Kaspersky Secure Mobility Management

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring connection to a Wi-Fi network

This section provides instructions on how to configure automatic connection to a corporate Wi-Fi network on Android and iOS MDM devices.

In this section

Connecting Android devices to a Wi-Fi network

Connecting iOS MDM devices to a Wi-Fi network

Connecting Android devices to a Wi-Fi network

For an Android device to automatically connect to an available Wi-Fi network and protect data during the connection, you should configure the connection settings.

To connect the mobile device to a Wi-Fi network:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.
  4. In the policy Properties window, select the Wi-Fi section.
  5. In the Wi-Fi networks section, click Add.

    This opens the Wi-Fi network window.

  6. In the Service set identifier (SSID) field, enter the name of the Wi-Fi network that includes the access point (SSID).
  7. Select the Hidden network check box if you want the Wi-Fi network to be hidden in the list of available networks on the device. In this case, to connect to the network the user needs to manually enter the Service set identifier (SSID) specified in the settings of the Wi-Fi router on the mobile device.
  8. Select the Automatic connection to network check box if you want the device to connect to the Wi-Fi network automatically.
  9. In the Network protection section, select the type of Wi-Fi network security (open or secure network protected with the WEP, WPA/WPA2 PSK, or 802.1.x EAP protocol).

    The 802.1.x EAP security protocol is supported only in the Kaspersky Endpoint Security for Android app version 10.48.1.1 or later. The WEP protocol is supported only on Android 9 or earlier.

  10. If you selected the 802.1.x EAP security protocol, specify additional network protection settings (EAP method, Root certificate and other). For information about these settings, refer to the context help of the administration plug-in.
  11. In the Password field, set a network access password if you selected a secure network at step 9.
  12. Select the Use proxy server option if you want to use a proxy server to connect to a Wi-Fi network. Otherwise, select the Do not use proxy server option.
  13. If you selected Use proxy server, in the Proxy server address and port field, enter the IP address or DNS name of the proxy server and port number, if necessary.

    On devices running Android version 8.0 or later, settings of the proxy server for Wi-Fi cannot be redefined with the policy. However, you can manually configure the proxy server settings for a Wi-Fi network on the mobile device.

    If you are using a proxy server to connect to a Wi-Fi network, you can use a policy to configure the settings for connecting to the network. On devices running Android 8.0 or later, you must manually configure the proxy server settings. On devices running Android 8.0 or later, you cannot use a policy to change the Wi-Fi network connection settings, except for the network access password.

    If you are not using a proxy server to connect to a Wi-Fi network, there are no limitations on using policies to manage a Wi-Fi network connection.

  14. In the Do not use proxy server for addresses field, generate a list of web addresses that can be accessed without the use of the proxy server.

    For example, you can enter the address example.com. In this case, the proxy server will not be used for the addresses pictures.example.com, example.com/movies, etc. The protocol (for example, http://) can be omitted.

    On devices running Android version 8.0 or later, the proxy server exclusion for web addresses does not work.

  15. Click OK.

    The added Wi-Fi network is displayed in the list of Wi-Fi networks.

    You can modify or delete Wi-Fi networks in the list of networks using the Edit and Delete buttons at the top of the list.

  16. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. After the policy is applied on the mobile device, the user can connect to the Wi-Fi network that has been added, without specifying the network settings.

On devices running Android version 10.0 or later, if a user refuses to connect to the suggested Wi-Fi network, the app's permission to change Wi-Fi state is revoked. The user must grant this permission manually.

Connecting iOS MDM devices to a Wi-Fi network

For an iOS MDM device to automatically connect to an available Wi-Fi network and protect data during the connection, you should configure the connection settings.

To configure the connection of an iOS MDM device to a Wi-Fi network:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking.
  4. In the policy Properties window, select the Wi-Fi section.
  5. Click the Add button in the Wi-Fi networks section.

    This opens the Wi-Fi network window.

  6. In the Service set identifier (SSID) field, enter the name of the Wi-Fi network that includes the access point (SSID).
  7. If you want the iOS MDM device to connect to the Wi-Fi network automatically, select the Automatic connection check box.
  8. To make it impossible to connect iOS MDM devices to a Wi-Fi network requiring preliminary authentication (captive network), select the Disable captive networks detection check box.

    To use a captive network, you must subscribe, accept an agreement, or make a payment. Captive networks may be deployed in cafes and hotels, for example.

  9. If you want the Wi-Fi network to be hidden in the list of available networks on the iOS MDM device, select the Hidden Network check box.

    In this case, to connect to the network the user needs to manually enter the Service set identifier (SSID) specified in the settings of the Wi-Fi router on the mobile device.

  10. In the Network protection drop-down list, select the type of protection of the Wi-Fi network connection:
    • Disabled. User authentication is not required.
    • WEP. The network is protected using Wireless Encryption Protocol (WEP).
    • WPA/WPA2 (Personal). The network is protected using WPA / WPA2 protocol (Wi-Fi Protected Access).
    • WPA2 (Personal). The network is protected using WPA2 protocol (Wi-Fi Protected Access 2.0). WPA2 protection is available on devices running iOS version 8 or later. WPA2 is not available on Apple TV devices.
    • Any (Personal). The network is protected using the WEP, WPA or WPA2 encryption protocol depending on the type of Wi-Fi router. An encryption key unique to each user is used for authentication.
    • WEP (Dynamic). The network is protected using the WEP protocol with the use of a dynamic key.
    • WPA/WPA2 (Enterprise). The network is protected using the WPA/WPA2 encryption protocol with use of the 802.1X protocol.
    • WPA2 (Enterprise). The network is protected using the WPA2 encryption protocol with the use of one key shared by all users (802.1X). WPA2 protection is available on devices running iOS version 8 or later. WPA2 is not available on Apple TV devices.
    • Any (Enterprise). The network is protected using WEP or WPA / WPA2 protocol depending on the type of Wi-Fi router. One encryption key shared by all users is used for authentication.

    If you have selected WEP (Dynamic), WPA/WPA2 (Enterprise), WPA2 (Enterprise) or Any (Enterprise) in the Network protection list, in the Protocols section you can select the types of EAP protocols (Extensible Authentication Protocol) for user identification on the Wi-Fi network.

    In the Trusted certificates section, you can also create a list of trusted certificates for authentication of the iOS MDM device user on trusted servers.

  11. Configure the settings of the account for user authentication upon connection of the iOS MDM device to the Wi-Fi network:
    1. In the Authentication section, click the Configure button.

      The Authentication window opens.

    2. In the User name field, enter the account name for user authentication upon connection to the Wi-Fi network.
    3. To require the user to enter the password manually upon every connection to the Wi-Fi network, select the Prompt for password at each connection check box.
    4. In the Password field, enter the password of the account for authentication on the Wi-Fi network.
    5. In the Authentication certificate drop-down list, select a certificate for user authentication on the Wi-Fi network. If the list does not contain any certificates, you can add them in the Certificates section.
    6. In the User ID field, enter the user ID displayed during data transmission upon authentication instead of the user's real name.

      The user ID is designed to make the authentication process more secure, as the user name is not displayed openly, but transmitted via an encrypted TLS tunnel.

    7. Click OK.

    As a result, the settings of the account for user authentication upon connection to the Wi-Fi network will be configured on the iOS MDM device.

  12. If necessary, configure the settings of the Wi-Fi network connection via a proxy server:
    1. In the Proxy server section, click the Configure button.
    2. In the Proxy server window that opens, select the proxy server configuration mode and specify the connection settings.
    3. Click OK.

    As a result, the settings of the device connection to the Wi-Fi network via a proxy server are configured on the iOS MDM device.

  13. Click OK.

    The new Wi-Fi network is displayed in the list.

  14. Click the Apply button to save the changes you have made.

As a result, a Wi-Fi network connection will be configured on the user's iOS MDM device once the policy is applied. The user's mobile device will automatically connect to available Wi-Fi networks. Data security during a Wi-Fi network connection is ensured by the authentication technology.
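The following audit script is an added example, not part of the Kaspersky documentation. It reviews the Wi-Fi settings from the procedure above as they would appear in an Apple configuration profile (`com.apple.wifi.managed` payload) and flags open, WEP and "Any" networks, EAP settings without a trusted server certificate or name, and tunneled EAP methods without a user ID (outer identity). The key names are Apple's; that the policy reaches the device in this form, and how console fields map to these keys, are assumptions, and the sample profile and its names are constructed.

```python
import plistlib

WIFI_PAYLOAD = "com.apple.wifi.managed"
# EAP method numbers (AcceptEAPTypes values) that run inside a TLS tunnel.
TUNNELED_EAP = {21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}


def audit_wifi_payload(payload):
    """Return a list of (code, message) findings for one Wi-Fi payload."""
    findings = []
    enc = payload.get("EncryptionType", "Any")  # "Any" is the default when absent
    eap = payload.get("EAPClientConfiguration")

    if enc == "None":
        findings.append(("open", "network protection is disabled"))
    elif enc == "WEP":
        findings.append(("wep", "WEP is selected"))
    elif enc == "Any":
        findings.append(("any", "'Any' accepts WEP if the router offers it"))

    if eap is None:
        return findings  # personal (pre-shared key) or open network

    # "Trusted certificates": the device needs an anchor or a server name
    # to decide whether the authentication server is the real one.
    pinned = eap.get("TLSTrustedServerNames") or eap.get("PayloadCertificateAnchorUUID")
    if not pinned:
        findings.append(("eap-untrusted-server",
                         "no trusted certificate or server name for the EAP server"))

    # "User ID": without an outer identity the real user name is sent
    # outside the encrypted tunnel.
    tunneled = [TUNNELED_EAP[t] for t in eap.get("AcceptEAPTypes", [])
                if t in TUNNELED_EAP]
    if tunneled and not eap.get("OuterIdentity"):
        findings.append(("eap-identity-exposed",
                         "no user ID set for " + ", ".join(tunneled)))
    return findings


def audit_profile(profile_bytes):
    """Map each SSID in a configuration profile to its findings."""
    profile = plistlib.loads(profile_bytes)
    report = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != WIFI_PAYLOAD:
            continue
        ssid = payload.get("SSID_STR", "<no SSID>")
        report[ssid] = audit_wifi_payload(payload)
    return report


def build_sample_profile():
    """Constructed sample profile; all names and values are made up."""
    def wifi(ssid, enc, eap=None):
        payload = {
            "PayloadType": WIFI_PAYLOAD,
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.wifi." + ssid,
            "SSID_STR": ssid,
            "AutoJoin": True,
            "EncryptionType": enc,
        }
        if eap is not None:
            payload["EAPClientConfiguration"] = eap
        return payload

    weak_eap = {"AcceptEAPTypes": [25], "UserName": "jdoe"}
    good_eap = {
        "AcceptEAPTypes": [25],
        "UserName": "jdoe",
        "OuterIdentity": "anonymous",
        "TLSTrustedServerNames": ["radius.example.com"],
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile",
        "PayloadContent": [
            wifi("CORP-GUEST", "None"),
            wifi("CORP-LEGACY", "Any"),
            wifi("CORP-EAP", "WPA2", weak_eap),
            wifi("CORP-EAP-PINNED", "WPA2", good_eap),
        ],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for ssid, findings in audit_profile(build_sample_profile()).items():
        print(ssid, "OK" if not findings else "")
        for code, message in findings:
            print("   [%s] %s" % (code, message))
```
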

Configuring email

This section contains information on configuring mailboxes on mobile devices.

In this section

Configuring a mailbox on iOS MDM devices

Configuring an Exchange mailbox on iOS MDM devices

Configuring an Exchange mailbox on Android devices (only Samsung)

Configuring a mailbox on iOS MDM devices

To enable an iOS MDM device user to work with email, add the user's email account to the list of accounts on the iOS MDM device.

By default, the email account is added with the following settings:

  • Email protocol – IMAP.
  • The user can move email messages between the user's accounts and synchronize account addresses.
  • The user can use any email clients (other than Mail) to use email.
  • The SSL connection is not used during transmission of messages.

You can edit the specified settings when adding the account.

To add an email account of the iOS MDM device user:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking.
  4. In the policy Properties window, select the Email section.
  5. Click the Add button in the Email account section.

    The Email account window opens.

  6. In the Description field, enter a description of the user's email account.
  7. Select the email protocol:
    • POP
    • IMAP
  8. If necessary, specify the IMAP path prefix in the IMAP path prefix field.

    The IMAP path prefix must be entered using upper-case letters (for example: GMAIL for Google Mail). This field is available if the IMAP account protocol is selected.

  9. In the User name as displayed in messages field, enter the user name to be displayed in the From: field for all outgoing messages.
  10. In the Email address field, specify the email address of the iOS MDM device user.
  11. Configure Additional Settings of the email account:
    • To allow the user to move email messages between the user's accounts, select the Allow movement of messages between accounts check box.
    • To allow the email addresses used to be synchronized among user accounts, select the Allow sync of recent addresses check box.
    • To allow a user to use the Mail Drop service to forward large-sized attachments, select the Allow Mail Drop check box.
    • To allow the user to use only the standard iOS mail client, select the Allow use of only Mail app check box.
  12. Configure the settings for using the S/MIME protocol in the Mail app. S/MIME is a protocol for transmitting digitally signed encrypted messages.
    • To use the S/MIME protocol to sign outgoing mail, select the Sign messages check box and select a certificate for the signature. A digital signature confirms the authenticity of the sender and indicates that the contents of the message have not been modified during transmission to the recipient. A message signature is available on devices running iOS version 10.3 or later.
    • To use the S/MIME protocol to encrypt outgoing mail, select the Encrypt messages by default check box and select a certificate for encryption (public key). Message encryption is available on devices running iOS version 10.3 or later.
    • To enable a user to encrypt individual messages, select the Show toggle button for encrypting messages check box. To send encrypted messages, the user must click the lock icon in the Mail app in the To field.
  13. In the Inbound mail server and Outbound mail server sections, click the Settings button to configure the server connection settings:
    • Server address and port: Names of hosts or IP addresses of inbound mail servers and outbound mail servers and server port numbers.
    • Account name: Name of the user's account for inbound and outbound mail server authorization.
    • Authentication type: Type of user's email account authentication on inbound mail servers and outbound mail servers.
    • Password: Account password for authentication on the inbound and outbound mail server protected using the selected authentication method.
    • Use one password for incoming and outgoing mail servers: use one password for user authentication on incoming and outgoing mail servers.
    • Use SSL connection: usage of the SSL (Secure Sockets Layer) data transport protocol that uses encryption and certificate-based authentication to secure data transmission.
  14. Click OK.

    The new email account appears in the list.

  15. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, email accounts from the compiled list will be added on the user's mobile device.

Configuring an Exchange mailbox on iOS MDM devices

To enable the iOS MDM device user to use corporate email, calendar, contacts, notes, and tasks, add the user's Exchange ActiveSync account on the Microsoft Exchange server.

By default, an account with the following settings is added on the Microsoft Exchange server:

  • Email is synchronized once per week.
  • The user can move messages between the user's accounts and synchronize account addresses.
  • The user can use any email clients (other than Mail) to use email.
  • The SSL connection is not used during transmission of messages.

You can edit the specified settings when adding the Exchange ActiveSync account.

To add the Exchange ActiveSync account of the iOS MDM device user:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking.
  4. In the policy Properties window, select the Exchange ActiveSync section.
  5. Click the Add button in the Exchange ActiveSync accounts section.

    The Exchange ActiveSync account window opens on the General tab.

  6. In the Account name field, enter the account name for authorization on the Microsoft Exchange server. You can use macros from the Macros available drop-down list.
  7. In the Server address field, enter the network name or IP address of the Microsoft Exchange server.
  8. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of data, select the Use SSL connection check box.
  9. In the Domain field, enter the name of the iOS MDM device user's domain. You can use macros from the Macros available drop-down list.
  10. In the Account User Name field, enter the name of the iOS MDM device user.

    If you leave this field blank, Kaspersky Device Management for iOS prompts the user to enter the user name when applying the policy on the iOS MDM device. You can use macros from the Macros available drop-down list.

  11. In the Email address field, specify the email address of the iOS MDM device user. You can use macros from the Macros available drop-down list.
  12. In the Password field, enter the password of the Exchange ActiveSync account for authorization on the Microsoft Exchange server.
  13. Select the Additional tab and configure the additional settings of the Exchange ActiveSync account:
    • Number of Days to Sync Mail for <time period>.
    • Authentication type.
    • Allow movement of messages between accounts.
    • Allow sync of recent addresses.
    • Allow use of only Mail app.
  14. Configure the settings for using the S/MIME protocol in the Mail app. S/MIME is a protocol for transmitting digitally signed encrypted messages.
    • To use the S/MIME protocol to sign outgoing mail, select the Sign messages check box and select a certificate for the signature. A digital signature confirms the authenticity of the sender and indicates that the contents of the message have not been modified during transmission to the recipient. A message signature is available on devices running iOS version 10.3 or later.
    • To use the S/MIME protocol to encrypt outgoing mail, select the Encrypt messages by default check box and select a certificate for encryption (public key). Message encryption is available on devices running iOS version 10.3 or later.
    • To enable a user to encrypt individual messages, select the Show toggle button for encrypting messages check box. To send encrypted messages, the user must click the lock icon in the Mail app in the To field.
  15. Click OK.

    The new Exchange ActiveSync account appears in the list.

  16. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, Exchange ActiveSync accounts from the compiled list will be added on the user's mobile device.

Configuring an Exchange mailbox on Android devices (only Samsung)

To work with corporate mail, contacts, and the calendar on the mobile device, you should configure the Exchange mailbox settings (available only on Android 9 and earlier).

Configuration of an Exchange mailbox is possible only for Samsung devices.

To configure an Exchange mailbox on a mobile device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.
  4. In the policy Properties window, select the Manage Samsung KNOX → Manage Samsung devices section.
  5. In the Exchange ActiveSync window, click the Configure button.

    The Exchange mail server settings window opens.

  6. In the Server address field, enter the IP address or DNS name of the server hosting the mail server.
  7. In the Domain field, enter the name of the mobile device user's domain on the corporate network.
  8. In the Synchronization interval drop-down list, select the desired interval for mobile device synchronization with the Microsoft Exchange server.
  9. To use the SSL (Secure Sockets Layer) data transport protocol, select the Use SSL connection check box.
  10. To use digital certificates to protect data transfer between the mobile device and the Microsoft Exchange server, select the Verify server certificate check box.
  11. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

Installing root certificates on Android devices

A root certificate is a public key certificate issued by a trusted certificate authority (CA). Root certificates are used to verify custom certificates and guarantee their identity.

Kaspersky Security Center lets you add root certificates for Android devices operating in device owner mode. These root certificates are automatically installed to a trusted certificate store on devices.

To add a root certificate in Kaspersky Security Center:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.
  4. In the policy Properties window, select the Root certificates section.
  5. In the Root certificates section, click Add.

    The file explorer opens.

  6. Select a certificate file (.cer, .pem, or .key) and click Open.

    The Certificate window opens.

  7. View the certificate information and click Install Certificate...

    This starts the standard Certificate Import Wizard.

  8. Follow the wizard's instructions.

    After the wizard is finished, the root certificate appears in the list of certificates.

The added root certificates will be installed on Android devices in device owner mode after the next synchronization with Kaspersky Security Center.

Managing third-party mobile apps

You can use containers to monitor the activity of mobile applications launched on the user's device. A container is a special shell for mobile apps which makes it possible to control the activity of the containerized app, thereby protecting the user's personal and corporate data on the device.

In Kaspersky Security for Mobile Service Pack 3 Maintenance Release 2, there is no longer support for creating containers for mobile apps. However, containers that were created in earlier versions of the application can be added to Android devices.

You can install a containerized app on the user's device in one of the following ways:

  • By sending the user an email message with a link to the installation package of the containerized app.
  • By specifying a containerized app as a required or allowed app in the App Control section of the policy properties window. After the mobile device is synchronized with Kaspersky Security Center, the app distribution package in the container is automatically copied to the user's device.

To install containerized apps, installation of apps from unknown sources must be allowed on the user's mobile device. To protect your device and data after installing containerized apps, it is recommended to prohibit installation of apps from unknown sources. For details about installing apps without Google Play, please refer to the Android Help Guide.

Configuring notifications for Kaspersky Endpoint Security for Android

If you do not want the mobile device user to be distracted by Kaspersky Endpoint Security for Android notifications, you can disable certain notifications.

Kaspersky Endpoint Security for Android uses the following tools to display the device protection status:

  • Protection status notification. This notification is pinned to the notification bar. Protection status notification cannot be removed. The notification displays the device protection status and number of issues, if any. You can tap the device protection status and see the list of issues in the app.
  • App notifications. These notifications inform the device user about the application (for example, threat detection).
  • Pop-up messages. Pop-up messages require action from the device user (for example, action to take when a threat is detected).

All Kaspersky Endpoint Security for Android notifications are enabled by default.

On Android 13, the device user should grant permission to send notifications during the Initial Configuration Wizard or later.

An Android device user can disable all notifications from Kaspersky Endpoint Security for Android in the settings on the notification bar. If notifications are disabled, the user does not monitor the operation of the app and can ignore important information (for example, information about failures during device synchronization with Kaspersky Security Center). In this case, to find out the app operating status, the user must open Kaspersky Endpoint Security for Android.

To configure the display of notifications about the operation of Kaspersky Endpoint Security for Android:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.
  4. In the policy Properties window, select the Additional section.
  5. In the App notifications section, click the Configure button.

    The Device notification settings window opens.

  6. Select the Kaspersky Endpoint Security for Android issues that you want to hide on the user's mobile device and click the OK button.

    Kaspersky Endpoint Security for Android will not display issues in the protection status notification. Kaspersky Endpoint Security for Android will continue to display the protection status notification and app notifications.

    Certain Kaspersky Endpoint Security for Android issues are mandatory and impossible to disable (such as issues about license expiration).

  7. To hide all notifications and pop-up messages, select the Disable notifications and pop-ups when app is background mode check box.

    Kaspersky Endpoint Security for Android will display the protection status notification only. The notification displays the device protection status and number of issues. The app also displays notifications when the user is working with the app (for example, when the user updates anti-virus databases manually).

    Kaspersky experts recommend that you enable notifications and pop-up messages. If you disable notifications and pop-up messages when the app is in background mode, the app will not warn users about threats in real time. Mobile device users can learn about the device protection status only when they open the app.

  8. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. The Kaspersky Endpoint Security for Android notifications that you disable will not be displayed on the user's mobile device.

Connecting iOS MDM devices to AirPlay

Configure the connection to AirPlay devices to enable streaming of music, photos, and videos from the iOS MDM device to AirPlay devices. To be able to use AirPlay technology, the mobile device and AirPlay devices must be connected to the same wireless network. AirPlay devices include Apple TV devices (of the second and third generations), AirPort Express devices, speakers or radio sets with AirPlay support.

Automatic connection to AirPlay devices is available for controlled devices only.

To configure the connection of an iOS MDM device to AirPlay devices:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking.
  4. In the policy Properties window, select the AirPlay section.
  5. In the AirPlay devices section, select the Apply settings on device check box.
  6. Click the Add button in the Passwords section.

    An empty row is added in the password table.

  7. In the Device name column, enter the name of the AirPlay device on the wireless network.
  8. In the Password column, enter the password to the AirPlay device.
  9. To restrict access of iOS MDM devices to AirPlay devices, create a list of allowed devices in the Allowed devices section. To do so, add the MAC addresses of AirPlay devices to the list of allowed devices.

    Access to AirPlay devices that are not on the list of allowed devices is blocked. If the list of allowed devices is left blank, Kaspersky Device Management for iOS will allow access to all AirPlay devices.

  10. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the user's mobile device will automatically connect to AirPlay devices to stream media content.

Connecting iOS MDM devices to AirPrint

To enable printing of documents from the iOS MDM device wirelessly using AirPrint technology, configure automatic connection to AirPrint printers. The mobile device and printer must be connected to the same wireless network. Shared access for all users has to be configured on the AirPrint printer.

To configure the connection of an iOS MDM device to an AirPrint printer:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking.
  4. In the policy Properties window, select the AirPrint section.
  5. Click the Add button in the AirPrint printers section.

    The Printer window opens.

  6. In the IP address field, enter the IP address of the AirPrint printer.
  7. In the Resource Path field, enter the path to the AirPrint printer.

    The path to the printer corresponds to the rp (resource path) key of the Bonjour protocol. For example:

    • printers/Canon_MG5300_series
    • ipp/print
    • Epson_IPP_Printer
  8. Click OK.

    The newly added AirPrint printer appears on the list.

  9. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the mobile device user can wirelessly print documents on the AirPrint printer.
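The Resource Path value in step 7 is the rp key of the TXT record that the printer advertises over Bonjour (DNS-SD). The following Python sketch is an added example, not part of the Kaspersky product: it decodes raw TXT record data and returns the rp value to enter in the field. The sample record and the function names are constructed for illustration.

```python
"""Extract the AirPrint resource path (rp) from Bonjour/DNS-SD TXT record data."""


def encode_txt(items):
    """Build TXT RDATA: every string is prefixed with a one-byte length."""
    out = bytearray()
    for item in items:
        raw = item.encode("utf-8")
        if len(raw) > 255:
            raise ValueError("TXT strings are limited to 255 bytes")
        out += bytes([len(raw)]) + raw
    return bytes(out)


def parse_txt(rdata):
    """Decode TXT RDATA into {key: value}, following RFC 6763 section 6."""
    attrs = {}
    pos = 0
    while pos < len(rdata):
        length = rdata[pos]
        item = rdata[pos + 1:pos + 1 + length]
        if len(item) != length:
            raise ValueError("truncated TXT string at offset %d" % pos)
        pos += 1 + length
        key, sep, value = item.partition(b"=")
        if not key:
            continue  # empty string, or a string that starts with "=": ignored
        name = key.decode("ascii").lower()  # keys are case-insensitive
        if name not in attrs:  # when a key repeats, only the first one counts
            attrs[name] = value.decode("utf-8") if sep else None
    return attrs


def resource_path(rdata):
    """Return the rp value, rejecting records that are unusable for the policy."""
    rp = parse_txt(rdata).get("rp")
    if not rp:
        raise ValueError("record carries no rp key")
    # mDNS answers are unauthenticated input: refuse control characters
    # instead of copying them into the policy field.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in rp):
        raise ValueError("rp contains control characters")
    return rp


# Constructed sample record (not captured from a real printer).
SAMPLE = encode_txt([
    "txtvers=1",
    "qtotal=1",
    "rp=ipp/print",
    "ty=Example Printer (constructed)",
    "pdl=application/pdf,image/urf",
    "RP=ignored/duplicate",  # same key in another case: must not win
])

if __name__ == "__main__":
    print("Resource Path:", resource_path(SAMPLE))
```
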

[Topic 90312]

Configuring the Access Point Name (APN)

To connect a mobile device to data transfer services on a mobile network, you should configure the APN (Access Point Name) settings.

In this section

Configuring APN on Android devices (only Samsung)

Configuring APN on iOS MDM devices

[Topic 141382]

Configuring APN on Android devices (only Samsung)

Configuration of APN is possible only for Samsung devices.

A SIM card must be inserted to be able to use an access point on the user's mobile device. Access point settings are provided by the mobile telephony operator. Incorrect access point settings may result in additional mobile telephony charges.

To configure the Access Point Name (APN) settings:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.
  4. In the policy Properties window, select the Manage Samsung KNOX APN section.
  5. In the APN section, click the Configure button.

    The APN settings window opens.

  6. On the General tab, specify the following access point settings:
    1. In the APN type drop-down list, select the type of access point.
    2. In the APN name field, specify the name of the access point.
    3. In the MCC field, enter the mobile country code (MCC).
    4. In the MNC field, enter the mobile network code (MNC).
    5. If you have selected MMS or Internet and MMS as the type of access point, specify the following additional MMS settings:
      • In the MMS server field, specify the full domain name of the mobile carrier's server used for MMS exchange.
      • In the MMS proxy server field, specify the network name or IP address of the proxy server and the port number of the mobile carrier's server used for MMS exchange.
  7. On the Additional tab, configure the additional settings of the Access Point Name (APN):
    1. In the Authentication type drop-down list, select the type of mobile device user's authentication on the mobile carrier's server for network access.
    2. In the Server address field, specify the network name of the mobile carrier's server through which data transmission services are accessed.
    3. In the Proxy server address field, specify the network name or IP address and port number of the mobile carrier's proxy server for network access.
    4. In the User name field, enter the user name for authorization on the mobile network.
    5. In the Password field, enter the password for user authorization on the mobile network.
  8. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

[Topic 90651]

Configuring APN on iOS MDM devices

The Access Point Name (APN) has to be configured in order to enable the mobile network data transmission service on the user's iOS MDM device.

The APN section is out of date. It is recommended to configure APN settings in the Cellular communications section. Before configuring cellular communication settings, make sure that the settings of the APN section have not been applied on the device (the Apply settings on device check box is cleared). The settings of the APN and Cellular communications sections cannot be used concurrently.

To configure an access point on a user's iOS MDM device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking.
  4. In the policy Properties window, select the Cellular communications section.
  5. In the Cellular communication settings section, select the Apply settings on device check box.
  6. In the APN type list, select the type of access point for data transfer on a GPRS/3G/4G mobile network:
    • Built-in APN – configuration of cellular communication settings for data transfer via a mobile network operator that supports operation with a built-in Apple SIM. For more details about devices with a built-in Apple SIM, please visit the Apple Technical Support website.
    • APN – configuration of cellular communication settings for data transfer via the mobile network operator of the inserted SIM card.
    • Built-in APN and APN – configuration of cellular communication settings for data transfer via the mobile network operators of the inserted SIM card and the built-in Apple SIM. For more details about devices with a built-in Apple SIM and a SIM card slot, please visit the Apple Technical Support website.
  7. In the APN name field, specify the name of the access point.
  8. In the Authentication type drop-down list, select the type of device user authentication on the mobile operator's server for network access (internet and MMS).
  9. In the User name field, enter the user name for authorization on the mobile network.
  10. In the Password field, enter the password for user authorization on the mobile network.
  11. In the Proxy server address and port field, enter the name of a host or the IP address of a proxy server and the number of the proxy server port.
  12. Click the Apply button to save the changes you have made.

As a result, the access point name (APN) is configured on the user's mobile device after the policy is applied.

[Topic 90309]

Configuring the Android work profile

This section contains information about working with an Android work profile.

In this section

About Android work profile

Configuring the work profile

[Topic 140467]

About Android work profile

Android Enterprise is a platform for managing the corporate mobile infrastructure, which provides company employees with a work environment in which they can use mobile devices. For details on using Android Enterprise, see the Google support website.

You can create the Android work profile (hereinafter also "work profile") on the user's mobile device. Android work profile is a safe environment on the user's device in which the administrator can manage apps and user accounts without restricting the user's use of his/her own data. When a work profile is created on the user's mobile device, the following corporate apps are automatically installed in it: Google Play Market, Google Chrome, Downloads, Kaspersky Endpoint Security for Android, and others. Corporate apps installed in the work profile and notifications of these apps are marked with an icon. You have to create a separate Google corporate account for the Google Play Market app. Apps installed in the work profile appear in the common list of apps.

[Topic 140468]

Configuring the work profile

To configure the settings of the Android work profile:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.
  4. In the policy Properties window, select the Android work profile section.
  5. In the Android work profile workspace, select the Create work profile check box.
  6. Specify the work profile settings:
    • To enable App Control in the Android work profile and disable it in the personal profile, select the Enable App Control in work profile only check box.

      In the Users section, you can select App Control and use its workspace to create lists of allowed, blocked, recommended, and required apps, as well as allowed and blocked app categories.

    • To enable Web Protection in the work profile and disable it in the personal profile for the Google Chrome browser, select the Enable Web Protection in work profile only check box.

      For Samsung Internet Browser and Huawei Browser, leave the Enable Web Protection in work profile only check box unselected. These browsers do not allow you to enable Web Protection only in the work profile. If you select this check box, Web Protection in these browsers will not work.

      You can specify website access settings (create a list of blocked website categories or a list of allowed websites) in the Web Protection section.

    • To prohibit the user from copying data by means of the Clipboard from work profile apps to personal apps, select the Prohibit data transfer from work profile to personal profile check box.
    • To block the user from using USB debugging mode on the mobile device in the work profile, select the Prohibit activation of USB debugging mode check box.

      In USB debugging mode, the user can download an app by using a workstation, for example.

    • To prohibit the user from installing apps in the Android work profile from all sources except Google Play, select the Prohibit installation of apps in work profile from unknown sources check box.
    • To prohibit the user from removing apps from the Android work profile, select the Prohibit removal of apps from work profile check box.
    • To also install the VPN-certificate in the personal profile, select the Duplicate installation of the VPN-certificate in personal profile check box. By default, VPN-certificates received from Kaspersky Security Center are installed in the work profile. This setting is applied when a new VPN-certificate is issued.
  7. To configure work profile settings on the user's mobile device, block changes to settings.
  8. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. The space of the user's mobile device is divided into a work profile and a personal profile.

[Topic 102298]

Adding an LDAP account

To enable the iOS MDM device user to access corporate contacts on the LDAP server, add the LDAP account.

To add the LDAP account of the iOS MDM device user:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking.
  4. In the policy Properties window, select the LDAP section.
  5. Click the Add button in the LDAP accounts section.

    The LDAP account window opens.

  6. In the Description field, enter a description of the user's LDAP account. You can use macros from the Macros available drop-down list.
  7. In the Account name field, enter the account name for authorization on the LDAP server. You can use macros from the Macros available drop-down list.
  8. In the Password field, enter the password of the LDAP account for authorization on the LDAP server.
  9. In the Server address field, enter the name of the LDAP server domain. You can use macros from the Macros available drop-down list.
  10. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of messages, select the Use SSL connection check box.
  11. Compile a list of search queries for the iOS MDM mobile device user access to corporate data on the LDAP server:
    1. Click the Add button in the Search settings section.

      A blank row appears in the table with search queries.

    2. In the Name column, enter the name of a search query.
    3. In the Search scope column, select the nesting level of the folder for the corporate data search on the LDAP server:
      • Base – search in the base folder of the LDAP server.
      • One level – search in folders on the first nesting level counting from the base folder.
      • Subtree – search in folders on all nesting levels counting from the base folder.
    4. In the Search base column, enter the path to the folder on the LDAP server with which the search begins (for example: "ou=people", "o=example corp").
    5. Repeat steps 1-4 for all search queries that you want to add to the iOS MDM device.
  12. Click OK.

    The new LDAP account appears in the list.

  13. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, LDAP accounts from the compiled list will be added on the user's mobile device. The user can access corporate contacts in the standard iOS apps: Contacts, Messages, and Mail.
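The Search scope and Search base columns together decide which directory entries the device account can enumerate. The following Python sketch is an added example, not part of the product: it applies the standard LDAP scope semantics (RFC 4511) for Base, One level, and Subtree to a constructed directory, so you can compare how far each choice reaches before selecting the narrowest one that still returns the contacts users need. The directory entries and function names are assumptions made for illustration.

```python
"""Which entries does a search base + scope pair expose? (standard LDAP semantics)"""


def split_dn(dn):
    """Split a DN into normalised RDNs, honouring backslash-escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    normalised = []
    for rdn in rdns:
        if not rdn.strip():
            continue
        attr, _, value = rdn.partition("=")
        # Assumption: attribute values compare case-insensitively,
        # which holds for the common naming attributes (cn, ou, o, dc).
        normalised.append(attr.strip().lower() + "=" + value.strip().lower())
    return normalised


def depth_below(base, entry):
    """Levels by which entry sits below base, or None if it is outside base."""
    b, e = split_dn(base), split_dn(entry)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return None
    return len(e) - len(b)


def search(scope, base, directory):
    """Return the DNs in directory that the given scope reaches from base."""
    tests = {
        "Base": lambda d: d == 0,        # the base entry only
        "One level": lambda d: d == 1,   # immediate children, base excluded
        "Subtree": lambda d: d >= 0,     # base and everything below it
    }
    matches = tests[scope]
    hits = []
    for dn in directory:
        depth = depth_below(base, dn)
        if depth is not None and matches(depth):
            hits.append(dn)
    return hits


# Constructed directory, loosely based on the page's "ou=people" / "o=example corp".
DIRECTORY = [
    "o=example corp",
    "ou=people,o=example corp",
    "cn=Alice Example,ou=people,o=example corp",
    "cn=Bob Example,ou=people,o=example corp",
    "ou=contractors,ou=people,o=example corp",
    "cn=Carol Example,ou=contractors,ou=people,o=example corp",
    "ou=service accounts,o=example corp",
    "cn=backup-agent,ou=service accounts,o=example corp",
]

if __name__ == "__main__":
    for base in ("ou=people,o=example corp", "o=example corp"):
        for scope in ("Base", "One level", "Subtree"):
            print("%-26s %-9s -> %d entries"
                  % (base, scope, len(search(scope, base, DIRECTORY))))
```

In this constructed directory, a Subtree query from "o=example corp" also returns the service account entry, while the same scope from "ou=people,o=example corp" does not.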

[Topic 88355]

Adding a calendar account

To enable the iOS MDM device user to access the user's calendar events on the CalDAV server, add the CalDAV account. Synchronization with the CalDAV server enables the user to create and receive invitations, receive event updates, and synchronize tasks with the Reminders app.

To add the CalDAV account of the iOS MDM device user:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking.
  4. In the policy Properties window, select the Calendar section.
  5. Click the Add button in the CalDAV accounts section.

    The CalDAV account window opens.

  6. In the Description field, enter a description of the user's CalDAV account.
  7. In the Server address and port field, enter the name of a host or the IP address of a CalDAV server and the number of the CalDAV server port.
  8. In the Main URL field, specify the URL of the CalDAV account of the iOS MDM device user on the CalDAV server (for example: http://example.com/caldav/users/mycompany/user).

    The URL should begin with "http://" or "https://".

  9. In the Account name field, enter the account name for authorization on the CalDAV server.
  10. In the Password field, set the CalDAV account password for authorization on the CalDAV server.
  11. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of event data between the CalDAV server and the mobile device, select the Use SSL connection check box.
  12. Click OK.

    The new CalDAV account appears in the list.

  13. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, CalDAV accounts from the compiled list will be added on the user's mobile device.

[Topic 90278]

Adding a contacts account

To enable the iOS MDM device user to synchronize data with the CardDAV server, add the CardDAV account. Synchronization with the CardDAV server enables the user to access the contact details from any device.

To add the CardDAV account of the iOS MDM device user:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking.
  4. In the policy Properties window, select the Contacts section.
  5. Click the Add button in the CardDAV accounts section.

    The CardDAV account window opens.

  6. In the Description field, enter a description of the user's CardDAV account. You can use macros from the Macros available drop-down list.
  7. In the Server address and port field, enter the name of a host or the IP address of a CardDAV server and the number of the CardDAV server port.
  8. In the Main URL field, specify the URL of the CardDAV account of the iOS MDM device user on the CardDAV server (for example: http://example.com/carddav/users/mycompany/user).

    The URL should begin with "http://" or "https://".

  9. In the Account name field, enter the account name for authorization on the CardDAV server. You can use macros from the Macros available drop-down list.
  10. In the Password field, set the CardDAV account password for authorization on the CardDAV server.
  11. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of contacts between the CardDAV server and the mobile device, select the Use SSL connection check box.
  12. Click OK.

    The new CardDAV account appears in the list.

  13. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, CardDAV accounts from the compiled list will be added on the user's mobile device.

[Topic 90315]

Configuring calendar subscription

To enable the iOS MDM device user to add events of shared calendars (such as the corporate calendar) to the user's calendar, add subscription to this calendar. Shared calendars are calendars of other users who have a CalDAV account, iCal calendars, and other openly published calendars.

To add calendar subscription:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking.
  4. In the policy Properties window, select the Calendar subscription section.
  5. Click the Add button in the Calendar subscriptions section.

    The Calendar Subscription window opens.

  6. In the Description field, enter a description of the calendar subscription.
  7. In the Server web address field, specify the URL of the third-party calendar.

    In this field, you can enter the main URL of the CalDAV account of the user to whose calendar you are subscribing. You can also specify the URL of an iCal calendar or a different openly published calendar.

  8. In the User name field, enter the user account name for authentication on the server of the third-party calendar.
  9. In the Password field, enter the calendar subscription password for authentication on the server of the third-party calendar.
  10. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of event data between the CalDAV server and the mobile device, select the Use SSL connection check box.
  11. Click OK.

    The new calendar subscription appears in the list.

  12. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, events from the shared calendars on the list will be added to the calendar on the user's mobile device.

[Topic 90316]

Adding web clips

A web clip is an app that opens a website from the Home screen of the mobile device. By clicking web clip icons on the home screen of the device, the user can quickly open websites (such as the corporate website).

You can add web clips to user devices and specify web clip icons displayed on the screen.

Adding web clips to Android devices

To add a web clip on a user's Android device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.
  4. In the policy Properties window, select the Device management section.
  5. In the Adding web clips to device home screen section, click Add.

    The Add web clip window opens.

  6. In the Name field, enter the name of the web clip to be displayed on the home screen of the Android device.
  7. In the URL field, enter the web address of the website that will open when the web clip icon is clicked. The address should begin with "http://" or "https://".
  8. In the Icon field, specify the image for the web clip icon: click Browse... and select an image file. The PNG and JPEG file formats are supported. If you do not select an image for the web clip, a blank square is displayed as the icon.
  9. Click OK.

    The new web clip appears in the list.

  10. Click the Apply button to save the changes you have made.

Once the policy is applied to a device, the Kaspersky Endpoint Security for Android app shows notifications to prompt the user to install the web clips you created. After the user installs these web clips, the corresponding icons are added on the home screen of the device.

The maximum number of web clips that can be added to an Android device depends on the device type. When this number is reached, web clips are no longer added to the Android device.

Adding web clips to iOS MDM devices

By default, the following restrictions on web clip usage apply:

  • The user cannot manually remove web clips from the mobile device.
  • Websites that open when the user clicks a web clip icon do not open in full-screen mode.
  • The corner rounding, shadow, and gloss visual effects are applied to the web clip icon on the screen.

To add a web clip on a user's iOS MDM device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking.
  4. In the policy Properties window, select the Web Clips section.
  5. Click the Add button in the Web Clips section.

    The Web Clip window opens.

  6. In the Name field, enter the name of the web clip to be displayed on the home screen of the iOS MDM device.
  7. In the URL field, enter the web address of the website that will open when the web clip icon is clicked. The address should begin with "http://" or "https://".
  8. To allow the user to remove a web clip from the iOS MDM device, select the Allow removal check box.
  9. Click the Select button and specify the file with the image for the web clip icon.

    The icon is displayed on the home screen of the iOS MDM device. The image must meet the following requirements:

    • Image size no greater than 400 x 400 pixels.
    • File format: GIF, JPEG, or PNG.
    • File size no greater than 1 MB.

    The web clip icon is available for preview in the Icon field. If you do not select an image for the web clip, a blank square is displayed as the icon.

    If you want the web clip icon to be displayed without special visual effects (rounding of icon corners and gloss effect), select the Precomposed icon check box.

  10. If you want the website to open in full-screen mode on the iOS MDM device when you click the icon, select the Full screen Web Clip check box.
  11. Click OK.

    The new web clip appears in the list.

  12. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, web clip icons from the list you have created are added on the home screen of the user's mobile device.
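The icon requirements in step 9 (GIF, JPEG, or PNG; no greater than 400 x 400 pixels; no greater than 1 MB) can be checked before the file is selected in the console. The following Python sketch is an added example, not part of the product: it identifies the format from the file content rather than the extension and reads the dimensions from the header. The sample byte strings are constructed, and 1 MB is assumed to mean 1024 x 1024 bytes.

```python
"""Pre-check a web clip icon against the limits stated for iOS MDM devices."""
import struct

MAX_SIDE = 400             # pixels, from the page
MAX_BYTES = 1024 * 1024    # "1 MB" on the page; binary megabyte assumed


def _jpeg_size(data):
    """Walk JPEG segments until a start-of-frame header gives the size."""
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt JPEG segment marker")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD9:
            pos += 2                            # stand-alone marker, no length
            continue
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if seg_len < 2:
            raise ValueError("corrupt JPEG segment length")
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
            if pos + 9 > len(data):
                raise ValueError("truncated JPEG frame header")
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        pos += 2 + seg_len
    raise ValueError("no JPEG frame header found")


def image_size(data):
    """Return (format, width, height) based on the file content."""
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        if len(data) < 24 or data[12:16] != b"IHDR":
            raise ValueError("PNG without a leading IHDR chunk")
        width, height = struct.unpack(">II", data[16:24])
        return "PNG", width, height
    if data[:6] in (b"GIF87a", b"GIF89a"):
        if len(data) < 10:
            raise ValueError("truncated GIF header")
        width, height = struct.unpack("<HH", data[6:10])
        return "GIF", width, height
    if data[:2] == b"\xff\xd8":
        return ("JPEG",) + _jpeg_size(data)
    raise ValueError("not a GIF, JPEG or PNG file")


def check_icon(data):
    """Return a list of problems; an empty list means the icon is acceptable."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append("file is %d bytes, limit is %d" % (len(data), MAX_BYTES))
    try:
        fmt, width, height = image_size(data)
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    if width > MAX_SIDE or height > MAX_SIDE:
        problems.append("%s is %dx%d, limit is %dx%d"
                        % (fmt, width, height, MAX_SIDE, MAX_SIDE))
    return problems


# Constructed headers (no pixel data); enough for the checks above.
def png(width, height):
    return b"\x89PNG\r\n\x1a\n" + struct.pack(
        ">I4sIIBBBBB", 13, b"IHDR", width, height, 8, 6, 0, 0, 0)


def gif(width, height):
    return b"GIF89a" + struct.pack("<HH", width, height) + b"\x00\x00\x00"


def jpeg(width, height):
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
    sof0 = b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, height, width, 1) + bytes(3)
    return b"\xff\xd8" + app0 + sof0


if __name__ == "__main__":
    for label, blob in (("png 400x400", png(400, 400)),
                        ("jpeg 512x256", jpeg(512, 256)),
                        ("bmp", b"BM" + bytes(30))):
        print(label, "->", check_icon(blob) or "ok")
```
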

[Topic 90308]

Adding fonts

To add a font on a user's iOS MDM device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking.
  4. In the policy Properties window, select the Fonts section.
  5. Click the Add button in the Fonts section.

    The Font window opens.

  6. In the File name field, specify the path to the font file (a file with the .ttf or .otf extension).

    Fonts with the .ttc or .otc extension are not supported.

    Fonts are identified using the PostScript name. Do not install fonts with the same PostScript name even if their content is different. Installing fonts with the same PostScript name will result in an undefined error.

  7. Click Open.

    The new font appears in the list.

  8. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the user will be prompted to install fonts from the list that has been created.
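Because fonts are identified by their PostScript name, it is worth checking a batch of font files for name collisions before adding them to the policy. The following Python sketch is an added example, not part of the product: it reads the PostScript name (name ID 6 in the font's name table) from .ttf/.otf data, rejects font collections, and reports files that share a name. The sample fonts are constructed byte strings containing only a name table, and the file names are hypothetical.

```python
"""Detect PostScript-name collisions among .ttf/.otf files before deployment."""
import struct

SINGLE_FONT_MAGIC = (b"\x00\x01\x00\x00", b"OTTO", b"true")


def postscript_name(font):
    """Return the PostScript name (name ID 6) stored in the font's name table."""
    if font[:4] == b"ttcf":
        raise ValueError("font collection (.ttc/.otc) is not supported")
    if font[:4] not in SINGLE_FONT_MAGIC or len(font) < 12:
        raise ValueError("not a .ttf/.otf font file")
    (num_tables,) = struct.unpack(">H", font[4:6])
    table = None
    for i in range(num_tables):
        record = font[12 + 16 * i:28 + 16 * i]
        if len(record) < 16:
            raise ValueError("truncated table directory")
        tag, _checksum, offset, length = struct.unpack(">4sIII", record)
        if tag == b"name":
            table = font[offset:offset + length]
            break
    if table is None or len(table) < 6:
        raise ValueError("font has no usable name table")
    _format, count, string_offset = struct.unpack(">HHH", table[:6])
    for i in range(count):
        record = table[6 + 12 * i:18 + 12 * i]
        if len(record) < 12:
            raise ValueError("truncated name record")
        platform, _enc, _lang, name_id, length, offset = struct.unpack(">6H", record)
        if name_id != 6:
            continue
        raw = table[string_offset + offset:string_offset + offset + length]
        if len(raw) != length:
            raise ValueError("name string lies outside the name table")
        # Unicode (0) and Windows (3) platforms store UTF-16BE; Macintosh (1)
        # strings are decoded as MacRoman here.
        return raw.decode("utf-16-be" if platform in (0, 3) else "mac_roman")
    raise ValueError("font has no PostScript name record")


def find_collisions(fonts):
    """Map each PostScript name used by more than one file to those files."""
    by_name = {}
    for filename in sorted(fonts):
        by_name.setdefault(postscript_name(fonts[filename]), []).append(filename)
    return {name: files for name, files in by_name.items() if len(files) > 1}


def make_font(ps_name, padding=b""):
    """Constructed sample: an sfnt wrapper holding only a name table."""
    text = ps_name.encode("utf-16-be")
    name = (struct.pack(">HHH", 0, 1, 18)
            + struct.pack(">6H", 3, 1, 0x0409, 6, len(text), 0)
            + text)
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", 1, 16, 0, 0)
    record = struct.pack(">4sIII", b"name", 0, 28, len(name))
    return header + record + name + padding


# Hypothetical file names; the second file differs in content but not in name.
SAMPLE_FONTS = {
    "ExampleSans-Regular.ttf": make_font("ExampleSans-Regular"),
    "ExampleSans-Regular-v2.ttf": make_font("ExampleSans-Regular", b"\x00" * 8),
    "ExampleSerif-Bold.otf": make_font("ExampleSerif-Bold"),
}

if __name__ == "__main__":
    for name, files in find_collisions(SAMPLE_FONTS).items():
        print("PostScript name %r is shared by: %s" % (name, ", ".join(files)))
```
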

[Topic 90275]