Kaspersky Secure Mobility Management

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Managing the app using third-party EMM systems (Android only)

You can use the Kaspersky Endpoint Security for Android app without Kaspersky Administration Systems. Use solutions of other EMM (Enterprise Mobility Management) service providers to deploy and manage the Kaspersky Endpoint Security for Android app. Kaspersky participates in the AppConfig Community to ensure that the app operates with third-party EMM solutions.

You can manage the Kaspersky Endpoint Security for Android app through third-party EMM solutions only on devices running Android.

You can also use a third-party EMM solution only to deploy the Kaspersky Endpoint Security for Android app, and then connect the device to Kaspersky Security Center and manage the app in the Administration Console. In this case, managing the Kaspersky Endpoint Security for Android app in the EMM console is unavailable.

If you deployed the Kaspersky Endpoint Security for Android app using the third-party EMM system, it is impossible to manage the app in the Kaspersky Endpoint Security Cloud. You can manage the Kaspersky Endpoint Security for Android app in the EMM Console.

The following EMM solutions support the use of the Kaspersky Endpoint Security for Android app:

  • VMware AirWatch
  • MobileIron
  • IBM Maas360
  • Microsoft Intune
  • SOTI MobiControl

You can perform the following actions in the EMM Console:

  • Deploy the app to an Android work profile on users' devices.
  • Activate the app.
  • Configure app settings:
    • Enable protection against malicious and phishing websites on the internet.
    • Configure settings for connecting the device to Kaspersky Security Center.
    • Configure Anti-Virus settings.
    • Configure the schedule for running a virus scan on the device.
    • Enable detection of adware and apps that could be exploited by criminals to harm the user's device or personal data.
    • Configure the schedule for app database updates.

In this section

Getting Started

How to install the app

How to activate the app

How to connect a device to Kaspersky Security Center

AppConfig File


Getting Started

To deploy the app on users' mobile devices, you must add Kaspersky Endpoint Security for Android to the EMM app store. You can add Kaspersky Endpoint Security for Android to the EMM app store by using a Google Play link. For more details about working with apps in the EMM Console, visit the technical support website of the EMM service provider.

The Kaspersky Endpoint Security for Android app is deployed in an Android work profile. The app is isolated from the user's personal data and protects only corporate data in the work profile. It is recommended to ensure that Kaspersky Endpoint Security for Android is protected from removal by EMM Console tools.


How to install the app

Depending on the EMM Console, select the method for installing the app on devices: silent installation, sending an email containing a link to the app in Google Play, or another available method.

The following permissions are required for the app to work:

  • Storage permission for accessing files when Anti-Virus is running (only for Android 6.0 or later).
  • Phone permission for identifying the device, for example, when activating the app.
  • Request to add Kaspersky Endpoint Security for Android to the list of apps that are started at operating system startup (on certain devices, such as Huawei, Meizu, and Xiaomi). If the add request is not displayed, manually add Kaspersky Endpoint Security for Android to the list of startup apps. The request may not be displayed if the Security app is not installed in the work profile.

You can grant the required permissions in the EMM Console before deploying the Kaspersky Endpoint Security for Android app. For more details about granting the permissions in the EMM Console, visit the technical support website of the EMM service provider. You can also grant the permissions while completing the Initial Configuration Wizard of Kaspersky Endpoint Security for Android on the device.

The Kaspersky Endpoint Security for Android app will be installed in the Android work profile.

For operation of Web Protection, you must also configure a proxy server in Google Chrome settings:

  • Proxy server configuration mode: manual.
  • Proxy server address and port: 127.0.0.1:3128.
  • SPDY protocol support: disabled.
  • Data compression through proxy server: disabled.

How to activate the app

Information about the license is transmitted to the mobile device together with the other settings in the configuration file.

If the app is not activated within 30 days after its installation on the mobile device, the trial license expires. When the trial license expires, all features of the Kaspersky Endpoint Security for Android mobile app are disabled.

When the commercial license expires, the mobile app continues running with limited functionality (for example, Kaspersky Endpoint Security for Android database updates are not available). To continue using the app in fully functional mode, you must renew your commercial license.

To activate Kaspersky Endpoint Security for Android:

  1. In the EMM Console, open the settings of the Kaspersky Endpoint Security for Android app.
  2. In the LicenseActivationCode field, enter the app activation code.

    To activate the app on a device, you must have access to Kaspersky activation servers.


How to connect a device to Kaspersky Security Center

After Kaspersky Endpoint Security for Android is installed on a mobile device, you can connect the device to Kaspersky Security Center. The data necessary for connecting the device to Kaspersky Security Center is transmitted to the mobile device together with the other settings listed in the configuration file. After connecting the device to Kaspersky Security Center, you can use group policies to centrally configure the app settings. You can also receive reports and statistics on the performance of Kaspersky Endpoint Security for Android.

Prior to connecting devices to Kaspersky Security Center, make sure that the following conditions are fulfilled:

Prior to connecting devices to Kaspersky Security Center, it is recommended to do the following:

To connect a device to Kaspersky Security Center:

  1. In the EMM Console, open the settings of the Kaspersky Endpoint Security for Android app.
  2. In the KscServer field, enter the DNS name or IP address of the Kaspersky Security Center Administration Server. The default port is 13292.
  3. If you do not want the user to be distracted by Kaspersky Endpoint Security for Android notifications, disable app notifications. To do so, set the DisableNotification = True setting.

    After connecting, the app shows all notifications. You can disable certain app notifications in the policy settings.

    Do not disable app notifications if you do not use Kaspersky Security Center. This could cause a user to not receive notifications about the license expiring. As a result, the app will stop performing its functions.

After the connection settings are configured, Kaspersky Endpoint Security for Android displays a notification prompting you to grant the following additional rights and permissions:

  • Permission to use the Camera for Anti-Theft operation (Mugshot command).
  • Permission to use Location for Anti-Theft operation (Locate device command).
  • Device administrator rights (Android work profile owner) for operation of the following app functions:
    • Install security certificate.
    • Configure Wi-Fi.
    • Configure Exchange ActiveSync.
    • Restrict use of the camera, Bluetooth, and Wi-Fi.

    Due to the specific characteristics of an Android work profile (absence of the Accessibility service), the App Control and Anti-Theft features are unavailable in the app.

When the user grants the necessary rights and permissions, the device will be connected to Kaspersky Security Center. If a rule for automatically moving devices to an administration group has not been created, the device will be automatically added to the Unassigned devices folder. If a rule for automatically moving devices to an administration group has been created, the device will be automatically added to the defined group.

Kaspersky Endpoint Security provides the following device name formats:

  • Device model [email, device ID]
  • Device model [email (if any) or device ID]

A device ID is a unique ID that Kaspersky Endpoint Security for Android generates from the data received from a device. For mobile devices running Android 10 or later, Kaspersky Endpoint Security for Android uses the SSAID (Android ID) or a checksum of other data received from the device. For earlier versions of Android, the app uses the IMEI. You can configure the device name format in the group policy.

In SOTI MobiControl, you can use the %DEVICENAME% macro in the KscDeviceName field. This macro allows you to automatically pass the device name from the SOTI MobiControl console to Kaspersky Security Center.

You can also add a tag to the device name. This makes it easier to find and sort devices in Kaspersky Security Center. The tag is available only for VMware AirWatch.

To add the tag to the device name:

  1. In the EMM Console, open the settings of the Kaspersky Endpoint Security for Android app.
  2. In the KscDeviceNameTag field, select the values:
    • {DeviceSerialNumber} – Serial number of the device.
    • {DeviceUid} – Unique device identifier (UDID).
    • {DeviceAssetNumber} – Device asset number. This number is created internally from within your organization.

    We recommend using only these values. VMware AirWatch supports other values, but Kaspersky Endpoint Security cannot guarantee that these values work.

You can add several values (for example, {DeviceSerialNumber} {DeviceUid}). The tag will be added to the device name in Kaspersky Security Center. A space separates the tag and the device name. For example, if the device name is Google Pixel 2 a10c6b75f7b31de9 22:7D:78:9E:C5:1E, then 22:7D:78:9E:C5:1E is the UDID tag. If you use Kaspersky Security Center and VMware AirWatch, the tag allows you to identify devices in both consoles. To match the device, select the same values for the device name (for example, the serial number of the device).

After the device is connected to Kaspersky Security Center, the app settings will be changed according to the group policy. Kaspersky Endpoint Security for Android ignores the app settings from the configuration file that was configured in the EMM Console. You can configure all sections of the policy except the following sections:

  • Anti-Theft (Device lock)
  • Device management (Screen lock)
  • App Control (Block forbidden apps)
  • Android work profile
  • Manage Samsung KNOX

Due to the method used to deploy a work profile, you cannot apply group policy settings from the Android work profile section. These settings can be applied only if the work profile was created using Kaspersky Security Center.


AppConfig File

A configuration file is generated to configure the app in an EMM Console. The app settings in the configuration file are presented in the table below.

Configuration file settings

Columns, in the order used for each setting below: Configuration key, Description, Type, Value, Default value.

LicenseActivationCode

App activation code

String

App activation code consisting of 20 Latin letters and numerals. To activate the app with an activation code, you need internet access to connect to Kaspersky activation servers.

If you leave the field blank, the app will be activated with a trial license. The trial license is valid for 30 days. When the trial license expires, all features of the Kaspersky Endpoint Security for Android mobile app are disabled. To continue using the app, you must purchase a commercial license.

 

EulaAcceptanceConfirmationV1

<License Agreement link>

Choice

This setting is available only for VMware AirWatch.

Accepted – I confirm that I have fully read, understand, and accept the terms and conditions of this End User License Agreement.

Declined – I do not accept the terms and conditions of this End User License Agreement (EULA).

To accept the terms and conditions of the EULA for all mobile devices, you need internet access to connect to Kaspersky servers.

If you chose Declined, the app will ask the user to accept the terms and conditions of the EULA. Mobile device users can accept the conditions in the Initial Configuration Wizard.

 

EulaAcceptanceCodeV1

License Agreement code

String

These settings are available only for VMware AirWatch.

Use EulaAcceptanceCodeV1 if you want to accept a single End User License Agreement (EULA). Use EulaAcceptanceCodesV2 if you want to accept several EULAs at the same time. The EulaAcceptanceCodesV2 field must contain a semicolon-separated list of EULA codes: "<EULAid1>;<EULAid2>;<EULAid3>;...".

License Agreement code is contained in the End User License Agreement.

To find the License Agreement code:

  1. Copy the License Agreement link (EulaAcceptanceConfirmationV1) from the EMM Console.
  2. Paste the link into the browser.

    The End User License Agreement (EULA) opens.

  3. Read the terms and conditions of this EULA and find the License Agreement code.

    To accept the terms and conditions of the EULAs for all mobile devices, you need internet access to connect to Kaspersky servers.

If you leave the fields blank, the app will ask the user to accept the terms and conditions of the EULAs. Mobile device users can accept the conditions in the Initial Configuration Wizard.

If you specify the values of both fields, the terms and conditions of all EULAs specified in them will be accepted.

 

EulaAcceptanceCodesV2

License Agreement codes

String

 

KscServer

Kaspersky Security Center Administration Server address and port

String

DNS name or IP address of the Kaspersky Security Center Administration Server and port number. Enter the address as follows: <server address>:<port>. If you enter the server address without specifying the port, the app will use the default port 13292.

<server address>:13292

DisableNotification

Disable app notifications before connecting to Kaspersky Security Center

Boolean

True – Kaspersky Endpoint Security for Android hides all app notifications. Kaspersky Endpoint Security for Android hides notifications until the device connects to Kaspersky Security Center. After connecting, the app shows all notifications. You can disable certain app notifications in the policy settings.

Do not disable app notifications if you do not use Kaspersky Security Center. This could cause a user to miss receiving notifications about a license expiration. In this case, the app would stop performing its functions.

False – Kaspersky Endpoint Security for Android shows all app notifications.

False

ScanScheduleType

Scan run mode

Choice

AfterUpdate – Start a virus scan after a database update. The app updates anti-virus databases according to the defined schedule (UpdateScheduleType).

Daily – Start a virus scan once a day. Configure the scan start time (ScanScheduleTime).

Weekly – Start a virus scan once a week. Select the day of the week to start a virus scan (ScanScheduleDay) and configure the time (ScanScheduleTime).

Off – Autostart of a virus scan is disabled.

Irrespective of which value is set, the device user can manually start a virus scan.

AfterUpdate

ScanScheduleDay

Day of scan

Choice

Monday / Tuesday / Wednesday / Thursday / Friday / Saturday / Sunday

You can select only one value for this setting.

Monday

ScanScheduleTime

Time of scan

String

The time can be indicated in 24-hour format (for example, 13:00) or 12-hour format (for example, 10:30 P.M.).

8:00

ScanScheduleLock

Block configuration of the scan run mode

Boolean

True – The user cannot access the virus scan run mode settings within the app settings.

False – The user can configure the virus scan run mode and, for example, disable autostart of a virus scan.

True

ScanOnlyExecutableFiles

Types of files to scan (Virus Scan)

Choice

AllFiles – Scan all files.

OnlyExecutables – Scan only executable files. Executable files are files with the .apk (.zip), .dex, or .so extension.

In Kaspersky Endpoint Security for Android Service Pack 4 Maintenance Release 1, you cannot enable scanning of executable files only.

AllFiles

ScanArchives

Scan archives with unpacking

Boolean

True – The app unpacks archives and scans their contents.

False – The app scans only the archive files.

The app scans only archives with the .zip (.apk) extension.

In Kaspersky Endpoint Security for Android Service Pack 4 Maintenance Release 1, you cannot disable scanning of contents of archives.

True

ScanActionOnThreatFound

Action on threat detection (Virus Scan)

Choice

Quarantine – The app puts detected objects in Quarantine. Quarantine stores files as archives, so they cannot harm the device. The Quarantine lets you delete or restore the files that were moved to isolated storage.

Delete – The app deletes the detected objects.

Skip – The app leaves the detected objects unchanged. If the detected objects have been skipped, Kaspersky Endpoint Security for Android warns the user about problems in device protection. When there is an attempt to access an object on the device (such as an attempt to copy or open it), the app blocks access to the object.

AskUser – The app prompts the user to select an action for each detected object: skip, quarantine, or delete. When multiple objects are detected, the user can apply a selected action to all objects.

Information about detected threats and the actions taken on them is logged in app reports.

Quarantine

ScanLock

Block configuration of scan settings

Boolean

True – The following scan settings cannot be accessed by the user in the app settings: the type of files to scan, scanning of archives, and the action to take when a threat is detected.

False – The user can configure scan settings and, for example, select the Skip action for detected threats.

True

ScanAndProtectionAdwareRiskware

Block adware, autodialers, and apps that can be used by criminals to cause harm to the user's device and data

Boolean

True – The app detects adware and other apps that can be used by criminals to cause harm to the user's device and data.

False – The app skips adware and other apps that can be used by criminals to cause harm to the user's device and data.

True

ProtectionMode

Real-time protection mode

Choice

Recommended – The app only scans new apps once, immediately after they have been installed, as well as files from the Downloads folder.

Extended – The app scans all files that the user opens, modifies, copies, runs and saves on the device. The app also scans new apps and files from the Downloads folder.

Disabled – Real-time protection is disabled.

Recommended

UseKsnMode

Kaspersky Security Network mode

Choice

Recommended – The app exchanges data with Kaspersky Security Network (KSN). Kaspersky Endpoint Security for Android uses KSN for real-time protection of the device against threats (Cloud Protection) and the operation of Web Protection on the internet.

Extended – The app exchanges data with Kaspersky Security Network and also sends the Virus Laboratory certain performance statistics from Kaspersky Endpoint Security for Android. This information makes it possible to keep track of threats in real time. No personal data is collected, processed, or stored by KSN services.

Disabled – The app does not use data from Kaspersky Security Network. You cannot enable Web Protection (EnableWebFilter). The Cloud Protection component is not available for Anti-Virus.

Recommended

ProtectScanOnlyExecutableFiles

Types of files to scan (Real-time Protection)

Boolean

AllFiles – Scan all files.

OnlyExecutables – Scan only executable files. Executable files are files with the .apk (.zip), .dex, or .so extension.

In Kaspersky Endpoint Security for Android Service Pack 4 Maintenance Release 1, you cannot enable scanning of executable files only.

AllFiles

ProtectionActionOnThreatFound

Action on threat detection (Real-time Protection)

Choice

Quarantine – The app puts detected objects in Quarantine. Quarantine stores files as archives, so they cannot harm the device. Quarantine lets you delete or restore the files that were moved to isolated storage.

Delete – The app deletes detected objects.

Skip – The app leaves the detected objects unchanged. If the detected objects have been skipped, Kaspersky Endpoint Security for Android warns the user about problems in device protection. When an attempt is made to access an object on the device (such as an attempt to copy or open it), the app blocks access to the object.

Information about detected threats and the actions taken on them is logged in app reports.

Quarantine

ProtectionLock

Block configuration of real-time protection settings

Boolean

True – The following real-time protection settings cannot be accessed by the user in the app settings: real-time protection mode, types of files to scan, and the action to take when a threat is detected.

False – The user can configure real-time protection settings and, for example, can select the Skip action for detected threats.

True

UpdateScheduleType

Databases update run mode

Choice

Daily – Check for new anti-virus databases and download them to devices once a day. Configure the database update start time (UpdateScheduleTime).

Weekly – Check for new anti-virus databases and download them to devices once a week. Select the day of the week to start a database update (UpdateScheduleDay) and configure the time (UpdateScheduleTime).

Off – Automatic update of antivirus databases is disabled.

Irrespective of which value is set, the device user can manually start an update of anti-virus databases.

Daily

UpdateScheduleDay

Day to start a database update

Choice

Monday / Tuesday / Wednesday / Thursday / Friday / Saturday / Sunday

You can select only one value for this setting.

Monday

UpdateScheduleTime

Database update start time

String

The time can be indicated in 24-hour format (for example, 13:00) or 12-hour format (for example, 10:30 P.M.).

8:00

UpdateScheduleLock

Block configuration of the database update run mode

Boolean

True – The user cannot access the database update run mode settings within the app settings.

False – The user can configure the database update run mode and, for example, disable autostart of anti-virus database updates.

True

AllowUpdateInRoaming

Update databases in roaming

Boolean

True – The app downloads anti-virus databases if the device is in the roaming zone. The app downloads anti-virus databases according to the defined schedule (UpdateScheduleType).

False – The app downloads anti-virus databases only if the device is in the home network.

False

EnableWebFilter

Web Protection

Boolean

True – The app uses the Web Protection component to block malicious and phishing websites on the internet. Web Protection supports Google Chrome only.

Malicious and phishing websites using the HTTPS protocol are allowed to remain unblocked if the domain is trusted. If the domain is untrusted, Web Protection blocks malicious and phishing websites.

False – Protection against malicious and phishing websites is disabled.

For the Web Protection component to work, the following conditions must be met:

  • Device users accept the Privacy Policy and the Web Protection Statement in the Initial Configuration Wizard or app settings.
  • A proxy server is configured in the browser settings:

    ProxyMode = "fixed_servers"

    ProxyServer = "127.0.0.1:3128"

    DisableSpdy = true

    DataCompressionProxyEnabled = false

    Proxy server configuration may vary depending on the Google Chrome version. For more details about configuring Google Chrome, visit the Chromium project website.

    After the Kaspersky Endpoint Security for Android app is removed from the mobile device, reset the proxy server settings.

  • Use of KSN is enabled in the app settings: UseKsnMode = Recommended or UseKsnMode = Extended.
  • It is recommended to select Google Chrome as the default browser in the operating system settings.

False

EnableWebFilterLock

Block configuration of Web Protection

Boolean

True – The user cannot access Web Protection settings within the app settings.

False – The user can configure Web Protection settings and, for example, disable protection against malicious and phishing websites on the internet.

True

UpdateServer

Database update source server address

String

Address of the server hosting the database updates, for example, http://update.server.com.

If you leave the field blank, Kaspersky Endpoint Security for Android uses the Kaspersky database update servers.

 

AllowGoogleAnalytics

Submit data to the Google Analytics for Firebase, SafetyNet Attestation, Firebase Performance Monitoring, and Crashlytics services

Boolean

True – The app automatically submits Kaspersky Endpoint Security for Android operating data to the Google Analytics for Firebase, SafetyNet Attestation, Firebase Performance Monitoring, and Crashlytics services. This data is necessary in order to improve the performance of the app and to analyze user satisfaction. Data is transferred to the Google Analytics for Firebase, SafetyNet Attestation, Firebase Performance Monitoring, and Crashlytics services over a secure connection. Access to and protection of data is regulated by the relevant terms of use of the Google Analytics for Firebase, SafetyNet Attestation, Firebase Performance Monitoring, and Crashlytics services.

False – Submission of data to the Google Analytics for Firebase, SafetyNet Attestation, Firebase Performance Monitoring, and Crashlytics services is disabled.

True

KscDeviceNameTag

Device Name Tag for Kaspersky Security Center

String

This setting is available only for VMware AirWatch.

The tag will be added to the device name in Kaspersky Security Center. A space separates the tag and the device name. This makes it easier to find and sort devices in Kaspersky Security Center.

  • {DeviceSerialNumber} – Serial number of the device.
  • {DeviceUid} – Unique device identifier (UDID).
  • {DeviceAssetNumber} – Device asset number. This number is created internally within your organization.

You can add several values (for example, {DeviceSerialNumber} {DeviceUid}).

We recommend using only these values. VMware AirWatch supports other values, but Kaspersky Endpoint Security cannot guarantee that these values work.

 

KscGroup

Device group name

String

You can specify device groups in an EMM console. When a device is connected to Kaspersky Security Center, it will be automatically added to a subfolder of the Unassigned devices folder. The name of the subfolder will match the group name specified in this parameter. You can then create rules for automatically moving devices from subfolders of the Unassigned devices folder to administration groups in the Managed devices folder.

If you leave the field blank, the device will be automatically added to the root of the Unassigned devices folder.

KES10

KscCorporateEmail

User's corporate email

String

You can specify users' corporate email addresses in an EMM console. These emails will be displayed in Kaspersky Security Center.

The string must be a valid email address. Other values are ignored.

 

KscDeviceName

Device name in Kaspersky Security Center

String

This setting is available only for SOTI MobiControl.

You can specify the device name displayed in Kaspersky Security Center. You can type any name or use the %DEVICENAME% macro to automatically get the device name from the SOTI MobiControl console. If you leave the field blank, the device name will be generated according to the format specified in the Kaspersky Security Center group policy.
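
A pre-deployment check for the settings in the table above, as an added example (not Kaspersky's code): it applies the documented defaults and flags the combinations the table warns about. The function names, severity labels and sample values are assumptions, and it assumes the EMM configuration is available as a flat dict with Python booleans.

```python
import re

KSC_DEFAULT_PORT = 13292
# Defaults copied from the "Default value" column of the table above.
DEFAULTS = {
    "DisableNotification": False, "ScanScheduleType": "AfterUpdate",
    "ScanScheduleLock": True, "ScanActionOnThreatFound": "Quarantine",
    "ScanLock": True, "ProtectionMode": "Recommended",
    "UseKsnMode": "Recommended", "ProtectionActionOnThreatFound": "Quarantine",
    "ProtectionLock": True, "UpdateScheduleType": "Daily",
    "UpdateScheduleLock": True, "EnableWebFilter": False,
    "EnableWebFilterLock": True,
}
# Allowed values copied from the "Value" column.
CHOICES = {
    "ScanScheduleType": {"AfterUpdate", "Daily", "Weekly", "Off"},
    "ScanActionOnThreatFound": {"Quarantine", "Delete", "Skip", "AskUser"},
    "ProtectionMode": {"Recommended", "Extended", "Disabled"},
    "UseKsnMode": {"Recommended", "Extended", "Disabled"},
    "ProtectionActionOnThreatFound": {"Quarantine", "Delete", "Skip"},
    "UpdateScheduleType": {"Daily", "Weekly", "Off"},
}
LOCKS = ("ScanScheduleLock", "ScanLock", "ProtectionLock",
         "UpdateScheduleLock", "EnableWebFilterLock")


def parse_ksc_server(value):
    """Split '<server address>:<port>' (DNS name or IPv4); no port means 13292."""
    host, sep, port = value.strip().rpartition(":")
    if not sep:
        return value.strip(), KSC_DEFAULT_PORT
    if not host or not port.isdecimal() or not 0 < int(port) < 65536:
        raise ValueError(f"bad KscServer value: {value!r}")
    return host, int(port)


def lint(cfg):
    """Return (severity, key, message) findings for an AppConfig dict."""
    eff = {**DEFAULTS, **cfg}          # effective settings after defaults
    findings = []

    def add(sev, key, msg):
        findings.append((sev, key, msg))

    for key, allowed in CHOICES.items():
        if eff[key] not in allowed:
            add("error", key, f"{eff[key]!r} is not one of {sorted(allowed)}")

    code = cfg.get("LicenseActivationCode", "")
    if not code:
        add("warn", "LicenseActivationCode",
            "blank: trial license, all features disabled after 30 days")
    # Assumption: hyphen group separators, if present, are not counted.
    elif not re.fullmatch(r"[A-Za-z0-9]{20}", code.replace("-", "")):
        add("error", "LicenseActivationCode", "expected 20 Latin letters and numerals")

    ksc = cfg.get("KscServer", "")
    if ksc:
        try:
            parse_ksc_server(ksc)
        except ValueError as exc:
            add("error", "KscServer", str(exc))
    elif eff["DisableNotification"]:
        add("high", "DisableNotification",
            "notifications hidden without Kaspersky Security Center: "
            "the user never sees the license-expiry notice")

    if eff["EnableWebFilter"] and eff["UseKsnMode"] == "Disabled":
        add("error", "EnableWebFilter",
            "Web Protection requires UseKsnMode Recommended or Extended")
    if eff["ProtectionMode"] == "Disabled":
        add("high", "ProtectionMode", "real-time protection is disabled")
    if eff["UpdateScheduleType"] == "Off":
        add("warn", "UpdateScheduleType", "automatic database updates are disabled")
    for key in ("ScanActionOnThreatFound", "ProtectionActionOnThreatFound"):
        if eff[key] == "Skip":
            add("warn", key, "detected objects are left unchanged")
    for key in LOCKS:
        if eff[key] is False:
            add("warn", key, "the user can change or disable these settings")
    return findings


# Constructed samples: an EMM-only deployment with weak settings, and a clean one.
SAMPLE_WEAK = {"DisableNotification": True, "UseKsnMode": "Disabled",
               "EnableWebFilter": True, "ProtectionLock": False,
               "ProtectionActionOnThreatFound": "Skip"}
SAMPLE_OK = {"LicenseActivationCode": "ABCDE-12345-FGHIJ-67890",  # placeholder
             "KscServer": "ksc.example.com", "EnableWebFilter": True}

if __name__ == "__main__":
    for sev, key, msg in lint(SAMPLE_WEAK):
        print(f"{sev:5} {key}: {msg}")
```
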

 
