Kaspersky Secure Mobility Management
2.0
English

Contents

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

App control

This section contains instructions on how to configure user access to apps on a mobile device.

In this section

App control on Android devices

App control on iOS MDM devices

Installation and uninstallation of apps on a group of iOS MDM devices
Page top
[Topic 141381]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

App control on Android devices

The App Control component allows you to manage apps on Android devices to keep these devices secure.

  • You can impose restrictions on the user's activity on a device on which blocked apps are installed or required apps are not installed (for example, lock the device). You can impose restrictions using the Compliance Control component. To do so, in the scan rule settings, you must select the Forbidden apps are installed, Apps from forbidden categories are installed, or Not all required apps are installed criterion.

Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of App Control. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. If this is the case, App Control does not run.

In device owner mode, you have extended control over the device. App Control operates without notifying the device user:

  • Required apps are installed automatically in the background. To install apps silently, you need to specify a link to the APK file of the required app in the policy settings.
  • Forbidden apps can be deleted from the device automatically. To delete apps silently, you need to select the Delete blocked apps automatically (in device owner mode only) check box in the policy settings.

To configure the settings of app startup on the mobile device:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the App Control section.
  5. In the Operation mode section, select the mode of app startup on the user's mobile device:
    • To allow the user to start all apps except those specified in the list of categories and apps as blocked apps, select the Blocked apps mode. The app will hide blocked app icons.
    • To allow the user to start only apps specified in the list of categories and apps as allowed, recommended, or required apps, select the Allowed apps mode. The app will hide all app icons except those specified in the list of allowed, recommended, or required apps and system apps.
  6. If you want Kaspersky Endpoint Security for Android to send data on forbidden apps to the event log without blocking them, select the Do not block forbidden apps, write to event log only check box.

    During the next synchronization of the user's mobile device with the Administration Server, Kaspersky Endpoint Security for Android writes an entry for A forbidden app has been installed in the event log. You can view the Event log on the Events tab in the Administration Server properties or in the local properties of the application.

  7. If the device is in device owner mode, select the Delete blocked apps automatically (in device owner mode only) check box to remove forbidden apps from the device in the background without notifying the user.
  8. If you want Kaspersky Endpoint Security for Android to block the startup of system apps on the user's mobile device (such as Calendar, Camera, and Settings) in Allowed apps mode, select the Block system apps check box.

    Kaspersky experts recommend against blocking system apps because this could lead to failures in device operation (the device may stop responding to user actions or start continuous reboot). To restore normal operation of the device, the user should reset it to factory settings in recovery mode (the procedure is vendor-specific).

  9. Create a list of categories and apps to configure startup of apps.

    Mobile app packages previously created in the Kaspersky Security Center can be added to the list. How to get the package name of an app

    To get the package name of an app:

    1. Open Google Play.
    2. Find the required app and open its page.

    The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

    To get the package name of an app that has been added to Kaspersky Security Center:

    1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
    2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

    In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

    If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add this app's package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

    For details on app categories, please refer to the Appendices.

    For a list of the apps that belong to each category, please visit the Kaspersky website.

  10. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

Page top
[Topic 90538]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

App control on iOS MDM devices

Expand all | Collapse all

Kaspersky Security Center allows you to manage apps on iOS MDM devices to keep these devices secure. You can create a list of apps allowed to be installed on devices and a list of apps prohibited from being displayed and launching on devices.

These restrictions apply only to supervised iOS MDM devices.

Open Restrictions for applications section

To open settings for app restrictions on iOS MDM devices:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Restrictions for applications section.

Restrict app installation

By default, the user can install any apps on the supervised iOS MDM device.

To restrict the apps that can be installed on the device:

  1. Select the Allow installation of apps from the list (supervised only) check box.
  2. In the table, click Add to add an app to the list.
  3. Specify the app's bundle ID. Specify the com.apple.webapp value to allow all web clips. How to get the bundle ID of an app

    To get the bundle ID of a native iPhone or iPad app,

    Follow the instruction in Apple documentation.

    To get the bundle ID of any iPhone or iPad app:

    1. Open App Store.
    2. Find the required app and open its page.

      The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).

    3. Copy this identifier (without letters "id").
    4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.

      This downloads a text file.

    5. Open the downloaded file and find there the "bundleId" fragment.

    The text that directly follows this fragment is the bundle ID of the required app.

    To get the bundle ID of an app that has been added to Kaspersky Security Center:

    1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
    2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

    In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

    If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add this app's package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

  4. Click the Apply button to save the changes you have made.

Once the policy is applied to a device, the specified restrictions for apps are configured on the device. Only apps from the list and system apps will be available for installation. All other apps can't be installed on the device.

The specified apps can be installed on the device in the following ways (if the corresponding options are enabled in the Features restrictions section):

  • Installation from Apple Configurator or iTunes
  • Installation from App Store
  • Automatic loading

Specify prohibited apps

By default, all apps can be displayed and launched on the supervised iOS MDM device.

To specify prohibited apps:

  1. Select the Prohibit displaying and launching apps from the list (supervised only) check box.
  2. In the table, click Add to add an app to the list.
  3. Specify the app's bundle ID. Specify the com.apple.webapp value to restrict all web clips. How to get the bundle ID of an app

    To get the bundle ID of a native iPhone or iPad app,

    Follow the instruction in Apple documentation.

    To get the bundle ID of any iPhone or iPad app:

    1. Open App Store.
    2. Find the required app and open its page.

      The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).

    3. Copy this identifier (without letters "id").
    4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.

      This downloads a text file.

    5. Open the downloaded file and find there the "bundleId" fragment.

    The text that directly follows this fragment is the bundle ID of the required app.

    To get the bundle ID of an app that has been added to Kaspersky Security Center:

    1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
    2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

    In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

    If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add this app's package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

  4. Click the Apply button to save the changes you have made.

Once the policy is applied to a device, the specified restrictions for apps are configured on the device. Apps from the list will be prohibited from being displayed and launching on the device. All other apps will be displayed and available to run.

Page top
[Topic 242959]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installation and uninstallation of apps on a group of iOS MDM devices

Kaspersky Security Center allows you to install and remove apps on iOS MDM devices by sending commands to these devices.

Selecting devices

To select iOS MDM devices on which apps should be installed or removed:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices by protocol type (iOS MDM).
  3. Select the iOS MDM device on which apps should be installed or removed.

    You can also select multiple devices and send commands simultaneously. To select a group of devices, do one of the following:

    • To select all devices in the workspace, filter the list of devices as required and press Ctrl+A.
    • To select a range of devices, hold down the Shift key, click the first device in the range, and then click the last device in the range.
    • To select individual devices, hold down the Ctrl key and click devices you want to include in the group.

Installing apps on devices

Before installing an app on an iOS MDM device, you must add that app to an iOS MDM Server. For more information, refer to Adding a managed app.

To install apps on selected iOS MDM devices:

  1. Right-click the selected devices. In the context menu that appears, select All commands, and then select Install app.

    For a single device, you can also select Show command log in the context menu, proceed to the Install app section, and click the Send command button.

    The Select apps window opens showing a list of managed apps.

  2. Select the apps you want to install on iOS MDM devices. To select a range of apps, use the Shift key. To select multiple apps individually, use the Ctrl key.
  3. Click OK to send the command to the devices.

    When the command is executed on a device, the selected apps are installed. If the command is successfully executed, the command log will show its current status as Completed.

Removing apps from devices

To remove apps from selected iOS MDM devices:

  1. Right-click the selected devices. In the context menu that appears, select All commands, and then select Remove app.

    For a single device, you can also select Show command log in the context menu, proceed to the Remove app section, and click the Send command button.

    The Remove apps window opens showing a list of previously installed apps.

  2. Select the apps you want to remove from iOS MDM devices. To select a range of apps, use the Shift key. To select multiple apps individually, use the Ctrl key.
  3. Click OK to send the command to the devices.

    When the command is executed on a device, the selected apps are uninstalled. If the command is successfully executed, the command log will show its current status as Completed.

Page top
[Topic 241837]