Kaspersky Secure Mobility Management

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring connection to a Wi-Fi network

This section provides instructions on how to configure automatic connection to a corporate Wi-Fi network on Android and iOS MDM devices.

In this section

Connecting Android devices to a Wi-Fi network

Connecting iOS MDM devices to a Wi-Fi network


Connecting Android devices to a Wi-Fi network

For an Android device to automatically connect to an available Wi-Fi network and protect data during the connection, you should configure the connection settings.

To connect the mobile device to a Wi-Fi network:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Wi-Fi section.
  5. In the Wi-Fi networks section, click Add.

    This opens the Wi-Fi network window.

  6. In the Service set identifier (SSID) field, enter the name of the Wi-Fi network that includes the access point (SSID).
  7. Select the Hidden network check box if you want the Wi-Fi network to be hidden in the list of available networks on the device. In this case, to connect to the network the user needs to manually enter the Service set identifier (SSID) specified in the settings of the Wi-Fi router on the mobile device.
  8. Select the Automatic connection to network check box if you want the device to connect to the Wi-Fi network automatically.
  9. In the Network protection section, select the type of Wi-Fi network security (open or secure network protected with the WEP, WPA/WPA2 PSK, or 802.1.x EAP protocol).

    The 802.1.x EAP security protocol is supported only in the Kaspersky Endpoint Security for Android app version 10.48.1.1 or later. The WEP protocol is supported only on Android 9 or earlier.

  10. If you selected the 802.1.x EAP security protocol, specify the following network protection settings:
    • EAP method

      Specifies an Extensible Authentication Protocol (EAP) method of network authentication. Possible values:

      • TLS (default)
      • PEAP
      • TTLS
    • Root certificate

      Specifies the root certificate to be used by the Wi-Fi network if the TLS EAP method is selected.

      You can specify a certificate in one of the following ways:

      • Select any available certificate from the drop-down list. It contains certificates previously added to the Root certificates section. On devices, these certificates are installed to a trusted certificate store.
      • Load a new certificate file (.cer, .pem, or .key) by clicking Browse. This certificate will not be added to the Root certificates section. On devices, the certificate will be used only for configuring this Wi-Fi network and will not be installed to a trusted certificate store.
    • Domain

      Specifies the constraint for the server domain name.

      If set, this Fully Qualified Domain Name (FQDN) is used as a suffix match requirement for the root certificate in SubjectAltName dNSName element(s). If a matching dNSName is found, this constraint is met.

      You can specify multiple match strings using semicolons to separate the strings. A match with any of the values is considered a sufficient match for the certificate (i.e., the OR operator is used).

      If you specify *, any root certificate is considered valid. This value is specified by default.

    • User certificate

      Specifies the user certificate to be used by the Wi-Fi network if the TLS EAP method is selected.

      The following values are available in the drop-down list:

      • None - The user certificate is not specified.
      • VPN certificate - The VPN certificate that was last added in the Mobile Device Management > Certificates section of the Kaspersky Security Center Administration Console and was installed on the user device. If you choose this option, but no VPN certificate is installed on the device, the user certificate is not used for this Wi-Fi network.
      • List of SCEP certificate profiles configured in the SCEP and NDES section and used to obtain certificates.
    • Type of two-factor authentication

      Specifies a two-factor authentication type. Possible values:

      • None (default)
      • MSCHAP
      • MSCHAPV2
      • GTC
    • User identity

      Specifies a user ID to be used if the TLS EAP method is selected. You can either enter the value or select it from the Available macros drop-down list.

    • Anonymous identity

      Specifies an anonymous identity that is different from User identity and is used if the PEAP method of network authentication is selected. You can either enter the value or select it from the Available macros drop-down list.

    • Available macros

      A macro that will be used to replace values in the corresponding fields. Possible values:

      • %email%. Specifies the email address of the user to whom the device is registered. The value is retrieved from a mobile certificate.
      • %email_domain%. Specifies the email address domain of the user to whom the device is registered. The value is retrieved from a mobile certificate.
      • %email_user_name%. Specifies the username from the email address to which the device is registered. The value is retrieved from a mobile certificate.
      • %user_name%. Specifies the username under which the device is registered. The value is retrieved from a mobile certificate.
      • %device_id%. Specifies the ID of the device.
      • %group_id%. Specifies the ID of the administration group to which the device belongs.
      • %device_platform%. Specifies the device platform.
      • %device_model%. Specifies the device model.
      • %os_version%. Specifies the operating system version on the device.
    • Password

      Specifies a password for accessing a wireless network protected using the WEP or WPA2 PSK protocol. The password will be sent in a QR code.

  11. In the Password field, set a network access password if you selected a secure network at step 9.
  12. Select the Use proxy server option if you want to use a proxy server to connect to a Wi-Fi network. Otherwise, select the Do not use proxy server option.
  13. If you selected Use proxy server, in the Proxy server address and port field, enter the IP address or DNS name of the proxy server and port number, if necessary.

    On devices running Android version 8.0 or later, settings of the proxy server for Wi-Fi cannot be redefined with the policy. However, you can manually configure the proxy server settings for a Wi-Fi network on the mobile device.

    If you are using a proxy server to connect to a Wi-Fi network, you can use a policy to configure the settings for connecting to the network. On devices running Android 8.0 or later, you must manually configure the proxy server settings. On devices running Android 8.0 or later, you cannot use a policy to change the Wi-Fi network connection settings, except for the network access password.

    If you are not using a proxy server to connect to a Wi-Fi network, there are no limitations on using policies to manage a Wi-Fi network connection.

  14. In the Do not use proxy server for addresses field, generate a list of web addresses that can be accessed without the use of the proxy server.

    For example, you can enter the address example.com. In this case, the proxy server will not be used for the addresses pictures.example.com, example.com/movies, etc. The protocol (for example, http://) can be omitted.

    On devices running Android version 8.0 or later, the proxy server exclusion for web addresses does not work.

  15. Click OK.

    The added Wi-Fi network is displayed in the list of Wi-Fi networks.

    This list contains the names of suggested wireless networks.

    On personal devices running Android 10 or later, the operating system prompts the user to connect to such networks. Suggested networks don't appear on the saved networks list on these devices.

    On devices operating in device owner mode and personal devices running Android 9 or earlier, after synchronizing the device with the Administration Server, the device user can select a suggested wireless network in the saved networks list and connect to it without having to specify any network settings.

    You can modify or delete Wi-Fi networks in the list of networks using the Edit and Delete buttons at the top of the list.

  16. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

On devices running Android version 10.0 or later, if a user refuses to connect to the suggested Wi-Fi network, the app's permission to change Wi-Fi state is revoked. The user must grant this permission manually.
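
The Domain rule from step 10 (suffix match against SubjectAltName dNSName entries, semicolon-separated values combined with OR, and * accepting anything), written out as an added Python example; it is not Kaspersky code. The function names and host names are constructed, and three points are assumptions: names are compared label by label (the way Android documents its Wi-Fi domain suffix match), an empty field is treated like *, and a certificate without dNSName entries does not meet the constraint.

```python
# Added example (not Kaspersky code): evaluating the Wi-Fi policy "Domain"
# field against a certificate's SubjectAltName dNSName entries.
# Function names and host names are constructed for illustration.


def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.strip().lower().rstrip(".").split(".")


def suffix_match(constraint, dns_name):
    """Return True if dns_name ends with every label of constraint.

    Assumption: whole labels are compared, so "example.com" matches
    "radius.example.com" but not "radius-example.com".
    """
    want, have = _labels(constraint), _labels(dns_name)
    if "" in want or "" in have or len(want) > len(have):
        return False
    return have[-len(want):] == want


def parse_domain_field(value):
    """Split the semicolon-separated Domain field into match strings."""
    return [part.strip() for part in value.split(";") if part.strip()]


def domain_constraint_met(domain_field, san_dns_names):
    """Apply the OR rule: one match string matching one dNSName is enough.

    "*" (the default) accepts any certificate. Assumption: an empty field
    behaves the same way, and an empty dNSName list never matches.
    """
    patterns = parse_domain_field(domain_field)
    if not patterns or "*" in patterns:
        return True
    return any(suffix_match(p, n) for p in patterns for n in san_dns_names)


def audit_domain_field(domain_field):
    """Return review findings for a Domain value before it goes into a policy."""
    findings = []
    patterns = parse_domain_field(domain_field)
    if not patterns or "*" in patterns:
        findings.append("accepts any certificate: no server name is enforced")
    for pattern in patterns:
        if pattern == "*":
            continue
        labels = _labels(pattern)
        if "*" in pattern or "" in labels:
            findings.append(f"{pattern!r} is not a plain FQDN")
        elif len(labels) < 2:
            findings.append(f"{pattern!r} is a single label and matches a whole TLD")
    return findings


if __name__ == "__main__":
    # Constructed sample: dNSName values from an authentication server certificate.
    san = ["radius1.corp.example.com"]
    for field in ("*", "corp.example.com; example.org", "example.net", "com"):
        print(f"{field!r:34} met={domain_constraint_met(field, san)!s:5} "
              f"findings={audit_domain_field(field)}")
```

Leaving the default * means the device does not check which server name the certificate was issued to, so the audit function reports it as a finding even though the constraint is formally met.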


Connecting iOS MDM devices to a Wi-Fi network

For an iOS MDM device to automatically connect to an available Wi-Fi network and protect data during the connection, you should configure the connection settings.

To configure the connection of an iOS MDM device to a Wi-Fi network:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Wi-Fi section.
  5. Click the Add button in the Wi-Fi networks section.

    This opens the Wi-Fi network window.

  6. In the Service set identifier (SSID) field, enter the name of the Wi-Fi network that includes the access point (SSID).
  7. If you want the iOS MDM device to connect to the Wi-Fi network automatically, select the Automatic connection check box.
  8. To make it impossible to connect iOS MDM devices to a Wi-Fi network requiring preliminary authentication (captive network), select the Disable captive networks detection check box.

    To use a captive network, you must subscribe, accept an agreement, or make a payment. Captive networks may be deployed in cafes and hotels, for example.

  9. If you want the Wi-Fi network to be hidden in the list of available networks on the iOS MDM device, select the Hidden Network check box.

    In this case, to connect to the network the user needs to manually enter the Service set identifier (SSID) specified in the settings of the Wi-Fi router on the mobile device.

  10. In the Network protection drop-down list, select the type of protection of the Wi-Fi network connection:
    • Disabled. User authentication is not required.
    • WEP. The network is protected using Wireless Encryption Protocol (WEP).
    • WPA/WPA2 (Personal). The network is protected using WPA / WPA2 protocol (Wi-Fi Protected Access).
    • WPA2 (Personal). The network is protected using WPA2 protocol (Wi-Fi Protected Access 2.0). WPA2 protection is available on devices running iOS version 8 or later. WPA2 is not available on Apple TV devices.
    • Any (Personal). The network is protected using the WEP, WPA or WPA2 encryption protocol depending on the type of Wi-Fi router. An encryption key unique to each user is used for authentication.
    • WEP (Dynamic). The network is protected using the WEP protocol with the use of a dynamic key.
    • WPA/WPA2 (Enterprise). The network is protected using the WPA/WPA2 encryption protocol with use of the 802.1X protocol.
    • WPA2 (Enterprise). The network is protected using the WPA2 encryption protocol with the use of one key shared by all users (802.1X). WPA2 protection is available on devices running iOS version 8 or later. WPA2 is not available on Apple TV devices.
    • Any (Enterprise). The network is protected using WEP or WPA / WPA2 protocol depending on the type of Wi-Fi router. One encryption key shared by all users is used for authentication.

    If you have selected WEP (Dynamic), WPA/WPA2 (Enterprise), WPA2 (Enterprise) or Any (Enterprise) in the Network protection list, in the Protocols section you can select the types of EAP protocols (Extensible Authentication Protocol) for user identification on the Wi-Fi network.

    In the Trusted certificates section, you can also create a list of trusted certificates for authentication of the iOS MDM device user on trusted servers.

  11. Configure the settings of the account for user authentication upon connection of the iOS MDM device to the Wi-Fi network:
    1. In the Authentication section, click the Configure button.

      The Authentication window opens.

    2. In the User name field, enter the account name for user authentication upon connection to the Wi-Fi network.
    3. To require the user to enter the password manually upon every connection to the Wi-Fi network, select the Prompt for password at each connection check box.
    4. In the Password field, enter the password of the account for authentication on the Wi-Fi network.
    5. In the Authentication certificate drop-down list, select a certificate for user authentication on the Wi-Fi network. If the list does not contain any certificates, you can add them in the Certificates section.
    6. In the User ID field, enter the user ID displayed during data transmission upon authentication instead of the user's real name.

      The user ID is designed to make the authentication process more secure, as the user name is not displayed openly, but transmitted via an encrypted TLS tunnel.

    7. Click OK.

    As a result, the settings of the account for user authentication upon connection to the Wi-Fi network will be configured on the iOS MDM device.

  12. If necessary, configure the settings of the Wi-Fi network connection via a proxy server:
    1. In the Proxy server section, click the Configure button.
    2. In the Proxy server window that opens, select the proxy server configuration mode and specify the connection settings.
    3. Click OK.

    As a result, the settings of the device connection to the Wi-Fi network via a proxy server are configured on the iOS MDM device.

  13. Click OK.

    The new Wi-Fi network is displayed in the list.

  14. Click the Apply button to save the changes you have made.

As a result, a Wi-Fi network connection will be configured on the user's iOS MDM device once the policy is applied. The user's mobile device will automatically connect to available Wi-Fi networks. Data security during a Wi-Fi network connection is ensured by the authentication technology.


Configuring email

This section contains information on configuring mailboxes on mobile devices.

In this section

Configuring a mailbox on iOS MDM devices

Configuring an Exchange mailbox on iOS MDM devices

Configuring an Exchange mailbox on Android devices (only Samsung)


Configuring a mailbox on iOS MDM devices

To enable an iOS MDM device user to work with email, add the user's email account to the list of accounts on the iOS MDM device.

By default, the email account is added with the following settings:

  • Email protocol – IMAP.
  • The user can move email messages between the user's accounts and synchronize account addresses.
  • The user can use any email client (other than Mail) to work with email.
  • The SSL connection is not used during transmission of messages.

You can edit the specified settings when adding the account.

To add an email account of the iOS MDM device user:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Email section.
  5. Click the Add button in the Email account section.

    The Email account window opens.

  6. In the Description field, enter a description of the user's email account.
  7. Select the email protocol:
    • POP
    • IMAP
  8. If necessary, specify the IMAP path prefix in the IMAP path prefix field.

    The IMAP path prefix must be entered using upper-case letters (for example: GMAIL for Google Mail). This field is available if the IMAP account protocol is selected.

  9. In the User name as displayed in messages field, enter the user name to be displayed in the From: field for all outgoing messages.
  10. In the Email address field, specify the email address of the iOS MDM device user.
  11. Configure Additional Settings of the email account:
    • To allow the user to move email messages between the user's accounts, select the Allow movement of messages between accounts check box.
    • To allow the email addresses used to be synchronized among user accounts, select the Allow sync of recent addresses check box.
    • To allow a user to use the Mail Drop service to forward large-sized attachments, select the Allow Mail Drop check box.
    • To allow the user to use only the standard iOS mail client, select the Allow use of only Mail app check box.
  12. Configure the settings for using the S/MIME protocol in the Mail app. S/MIME is a protocol for transmitting digitally signed encrypted messages.
    • To use the S/MIME protocol to sign outgoing mail, select the Sign messages check box and select a certificate for the signature. A digital signature confirms the authenticity of the sender and indicates that the contents of the message have not been modified during transmission to the recipient. A message signature is available on devices running iOS version 10.3 or later.
    • To use the S/MIME protocol to encrypt outgoing mail, select the Encrypt messages by default check box and select a certificate for encryption (public key). Message encryption is available on devices running iOS version 10.3 or later.
    • To enable a user to encrypt individual messages, select the Show toggle button for encrypting messages check box. To send encrypted messages, the user must click the mail_lock icon in the Mail app in the To field.
  13. In the Inbound mail server and Outbound mail server sections, click the Settings button to configure the server connection settings:
    • Server address and port: Names of hosts or IP addresses of inbound mail servers and outbound mail servers and server port numbers.
    • Account name: Name of the user's account for inbound and outbound mail server authorization.
    • Authentication type: Type of user's email account authentication on inbound mail servers and outbound mail servers.
    • Password: Account password for authentication on the inbound and outbound mail server protected using the selected authentication method.
    • Use one password for incoming and outgoing mail servers: use one password for user authentication on incoming and outgoing mail servers.
    • Use SSL connection: usage of the SSL (Secure Sockets Layer) data transport protocol that uses encryption and certificate-based authentication to secure data transmission.
  14. Click OK.

    The new email account appears in the list.

  15. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, email accounts from the compiled list will be added on the user's mobile device.


Configuring an Exchange mailbox on iOS MDM devices

To enable the iOS MDM device user to use corporate email, calendar, contacts, notes, and tasks, add the user's Exchange ActiveSync account on the Microsoft Exchange server.

By default, an account with the following settings is added on the Microsoft Exchange server:

  • Email is synchronized once per week.
  • The user can move messages between the user's accounts and synchronize account addresses.
  • The user can use any email client (other than Mail) to work with email.
  • The SSL connection is not used during transmission of messages.

You can edit the specified settings when adding the Exchange ActiveSync account.

To add the Exchange ActiveSync account of the iOS MDM device user:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Exchange ActiveSync section.
  5. Click the Add button in the Exchange ActiveSync accounts section.

    The Exchange ActiveSync account window opens on the General tab.

  6. In the Account name field, enter the account name for authorization on the Microsoft Exchange server. You can use macros from the Macros available drop-down list.
  7. In the Server address field, enter the network name or IP address of the Microsoft Exchange server.
  8. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of data, select the Use SSL connection check box.
  9. In the Domain field, enter the name of the iOS MDM device user's domain. You can use macros from the Macros available drop-down list.
  10. In the Account User Name field, enter the name of the iOS MDM device user.

    If you leave this field blank, Kaspersky Device Management for iOS prompts the user to enter the user name when applying the policy on the iOS MDM device. You can use macros from the Macros available drop-down list.

  11. In the Email address field, specify the email address of the iOS MDM device user. You can use macros from the Macros available drop-down list.
  12. In the Password field, enter the password of the Exchange ActiveSync account for authorization on the Microsoft Exchange server.
  13. Select the Additional tab and configure the additional settings of the Exchange ActiveSync account:
    • Number of Days to Sync Mail for <time period>.
    • Authentication type.
    • Allow movement of messages between accounts.
    • Allow sync of recent addresses.
    • Allow use of only Mail app.
  14. Configure the settings for using the S/MIME protocol in the Mail app. S/MIME is a protocol for transmitting digitally signed encrypted messages.
    • To use the S/MIME protocol to sign outgoing mail, select the Sign messages check box and select a certificate for the signature. A digital signature confirms the authenticity of the sender and indicates that the contents of the message have not been modified during transmission to the recipient. A message signature is available on devices running iOS version 10.3 or later.
    • To use the S/MIME protocol to encrypt outgoing mail, select the Encrypt messages by default check box and select a certificate for encryption (public key). Message encryption is available on devices running iOS version 10.3 or later.
    • To enable a user to encrypt individual messages, select the Show toggle button for encrypting messages check box. To send encrypted messages, the user must click the mail_lock icon in the Mail app in the To field.
  15. Click OK.

    The new Exchange ActiveSync account appears in the list.

  16. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, Exchange ActiveSync accounts from the compiled list will be added on the user's mobile device.


Configuring an Exchange mailbox on Android devices (only Samsung)

To work with corporate mail, contacts, and the calendar on the mobile device, you should configure the Exchange mailbox settings (available only on Android 9 and earlier).

Configuration of an Exchange mailbox is possible only for Samsung devices.

To configure an Exchange mailbox on a mobile device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Manage Samsung KNOX → Manage Samsung devices section.
  5. In the Exchange ActiveSync window, click the Configure button.

    The Exchange mail server settings window opens.

  6. In the Server address field, enter the IP address or DNS name of the server hosting the mail server.
  7. In the Domain field, enter the name of the mobile device user's domain on the corporate network.
  8. In the Synchronization interval drop-down list, select the desired interval for mobile device synchronization with the Microsoft Exchange server.
  9. To use the SSL (Secure Sockets Layer) data transport protocol, select the Use SSL connection check box.
  10. To use digital certificates to protect data transfer between the mobile device and the Microsoft Exchange server, select the Verify server certificate check box.
  11. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.


Installing root certificates on Android devices

A root certificate is a public key certificate issued by a trusted certificate authority (CA). Root certificates are used to verify custom certificates and guarantee their identity.

Kaspersky Security Center lets you add root certificates to be installed on Android devices to a trusted certificate store.

These certificates are installed on user devices as follows:

  • On devices operating in device owner mode, the certificates are installed automatically.

    If you delete a root certificate in policy settings, it will also be automatically deleted on the device during the next synchronization with the Administration Server.

  • On personal devices (not operating in device owner mode):
    • If a work profile was not created, the device user is prompted to install each certificate manually in a personal profile by following the instructions in the notification.
    • If a work profile was created, the certificates are installed automatically to this profile. If the Duplicate installation of root certificates in personal profile check box is selected in work profile settings, the certificates can also be installed in a personal profile. The device user is prompted to do this manually by following the instructions in the notification.

      If you delete a root certificate in policy settings, it will also be automatically deleted on the device during the next synchronization with the Administration Server.

      For instructions on how to install certificates in personal profiles, please refer to Installing root certificates on the device.

To add a root certificate in Kaspersky Security Center:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Root certificates section.
  5. In the Root certificates section, click Add.

    The file explorer opens.

  6. Select a certificate file (.cer, .pem, or .key) and click Open.

    Make sure the selected certificate file does not contain "Root_" in its name (regardless of the case). Otherwise, the certificate will not be installed during the device synchronization with the Administration Server.

    The Certificate window opens.

  7. View the certificate information and click Install Certificate.

    This starts the standard Certificate Import Wizard.

  8. Follow the wizard's instructions.

    After the wizard is finished, the root certificate appears in the list of certificates.

  9. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.


Configuring notifications for Kaspersky Endpoint Security for Android

If you do not want the mobile device user to be distracted by Kaspersky Endpoint Security for Android notifications, you can disable certain notifications.

Kaspersky Endpoint Security uses the following tools to display the device protection status:

  • Protection status notification. This notification is pinned to the notification bar. Protection status notification cannot be removed. The notification displays the device protection status and number of issues, if any. You can tap the device protection status and see the list of issues in the app.
  • App notifications. These notifications inform the device user about the application (for example, threat detection).
  • Pop-up messages. Pop-up messages require action from the device user (for example, action to take when a threat is detected).

All Kaspersky Endpoint Security for Android notifications are enabled by default.

On Android 13, the device user should grant permission to send notifications during the Initial Configuration Wizard or later.

An Android device user can disable all notifications from Kaspersky Endpoint Security for Android in the settings on the notification bar. If notifications are disabled, the user does not monitor the operation of the app and can ignore important information (for example, information about failures during device synchronization with Kaspersky Security Center). In this case, to find out the app operating status, the user must open Kaspersky Endpoint Security for Android.

To configure the display of notifications about the operation of Kaspersky Endpoint Security for Android:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Additional section.
  5. In the App notifications section, click the Configure button.

    The Device notification settings window opens.

  6. Select the Kaspersky Endpoint Security for Android issues that you want to hide on the user's mobile device and click the OK button.

    Kaspersky Endpoint Security for Android will not display the selected issues in the protection status notification. Kaspersky Endpoint Security for Android will continue to display the protection status notification and app notifications.

    Certain Kaspersky Endpoint Security for Android issues are mandatory and impossible to disable (such as issues about license expiration).

  7. To hide all notifications and pop-up messages, select the Disable notifications and pop-ups when app is background mode option.

    Kaspersky Endpoint Security for Android will display the protection status notification only. The notification displays the device protection status and the number of issues. The app also displays notifications while the user is working with the app (for example, when the user updates anti-virus databases manually).

    Kaspersky experts recommend that you enable notifications and pop-up messages. If you disable notifications and pop-up messages when the app is in background mode, the app will not warn users about threats in real time. Mobile device users can learn about the device protection status only when they open the app.

  8. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. The Kaspersky Endpoint Security for Android notifications that you disable will not be displayed on the user's mobile device.

Connecting iOS MDM devices to AirPlay

Configure the connection to AirPlay devices to enable streaming of music, photos, and videos from the iOS MDM device to AirPlay devices. To be able to use AirPlay technology, the mobile device and AirPlay devices must be connected to the same wireless network. AirPlay devices include Apple TV devices (of the second and third generations), AirPort Express devices, speakers or radio sets with AirPlay support.

Automatic connection to AirPlay devices is available for controlled devices only.

To configure the connection of an iOS MDM device to AirPlay devices:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the AirPlay section.
  5. In the AirPlay devices section, select the Apply settings on device check box.
  6. Click the Add button in the Passwords section.

    An empty row is added in the password table.

  7. In the Device name column, enter the name of the AirPlay device on the wireless network.
  8. In the Password column, enter the password to the AirPlay device.
  9. To restrict access of iOS MDM devices to AirPlay devices, create a list of allowed devices in the Allowed devices section. To do so, add the MAC addresses of AirPlay devices to the list of allowed devices.

    Access to AirPlay devices that are not on the list of allowed devices is blocked. If the list of allowed devices is left blank, Kaspersky Device Management for iOS will allow access to all AirPlay devices.

  10. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the user's mobile device will automatically connect to AirPlay devices to stream media content.

Connecting iOS MDM devices to AirPrint

To enable printing of documents from the iOS MDM device wirelessly using AirPrint technology, configure automatic connection to AirPrint printers. The mobile device and printer must be connected to the same wireless network. Shared access for all users has to be configured on the AirPrint printer.

To configure the connection of an iOS MDM device to an AirPrint printer:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the AirPrint section.
  5. Click the Add button in the AirPrint printers section.

    The Printer window opens.

  6. In the IP address field, enter the IP address of the AirPrint printer.
  7. In the Resource Path field, enter the path to the AirPrint printer.

    The path to the printer corresponds to the rp (resource path) key of the Bonjour protocol. For example:

    • printers/Canon_MG5300_series
    • ipp/print
    • Epson_IPP_Printer
  8. Click OK.

    The newly added AirPrint printer appears on the list.

  9. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the mobile device user can wirelessly print documents on the AirPrint printer.
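
The rp value for the Resource Path field can be read from the printer's Bonjour (DNS-SD) TXT record. The following is an added example, not code from Kaspersky or Apple: it decodes the TXT record wire format (length-prefixed key=value strings, per RFC 6763) and returns the rp value. The sample record and the function names are constructed for illustration.

```python
# Added example: read the rp (resource path) key from a DNS-SD TXT record
# so that it can be entered in the Resource Path field of the policy.


def encode_txt(strings):
    """Build TXT RDATA from byte strings (used only to construct the sample)."""
    out = bytearray()
    for s in strings:
        if len(s) > 255:
            raise ValueError("TXT string longer than 255 bytes")
        out.append(len(s))  # one length byte precedes every string
        out += s
    return bytes(out)


def parse_txt_rdata(rdata):
    """Decode TXT RDATA into {lowercase key: value bytes, or None if no '='}."""
    attrs = {}
    pos = 0
    while pos < len(rdata):
        length = rdata[pos]
        pos += 1
        chunk = rdata[pos:pos + length]
        if len(chunk) != length:
            raise ValueError("truncated TXT string at offset %d" % (pos - 1))
        pos += length
        if not chunk:
            continue  # zero-length string carries no attribute
        key, sep, value = chunk.partition(b"=")
        if not key:
            continue  # strings that begin with '=' are ignored
        name = key.decode("ascii", "replace").lower()  # keys are case-insensitive
        if name not in attrs:  # only the first occurrence of a key is used
            attrs[name] = value if sep else None
    return attrs


def resource_path(rdata):
    """Return the rp value as text, rejecting missing or malformed values."""
    value = parse_txt_rdata(rdata).get("rp")
    if not value:
        raise LookupError("TXT record has no usable rp key")
    path = value.decode("utf-8")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in path):
        raise ValueError("rp contains control characters")
    return path


# Constructed sample record; the printer name is a placeholder.
SAMPLE_TXT = encode_txt([
    b"txtvers=1",
    b"qtotal=1",
    b"RP=ipp/print",          # upper-case key, still matches "rp"
    b"ty=Example Printer",
    b"rp=ignored/duplicate",  # later duplicate, not used
    b"=junk",                 # no key, ignored
    b"Color",                 # boolean attribute without a value
])

if __name__ == "__main__":
    print(resource_path(SAMPLE_TXT))
```
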

Bypassing the Activation Lock on supervised iOS devices

Activation Lock is an iOS feature that is designed to prevent others from using a lost or stolen iOS device or reactivating it without the owner's permission. Kaspersky Security Center allows you to bypass the Activation Lock on supervised iOS devices by using a bypass code, without entering the Apple ID and the user's password.

A bypass code is generated when an iOS device is connected to Kaspersky Security Center and becomes supervised.

To disable Activation Lock using a bypass code:

  1. In the console tree, select Mobile Device Management → Mobile devices.
  2. In the list of devices, double-click the device for which you need to view the bypass code.

    The properties window of the selected device opens.

  3. In the properties window of the selected device, select the Advanced iOS MDM settings tab.
  4. On the Advanced iOS MDM settings tab, click the crossed-out eye icon next to the Bypass code for Activation Lock (supervised only) option.

    The bypass code for Activation Lock is displayed.

  5. On the Activation Lock screen of the supervised iOS device, enter the bypass code in the Apple ID password field. Leave the username field empty.

    Activation Lock is disabled on the device.

Configuring the Access Point Name (APN)

To connect a mobile device to data transfer services on a mobile network, you should configure the APN (Access Point Name) settings.

In this section

Configuring APN on Android devices (only Samsung)

Configuring APN on iOS MDM devices

Configuring APN on Android devices (only Samsung)

Configuration of APN is possible only for Samsung devices.

A SIM card must be inserted to be able to use an access point on the user's mobile device. Access point settings are provided by the mobile telephony operator. Incorrect access point settings may result in additional mobile telephony charges.

To configure the Access Point Name (APN) settings:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Manage Samsung KNOX APN section.
  5. In the APN section, click the Configure button.

    The APN settings window opens.

  6. On the General tab, specify the following access point settings:
    1. In the APN type drop-down list, select the type of access point.
    2. In the APN name field, specify the name of the access point.
    3. In the MCC field, enter the mobile country code (MCC).
    4. In the MNC field, enter the mobile network code (MNC).
    5. If you have selected MMS or Internet and MMS as the type of access point, specify the following additional MMS settings:
      • In the MMS server field, specify the full domain name of the mobile carrier's server used for MMS exchange.
      • In the MMS proxy server field, specify the network name or IP address of the proxy server and the port number of the mobile carrier's server used for MMS exchange.
  7. On the Additional tab, configure the additional settings of the Access Point Name (APN):
    1. In the Authentication type drop-down list, select the type of mobile device user's authentication on the mobile carrier's server for network access.
    2. In the Server address field, specify the network name of the mobile carrier's server through which data transmission services are accessed.
    3. In the Proxy server address field, specify the network name or IP address and port number of the mobile carrier's proxy server for network access.
    4. In the User name field, enter the user name for authorization on the mobile network.
    5. In the Password field, enter the password for user authorization on the mobile network.
  8. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

Configuring APN on iOS MDM devices

The Access Point Name (APN) has to be configured in order to enable the mobile network data transmission service on the user's iOS MDM device.

The APN section is out of date. It is recommended to configure APN settings in the Cellular communications section. Before configuring cellular communication settings, make sure that the settings of the APN section have not been applied on the device (the Apply settings on device check box is cleared). The settings of the APN and Cellular communications sections cannot be used concurrently.

To configure an access point on a user's iOS MDM device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Cellular communications section.
  5. In the Cellular communication settings section, select the Apply settings on device check box.
  6. In the APN type list, select the type of access point for data transfer on a GPRS/3G/4G mobile network:
    • Built-in APN – configuration of cellular communication settings for data transfer via a mobile network operator that supports operation with a built-in Apple SIM. For more details about devices with a built-in Apple SIM, please visit the Apple Technical Support website.
    • APN – configuration of cellular communication settings for data transfer via the mobile network operator of the inserted SIM card.
    • Built-in APN and APN – configuration of cellular communication settings for data transfer via the mobile network operators of the inserted SIM card and the built-in Apple SIM. For more details about devices with a built-in Apple SIM and a SIM card slot, please visit the Apple Technical Support website.
  7. In the APN name field, specify the name of the access point.
  8. In the Authentication type drop-down list, select the type of device user authentication on the mobile operator's server for network access (internet and MMS):
  9. In the User name field, enter the user name for authorization on the mobile network.
  10. In the Password field, enter the password for user authorization on the mobile network.
  11. In the Proxy server address and port field, enter the name of a host or the IP address of a proxy server and the number of the proxy server port.
  12. Click the Apply button to save the changes you have made.

As a result, the access point name (APN) is configured on the user's mobile device after the policy is applied.

Configuring the Android work profile

This section contains information about working with an Android work profile.

In this section

About Android work profile

Configuring the work profile

Unlocking the work profile

About Android work profile

Android Enterprise is a platform for managing the corporate mobile infrastructure, which provides company employees with a work environment in which they can use mobile devices. For details on using Android Enterprise, see the Google support website.

You can create the Android work profile (hereinafter also "work profile") on the user's mobile device. The Android work profile is a safe environment on the user's device in which the administrator can manage apps and user accounts without restricting the user's use of their own data. When a work profile is created on the user's mobile device, the following corporate apps are automatically installed to it: Google Play Market, Google Chrome, Downloads, Kaspersky Endpoint Security for Android, and others. Corporate apps installed in the work profile and notifications of these apps are marked with an icon. You have to create a separate Google corporate account for the Google Play Market app. Apps installed in the work profile appear in the common list of apps.

Configuring the work profile

To configure the settings of the Android work profile:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Android work profile.
  5. In the Android work profile workspace, select the Create work profile check box.
  6. Specify the work profile settings:
    • On the General tab, specify the data sharing, contact, and other settings:
      • Settings in the Data access and sharing section:
        • Prohibit personal profile apps to share data with work profile apps

          Restricts sharing of files, pictures, or other data from personal profile apps with work profile apps.

          If the check box is selected, apps in personal profile can't share data with work profile apps.

          If the check box is cleared, the apps in personal profile can share data with work profile apps.

          The restriction doesn't affect search of contacts, access to the calendar, and copying data via clipboard across personal and work profiles. You can configure these functionalities by specifying the Prohibit personal profile apps to access work profile contacts, Synchronization of personal and work profile calendars, and Prohibit use of clipboard content across personal and work profiles options, respectively.

          This check box is selected by default.

        • Prohibit work profile apps to share data with personal profile apps

          Restricts sharing of files, pictures, or other data from work profile apps with personal profile apps.

          If the check box is selected, the apps in work profile can't share data with personal profile apps.

          If the check box is cleared, the apps in work profile can share data with personal profile apps.

          The restriction doesn't affect search of contacts, access to the calendar, and copying data via clipboard across personal and work profiles. You can configure these functionalities by specifying the Prohibit personal profile apps to access work profile contacts, Synchronization of personal and work profile calendars, and Prohibit use of clipboard content across personal and work profiles options, respectively.

          This check box is selected by default.

        • Prohibit work profile apps to access files in personal profile

          Restricts access of work profile apps to files in personal profile.

          If the check box is selected, the user can't access files in personal profile when using work profile apps.

          If the check box is cleared, the user can access files in personal profile when using work profile apps. Note that the access must be also supported by the apps that are being used.

          This check box is selected by default.

        • Prohibit personal profile apps to access files in work profile

          Restricts access of personal profile apps to files in work profile.

          If the check box is selected, the user can't access files in work profile when using personal profile apps.

          If the check box is cleared, the user can access files in work profile when using personal profile apps. Note that the access must be supported by the apps that are being used.

          This check box is selected by default.

        • Prohibit use of clipboard content across personal and work profiles

          Selecting or clearing this check box specifies whether the device user is allowed to copy data via clipboard across personal and work profiles.

          This check box is selected by default.

        • Prohibit activation of USB debugging mode

          Restricts the use of USB debugging mode on the user's mobile device in the work profile. In USB debugging mode, the user can download an app via a workstation, for example.

          If the check box is selected, USB debugging mode is not available to the user. The user is unable to configure the mobile device via USB after connecting the device to a workstation.

          If the check box is cleared, the user can enable USB debugging mode, connect the mobile device to a workstation via USB, and configure the device.

          This check box is selected by default.

        • Prohibit the user to add and remove accounts in work profile

          If the check box is selected, the user is prohibited from adding and removing accounts in the work profile via Settings or Google apps. This includes restricting the ability to sign in to Google apps for the first time. However, the user can sign in, add, and remove accounts via some other third-party apps in the work profile.

          Accounts that were added before the restriction was set are not removed, and signing in to these accounts is not restricted.

          This check box is selected by default.

        • Prohibit screen sharing, recording, and screenshots in work profile apps

          Selecting or clearing this check box specifies whether the device user is allowed to take screenshots, record and share the device screen in work profile apps.

          This check box is selected by default.

      • Settings in the Contacts section:
    • On the Apps tab, specify the following settings:
      • Enable App Control in Work profile only

        Controls the startup of apps in the work profile on the user's mobile device. You can create lists of allowed, blocked, recommended, and required apps as well as allowed and blocked app categories in the App Control section.

        If this check box is selected, depending on the App Control settings, Kaspersky Endpoint Security blocks or allows startup of apps only in the work profile. Meanwhile, App Control does not work in the personal profile.

        This check box is cleared by default.

      • Enable Web Protection in work profile only

        Restricts user access to websites in the work profile on the device. You can specify website access settings (create a list of blocked website categories or a list of allowed websites) in the Web Protection section. If Web Protection is disabled, Kaspersky Endpoint Security only restricts user access to websites in the Phishing and Malware categories. These categories are selected by default in the Websites of selected categories are forbidden area of Web Protection.

        If this check box is selected, Web Protection for Google Chrome blocks or allows access to websites only in the Android work profile. Meanwhile, Web Protection does not work in the personal profile.

        If this check box is cleared, depending on the Web Protection settings, Kaspersky Endpoint Security blocks or allows access to websites in the personal and work profiles of the mobile device.

        For Samsung Internet Browser and Huawei Browser, leave the Enable Web Protection in work profile only check box unselected. These browsers do not allow you to enable Web Protection only in the work profile. If you select this check box, Web Protection in these browsers will not work.

        This check box is cleared by default.

      • Prohibit installation of apps in the work profile from unknown sources

        Restricts installation of apps in the work profile from all sources other than Google Play Enterprise.

        If the check box is selected, the user can install apps from Google Play only. Users use their own Google corporate accounts to install apps.

        If the check box is cleared, the user can install apps in any available way. Only blocked apps cannot be installed; you can create the list of blocked apps in the App Control section.

        This check box is cleared by default.

      • Prohibit removal of apps from work profile

        Selecting or clearing this check box specifies whether the user is prohibited from removing apps from the work profile.

        This check box is cleared by default.

      • Prohibit display of notifications from work profile apps when screen is locked

        Restricts display of notification contents from work profile apps on the lock screen of the device.

        If the check box is selected, the contents of notifications from work profile apps can't be viewed on the device lock screen. To view the notifications, the user has to unlock the device or the work profile.

        If the check box is cleared, notifications from work profile apps are displayed on the device lock screen.

        This check box is cleared by default.

      • Prohibit use of camera for work profile apps

        Selecting or clearing this check box specifies whether work profile apps can access the device camera.

        This check box is selected by default.

        On devices running Android 10 or later, if the Prohibit use of camera check box in the Device Management section is selected, the device camera may be blocked in the work profile even if the Prohibit use of camera for work profile apps check box is cleared.

      • Granting runtime permissions for work profile apps

        The Granting runtime permissions for work profile apps setting allows you to select an action to be performed when work profile apps are running and request additional permissions. This does not apply to permissions granted in device Settings (e.g. Access All Files).

        • Prompt the user for permissions

          When a permission is requested, the user decides whether to grant the specified permission to the app.

          This option is selected by default.

        • Grant permissions automatically

          All work profile apps are granted permissions without user interaction.

        • Deny permissions automatically

          All work profile apps are denied permissions without user interaction.

          Users can modify app permissions in the device Settings.

        On Android 12 or later, the following permissions can't be granted automatically but can be denied automatically. If you select Grant permissions automatically, the app will prompt the user for these permissions:

        • Manifest.permission.ACCESS_FINE_LOCATION
        • Manifest.permission.ACCESS_BACKGROUND_LOCATION
        • Manifest.permission.ACCESS_COARSE_LOCATION
        • Manifest.permission.CAMERA
        • Manifest.permission.RECORD_AUDIO
        • Manifest.permission.RECORD_BACKGROUND_AUDIO
        • Manifest.permission.ACTIVITY_RECOGNITION
        • Manifest.permission.BODY_SENSORS
        • Manifest.permission.READ_SMS
      • Adding widgets of work profile apps to device home screen

        The Adding widgets of work profile apps to device home screen setting allows you to choose whether the device user is allowed to add widgets of work profile apps to the device home screen.

        • Prohibit for all apps

          The device user is prohibited from adding widgets of apps installed in the work profile.

          This option is selected by default.

        • Allow for all apps

          The device user is allowed to add widgets of all apps installed in the work profile.

        • Allow only for the listed apps

          The device user is allowed to add widgets of listed apps installed in the work profile.

          To add an app to the list, click Add and enter an app package name.

          To get the package name of an app:

          1. Open Google Play.
          2. Find the required app and open its page.

          The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

          To get the package name of an app that has been added to Kaspersky Security Center:

          1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
          2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

          In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

          If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add this app's package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

          To remove an app from the list, select the app and click Delete.

    • On the Certificates tab, you can configure the following settings:
      • Duplicate installation of the VPN certificates in personal profile

        Selecting or clearing the check box specifies whether the VPN certificate added in the Mobile Device Management > Certificates section of the Kaspersky Security Center Administration Console and installed to the work profile will also be installed to the personal profile.

        By default, VPN certificates received from Kaspersky Security Center are installed in the work profile. This setting is applied when a new VPN certificate is issued.

        This check box is cleared by default.

      • Duplicate installation of root certificates in personal profile

        Selecting or clearing the check box specifies whether the root certificates added in the Root certificates policy section and installed to the work profile will also be installed to the personal profile.

        This check box is cleared by default.

    • On the Password tab, specify work profile password settings:
      • Require to set password for work profile

        Allows you to specify the requirements for the work profile password according to company security requirements.

        If the check box is selected, password requirements are available for configuration. When the policy is applied, the user receives a notification prompting them to set up a work profile password according to company requirements.

        If the check box is cleared, editing password settings is not available.

        This check box is cleared by default.

      • Minimum number of characters

        The minimum number of characters in the user password. Possible values: 4 to 16 characters.

        The user's password is 4 characters long by default.

        The following is applicable only to personal and work profiles:

        • In personal profile, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high on devices running Android 10 or later.
        • In work profile, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high on devices running Android 12 or later.

        The values are determined by the following rules:

        • If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN) with no repeating or ordered (e.g. 1234) sequences, or alphabetic/alphanumeric. The PIN or password must be at least 4 characters long.
        • If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN) with no repeating or ordered sequences, or alphabetic/alphanumeric (password). The PIN must be at least 8 digits long; the password must be at least 6 characters long.
      • Minimum password complexity requirements (Android 12 or earlier)

        Specifies minimum unlock password requirements. These requirements apply only to new user passwords. The following values are available:

        • Numeric

          The user can set a password that includes numbers or set any stronger password (for instance, alphabetic or alphanumeric).

          This option is selected by default.

        • Alphabetic

          The user can set a password that includes letters (or other non-number symbols) or set any stronger password (for instance, alphanumeric).

        • Alphanumeric

          The user can set a password that includes both numbers and letters (or other non-number symbols) or set any stronger complex password.

        • Not specified

          The user can set any password.

        • Complex

          The user must set a complex password according to the specified password properties:

          • Minimum number of letters
          • Minimum number of digits
          • Minimum number of special symbols (for example, !@#$%)
          • Minimum number of uppercase letters
          • Minimum number of lowercase letters
          • Minimum number of non-letter characters (for example, 1^&*9)
        • Complex numeric

          The user can set a password that includes numbers with no repetitions (e.g. 4444) and no ordered sequences (e.g. 1234, 4321, 2468) or set any stronger complex password.

        This option applies only to devices running Android 12 or earlier.

      • Maximum number of incorrect password attempts before deletion of work profile

        Specifies the maximum number of attempts the user can make to enter the password to unlock the device. When the policy is applied, the work profile will be deleted from the device after the maximum number of attempts is exceeded.

        Possible values are 4 to 16.

        The default value is not set. This means that the attempts are not limited.

      • Maximum password age, in days

        Specifies the number of days before the password expires. Applying a new value will set the current password lifetime to the new value.

        The default value is 0. This means that the password won't expire.

      • Number of days to notify that a password change is required

        Specifies the number of days to notify the user before the password expires.

        The default value is 0. This means that the user won't be notified about password expiration.

      • Number of recent passwords that can't be used as a new password

        Specifies the maximum number of previous user passwords that can't be used as a new password. This setting will apply only when the user sets a new password on the device.

        The default value is 0. This means that the new user password can match any previous password except the current one.

      • The period of inactivity before the device screen locks, in seconds

        Specifies the period of inactivity before the device locks. After this period, the device will lock.

        The default value is 0. This means that the device won't lock after a certain period.

      • Period after unlocking by biometric methods before entering a password, in minutes (Android 8.0+)

        Specifies the period for unlocking the device without a password. During this period, the user can use biometric methods to unlock the screen. After this period, the user can unlock the screen only with a password.

        The default value is 0. This means that the user won't be forced to unlock the device with a password after a certain period.

        This option applies only to devices running Android 8 or later.

      • Allow biometric unlock methods (Android 9+)

        If the check box is selected, the use of biometric unlock methods on the mobile device is allowed.

        If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of biometric methods to unlock the screen. The user can unlock the screen only with a password.

        This check box is selected by default.

        This setting applies only to devices running Android 9.0 or later. Starting from Android 10, this setting applies only to the device owner mode.

      • Allow use of fingerprints

        The use of fingerprints to unlock the screen.

        This check box does not restrict the use of a fingerprint scanner when signing in to apps or confirming purchases.

        If the check box is selected, the use of fingerprints on the mobile device is allowed.

        If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of fingerprints to unlock the screen. The user can unlock the screen only with a password. In the Android settings, the option to use fingerprints will be unavailable (Android Settings > Security > Screen lock > Fingerprints).

        This check box is available only if the Allow biometric unlock methods (Android 9.0 or later; starting from Android 10, only for device owner mode) check box is selected.

        This check box is selected by default.

        This setting applies to devices running all supported Android versions. Starting from Android 10, this setting applies only to the device owner mode.

      • Allow face scanning (Android 9+)

        If the check box is selected, the use of face scanning on the mobile device is allowed.

        If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of face scanning to unlock the screen.

        This check box is available only if the Allow biometric unlock methods (Android 9.0 or later; starting from Android 10, only for device owner mode) check box is selected.

        This check box is selected by default.

        This setting applies only to devices running Android 9.0 or later. Starting from Android 10, this setting applies only to the device owner mode.

      • Allow iris scanning (Android 9+)

        If the check box is selected, the use of iris scanning on the mobile device is allowed.

        If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of iris scanning to unlock the screen.

        This check box is available only if the Allow biometric unlock methods (Android 9.0 or later; starting from Android 10, only for device owner mode) check box is selected.

        This check box is selected by default.

        This setting applies only to devices running Android 9.0 or later. Starting from Android 10, this setting applies only to the device owner mode.

    • On the Passcode tab, specify the one-time passcode settings. The user will be prompted to enter the one-time passcode to unlock their work profile if it was locked.
      • Passcode length

        The number of digits in the passcode. Possible values: 4, 8, 12, or 16 characters.

        The passcode length is 4 digits by default.

      • Passcode

        This field is displayed if you view the policy settings for a certain user device, not a group of devices.

        This field displays the passcode required to unlock the work profile. A new passcode is generated after the user unlocks the work profile with the passcode.

        This field is not editable.

  7. To configure work profile settings on the user's mobile device, block changes to settings.
  8. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. The space of the user's mobile device is divided into a work profile and a personal profile.
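The password strength rules listed under Minimum number of characters (and the Complex numeric option) can be checked offline against candidate PINs and passwords. The following Python sketch is an added example, not Kaspersky or Android code; the function names are hypothetical, and it assumes that a run of four or more digits with a constant step counts as a repeating or ordered sequence, which covers the examples on this page (4444, 1234, 4321, 2468).

```python
import re

# Minimum lengths per tier, taken from the rules quoted on this page.
TIERS = {
    "medium": {"pin": 4, "password": 4},
    "high": {"pin": 8, "password": 6},
}

# Assumption (not stated on the page): runs longer than this are rejected.
MAX_RUN = 3


def tier_for_required_length(required_length):
    """Map the policy's 'Minimum number of characters' to a system tier."""
    if required_length < 1:
        raise ValueError("required length must be positive")
    return "medium" if required_length <= 4 else "high"


def longest_constant_step_run(pin):
    """Longest run of digits whose neighbours differ by the same step.

    Step 0 is a repetition (4444); steps +1, -1 and +2 give 1234, 4321, 2468.
    """
    if len(pin) < 2:
        return len(pin)
    best = 1
    run = 1
    prev_step = None
    for a, b in zip(pin, pin[1:]):
        step = int(b) - int(a)
        if step == prev_step:
            run += 1
        else:
            run = 2          # a new run always starts with two digits
            prev_step = step
        best = max(best, run)
    return best


def check(candidate, required_length):
    """Return the list of rule violations; an empty list means acceptable."""
    limits = TIERS[tier_for_required_length(required_length)]
    problems = []
    if re.fullmatch(r"[0-9]+", candidate):
        # Numeric PIN: length limit plus the sequence rule.
        if len(candidate) < limits["pin"]:
            problems.append("PIN shorter than %d digits" % limits["pin"])
        if longest_constant_step_run(candidate) > MAX_RUN:
            problems.append("PIN contains a repeating or ordered sequence")
    else:
        # Alphabetic or alphanumeric password: length limit only.
        if len(candidate) < limits["password"]:
            problems.append(
                "password shorter than %d characters" % limits["password"]
            )
    return problems


if __name__ == "__main__":
    # Constructed samples: (candidate, 'Minimum number of characters' value).
    for candidate, required in [("1234", 4), ("1397", 4), ("2580", 6),
                                ("19283746", 6), ("abcdef", 16)]:
        print(candidate, required, check(candidate, required) or "ok")
```

Under the rules as quoted, the last sample passes: a required length of 16 resolves to the high tier, whose stated minimum is 6 characters for a password and 8 digits for a PIN.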

[Topic 102298]

Unlocking the work profile

The work profile can be locked if the device does not meet the Compliance Control security requirements.

To unlock the work profile, the user of the mobile device must enter a one-time work profile passcode on the locked screen. The passcode is generated by the MMC-based Administration Console and is unique for each mobile device. When the device work profile is unlocked, the work profile password is set to the default value (1234).

As an administrator, you can view the passcode in the policy settings, which are applied to the mobile device. The length of the passcode can be changed (4, 8, 12 or 16 digits).

To unlock the mobile device using the one-time passcode:

  1. In the console tree, select Mobile Device Management > Mobile devices.
  2. Select the mobile device for which you want to get the one-time passcode.
  3. Open the mobile device properties window.
  4. Select Apps > Kaspersky Endpoint Security for Android.
  5. Open the Kaspersky Endpoint Security properties window.
  6. Select the Android work profile section.

    The passcode for the selected device is shown on the Passcode tab in the Passcode field.

Use any available method (such as email) to communicate the one-time passcode to the user.

The user should enter the received one-time passcode on their device.

After the work profile on a device is locked, the history of work profile passwords is cleared. It means that the user can specify one of the recent passwords, regardless of the work profile password settings.

[Topic 251922]

Adding an LDAP account

To enable the iOS MDM device user to access corporate contacts on the LDAP server, add the LDAP account.

To add the LDAP account of the iOS MDM device user:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the LDAP section.
  5. Click the Add button in the LDAP accounts section.

    The LDAP account window opens.

  6. In the Description field, enter a description of the user's LDAP account. You can use macros from the Macros available drop-down list.
  7. In the Account name field, enter the account name for authorization on the LDAP server. You can use macros from the Macros available drop-down list.
  8. In the Password field, enter the password of the LDAP account for authorization on the LDAP server.
  9. In the Server address field, enter the name of the LDAP server domain. You can use macros from the Macros available drop-down list.
  10. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of messages, select the Use SSL connection check box.
  11. Compile a list of search queries that give the iOS MDM device user access to corporate data on the LDAP server:
    a. Click the Add button in the Search settings section.

      A blank row appears in the table with search queries.

    b. In the Name column, enter the name of a search query.
    c. In the Search scope column, select the nesting level of the folder for the corporate data search on the LDAP server:
      • Base – search in the base folder of the LDAP server.
      • One level – search in folders on the first nesting level counting from the base folder.
      • Subtree – search in folders on all nesting levels counting from the base folder.
    d. In the Search base column, enter the path to the folder on the LDAP server with which the search begins (for example: "ou=people", "o=example corp").
    e. Repeat steps a-d for all search queries that you want to add to the iOS MDM device.
  12. Click OK.

    The new LDAP account appears in the list.

  13. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, LDAP accounts from the compiled list will be added on the user's mobile device. The user can access corporate contacts in the standard iOS apps: Contacts, Messages, and Mail.
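The Search scope and Search base columns together decide which directory entries a device can query, so it helps to see what each scope returns before choosing one. The following Python sketch is an added example, not part of the product; it assumes the three options map to the standard LDAP scopes (base object, single level, whole subtree), uses a constructed directory, hypothetical function names, and a simplified DN parser that does not handle escaped commas.

```python
# Constructed sample directory (not taken from any real server).
DIRECTORY = [
    "o=example corp",
    "ou=people,o=example corp",
    "cn=alice,ou=people,o=example corp",
    "cn=bob,ou=contractors,ou=people,o=example corp",
    "ou=finance,o=example corp",
    "cn=carol,ou=finance,o=example corp",
]


def parse_dn(dn):
    """Split a DN into normalised RDNs, leaf first (no escaped commas)."""
    return tuple(p.strip().lower() for p in dn.split(",") if p.strip())


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is returned for a search at base_dn with this scope."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    # The entry must sit at or below the base: its DN ends with the base DN.
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)
    if scope == "base":
        return depth == 0      # the base entry itself
    if scope == "one level":
        return depth == 1      # immediate children only
    if scope == "subtree":
        return True            # the base entry and everything below it
    raise ValueError("unknown scope: %r" % scope)


def visible(base_dn, scope):
    """Entries of the sample directory that the search would cover."""
    return [dn for dn in DIRECTORY if in_scope(dn, base_dn, scope)]


if __name__ == "__main__":
    for base, scope in [("ou=people,o=example corp", "base"),
                        ("ou=people,o=example corp", "one level"),
                        ("ou=people,o=example corp", "subtree"),
                        ("o=example corp", "subtree")]:
        print(scope, "@", base, "->", visible(base, scope))
```

In this sample, a Subtree search rooted at the organization entry also covers the finance branch, while the same scope rooted at ou=people does not; choosing the narrowest base and scope that meet the need limits what each device can look up.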

[Topic 88355]

Adding a calendar account

To enable the iOS MDM device user to access the user's calendar events on the CalDAV server, add the CalDAV account. Synchronization with the CalDAV server enables the user to create and receive invitations, receive event updates, and synchronize tasks with the Reminders app.

To add the CalDAV account of the iOS MDM device user:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Calendar section.
  5. Click the Add button in the CalDAV accounts section.

    The CalDAV account window opens.

  6. In the Description field, enter a description of the user's CalDAV account.
  7. In the Server address and port field, enter the name of a host or the IP address of a CalDAV server and the number of the CalDAV server port.
  8. In the Main URL field, specify the URL of the CalDAV account of the iOS MDM device user on the CalDAV server (for example: http://example.com/caldav/users/mycompany/user).

    The URL should begin with "http://" or "https://".

  9. In the Account name field, enter the account name for authorization on the CalDAV server.
  10. In the Password field, set the CalDAV account password for authorization on the CalDAV server.
  11. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of event data between the CalDAV server and the mobile device, select the Use SSL connection check box.
  12. Click OK.

    The new CalDAV account appears in the list.

  13. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, CalDAV accounts from the compiled list will be added on the user's mobile device.

[Topic 90278]

Adding a contacts account

To enable the iOS MDM device user to synchronize data with the CardDAV server, add the CardDAV account. Synchronization with the CardDAV server enables the user to access the contact details from any device.

To add the CardDAV account of the iOS MDM device user:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Contacts section.
  5. Click the Add button in the CardDAV accounts section.

    The CardDAV account window opens.

  6. In the Description field, enter a description of the user's CardDAV account. You can use macros from the Macros available drop-down list.
  7. In the Server address and port field, enter the name of a host or the IP address of a CardDAV server and the number of the CardDAV server port.
  8. In the Main URL field, specify the URL of the CardDAV account of the iOS MDM device user on the CardDAV server (for example: http://example.com/carddav/users/mycompany/user).

    The URL should begin with "http://" or "https://".

  9. In the Account name field, enter the account name for authorization on the CardDAV server. You can use macros from the Macros available drop-down list.
  10. In the Password field, set the CardDAV account password for authorization on the CardDAV server.
  11. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of contacts between the CardDAV server and the mobile device, select the Use SSL connection check box.
  12. Click OK.

    The new CardDAV account appears in the list.

  13. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, CardDAV accounts from the compiled list will be added on the user's mobile device.

[Topic 90315]

Configuring calendar subscription

To enable the iOS MDM device user to add events of shared calendars (such as the corporate calendar) to the user's calendar, add subscription to this calendar. Shared calendars are calendars of other users who have a CalDAV account, iCal calendars, and other openly published calendars.

To add calendar subscription:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Calendar subscription section.
  5. Click the Add button in the Calendar subscriptions section.

    The Calendar Subscription window opens.

  6. In the Description field, enter a description of the calendar subscription.
  7. In the Server web address field, specify the URL of the third-party calendar.

    In this field, you can enter the main URL of the CalDAV account of the user to whose calendar you are subscribing. You can also specify the URL of an iCal calendar or a different openly published calendar.

  8. In the User name field, enter the user account name for authentication on the server of the third-party calendar.
  9. In the Password field, enter the calendar subscription password for authentication on the server of the third-party calendar.
  10. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of event data between the CalDAV server and the mobile device, select the Use SSL connection check box.
  11. Click OK.

    The new calendar subscription appears in the list.

  12. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, events from the shared calendars on the list will be added to the calendar on the user's mobile device.

[Topic 90316]

Adding web clips

A web clip is an app that opens a website from the Home screen of the mobile device. By clicking web clip icons on the home screen of the device, the user can quickly open websites (such as the corporate website).

You can add web clips to user devices and specify web clip icons displayed on the screen.

Adding web clips to Android devices

To add a web clip on a user's Android device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Device management section.
  5. In the Adding web clips to device home screen section, click Add.

    The Add web clip window opens.

  6. In the Name field, enter the name of the web clip to be displayed on the home screen of the Android device.
  7. In the URL field, enter the web address of the website that will open when the web clip icon is clicked. The address should begin with "http://" or "https://".
  8. In the Icon field, specify the image for the web clip icon: click Browse... and select an image file. The PNG and JPEG file formats are supported. If you do not select an image for the web clip, a blank square is displayed as the icon.
  9. Click OK.

    The new web clip appears in the list.

  10. Click the Apply button to save the changes you have made.

Once the policy is applied to a device, the Kaspersky Endpoint Security for Android app shows notifications to prompt the user to install the web clips you created. After the user installs these web clips, the corresponding icons are added on the home screen of the device.

The maximum number of web clips that can be added to an Android device depends on the device type. When this number is reached, web clips are no longer added to the Android device.

Adding web clips to iOS MDM devices

By default, the following restrictions on web clip usage apply:

  • The user cannot manually remove web clips from the mobile device.
  • Websites that open when the user clicks a web clip icon do not open in full-screen mode.
  • The corner rounding, shadow, and gloss visual effects are applied to the web clip icon on the screen.

To add a web clip on a user's iOS MDM device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Web Clips section.
  5. Click the Add button in the Web Clips section.

    The Web Clip window opens.

  6. In the Name field, enter the name of the web clip to be displayed on the home screen of the iOS MDM device.
  7. In the URL field, enter the web address of the website that will open when the web clip icon is clicked. The address should begin with "http://" or "https://".
  8. To allow the user to remove a web clip from the iOS MDM device, select the Allow removal check box.
  9. Click the Select button and specify the file with the image for the web clip icon.

    The icon is displayed on the home screen of the iOS MDM device. The image must meet the following requirements:

    • Image size no greater than 400 x 400 pixels.
    • File format: GIF, JPEG, or PNG.
    • File size no greater than 1 MB.

    The web clip icon is available for preview in the Icon field. If you do not select an image for the web clip, a blank square is displayed as the icon.

    If you want the web clip icon to be displayed without special visual effects (rounding of icon corners and gloss effect), select the Precomposed icon check box.

  10. If you want the website to open in full-screen mode on the iOS MDM device when you click the icon, select the Full screen Web Clip check box.

    In full-screen mode, the Safari toolbar is hidden and only the website is shown on the device screen.

  11. Click OK.

    The new web clip appears in the list.

  12. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, web clip icons from the list you have created are added on the home screen of the user's mobile device.

[Topic 90308]

Adding fonts

To add a font on a user's iOS MDM device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Fonts section.
  5. Click the Add button in the Fonts section.

    The Font window opens.

  6. In the File name field, specify the path to the font file (a file with the .ttf or .otf extension).

    Fonts with the .ttc or .otc extension are not supported.

    Fonts are identified using the PostScript name. Do not install fonts with the same PostScript name even if their content is different. Installing fonts with the same PostScript name will result in an undefined error.

  7. Click Open.

    The new font appears in the list.

  8. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the user will be prompted to install fonts from the list that has been created.

[Topic 90275]