Kaspersky Secure Mobility Management

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Device owner mode

This section contains information about how to manage the settings of Android mobile devices in device owner mode. For information about device owner mode deployment, see here.

Device owner mode offers the following features and control options for Android mobile devices:

In this section

Restricting Android features on devices

Managing Google Chrome settings

Configuring Kiosk mode

Managing Exchange ActiveSync for Gmail

Connecting to an NDES/SCEP server

Restricting Android features on devices

You can restrict Android operating system features in device owner mode. For example, you can restrict factory reset, changing credentials, use of Google Play and Google Chrome, file transfer over USB, and changing location settings. You can also manage system updates.

You can restrict Android features in the Feature restrictions section.

To open the Feature restrictions section:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.
  4. In the policy Properties window, select the Device owner mode > Feature restrictions section.

Restrict device features

On the Device Features tab of the Feature restrictions section, you can enable or disable the following features:

  • Prohibit factory reset

    Selecting or clearing this check box specifies whether the device user is allowed to perform a factory reset from device settings.

    This check box is cleared by default.

  • Prohibit screen capture

    Selecting or clearing this check box specifies whether the device user is allowed to take screenshots or capture the device screen.

    This check box is cleared by default.

  • Prohibit outgoing phone calls

    Selecting or clearing this check box specifies whether the device user is allowed to make outgoing phone calls on this device.

    This check box is cleared by default.

  • Prohibit sending and receiving SMS messages

    Selecting or clearing this check box specifies whether the device user is allowed to send and receive SMS messages on this device.

    This check box is cleared by default.

  • Prohibit changing credentials

    Selecting or clearing this check box specifies whether the device user is allowed to change user credentials in the operating system.

    This check box is cleared by default.

  • Prohibit status bar (Android 6.0 or later)

    Preventing the status bar from being displayed.

    If the check box is selected, the status bar is not displayed on the device. Notifications and quick settings accessible via the status bar are also blocked.

    If the check box is cleared, the status bar can be displayed on the device.

    The restriction is supported on devices with Android 6.0 or later.

    This check box is cleared by default.

  • Prohibit safe boot (Android 6.0 or later)

    Selecting or clearing this check box specifies whether the device user is allowed to boot the device in safe mode.

    The restriction is supported on devices with Android 6.0 or later.

    This check box is cleared by default.

  • Force screen on when plugged in to AC charger (Android 6.0 or later)

    Selecting or clearing this check box specifies whether the device screen will be on while the device is charging with an AC charger.

    The restriction is supported on devices with Android 6.0 or later.

    This check box is cleared by default.

  • Force screen on when plugged in to USB charger (Android 6.0 or later)

    Selecting or clearing this check box specifies whether the device screen will be on while the device is charging via a USB charger.

    The restriction is supported on devices with Android 6.0 or later.

    This check box is cleared by default.

  • Force screen on when plugged in to wireless charger (Android 6.0 or later)

    Selecting or clearing this check box specifies whether the device screen will be on while the device is charging via a wireless charger.

    The restriction is supported on devices with Android 6.0 or later.

    This check box is cleared by default.

Restrict app features

On the Apps tab of the Feature restrictions section, you can enable or disable the following features:

  • Prohibit use of camera

    Selecting or clearing the check box specifies whether the device user is allowed to use all cameras on the device.

    This check box is cleared by default.

  • Prohibit camera toggle (Android 12.0 or later)

    Preventing the device user from toggling the camera.

    If the check box is selected, the device user cannot block the camera access via the system toggle.

    If the check box is cleared, the device user is allowed to use the camera toggle.

    The restriction is supported on devices with Android 12.0 or later.

    This check box is cleared by default.

  • Prohibit use of Google Play

    Selecting or clearing the check box specifies whether the device user is allowed to use Google Play.

    This check box is cleared by default.

  • Prohibit use of Google Chrome

    Preventing use of Google Chrome.

    If the check box is selected, the device user cannot start Google Chrome or configure it in system settings.

    If the check box is cleared, the device user is allowed to use Google Chrome on the device.

    The check box is cleared by default.

  • Prohibit use of Google Assistant

    Selecting or clearing the check box specifies whether the device user is allowed to use Google Assistant on the device.

    This check box is cleared by default.

  • Prohibit installation of apps from unknown sources

    Selecting or clearing the check box specifies whether the device user is allowed to install apps from unknown sources.

    This check box is cleared by default.

  • Prohibit modification of apps in Settings

    Preventing modifying apps in Settings.

    If the check box is selected, the device user is not allowed to perform the following actions:

    • Uninstalling apps
    • Disabling apps
    • Clearing app caches
    • Clearing app data
    • Force stopping apps
    • Clearing app defaults

    If the check box is cleared, the device user is allowed to modify apps in Settings.

    This check box is cleared by default.

  • Prohibit installation of apps

    Selecting or clearing the check box specifies whether the device user is allowed to install apps on the device.

    This check box is cleared by default.

  • Prohibit uninstallation of apps

    Selecting or clearing the check box specifies whether a device user is allowed to uninstall apps from this device.

    This check box is cleared by default.

  • Prohibit disabling app verification

    Selecting or clearing the check box specifies whether the device user is allowed to disable app verification.

    This check box is cleared by default.

Restrict storage features

On the Storage tab of the Feature restrictions section, you can enable or disable the following features:

  • Prohibit debugging features

    Preventing use of debugging features.

    If the check box is selected, the device user cannot use USB debugging features and developer mode.

    If the check box is cleared, the device user is allowed to enable and access debugging features and developer mode.

    This check box is cleared by default.

  • Prohibit mounting physical external media

    Selecting or clearing the check box specifies whether the device user is allowed to mount physical external media, such as SD cards and OTG adapters.

    This check box is cleared by default.

  • Prohibit file transfer over USB

    Selecting or clearing this check box specifies whether the device user is allowed to transfer files over USB.

    This check box is cleared by default.

  • Prohibit backup service (Android 8.0 or later)

    Selecting or clearing the check box specifies whether the device user is allowed to enable or disable the backup service.

    The restriction is supported on devices with Android 8.0 or later.

    This check box is cleared by default.

Restrict network features

On the Network tab of the Feature restrictions section, you can enable or disable the following features:

  • Prohibit use of Wi-Fi

    Selecting or clearing the check box specifies whether the device user is allowed to use Wi-Fi and configure it in Settings.

    This check box is cleared by default.

  • Prohibit use of Bluetooth (Android 8.0 or later)

    Preventing use of Bluetooth.

    If the check box is selected, the device user cannot turn on and configure Bluetooth via Settings.

    If the check box is cleared, the device user is allowed to use Bluetooth.

    The restriction is supported on devices with Android 8.0 and later. For earlier versions of Android, select the Prohibit use of Bluetooth check box in the Device Management section.

    This check box is cleared by default.

  • Prohibit changing Wi-Fi settings

    Selecting or clearing the check box specifies whether the device user is allowed to configure Wi-Fi access points via Settings. The restriction does not affect Wi-Fi tethering settings.

    This check box is cleared by default.

  • Prohibit changing pre-configured Wi-Fi networks

    Selecting or clearing the check box specifies whether the device user is allowed to change Wi-Fi configurations added by the administrator in the Wi-Fi section.

    This check box is cleared by default.

  • Prohibit changing Bluetooth settings

    Selecting or clearing the check box specifies whether the device user is allowed to configure Bluetooth via Settings.

    This check box is cleared by default.

  • Prohibit changing VPN settings

    Preventing changing VPN settings.

    If the check box is selected, the device user cannot configure a VPN in Settings and VPNs are prohibited from starting.

    If the check box is cleared, the device user is allowed to modify a VPN in Settings.

    This check box is cleared by default.

  • Prohibit changing mobile network settings

    Selecting or clearing the check box specifies whether the device user is allowed to change mobile network settings.

    This check box is cleared by default.

  • Prohibit use of Android Beam via NFC

    Selecting or clearing the check box specifies whether beaming out data from apps via NFC is allowed on the device. However, the device user can enable or disable NFC.

    This check box is cleared by default.

  • Prohibit use of tethering

    Selecting or clearing the check box specifies whether the device user is allowed to configure tethering and hotspots.

    This check box is cleared by default.

  • Prohibit outgoing data sharing over Bluetooth (Android 8.0 or later)

    Selecting or clearing the check box specifies whether outgoing Bluetooth data sharing is allowed on the device.

    The restriction is supported on devices with Android 8.0 or later.

    This check box is cleared by default.

Restrict location services

On the Location Services tab of the Feature restrictions section, you can configure the following settings:

  • Prohibit use of location

    Preventing turning location on and off.

    If the check box is selected, the device user cannot turn location on or off. Search in Anti-Theft mode becomes unavailable.

    If the check box is cleared, the device user can turn location on or off.

    This check box is cleared by default.

    If both the Prohibit use of location and Prohibit changing location settings (Android 9.0 and later) check boxes are selected, location is disabled and the device user cannot enable it.

  • Prohibit changing location settings (Android 9.0 or later)

    Preventing changing location settings.

    If the check box is selected, the device user cannot change location settings or disable location.

    If the check box is cleared, the device user can change location settings.

    The restriction is supported on devices with Android 9.0 or later.

    This check box is cleared by default.

    If both the Prohibit use of location and Prohibit changing location settings (Android 9.0 and later) check boxes are selected, location is disabled and the device user cannot enable it.

Restrict system updates

Managing update settings on mobile devices is vendor-specific. On some Android devices, the restriction on manual installation of operating system updates may work incorrectly.

On the Updates tab of the Feature restrictions section, you can configure the following settings:

  • Set system update policy

    Type of system update policy.

    If the check box is selected, one of the following system update policies is set:

    • Install updates automatically. Installs system updates immediately without user interaction. This option is selected by default.
    • Install updates during daily window. Installs system updates during a daily maintenance window without user interaction.

      The administrator also needs to set the start and end of the daily maintenance window in the Start time and End time fields respectively.

    • Postpone updates for 30 days. Postpones the installation of system updates for 30 days.

      After the specified period, the operating system prompts the device user to install the updates. The period is reset and starts again if a new system update is available.

    If the check box is cleared, a system update policy is not set.

    This check box is selected by default.

  • System update freeze periods (Android 9.0 and later)

    The System update freeze periods (Android 9.0 and later) block lets you set one or more freeze periods of up to 90 days during which system updates will not be installed on the device. When the device is in a freeze period, it behaves as follows:

    • The device does not receive any notifications about pending system updates.
    • System updates are not installed.
    • The device user cannot check for system updates manually.

    To add a freeze period, click Add period and enter the start and end of the freeze period in the Start time and End time fields respectively.

    Note: Each freeze period can be at most 90 days long, and the interval between adjacent freeze periods must be at least 60 days.

    The restriction is supported on devices with Android 9.0 and later.

    Managing update settings on mobile devices is vendor-specific. On some Android devices, the restriction on manual installation of operating system updates may work incorrectly.
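The two limits in the note above (a freeze period of at most 90 days, at least 60 days between adjacent periods) can be checked before the periods are entered in the policy. The following is an added example, not part of the product or its documentation. It assumes that each period is a (month, day) start and end pair that repeats every year and may wrap past 31 December, that a non-leap year is used (29 February is rejected), and that the interval is counted as the unfrozen days between two periods; the function and constant names are hypothetical.

```python
from datetime import date

MAX_FREEZE_DAYS = 90   # from the page: a freeze period is at most 90 days long
MIN_GAP_DAYS = 60      # from the page: adjacent periods are at least 60 days apart
YEAR_DAYS = 365        # assumption: non-leap reference year


def day_of_year(month, day):
    """1-based day index in a non-leap year; raises ValueError for a bad date."""
    return date(2023, month, day).timetuple().tm_yday


def validate_freeze_periods(periods):
    """periods: list of ((month, day), (month, day)) start/end pairs, inclusive.

    Returns a list of problems found; an empty list means the plan satisfies
    both limits stated on the page.
    """
    problems, spans = [], []
    for start, end in periods:
        try:
            s, e = day_of_year(*start), day_of_year(*end)
        except ValueError:
            problems.append(f"{start}..{end}: not a valid month/day")
            continue
        # Inclusive length; the modulo handles a period that wraps the new year.
        length = (e - s) % YEAR_DAYS + 1
        if length > MAX_FREEZE_DAYS:
            problems.append(
                f"{start}..{end}: {length} days, limit is {MAX_FREEZE_DAYS}")
        spans.append((s, length, start, end))

    # Compare every period with the next one in calendar order. The last
    # period is compared with the first, because the periods repeat yearly.
    spans.sort()
    if len(spans) > 1:
        for i, (s1, len1, a_start, a_end) in enumerate(spans):
            s2, _, b_start, b_end = spans[(i + 1) % len(spans)]
            offset = (s2 - s1) % YEAR_DAYS      # days from start of A to start of B
            if offset < len1:
                problems.append(
                    f"{a_start}..{a_end} overlaps {b_start}..{b_end}")
            elif offset - len1 < MIN_GAP_DAYS:
                problems.append(
                    f"gap of {offset - len1} days between {a_end} and "
                    f"{b_start}, minimum is {MIN_GAP_DAYS}")
    return problems


# Constructed sample plan: a year-end freeze followed by a spring freeze
# that starts too soon after the first one ends.
CONSTRUCTED_PLAN = [((12, 1), (1, 15)), ((2, 20), (3, 31))]

if __name__ == "__main__":
    for line in validate_freeze_periods(CONSTRUCTED_PLAN) or ["plan is valid"]:
        print(line)
```
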

Managing Google Chrome settings

You can manage Google Chrome settings in the Google Chrome settings section in device owner mode.

To open the Google Chrome settings section:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.
  4. In the policy Properties window, select the Device owner mode > Google Chrome settings section.

Manage content settings

On the Content tab of the Google Chrome settings section, you can specify the following content settings:

  • Set default cookie settings

    Default cookie settings.

    If the check box is selected, one of the following options will be applied to all sites by default:

    • Allow all sites to set local data (default)
    • Do not allow any site to set local data
    • Keep cookies for duration of session

    If the check box is cleared, the user's personal settings will be applied.

    The setting is supported in Google Chrome version 30 or later.

    This check box is selected by default.

    The URL patterns that you specify in the Allow cookies on these sites, Block cookies on these sites, and Allow cookies on these sites for one session only fields must not conflict with each other. If no URL is specified and the Set default cookie settings check box is selected, the option selected in the drop-down list will be applied to all sites.

  • Allow cookies on these sites

    A list of sites that are allowed to set cookies. You can also set URL patterns, for example: [*.]example.com.

    The setting is supported in Google Chrome version 30 or later.

  • Block cookies on these sites

    A list of sites that are prohibited from setting cookies. You can also set URL patterns, for example: [*.]example.com.

    The setting is supported in Google Chrome version 30 or later.

  • Allow cookies on these sites for one session only

    A list of sites that are allowed to set cookies only for one session. You can also set URL patterns, for example: [*.]example.com.

    The setting is supported in Google Chrome version 30 or later.

  • Set default JavaScript settings

    Default JavaScript settings.

    If the check box is selected, one of the following options will be applied and the device user will not be able to change it:

    • Allow all sites to run JavaScript (default)
    • Do not allow any site to run JavaScript

    If the check box is cleared, the user's personal settings will be applied.

    The setting is supported in Google Chrome version 30 or later.

    This check box is cleared by default.

    If the Allow JavaScript on these sites and Block JavaScript on these sites settings are not specified and the Set default JavaScript settings check box is selected, the selected option will be applied to all sites.

  • Allow JavaScript on these sites

    A list of sites that are allowed to run JavaScript. You can also set URL patterns, for example: [*.]example.com.

    The setting is supported in Google Chrome version 30 or later.

    If the Allow JavaScript on these sites and Block JavaScript on these sites settings are not specified and the Set default JavaScript settings check box is selected, the selected option will be applied to all sites.

  • Block JavaScript on these sites

    A list of sites that are prohibited from running JavaScript. You can also set URL patterns, for example: [*.]example.com.

    The setting is supported in Google Chrome version 30 or later.

    If the Allow JavaScript on these sites and Block JavaScript on these sites settings are not specified and the Set default JavaScript settings check box is selected, the selected option will be applied to all sites.

  • Set default pop-up settings

    Default pop-up setting.

    If the check box is selected, one of the following options applies to pop-ups:

    • Allow all sites to show pop-ups. Lets all sites open pop-up windows. This value is selected by default.
    • Do not allow any site to show pop-ups. Prohibits all sites from opening pop-up windows.

    If the check box is cleared, pop-ups are blocked, but a device user can change this behavior in Settings.

    The setting is supported in Google Chrome version 33 or later.

    The check box is cleared by default.

    If the Allow pop-ups on these sites and Block pop-ups on these sites settings are not specified and the Set default pop-up settings check box is selected, the selected option will be applied to all sites.

  • Allow pop-ups on these sites

    A list of sites that are allowed to show pop-ups. You can also set URL patterns, for example: [*.]example.com.

    The setting is supported in Google Chrome version 34 or later.

    If the Allow pop-ups on these sites and Block pop-ups on these sites settings are not specified and the Set default pop-up settings check box is selected, the selected option will be applied to all sites.

  • Block pop-ups on these sites

    A list of sites that are prohibited from showing pop-ups. You can also set URL patterns, for example: [*.]example.com.

    The setting is supported in Google Chrome version 34 or later.

    If the Allow pop-ups on these sites and Block pop-ups on these sites settings are not specified and the Set default pop-up settings check box is selected, the selected option will be applied to all sites.

  • Set user location tracking settings

    The default geographic location settings.

    If the check box is selected, one of the following options will be applied to all sites by default:

    • Allow all sites to track location
    • Do not allow any site to track location
    • Ask whenever site wants to track location (default)

    If the check box is cleared, the user's personal settings will be applied.

    The setting is supported in Google Chrome version 30 or later.

    This check box is cleared by default.
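The cookie settings above require that the patterns in the Allow cookies on these sites, Block cookies on these sites, and Allow cookies on these sites for one session only fields do not conflict. The following added example (not part of the product or its documentation) checks three such lists before they are entered in the policy. It assumes host-only patterns with an optional [*.] prefix, reports the same pattern in two lists as a conflict, and reports a broader pattern in one list that covers a narrower pattern in another as an overlap to review; the page does not define what counts as a conflict, so this interpretation and all function names are assumptions.

```python
from itertools import combinations


def normalize(pattern):
    """Split a host pattern into (host, covers_subdomains)."""
    p = pattern.strip().lower()
    wildcard = p.startswith("[*.]")
    host = p[4:] if wildcard else p
    return host.rstrip("."), wildcard


def covers(a, b):
    """True if normalized pattern a matches every host that pattern b matches."""
    host_a, wild_a = a
    host_b, wild_b = b
    if host_a == host_b:
        # An exact host cannot cover a pattern that also includes subdomains.
        return wild_a or not wild_b
    # Only a [*.] pattern can cover a different host, and only a real
    # subdomain: "notexample.com" is not under "example.com".
    return wild_a and host_b.endswith("." + host_a)


def find_conflicts(lists):
    """lists: dict mapping a field name to its list of patterns.

    Returns tuples (kind, field_a, pattern_a, field_b, pattern_b) where kind
    is "conflict" (same pattern in two fields) or "overlap" (one pattern
    covers the other, so two fields apply to the same sites).
    """
    findings = []
    for (name_a, pats_a), (name_b, pats_b) in combinations(lists.items(), 2):
        for pa in pats_a:
            for pb in pats_b:
                na, nb = normalize(pa), normalize(pb)
                if na == nb:
                    findings.append(("conflict", name_a, pa, name_b, pb))
                elif covers(na, nb) or covers(nb, na):
                    findings.append(("overlap", name_a, pa, name_b, pb))
    return findings


# Constructed sample values for the three fields named on the page.
CONSTRUCTED_LISTS = {
    "Allow cookies on these sites": ["[*.]example.com", "intranet.example.org"],
    "Block cookies on these sites": ["ads.example.com", "[*.]EXAMPLE.com"],
    "Allow cookies on these sites for one session only": ["shop.example.net"],
}

if __name__ == "__main__":
    for kind, fa, pa, fb, pb in find_conflicts(CONSTRUCTED_LISTS):
        print(f"{kind}: '{pa}' in [{fa}] vs '{pb}' in [{fb}]")
```
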

Manage proxy settings

On the Proxy tab of the Google Chrome settings section, you can specify the following proxy settings:

  • Set proxy mode

    Proxy settings for Google Chrome and ARC-apps.

    If the check box is selected, one of the following options will be applied and the device user is prevented from changing proxy settings:

    • Never use proxy. Prohibits use of proxies and all other proxy settings are ignored. This option is selected by default.
    • Detect proxy settings automatically. Detects proxy settings automatically and all other options are ignored.
    • Use PAC file. Uses the proxy PAC file specified in the PAC file URL field.
    • Use fixed proxy servers. Uses the data specified in the Proxy server URL and Bypass list fields.
    • Use system proxy settings. Uses the system proxy settings.

    If the check box is cleared, the user's personal settings will be applied.

    The setting is supported in Google Chrome version 30 or later.

    This check box is selected by default.

  • Proxy server URL

    A URL of the proxy server.

    The setting is supported in Google Chrome version 30 or later.

  • PAC file URL

    A URL to a proxy .PAC file.

    The setting is supported in Google Chrome version 30 or later.

  • Bypass list

    A list of hosts for which the proxy will be bypassed.

    The setting is supported in Google Chrome version 30 or later.

Manage search settings

On the Search tab of the Google Chrome settings section, you can specify the following search settings:

  • Enable Touch to Search

    Selecting or clearing this check box specifies whether the device user is allowed to use Touch to Search and turn the feature on or off.

    The setting is supported in Google Chrome version 40 or later.

    This check box is selected by default.

  • Enable default search provider

    Default search provider settings.

    If the check box is selected, a default search provider is used when a user enters non-URL text in the address bar. The default search provider depends on search provider settings below this check box:

    • If you leave search provider settings empty, the device user can choose the search provider in the browser settings.
    • If you configure settings of the default search provider, this search provider is always used, and the device user can't choose the search provider in the browser.

    This check box is selected by default, but the default search provider settings are not configured.

    If you want to disable search in Google Chrome, we recommend that you leave the Enable default search provider check box selected and set the Search provider name parameter to the site of a non-search system. On some Google Chrome versions, there can be problems in Google Chrome operation if the check box is cleared.

    The setting is supported in Google Chrome version 30 or later.

    The default search provider parameters are:

    • Search provider name
    • Keyword
    • Search URL
    • Suggest URL
    • Icon URL
    • Encodings
    • Alternate URLs
    • Image URL
    • New tab URL
    • Parameters for search URL that uses POST
    • Parameters for suggest URL that uses POST
    • Parameters for image URL that uses POST

  • Search provider name

    The default search provider name.

    The setting is supported in Google Chrome version 30 or later.

  • Keyword

    A keyword or shortcut used in the address bar to trigger the search for the search provider.

    The setting is supported in Google Chrome version 30 or later.

  • Search URL

    The URL of the search engine used during default searches.

    The setting is supported in Google Chrome version 30 or later.

  • Suggest URL

    The URL of the search engine to provide search suggestions.

    The setting is supported in Google Chrome version 30 or later.

  • Icon URL

    The URL of the default search provider's favicon.

    The setting is supported in Google Chrome version 30 or later.

  • Encodings

    Character encodings supported by the search provider. The supported encodings are:

    • UTF-8
    • UTF-16
    • GB2312
    • ISO-8859-1

    The setting is supported in Google Chrome version 30 or later.

  • Alternate URLs

    A list of alternate URLs to retrieve search terms from the search engine.

    The setting is supported in Google Chrome version 30 or later.

  • Image URL

    The URL of the search engine used for image search.

    The setting is supported in Google Chrome version 30 or later.

  • New tab URL

    The URL of the search engine used to provide a New Tab page.

    The setting is supported in Google Chrome version 30 or later.

  • Parameters for search URL that uses POST

    URL parameters when searching a URL with the POST method. The parameters are comma-separated key-value pairs. If a value is a template parameter, for example, '{searchTerms}', it is replaced with real search terms. For example:

    q={searchTerms},ie=utf-8,oe=utf-8

    The setting is supported in Google Chrome version 30 or later.

  • Parameters for suggest URL that uses POST

    URL parameters for search suggestions using the POST method. The parameters are comma-separated key-value pairs. If a value is a template parameter, for example, '{searchTerms}', it is replaced with real search terms. For example:

    q={searchTerms},ie=utf-8,oe=utf-8

    The setting is supported in Google Chrome version 30 or later.

  • Parameters for image URL that uses POST

    URL parameters for image search using the POST method. The parameters are comma-separated key-value pairs. If a value is a template parameter, for example, '{imageThumbnail}', it is replaced with the real image thumbnail. For example:

    content={imageThumbnail},url={imageURL},sbisrc={SearchSource}

    The setting is supported in Google Chrome version 30 or later.

Manage password settings

On the Passwords tab of the Google Chrome settings section, you can specify the following password settings:

  • Enable saving passwords

    Selecting or clearing the check box specifies whether Google Chrome will remember the passwords the device user enters and also offer them the next time the device user signs in.

    The setting is supported in Google Chrome version 30 or later.

    This check box is selected by default.

Manage page settings

On the Pages tab of the Google Chrome settings section, you can specify the following page settings:

  • Enable alternate error pages

    Selecting or clearing this check box specifies whether Google Chrome is allowed to use built-in error pages, such as "Page not found".

    The setting is supported in Google Chrome version 30 or later.

    This check box is selected by default.

  • Enable AutoFill for addresses

    Autofill settings for addresses.

    If the check box is selected, the device user is allowed to manage AutoFill for addresses in the user interface.

    If the check box is cleared, AutoFill never suggests or fills in address information, nor does it save additional address information that the device user submits while browsing the web.

    The setting is supported in Google Chrome version 69 or later.

    This check box is selected by default.

  • Enable AutoFill for credit cards

    Autofill settings for credit cards.

    If the check box is selected, the device user is allowed to manage AutoFill suggestions for credit cards in the user interface.

    If the check box is cleared, AutoFill never suggests or fills in credit card information, nor does it save additional credit card information that the device user might submit while browsing the web.

    The setting is supported in Google Chrome version 63 or later.

    This check box is selected by default.

Manage other settings

On the Other tab of the Google Chrome settings section, you can specify the following settings:

  • Enable printing

    Selecting or clearing this check box specifies whether the device user is allowed to print in Google Chrome.

    The setting is supported in Google Chrome version 39 or later.

    This check box is selected by default.

  • Set Google Safe Browsing settings

    Google Safe Browsing protection level.

    If the check box is selected, the device user is allowed to manage the Google Safe Browsing settings in Google Chrome, as well as select the protection level. The protection levels are:

    • Google Safe Browsing is never active. Disables Google Safe Browsing completely.
    • Google Safe Browsing is active in standard mode. Makes Google Safe Browsing always enabled in standard protection mode. This option is selected by default.
    • Google Safe Browsing is active in enhanced mode. Makes Google Safe Browsing always enabled in enhanced protection mode, but device user browsing experience data will be sent to Google.

    If the check box is cleared, Google Safe Browsing will operate in standard protection mode and the device user is allowed to change Google Safe Browsing settings.

    The setting is supported in Google Chrome version 87 or later.

    This check box is selected by default.

  • Disable saving browser history

    Selecting or clearing this check box specifies whether browsing history is saved and tab syncing is on.

    The setting is supported in Google Chrome version 30 or later.

    This check box is cleared by default.

  • Disable proceeding from Google Safe Browsing warning page

    Selecting or clearing this check box specifies whether the device user is allowed to proceed to the flagged site from Google Safe Browsing warnings, such as malware and phishing warnings. The restriction does not apply to SSL certificate issues, such as invalid or expired certificates.

    The setting is supported in Google Chrome version 30 or later.

    This check box is cleared by default.

  • Enable network prediction

    Selecting or clearing this check box specifies whether Google Chrome will predict such network actions as DNS prefetching, TCP and SSL preconnection and prerendering of webpages.

    If the check box is cleared, network prediction is disabled, but the device user can enable it.

    The setting is supported in Google Chrome version 38 or later.

    This check box is cleared by default.

  • Force Google SafeSearch

    Selecting or clearing this check box specifies whether Google Search queries will be performed via Google SafeSearch.

    The setting is supported in Google Chrome version 41 or later.

    This check box is cleared by default.

  • Set Restricted Mode for YouTube

    Minimum required Restricted Mode level for YouTube.

    If the check box is selected, a minimum required Restricted Mode level for YouTube is set and the device user cannot pick a less restricted mode. Restricted mode levels are:

    • Do not enforce Restricted Mode. Specifies that Google Chrome does not force Restricted mode. However, external policies might still enforce Restricted mode. This option is selected by default.
    • Enforce at least Moderate Restricted Mode. Lets a device user enable the Moderate and Strict Restricted mode on YouTube, but prohibits turning Restricted mode off.
    • Enforce Strict Restricted Mode. Makes Strict Restricted mode on YouTube always active.

      If the check box is cleared, Google Chrome does not require use of Restricted mode for YouTube, but Restricted mode can be enforced by external rules, such as YouTube rules.

      The setting is supported in Google Chrome version 55 or later.

      This check box is selected by default.

  • Set availability of Incognito mode

    Availability of Incognito mode in Google Chrome.

    If the check box is selected, the admin can specify whether the device user is allowed to open pages in Incognito mode by selecting one of the following options:

    • Incognito mode is available (default)
    • Incognito mode is disabled

      If the check box is cleared, the device user cannot open pages in Incognito mode in Google Chrome.

      The setting is supported in Google Chrome version 30 or later.

      This check box is selected by default.

  • Enable search suggestions

    Selecting or clearing this check box specifies whether search suggestions are enabled in Google Chrome's address bar.

    The setting is supported in Google Chrome version 30 or later.

    This check box is selected by default.

  • Set Translate settings

    Enabling translation functionality.

    If the check box is selected, the administrator can set the following translation options:

    • Always offer translation. Shows the integrated translation toolbar and a translate option on the right-click context menu. This option is selected by default.
    • Never offer translation. Disables all built-in translation functionality.

      If the check box is cleared, the user's personal settings will be applied.

      The setting is supported in Google Chrome version 30 or later.

      This check box is cleared by default.

  • Enable bookmark editing

    Selecting or clearing this check box specifies whether the device user is allowed to add, remove, or modify bookmarks.

    The setting is supported in Google Chrome version 30 or later.

    This check box is selected by default.

  • Managed bookmarks

    An admin-managed list of bookmarks. Each entry in the list is a dictionary with the "name" and "url" keys, which hold the bookmark's name and target. You can also set up a subfolder with a "children" key, which holds its own list of bookmarks.

    By default, the folder name for managed bookmarks is "Managed bookmarks". You can change it by adding a new sub-dictionary. To do this, specify the "toplevel_name" key with the required folder name as its value.

    If you enter an incomplete URL as a bookmark's target, Google Chrome will substitute it with a URL as if it was submitted through the address bar. For example, "kaspersky.com" becomes "https://www.kaspersky.com".

    For example:

    "ManagedBookmarks": [{
        // Changes the default folder name
        "toplevel_name": "My managed bookmarks folder"
      },
      {
        // Adds a bookmark to the managed bookmarks folder
        "name": "Kaspersky",
        "url": "kaspersky.com"
      },
      {
        "name": "Kaspersky products",
        "children": [{
            "name": "Kaspersky Endpoint Security",
            "url": "kaspersky.com/enterprise-security/endpoint"
          },
          {
            "name": "Kaspersky Security for Mail Server",
            "url": "kaspersky.com/enterprise-security/mail-server-security"
          }
        ]
      }
    ]

    The setting is supported in Google Chrome version 37 or later.

  • Block access to these URLs

    A list of forbidden URLs. You can also set URL patterns, for example: [*.]example.com.

    The setting is supported in Google Chrome version 86 or later.

  • Allow access to these URLs (exceptions to blocked URLs)

    A list of URLs that are exceptions to the list specified in Block access to these URLs. You can also set URL patterns, for example: [*.]example.com.

    The setting is supported in Google Chrome version 86 or later.

  • Set minimum SSL version

    Minimum allowed SSL version.

    If the check box is selected, Google Chrome will not use SSL and TLS older than the selected version. Available versions are:

    • TLS 1.0 (default)
    • TLS 1.1
    • TLS 1.2

      If the check box is cleared, Google Chrome will report an error for TLS 1.0 and TLS 1.1 protocols, but the device user will be able to bypass it.

      The setting is supported in Google Chrome version 66 or later.

      This check box is cleared by default.
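
The following Python check for the Managed bookmarks setting described above is an added example, not part of the Kaspersky help or product. It parses a bookmarks list as strict JSON, lists every bookmark with its folder path, and reports entries that Chrome would have to complete like address-bar input. The strict-JSON sample, the two extra entries (Intranet, Broken entry), the function name and the non-HTTPS finding are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the list value from the page's example rewritten as
# strict JSON (no // comments), plus two constructed entries for the checks.
SAMPLE = """
[
  {"toplevel_name": "My managed bookmarks folder"},
  {"name": "Kaspersky", "url": "kaspersky.com"},
  {"name": "Kaspersky products", "children": [
    {"name": "Kaspersky Endpoint Security",
     "url": "kaspersky.com/enterprise-security/endpoint"},
    {"name": "Kaspersky Security for Mail Server",
     "url": "kaspersky.com/enterprise-security/mail-server-security"}
  ]},
  {"name": "Intranet", "url": "http://intranet.example/"},
  {"name": "Broken entry"}
]
"""

DEFAULT_FOLDER = "Managed bookmarks"  # default folder name given on the page


def check_managed_bookmarks(text):
    """Parse a ManagedBookmarks list; return (folder, bookmarks, findings)."""
    entries = json.loads(text)  # raises ValueError on // comments or bad syntax
    if not isinstance(entries, list):
        raise ValueError("ManagedBookmarks value must be a list")
    folder = DEFAULT_FOLDER
    for item in entries:
        if isinstance(item, dict) and isinstance(item.get("toplevel_name"), str):
            folder = item["toplevel_name"]
    bookmarks, findings = [], []

    def walk(items, path, depth):
        for item in items:
            if not isinstance(item, dict):
                findings.append((path, "entry is not a dictionary"))
            elif "toplevel_name" in item:
                if depth > 0:
                    findings.append((path, "toplevel_name inside a subfolder"))
            elif not isinstance(item.get("name"), str):
                findings.append((path, "entry has no name"))
            elif isinstance(item.get("children"), list):
                walk(item["children"], f"{path}/{item['name']}", depth + 1)
            elif isinstance(item.get("url"), str):
                name, url = item["name"], item["url"]
                bookmarks.append((path, name, url))
                # Trust urlsplit's scheme only when "://" is present, so that
                # "host:8080/x" is not read as a URL with the scheme "host".
                scheme = urlsplit(url).scheme.lower() if "://" in url else ""
                if not scheme:
                    findings.append((name, "no scheme, completed like address-bar input"))
                elif scheme != "https":
                    findings.append((name, f"non-HTTPS scheme '{scheme}'"))
            else:
                findings.append((item["name"], "neither url nor children"))

    walk(entries, folder, 0)
    return folder, bookmarks, findings


if __name__ == "__main__":
    folder, bookmarks, findings = check_managed_bookmarks(SAMPLE)
    print("Folder:", folder)
    for subject, problem in findings:
        print(f"  FINDING {subject}: {problem}")
```

Writing each target as a full https:// URL removes the dependence on how Chrome completes a partial address.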


Configuring Kiosk mode

Kiosk mode is a Kaspersky Endpoint Security for Android feature that lets you limit the set of apps available to a device user, whether a single app or multiple apps. You can also efficiently manage some device settings.

The kiosk mode settings apply to devices managed via Kaspersky Endpoint Security for Android in device owner mode.

Kiosk mode types

The following kiosk mode types are available in Kaspersky Endpoint Security:

  • Single-app mode - Kiosk mode with only a single app. In this mode, a device user can open only one app that is allowed on the device and specified in the kiosk mode settings.

    If the app that you want to add to kiosk mode is not installed on the device, kiosk mode activates after the app is installed.

    On devices with Android 9.0 or later, an app must support kiosk mode functionality and call the startLockTask() method itself to launch the app.

    On devices with Android 9.0 or earlier, the app launches directly in kiosk mode.

  • Multi-app mode - Kiosk mode with multiple apps. In this mode, a device user can open only the set of apps that are allowed on the device and specified in the kiosk mode settings.

Presettings

Pre-configuration for kiosk mode includes the following:

  • Before specifying apps that are allowed to be run on the device in kiosk mode, you must first add these apps in App Control > List of categories and apps and mark them as required. Then, they will appear in the App package list of the kiosk mode.

    Recently added required apps may not appear in the App package list. To view all added apps and select the app for single-app mode, you need to save and close the policy, and then reopen it. All added apps will appear in the list.

  • Before activating kiosk mode, we recommend that you prohibit launching of Google Assistant by enabling the corresponding restriction in Policy > Device owner mode > Feature restrictions > Apps > Prohibit use of Google Assistant. Otherwise, Google Assistant launches in kiosk mode and allows non-trusted apps to be opened.

Open the kiosk mode settings

To open the kiosk mode settings:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.
  4. In the policy Properties window, select the Device owner mode > Kiosk mode section.

Configure single-app mode

To configure single-app mode:

  1. In the Kiosk mode drop-down list, select Single-app mode.
  2. In the App package drop-down list, select an app package with the app that is allowed to be run on the device.
  3. Specify any required restrictions. For available restrictions, see Kiosk mode restrictions below.
  4. Select the Trusted apps check box if you want to add additional apps that are allowed on the device. To learn how to do this, see Add trusted apps below.
  5. Click the Apply button to save the changes you have made.

Configure multi-app mode

To configure multi-app mode:

  1. In the Kiosk mode drop-down list, select Multi-app mode.
  2. Click Add, select apps that are allowed to be run on the device, and then click OK.
  3. Specify any required restrictions. For available restrictions, see Kiosk mode restrictions below.
  4. Select the Allow navigation to trusted apps check box if you want to add additional apps that are allowed on the device. To learn how to do this, see Add trusted apps below.
  5. Click the Apply button to save the changes you have made.

Kiosk mode restrictions

You can set the following restrictions in kiosk mode:

  • Prohibit Overview button (Android 9.0 or later)

    Selecting or clearing this check box specifies whether the Overview button is hidden. This restriction is supported on devices with Android 9.0 or later.

    The check box is selected by default.

  • Prohibit Home button (Android 9.0 or later)

    Selecting or clearing this check box specifies whether the Home button is hidden. This restriction is supported on devices with Android 9.0 or later.

    The check box is selected by default.

  • Prohibit status bar (Android 9.0 or later)

    Selecting or clearing this check box specifies whether the status bar is shown blank, with notifications and indicators such as connectivity, battery, and sound and vibrate options hidden. This restriction is supported on devices with Android 9.0 or later.

    The check box is selected by default.

  • Prohibit displaying system notifications (Android 9.0 or later)

    Selecting or clearing this check box specifies whether system notifications are hidden. This restriction is supported on devices with Android 9.0 or later.

    The check box is selected by default.

  • Add Kaspersky Endpoint Security for Android as trusted app

    Selecting or clearing this check box specifies whether Kaspersky Endpoint Security for Android will be added to the list of trusted apps. This option is available if the Allow navigation to trusted apps check box is selected.

    The check box is selected by default.

Add trusted apps

Besides locking the device to a single app or set of apps, you can also add trusted apps that a device user can navigate to. To do this, in the Kiosk mode section:

  1. Select the Allow navigation to trusted apps check box. The Trusted Apps list appears.
  2. Click Add, select the desired app package name, and then click OK.
  3. Click the Apply button to save the changes you have made.

Managing Exchange ActiveSync for Gmail

You can manage Exchange ActiveSync settings for Gmail in device owner mode.

To open the Exchange ActiveSync section:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.
  4. In the policy Properties window, select the Device owner mode > Exchange ActiveSync section.
  5. Specify the following settings:
    • Exchange ActiveSync server address

      The Exchange ActiveSync email server URL. You don't need to use HTTP:// or HTTPS:// in front of the URL.

    • Force use of SSL

      Selecting or clearing this check box specifies whether SSL communication to the server port that you specified in the Exchange ActiveSync server address field will be used.

      The check box is selected by default.

    • Disable SSL certificate validation

      Selecting or clearing this check box specifies whether validation checks on SSL certificates used on Exchange ActiveSync servers will be performed. Performing a check is useful if certificates are self-signed.

      The check box is cleared by default.

    • Allow unmanaged accounts

      Selecting or clearing the check box specifies whether the device user is allowed to add other accounts to Gmail.

      The check box is selected by default.

    • Authentication type

      The authentication type used to verify a device user's email credentials. Possible values:

      • Modern token-based authentication. Uses a token-based identity management method. This value is selected by default.
      • Basic authentication. Prompts the device user for their password and stores it for future use.
    • Device ID

      A string used by Kaspersky Security Center proxy or a third-party gateway to identify the device and connect it to Exchange ActiveSync. You can either enter the value or select it from the Available macros drop-down list.

    • Username

      A username that will be used to pull the username from Microsoft Active Directory. It might be different from a user's email address. You can either enter the value or select it from the Available macros drop-down list.

    • Email address

      An email address that will be used to pull the user's email address from Microsoft Active Directory. You can either enter the value or select it from the Available macros drop-down list.

    • Available macros

      A macro that will be used to replace values in the corresponding fields. Possible values:

      • %email%. Specifies the email address of the user to whom the device is registered. The value is retrieved from a mobile certificate.
      • %email_domain%. Specifies the email address domain of the user to whom the device is registered. The value is retrieved from a mobile certificate.
      • %email_user_name%. Specifies the username from the email address to which the device is registered. The value is retrieved from a mobile certificate.
      • %user_name%. Specifies the username under which the device is registered. The value is retrieved from a mobile certificate.
      • %device_id%. Specifies the ID of the device.
      • %group_id%. Specifies the ID of the administration group to which the device belongs.
      • %device_platform%. Specifies the device platform.
      • %device_model%. Specifies the device model.
      • %os_version%. Specifies the operating system version on the device.
    • User certificate

      The string alias that represents a certificate with a private key. The certificate can be a user certificate for authentication to the Exchange ActiveSync servers.

    • Default synchronization interval

      The default time interval when the Exchange ActiveSync servers synchronize mail items to Gmail. Possible values:

      • 1 day
      • 3 days
      • 1 week (default)
      • 2 weeks
      • 1 month
    • Default email signature

      The default email signature that is automatically added at the bottom of emails.

  6. Click Apply to save the changes you have made.


Connecting to an NDES/SCEP server

You can configure a connection to an NDES/SCEP server to obtain a certificate from a certificate authority (CA) using Simple Certificate Enrollment Protocol (SCEP). To do this, you need to set up a connection to the CA using SCEP and specify a certificate profile.

To add a connection to a certificate authority and specify a certificate profile:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.
  4. In the policy Properties window, select the Device owner mode > NDES and SCEP section.
  5. In the Connection to certificate authority (CA) section, click Add.

    The Connection to certificate authority dialog appears.

  6. Specify the following settings, and then click OK:
    • Connection name

      A unique connection name.

    • Protocol type

      A protocol version. Possible values:

      • SCEP
      • NDES (default)
    • SCEP server URL

      The URL of the SCEP server.

      For NDES, the URL has the http://<ServerName>/certsrv/mscep/mscep.dll format.

    • Challenge phrase type

      A type of challenge phrase required for authentication. Possible values:

      • None - Does not require authentication data.
      • Static - Requires entering an authentication phrase in the Static challenge phrase field. This is the default value.
    • Static challenge phrase

      Specifies the authentication phrase that the device uses to authenticate to the server at the SCEP server URL when requesting the certificate.

  7. In the Certificate profiles section, click Add.

    The Certificate profile dialog appears.

  8. Specify the following certificate profile settings and click OK:
    • Profile name

      A unique certificate profile name.

    • Certificate authority (CA)

      A certificate authority that you created in the Connection to certificate authority (CA) section.

    • Subject name

      A unique identifier that is the subject of the certificate. It includes information about what is being certified, including common name, organization, organizational unit, country code, and so on. You can either enter the value or select it from the Available macros drop-down list.

    • Private key length

      A length of the certificate private key. Possible values:

      • 1024
      • 2048 (default)
      • 4096
    • Private key type

      A type of the certificate private key. Possible values:

      • Signature (default)
      • Encryption
      • Signature and encryption
    • Subject Alternative Names (SAN)

      An alternative name that represents the certificate subject name. You can specify multiple subject alternative names. To do this, click Add, and then specify the SAN type and SAN value options.

  9. Click Apply to save the changes you have made.

Manage connections and certificate profiles

You can later edit or remove the added connections and certificate profiles.

To edit a connection or certificate profile:

  1. Select the needed connection or certificate profile in the corresponding section.
  2. Click Edit, make the required changes, and click OK.
  3. Click Apply to save the changes you have made.

To remove a connection or certificate profile:

  1. Select the needed connection or certificate profile in the corresponding section.
  2. Click Delete, and then click OK.

    Note: If you remove a certificate authority connection, all certificate profiles that use this connection will also be removed.

  3. Click Apply to save the changes you have made.