Method of connecting to Kaspersky Security Center	Command	Result of command execution
Kaspersky Endpoint Security for Android	Lock	The mobile device is locked.
	Unlock	After unlocking the mobile device running Android 5.0 – 6.Х, the screen unlock password is reset to "1234". After unlocking a device running Android 7.0 or later, the screen unlock password is not changed.
	Locate device	The mobile device's location map coordinates are obtained. On devices running Android 12 or later, if the user granted the "Use approximate location" permission, the Kaspersky Endpoint Security for Android app first tries to get the precise device location. If this is not successful, the approximate device location is returned only if it was received not more than 30 minutes earlier. Otherwise, the Locate device command fails.
	Mugshot	The mobile device is locked. The mugshot photo is taken by the front camera of the device when somebody attempts to unlock the device. On devices with a pop-up front camera, the photo will be black if the camera is stowed. When attempting to unlock the device, the user automatically consents to the mugshot. If the permission to use the camera has been revoked, the mobile device displays a notification and prompts to provide the permission. On a mobile device running Android 12 or later, if the permission to use camera has been revoked via Quick Settings, the notification is not displayed but the photo taken is black.
	Alarm	The mobile device sounds an alarm. The alarm is sounded for 5 minutes (or for 1 minute if the device battery is low).
	Wipe corporate data	Containerized data, the corporate email account, settings for connecting to the corporate Wi-Fi network and VPN, Access Point Name (APN), Android work profile, KNOX container, and the KNOX License Manager key are wiped.
	Reset to factory settings	All data is deleted from the mobile device and the settings are rolled back to their factory values. After this command is executed, the device will not be able to receive or execute subsequent commands.
iOS MDM profile	Lock	The mobile device is locked.
	Reset password	The mobile device's screen unlock password is reset, and the user is prompted to set a new password in accordance with policy requirements.
	Wipe corporate data	All installed configuration profiles, provisioning profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile check box has been selected are removed from the device.
	Reset to factory settings	All data is deleted from the mobile device and the settings are rolled back to their factory values. After this command is executed, the device will not be able to receive or execute subsequent commands.

Special rights and permissions are required for the execution of commands of Kaspersky Endpoint Security for Android. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required rights and permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, it will be impossible to execute commands.

On devices running Android 10.0 or later, the user must grant the "All the time" permission to access the location. On devices running Android 11.0 or later, the user must also grant the "While using the app" permission to access camera. Otherwise, Anti-Theft commands will not function. The user will be notified of this limitation and will again be prompted to grant the permissions of required level. If the user selects the "Only this time" option for the camera permission, access is considered granted by the app. It is recommended to contact the user directly if the Camera permission is requested again.

For the complete list of available commands, please refer to Commands for mobile devices. To learn more about sending commands from Administration Console, please refer to Kaspersky Security Center help.

Page top

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Unlocking a mobile device

You can unlock a mobile device by using the following methods:

Send the mobile device unlock command.
Enter the one-time unlock code on the mobile device (only for Android devices).

On certain devices (for example, Huawei, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts. If the app is not added to the list, you can unlock the device only by using a one-time unlock code. You cannot use commands to unlock the device.

To learn more about sending commands from the list of mobile devices in Administration Console, please refer to Kaspersky Security Center help.

A one-time unlock code is a secret application code for unlocking the mobile device. The one-time code is generated by the application and is unique to each mobile device. You can change the length of the one-time code (4, 8 or 16 digits) in group policy settings in the Anti-Theft section.

To unlock the mobile device using a one-time code:

In the console tree, select Mobile Device Management → Mobile devices.
Select a mobile device for which you want to get a one-time unlock code.
Open the mobile device properties window by double-clicking.
Select Apps → Kaspersky Endpoint Security for Android.
Open the Kaspersky Endpoint Security properties window by double-clicking.
Select the Anti-Theft section.
A unique code for the selected device is shown in the One-time code field of the One-time device unlock code section.
Use any available method (such as email) to communicate the one-time code to the user of the locked device.
The user enters the one-time code on the screen of the device that is locked by Kaspersky Endpoint Security for Android.

The mobile device will be unlocked. After unlocking the mobile device running Android 5.0 – 6.Х, the screen unlock password is reset to "1234". After unlocking a device running Android 7.0 or later, the screen unlock password is not changed.

Page top

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Data encryption

To protect data against unauthorized access, you must enable encryption of all data on the device (for example, account credentials, external devices and apps, as well as email messages, SMS messages, contacts, photos, and other files). For access to encrypted data, you must specify a special key – device unlock password. If data is encrypted, access to it can be obtained only when the device is unlocked.

Data encryption is enabled by default on password-locked iOS devices (Settings → Touch ID / Face ID and Password → Enable Password).

To encrypt all data on an Android device:

Enable screen lock on the Android device (Settings → Security → Screen lock).
Set a device unlock password that is compliant with corporate security requirements.
It is not recommended to use a pattern lock for unlocking the device. On certain Android devices running Android 6.0 or later, after encrypting data and restarting the Android device, you must enter a numeric password to unlock the device instead of a pattern lock. This issue is related to the operation of the Accessibility Features service. To unlock the device screen in this case, convert the pattern lock into a numeric password. For more details about converting a pattern lock into a numeric password, please refer to the Technical Support website of the mobile device manufacturer.
Enable encryption of all data on the device (Settings → Security → Encrypt data).

Page top

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deleting data on Android devices after failed password entry attempts

You can configure deleting all data on an Android device (that is, resetting the device to factory settings) after the user makes too many failed attempts to enter the screen unlock password.

These settings apply to devices operating in device owner mode and to personal devices on which the Kaspersky Endpoint Security for Android app is enabled as a device administrator.

To configure wiping all data:

In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
In the workspace of the group, select the Policies tab.
Open the policy properties window by double-clicking any column.
In the policy Properties window, select the Anti-Theft section.
In the Data wipe on device section, select the Wipe all data after failed attempts to enter unlock password check box.
In the Maximum number of attempts to enter unlock password field, specify the number of attempts that the user can make to unlock the device. The default value is 8. The maximum available value is 20.
Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center. If the user exceeds the specified number of attempts to enter the correct screen unlock password, the Kaspersky Endpoint Security for Android app wipes all device data.

Page top

Kaspersky Secure Mobility Management

Contents

Protection of stolen or lost device data

Sending commands to a mobile device

Unlocking a mobile device

Data encryption

Deleting data on Android devices after failed password entry attempts