN protocol also lets you set up a VPN connection for selected website domains in Safari.

To configure the VPN connection on a user's iOS MDM device:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the VPN section.
5. Click the Add button in the VPN networks section.

   This opens the VPN network window.

6. In the Network name field, enter the name of the VPN tunnel.
7. In the Connection type drop-down list, select the type of VPN connection:
   • L2TP (Layer 2 Tunneling Protocol). The connection supports authentication of iOS MDM mobile device user using MS-CHAP v2 passwords, two-factor authentication, and automatic authentication using a public key.
   • PPTP (Point-to-Point Tunneling Protocol). The connection supports authentication of iOS MDM mobile device user using MS-CHAP v2 passwords and two-factor authentication.
   • IKEv2 (Internet Key Exchange version 2). The connection establishes the Security Association (SA) attribute between two network entities and supports authentication using EAP (Extensible Authentication Protocols), shared secrets, and certificates.
   • IPSec (Cisco). The connection supports password-based user authentication, two-factor authentication, and automatic authentication using a public key and certificates.
   • Cisco AnyConnect. The connection supports the Cisco Adaptive Security Appliance (ASA) firewall of version 8.0(3).1 or later. To configure the VPN connection, install the Cisco AnyConnect app from App Store on the iOS MDM mobile device.
   • Juniper SSL. The connection supports the Juniper Networks SSL VPN gateway, Series SA, of version 6.4 or later with the Juniper Networks IVE package of version 7.0 or later. To configure the VPN connection, install the JUNOS app from App Store on the iOS MDM mobile device.
   • F5 SSL. The connection supports F5 BIG-IP Edge Gateway, Access Policy Manager, and Fire SSL VPN solutions. To configure the VPN connection, install the F5 BIG-IP Edge Client app from App Store on the iOS MDM mobile device.
   • SonicWALL Mobile Connect. The connection supports SonicWALL Aventail E-Class Secure Remote Access devices of version 10.5.4 or later, SonicWALL SRA devices of version 5.5 or later, as well as SonicWALL Next-Generation Firewall devices, including TZ, NSA, E-Class NSA with SonicOS of version 5.8.1.0 or later. To configure the VPN connection, install the SonicWALL Mobile Connect app from App Store on the iOS MDM mobile device.
   • Aruba VIA. The connection supports Aruba Networks mobile access controllers. To configure them, install the Aruba Networks VIA app from App Store on the iOS MDM mobile device.
   • Custom SSL. The connection supports authentication of the iOS MDM mobile device user using passwords and certificates and two-factor authentication.
8. In the Server address field, enter the network name or IP address of the VPN server.
9. In the Account name field, enter the account name for authorization on the VPN server. You can use macros from the Macros available drop-down list.
10. Configure the security settings for the VPN connection according to the selected type of virtual private network. For information about these settings, refer to the context help of the administration plug-in.
11. For an IKEv2 connection, if necessary, set up a VPN connection for selected domains in Safari:
    1. Select the Set up VPN connection for domains (Safari only) check box to specify the website domains that trigger a VPN connection.
    2. Select the Connect automatically check box if you want the device to automatically activate a VPN connection when associated domains initiate network communication. If the check box is cleared, the user must activate a VPN connection manually before associated domains initiate network communication.
    3. In the table, specify the domains that trigger a VPN connection in Safari. Each domain should be in the "www.example.com" format.
12. If necessary, configure the settings of the VPN connection via a proxy server:
    1. Select the Proxy server settings tab.
    2. Select the proxy server configuration mode and specify the connection settings.
    3. Click OK.

    As a result, the settings of the device connection to a VPN via a proxy server are configured on the iOS MDM device.

13. Click OK.

    The new VPN is displayed in the list.

14. Click the Apply button to save the changes you have made.

As a result, a VPN connection will be configured on the user's iOS MDM device once the policy is applied.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring Firewall on Android devices (only Samsung)

Configure Firewall settings to monitor network connections on the user's mobile device.

To configure Firewall on a mobile device:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Manage Samsung KNOX → Manage Samsung devices section.
5. In the Firewall window, click Configure.

   The Firewall window opens.

6. Select the Firewall mode:
   • To allow all inbound and outbound connections, move the slider to Allow all.
   • To block all network activity except that of apps on the list of exclusions, move the slider up to Block all but exceptions.
7. If you have set the Firewall mode to Block all but exceptions, create a list of exclusions:
   1. Click Add.

      This opens the Exclusion for Firewall window.

   2. In the App name field, enter the name of the mobile app.
   3. In the Package name field, enter the system name of the mobile app package (for example, com.mobileapp.example).
   4. Click OK.
8. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Protecting Kaspersky Endpoint Security for Android against removal

For mobile device protection and compliance with corporate security requirements, you can enable protection against removal of Kaspersky Endpoint Security for Android. In this case, the user cannot remove the app using the Kaspersky Endpoint Security for Android interface. When removing the app using the tools of the Android operating system, you are prompted to disable administrator rights for Kaspersky Endpoint Security for Android. After disabling the rights, the mobile device will be locked.

On certain Samsung devices running Android 7.0 or later, when the user attempts to configure unsupported methods for unlocking the device (for example, a graphical password), the device may be locked if the following conditions are met: Kaspersky Endpoint Security for Android removal protection is enabled and screen unlock password strength requirements are set. To unlock the device, you must send a special command to the device.

To enable protection against removal of Kaspersky Endpoint Security for Android:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Additional section.
5. In the Removal of Kaspersky Endpoint Security for Android section, clear the Allow removal of Kaspersky Endpoint Security for Android check box.

   To protect the app from removal on devices running Android 7.0 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, the app is not protected from removal.

6. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. If an attempt is made to remove the app, the mobile device will be locked.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Detecting device hacks (root)

Kaspersky Security for Mobile enables you to detect device hacks (root). System files are unprotected on a hacked device, and therefore can be modified. Moreover, third-party apps from unknown sources could be installed on hacked devices. Upon detection of a hack attempt, we recommend that you immediately restore normal operation of the device.

To detect when a user obtains root privileges, Kaspersky Endpoint Security for Android uses the following services:

• Embedded service of Kaspersky Endpoint Security for Android is a Kaspersky service that checks whether a mobile device user has obtained root privileges (Kaspersky Mobile Security SDK).
• SafetyNet Attestation is a Google service that checks the integrity of the operating system, analyzes the device hardware and software, and identifies other security issues. For more details about SafetyNet Attestation, visit the Android Technical Support website.

If the device is hacked, you receive a notification. You can view hacking notifications in the workspace of the Administration Server on the Monitoring tab. You can also disable notifications about hacks in the event notification settings.

On devices running Android, you can impose restrictions on the user's activity on the device if the device is hacked (for example, lock the device). You can impose restrictions by using the Compliance Control component (see the figure below). To do this, in the scan rule settings, select the Device has been rooted criterion.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring a global HTTP proxy on iOS MDM devices

To protect the user's internet traffic, configure the connection of the iOS MDM device to the internet via a proxy server.

Automatic connection to the internet via a proxy server is available for controlled devices only.

To configure global HTTP proxy settings on the user's iOS MDM device:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the Global HTTP Proxy section.
5. In the Global HTTP proxy settings section, select the Apply settings on device check box.
6. Select the type of global HTTP proxy configuration.

   By default, the manual type of global HTTP proxy configuration is selected, and the user is prohibited from connecting to captive networks without connecting to a proxy server. Captive networks are wireless networks that require preliminary authentication on the mobile device without connecting to the proxy server.

   • To specify the proxy server connection settings manually:
     1. In the Proxy settings type drop-down list, select Manual.
     2. In the Proxy server address and port field, enter the name of a host or the IP address of a proxy server and the number of the proxy server port.
     3. In the User name field, set the user account name for proxy server authorization. You can use macros from the Macros available drop-down list.
     4. In the Password field, set the user account password for proxy server authorization.
     5. To allow the user to access captive networks, select the Allow access to captive networks without connecting to proxy check box.
   • To configure the proxy server connection settings using a predefined PAC (Proxy Auto Configuration) file:
     1. In the Proxy settings type drop-down list, select Automatic.
     2. In the URL of PAC file field, enter the web address of the PAC file (for example: http://www.example.com/filename.pac).
     3. To allow the user to connect the mobile device to a wireless network without using a proxy server when the PAC file cannot be accessed, select the Allow direct connection if PAC file cannot be accessed check box.
     4. To allow the user to access captive networks, select the Allow access to captive networks without connecting to proxy check box.
7. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the mobile device user will connect to the internet via a proxy server.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Adding security certificates to iOS MDM devices

To simplify user authentication and ensure data security, add certificates on the user's iOS MDM device. Data signed with a certificate is protected against modification during network exchange. Data encryption using a certificate provides an added level of security for data. The certificate can be also used to verify the user's identity.

Kaspersky Device Management for iOS supports the following certificate standards:

• PKCS#1 – encryption with a public key based on RSA algorithms.
• PKCS#12 – storage and transmission of a certificate and a private key.

To add a security certificate on a user's iOS MDM device:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the Certificates section.
5. Click the Add button in the Certificates section.

   The Certificate window opens.

6. In the File name field, specify the path to the certificate:

   Files of PKCS#1 certificates have the cer, crt, or der extensions. Files of PKCS#12 certificates have the p12 or pfx extensions.

7. Click Open.

   If the certificate is password-protected, specify the password. The new certificate appears in the list.

8. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the user will be prompted to install certificates from the list that has been created.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Adding a SCEP profile to iOS MDM devices

You have to add a SCEP profile to enable the iOS MDM device user to automatically receive certificates from the Certification Center via the internet. The SCEP profile enables support of the Simple Certificate Enrollment Protocol.

A SCEP profile with the following settings is added by default:

• The alternative subject name is not used for registering certificates.
• Three attempts 10 seconds apart are made to poll the SCEP server. If all attempts to sign the certificate have failed, you have to generate a new certificate signing request.
• The certificate that has been received cannot be used for data signing or encryption.

You can edit the specified settings when adding the SCEP profile.

To add a SCEP profile:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the SCEP section.
5. Click the Add button in the SCEP profiles section.

   The SCEP profile window opens.

6. In the Server web address field, enter the web address of the SCEP server on which the Certification Center is deployed.

   The URL can contain the IP address or the full domain name (FQDN). For example, http://10.10.10.10/certserver/companyscep.

7. In the Name field, enter the name of the Certification Center deployed on the SCEP server.
8. In the Subject field, enter a string with the attributes of the iOS MDM device user that are contained in the X.500 certificate.

   Attributes can contain details of the country (С), organization (O), and common user name (CN). For example: /C=RU/O=MyCompany/CN=User/. You can also use other attributes specified in RFC 5280.

9. In the Type of alternative name of subject drop-down list, select the type of alternative name of the subject of the SCEP server:
   • No – alternative name identification is not used.
   • RFC 822 name – identification using the email address. The email address must be specified according to RFC 822.
   • DNS name – identification using the domain name.
   • URI – identification using the IP address or address in FQDN format.

   You can use an alternative name of the subject for identifying the user of the iOS MDM mobile device.

10. In the Subject Alternative Name field, enter the alternative name of the subject of the X.500 certificate. The value of the subject alternative name depends on the subject type: the user's email address, domain, or web address.
11. In the NT subject name field, enter the DNS name of the iOS MDM mobile device user on the Windows NT network.

    The NT subject name is contained in the certificate request sent to the SCEP server.

12. In the Number of polling attempts on SCEP server field, specify the maximum number of attempts to poll the SCEP server to get the certificate signed.
13. In the Frequency of attempts (sec) field, specify the period of time in seconds between attempts to poll the SCEP server to get the certificate signed.
14. In the Registration request field, enter a pre-published registration key.

    Before signing a certificate, the SCEP server requests the mobile device user to supply a key. If this field is left blank, the SCEP does not request the key.

15. In the Key Size drop-down list, select the size of the registration key in bits: 1024 or 2048.
16. If you want to allow the user to use a certificate received from the SCEP server as a signing certificate, select the Use for signing check box.
17. If you want to allow the user to use a certificate received from the SCEP server for data encryption, select the Use for encryption check box.

    It is prohibited to use the SCEP server certificate as a data signing certificate and a data encryption certificate at the same time.

18. In the Certificate fingerprint field, enter a unique certificate fingerprint for verifying the authenticity of the response from the Certification Center. You can use certificate fingerprints with the SHA-1 or MD5 hashing algorithm. You can copy the certificate fingerprint manually or select a certificate using the Create from certificate button. When the fingerprint is created using the Create from certificate button, the fingerprint is added to the field automatically.

    The certificate fingerprint has to be specified if data exchange between the mobile device and the Certification Center takes place via the HTTP protocol.

19. Click OK.

    The new SCEP profile appears in the list.

20. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the user's mobile device is configured to automatically receive a certificate from the Certification Center via the internet.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Control

This section contains information about how to remotely monitor mobile devices in the Administration Console of Kaspersky Security Center.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring restrictions

This section provides instructions on how to configure user access to the features of mobile devices.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Special considerations for devices running Android version 10 and later

Android 10 introduced numerous changes and restrictions targeting API 29 or higher. Some of these changes affect the availability or functionality of some of the app's features. These considerations apply only to devices running Android 10 or later.

Ability to enable, disable, and configure Wi-Fi

• Wi-Fi networks can be added, deleted, and configured in the Administration Console of Kaspersky Security Center. When a Wi-Fi network is added to a policy, Kaspersky Endpoint Security receives this network configuration when it first connects to Kaspersky Security Center.
• When a device detects a network configured through Kaspersky Security Center, Kaspersky Endpoint Security prompts the user to connect to that network. If the user chooses to connect to the network, all of the settings configured through Kaspersky Security Center are automatically applied. The device then automatically connects to that network when in range, without showing further notifications to the user.
• If a user's device is already connected to another Wi-Fi network, sometimes the user may not be prompted to approve a network addition. In such cases, the user must turn Wi-Fi off and on again to receive the suggestion.
• When Kaspersky Endpoint Security suggests a user connect to a Wi-Fi network and the user refuses to do so, the app's permission to change the Wi-Fi state is revoked. Kaspersky Endpoint Security then cannot suggest connecting to Wi-Fi networks until the user grants the permission again by going to Settings → Apps & notifications → Special App access → Wi-Fi Control → Kaspersky Endpoint Security.
• Only open networks and networks encrypted with WPA2-PSK are supported. WEP and WPA encryption are not supported.
• If the password for a network previously suggested by the app is changed, the user must manually delete that network from the list of known networks. The device will then be able to receive a network suggestion from Kaspersky Endpoint Security and connect to it.
• When a device OS is updated from Android version 9 or earlier to Android version 10 or later, and/or Kaspersky Endpoint Security installed on a device running Android version 10 or later is updated, the networks that were previously added via Kaspersky Security Center cannot be modified or deleted through Kaspersky Security Center policies. The user, however, can manually modify or delete such networks in the device settings.
• On devices running Android 10, a user is prompted for the password during an attempt to connect manually to a protected suggested network. Automatic connection does not require entering the password. If a user's device is connected to some other Wi-Fi network, the user must first disconnect from that network to connect automatically to one of the suggested networks.
• On devices running Android 11, a user may manually connect to a protected network suggested by the app, without entering the password.
• When Kaspersky Endpoint Security is removed from a device, the networks previously suggested by the app are ignored.
• Prohibiting use of Wi-Fi networks is not supported.

Camera access

• On devices running Android 10, use of the camera cannot be completely prohibited. Prohibiting use of the camera for a work profile is still available.
• If a third-party app attempts to access the device's camera, that app will be blocked, and the user will be notified about the issue. However, the apps that use the camera while running in background mode cannot be blocked.
• When an external camera is disconnected from a device, a notification about the camera not being available may be displayed in some cases.

Managing screen unlock methods

• Kaspersky Endpoint Security now resolves the password strength requirements into one of the system values: medium or high.
  • If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN), with no repeating or ordered (e.g. 1234) sequences; or alphanumeric. The PIN or password must be at least 4 characters long.
  • If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN), with no repeating or ordered sequences; or alphanumeric (password). The PIN must be at least 8 digits long; the password must be at least 6 characters long.
• Using a fingerprint to unlock the screen can be managed for a work profile only.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring restrictions for Android devices

To keep an Android device secure, configure the Wi-Fi, camera, and Bluetooth usage settings on the device.

By default, the user can use Wi-Fi, camera, and Bluetooth on the device without restrictions.

To configure the Wi-Fi, camera, and Bluetooth usage restrictions on the device:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Device Management section.
5. In the Restrictions section, configure usage of Wi-Fi, camera, and Bluetooth:
   • To disable the Wi-Fi module on the user's mobile device, select the Prohibit use of Wi-Fi check box.

     On devices running Android 10.0 or later, prohibiting the use of Wi-Fi networks is not supported.

   • To disable the camera on the user's mobile device, select the Prohibit use of camera check box.

     On devices running Android 10.0 or later, the use of the camera cannot be completely prohibited.

     On devices running Android 11 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. If this is the case, you will not be able to restrict use of the camera.

   • To disable Bluetooth on the user's mobile device, select the Prohibit use of Bluetooth check box.

     On Android 12 or later, the use of Bluetooth can be disabled only if the device user granted the Nearby Bluetooth devices permission. The user can grant this permission during the Initial Configuration Wizard or at a later time.

     On personal devices running Android 13 or later, the use of Bluetooth cannot be disabled.

6. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring iOS MDM device feature restrictions

To ensure compliance with corporate security requirements, configure restrictions on the operation of the iOS MDM device. For information about available restrictions, refer to the context help of the administration plug-in.

To configure iOS MDM device feature restrictions:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the Features Restriction section.
5. In the Features restriction settings section, select the Apply settings on device check box.
6. Configure iOS MDM device feature restrictions.
7. Click the Apply button to save the changes you have made.
8. Select the Restrictions for applications section.
9. In the Applications restriction settings section, select the Apply settings on device check box.
10. Configure restrictions for apps on the iOS MDM device.
11. Click the Apply button to save the changes you have made.
12. Select the Restrictions for Media Content section.
13. In the Media content restriction settings section, select the Apply settings on device check box.
14. Configure restrictions for media content on the iOS MDM device.
15. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, restrictions on features, apps, and media content will be configured on the user's mobile device.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring user access to websites

This section contains instructions on how to configure access to websites on Android and iOS devices.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring access to websites on Android devices

You can use Web Protection to configure access of Android device users to websites. Web Protection supports website filtering by categories defined in Kaspersky Security Network cloud service. Filtering allows you to restrict user access to certain websites or categories of websites (for example, those from the "Gambling, lotteries, sweepstakes", or "Internet communication" categories). Web Protection also protects the personal data of users on the internet.

To enable Web Protection:

• Kaspersky Endpoint Security must be enabled as an Accessibility Features service.
• The Statement regarding data processing for the purpose of using Web Protection (Web Protection Statement) should be accepted. Kaspersky Endpoint Security uses Kaspersky Security Network (KSN) to scan websites. The Web Protection Statement contains the terms of data exchange with KSN.

  You can accept the Web Protection Statement for the user in Kaspersky Security Center. In this case, the user is not required to take any action.

  If you have not accepted the Web Protection Statement and prompt the user to do this, the user must read and accept the Web Protection Statement in the app settings.

  If you have not accepted the Web Protection Statement, Web Protection is not available.

Web Protection on Android devices works only in the Google Chrome browser (including the Custom Tabs feature), Huawei Browser, and Samsung Internet Browser. Web Protection for Samsung Internet Browser does not block sites on a mobile device if a work profile is used and Web Protection is enabled only for the work profile.

Web Protection is enabled by default: user access to websites in the Phishing and Malware categories is blocked.

To configure the settings of the device user's access to websites:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Web Protection.
5. Select the Enable Web Protection check box.
6. To use the Web Protection, you or device user must read and accept the Statement regarding data processing for the purpose of using Web Protection (Web Protection Statement):
   1. Click the link Web Protection Statement.

      This opens Statement regarding data processing for purpose of using Web Protection window. To accept the Web Protection Statement, you must read and accept Privacy Policy.

   2. Click the Privacy Policy link. Read and accept the Privacy Policy.

      If you do not accept Privacy Policy, mobile device user can accept Privacy Policy in the Initial Configuration Wizard or in the app ( → About → Terms and conditions → Privacy Policy).

   3. Select the Web Protection Statement acceptance mode:
      • I have read and accept the Web Protection Statement
      • Request acceptance of the Web Protection Statement from the device user
      • I do not accept the Web Protection Statement

   If you select I do not accept the Web Protection Statement, the Web Protection does not block sites on a mobile device. Mobile device user cannot enable Web Protection in the Kaspersky Endpoint Security.

7. If you want the app to restrict user access to websites depending on their content, do the following:
   1. In the Web Protection section, in the drop-down list select Websites of selected categories are forbidden.
   2. Create a list of blocked categories by selecting check boxes next to the categories of websites to which the app will block access.
8. If you want the app to allow user access only to websites specified by the administrator, do the following:
   1. In the Web Protection section, in the drop-down list select Only listed websites are allowed.
   2. Create a list of websites by adding addresses of websites to which the app will not block access. Kaspersky Endpoint Security for Android supports only regular expressions. When entering the address of an allowed website, use the following templates:
      • https://example.com.*—All child pages of the website are allowed (for example, https://example.com/about).
      • https://.*example.com—All subdomain pages of the website are allowed (for example, https://pictures.example.com).

      You can also use the expression https? to select the HTTP and HTTPS protocols. For more details on regular expressions, please refer to the Oracle Technical Support website.

9. If you want the app to block user access to all websites, in the Web Protection section, in the drop-down list, select All websites are blocked.
10. To lift content-based restrictions on user access to websites, clear the Enable Web Protection check box.
11. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring access to websites on iOS MDM devices

Configure Web Protection settings to control access to websites for iOS MDM device users. Web Protection controls a user's access to websites based on lists of allowed and blocked websites. Web Protection also lets you add website bookmarks on the bookmark panel in Safari.

By default, access to websites is not restricted.

Web Protection settings can be configured for supervised devices only.

To configure access to websites on the user's iOS MDM device:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the Web Protection section.
5. In the Web Protection settings section, select the Apply settings on device check box.
6. To block access to blocked websites and allow access to allowed websites:
   1. In the Web Filter Mode drop-down list, select the Limit adult content mode.
   2. In the Allowed websites section, create a list of allowed websites.

      The website address should begin with "http://" or "https://". Kaspersky Device Management for iOS allows access to all websites in the domain. For example, if you have added http://www.example.com to the list of allowed websites, access is allowed to http://pictures.example.com and http://example.com/movies. If the list of allowed websites is empty, the application allows access to all websites other than those included in the list of blocked websites.

   3. In the Forbidden websites section, create a list of blocked websites.

      The website address should begin with "http://" or "https://". Kaspersky Device Management for iOS blocks access to all websites in the domain.

7. To block access to all websites other than allowed websites on the tab list:
   1. In the Web Filter Mode drop-down list, select the Allow bookmarked websites only mode.
   2. In the Bookmarks section, create a list of bookmarks of allowed websites.

      The website address should begin with "http://" or "https://". Kaspersky Device Management for iOS allows access to all websites in the domain. If the bookmark list is empty, the application allows access to all websites. Kaspersky Device Management for iOS adds websites from the list of bookmarks on the bookmarks tab in Safari in the user's mobile device.

8. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, Web Protection will be configured on the user's mobile device according to the mode selected and lists created.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Compliance control of Android devices with corporate security requirements

You can control Android devices for compliance with the corporate security requirements. Corporate security requirements regulate how the user can work with the device. For example, the real-time protection must be enabled on the device, the anti-virus databases must be up-to-date, and the device password must be sufficiently strong. Compliance control is based on a list of rules. A compliance rule includes the following components:

• Device check criterion (for example, absence of blocked apps on the device).
• Time period allocated for the user to fix the non-compliance (for example, 24 hours).
• Action that will be taken on the device if the user does not fix the non-compliance within the set time period (for example, lock device).

  On Android 12 or later, the app may perform this task later than specified if the device is in battery saver mode.

If the user does not fix the non-compliance within the specified time, the following actions are available:

• Block all applications except system ones. All apps on the user's mobile device, except system apps, are blocked from starting.
• Lock device. Mobile device is locked. To obtain access to data, you must unlock the device. If the reason for locking the device is not rectified after the device is unlocked, the device will be locked again after the specified time period.
• Wipe corporate data. Containerized data, the corporate email account, settings for connecting to the corporate Wi-Fi network and VPN, Access Point Name (APN), Android work profile, KNOX container, and the KNOX License Manager key are wiped.
• Full Reset. All data is deleted from the mobile device and the settings are rolled back to their factory values. After this action is completed, the device will no longer be a managed device. To connect the device to Kaspersky Security Center, you must reinstall Kaspersky Endpoint Security for Android.

To create a scan rule for checking devices for compliance with a group policy:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Compliance control section.
5. To receive notifications about devices that do not comply with the policy, in the Noncompliance notification section select the Notify administrator check box.

   If the device does not comply with a policy, during device synchronization with the Administration Server, Kaspersky Endpoint Security for Android writes an entry for Violation detected: <name of the criterion checked> in the event log. You can view the Event log on the Events tab in the Administration Server properties or in the local properties of the application.

6. To notify the device user that the user's device does not comply with the policy, in the Noncompliance notification section select the Notify user check box.

   If the device does not comply with a policy, during device synchronization with the Administration Server, Kaspersky Endpoint Security for Android notifies the user about this.

7. In the Compliance Rules section, compile a list of rules for checking the device for compliance with the policy. Follow the steps below:
   1. Click Add.

      The Scan Rule Wizard starts.

   2. Follow the instructions of the Scan Rule Wizard.

      When the wizard finishes, the new rule is displayed in the Compliance Rules section in the list of scan rules.

8. To temporarily disable a scan rule that you have created, use the toggle switch opposite the selected rule.
9. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. If the user device does not comply with the rules, the restrictions you have specified in the scan rule list are applied to the device.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Compliance control of iOS MDM devices with corporate security requirements

Compliance Control allows you to monitor iOS MDM devices for compliance with corporate security requirements and take actions if non-compliance is found. Compliance Control is based on a list of rules. Each rule includes the following components:

• Status (whether the rule is enabled or disabled).
• Non-compliance criteria (for example, absence of the specified apps or operating system version).
• Actions performed on the device if non-compliance is found (for example, wipe corporate data or send an email message to the user).

To create a rule:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the Compliance Control section.
5. In the Compliance Control rules section, click Add.

   The Compliance Control Rule Wizard starts.

6. Select the Enable rule check box if you want to activate the rule. If the check box is cleared, the rule is disabled.
7. In the Non-compliance criteria tab, click Add criterion and select a non-compliance criterion for the rule. You can add multiple criteria. They are combined by the AND logical operator.

   The following criteria are available:

   • List of apps on device

     Checks whether the list of apps on the device contains forbidden apps or does not contain required apps.

     For this criterion, you need to select a check type (Contains or Does not contain) and specify app IDs.

   • Operating system version

     Checks the version of the operating system on the device.

     For this criterion, you need to select a comparison operator (Equal, Not equal, Less than, or Greater than) and specify the iOS version.

     Note that the Equal and Not equal operators check for a full match of the operating system version with the specified value. For instance, if you specify 15 in the rule, but the device is running iOS 15.2, the Equal criterion is not met. If you need to specify a range of versions, you can create two criteria and use the Less than and Greater than operators.

   • Management mode

     Checks the device's management mode.

     For this criterion, you need to select a mode (Supervised device or Non-supervised device).

8. In the Actions tab, specify actions to be performed on the device if all specified non-compliance criteria are detected. Add an action in one of the following ways:
   • Click the Add action button if the action should be taken on the device immediately after non-compliance is detected.
   • Click the Add postponed action button if you want to also set a time period in which the user can fix the non-compliance. If the non-compliance is not fixed within this period, the action is performed on the device.

   The following actions are available:

   • Send email message to user

     The device user is informed about the non-compliance by email.

     For this action, you need to specify the user's email address(es) and the email message.

   • Install profile

     The configuration profile is installed on the device. This action is performed by sending the Install profile command.

     For this action, you need to specify the ID of the configuration profile to be installed.

   • Delete profile

     The configuration profile is deleted from the device. This action is performed by sending the Remove profile command.

     For this action, you need to specify the ID of the configuration profile to be removed.

   • Delete all profiles

     All previously installed configuration profiles are deleted from the device.

   • Wipe corporate data

     All installed configuration profiles, provisioning profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile check box has been selected are removed from the device. This action is performed by sending the Wipe corporate data command.

9. Click the Save button to save the rule and close the wizard.

   The new rule appears in the list in the Compliance Control rules section.

10. Click the Apply button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

App control

This section contains instructions on how to configure user access to apps on a mobile device.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

App control on Android devices

The App Control component allows you to manage apps on Android devices to keep these devices secure.

• You can impose restrictions on the user's activity on a device on which blocked apps are installed or required apps are not installed (for example, lock the device). You can impose restrictions using the Compliance Control component. To do so, in the scan rule settings, you must select the Forbidden apps are installed, Apps from forbidden categories are installed, or Not all required apps are installed criterion.

Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of App Control. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. If this is the case, App Control does not run.

In device owner mode, you have extended control over the device. App Control operates without notifying the device user:

• Required apps are installed automatically in the background. To install apps silently, you need to specify a link to the APK file of the required app in the policy settings.
• Forbidden apps can be deleted from the device automatically. To delete apps silently, you need to select the Delete blocked apps automatically (in device owner mode only) check box in the policy settings.

To configure the settings of app startup on the mobile device:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the App Control section.
5. In the Operation mode section, select the mode of app startup on the user's mobile device:
   • To allow the user to start all apps except those specified in the list of categories and apps as blocked apps, select the Blocked apps mode. The app will hide blocked app icons.
   • To allow the user to start only apps specified in the list of categories and apps as allowed, recommended, or required apps, select the Allowed apps mode. The app will hide all app icons except those specified in the list of allowed, recommended, or required apps and system apps.
6. If you want Kaspersky Endpoint Security for Android to send data on forbidden apps to the event log without blocking them, select the Do not block forbidden apps, write to event log only check box.

   During the next synchronization of the user's mobile device with the Administration Server, Kaspersky Endpoint Security for Android writes an entry for A forbidden app has been installed in the event log. You can view the Event log on the Events tab in the Administration Server properties or in the local properties of the application.

7. If the device is in device owner mode, select the Delete blocked apps automatically (in device owner mode only) check box to remove forbidden apps from the device in the background without notifying the user.
8. If you want Kaspersky Endpoint Security for Android to block the startup of system apps on the user's mobile device (such as Calendar, Camera, and Settings) in Allowed apps mode, select the Block system apps check box.

   Kaspersky experts recommend against blocking system apps because this could lead to failures in device operation.

9. Create a list of categories and apps to configure startup of apps.

   For details on app categories, please refer to the Appendices.

   For a list of the apps that belong to each category, please visit the Kaspersky website.

10. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

App control on iOS MDM devices

Kaspersky Security Center allows you to manage apps on iOS MDM devices to keep these devices secure. You can create a list of apps allowed to be installed on devices and a list of apps prohibited from being displayed and launching on devices.

These restrictions apply only to supervised iOS MDM devices.

Open Restrictions for applications section

To open settings for app restrictions on iOS MDM devices:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the Restrictions for applications section.

Restrict app installation

By default, the user can install any apps on the supervised iOS MDM device.

To restrict the apps that can be installed on the device:

1. Select the Allow installation of apps from the list (supervised only) check box.
2. In the table, click Add to add an app to the list.
3. Specify the app's bundle ID. To get the app's bundle ID, you can follow instructions in Apple documentation. Specify the com.apple.webapp value to allow all web clips.
4. Click the Apply button to save the changes you have made.

Once the policy is applied to a device, the specified restrictions for apps are configured on the device. Only apps from the list and system apps will be available for installation. All other apps can't be installed on the device.

The specified apps can be installed on the device in the following ways (if the corresponding options are enabled in the Features restrictions section):

• Installation from Apple Configurator or iTunes
• Installation from App Store
• Automatic loading

Specify prohibited apps

By default, all apps can be displayed and launched on the supervised iOS MDM device.

To specify prohibited apps:

1. Select the Prohibit displaying and launching apps from the list (supervised only) check box.
2. In the table, click Add to add an app to the list.
3. Specify the app's bundle ID. To get the app's bundle ID, you can follow instructions in Apple documentation. Specify the com.apple.webapp value to restrict all web clips.
4. Click the Apply button to save the changes you have made.

Once the policy is applied to a device, the specified restrictions for apps are configured on the device. Apps from the list will be prohibited from being displayed and launching on the device. All other apps will be displayed and available to run.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installation and uninstallation of apps on a group of iOS MDM devices

Kaspersky Security Center allows you to install and remove apps on iOS MDM devices by sending commands to these devices.

Selecting devices

To select iOS MDM devices on which apps should be installed or removed:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

   The folder workspace displays a list of managed mobile devices.

2. In the workspace, filter iOS MDM devices by protocol type (iOS MDM).
3. Select the iOS MDM device on which apps should be installed or removed.

   You can also select multiple devices and send commands simultaneously. To select a group of devices, do one of the following:

   • To select all devices in the workspace, filter the list of devices as required and press Ctrl+A.
   • To select a range of devices, hold down the Shift key, click the first device in the range, and then click the last device in the range.
   • To select individual devices, hold down the Ctrl key and click devices you want to include in the group.

Installing apps on devices

Before installing an app on an iOS MDM device, you must add that app to an iOS MDM Server. For more information, refer to Adding a managed app.

To install apps on selected iOS MDM devices:

1. Right-click the selected devices. In the context menu that appears, select All commands, and then select Install app.

   For a single device, you can also select Show command log in the context menu, proceed to the Install app section, and click the Send command button.

   The Select apps window opens showing a list of managed apps.

2. Select the apps you want to install on iOS MDM devices. To select a range of apps, use the Shift key. To select multiple apps individually, use the Ctrl key.
3. Click OK to send the command to the devices.

   When the command is executed on a device, the selected apps are installed. If the command is successfully executed, the command log will show its current status as Completed.

Removing apps from devices

To remove apps from selected iOS MDM devices:

1. Right-click the selected devices. In the context menu that appears, select All commands, and then select Remove app.

   For a single device, you can also select Show command log in the context menu, proceed to the Remove app section, and click the Send command button.

   The Remove apps window opens showing a list of previously installed apps.

2. Select the apps you want to remove from iOS MDM devices. To select a range of apps, use the Shift key. To select multiple apps individually, use the Ctrl key.
3. Click OK to send the command to the devices.

   When the command is executed on a device, the selected apps are uninstalled. If the command is successfully executed, the command log will show its current status as Completed.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Software inventory on Android devices

You can inventory apps on Android devices connected to Kaspersky Security Center. Kaspersky Endpoint Security for Android receives information about all apps installed on mobile devices. Information acquired during inventory is displayed in the device properties in the Events section. You can view detailed information on each installed app, including its version and publisher.

To enable software inventory:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the App Control section.
5. In the Software inventory section, select the Send data on installed apps check box.
6. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. Kaspersky Endpoint Security for Android sends data to the event log each time an app is installed or removed from the device.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring the display of Android devices in Kaspersky Security Center

For convenient operations with the list of mobile devices, you should configure the settings for displaying devices in Kaspersky Security Center. By default, the list of mobile devices is displayed in the Additional → Mobile Device Management → Mobile devices console tree. Device information is updated automatically. You can also manually update the list of mobile devices by clicking the Update button in the upper right corner.

After connecting the device to Kaspersky Security Center, devices are added to the mobile device list automatically. The mobile device list may contain detailed information about that device: model, operation system, IP address, and others.

You can configure the device name format and select the device status. The device status informs you about how the components of Kaspersky Endpoint Security for Android are operating on the user's mobile device.

Kaspersky Endpoint Security for Android components could be non-operational for the following reasons:

• The user disabled the component in the device settings.
• The user did not grant the app the necessary permissions for the component to operate (for example, there is no permission to determine the device location for the corresponding Anti-Theft command).

To display the device status, you must enable the Determined by the application condition in the administration group properties (Properties → Device status → Set device status to Critical if and Set device status to Warning if). In the administration group properties, you can also select other criteria for forming the mobile device status.

To configure the display of Android devices in Kaspersky Security Center:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Device information section.
5. In the Device name in Kaspersky Security Center section, select the device name format for the device name in the Administration Console:
   • Device model [email, device ID]
   • Device model [email (if any) or device ID]

   A device ID is a unique ID that Kaspersky Endpoint Security for Android generates from the data received from a device. For mobile devices running Android 10 or later, Kaspersky Endpoint Security for Android uses the SSAID (Android ID) or checksum of other data received from the device. For earlier versions of Android, the app uses the IMEI.

6. Set the Lock attribute in the locked position ().
7. In the Device status in Kaspersky Security Center section, select the appropriate device status if a component of Kaspersky Endpoint Security for Android is not working: (Critical), (Warning) or (OK).

   In the list of mobile devices, the device status will be changed according to the selected status.

8. Set the Lock attribute in the locked position.
9. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Management

This section contains information about how to remotely manage the settings of mobile devices in the Administration Console of Kaspersky Security Center.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring connection to a Wi-Fi network

This section provides instructions on how to configure automatic connection to a corporate Wi-Fi network on Android and iOS MDM devices.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Connecting Android devices to a Wi-Fi network

For an Android device to automatically connect to an available Wi-Fi network and protect data during the connection, you should configure the connection settings.

To connect the mobile device to a Wi-Fi network:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Wi-Fi section.
5. In the Wi-Fi networks section, click Add.

   This opens the Wi-Fi network window.

6. In the Service set identifier (SSID) field, enter the name of the Wi-Fi network that includes the access point (SSID).
7. Select the Hidden network check box if you want the Wi-Fi network to be hidden in the list of available networks on the device. In this case, to connect to the network the user needs to manually enter the Service set identifier (SSID) specified in the settings of the Wi-Fi router on the mobile device.
8. Select the Automatic connection to network check box if you want the device to connect to the Wi-Fi network automatically.
9. In the Network protection section, select the type of Wi-Fi network security (open or secure network protected with the WEP, WPA/WPA2 PSK, or 802.1.x EAP protocol).

   The 802.1.x EAP security protocol is supported only in the Kaspersky Endpoint Security for Android app version 10.48.1.1 or later. The WEP protocol is supported only on Android 9 or earlier.

10. If you selected the 802.1.x EAP security protocol, specify additional network protection settings (EAP method, Root certificate and other). For information about these settings, refer to the context help of the administration plug-in.
11. In the Password field, set a network access password if you selected a secure network at step 9.
12. Select the Use proxy server option if you want to use a proxy server to connect to a Wi-Fi network. Otherwise, select the Do not use proxy server option.
13. If you selected Use proxy server, in the Proxy server address and port field, enter the IP address or DNS name of the proxy server and port number, if necessary.

    On devices running Android version 8.0 or later, settings of the proxy server for Wi-Fi cannot be redefined with the policy. However, you can manually configure the proxy server settings for a Wi-Fi network on the mobile device.

    If you are using a proxy server to connect to a Wi-Fi network, you can use a policy to configure the settings for connecting to the network. On devices running Android 8.0 or later, you must manually configure the proxy server settings. On devices running Android 8.0 or later, you cannot use a policy to change the Wi-Fi network connection settings, except for the network access password.

    If you are not using a proxy server to connect to a Wi-Fi network, there are no limitations on using policies to manage a Wi-Fi network connection.

14. In the Do not use proxy server for addresses field, generate a list of web addresses that can be accessed without the use of the proxy server.

    For example, you can enter the address example.com. In this case, the proxy server will not be used for the addresses pictures.example.com, example.com/movies, etc. The protocol (for example, http://) can be omitted.

    On devices running Android version 8.0 or later, the proxy server exclusion for web addresses does not work.

15. Click OK.

    The added Wi-Fi network is displayed in the list of Wi-Fi networks.

    You can modify or delete Wi-Fi networks in the list of networks using the Edit and Delete buttons at the top of the list.

16. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. After the policy is applied on the mobile device, the user can connect to the Wi-Fi network that has been added, without specifying the network settings.

On devices running Android version 10.0 or later, if a user refuses to connect to the suggested Wi-Fi network, the app's permission to change Wi-Fi state is revoked. The user must grant this permission manually.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Connecting iOS MDM devices to a Wi-Fi network

For an iOS MDM device to automatically connect to an available Wi-Fi network and protect data during the connection, you should configure the connection settings.

To configure the connection of an iOS MDM device to a Wi-Fi network:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the Wi-Fi section.
5. Click the Add button in the Wi-Fi networks section.

   This opens the Wi-Fi network window.

6. In the Service set identifier (SSID) field, enter the name of the Wi-Fi network that includes the access point (SSID).
7. If you want the iOS MDM device to connect to the Wi-Fi network automatically, select the Automatic connection check box.
8. To make it impossible to connect iOS MDM devices to a Wi-Fi network requiring preliminary authentication (captive network), select the Disable captive networks detection check box.

   To use a captive network, you must subscribe, accept an agreement, or make a payment. Captive networks may be deployed in cafes and hotels, for example.

9. If you want the Wi-Fi network to be hidden in the list of available networks on the iOS MDM device, select the Hidden Network check box.

   In this case, to connect to the network the user needs to manually enter the Service set identifier (SSID) specified in the settings of the Wi-Fi router on the mobile device.

10. In the Network protection drop-down list, select the type of protection of the Wi-Fi network connection:
    • Disabled. User authentication is not required.
    • WEP. The network is protected using Wireless Encryption Protocol (WEP).
    • WPA/WPA2 (Personal). The network is protected using WPA / WPA2 protocol (Wi-Fi Protected Access).
    • WPA2 (Personal). The network is protected using WPA2 protocol (Wi-Fi Protected Access 2.0). WPA2 protection is available on devices running iOS version 8 or later. WPA2 is not available on Apple TV devices.
    • Any (Personal). The network is protected using the WEP, WPA or WPA2 encryption protocol depending on the type of Wi-Fi router. An encryption key unique to each user is used for authentication.
    • WEP (Dynamic). The network is protected using the WEP protocol with the use of a dynamic key.
    • WPA/WPA2 (Enterprise). The network is protected using the WPA/WPA2 encryption protocol with use of the 802.1X protocol.
    • WPA2 (Enterprise). The network is protected using the WPA2 encryption protocol with the use of one key shared by all users (802.1X). WPA2 protection is available on devices running iOS version 8 or later. WPA2 is not available on Apple TV devices.
    • Any (Enterprise). The network is protected using WEP or WPA / WPA2 protocol depending on the type of Wi-Fi router. One encryption key shared by all users is used for authentication.

    If you have selected WEP (Dynamic), WPA/WPA2 (Enterprise), WPA2 (Enterprise) or Any (Enterprise) in the Network protection list, in the Protocols section you can select the types of EAP protocols (Extensible Authentication Protocol) for user identification on the Wi-Fi network.

    In the Trusted certificates section, you can also create a list of trusted certificates for authentication of the iOS MDM device user on trusted servers.

11. Configure the settings of the account for user authentication upon connection of the iOS MDM device to the Wi-Fi network:
    1. In the Authentication section, click the Configure button.

       The Authentication window opens.

    2. In the User name field, enter the account name for user authentication upon connection to the Wi-Fi network.
    3. To require the user to enter the password manually upon every connection to the Wi-Fi network, select the Prompt for password at each connection check box.
    4. In the Password field, enter the password of the account for authentication on the Wi-Fi network.
    5. In the Authentication certificate drop-down list, select a certificate for user authentication on the Wi-Fi network. If the list does not contain any certificates, you can add them in the Certificates section.
    6. In the User ID field, enter the user ID displayed during data transmission upon authentication instead of the user's real name.

       The user ID is designed to make the authentication process more secure, as the user name is not displayed openly, but transmitted via an encrypted TLS tunnel.

    7. Click OK.

    As a result, the settings of the account for user authentication upon connection to the Wi-Fi network will be configured on the iOS MDM device.

12. If necessary, configure the settings of the Wi-Fi network connection via a proxy server:
    1. In the Proxy server section, click the Configure button.
    2. In the Proxy server window that opens, select the proxy server configuration mode and specify the connection settings.
    3. Click OK.

    As a result, the settings of the device connection to the Wi-Fi network via a proxy server are configured on the iOS MDM device.

13. Click OK.

    The new Wi-Fi network is displayed in the list.

14. Click the Apply button to save the changes you have made.

As a result, a Wi-Fi network connection will be configured on the user's iOS MDM device once the policy is applied. The user's mobile device will automatically connect to available Wi-Fi networks. Data security during a Wi-Fi network connection is ensured by the authentication technology.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring email

This section contains information on configuring mailboxes on mobile devices.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring a mailbox on iOS MDM devices

To enable an iOS MDM device user to work with email, add the user's email account to the list of accounts on the iOS MDM device.

By default, the email account is added with the following settings:

• Email protocol – IMAP.
• The user can move email messages between the user's accounts and synchronize account addresses.
• The user can use any email clients (other than Mail) to use email.
• The SSL connection is not used during transmission of messages.

You can edit the specified settings when adding the account.

To add an email account of the iOS MDM device user:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the Email.
5. Click the Add button in the Email account section.

   The Email account window opens.

6. In the Description field, enter a description of the user's email account.
7. Select the email protocol:
   • POP
   • IMAP
8. If necessary, specify the IMAP path prefix in the IMAP path prefix field.

   The IMAP path prefix must be entered using upper-case letters (for example: GMAIL for Google Mail). This field is available if the IMAP account protocol is selected.

9. In the User name as displayed in messages field, enter the user name to be displayed in the From: field for all outgoing messages.
10. In the Email address field, specify the email address of the iOS MDM device user.
11. Configure Additional Settings of the email account:
    • To allow the user to move email messages between the user's accounts, select the Allow movement of messages between accounts check box.
    • To allow the email addresses used to be synchronized among user accounts, select the Allow sync of recent addresses check box.
    • To allow a user to use the Mail Drop service to forward large-sized attachments, select the Allow Mail Drop check box.
    • To allow the user to use only the standard iOS mail client, select the Allow use of only Mail app check box.
12. Configure the settings for using the S/MIME protocol in the Mail app. S/MIME is a protocol for transmitting digitally signed encrypted messages.
    • To use the S/MIME protocol to sign outgoing mail, select the Sign messages check box and select a certificate for the signature. A digital signature confirms the authenticity of the sender and indicates that the contents of the message have not been modified during transmission to the recipient. A message signature is available on devices running iOS version 10.3 or later.
    • To use the S/MIME protocol to encrypt outgoing mail, select the Encrypt messages by default check box and select a certificate for encryption (public key). Message encryption is available on devices running iOS version 10.3 or later.
    • To enable a user to encrypt individual messages, select the Show toggle button for encrypting messages check box. To send encrypted messages, the user must click the icon in the Mail app in the To field.
13. In the Inbound mail server and Outbound mail server sections, click the Settings button to configure the server connection settings:
    • Server address and port: Names of hosts or IP addresses of inbound mail servers and outbound mail servers and server port numbers.
    • Account name: Name of the user's account for inbound and outbound mail server authorization.
    • Authentication type: Type of user's email account authentication on inbound mail servers and outbound mail servers.
    • Password: Account password for authentication on the inbound and outbound mail server protected using the selected authentication method.
    • Use one password for incoming and outgoing mail servers: use one password for user authentication on incoming and outgoing mail servers.
    • Use SSL connection: usage of the SSL (Secure Sockets Layer) data transport protocol that uses encryption and certificate-based authentication to secure data transmission.
14. Click OK.

    The new email account appears in the list.

15. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, email accounts from the compiled list will be added on the user's mobile device.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring an Exchange mailbox on iOS MDM devices

To enable the iOS MDM device user to use corporate email, calendar, contacts, notes, and tasks, add the user's Exchange ActiveSync account on the Microsoft Exchange server.

By default, an account with the following settings is added on the Microsoft Exchange server:

• Email is synchronized once per week.
• The user can move messages between the user's accounts and synchronize account addresses.
• The user can use any email clients (other than Mail) to use email.
• The SSL connection is not used during transmission of messages.

You can edit the specified settings when adding the Exchange ActiveSync account.

To add the Exchange ActiveSync account of the iOS MDM device user:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the Exchange ActiveSync section.
5. Click the Add button in the Exchange ActiveSync accounts section.

   The Exchange ActiveSync account window opens on the General tab.

6. In the Account name field, enter the account name for authorization on the Microsoft Exchange server. You can use macros from the Macros available drop-down list.
7. In the Server address field, enter the network name or IP address of the Microsoft Exchange server.
8. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of data, select the Use SSL connection check box.
9. In the Domain field, enter the name of the iOS MDM device user's domain. You can use macros from the Macros available drop-down list.
10. In the Account User Name field, enter the name of the iOS MDM device user.

    If you leave this field blank, Kaspersky Device Management for iOS prompts the user to enter the user name when applying the policy on the iOS MDM device. You can use macros from the Macros available drop-down list.

11. In the Email address field, specify the email address of the iOS MDM device user. You can use macros from the Macros available drop-down list.
12. In the Password field, enter the password of the Exchange ActiveSync account for authorization on the Microsoft Exchange server.
13. Select the Additional tab and configure the additional settings of the Exchange ActiveSync account:
    • Number of Days to Sync Mail for <time period>.
    • Authentication type.
    • Allow movement of messages between accounts.
    • Allow sync of recent addresses.
    • Allow use of only Mail app.
14. Configure the settings for using the S/MIME protocol in the Mail app. S/MIME is a protocol for transmitting digitally signed encrypted messages.
    • To use the S/MIME protocol to sign outgoing mail, select the Sign messages check box and select a certificate for the signature. A digital signature confirms the authenticity of the sender and indicates that the contents of the message have not been modified during transmission to the recipient. A message signature is available on devices running iOS version 10.3 or later.
    • To use the S/MIME protocol to encrypt outgoing mail, select the Encrypt messages by default check box and select a certificate for encryption (public key). Message encryption is available on devices running iOS version 10.3 or later.
    • To enable a user to encrypt individual messages, select the Show toggle button for encrypting messages check box. To send encrypted messages, the user must click the icon in the Mail app in the To field.
15. Click OK.

    The new Exchange ActiveSync account appears in the list.

16. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, Exchange ActiveSync accounts from the compiled list will be added on the user's mobile device.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring an Exchange mailbox on Android devices (only Samsung)

To work with corporate mail, contacts, and the calendar on the mobile device, you should configure the Exchange mailbox settings (available only on Android 9 and earlier).

Configuration of an Exchange mailbox is possible only for Samsung devices.

To configure an Exchange mailbox on a mobile device:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Manage Samsung KNOX → Manage Samsung devices section.
5. In the Exchange ActiveSync window, click the Configure button.

   The Exchange mail server settings window opens.

6. In the Server address field, enter the IP address or DNS name of the server hosting the mail server.
7. In the Domain field, enter the name of the mobile device user's domain on the corporate network.
8. In the Synchronization interval drop-down list, select the desired interval for mobile device synchronization with the Microsoft Exchange server.
9. To use the SSL (Secure Sockets Layer) data transport protocol, select the Use SSL connection check box.
10. To use digital certificates to protect data transfer between the mobile device and the Microsoft Exchange server, select the Verify server certificate check box.
11. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installing root certificates on Android devices

A root certificate is a public key certificate issued by a trusted certificate authority (CA). Root certificates are used to verify custom certificates and guarantee their identity.

Kaspersky Security Center lets you add root certificates for Android devices operating in device owner mode. These root certificates are automatically installed to a trusted certificate store on devices.

To add a root certificate in Kaspersky Security Center:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Root certificates section.
5. In the Root certificates section, click Add.

   The file explorer opens.

6. Select a certificate file (.cer, .pem, or .key) and click Open.

   The Certificate window opens.

7. View the certificate information and click Install Certificate...

   This starts the standard Certificate Import Wizard.

8. Follow the wizard's instructions.

   After the wizard is finished, the root certificate appears in the list of certificates.

The added root certificates will be installed on Android devices in device owner mode after the next synchronization with Kaspersky Security Center.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Managing third-party mobile apps

You can use containers to monitor the activity of mobile applications launched on the user's device. A container is a special shell for mobile apps which makes it possible to control the activity of the containerized app, thereby protecting the user's personal and corporate data on the device.

In Kaspersky Security for Mobile Service Pack 3 Maintenance Release 2, there is no longer support for creating containers for mobile apps. However, containers that were created in earlier versions of the application can be added to Android devices.

You can install a containerized app on the user's device in one of the following ways:

• By sending the user an email message with a link to the installation package of the containerized app.
• By specifying a containerized app as a required or allowed app in the App Control section of the policy properties window. After the mobile device is synchronized with Kaspersky Security Center, the app distribution package in the container is automatically copied to the user's device.

To install containerized apps, installation of apps from unknown sources must be allowed on the user's mobile device. To protect your device and data after installing containerized apps, it is recommended to prohibit installation of apps from unknown sources. For details about installing apps without Google Play, please refer to the Android Help Guide.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring notifications for Kaspersky Endpoint Security for Android

If you do not want the mobile device user to be distracted by Kaspersky Endpoint Security for Android notifications, you can disable certain notifications.

The Kaspersky Endpoint Security uses the following tools to display the device protection status:

• Protection status notification. This notification is pinned to the notification bar. Protection status notification cannot be removed. The notification displays the device protection status (for example, ) and number of issues, if any. You can tap the device protection status and see the list issues in the app.
• App notifications. These notifications inform the device user about the application (for example, threat detection).
• Pop-up messages. Pop-up messages require action from the device user (for example, action to take when a threat is detected).

All Kaspersky Endpoint Security for Android notifications are enabled by default.

On Android 13, the device user should grant permission to send notifications during the Initial Configuration Wizard or later.

An Android device user can disable all notifications from Kaspersky Endpoint Security for Android in the settings on the notification bar. If notifications are disabled, the user does not monitor the operation of the app and can ignore important information (for example, information about failures during device synchronization with Kaspersky Security Center). In this case, to find out the app operating status, the user must open Kaspersky Endpoint Security for Android.

To configure the display of notifications about the operation of Kaspersky Endpoint Security for Android:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Additional section.
5. In the App notifications section, click the Configure button.

   The Device notification settings window opens.

6. Select the Kaspersky Endpoint Security for Android issues that you want to hide on the user's mobile device and click the OK button.

   The Kaspersky Endpoint Security for Android will not display issues in the protection status notification. The Kaspersky Endpoint Security for Android will continue to display protection status notification and app notifications.

   Certain Kaspersky Endpoint Security for Android issues are mandatory and impossible to disable (such as issues about license expiration).

7. To hide all notifications and pop-up messages, select the Disable notifications and pop-ups when app is background mode.

   Kaspersky Endpoint Security for Android will display the protection status notification only. The notification displays device protection status (for example, ) and number of issues. Also the app display notifications when user is working with the app (the user updates anti-virus databases manually, for example).

   Kaspersky experts recommended that you enable notifications and pop-up messages. If you disable notifications and pop-up messages when the app is in background mode, the app will not warn users about threats in real time. Mobile device users can learn about the device protection status only when they open the app.

8. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. The Kaspersky Endpoint Security for Android notifications that you disable will not be displayed on the user's mobile device.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Connecting iOS MDM devices to AirPlay

Configure the connection to AirPlay devices to enable streaming of music, photos, and videos from the iOS MDM device to AirPlay devices. To be able to use AirPlay technology, the mobile device and AirPlay devices must be connected to the same wireless network. AirPlay devices include Apple TV devices (of the second and third generations), AirPort Express devices, speakers or radio sets with AirPlay support.

Automatic connection to AirPlay devices is available for controlled devices only.

To configure the connection of an iOS MDM device to AirPlay devices:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the AirPlay section.
5. In the AirPlay devices section, select the Apply settings on device check box.
6. Click the Add button in the Passwords section.

   An empty row is added in the password table.

7. In the Device name column, enter the name of the AirPlay device on the wireless network.
8. In the Password column, enter the password to the AirPlay device.
9. To restrict access of iOS MDM devices to AirPlay devices, create a list of allowed devices in the Allowed devices section. To do so, add the MAC addresses of AirPlay devices to the list of allowed devices.

   Access to AirPlay devices that are not on the list of allowed devices is blocked. If the list of allowed devices is left blank, Kaspersky Device Management for iOS will allow access to all AirPlay devices.

10. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the user's mobile device will automatically connect to AirPlay devices to stream media content.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Connecting iOS MDM devices to AirPrint

To enable printing of documents from the iOS MDM device wirelessly using AirPrint technology, configure automatic connection to AirPrint printers. The mobile device and printer must be connected to the same wireless network. Shared access for all users has to be configured on the AirPrint printer.

To configure the connection of an iOS MDM device to an AirPrint printer:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the AirPrint section.
5. Click the Add button in the AirPrint printers section.

   The Printer window opens.

6. In the IP address field, enter the IP address of the AirPrint printer.
7. In the Resource Path field, enter the path to the AirPrint printer.

   The path to the printer corresponds to the rp (resource path) key of the Bonjour protocol. For example:

   • printers/Canon_MG5300_series
   • ipp/print
   • Epson_IPP_Printer
8. Click OK.

   The newly added AirPrint printer appears on the list.

9. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the mobile device user can wirelessly print documents on the AirPrint printer.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring the Access Point Name (APN)

To connect a mobile device to data transfer services on a mobile network, you should configure the APN (Access Point Name) settings.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring APN on Android devices (only Samsung)

Configuration of APN is possible only for Samsung devices.

A SIM card must be inserted to be able to use an access point on the user's mobile device. Access point settings are provided by the mobile telephony operator. Incorrect access point settings may result in additional mobile telephony charges.

To configure the Access Point Name (APN) settings:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Manage Samsung KNOX → APN section.
5. In the APN section, click the Configure button.

   The APN settings window opens.

6. On the General tab, specify the following access point settings:
   1. In the APN type drop-down list, select the type of access point.
   2. In the APN name field, specify the name of the access point.
   3. In the MCC field, enter the mobile country code (MCC).
   4. In the MNC field, enter the mobile network code (MNC).
   5. If you have selected MMS or Internet and MMS as the type of access point, specify the following additional MMS settings:
      • In the MMS server field, specify the full domain name of the mobile carrier's server used for MMS exchange.
      • In the MMS proxy server field, specify the network name or IP address of the proxy server and the port number of the mobile carrier's server used for MMS exchange.
7. On the Additional tab, configure the additional settings of the Access Point Name (APN):
   1. In the Authentication type drop-down list, select the type of mobile device user's authentication on the mobile carrier's server for network access.
   2. In the Server address field, specify the network name of the mobile carrier's server through which data transmission services are accessed.
   3. In the Proxy server address field, specify the network name or IP address and port number of the mobile carrier's proxy server for network access.
   4. In the User name field, enter the user name for authorization on the mobile network.
   5. In the Password field, enter the password for user authorization on the mobile network.
8. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring APN on iOS MDM devices

The Access Point Name (APN) has to be configured in order to enable the mobile network data transmission service on the user's iOS MDM device.

The APN section is out of date. It is recommended to configure APN settings in the Cellular communications section. Before configuring cellular communication settings, make sure that the settings of the APN section have not been applied on the device (the Apply settings on device check box is cleared). The settings of the APN and Cellular communications sections cannot be used concurrently.

To configure an access point on a user's iOS MDM device:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the Cellular communications section.
5. In the Cellular communication settings section, select the Apply settings on device check box.
6. In the APN type list, select the type of access point for data transfer on a GPRS/3G/4G mobile network:
   • Built-in APN – configuration of cellular communication settings for data transfer via a mobile network operator that supports operation with a built-in Apple SIM. For more details about devices with a built-in Apple SIM, please visit the Apple Technical Support website.
   • APN – configuration of cellular communication settings for data transfer via the mobile network operator of the inserted SIM card.
   • Built-in APN and APN – configuration of cellular communication settings for data transfer via the mobile network operators of the inserted SIM card and the built-in Apple SIM. For more details about devices with a built-in Apple SIM and a SIM card slot, please visit the Apple Technical Support website.
7. In the APN name field, specify the name of the access point.
8. In the Authentication type drop-down list, select the type of device user authentication on the mobile operator's server for network access (internet and MMS):
9. In the User name field, enter the user name for authorization on the mobile network.
10. In the Password field, enter the password for user authorization on the mobile network.
11. In the Proxy server address and port field, enter the name of a host or the IP address of a proxy server and the number of the proxy server port.
12. Click the Apply button to save the changes you have made.

As a result, the access point name (APN) is configured on the user's mobile device after the policy is applied.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring the Android work profile

This section contains information about working with an Android work profile.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About Android work profile

Android Enterprise is a platform for managing the corporate mobile infrastructure, which provides company employees with a work environment in which they can use mobile devices. For details on using Android Enterprise, see the Google support website.

You can create the Android work profile (hereinafter also "work profile") on the user's mobile device. Android work profile is a safe environment on the user's device in which the administrator can manage apps and user accounts without restricting the user's use of his/her own data. When a work profile is created on the user's mobile device, the following corporate apps are automatically installed to it: Google Play Market, Google Chrome, Downloads, Kaspersky Endpoint Security for Android, and others. Corporate apps installed in the work profile and notifications of these apps are marked with a icon. You have to create a separate Google corporate account for the Google Play Market app. Apps installed in the work profile appear in the common list of apps.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring the work profile

To configure the settings of the Android work profile:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Android work profile.
5. In the Android work profile workspace, select the Create work profile check box.
6. Specify the work profile settings:
   • To enable App Control in the Android work profile and disable it in the personal profile, select the Enable App Control in work profile only check box.

     In the Users section you can select App Control and use the workspace to create lists of allowed, blocked, recommended, and required apps, as well as allowed and blocked app categories in the section.

   • To enable Web Protection in the work profile and disable it in the personal profile for the Google Chrome browser, select the Enable Web Protection in work profile only check box.

     For Samsung Internet Browser and Huawei Browser, leave the Enable Web Protection in work profile only check box unselected. These browsers do not allow you to enable Web Protection only in the work profile. If you select this check box, Web Protection in these browsers will not work.

     You can specify website access settings (create a list of blocked website categories or a list of allowed websites) in the Web Protection section.

   • To prohibit the user from copying data by means of the Clipboard from work profile apps to personal apps, select the Prohibit data transfer from work profile to personal profile check box.
   • To block the user from using USB debugging mode on the mobile device in the work profile, select the Prohibit activation of USB debugging mode check box.

     In USB debugging mode, the user can download an app by using a workstation, for example.

   • To prohibit the user from installing apps in the Android work profile from all sources except Google Play, select the Prohibit installation of apps in work profile from unknown sources check box.
   • To prohibit the user from removing apps from the Android work profile, select the Prohibit removal of apps from work profile check box.
   • To also install the VPN-certificate in the personal profile, select the Duplicate installation of the VPN-certificate in personal profile check box. By default, VPN-certificates received from Kaspersky Security Center are installed in the work profile. This setting is applied when a new VPN-certificate is issued.
7. To configure work profile settings on the user's mobile device, block changes to settings.
8. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. The space of the user's mobile device is divided into a work profile and a personal profile.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Adding an LDAP account

To enable the iOS MDM device user to access corporate contacts on the LDAP server, add the LDAP account.

To add the LDAP account of the iOS MDM device user:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the LDAP section.
5. Click the Add button in the LDAP accounts section.

   The LDAP account window opens.

6. In the Description field, enter a description of the user's LDAP account. You can use macros from the Macros available drop-down list.
7. In the Account name field, enter the account name for authorization on the LDAP server. You can use macros from the Macros available drop-down list.
8. In the Password field, enter the password of the LDAP account for authorization on the LDAP server.
9. In the Server address field, enter the name of the LDAP server domain. You can use macros from the Macros available drop-down list.
10. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of messages, select the Use SSL connection check box.
11. Compile a list of search queries for the iOS MDM mobile device user access to corporate data on the LDAP server:
    1. Click the Add button in the Search settings section.

       A blank row appears in the table with search queries.

    2. In the Name column, enter the name of a search query.
    3. In the Search scope column, select the nesting level of the folder for the corporate data search on the LDAP server:
       • Base – search in the base folder of the LDAP server.
       • One level – search in folders on the first nesting level counting from the base folder.
       • Subtree – search in folders on all nesting levels counting from the base folder.
    4. In the Search base column, enter the path to the folder on the LDAP server with which the search begins (for example: "ou=people", "o=example corp").
    5. Repeat steps a-d for all search queries that you want to add to the iOS MDM device.
12. Click OK.

    The new LDAP account appears in the list.

13. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, LDAP accounts from the compiled list will be added on the user's mobile device. The user can access corporate contacts in the standard iOS apps: Contacts, Messages, and Mail.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Adding a calendar account

To enable the iOS MDM device user to access the user's calendar events on the CalDAV server, add the CalDAV account. Synchronization with the CalDAV server enables the user to create and receive invitations, receive event updates, and synchronize tasks with the Reminders app.

To add the CalDAV account of the iOS MDM device user:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the Calendar section.
5. Click the Add button in the CalDAV accounts section.

   The CalDAV account window opens.

6. In the Description field, enter a description of the user's CalDAV account.
7. In the Server address and port field, enter the name of a host or the IP address of a CalDAV server and the number of the CalDAV server port.
8. In the Main URL field, specify the URL of the CalDAV account of the iOS MDM device user on the CalDAV server (for example: http://example.com/caldav/users/mycompany/user).

   The URL should begin with "http://" or "https://".

9. In the Account name field, enter the account name for authorization on the CalDAV server.
10. In the Password field, set the CalDAV account password for authorization on the CalDAV server.
11. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of event data between the CalDAV server and the mobile device, select the Use SSL connection check box.
12. Click OK.

    The new CalDAV account appears in the list.

13. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, CalDAV accounts from the compiled list will be added on the user's mobile device.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Adding a contacts account

To enable the iOS MDM device user to synchronize data with the CardDAV server, add the CardDAV account. Synchronization with the CardDAV server enables the user to access the contact details from any device.

To add the CardDAV account of the iOS MDM device user:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the Contacts section.
5. Click the Add button in the CardDAV accounts section.

   The CardDAV account window opens.

6. In the Description field, enter a description of the user's CardDAV account. You can use macros from the Macros available drop-down list.
7. In the Server address and port field, enter the name of a host or the IP address of a CardDAV server and the number of the CardDAV server port.
8. In the Main URL field, specify the URL of the CardDAV account of the iOS MDM device user on the CardDAV server (for example: http://example.com/carddav/users/mycompany/user).

   The URL should begin with "http://" or "https://".

9. In the Account name field, enter the account name for authorization on the CardDAV server. You can use macros from the Macros available drop-down list.
10. In the Password field, set the CardDAV account password for authorization on the CardDAV server.
11. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of contacts between the CardDAV server and the mobile device, select the Use SSL connection check box.
12. Click OK.

    The new CardDAV account appears in the list.

13. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, CardDAV accounts from the compiled list will be added on the user's mobile device.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring calendar subscription

To enable the iOS MDM device user to add events of shared calendars (such as the corporate calendar) to the user's calendar, add subscription to this calendar. Shared calendars are calendars of other users who have a CalDAV account, iCal calendars, and other openly published calendars.

To add calendar subscription:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the Calendar subscription section.
5. Click the Add button in the Calendar subscriptions section.

   The Calendar Subscription window opens.

6. In the Description field, enter a description of the calendar subscription.
7. In the Server web address field, specify the URL of the third-party calendar.

   In this field, you can enter the mail URL of the CalDAV account of the user to whose calendar you are subscribing. You can also specify the URL of an iCal calendar or a different openly published calendar.

8. In the User name field, enter the user account name for authentication on the server of the third-party calendar.
9. In the Password field, enter the calendar subscription password for authentication on the server of the third-party calendar.
10. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of event data between the CalDAV server and the mobile device, select the Use SSL connection check box.
11. Click OK.
12. The new calendar subscription appears in the list.
13. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, events from shared calendar on the list will be added to the calendar on the user's mobile device.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Adding web clips

A web clip is an app that opens a website from the Home screen of the mobile device. By clicking web clip icons on the home screen of the device, the user can quickly open websites (such as the corporate website).

You can add web clips to user devices and specify web clip icons displayed on the screen.

Adding web clips to Android devices

To add a web clip on a user's Android device:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Device management section.
5. In the Adding web clips to device home screen section, click Add.

   The Add web clip window opens.

6. In the Name field, enter the name of the web clip to be displayed on the home screen of the Android device.
7. In the URL field, enter the web address of the website that will open when the web clip icon is clicked. The address should begin with "http://" or "https://".
8. In the Icon field, specify the image for the web clip icon: click Browse... and select an image file. The PNG and JPEG file formats are supported. If you do not select an image for the web clip, a blank square is displayed as the icon.
9. Click OK.

   The new web clip appears in the list.

10. Click the Apply button to save the changes you have made.

Once the policy is applied to a device, the Kaspersky Endpoint Security for Android app shows notifications to prompt the user to install the web clips you created. After the user installs these web clips, the corresponding icons are added on the home screen of the device.

The maximum number of web clips that can be added to an Android device depends on the device type. When this number is reached, web clips are no longer added to the Android device.

Adding web clips to iOS MDM devices

By default, the following restrictions on web clip usage apply:

• The user cannot manually remove web clips from the mobile device.
• Websites that open when the user clicks a web clip icon do not open in full-screen mode.
• The corner rounding, shadow, and gloss visual effects are applied to the web clip icon on the screen.

To add a web clip on a user's iOS MDM device:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the Web Clips section.
5. Click the Add button in the Web Clips section.

   The Web Clip window opens.

6. In the Name field, enter the name of the web clip to be displayed on the home screen of the iOS MDM device.
7. In the URL field, enter the web address of the website that will open when the web clip icon is clicked. The address should begin with "http://" or "https://".
8. To allow the user to remove a web clip from the iOS MDM device, select the Allow removal check box.
9. Click the Select button and specify the file with the image for the web clip icon.

   The icon is displayed on the home screen of the iOS MDM device. The image must meet the following requirements:

   • Image size no greater than 400 х 400 pixels.
   • File format: GIF, JPEG, or PNG.
   • File size no greater than 1 MB.

   The web clip icon is available for preview in the Icon field. If you do not select an image for the web clip, a blank square is displayed as the icon.

   If you want the web clip icon to be displayed without special visual effects (rounding of icon corners and gloss effect), select the Precomposed icon check box.

10. If you want the website to open in full-screen mode on the iOS MDM device when you click the icon, select the Full screen Web Clip check box.
11. Click OK.

    The new web clip appears in the list.

12. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, web clip icons from the list you have created are added on the home screen of the user's mobile device.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Adding fonts

To add a font on a user's iOS MDM device:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the Fonts section.
5. Click the Add button in the Fonts section.

   The Font window opens.

6. In the File name field, specify the path to the font file (a file with the .ttf or .otf extension).

   Fonts with the ttc or otc extension are not supported.

   Fonts are identified using the PostScript name. Do not install fonts with the same PostScript name even if their content is different. Installing fonts with the same PostScript name will result in an undefined error.

7. Click Open.

   The new font appears in the list.

8. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the user will be prompted to install fonts from the list that has been created.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Device owner mode

This section contains information about how to manage the settings of Android mobile devices in device owner mode. For information about device owner mode deployment, see here.

Device owner mode offers the following features and control options for Android mobile devices:

• Restrictions on Android operating system features
• Management of Google Chrome settings
• Silent installation of required apps and removal of blocked apps in App Control
• Kiosk mode
• Management of Exchange ActiveSync for Gmail
• NDES and SCEP integration

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Restricting Android features on devices

You can restrict Android operating system features in device owner mode. For example, you can restrict factory reset, changing credentials, use of Google Play and Google Chrome, file transfer over USB, changing location settings, and manage system updates.

You can restrict Android features in the Feature restrictions section.

To open the Feature restrictions section:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Device owner mode > Feature restrictions section.

Restrict device features

On the Device Features tab of the Feature restrictions section, you can enable or disable the following features:

• Prohibit factory reset

  Selecting or clearing this check box specifies whether the device user is allowed to perform a factory reset from device settings.

  This check box is cleared by default.

• Prohibit screen capture

  Selecting or clearing this check box specifies whether the device user is allowed to take screenshots or capture the device screen.

  This check box is cleared by default.

• Prohibit outgoing phone calls

  Selecting or clearing this check box specifies whether the device user is allowed to make outgoing phone calls on this device.

  This check box is cleared by default.

• Prohibit sending and receiving SMS messages

  Selecting or clearing this check box specifies whether the device user is allowed to send and receive SMS messages on this device.

  This check box is cleared by default.

• Prohibit changing credentials

  Selecting or clearing this check box specifies whether the device user is allowed to change user credentials in the operating system.

  This check box is cleared by default.

• Prohibit status bar (Android 6.0 or later)

  Preventing the status bar from being displayed.

  If the check box is selected, the status bar is not displayed on the device. Notifications and quick settings accessible via the status bar are also blocked.

  If the check box is cleared, the status bar can be displayed on the device.

  The restriction is supported on devices with Android 6.0 or later.

  This check box is cleared by default.

• Prohibit safe boot (Android 6.0 or later)

  Selecting or clearing this check box specifies whether the device user is allowed to boot the device in safe mode.

  The restriction is supported on devices with Android 6.0 or later.

  This check box is cleared by default.

• Force screen on when plugged in to AC charger (Android 6.0 or later)

  Selecting or clearing the check box specifies if the device screen will be on while the device is charging with an AC charger.

  The restriction is supported on devices with Android 6.0 or later.

  This check box is cleared by default.

• Force screen on when plugged in to USB charger (Android 6.0 or later)

  Selecting or clearing of the check box specifies whether the device screen will be on while the device is charging via a USB charger.

  The restriction is supported on devices with Android 6.0 or later.

  This check box is cleared by default.

• Force screen on when plugged in to wireless charger (Android 6.0 or later)

  Selecting or clearing this check box specifies whether the device screen will be on while the device is charging via a wireless charger.

  The restriction is supported on devices with Android 6.0 or later.

  This check box is cleared by default.

Restrict app features

On the Apps tab of the Feature restrictions section, you can enable or disable the following features:

• Prohibit use of camera

  Selecting or clearing the check box specifies whether the device user is allowed to use all cameras on the device.

  This check box is cleared by default.

• Prohibit camera toggle (Android 12.0 or later)

  Preventing the device user from toggling the camera.

  If the check box is selected, the device user cannot block the camera access via the system toggle.

  If the check box is cleared, the device user is allowed to use the camera toggle.

  The restriction is supported on devices with Android 12.0 or later.

  This check box is cleared by default.

• Prohibit use of Google Play

  Selecting or clearing the check box specifies whether the device user is allowed to use Google Play.

  This check box is cleared by default.

• Prohibit use of Google Chrome

  Preventing use of Google Chrome.

  If the check box is selected, the device user cannot start Google Chrome or configure it in system settings.

  If the check box is cleared, the device user is allowed to use Google Chrome on the device.

  The check box is cleared by default.

• Prohibit use of Google Assistant

  Selecting or clearing the check box specifies whether the device user is allowed to use Google Assistant on the device.

  This check box is cleared by default.

• Prohibit installation of apps from unknown sources

  Selecting or clearing the check box specifies whether the device user is allowed to install apps from unknown sources.

  This check box is cleared by default.

• Prohibit modification of apps in Settings

  Preventing modifying apps in Settings.

  If the check box is selected, the device user is disallowed to perform the following actions:

  • Uninstalling apps
  • Disabling apps
  • Clearing app caches
  • Clearing app data
  • Force stopping apps
  • Clearing app defaults

    If the check box is cleared, the device user is allowed to modify apps in Settings.

    This check box is cleared by default.

• Prohibit installation of apps

  Selecting or clearing the check box specifies whether the device user is allowed to install apps on the device.

  This check box is cleared by default.

• Prohibit uninstallation of apps

  Selecting or clearing the check box specifies whether a device user is allowed to uninstall apps from this device.

  This check box is cleared by default.

• Prohibit disabling app verification

  Selecting or clearing the check box specifies whether the device user is allowed to disable app verification.

  This check box is cleared by default.

Restrict storage features

On the Storage tab of the Feature restrictions section, you can enable or disable the following features:

• Prohibit debugging features

  Preventing use of debugging features.

  If the check box is selected, the device user cannot use USB debugging features and developer mode.

  If the check box is cleared, the device user is allowed to enable and access debugging features and developer mode.

  This check box is cleared by default.

• Prohibit mounting physical external media

  Selecting or clearing the check box specifies whether the device user is allowed to mount physical external media, such as SD cards and OTG adapters.

  This check box is cleared by default.

• Prohibit file transfer over USB

  Selecting or clearing this check box specifies whether the device user is allowed to transfer files over USB.

  This check box is cleared by default.

• Prohibit backup service (Android 8.0 or later)

  Selecting or clearing the check box specifies whether the device user is allowed to enable or disable the backup service.

  The restriction is supported on devices with Android 8.0 or later.

  This check box is cleared by default.

Restrict network features

On the Network tab of the Feature restrictions section, you can enable or disable the following features:

• Prohibit use of Wi-Fi

  Selecting or clearing the check box specifies whether the device user is allowed to use Wi-Fi and configure it in Settings.

  This check box is cleared by default.

• Prohibit use of Bluetooth (Android 8.0 or later)

  Preventing use of Bluetooth.

  If the check box is selected, the device user cannot turn on and configure Bluetooth via Settings.

  If the check box is cleared, the device user is allowed to use Bluetooth.

  The restriction is supported on devices with Android 8.0 and later. For earlier versions of Android, select the Prohibit use of Bluetooth check box in the Device Management section.

  This check box is cleared by default.

• Prohibit changing Wi-Fi settings

  Selecting or clearing the check box specifies whether the device user is allowed to configure Wi-Fi access points via Settings. The restriction does not affect Wi-Fi tethering settings.

  This check box is cleared by default.

• Prohibit changing pre-configured Wi-Fi networks

  Selecting or clearing the check box specifies whether the device user is allowed to change Wi-Fi configurations added by the administrator in the Wi-Fi section.

  This check box is cleared by default.

• Prohibit changing Bluetooth settings

  Selecting or clearing the check box specifies whether the device user is allowed to configure Bluetooth via Settings.

  This check box is cleared by default.

• Prohibit changing VPN settings

  Preventing changing VPN settings.

  If the check box is selected, the device user cannot configure a VPN in Settings and VPNs are prohibited from starting.

  If the check box is cleared, the device user is allowed to modify a VPN in Settings.

  This check box is cleared by default.

• Prohibit changing mobile network settings

  Selecting or clearing the check box specifies whether the device user is allowed to change mobile network settings.

  This check box is cleared by default.

• Prohibit use of Android Beam via NFC

  Selecting or clearing the check box specifies whether beaming out data from apps via NFC is allowed on the device. However, the device user can enable or disable NFC.

  This check box is cleared by default.

• Prohibit use of tethering

  Selecting or clearing the check box specifies whether the device user is allowed to configure tethering and hotspots.

  This check box is cleared by default.

• Prohibit outgoing data sharing over Bluetooth (Android 8.0 or later)

  Selecting or clearing the check box specifies whether outgoing Bluetooth data sharing is allowed on the device.

  The restriction is supported on devices with Android 8.0 or later.

  This check box is cleared by default.

Restrict location services

On the Location Services tab of the Feature restrictions section, you can configure the following settings:

• Prohibit use of location

  Preventing turning location on and off.

  If the check box is selected, the device user cannot turn location on or off. Search in Anti-Theft mode becomes unavailable.

  If the check box is cleared, the device user can turn location on or off.

  This check box is cleared by default.

  If both the Prohibit use of location and Prohibit changing location settings (Android 9.0 and later) check boxes are selected, location is disabled and the device user cannot enable it.

• Prohibit changing location settings (Android 9.0 or later)

  Preventing changing location settings.

  If the check box is selected, the device user cannot change location settings or disable location.

  If the check box is cleared, the device user can change location settings.

  The restriction is supported on devices with Android 9.0 or later.

  This check box is cleared by default.

  If both the Prohibit use of location and Prohibit changing location settings (Android 9.0 and later) check boxes are selected, location is disabled and the device user cannot enable it.

Restrict system updates

Managing update settings on mobile devices is vendor-specific. On some Android devices, the restriction on manual installation of operating system updates may work incorrectly.

On the Updates tab of the Feature restrictions section, you can configure the following settings:

• Set system update policy

  Type of system update policy.

  If the check box is selected, one of the following system update policies is set:

  • Install updates automatically. Installs system updates immediately without user interaction. This option is selected by default.
  • Install updates during daily window. Installs system updates during a daily maintenance window without user interaction.

    The administrator also needs to set the start and end of the daily maintenance window in the Start time and End time fields respectively.

  • Postpone updates for 30 days. Postpones the installation of system updates for 30 days.

    After the specified period, the operating system prompts the device user to install the updates. The period is reset and starts again if a new system update is available.

    If the check box is cleared, a system update policy is not set.

    This check box is selected by default.

    Managing update settings on mobile devices is vendor-specific. On some Android devices, the restriction on manual installation of operating system updates may work incorrectly.

• System update freeze periods (Android 9.0 and later)

  The System update freeze periods (Android 9.0 and later) block lets you set one or more freeze periods of up to 90 days during which system updates will not be installed on the device. When the device is in a freeze period, it behaves as follows:

  • The device does not receive any notifications about pending system updates.
  • System updates are not installed.
  • The device user cannot check for system updates manually.

    To add a freeze period, click Add period and enter the start and end of the freeze period in the Start time and End time fields respectively.

  Note: Each freeze period can be at most 90 days long, and the interval between adjacent freeze periods must be at least 60 days.

  The restriction is supported on devices with Android 9.0 and later.

  Managing update settings on mobile devices is vendor-specific. On some Android devices, the restriction on manual installation of operating system updates may work incorrectly.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Managing Google Chrome settings

You can manage Google Chrome settings in the Google Chrome settings section in device owner mode.

To open the Google Chrome settings section:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Device owner mode > Google Chrome settings section.

Manage content settings

On the Content tab of the Google Chrome settings section, you can specify the following content settings:

• Set default cookie settings

  Default cookie settings.

  If the check box is selected, one of the following options will be applied to all sites by default:

  • Allow all sites to set local data (default)
  • Do not allow any site to set local data
  • Keep cookies for duration of session

    If the check box is cleared, the user's personal settings will be applied.

    The setting is supported in Google Chrome version 30 or later.

    This check box is selected by default.

    There must be no conflicting URL patterns that you specify in the Allow cookies on these sites, Block cookies on these sites, and Allow cookies on these sites for one session only fields. If no URL is specified and the Set default cookies settings check box is selected, the option selected in the drop-down list will be applied to all sites.

• Allow cookies on these sites

  A list of sites that are allowed to set cookies. You can also set URL patterns, for example: [*.]example.com.

  The setting is supported in Google Chrome version 30 or later.

• Block cookies on these sites

  A list of sites that are prohibited to set cookies. You can also set URL patterns, for example: [*.]example.com.

  The setting is supported in Google Chrome version 30 or later.

• Allow cookies on these sites for one session only

  A list of sites that are allowed to set cookies only for one session. You can also set URL patterns, for example: [*.]example.com.

  The setting is supported in Google Chrome version 30 or later.

• Set default JavaScript settings

  Default JavaScript settings.

  If the check box is selected, one of the following options will be applied and the device user will not be able to change it:

  • Allow all sites to run JavaScript (default)
  • Do not allow any site to run JavaScript

    If the check box is cleared, user personal settings will be applied.

    The setting is supported in Google Chrome version 30 or later.

    This check box is cleared by default.

    If the Allow JavaScript on these sites and Block JavaScript on these sites settings are not specified and the Set default JavaScript settings check box is selected, the selected option will be applied to all sites.

• Allow JavaScript on these sites

  A list of sites that are allowed to run JavaScript. You can also set URL patterns, for example: [*.]example.com.

  The setting is supported in Google Chrome version 30 or later.

  If the Allow JavaScript on these sites and Block JavaScript on these sites settings are not specified and the Set default JavaScript settings check box is selected, the selected option will be applied to all sites.

• Block JavaScript on these sites

  A list of sites that are prohibited to run JavaScript. You can also set URL patterns, for example: [*.]example.com.

  The setting is supported in Google Chrome version 30 or later.

  If the Allow JavaScript on these sites and Block JavaScript on these sites settings are not specified and the Set default JavaScript settings check box is selected, the selected option will be applied to all sites.

• Set default pop-up settings

  Default pop-up setting.

  If the check box is selected, one of the following options applies to pop-ups:

  • Allow all sites to show pop-ups. Lets all sites open pop-up windows. This value is selected by default.
  • Do not allow any site to show pop-ups. Prohibits all sites to open pop-up windows.

    If the check box is cleared, pop-ups are blocked, but a device user can change this behavior in Settings.

    The setting is supported in Google Chrome version 33 or later.

    The check box is cleared by default.

    If the Allow pop-ups on these sites and Block pop-ups on these sites settings are not specified and the Set default pop-up settings check box is selected, the selected option will be applied to all sites.

• Allow pop-ups on these sites

  A list of sites that are allowed to show pop-ups. You can also set URL patterns, for example: [*.]example.com.

  The setting is supported in Google Chrome version 34 or later.

  If the Allow pop-ups on these sites and Block pop-ups on these sites settings are not specified and the Set default pop-up settings check box is selected, the selected option will be applied to all sites.

• Block pop-ups on these sites

  A list of sites that are prohibited to show pop-ups. You can also set URL patterns, for example: [*.]example.com.

  The setting is supported in Google Chrome version 34 or later.

  If the Allow pop-ups on these sites and Block pop-ups on these sites settings are not specified and the Set default pop-up settings check box is selected, the selected option will be applied to all sites.

• Set user location tracking settings

  The default geographic location settings.

  If the check box is selected, one of the following options will be applied to all sites by default:

  • Allow all sites to track location
  • Do not allow any site to track location
  • Ask whenever site wants to track location (default)

    If the check box is cleared, user personal settings will be applied.

    The setting is supported in Google Chrome version 30 or later.

    This check box is cleared by default.

Manage proxy settings

On the Proxy tab of the Google Chrome settings section, you can specify the following proxy settings:

• Set proxy mode

  Proxy settings for Google Chrome and ARC-apps.

  If the check box is selected, one of the following options will be applied and the device user is prevented from changing proxy settings:

  • Never use proxy. Prohibits use of proxies and all other proxy settings are ignored. This option is selected by default.
  • Detect proxy settings automatically. Detects proxy settings automatically and all other options are ignored.
  • Use PAC file. Uses the proxy PAC file specified in the PAC file URL field.
  • Use fixed proxy servers. Uses the data specified in the Proxy server URL and Bypass list fields.
  • Use system proxy settings. Uses the system proxy settings.

    If the check box is cleared, user personal settings will be applied.

    The setting is supported in Google Chrome version 30 or later.

    This check box is selected by default.

• Proxy server URL

  A URL of the proxy server.

  The setting is supported in Google Chrome version 30 or later.

• PAC file URL

  A URL to a proxy .PAC file.

  The setting is supported in Google Chrome version 30 or later.

• Bypass list

  A list of hosts for which the proxy will be bypassed.

  The setting is supported in Google Chrome version 30 or later.

Manage search settings

On the Search tab of the Google Chrome settings section, you can specify the following search settings:

• Enable Touch to Search

  Selecting or clearing this check box specifies whether the device user is allowed to use Touch to Search and turn the feature on or off.

  The setting is supported in Google Chrome version 40 or later.

  This check box is selected by default.

• Enable default search provider

  Default search provider settings.

  If the check box is selected, a default search provider is used when a user enters non-URL text in the address bar. The default search provider depends on search provider settings below this check box:

  • If you leave search provider settings empty, the device user can choose the search provider in the browser settings.
  • If you configure settings of the default search provider, this search provider is always used, and the device user can't choose the search provider in the browser.

  This check box is selected by default, but the default search provider settings are not configured.

  If you want to disable search in Google Chrome, we recommend that you leave the Enable default search provider check box selected and set the Search provider name parameter to the site of a non-search system. On some Google Chrome versions, there can be problems in Google Chrome operation if the check box is cleared.

  The setting is supported in Google Chrome version 30 or later.

  The default search provider parameters are:

  • Search provider name
  • Keyword
  • Search URL
  • Suggest URL
  • Icon URL
  • Encodings
  • Alternate URLs
  • Image URL
  • New tab URL
  • Parameters for search URL that uses POST
  • Parameters for suggest URL that uses POST
  • Parameters for image URL that uses POST
• Search provider name

  The default search provider name.

  The setting is supported in Google Chrome version 30 or later.

• Keyword

  A keyword or shortcut used in the address bar to trigger the search for the search provider.

  The setting is supported in Google Chrome version 30 or later.

• Search URL

  The URL of the search engine used during default searches.

  The setting is supported in Google Chrome version 30 or later.

• Suggest URL

  The URL of the search engine to provide search suggestions.

  The setting is supported in Google Chrome version 30 or later.

• Icon URL

  The URL of the default search provider's favicon.

  The setting is supported in Google Chrome version 30 or later.

• Encodings

  Character encodings supported by the search provider. The supported encodings are:

  • UTF-8
  • UTF-16
  • GB2312
  • ISO-8859-1

    The setting is supported in Google Chrome version 30 or later.

• Alternate URLs

  A list of alternate URLs to retrieve search terms from the search engine.

  The setting is supported in Google Chrome version 30 or later.

• Image URL

  The URL of the search engine used for image search.

  The setting is supported in Google Chrome version 30 or later.

• New tab URL

  The URL of the search engine used to provide a New Tab page.

  The setting is supported in Google Chrome version 30 or later.

• Parameters for search URL that uses POST

  URL parameters when searching a URL with the POST method. The parameters are comma-separated key-value pairs. If a value is a template parameter, for example, '{searchTerms}', it is replaced with real search terms. For example:

  q={searchTerms},ie=utf-8,oe=utf-8

  The setting is supported in Google Chrome version 30 or later.

• Parameters for suggest URL that uses POST

  URL parameters for search suggestions using the POST method. The parameters are comma-separated key-value pairs. If a value is a template parameter, for example, '{searchTerms}', it is replaced with real search terms. For example:

  q={searchTerms},ie=utf-8,oe=utf-8

  The setting is supported in Google Chrome version 30 or later.

• Parameters for image URL that uses POST

  URL parameters for image search using the POST method. The parameters are comma-separated key-value pairs. If a value is a template parameter, for example, '{imageThumbnail}', it is replaced with the real image thumbnail. For example:

  content={imageThumbnail},url={imageURL},sbisrc={SearchSource}

  The setting is supported in Google Chrome version 30 or later.

Manage password settings

On the Passwords tab of the Google Chrome settings section, you can specify the following password settings:

• Enable saving passwords

  Selecting or clearing the check box specifies whether Google Chrome will remember the passwords the device user enters and also offer them the next time the device user signs in.

  The setting is supported in Google Chrome version 30 or later.

  This check box is selected by default.

Manage page settings

On the Pages tab of the Google Chrome settings section, you can specify the following page settings:

• Enable alternate error pages

  Selecting the check box specifies whether Google Chrome is allowed to use built-in error pages, such as "Page not found".

  The setting is supported in Google Chrome version 30 or later.

  This check box is selected by default.

• Enable AutoFill for addresses

  Autofill settings for addresses.

  If the check box is selected, the device user is allowed to manage AutoFill for addresses in the user interface.

  If the check box is cleared, AutoFill never suggests or fills in address information, nor does it save additional address information that the device user submits while browsing the web.

  The setting is supported in Google Chrome version 69 or later.

  This check box is selected by default.

• Enable AutoFill for credit cards

  Autofill settings for credit cards.

  If the check box is selected, the device user is allowed to manage AutoFill suggestions for credit cards in the user interface.

  If the check box is cleared, AutoFill never suggests or fills in credit card information, nor does it save additional credit card information that the device user might submit while browsing the web.

  The setting is supported in Google Chrome version 63 or later.

  This check box is selected by default.

Manage other settings

On the Other tab of the Google Chrome settings section, you can specify the following settings:

• Enable printing

  Selecting or clearing this check box specifies whether the device user is allowed to print in Google Chrome.

  The setting is supported in Google Chrome version 39 or later.

  This check box is selected by default.

• Set Google Safe Browsing settings

  Google Safe Browsing protection level.

  If the check box is selected, the device user is allowed to manage the Google Safe Browsing settings in Google Chrome, as well as select the protection level. The protection levels are:

  • Google Safe Browsing is never active. Disables Google Safe Browsing completely.
  • Google Safe Browsing is active in standard mode. Makes Google Safe Browsing always enabled in standard protection mode. This option is selected by default.
  • Google Safe Browsing is active in enhanced mode. Makes Google Safe Browsing always enabled in enhanced protection mode, but device user browsing experience data will be sent to Google.

    If the check box is cleared, Google Safe Browsing will operate in standard protection mode and the device user is allowed to change Google Safe Browsing settings.

    The setting is supported in Google Chrome version 87 or later.

    This check box is selected by default.

• Disable saving browser history

  Selecting or clearing this check box specifies whether browsing history is saved and tab syncing is on.

  The setting is supported in Google Chrome version 30 or later.

  This check box is cleared by default.

• Disable proceeding from Google Safe Browsing warning page

  Selecting or clearing this check box specifies whether the device user is allowed to proceed to the flagged site on Google Safe Browsing warnings, such as malware and phishing. The restriction does not apply to issues related to SSL certificate, such as invalid or expired certificates.

  The setting is supported in Google Chrome version 30 or later.

  This check box is cleared by default.

• Enable network prediction

  Selecting or clearing this check box specifies whether Google Chrome will predict such network actions as DNS prefetching, TCP and SSL preconnection and prerendering of webpages.

  If the check box is cleared, network prediction is disabled, but the device user can enable it.

  The setting is supported in Google Chrome version 38 or later.

  This check box is cleared by default.

• Force Google SafeSearch

  Selecting or clearing this check box specifies whether Google Search queries will be performed via Google SafeSearch.

  The setting is supported in Google Chrome version 41 or later.

  This check box is cleared by default.

• Set Restricted Mode for YouTube

  Minimum required Restricted Mode level for YouTube.

  If the check box is selected, a minimum required Restricted Mode level for YouTube is set and the device user cannot pick a less restricted mode. Restricted mode levels are:

  • Do not enforce Restricted Mode. Specifies that Google Chrome does not force Restricted mode. However, external policies might still enforce Restricted mode. This option is selected by default.
  • Enforce at least Moderate Restricted Mode. Lets a device user enable the Moderate and Strict Restricted mode on YouTube, but prohibits turning Restricted mode off.
  • Enforce Strict Restricted Mode. Makes Strict Restricted mode on YouTube be always active.

    If the check box is cleared, Google Chrome does not require use of Restricted mode for YouTube, but Restricted mode can be enforced by external rules, such as YouTube rules.

    The setting is supported in Google Chrome version 55 or later.

    This check box is selected by default.

• Set availability of Incognito mode

  Availability of Incognito mode in Google Chrome.

  If the check box is selected, the admin can specify whether the device user is allowed to open pages in Incognito mode by selecting one of the following options:

  • Incognito mode is available (default)
  • Incognito mode is disabled

    If the check box is cleared, the device user cannot open pages in Incognito mode in Google Chrome.

    The setting is supported in Google Chrome version 30 or later.

    This check box is selected by default.

• Enable search suggestions

  Selecting or clearing this check box specifies whether search suggestions are enabled in Google Chrome's address bar.

  The setting is supported in Google Chrome version 30 or later.

  This check box is selected by default.

• Set Translate settings

  Enabling translation functionality.

  If the check box is selected, the administrator can set the following translation options:

  • Always offer translation. Shows the integrated translation toolbar and a translate option on the right-click context menu. This option is selected by default.
  • Never offer translation. Disables all built-in translation functionality.

    If the check box is cleared, the user's personal settings will be applied.

    The setting is supported in Google Chrome version 30 or later.

    This check box is cleared by default.

• Enable bookmark editing

  Selecting or clearing this check box specifies whether the device user is allowed to add, remove, or modify bookmarks.

  The setting is supported in Google Chrome version 30 or later.

  This check box is selected by default.

• Managed bookmarks

  An admin-managed list of bookmarks. The list is a dictionary where the keys are the "name" and "url". In other words, the key holds a bookmark's name and target. You can also set up a subfolder with a "children" key, which also has a list of bookmarks.

  By default, the folder name for managed bookmarks is "Managed bookmarks". You can change it by adding a new sub-dictionary. To do this, specify the "toplevel_name" key with the required folder name as its value.

  If you enter an incomplete URL as a bookmark's target, Google Chrome will substitute it with a URL as if it was submitted through the address bar. For example, "kaspersky.com" becomes "https://www.kaspersky.com".

  For example:

  "ManagedBookmarks": [{

  //Changes the default folder name

  "toplevel_name": "My managed bookmarks folder"

  },

  {

  //Adds a bookmark to the managed bookmarks folder

  "name": "Kaspersky",

  "url": "kaspersky.com"

  },

  {

  "name": "Kaspersky products",

  "children": [{

  "name": "Kaspersky Endpoint Security",

  "url": "kaspersky.com/enterprise-security/endpoint"

  },

  {

  "name": "Kaspersky Security for Mail Server",

  "url": "kaspersky.com/enterprise-security/mail-server-security"

  }

  ]

  }

  ]

  The setting is supported in Google Chrome version 37 or later.

• Block access to these URLs

  A list of forbidden URLs. You can also set URL patterns, for example: [*.]example.com.

  The setting is supported in Google Chrome version 86 or later.

• Allow access to these URLs (exceptions to blocked URLs)

  A list of URLs that are exceptions to the list specified in Block access to these URLs. You can also set URL patterns, for example: [*.]example.com.

  The setting is supported in Google Chrome version 86 or later.

• Set minimum SSL version

  Minimum allowed SSL version.

  If the check box is selected, Google Chrome will not use SSL and TLS older than the selected version. Available version are:

  • TLS 1.0 (default)
  • TLS 1.1
  • TLS 1.2

    If the check box is cleared, Google Chrome will report an error for TLS 1.0 and TLS 1.1 protocols, but the device user will be able to bypass it.

    The setting is supported in Google Chrome version 66 or later.

    This check box is cleared by default.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring Kiosk mode

Kiosk mode is a Kaspersky Endpoint Security for Android feature that lets you limit the set of apps available to a device user, whether a single app or multiple apps. You can also efficiently manage some device settings.

The kiosk mode settings apply to devices managed via Kaspersky Endpoint Security for Android in device owner mode.

Kiosk mode types

The following kiosk mode types are available in Kaspersky Endpoint Security:

• Single-app mode - Kiosk mode with only a single app. In this mode, a device user can open only one app that is allowed on the device and specified in the kiosk mode settings.

  If the app that you want to add to kiosk mode is not installed on the device, kiosk mode activates after the app is installed.

  On devices with Android 9.0 or later, an app must support kiosk mode functionality and call the startLockTask() method itself to launch the app.

  On devices with Android 9.0 or earlier, the app launches directly in kiosk mode.

• Multi-app mode - Kiosk mode with multiple apps. In this mode, a device user can open only the set of apps that are allowed on the device and specified in the kiosk mode settings.

Presettings

Pre-configuration for kiosk mode includes the following:

• Before specifying apps that are allowed to be run on the device in kiosk mode, you need first to add these apps in App Control > List of categories and apps and mark them as required. Then, they will appear in the App package list of the kiosk mode.

  Recently added required apps may not appear in the App package list. To view all added apps and select the app for single-app mode, you need to save and close the policy, and then reopen it. All added apps will appear in the list.

• Before activating kiosk mode, we recommend that you prohibit launching of Google Assistant by enabling the corresponding restriction in Policy > Device owner mode > Feature restrictions > Apps > Prohibit use of Google Assistant. Otherwise, Google Assistant launches in kiosk mode and allows non-trusted apps to be opened.

Open the kiosk mode settings

To open the kiosk mode settings:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Device owner mode > Kiosk mode section.

Configure single-app mode

To configure single-app mode:

1. In the Kiosk mode drop-down list, select Single-app mode.
2. In the App package drop-down list, select an app package with the app that is allowed to be run on the device.
3. Specify any required restrictions. For available restrictions, see Kiosk mode restrictions below.
4. Select the Trusted apps check box if you want to add additional apps that are allowed on the device. To learn how to do this, see Add trusted apps below.
5. Click the Apply button to save the changes you have made.

Configure multi-app mode

To configure multi-app mode:

1. In the Kiosk mode drop-down list, select Multi-app mode.
2. Click Add, select apps that are allowed to be run on the device, and then click OK.
3. Specify any required restrictions. For available restrictions, see Kiosk mode restrictions below.
4. Select the Allow navigation to trusted apps check box if you want to add additional apps that are allowed on the device. To learn how to do this, see Add trusted apps below.
5. Click the Apply button to save the changes you have made.

Kiosk mode restrictions

You can set the following restrictions in kiosk mode:

• Prohibit Overview button (Android 9.0 or later)

  Selecting or clearing this check box specifies whether the Overview button is hidden. This restriction is supported on devices with Android 9.0 or later.

  The check box is selected by default.

• Prohibit Home button (Android 9.0 or later)

  Selecting or clearing this check box specifies whether the Home button is hidden. This restriction is supported on devices with Android 9.0 or later.

  The check box is selected by default.

• Prohibit status bar (Android 9.0 or later)

  Selecting or clearing this check box specifies whether the status bar is blank with notifications and indicators such as connectivity, battery, and sound and vibrate options. This restriction is supported on devices with Android 9.0 or later.

  The check box is selected by default.

• Prohibit displaying system notifications (Android 9.0 or later)

  Selecting or clearing this check box specifies whether system notifications are hidden. This restriction is supported on devices with Android 9.0 or later.

  The check box is selected by default.

• Add Kaspersky Endpoint Security for Android as trusted app

  Selecting or clearing this check box specifies whether Kaspersky Endpoint Security for Android will be added to the list of trusted apps. This option is available if the Allow navigation to trusted apps check box is selected.

  The check box is selected by default.

Add trusted apps

Besides locking the device to a single app or set of apps, you can also add trusted apps that a device user can navigate to. To do this, in the Kiosk mode section:

1. Select the Allow navigation to trusted apps check box. The Trusted Apps list appears.
2. Click Add, select the desired app package name, and then click OK.
3. Click the Apply button to save the changes you have made.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Managing Exchange ActiveSync for Gmail

You can manage Exchange ActiveSync settings for Gmail in device owner mode.

To open the Exchange ActiveSync section:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Device owner mode > Exchange ActiveSync section.
5. Specify the following settings:
   • Exchange ActiveSync server address

     The Exchange ActiveSync email server URL. You don't need to use HTTP:// or HTTPS:// in front of the URL.

   • Force use of SSL

     Selecting or clearing this check box specifies whether SSL communication to the server port that you specified in the Exchange ActiveSync server address field will be used.

     The checkbox is selected by default.

   • Disable SSL certificate validation

     Selecting or clearing this check box specifies whether validation checks on SSL certificates used on Exchange ActiveSync servers will be performed. Performing a check is useful if certificates are self-signed.

     The checkbox is cleared by default.

   • Allow unmanaged accounts

     Selecting or clearing the check box specifies whether the device user is allowed to add other accounts to Gmail.

     The checkbox is selected by default.

   • Authentication type

     The authentication type used to verify a device user's email credential. Possible values:

     • Modern token-based authentication. Uses a token-based identity management method. This value is selected by default.
     • Basic authentication. Prompts the device user for their password and stores it for future use.
   • Device ID

     A string used by Kaspersky Security Center proxy or a third-party gateway to identify the device and connect it to Exchange ActiveSync. You can either enter the value or select it from the Available macros drop-down list.

   • Username

     A username that will be used to pull the username from Microsoft Active Directory. It might be different from a user's email address. You can either enter the value or select it from the Available macros drop-down list.

   • Email address

     An email address that will be used to pull the user's email address from Microsoft Active Directory. You can either enter the value or select it from the Available macros drop-down list.

   • Available macros

     A macro that will be used to replace values in the corresponding fields. Possible values:

     • %email%. Specifies the email address of the user to whom the device is registered. The value is retrieved from a mobile certificate.
     • %email_domain%. Specifies the email address domain of the user to whom the device is registered. The value is retrieved from a mobile certificate.
     • %email_user_name%. Specifies the username from the email address to which the device is registered. The value is retrieved from a mobile certificate.
     • %user_name%. Specifies the username under which the device is registered. The value is retrieved from a mobile certificate.
     • %device_id%. Specifies the ID of the device.
     • %group_id%. Specifies the ID of the administration group to which the device belongs to.
     • %device_platform%. Specifies the device platform.
     • %device_model%. Specifies the device model.
     • %os_version%. Specifies the operating system version on the device.
   • User certificate

     The string alias that represents a certificate with a private key. The certificate can be a user certificate for authentication to the Exchange ActiveSync servers.

   • Default synchronization interval

     The default time interval when the Exchange ActiveSync servers synchronize mail items to Gmail. Possible values:

     • 1 day
     • 3 days
     • 1 week (default)
     • 2 weeks
     • 1 month
   • Default email signature

     The default email signature that is automatically added at the bottom of emails.

6. Click Apply to save the changes you have made.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Connecting to an NDES/SCEP server

You can configure a connection to an NDES/SCEP server to obtain a certificate from a certificate authority (CA) using Simple Certificate Enrollment Protocol (SCEP). To do this, you need to set up a connection to the CA using SCEP and specify a certificate profile.

To add a connection to a certificate authority and specify a certificate profile:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Device owner mode > NDES and SCEP section.
5. In the Connection to certificate authority (CA) section, click Add.

   The Connection to certificate authority dialog appears.

6. Specify the following settings, and then click OK:
   • Connection name

     A unique connection name.

   • Protocol type

     A protocol version. Possible values:

     • SCEP
     • NDES (default)
   • SCEP server URL

     The URL of the SCEP server.

     For NDES, the URL has the http://<ServerName>/certsrv/mscep/mscep.dll format.

   • Challenge phrase type

     A type of challenge phrase required for authentication. Possible values:

     • None - Does not require authentication data.
     • Static - Requires entering an authentication phrase in the Static challenge phrase field. This is the default value.
   • Static challenge phrase

     Specifies the authentication phrase that is used to authenticate the device with the certificate with the SCEP server URL.

7. In the Certificate profiles section, click Add.

   The Certificate profile dialog appears.

8. Specify the following certificate profile settings and click OK:
   • Profile name

     A unique certificate profile name.

   • Certificate authority (CA)

     A certificate authority that you created in the Connection to certificate authority (CA) section.

   • Subject name

     A unique identifier that is the subject of the certificate. It includes information about what is being certified, including common name, organization, organizational unit, country code, and so on. You can either enter the value or select it from the Available macros drop-down list.

   • Private key length

     A length of the certificate private key. Possible values:

     • 1024
     • 2048 (default)
     • 4096
   • Private key type

     A type of the certificate private key. Possible values:

     • Signature (default)
     • Encryption
     • Signature and encryption
   • Subject Alternative Names (SAN)

     An alternative name that represents the certificate subject name. You can specify multiple subject alternative names. To do this, click Add, and then specify the SAN type and SAN value options.

9. Click Apply to save the changes you have made.

Manage connections and certificate profiles

You can later edit or remove the added connections and certificate profile.

To edit a connection or certificate profile:

1. Select the needed connection or certificate profile in the corresponding section.
2. Click Edit, make the required changes, and click OK.
3. Click Apply to save the changes you have made.

To remove a connection or certificate profile:

1. Select the needed connection or certificate profile in the corresponding section.
2. Click Delete, and then click OK.

   Note: If you remove a certificate authority connection, all certificate profiles that use this connection will be also removed.

3. Click Apply to save the changes you have made.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Commands for mobile devices

Kaspersky Security Center supports commands for remote mobile device management. For instance, if a mobile device is lost or stolen, you can send commands to locate the device or wipe all corporate data from the device.

You can send commands to the following types of managed mobile devices:

• Android devices managed via the Kaspersky Endpoint Security for Android app
• iOS MDM devices

Each device type supports a dedicated set of commands. For information about sending commands from Administration Console, please refer to Kaspersky Security Center help.

Commands for Android devices

Commands for iOS MDM devices

Permissions for execution of commands

Special rights and permissions are required for the execution of commands of Kaspersky Endpoint Security for Android. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required rights and permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, it will be impossible to execute commands.

On devices running Android 10.0 or later, the user must grant the "All the time" permission to access the location. On devices running Android 11.0 or later, the user must also grant the "While using the app" permission to access camera. Otherwise, Anti-Theft commands will not function. The user will be notified of this limitation and will again be prompted to grant the permissions of required level. If the user selects the "Only this time" option for the camera permission, access is considered granted by the app. It is recommended to contact the user directly if the Camera permission is requested again.