Configuring a corporate container
To configure the settings of a corporate container:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select Android and go to the Corporate container section.
- On the Corporate container on devices card, click Settings.
The Corporate container on devices window opens.
- Enable the settings using the Corporate container on devices toggle switch.
- Specify the corporate container settings:
- On the General tab, you can specify the settings for data sharing, contacts, and more.
- Settings in the Data access and sharing section:
- Prohibit personal apps from sharing data with corporate container apps
Restricts sharing files, pictures, or other data from personal apps with corporate container apps.
If the check box is selected, personal apps can't share data with corporate container apps.
If the check box is cleared, personal apps can share data with corporate container apps.
This check box is selected by default.
- Prohibit corporate container apps from sharing data with personal apps
Restricts sharing files, pictures, or other data from corporate container apps with personal apps.
If the check box is selected, the apps in the corporate container can't share data with personal apps.
If the check box is cleared, the apps in the corporate container can share data with personal apps.
This check box is selected by default.
- Prohibit corporate container apps from accessing personal files
Restricts access of corporate container apps to personal files.
If the check box is selected, the user can't access personal files when using corporate container apps.
If the check box is cleared, the user can access personal files when using corporate container apps. Note that the access must also be supported by the apps that are being used.
This check box is selected by default.
- Prohibit personal apps from accessing files in corporate container
Restricts access of personal apps to files in the corporate container.
If the check box is selected, the user can't access files in the corporate container when using personal apps.
If the check box is cleared, the user can access files in the corporate container when using personal apps. Note that the access must be supported by the apps that are being used.
This check box is selected by default.
- Prohibit use of clipboard between personal apps and corporate container
Selecting or clearing this check box specifies whether the device user is allowed to copy data via the clipboard between personal apps and the corporate container.
This check box is selected by default.
- Prohibit activation of USB debugging
Restricts the use of USB debugging on the user's mobile device in the corporate container. In USB debugging mode, the user can download an app via a workstation, for example.
If the check box is selected, USB debugging mode is not available to the user. The user is unable to configure the mobile device via USB after connecting the device to a workstation.
If the check box is cleared, the user can enable USB debugging mode, connect the mobile device to a workstation via USB, and configure the device.
This check box is selected by default.
- Prohibit users from adding and removing accounts in corporate container
If the check box is selected, the user is prohibited from adding and removing accounts in the corporate container via the Settings or Google apps. This includes restricting the ability to sign in to Google apps for the first time. However, the user can sign in, add, and remove accounts via some other third-party apps in the corporate container.
Accounts that were added before the restriction is set will not be removed, and signing in to these accounts is not restricted.
This check box is selected by default.
- Prohibit screen sharing, recording, and screenshots in corporate container apps
Selecting or clearing this check box specifies whether the device user is allowed to take screenshots of, record and share the device screen in corporate container apps. It also specifies whether the contents of the device screen are allowed to be captured for artificial intelligence purposes.
This check box is selected by default.
- Settings in the Contacts section:
- Prohibit showing contact name from corporate container for incoming personal calls
Selecting or clearing this check box specifies whether a contact name from the corporate container will be shown for personal incoming calls.
This check box is selected by default.
- Prohibit personal apps from accessing corporate container contacts
Selecting or clearing this check box specifies whether personal contact management apps are allowed to access corporate container contacts.
This check box is selected by default.
- On the Apps tab, specify the following settings:
- Settings in the General section:
- Enable App Control in corporate container only
Controls the startup of apps in the corporate container on the user's mobile device. You can create lists of allowed, forbidden, and recommended apps as well as allowed and forbidden app categories in the App Control section.
If this check box is selected, then depending on the App Control settings, Kaspersky Endpoint Security blocks or allows startup of apps only in the corporate container. Moreover, App Control does not work in the user's personal space.
This check box is selected by default.
- Enable Web Protection and Web Control in corporate container only
Restricts user access to websites in the corporate container on the device. You can specify website access settings in the Web Control settings.
If this check box is selected, Web Protection and Web Control block or allow access to websites only in the corporate container. Moreover, Web Protection and Web Control do not work in the user's personal space.
If this check box is cleared, then depending on the Web Protection and Web Control settings, Kaspersky Endpoint Security blocks or allows access to websites in the user's personal space and the corporate container.
This check box is selected by default.
- Prohibit installation of apps from unknown sources in corporate container
Restricts installation of apps in the corporate container from all sources other than Google Play Enterprise.
If the check box is selected, the user can install apps only from Google Play. Users use their own Google corporate accounts to install apps.
If the check box is cleared, the user can install apps in any available way. Only apps forbidden in the App Control settings can't be installed.
This check box is cleared by default.
- Prohibit removing apps from corporate container
Selecting or clearing this check box specifies whether the user is prohibited from removing apps from the corporate container.
This check box is cleared by default.
- Prohibit displaying notifications from corporate container apps when screen is locked
Restricts displaying the contents of notifications from corporate container apps on the lock screen of the device.
If the check box is selected, the contents of notifications from corporate container apps can't be viewed on the device lock screen. To view these notifications, the user has to unlock the device or corporate container.
If the check box is cleared, notifications from corporate container apps are displayed on the device lock screen.
This check box is selected by default.
- Prohibit use of camera for corporate container apps
Selecting or clearing this check box specifies whether corporate container apps can access the device camera.
This check box is selected by default.
- In the Granting runtime permissions for corporate container apps section you can select an action to be performed when corporate container apps are running and request additional permissions. This does not apply to permissions granted in the device settings (for example, Access All Files).
- Allow users to configure permissions
When a permission is requested, the user decides whether to grant the specified permission to the app.
This option is selected by default.
- Grant permissions automatically
All corporate container apps are granted permissions without user interaction.
On Android 12 or later, the following permissions can't be granted automatically but can be denied automatically. If you select this option, the app will prompt the user for these permissions:
- Location permissions
- Permissions for camera
- Permissions to record audio
- Permission for activity recognition
- Permissions to access body sensor data
- Deny permissions automatically
All corporate container apps are denied permissions without user interaction.
Users can adjust app permissions in the device settings before these permissions are denied automatically.
- In the Adding widgets of corporate container apps to device home screen section you can choose whether the device user is allowed to add widgets of corporate container apps to the device home screen.
- Prohibit for all apps
The device user is prohibited from adding widgets of apps installed in the corporate container.
This option is selected by default.
- Allow for all apps
The device user is allowed to add widgets of all apps installed in the corporate container.
- Allow only for the listed apps
The device user is allowed to add widgets of listed apps installed in the corporate container.
To add an app to the list, click Add and enter an app package name.
How to get the package name of an app
To get the name of an app package:
- Open Google Play.
- Find the app and open its page.
The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).
To get the name of an app package that has been added to Kaspersky Security Center:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
- Click Android apps.
In the list of apps that opens, app identifiers are displayed in the Package name column.
- On the Certificates tab, you can configure the following settings:
- Duplicate installation of VPN certificates in user's personal space
Selecting or clearing the check box specifies whether the VPN certificate added in the Mobile → Certificates section of the Kaspersky Security Center Web Console and installed in the corporate container will also be installed in the user's personal space.
By default, VPN certificates received from Kaspersky Security Center are installed in the corporate container. This setting is applied when a new VPN certificate is issued.
This check box is cleared by default.
- Duplicate installation of root certificates in user's personal space
Selecting or clearing the check box specifies whether the root certificates added in the Root certificates settings and installed in the corporate container will also be installed in the user's personal space.
This check box is cleared by default.
- On the Password tab, specify the corporate container password settings:
- Require setting a password for corporate container
Lets you specify the requirements for the corporate container password according to company security requirements.
If the check box is selected, password requirements are available for configuration. When the policy is applied, the user receives a notification prompting them to set up a corporate container password according to company requirements.
If the check box is cleared, password settings cannot be edited.
This check box is cleared by default.
- Minimum password length
The minimum number of characters in the user password. Possible values: 4 to 16 characters.
The user's password is 4 characters long by default.
The following applies only to the user's personal space and the corporate container:
- In the user's personal space, Kaspersky Endpoint Security converts the password strength requirements into one of the values available in the system: medium or high on devices running Android 10 or later.
- In the corporate container, Kaspersky Endpoint Security converts the password strength requirements into one of the values available in the system: medium or high on devices running Android 12 or later.
The values are determined using the following rules:
- If the required password length is 1 to 4 characters, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN) with no repeating or ordered sequences (e.g. 1234), or alphabetic/alphanumeric. The PIN or password must be at least 4 characters long.
- If the required password length is 5 or more characters, then the app prompts the user to set a high-strength password. It must be either numeric (PIN) with no repeating or ordered sequences, or alphabetic/alphanumeric (password). A PIN must be at least 8 digits long. A password must be at least 6 characters long.
- Minimum password complexity requirements
Specifies the minimum unlock password requirements. These requirements apply only to new user passwords. The following values are available:
- Numeric
The user can set a password that includes numbers or set any stronger password (for instance, an alphabetic or alphanumeric password).
This option is selected by default.
- Alphabetic
The user can set a password that includes letters (or other non-number symbols) or set any stronger password (for instance, an alphanumeric password).
- Alphanumeric
The user can set a password that includes both numbers and letters (or other non-number symbols) or set any stronger complex password.
- No requirements
The user can set any password.
- Complex
The user must set a complex password according to the specified password properties:
- Minimum number of letters
- Minimum number of digits
- Minimum number of special characters (for example, !@#$%)
- Minimum number of uppercase letters
- Minimum number of lowercase letters
- Minimum number of non-alphabetic characters (for example, 1^*9)
- Complex numeric
The user can set a password that includes numbers with no repetitions (e.g. 4444) and no ordered sequences (e.g. 1234, 4321, 2468) or set any stronger complex password.
- Maximum number of failed password attempts before corporate container is deleted
Specifies the maximum number of user attempts to enter the password to unlock the corporate container. When the policy is applied, the corporate container will be deleted from the device after the maximum number of failed attempts is exceeded.
Possible values are 4 to 16.
The default value is not set. This means that the attempts are not limited.
- Maximum password lifetime (days)
Specifies the number of days before the password expires. Applying a new value will set the current password lifetime to the new value.
The default value is 0. This means that the password won't expire.
- Number of days to send a notification before a required password change
Specifies the number of days to notify the user before the password expires.
The default value is 0. This means that the user won't be notified about an expiring password.
- Number of recent passwords that cannot be set as a new password
Specifies the maximum number of previous user passwords that can't be used as a new password. This setting applies only when the user sets a new password on the device.
The default value is 0. This means that the new user password can match any previous password except the current one.
- Period of inactivity before corporate container is locked (sec)
Specifies the period of inactivity before the device locks.
The default value is 0. This means that the device won't lock after a certain period.
- Period after biometric unlock before password must be entered (min)
Specifies the period for unlocking the device without a password. During this period, the user can use biometric methods to unlock the screen. After this period, the user can unlock the screen only with a password.
The default value is 0. This means that the user won't be forced to unlock the device with a password after a certain period.
- Allow biometric unlock methods
If the check box is selected, the use of biometric unlock methods on the mobile device is allowed.
If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of biometric methods to unlock the screen. The user can unlock the screen only with a password.
This check box is selected by default.
- Allow fingerprint unlock
Specifies whether fingerprints can be used to unlock the screen.
This check box does not restrict the use of a fingerprint scanner when signing in to apps or confirming purchases.
If the check box is selected, the use of fingerprints on the mobile device is allowed.
If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of fingerprints to unlock the screen. The user can unlock the screen only with a password. In the device settings, the option to use fingerprints will be unavailable.
This check box is available only if the Allow biometric unlock methods check box is selected.
This check box is selected by default.
On some Xiaomi devices with a corporate container, the corporate container may be unlocked by a fingerprint only if you set the Period of inactivity before corporate container is locked (sec) value after setting a fingerprint as the screen unlock method.
- Allow face unlock
If the check box is selected, the use of face scanning is allowed on the mobile device.
If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of face scanning to unlock the screen.
This check box is available only if the Allow biometric unlock methods check box is selected.
This check box is selected by default.
- Allow iris scanning
If the check box is selected, the use of iris scanning is allowed on the mobile device.
If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of iris scanning to unlock the screen.
This check box is available only if the Allow biometric unlock methods check box is selected.
This check box is selected by default.
- On the Passcode tab, specify the one-time passcode settings. The user will be prompted to enter the one-time passcode to unlock their corporate container if it is locked.
- Passcode length
The number of digits in the passcode. Possible values: 4, 8, 12, or 16 characters.
The passcode length is 4 characters by default.
- Click OK.
- Click Save to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. The user's mobile device is divided into a corporate container and a personal space.
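The conversion of Minimum password length into a medium or high strength level, described on the Password tab above, can be modeled as follows to check which PINs and passwords a given policy value will accept. This is an added example, not Kaspersky code; the function names are hypothetical, and the rule that a run of four or more digits with a constant step counts as a "repeating or ordered sequence" is an assumption drawn from the examples 4444, 1234, 4321, and 2468.

```python
"""Added example: the length-to-strength conversion from the Password tab."""

# Assumption: a run of more than MAX_RUN digits with one constant step is a
# "repeating or ordered sequence". The page's examples (4444, 1234, 4321,
# 2468) are all 4-digit runs; the page does not state the threshold.
MAX_RUN = 3


def required_strength(min_length: int) -> str:
    """Strength level derived from the configured Minimum password length."""
    if not 1 <= min_length <= 16:
        raise ValueError("minimum length must be between 1 and 16")
    return "medium" if min_length <= 4 else "high"


def longest_constant_step_run(pin: str) -> int:
    """Longest run of digits whose neighbours differ by one fixed step.

    Step 0 is a repetition (4444); steps 1, -1, 2 cover 1234, 4321, 2468.
    """
    if len(pin) < 2:
        return len(pin)
    best = run = 1
    prev_step = None
    for a, b in zip(pin, pin[1:]):
        step = int(b) - int(a)
        run = run + 1 if step == prev_step else 2
        prev_step = step
        best = max(best, run)
    return best


def meets_strength(secret: str, strength: str) -> bool:
    """Check a candidate PIN or password against the medium/high rules."""
    if strength not in ("medium", "high"):
        raise ValueError("strength must be 'medium' or 'high'")
    if secret.isascii() and secret.isdigit():
        # Numeric PIN: length floor plus the sequence restriction.
        min_len = 4 if strength == "medium" else 8
        return (len(secret) >= min_len
                and longest_constant_step_run(secret) <= MAX_RUN)
    # Alphabetic or alphanumeric password: only the length floor applies.
    min_len = 4 if strength == "medium" else 6
    return len(secret) >= min_len


def evaluate(min_length: int, secret: str) -> tuple[str, bool]:
    """Return (strength level, accepted?) for one policy value and secret."""
    strength = required_strength(min_length)
    return strength, meets_strength(secret, strength)


if __name__ == "__main__":
    # Constructed samples: (configured minimum length, candidate secret).
    samples = [
        (4, "1234"),       # ordered sequence
        (4, "2580"),       # longest constant-step run is 3 digits
        (5, "19283"),      # 5 digits, but high strength needs an 8-digit PIN
        (5, "19283746"),
        (5, "abc123"),
        (6, "24681357"),   # contains the ordered run 2468
    ]
    for min_length, secret in samples:
        strength, ok = evaluate(min_length, secret)
        verdict = "accepted" if ok else "rejected"
        print(f"min_length={min_length:<2} {secret:<9} {strength:<6} {verdict}")
```

The model covers only the converted strength level; the additional checks from Minimum password complexity requirements are not included.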