Configuring VPN on iOS MDM devices
These settings apply to supervised devices and devices operating in basic control mode.
To connect an iOS MDM device to a virtual private network (VPN) and protect data while connected to the VPN, configure the VPN connection settings. The IKEv2 and IPSec VPN protocols also let you set up a Per App VPN connection.
To configure a VPN connection on a user's iOS MDM device:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select iOS and go to the Device configuration section.
- On the VPN card, click Settings.
  The VPN window opens.
- Enable the settings using the VPN toggle switch.
- Click Add.
  The Add VPN configuration window opens.
- On the General settings tab, in the Network section, configure the following settings:
  - In the Network name field, enter the name of the VPN tunnel.
  - In the Protocol drop-down list, select the type of the VPN connection:
    - L2TP (Layer 2 Tunneling Protocol). The connection supports authentication of the iOS MDM device user using MS-CHAP v2 passwords, two-factor authentication, and automatic authentication using a public key.
    - IKEv2 (Internet Key Exchange version 2). The connection establishes the Security Association (SA) attribute between two network entities and supports authentication using EAP (Extensible Authentication Protocols), shared secrets, and certificates.
    - IPSec. The connection supports password-based user authentication, two-factor authentication, and automatic authentication using a public key and certificates.
    - Cisco AnyConnect. The connection supports the Cisco Adaptive Security Appliance (ASA) firewall version 8.0(3).1 or later. To configure a VPN connection, install the Cisco AnyConnect app from the App Store on the iOS MDM device.
    - Juniper SSL. The connection supports the Juniper Networks SSL VPN gateway, Series SA, version 6.4 or later with the Juniper Networks IVE package version 7.0 or later. To configure a VPN connection, install the JUNOS app from the App Store on the iOS MDM device.
    - F5 SSL. The connection supports the F5 BIG-IP Edge Gateway, Access Policy Manager, and Fire SSL VPN solutions. To configure a VPN connection, install the F5 BIG-IP Edge Client app from the App Store on the iOS MDM device.
    - SonicWALL Mobile Connect. The connection supports SonicWALL Aventail E-Class Secure Remote Access devices version 10.5.4 or later, SonicWALL SRA devices version 5.5 or later, as well as SonicWALL Next-Generation Firewall devices, including TZ, NSA, and E-Class NSA with SonicOS version 5.8.1.0 or later. To configure a VPN connection, install the SonicWALL Mobile Connect app from the App Store on the iOS MDM device.
    - Aruba VIA. The connection supports Aruba Networks mobile access controllers. To configure a VPN connection, install the Aruba Networks VIA app from the App Store on the iOS MDM device.
    - Custom SSL. The connection supports authentication of the iOS MDM device user using passwords and certificates, and two-factor authentication.
  - In the Server address field, enter the network name or IP address of the VPN server.
- Configure the settings for the VPN connection according to the selected type of virtual private network.
  - L2TP
    - Settings in the Authentication section:
      - Authentication type
        Two-factor authentication of an iOS MDM device user using an RSA SecurID token, or password-based authentication.
      - Account name
        The account name for authorization on the VPN server.
      - Password
        The password of the account for authentication on the virtual private network.
      - Authentication method
        The method of authenticating iOS MDM device users on the virtual private network.
      - Shared secret
        Password for a preset IPSec security key for the L2TP and IPSec (Cisco) protocols.
      - Authentication certificate
        The certificate used for user authentication.
    - Settings in the Other section:
      - Send all traffic via VPN
        Transmission of all outbound traffic via the VPN connection, even if a different network service is used (for example, AirPort or Ethernet).
        If the check box is selected, all traffic is sent via the VPN connection.
        If the check box is cleared, outbound traffic is transmitted without requiring the use of the VPN connection.
        This check box is cleared by default.
  - IPSec
    - Settings in the Authentication section:
      - Authentication method
        The method of authenticating iOS MDM device users on the virtual private network.
      - Account name
        The account name for authorization on the VPN server.
      - Password
        The password of the account for authentication on the virtual private network.
      - Shared secret
        Password for a preset IPSec security key for the L2TP and IPSec (Cisco) protocols.
      - Group name
        Name of the group of iOS MDM devices that connect to the VPN via L2TP and IPSec (Cisco) protocols. If the Use hybrid authentication check box is selected, the group name must end with "[hybrid]" (for example: "mycompany [hybrid]").
      - Use hybrid authentication
        Use of hybrid authentication when the user connects to a VPN. The VPN server uses a certificate for authentication, and the iOS MDM device user enters a public key for authentication via the IPSec (Cisco) protocol.
        If the check box is selected, hybrid authentication is used when the user connects to a VPN.
        If the check box is cleared, hybrid authentication is not used.
        This check box is cleared by default.
      - Authentication certificate
        The certificate used for user authentication.
    - Settings in the Domains section:
      - Enable VPN when connecting to specified domains
        The domains for which the VPN connection will be enabled.
    - Settings in the Other section:
      - Prompt for PIN
        The application checks whether the system password is set when the mobile device is turned on.
        If the check box is selected, Kaspersky Mobile Devices Protection and Management checks if the system password is set on the device. If no system password is set on the device, the user has to set it. The password should be set in accordance with the settings configured by the administrator.
        If the check box is cleared, Kaspersky Mobile Devices Protection and Management does not require a system password.
        This check box is cleared by default.
  - IKEv2
    - Settings in the Network section:
      - Dead peer detection interval
        The frequency at which the IKEv2 VPN client should run the Dead Peer Detection (DPD) algorithm. The following values are available:
        - Not selected. Do not run DPD.
        - Low. Run DPD every 30 minutes.
        - Medium. Run DPD every 10 minutes.
        - High. Run DPD every 1 minute.
        The default value is Medium.
    - Settings in the Authentication section:
      - Authentication method
        The method of authenticating iOS MDM device users on the virtual private network.
      - Local identifier
        The identifier of the IKEv2 VPN client (the iOS MDM device).
      - Remote identifier
        The identifier of the IKEv2 VPN server.
      - Shared secret
        The shared secret used for IKEv2 VPN authentication.
      - Common Name (CN) of server certificate
        This name is used to validate the certificate sent by the IKEv2 VPN server. If this option is not set, the certificate is validated using the remote identifier.
      - Common Name (CN) of server certificate publisher
        If this option is set, IKEv2 sends a certificate request based on this certificate issuer to the server.
      - Authentication certificate
        The certificate used for user authentication.
      - EAP authentication
        The type of EAP authentication used for the IKEv2 VPN connection. The following values are available:
        - Credentials
        - Certificate
        The default value is Credentials.
      - Account name
        The account name for authorization on the VPN server.
      - Password
        The password of the account for authentication on the virtual private network.
      - Minimum TLS version
        The minimum TLS version used for EAP authentication. The following values are available:
        - TLS 1.0
        - TLS 1.1
        - TLS 1.2
        The default value is TLS 1.0.
      - Maximum TLS version
        The maximum TLS version used for EAP authentication. The following values are available:
        - TLS 1.0
        - TLS 1.1
        - TLS 1.2
        The default value is TLS 1.2.
    - Settings in the Security association section:
      - SA parameters
        Determines the security association (IKEv2 or Child) to which the parameters below apply. Possible values:
        - IKEv2
        - Child
        The default value is IKEv2.
      - Encryption algorithm
        Determines the encryption algorithm used for the connection. Possible values:
        - DES
        - 3DES
        - AES-128
        - AES-256
        - AES-128-GCM
        - AES-256-GCM
        - ChaCha20Poly1305
        The default value is AES-256.
      - Integrity algorithm
        Determines the integrity algorithm used for the connection. Possible values:
        - SHA1-96
        - SHA1-160
        - SHA2-256
        - SHA2-384
        - SHA2-512
        The default value is SHA2-256.
      - Diffie-Hellman group
        Determines the Diffie-Hellman group used when setting up the VPN tunnel.
        The default value is 14.
      - SA Lifetime (min)
        The rekey interval in minutes.
    - Settings in the Other section:
      - Disable redirect
        Specifies whether IKEv2 VPN server redirects are disabled.
        If the check box is selected, the IKEv2 VPN connection is not redirected.
        If the check box is cleared, the IKEv2 VPN connection is redirected if a redirect request is received from the server.
        This check box is cleared by default.
      - Disable Mobility and Multi-homing Protocol
        Specifies whether Mobility and Multi-homing Protocol (MOBIKE) is disabled for the IKEv2 VPN connection.
        If the check box is selected, MOBIKE is disabled.
        If the check box is cleared, MOBIKE is enabled.
        This check box is cleared by default.
      - Use internal IPv4 and IPv6 subnet attributes
        Specifies whether the IKEv2 VPN client should use the INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET configuration attributes sent by the IKEv2 VPN server.
        If the check box is selected, the INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET attributes are used.
        If the check box is cleared, the INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET attributes are not used.
        This check box is cleared by default.
      - Enable a tunnel over cellular data
        Specifies whether fallback is enabled.
        If the check box is selected, the device enables a tunnel over cellular data to carry traffic that is eligible for Wi-Fi Assist and also requires a VPN.
        If the check box is cleared, fallback is disabled.
        This check box is cleared by default.
      - Enable Perfect Forward Secrecy
        Specifies whether Perfect Forward Secrecy (PFS) is enabled for the IKEv2 VPN connection.
        If the check box is selected, PFS is enabled.
        If the check box is cleared, PFS is disabled.
        This check box is cleared by default.
  - Cisco AnyConnect
    - Settings in the Network section:
      - Idle time before disconnection (min)
        The time to wait before disconnecting an on-demand connection.
    - Settings in the Authentication section:
      - Authentication method
        The method of authenticating iOS MDM device users on the virtual private network.
      - Account name
        The account name for authorization on the VPN server.
      - Password
        The password of the account for authentication on the virtual private network.
      - Group
        Alias of the tunneling group for Cisco AnyConnect clients connecting to the VPN.
      - Authentication certificate
        The certificate used for user authentication.
    - Settings in the Domains section:
      - Enable VPN when connecting to specified domains
        The domains for which the VPN connection will be enabled.
    - Settings in the Other section:
      - Send all traffic via VPN
        Routes all traffic via the VPN.
      - Exclude local traffic
        Excludes local traffic from the traffic routed via the VPN connection.
        This check box is available if the Send all traffic via VPN check box is selected.
  - Juniper SSL
    - Settings in the Network section:
      - Idle time before disconnection (min)
        The time to wait before disconnecting an on-demand connection.
    - Settings in the Authentication section:
      - Authentication method
        The method of authenticating iOS MDM device users on the virtual private network.
      - Account name
        The account name for authorization on the VPN server.
      - Password
        The password of the account for authentication on the virtual private network.
      - Scope
        Name of the network that includes the VPN servers and iOS MDM devices for the VPN connection established using Juniper SSL.
      - Role
        Name of the user role that grants the user access to resources using Juniper SSL. A role can combine several users performing similar functions.
      - Authentication certificate
        The certificate used for user authentication.
    - Settings in the Domains section:
      - Enable VPN when connecting to specified domains
        The domains for which the VPN connection will be enabled.
    - Settings in the Other section:
      - Send all traffic via VPN
        Routes all traffic via the VPN.
      - Exclude local traffic
        Excludes local traffic from the traffic routed via the VPN connection.
        This check box is available if the Send all traffic via VPN check box is selected.
  - F5 SSL
    - Settings in the Network section:
      - Idle time before disconnection (min)
        The time to wait before disconnecting an on-demand connection.
    - Settings in the Authentication section:
      - Authentication method
        The method of authenticating iOS MDM device users on the virtual private network.
      - Account name
        The account name for authorization on the VPN server.
      - Password
        The password of the account for authentication on the virtual private network.
      - Authentication certificate
        The certificate used for user authentication.
    - Settings in the Domains section:
      - Enable VPN when connecting to specified domains
        The domains for which the VPN connection will be enabled.
    - Settings in the Other section:
      - Send all traffic via VPN
        Routes all traffic via the VPN.
      - Exclude local traffic
        Excludes local traffic from the traffic routed via the VPN connection.
        This check box is available if the Send all traffic via VPN check box is selected.
  - SonicWALL Mobile Connect
    - Settings in the Network section:
      - Idle time before disconnection (min)
        The time to wait before disconnecting an on-demand connection.
    - Settings in the Authentication section:
      - Authentication method
        The method of authenticating iOS MDM device users on the virtual private network.
      - Account name
        The account name for authorization on the VPN server.
      - Password
        The password of the account for authentication on the virtual private network.
      - Domain or group
        Domain name of the SSL VPN server (for example: vpn.company.com) or the name of a group of SonicWALL Mobile Connect users.
      - Authentication certificate
        The certificate used for user authentication.
    - Settings in the Domains section:
      - Enable VPN when connecting to specified domains
        The domains for which the VPN connection will be enabled.
    - Settings in the Other section:
      - Send all traffic via VPN
        Routes all traffic via the VPN.
      - Exclude local traffic
        Excludes local traffic from the traffic routed via the VPN connection.
        This check box is available if the Send all traffic via VPN check box is selected.
  - Aruba VIA
    - Settings in the Network section:
      - Idle time before disconnection (min)
        The time to wait before disconnecting an on-demand connection.
    - Settings in the Authentication section:
      - Authentication method
        The method of authenticating iOS MDM device users on the virtual private network.
      - Account name
        The account name for authorization on the VPN server.
      - Password
        The password of the account for authentication on the virtual private network.
      - Authentication certificate
        The certificate used for user authentication.
    - Settings in the Domains section:
      - Enable VPN when connecting to specified domains
        The domains for which the VPN connection will be enabled.
    - Settings in the Other section:
      - Send all traffic via VPN
        Routes all traffic via the VPN.
      - Exclude local traffic
        Excludes local traffic from the traffic routed via the VPN connection.
        This check box is available if the Send all traffic via VPN check box is selected.
  - Custom SSL
    - Settings in the Network section:
      - Idle time before disconnection (min)
        The time to wait before disconnecting an on-demand connection.
    - Settings in the Configuration data section:
    - Settings in the Authentication section:
      - Authentication method
        The method of authenticating iOS MDM device users on the virtual private network.
      - Account name
        The account name for authorization on the VPN server.
      - Password
        The password of the account for authentication on the virtual private network.
      - Authentication certificate
        The certificate used for user authentication.
      - Bundle ID
        If the custom VPN configuration targets a VPN solution that uses a network extension provider, this field contains the bundle identifier of the app that contains the provider. Contact the VPN solution vendor for the value of the identifier.
    - Settings in the Domains section:
      - Enable VPN when connecting to specified domains
        The domains for which the VPN connection will be enabled.
- If necessary, on the Advanced settings tab, in the Proxy server section, configure the settings of the VPN connection via a proxy server:
  - Select the Use a proxy server check box.
  - Configure a connection to a proxy server:
    - If you want to configure the connection automatically:
      - Select Automatic.
      - In the PAC file URL field, specify the URL of the proxy PAC file.
      - To allow the user to connect the mobile device to a wireless network without using a proxy server when the PAC file cannot be accessed, select the Allow direct connection if PAC file cannot be accessed check box.
    - If you want to configure the connection manually:
      - Select Manual.
      - In the Proxy server address and Proxy server port fields, enter the IP address or DNS name of the proxy server and the port number.
      - In the User name field, select a macro that will be used as the user name for the connection to the proxy server.
      - In the Password field, specify the password for the connection to the proxy server.
- For IKEv2 and IPSec connections, if necessary, set up Per App VPN functionality for supported system apps (Mail, Calendar, Contacts, and Safari).
- Click Add.
  The new VPN configuration is displayed in the list.
  You can modify or delete a VPN configuration in the list using the Edit and Delete buttons at the top of the list.
- Click Save to save the changes you have made.
  Mobile device settings are changed after the next device synchronization with the iOS MDM Server.
As a result, once the policy is applied, the VPN connection will be configured on the user's iOS MDM device.
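The IKEv2 options in the Security association, Authentication and Other sections above ship with defaults that an administrator should review before rolling the policy out: the minimum TLS version for EAP authentication is TLS 1.0, and Perfect Forward Secrecy is cleared. The following Python script is an added example and is not part of the Kaspersky product or its documentation. It takes the IKEv2 options by the names shown in the VPN configuration window, merges them over the defaults the page states, rejects values the window does not offer, and lists the combinations worth revisiting. The review thresholds (no DES/3DES or SHA-1, Diffie-Hellman group 14 or higher, TLS 1.2 as the minimum, PFS enabled, DPD running, SA lifetime of at most a day) are this example's own policy and not something the console enforces; the HARDENED and LEGACY configurations are constructed samples.

```python
"""Review IKEv2 VPN settings (named as in the VPN configuration window)
against a simple hardening policy. Added example, not Kaspersky code."""
from typing import Dict, List, Union

Value = Union[str, int, bool]

# Drop-down values exactly as the page lists them for IKEv2.
ALLOWED: Dict[str, set] = {
    "Encryption algorithm": {"DES", "3DES", "AES-128", "AES-256",
                             "AES-128-GCM", "AES-256-GCM", "ChaCha20Poly1305"},
    "Integrity algorithm": {"SHA1-96", "SHA1-160", "SHA2-256", "SHA2-384", "SHA2-512"},
    "Minimum TLS version": {"TLS 1.0", "TLS 1.1", "TLS 1.2"},
    "Maximum TLS version": {"TLS 1.0", "TLS 1.1", "TLS 1.2"},
    "Dead peer detection interval": {"Not selected", "Low", "Medium", "High"},
}

# Defaults as the page states them for a newly added IKEv2 configuration.
PAGE_DEFAULTS: Dict[str, Value] = {
    "Encryption algorithm": "AES-256",
    "Integrity algorithm": "SHA2-256",
    "Diffie-Hellman group": 14,
    "Minimum TLS version": "TLS 1.0",
    "Maximum TLS version": "TLS 1.2",
    "Enable Perfect Forward Secrecy": False,
    "Disable Mobility and Multi-homing Protocol": False,
    "Dead peer detection interval": "Medium",
}
OPTIONAL = {"SA Lifetime (min)"}  # no default is stated on the page
TLS_ORDER = ["TLS 1.0", "TLS 1.1", "TLS 1.2"]


def review_ikev2(overrides: Dict[str, Value]) -> List[str]:
    """Merge overrides onto the page defaults, validate, and return findings.

    An empty list means the combination passed this example's policy. Unknown
    option names or values raise ValueError so that a typo in a policy export
    is not silently treated as "use the default".
    """
    unknown = set(overrides) - set(PAGE_DEFAULTS) - OPTIONAL
    if unknown:
        raise ValueError(f"unknown IKEv2 option(s): {sorted(unknown)}")
    cfg: Dict[str, Value] = {**PAGE_DEFAULTS, **overrides}
    for name, allowed in ALLOWED.items():
        if cfg[name] not in allowed:
            raise ValueError(f"{name}: {cfg[name]!r} is not one of {sorted(allowed)}")

    findings: List[str] = []
    enc = cfg["Encryption algorithm"]
    if enc in {"DES", "3DES"}:
        findings.append(f"Encryption algorithm {enc}: 64-bit block cipher; use AES-256-GCM or ChaCha20Poly1305")
    integ = str(cfg["Integrity algorithm"])
    if integ.startswith("SHA1"):
        findings.append(f"Integrity algorithm {integ}: SHA-1 based; use SHA2-256 or stronger")
    group = int(cfg["Diffie-Hellman group"])
    if group < 14:
        findings.append(f"Diffie-Hellman group {group}: weaker than 2048-bit MODP (group 14); raise it")
    lo = TLS_ORDER.index(str(cfg["Minimum TLS version"]))
    hi = TLS_ORDER.index(str(cfg["Maximum TLS version"]))
    if lo > hi:
        findings.append("Minimum TLS version is above Maximum TLS version: EAP authentication cannot negotiate")
    elif lo < TLS_ORDER.index("TLS 1.2"):
        findings.append(f"Minimum TLS version {TLS_ORDER[lo]}: permits downgrade of EAP authentication; set TLS 1.2")
    if not cfg["Enable Perfect Forward Secrecy"]:
        findings.append("Enable Perfect Forward Secrecy is cleared: a compromised long-term key exposes recorded sessions")
    if cfg["Dead peer detection interval"] == "Not selected":
        findings.append("Dead peer detection interval is Not selected: dead tunnels go unnoticed")
    lifetime = cfg.get("SA Lifetime (min)")
    if lifetime is not None and int(lifetime) > 24 * 60:
        findings.append(f"SA Lifetime {lifetime} min: rekey interval longer than a day; shorten it")
    return findings


# Constructed sample configurations (not from the page).
HARDENED: Dict[str, Value] = {
    "Encryption algorithm": "AES-256-GCM",
    "Integrity algorithm": "SHA2-384",
    "Minimum TLS version": "TLS 1.2",
    "Enable Perfect Forward Secrecy": True,
    "SA Lifetime (min)": 480,
}
LEGACY: Dict[str, Value] = {
    "Encryption algorithm": "3DES",
    "Integrity algorithm": "SHA1-96",
    "Diffie-Hellman group": 2,
}

if __name__ == "__main__":
    for label, cfg in (("page defaults", {}), ("hardened", HARDENED), ("legacy", LEGACY)):
        found = review_ikev2(cfg)
        print(f"{label}: {'no findings' if not found else ''}")
        for item in found:
            print("  -", item)
```

Running the script as written reports two findings for the page defaults (the TLS 1.0 minimum and PFS cleared), none for the hardened sample, and five for the legacy sample. The strict validation is deliberate: the console only offers the listed values, so anything else in a configuration export indicates a transcription error rather than a real option.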