Kaspersky Secure Mobility Management

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Control

This section contains information about how to remotely monitor mobile devices in the Administration Console of Kaspersky Security Center.

In this section

Configuring restrictions

Configuring user access to websites

Compliance control of Android devices with corporate security requirements

Compliance control of iOS MDM devices with corporate security requirements

App control

Installation and uninstallation of apps on a group of iOS MDM devices

Software inventory on Android devices

Configuring the display of Android devices in Kaspersky Security Center

Configuring restrictions

This section provides instructions on how to configure user access to the features of mobile devices.

In this section

Special considerations for devices running Android version 10 and later

Configuring restrictions for Android devices

Configuring iOS MDM device feature restrictions

Special considerations for devices running Android version 10 and later

Android 10 introduced numerous changes and restrictions targeting API 29 or higher. Some of these changes affect the availability or functionality of some of the app's features. These considerations apply only to devices running Android 10 or later.

Ability to enable, disable, and configure Wi-Fi

  • Wi-Fi networks can be added, deleted, and configured in the Administration Console of Kaspersky Security Center. When a Wi-Fi network is added to a policy, Kaspersky Endpoint Security receives this network configuration when it first connects to Kaspersky Security Center.
  • When a device detects a network configured through Kaspersky Security Center, Kaspersky Endpoint Security prompts the user to connect to that network. If the user chooses to connect to the network, all of the settings configured through Kaspersky Security Center are automatically applied. The device then automatically connects to that network when in range, without showing further notifications to the user.
  • If a user's device is already connected to another Wi-Fi network, sometimes the user may not be prompted to approve a network addition. In such cases, the user must turn Wi-Fi off and on again to receive the suggestion.
  • When Kaspersky Endpoint Security suggests a user connect to a Wi-Fi network and the user refuses to do so, the app's permission to change the Wi-Fi state is revoked. Kaspersky Endpoint Security then cannot suggest connecting to Wi-Fi networks until the user grants the permission again by going to Settings → Apps & notifications → Special App access → Wi-Fi Control → Kaspersky Endpoint Security.
  • Only open networks and networks encrypted with WPA2-PSK are supported. WEP and WPA encryption are not supported.
  • If the password for a network previously suggested by the app is changed, the user must manually delete that network from the list of known networks. The device will then be able to receive a network suggestion from Kaspersky Endpoint Security and connect to it.
  • When a device OS is updated from Android version 9 or earlier to Android version 10 or later, and/or Kaspersky Endpoint Security installed on a device running Android version 10 or later is updated, the networks that were previously added via Kaspersky Security Center cannot be modified or deleted through Kaspersky Security Center policies. The user, however, can manually modify or delete such networks in the device settings.
  • On devices running Android 10, a user is prompted for the password during an attempt to connect manually to a protected suggested network. Automatic connection does not require entering the password. If a user's device is connected to some other Wi-Fi network, the user must first disconnect from that network to connect automatically to one of the suggested networks.
  • On devices running Android 11, a user may manually connect to a protected network suggested by the app, without entering the password.
  • When Kaspersky Endpoint Security is removed from a device, the networks previously suggested by the app are ignored.
  • Prohibiting use of Wi-Fi networks is not supported.

Camera access

  • On devices running Android 10, use of the camera cannot be completely prohibited. Prohibiting use of the camera for a work profile is still available.
  • If a third-party app attempts to access the device's camera, that app will be blocked, and the user will be notified about the issue. However, the apps that use the camera while running in background mode cannot be blocked.
  • When an external camera is disconnected from a device, a notification about the camera not being available may be displayed in some cases.

Managing screen unlock methods

  • Kaspersky Endpoint Security now resolves the password strength requirements into one of the system values: medium or high.
    • If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN), with no repeating or ordered (e.g. 1234) sequences; or alphanumeric. The PIN or password must be at least 4 characters long.
    • If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN), with no repeating or ordered sequences; or alphanumeric (password). The PIN must be at least 8 digits long; the password must be at least 6 characters long.
  • Using a fingerprint to unlock the screen can be managed for a work profile only.

Configuring restrictions for Android devices

To keep an Android device secure, configure the Wi-Fi, camera, and Bluetooth usage settings on the device.

By default, the user can use Wi-Fi, camera, and Bluetooth on the device without restrictions.

To configure the Wi-Fi, camera, and Bluetooth usage restrictions on the device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.
  4. In the policy Properties window, select the Device Management section.
  5. In the Restrictions section, configure usage of Wi-Fi, camera, and Bluetooth:
    • To disable the Wi-Fi module on the user's mobile device, select the Prohibit use of Wi-Fi check box.

      On devices running Android 10.0 or later, prohibiting the use of Wi-Fi networks is not supported.

    • To disable the camera on the user's mobile device, select the Prohibit use of camera check box.

      On devices running Android 10.0 or later, the use of the camera cannot be completely prohibited.

      On devices running Android 11 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. If this is the case, you will not be able to restrict use of the camera.

    • To disable Bluetooth on the user's mobile device, select the Prohibit use of Bluetooth check box.

      On Android 12 or later, the use of Bluetooth can be disabled only if the device user granted the Nearby Bluetooth devices permission. The user can grant this permission during the Initial Configuration Wizard or at a later time.

      On personal devices running Android 13 or later, the use of Bluetooth cannot be disabled.

  6. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

Configuring iOS MDM device feature restrictions

To ensure compliance with corporate security requirements, configure restrictions on the operation of the iOS MDM device. For information about available restrictions, refer to the context help of the administration plug-in.

To configure iOS MDM device feature restrictions:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking.
  4. In the policy Properties window, select the Features Restriction section.
  5. In the Features restriction settings section, select the Apply settings on device check box.
  6. Configure iOS MDM device feature restrictions.
  7. Click the Apply button to save the changes you have made.
  8. Select the Restrictions for applications section.
  9. In the Applications restriction settings section, select the Apply settings on device check box.
  10. Configure restrictions for apps on the iOS MDM device.
  11. Click the Apply button to save the changes you have made.
  12. Select the Restrictions for Media Content section.
  13. In the Media content restriction settings section, select the Apply settings on device check box.
  14. Configure restrictions for media content on the iOS MDM device.
  15. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, restrictions on features, apps, and media content will be configured on the user's mobile device.

Configuring user access to websites

This section contains instructions on how to configure access to websites on Android and iOS devices.

In this section

Configuring access to websites on Android devices

Configuring access to websites on iOS MDM devices

Configuring access to websites on Android devices

You can use Web Protection to configure access of Android device users to websites. Web Protection supports website filtering by categories defined in the Kaspersky Security Network cloud service. Filtering allows you to restrict user access to certain websites or categories of websites (for example, those from the "Gambling, lotteries, sweepstakes" or "Internet communication" categories). Web Protection also protects the personal data of users on the internet.

To enable Web Protection:

  • Kaspersky Endpoint Security must be enabled as an Accessibility Features service.
  • The Statement regarding data processing for the purpose of using Web Protection (Web Protection Statement) should be accepted. Kaspersky Endpoint Security uses Kaspersky Security Network (KSN) to scan websites. The Web Protection Statement contains the terms of data exchange with KSN.

    You can accept the Web Protection Statement for the user in Kaspersky Security Center. In this case, the user is not required to take any action.

    If you have not accepted the Web Protection Statement and prompt the user to do this, the user must read and accept the Web Protection Statement in the app settings.

    If you have not accepted the Web Protection Statement, Web Protection is not available.

Web Protection on Android devices works only in the Google Chrome browser (including the Custom Tabs feature), Huawei Browser, and Samsung Internet Browser. Web Protection for Samsung Internet Browser does not block sites on a mobile device if a work profile is used and Web Protection is enabled only for the work profile.

Web Protection is enabled by default: user access to websites in the Phishing and Malware categories is blocked.

To configure the settings of the device user's access to websites:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.
  4. In the policy Properties window, select the Web Protection section.
  5. Select the Enable Web Protection check box.
  6. To use Web Protection, you or the device user must read and accept the Statement regarding data processing for the purpose of using Web Protection (Web Protection Statement):
    1. Click the link Web Protection Statement.

      This opens the Statement regarding data processing for the purpose of using Web Protection window. To accept the Web Protection Statement, you must read and accept the Privacy Policy.

    2. Click the Privacy Policy link. Read and accept the Privacy Policy.

      If you do not accept the Privacy Policy, the mobile device user can accept the Privacy Policy in the Initial Configuration Wizard or in the app (settings button → About → Terms and conditions → Privacy Policy).

    3. Select the Web Protection Statement acceptance mode:
      • I have read and accept the Web Protection Statement
      • Request acceptance of the Web Protection Statement from the device user
      • I do not accept the Web Protection Statement

    If you select I do not accept the Web Protection Statement, Web Protection does not block sites on the mobile device, and the mobile device user cannot enable Web Protection in Kaspersky Endpoint Security.

  7. If you want the app to restrict user access to websites depending on their content, do the following:
    1. In the Web Protection section, in the drop-down list select Websites of selected categories are forbidden.
    2. Create a list of blocked categories by selecting check boxes next to the categories of websites to which the app will block access.
  8. If you want the app to allow user access only to websites specified by the administrator, do the following:
    1. In the Web Protection section, in the drop-down list select Only listed websites are allowed.
    2. Create a list of websites by adding addresses of websites to which the app will not block access. Kaspersky Endpoint Security for Android supports only regular expressions. When entering the address of an allowed website, use the following templates:
      • https://example.com.*—All child pages of the website are allowed (for example, https://example.com/about).
      • https://.*example.com—All subdomain pages of the website are allowed (for example, https://pictures.example.com).

      You can also use the expression https? to select the HTTP and HTTPS protocols. For more details on regular expressions, please refer to the Oracle Technical Support website.

  9. If you want the app to block user access to all websites, in the Web Protection section, in the drop-down list, select All websites are blocked.
  10. To lift content-based restrictions on user access to websites, clear the Enable Web Protection check box.
  11. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.
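
A check for the allowed-website templates from the "Only listed websites are allowed" step, as an added example that is not part of the Kaspersky help or product code: it runs the two documented templates and two tightened variants over sample URLs and reports what each one misses or lets through. Assumptions: Python's re module stands in for the app's regular expression engine, the help text does not say whether the whole URL must match or a match anywhere is enough, so both modes are tried, and the sample URLs, the tightened patterns and all function names are constructed for this illustration.

```python
import re

# Templates exactly as they appear in the help text above.
DOC_CHILD_PAGES = r"https://example.com.*"
DOC_SUBDOMAINS = r"https://.*example.com"

# Tightened variants (added here, not from the help text): literal dots are
# escaped, subdomain labels are limited to hostname characters, the host must
# end before a port, path, query or fragment, and the pattern is anchored.
STRICT_CHILD_PAGES = r"^https://example\.com(?::\d+)?(?:[/?#].*)?$"
STRICT_SUBDOMAINS = (r"^https://(?:[A-Za-z0-9-]+\.)+example\.com"
                     r"(?::\d+)?(?:[/?#].*)?$")

# Constructed sample URLs (reserved example/test names only).
CHILD_WANTED = ["https://example.com", "https://example.com/about"]
CHILD_UNWANTED = ["https://example.com.portal.test/login",
                  "https://examplexcom.test/"]
SUB_WANTED = ["https://pictures.example.com",
              "https://pictures.example.com/gallery?id=1"]
SUB_UNWANTED = ["https://notexample.com",
                "https://other.test/?next=example.com"]


def matches(pattern, url, mode):
    """Apply a pattern the way the filter might: 'full' requires the whole URL
    to match, 'search' accepts a match anywhere in it (both are assumptions)."""
    rx = re.compile(pattern)
    if mode == "full":
        return rx.fullmatch(url) is not None
    if mode == "search":
        return rx.search(url) is not None
    raise ValueError("mode must be 'full' or 'search'")


def audit(pattern, wanted, unwanted, mode):
    """Return (missed, overmatched): wanted URLs the pattern rejects and
    unwanted URLs it lets through."""
    missed = [u for u in wanted if not matches(pattern, u, mode)]
    overmatched = [u for u in unwanted if matches(pattern, u, mode)]
    return missed, overmatched


def unescaped_dots(pattern):
    """Return offsets of '.' that look like literal dots left unescaped: not
    preceded by a backslash, not inside [...], not followed by a quantifier."""
    hits, in_class, i = [], False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 2  # skip the escaped character
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        elif ch == "." and not in_class:
            nxt = pattern[i + 1] if i + 1 < len(pattern) else ""
            if nxt not in ("*", "+", "?", "{"):
                hits.append(i)
        i += 1
    return hits


def report():
    """Audit every pattern in both matching modes and collect the results."""
    rows = []
    for name, pat, wanted, unwanted in [
        ("doc child pages", DOC_CHILD_PAGES, CHILD_WANTED, CHILD_UNWANTED),
        ("strict child pages", STRICT_CHILD_PAGES, CHILD_WANTED, CHILD_UNWANTED),
        ("doc subdomains", DOC_SUBDOMAINS, SUB_WANTED, SUB_UNWANTED),
        ("strict subdomains", STRICT_SUBDOMAINS, SUB_WANTED, SUB_UNWANTED),
    ]:
        for mode in ("full", "search"):
            missed, over = audit(pat, wanted, unwanted, mode)
            rows.append((name, mode, missed, over, unescaped_dots(pat)))
    return rows


if __name__ == "__main__":
    for name, mode, missed, over, dots in report():
        print(f"{name:18} {mode:6} missed={missed} "
              f"overmatched={over} unescaped_dots={dots}")
```

Under either matching mode the documented templates accept all of the unwanted sample URLs, while the anchored, escaped variants accept none of them and still cover the intended pages.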

Configuring access to websites on iOS MDM devices

Configure Web Protection settings to control access to websites for iOS MDM device users. Web Protection controls a user's access to websites based on lists of allowed and blocked websites. Web Protection also lets you add website bookmarks on the bookmark panel in Safari.

By default, access to websites is not restricted.

Web Protection settings can be configured for supervised devices only.

To configure access to websites on the user's iOS MDM device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking.
  4. In the policy Properties window, select the Web Protection section.
  5. In the Web Protection settings section, select the Apply settings on device check box.
  6. To block access to blocked websites and allow access to allowed websites:
    1. In the Web Filter Mode drop-down list, select the Limit adult content mode.
    2. In the Allowed websites section, create a list of allowed websites.

      The website address should begin with "http://" or "https://". Kaspersky Device Management for iOS allows access to all websites in the domain. For example, if you have added http://www.example.com to the list of allowed websites, access is allowed to http://pictures.example.com and http://example.com/movies. If the list of allowed websites is empty, the application allows access to all websites other than those included in the list of blocked websites.

    3. In the Forbidden websites section, create a list of blocked websites.

      The website address should begin with "http://" or "https://". Kaspersky Device Management for iOS blocks access to all websites in the domain.

  7. To block access to all websites other than allowed websites on the tab list:
    1. In the Web Filter Mode drop-down list, select the Allow bookmarked websites only mode.
    2. In the Bookmarks section, create a list of bookmarks of allowed websites.

      The website address should begin with "http://" or "https://". Kaspersky Device Management for iOS allows access to all websites in the domain. If the bookmark list is empty, the application allows access to all websites. Kaspersky Device Management for iOS adds websites from the list of bookmarks on the bookmarks tab in Safari on the user's mobile device.

  8. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, Web Protection will be configured on the user's mobile device according to the mode selected and lists created.

Compliance control of Android devices with corporate security requirements

You can control Android devices for compliance with the corporate security requirements. Corporate security requirements regulate how the user can work with the device. For example, the real-time protection must be enabled on the device, the anti-virus databases must be up-to-date, and the device password must be sufficiently strong. Compliance control is based on a list of rules. A compliance rule includes the following components:

  • Device check criterion (for example, absence of blocked apps on the device).
  • Time period allocated for the user to fix the non-compliance (for example, 24 hours).
  • Action that will be taken on the device if the user does not fix the non-compliance within the set time period (for example, lock device).

    On Android 12 or later, the app may perform this task later than specified if the device is in battery saver mode.

If the user does not fix the non-compliance within the specified time, the following actions are available:

  • Block all applications except system ones. All apps on the user's mobile device, except system apps, are blocked from starting.
  • Lock device. The mobile device is locked. To obtain access to data, you must unlock the device. If the reason for locking the device is not rectified after the device is unlocked, the device will be locked again after the specified time period.
  • Wipe corporate data. Containerized data, the corporate email account, settings for connecting to the corporate Wi-Fi network and VPN, Access Point Name (APN), Android work profile, KNOX container, and the KNOX License Manager key are wiped.
  • Full Reset. All data is deleted from the mobile device and the settings are rolled back to their factory values. After this action is completed, the device will no longer be a managed device. To connect the device to Kaspersky Security Center, you must reinstall Kaspersky Endpoint Security for Android.

To create a scan rule for checking devices for compliance with a group policy:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.
  4. In the policy Properties window, select the Compliance control section.
  5. To receive notifications about devices that do not comply with the policy, in the Noncompliance notification section select the Notify administrator check box.

    If the device does not comply with a policy, during device synchronization with the Administration Server, Kaspersky Endpoint Security for Android writes an entry for Violation detected: <name of the criterion checked> in the event log. You can view the Event log on the Events tab in the Administration Server properties or in the local properties of the application.

  6. To notify the device user that the user's device does not comply with the policy, in the Noncompliance notification section select the Notify user check box.

    If the device does not comply with a policy, during device synchronization with the Administration Server, Kaspersky Endpoint Security for Android notifies the user about this.

  7. In the Compliance Rules section, compile a list of rules for checking the device for compliance with the policy. Follow the steps below:
    1. Click Add.

      The Scan Rule Wizard starts.

    2. Follow the instructions of the Scan Rule Wizard.

      When the wizard finishes, the new rule is displayed in the Compliance Rules section in the list of scan rules.

  8. To temporarily disable a scan rule that you have created, use the toggle switch opposite the selected rule.
  9. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. If the user device does not comply with the rules, the restrictions you have specified in the scan rule list are applied to the device.

Compliance control of iOS MDM devices with corporate security requirements

Compliance Control allows you to monitor iOS MDM devices for compliance with corporate security requirements and take actions if non-compliance is found. Compliance Control is based on a list of rules. Each rule includes the following components:

  • Status (whether the rule is enabled or disabled).
  • Non-compliance criteria (for example, absence of the specified apps or operating system version).
  • Actions performed on the device if non-compliance is found (for example, wipe corporate data or send an email message to the user).

To create a rule:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking.
  4. In the policy Properties window, select the Compliance Control section.
  5. In the Compliance Control rules section, click Add.

    The Compliance Control Rule Wizard starts.

  6. Select the Enable rule check box if you want to activate the rule. If the check box is cleared, the rule is disabled.
  7. In the Non-compliance criteria tab, click Add criterion and select a non-compliance criterion for the rule. You can add multiple criteria. They are combined by the AND logical operator.

    The following criteria are available:

    • List of apps on device

      Checks whether the list of apps on the device contains forbidden apps or does not contain required apps.

      For this criterion, you need to select a check type (Contains or Does not contain) and specify app IDs.

    • Operating system version

      Checks the version of the operating system on the device.

      For this criterion, you need to select a comparison operator (Equal, Not equal, Less than, or Greater than) and specify the iOS version.

      Note that the Equal and Not equal operators check for a full match of the operating system version with the specified value. For instance, if you specify 15 in the rule, but the device is running iOS 15.2, the Equal criterion is not met. If you need to specify a range of versions, you can create two criteria and use the Less than and Greater than operators.

    • Management mode

      Checks the device's management mode.

      For this criterion, you need to select a mode (Supervised device or Non-supervised device).

  8. In the Actions tab, specify actions to be performed on the device if all specified non-compliance criteria are detected. Add an action in one of the following ways:
    • Click the Add action button if the action should be taken on the device immediately after non-compliance is detected.
    • Click the Add postponed action button if you want to also set a time period in which the user can fix the non-compliance. If the non-compliance is not fixed within this period, the action is performed on the device.

    The following actions are available:

    • Send email message to user

      The device user is informed about the non-compliance by email.

      For this action, you need to specify the user's email address(es) and the email message.

    • Install profile

      The configuration profile is installed on the device. This action is performed by sending the Install profile command.

      For this action, you need to specify the ID of the configuration profile to be installed.

    • Delete profile

      The configuration profile is deleted from the device. This action is performed by sending the Remove profile command.

      For this action, you need to specify the ID of the configuration profile to be removed.

    • Delete all profiles

      All previously installed configuration profiles are deleted from the device.

    • Wipe corporate data

      All installed configuration profiles, provisioning profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile check box has been selected are removed from the device. This action is performed by sending the Wipe corporate data command.

  9. Click the Save button to save the rule and close the wizard.

    The new rule appears in the list in the Compliance Control rules section.

  10. Click the Apply button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

App control

This section contains instructions on how to configure user access to apps on a mobile device.

In this section

App control on Android devices

App control on iOS MDM devices

App control on Android devices

The App Control component allows you to manage apps on Android devices to keep these devices secure.

  • You can impose restrictions on the user's activity on a device on which blocked apps are installed or required apps are not installed (for example, lock the device). You can impose restrictions using the Compliance Control component. To do so, in the scan rule settings, you must select the Forbidden apps are installed, Apps from forbidden categories are installed, or Not all required apps are installed criterion.

Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of App Control. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. If this is the case, App Control does not run.

In device owner mode, you have extended control over the device. App Control operates without notifying the device user:

  • Required apps are installed automatically in the background. To install apps silently, you need to specify a link to the APK file of the required app in the policy settings.
  • Forbidden apps can be deleted from the device automatically. To delete apps silently, you need to select the Delete blocked apps automatically (in device owner mode only) check box in the policy settings.

To configure the settings of app startup on the mobile device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.
  4. In the policy Properties window, select the App Control section.
  5. In the Operation mode section, select the mode of app startup on the user's mobile device:
    • To allow the user to start all apps except those specified in the list of categories and apps as blocked apps, select the Blocked apps mode. The app will hide blocked app icons.
    • To allow the user to start only apps specified in the list of categories and apps as allowed, recommended, or required apps, select the Allowed apps mode. The app will hide all app icons except those specified in the list of allowed, recommended, or required apps and system apps.
  6. If you want Kaspersky Endpoint Security for Android to send data on forbidden apps to the event log without blocking them, select the Do not block forbidden apps, write to event log only check box.

    During the next synchronization of the user's mobile device with the Administration Server, Kaspersky Endpoint Security for Android writes an entry for A forbidden app has been installed in the event log. You can view the Event log on the Events tab in the Administration Server properties or in the local properties of the application.

  7. If the device is in device owner mode, select the Delete blocked apps automatically (in device owner mode only) check box to remove forbidden apps from the device in the background without notifying the user.
  8. If you want Kaspersky Endpoint Security for Android to block the startup of system apps on the user's mobile device (such as Calendar, Camera, and Settings) in Allowed apps mode, select the Block system apps check box.

    Kaspersky experts recommend against blocking system apps because this could lead to failures in device operation.

  9. Create a list of categories and apps to configure startup of apps.

    For details on app categories, please refer to the Appendices.

    For a list of the apps that belong to each category, please visit the Kaspersky website.

  10. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

App control on iOS MDM devices

Kaspersky Security Center allows you to manage apps on iOS MDM devices to keep these devices secure. You can create a list of apps allowed to be installed on devices and a list of apps prohibited from being displayed and launching on devices.

These restrictions apply only to supervised iOS MDM devices.

Open Restrictions for applications section

To open settings for app restrictions on iOS MDM devices:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking.
  4. In the policy Properties window, select the Restrictions for applications section.

Restrict app installation

By default, the user can install any apps on the supervised iOS MDM device.

To restrict the apps that can be installed on the device:

  1. Select the Allow installation of apps from the list (supervised only) check box.
  2. In the table, click Add to add an app to the list.
  3. Specify the app's bundle ID. To get the app's bundle ID, you can follow instructions in Apple documentation. Specify the com.apple.webapp value to allow all web clips.
  4. Click the Apply button to save the changes you have made.

Once the policy is applied to a device, the specified restrictions for apps are configured on the device. Only apps from the list and system apps will be available for installation. All other apps can't be installed on the device.

The specified apps can be installed on the device in the following ways (if the corresponding options are enabled in the Features restrictions section):

  • Installation from Apple Configurator or iTunes
  • Installation from App Store
  • Automatic loading

Specify prohibited apps

By default, all apps can be displayed and launched on the supervised iOS MDM device.

To specify prohibited apps:

  1. Select the Prohibit displaying and launching apps from the list (supervised only) check box.
  2. In the table, click Add to add an app to the list.
  3. Specify the app's bundle ID. To get the app's bundle ID, you can follow instructions in Apple documentation. Specify the com.apple.webapp value to restrict all web clips.
  4. Click the Apply button to save the changes you have made.

Once the policy is applied to a device, the specified restrictions for apps are configured on the device. Apps from the list will be prohibited from being displayed and launching on the device. All other apps will be displayed and available to run.
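
The two bundle ID lists described above can be checked for mistakes before they are typed into the policy. The following is an added example, not part of the Kaspersky help or product: the function names and sample bundle IDs are hypothetical, and the character check reflects Apple's rule that bundle IDs contain only alphanumerics, hyphens, and periods.

```python
import re

# Apple limits bundle IDs to alphanumerics, hyphens and periods.
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9.-]+$")
WEB_CLIPS = "com.apple.webapp"  # special value from the page: covers all web clips


def normalize(entries):
    """Trim entries and sort them into (valid, invalid, duplicates)."""
    valid, invalid, dupes, seen = [], [], [], set()
    for raw in entries:
        bid = raw.strip()
        if not bid:
            continue
        # Compared in lower case so entries differing only in case are surfaced for review.
        key = bid.lower()
        if not BUNDLE_ID_RE.match(bid):
            invalid.append(bid)
        elif key in seen:
            dupes.append(bid)
        else:
            seen.add(key)
            valid.append(bid)
    return valid, invalid, dupes


def review_app_lists(allowed, prohibited):
    """Return findings for the install list and the prohibited list."""
    ok_allowed, bad_allowed, dup_allowed = normalize(allowed)
    ok_prohibited, bad_prohibited, dup_prohibited = normalize(prohibited)
    allowed_keys = {b.lower() for b in ok_allowed}
    prohibited_keys = {b.lower() for b in ok_prohibited}
    # Installable but never displayed or launched: worth a second look.
    conflicts = [b for b in ok_allowed if b.lower() in prohibited_keys]
    return {
        "invalid": bad_allowed + bad_prohibited,
        "duplicates": dup_allowed + dup_prohibited,
        "conflicts": conflicts,
        "web_clips_allowed": WEB_CLIPS in allowed_keys,
        "web_clips_prohibited": WEB_CLIPS in prohibited_keys,
    }


# Constructed sample lists (not taken from the page).
SAMPLE_ALLOWED = ["com.example.mail", "com.example.vpn ", "com.apple.webapp", "com.example.mail"]
SAMPLE_PROHIBITED = ["com.example.vpn", "Example Game", "com.apple.webapp"]

if __name__ == "__main__":
    for name, value in review_app_lists(SAMPLE_ALLOWED, SAMPLE_PROHIBITED).items():
        print(f"{name}: {value}")
```

An entry reported under conflicts appears in both lists, so the app could be installed but would never be displayed or launched.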

Installation and uninstallation of apps on a group of iOS MDM devices

Kaspersky Security Center allows you to install and remove apps on iOS MDM devices by sending commands to these devices.

Selecting devices

To select iOS MDM devices on which apps should be installed or removed:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices by protocol type (iOS MDM).
  3. Select the iOS MDM device on which apps should be installed or removed.

    You can also select multiple devices and send commands simultaneously. To select a group of devices, do one of the following:

    • To select all devices in the workspace, filter the list of devices as required and press Ctrl+A.
    • To select a range of devices, hold down the Shift key, click the first device in the range, and then click the last device in the range.
    • To select individual devices, hold down the Ctrl key and click devices you want to include in the group.

Installing apps on devices

Before installing an app on an iOS MDM device, you must add that app to an iOS MDM Server. For more information, refer to Adding a managed app.

To install apps on selected iOS MDM devices:

  1. Right-click the selected devices. In the context menu that appears, select All commands, and then select Install app.

    For a single device, you can also select Show command log in the context menu, proceed to the Install app section, and click the Send command button.

    The Select apps window opens showing a list of managed apps.

  2. Select the apps you want to install on iOS MDM devices. To select a range of apps, use the Shift key. To select multiple apps individually, use the Ctrl key.
  3. Click OK to send the command to the devices.

    When the command is executed on a device, the selected apps are installed. If the command is successfully executed, the command log will show its current status as Completed.

Removing apps from devices

To remove apps from selected iOS MDM devices:

  1. Right-click the selected devices. In the context menu that appears, select All commands, and then select Remove app.

    For a single device, you can also select Show command log in the context menu, proceed to the Remove app section, and click the Send command button.

    The Remove apps window opens showing a list of previously installed apps.

  2. Select the apps you want to remove from iOS MDM devices. To select a range of apps, use the Shift key. To select multiple apps individually, use the Ctrl key.
  3. Click OK to send the command to the devices.

    When the command is executed on a device, the selected apps are uninstalled. If the command is successfully executed, the command log will show its current status as Completed.

Software inventory on Android devices

You can inventory apps on Android devices connected to Kaspersky Security Center. Kaspersky Endpoint Security for Android receives information about all apps installed on mobile devices. Information acquired during inventory is displayed in the device properties in the Events section. You can view detailed information on each installed app, including its version and publisher.

To enable software inventory:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.
  4. In the policy Properties window, select the App Control section.
  5. In the Software inventory section, select the Send data on installed apps check box.
  6. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. Kaspersky Endpoint Security for Android sends data to the event log each time an app is installed on or removed from the device.

Configuring the display of Android devices in Kaspersky Security Center

For convenient operations with the list of mobile devices, you should configure the settings for displaying devices in Kaspersky Security Center. By default, the list of mobile devices is displayed in the Additional → Mobile Device Management → Mobile devices folder of the console tree. Device information is updated automatically. You can also manually update the list of mobile devices by clicking the Update button in the upper right corner.

After a device is connected to Kaspersky Security Center, it is added to the mobile device list automatically. The mobile device list may contain detailed information about the device: model, operating system, IP address, and others.

You can configure the device name format and select the device status. The device status informs you about how the components of Kaspersky Endpoint Security for Android are operating on the user's mobile device.

Kaspersky Endpoint Security for Android components could be non-operational for the following reasons:

  • The user disabled the component in the device settings.
  • The user did not grant the app the necessary permissions for the component to operate (for example, there is no permission to determine the device location for the corresponding Anti-Theft command).

To display the device status, you must enable the Determined by the application condition in the administration group properties (Properties → Device status → Set device status to Critical if and Set device status to Warning if). In the administration group properties, you can also select other criteria for forming the mobile device status.

To configure the display of Android devices in Kaspersky Security Center:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.
  4. In the policy Properties window, select the Device information section.
  5. In the Device name in Kaspersky Security Center section, select the device name format for the device name in the Administration Console:
    • Device model [email, device ID]
    • Device model [email (if any) or device ID]

    A device ID is a unique ID that Kaspersky Endpoint Security for Android generates from the data received from a device. For mobile devices running Android 10 or later, Kaspersky Endpoint Security for Android uses the SSAID (Android ID) or checksum of other data received from the device. For earlier versions of Android, the app uses the IMEI.

  6. Set the Lock attribute in the locked position (closed lock icon).
  7. In the Device status in Kaspersky Security Center section, select the appropriate device status if a component of Kaspersky Endpoint Security for Android is not working: Critical, Warning, or OK.

    In the list of mobile devices, the device status will be changed according to the selected status.

  8. Set the Lock attribute in the locked position.
  9. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.
