The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring restrictions

This section provides instructions on how to configure user access to the features of mobile devices.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Special considerations for devices running Android version 10 and later

Android 10 introduced numerous changes and restrictions targeting API 29 or higher. Some of these changes affect the availability or functionality of some of the app's features. These considerations apply only to devices running Android 10 or later.

Ability to enable, disable, and configure Wi-Fi

• Wi-Fi networks can be added, deleted, and configured in the Administration Console of Kaspersky Security Center. When a Wi-Fi network is added to a policy, Kaspersky Endpoint Security receives this network configuration when it first connects to Kaspersky Security Center.
• When a device detects a network configured through Kaspersky Security Center, Kaspersky Endpoint Security prompts the user to connect to that network. If the user chooses to connect to the network, all of the settings configured through Kaspersky Security Center are automatically applied. The device then automatically connects to that network when in range, without showing further notifications to the user.
• If a user's device is already connected to another Wi-Fi network, sometimes the user may not be prompted to approve a network addition. In such cases, the user must turn Wi-Fi off and on again to receive the suggestion.
• When Kaspersky Endpoint Security suggests a user connect to a Wi-Fi network and the user refuses to do so, the app's permission to change the Wi-Fi state is revoked. Kaspersky Endpoint Security then cannot suggest connecting to Wi-Fi networks until the user grants the permission again by going to Settings → Apps & notifications → Special App access → Wi-Fi Control → Kaspersky Endpoint Security.
• Only open networks and networks encrypted with WPA2-PSK are supported. WEP and WPA encryption are not supported.
• If the password for a network previously suggested by the app is changed, the user must manually delete that network from the list of known networks. The device will then be able to receive a network suggestion from Kaspersky Endpoint Security and connect to it.
• When a device OS is updated from Android version 9 or earlier to Android version 10 or later, and/or Kaspersky Endpoint Security installed on a device running Android version 10 or later is updated, the networks that were previously added via Kaspersky Security Center cannot be modified or deleted through Kaspersky Security Center policies. The user, however, can manually modify or delete such networks in the device settings.
• On devices running Android 10, a user is prompted for the password during an attempt to connect manually to a protected suggested network. Automatic connection does not require entering the password. If a user's device is connected to some other Wi-Fi network, the user must first disconnect from that network to connect automatically to one of the suggested networks.
• On devices running Android 11, a user may manually connect to a protected network suggested by the app, without entering the password.
• When Kaspersky Endpoint Security is removed from a device, the networks previously suggested by the app are ignored.
• Prohibiting use of Wi-Fi networks is not supported.

Camera access

• On devices running Android 10, use of the camera cannot be completely prohibited. Prohibiting use of the camera for a work profile is still available.
• If a third-party app attempts to access the device's camera, that app will be blocked, and the user will be notified about the issue. However, the apps that use the camera while running in background mode cannot be blocked.
• When an external camera is disconnected from a device, a notification about the camera not being available may be displayed in some cases.

Managing screen unlock methods

• Kaspersky Endpoint Security now resolves the password strength requirements into one of the system values: medium or high.
  • If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN), with no repeating or ordered (e.g. 1234) sequences; or alphanumeric. The PIN or password must be at least 4 characters long.
  • If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN), with no repeating or ordered sequences; or alphanumeric (password). The PIN must be at least 8 digits long; the password must be at least 6 characters long.
• Using a fingerprint to unlock the screen can be managed for a work profile only.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring restrictions for Android devices

To keep an Android device secure, configure the Wi-Fi, camera, and Bluetooth usage settings on the device.

By default, the user can use Wi-Fi, camera, and Bluetooth on the device without restrictions.

To configure the Wi-Fi, camera, and Bluetooth usage restrictions on the device:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Device Management section.
5. In the Restrictions section, configure usage of Wi-Fi, camera, and Bluetooth:
   • To disable the Wi-Fi module on the user's mobile device, select the Prohibit use of Wi-Fi check box.

     On devices running Android 10.0 or later, prohibiting the use of Wi-Fi networks is not supported.

   • To disable the camera on the user's mobile device, select the Prohibit use of camera check box.

     On devices running Android 10.0 or later, the use of the camera cannot be completely prohibited.

     On devices running Android 11 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. If this is the case, you will not be able to restrict use of the camera.

   • To disable Bluetooth on the user's mobile device, select the Prohibit use of Bluetooth check box.

     On Android 12 or later, the use of Bluetooth can be disabled only if the device user granted the Nearby Bluetooth devices permission. The user can grant this permission during the Initial Configuration Wizard or at a later time.

     On personal devices running Android 13 or later, the use of Bluetooth cannot be disabled.

6. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring iOS MDM device feature restrictions

To ensure compliance with corporate security requirements, configure restrictions on the operation of the iOS MDM device. For information about available restrictions, refer to the context help of the administration plug-in.

To configure iOS MDM device feature restrictions:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking.
4. In the policy Properties window, select the Features Restriction section.
5. In the Features restriction settings section, select the Apply settings on device check box.
6. Configure iOS MDM device feature restrictions.
7. Click the Apply button to save the changes you have made.
8. Select the Restrictions for applications section.
9. In the Applications restriction settings section, select the Apply settings on device check box.
10. Configure restrictions for apps on the iOS MDM device.
11. Click the Apply button to save the changes you have made.
12. Select the Restrictions for Media Content section.
13. In the Media content restriction settings section, select the Apply settings on device check box.
14. Configure restrictions for media content on the iOS MDM device.
15. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, restrictions on features, apps, and media content will be configured on the user's mobile device.