Configuring SSO
These settings apply to supervised devices and devices operating in basic control mode.
The SSO settings let you configure account settings for using Single Sign-On technology. Single Sign-On (SSO) is an authentication method that allows a user to sign in to multiple services with a single ID. The Kerberos protocol is used for user authentication.
To configure the use of SSO on iOS MDM devices:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select iOS and go to the Device configuration section.
- On the SSO card, click Settings.
The SSO window opens.
- Enable the settings using the SSO toggle switch.
- Specify the following settings:
- In the Account name field, specify the name of the user's Single Sign-On account for Kerberos server authorization. You can either enter a value or select a macro by clicking the button.
- In the Authentication section, specify the authentication settings:
- Kerberos user name
Main name of the account of an iOS MDM device user on the Kerberos server. The Kerberos user name is case-sensitive and must be specified in the format <primary>/<instance>, where:
1. <primary> is the user name.
2. <instance> is a description of the primary name, such as "admin". The instance may be omitted.
Example: if the Kerberos user name is mycompany/admin@EXAMPLE.COM or mycompany@EXAMPLE.COM, you must enter mycompany/admin or mycompany respectively.
You can either enter a value or select a macro by clicking the button.
Do not use the at sign (@) in this field. Otherwise the SSO profile will not be applied on the device.
- Kerberos scope
Name of the network to which Kerberos servers and iOS MDM devices belong. The scope must be entered using uppercase letters.
The network name must match the domain name. For example, if the names match, the name of the scope for the example.com domain is EXAMPLE.COM.
Example: if the Kerberos user name is mycompany/admin@EXAMPLE.COM, you must enter EXAMPLE.COM.
- Authentication certificate
The certificate used for user authentication.
- In the URL prefixes section, specify the addresses of websites on which Kaspersky Mobile Devices Protection and Management allows using SSO:
- Limit account to the listed URLs
Use of Single Sign-On for automatic sign-in only to websites added to the list of allowed web addresses. You can create a list of allowed web addresses by clicking the Add URL button next to the check box.
If the check box is selected, the user can use Single Sign-On for authorization on websites that have been added to the list of allowed web addresses.
If the check box is cleared or the list is empty, the user can use Single Sign-On for all websites within the Kerberos scope.
This check box is cleared by default.
- Add URL
Clicking the button adds the URL prefix field for specifying a new website in the list of web addresses for which automatic Single Sign-On is allowed.
The button is available if the Limit account to the listed URLs check box is selected.
The web address must begin with http:// or https://. Automatic Single Sign-On is performed only when the URL fully matches the URL template. For example, the web address https://example.com/ does not match the web address https://example.com:443/.
To allow Single Sign-On access only to websites that use the HTTP protocol, enter the value http://. To allow access only to websites that use the secure HTTPS protocol, enter https://.
If the web address does not end with the "/" symbol, Kaspersky Mobile Devices Protection and Management adds this symbol automatically.
If the list of allowed web addresses is empty, the user can use Single Sign-On to automatically sign in to all websites within the Kerberos scope.
- In the Bundle IDs section, specify the IDs of apps in which Kaspersky Mobile Devices Protection and Management allows using SSO:
- Limit account to the listed apps
Using Single Sign-On for automatic sign-in to apps added to the list of bundle identifiers. You can create a list of bundle IDs by clicking the Add app button next to the check box.
If the check box is selected, the user can use Single Sign-On only for authorization in apps that have been added to the list of bundle IDs.
If the check box is cleared or the list is empty, the user can use Single Sign-On for all apps within the Kerberos scope.
This check box is cleared by default.
- Add app
Clicking the button adds the Bundle ID field for specifying a new bundle ID in the list of apps for which automatic Single Sign-On is allowed.
The button is available if the Limit account to the listed apps check box is selected.
Automatic Single Sign-On is performed only when the added ID fully matches the bundle ID. For example: com.mycompany.myapp.
To grant access to several apps using Single Sign-On, use the "*" symbol after the "." character. For example: com.mycompany.*. Access will be allowed to all apps whose bundle ID begins with the specified prefix.
If the list of bundle IDs is empty, the user can use Single Sign-On to automatically sign in to all apps within the Kerberos scope.
- Click OK.
- Click Save to save the changes you have made.
Mobile device settings are changed after the next device synchronization with the iOS MDM Server.
As a result, once the policy is applied, SSO is configured on the iOS MDM device.
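The field rules in the procedure above can be checked before the policy is saved. The following is an added example, not Kaspersky code: the function names are hypothetical, and case-sensitive bundle ID comparison is an assumption.

```python
# Added example: lint SSO field values before saving the policy.
# Function names are hypothetical; the rules come from the field descriptions.

def split_principal(principal):
    """'primary[/instance]@REALM' -> (Kerberos user name, Kerberos scope)."""
    name, sep, realm = principal.partition("@")
    if not sep or not name or not realm or "@" in realm:
        raise ValueError("expected <primary>[/<instance>]@<REALM>")
    return name, realm.upper()  # the scope field expects uppercase letters

def check_user_name(user_name):
    """Return a list of problems with the 'Kerberos user name' value."""
    problems = []
    if "@" in user_name:
        problems.append("contains '@': the SSO profile will not be applied")
    parts = user_name.split("/")
    if len(parts) > 2 or not all(parts):
        problems.append("not in <primary>/<instance> format")
    return problems

def check_scope(scope, domain):
    """Return a list of problems with the 'Kerberos scope' value."""
    problems = []
    if scope != scope.upper():
        problems.append("scope must be uppercase")
    if scope.upper() != domain.upper():
        problems.append("scope does not match the domain name")
    return problems

def normalize_url_prefix(url):
    """Apply the URL prefix rules: required scheme, trailing '/' appended."""
    if not url.startswith(("http://", "https://")):
        raise ValueError("URL prefix must begin with http:// or https://")
    # No port normalization: https://example.com/ and :443/ stay different.
    return url if url.endswith("/") else url + "/"

def bundle_id_allowed(bundle_id, patterns):
    """Exact match, or prefix match for patterns ending in '.*'."""
    if not patterns:
        return True  # empty list: all apps within the Kerberos scope
    for pattern in patterns:
        if pattern.endswith(".*"):
            if bundle_id.startswith(pattern[:-1]):  # keep the trailing '.'
                return True
        elif bundle_id == pattern:  # assumption: case-sensitive comparison
            return True
    return False
```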